strongSwan on FreeBSD » History » Version 13

Tobias Brunner, 12.08.2013 12:00

h1. strongSwan on FreeBSD

{{>toc}}

Since [[4.3.4|strongSwan 4.3.4]] the IKE daemon charon runs on "FreeBSD":http://www.freebsd.org. There are still some [[FreeBSD#Limitations|limitations]], but it has since been tested by several users (even with an adapted version of our "test framework":http://www.strongswan.org/uml-testing.html).

Please note that releases before [[5.0.0]] don't support IKEv1 because the old pluto IKEv1 daemon was not ported to FreeBSD.

h2. Prepare FreeBSD

The generic FreeBSD kernel does not come with IPsec support, so you will have to compile your own kernel.

Fortunately, starting with FreeBSD 8, the NAT Traversal patch is included in the kernel sources, so if you need that feature you don't have to apply any patches yourself.

h3. Build the Kernel

Basic documentation on how to build a custom kernel can be found in the "FreeBSD Handbook":http://www.freebsd.org/doc/handbook/kernelconfig-building.html.

To enable IPsec you'll need to add the following options to your kernel configuration file:

<pre>
options   IPSEC
device    crypto
</pre>

You can verify that your kernel has IPsec support using the following command, which should print a list of IPsec-specific kernel state:

<pre>
/sbin/sysctl -a | grep ipsec
</pre>

If you need NAT Traversal, add the following option to your kernel config:

<pre>
options   IPSEC_NAT_T
</pre>
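The following script is an added example and not part of this wiki page or the strongSwan project. It checks a FreeBSD kernel configuration file for the lines named above (@options IPSEC@, @device crypto@ and, on request, @options IPSEC_NAT_T@) before you start a lengthy kernel build, and it provides a stdin-based counterpart of the @sysctl -a | grep ipsec@ runtime check. The function names @check_kernconf@ and @count_ipsec_sysctls@ are hypothetical, and the configuration it runs against is constructed inline; it only assumes the usual one-directive-per-line kernel config syntax.

```shell
#!/bin/sh
# Added example, not part of the strongSwan wiki page: a pre-build check that
# a FreeBSD kernel configuration file carries the IPsec lines named above
# (options IPSEC, device crypto, and optionally options IPSEC_NAT_T).
# check_kernconf <config-file> [nat-t]
#   prints every missing line and returns 1 if any required line is absent.

check_kernconf() {
    conf="$1"
    want_nat_t="${2:-}"
    missing=0

    # Match "options IPSEC" as a whole word so "options IPSEC_NAT_T" does not
    # count as the base IPSEC option; commented-out lines start with '#' and
    # therefore fail the ^[[:space:]]* anchor.
    if ! grep -Eq '^[[:space:]]*options[[:space:]]+IPSEC([[:space:]]|$)' "$conf"; then
        echo "missing: options IPSEC"
        missing=1
    fi
    if ! grep -Eq '^[[:space:]]*device[[:space:]]+crypto([[:space:]]|$)' "$conf"; then
        echo "missing: device crypto"
        missing=1
    fi
    if [ "$want_nat_t" = "nat-t" ] &&
       ! grep -Eq '^[[:space:]]*options[[:space:]]+IPSEC_NAT_T([[:space:]]|$)' "$conf"; then
        echo "missing: options IPSEC_NAT_T"
        missing=1
    fi
    return $missing
}

# Runtime counterpart of the page's "sysctl -a | grep ipsec" check: reads
# sysctl output on stdin and prints how many IPsec-related entries it saw
# (0 means the running kernel most likely lacks IPsec support).
# Usage on a FreeBSD host: /sbin/sysctl -a | count_ipsec_sysctls
count_ipsec_sysctls() {
    grep -ci 'ipsec' || true
}

# Demo on a constructed configuration (a typical mistake: NAT-T enabled but
# the base IPSEC option left commented out), then on the corrected file.
demo_conf=$(mktemp)
printf 'ident      MYKERNEL\ninclude    GENERIC\n# options  IPSEC\noptions    IPSEC_NAT_T\ndevice     crypto\n' > "$demo_conf"
echo "== constructed config with IPSEC commented out =="
check_kernconf "$demo_conf" nat-t || echo "result: not IPsec-ready"
printf 'options    IPSEC\n' >> "$demo_conf"
echo "== after adding options IPSEC =="
check_kernconf "$demo_conf" nat-t && echo "result: IPsec-ready"
rm -f "$demo_conf"
```

Point @check_kernconf@ at your own configuration (for example @/usr/src/sys/amd64/conf/MYKERNEL@) before running @make buildkernel@; the word-boundary match matters because a file that only contains @options IPSEC_NAT_T@ would otherwise look complete.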

h2. Install FreeBSD Port / Package

The easiest way to install strongSwan on FreeBSD is to use the "security/strongswan":http://www.freshports.org/security/strongswan port

<pre>
cd /usr/ports/security/strongswan/ && make install clean
</pre>

or to install the binary package

<pre>
pkg_add -r strongswan
</pre>

h2. Manual Installation

h3. Install Packages

Our test system was installed using the Developer and Kern-Developer distributions in sysinstall, so additional packages may be required on your system.

The packages required to build strongSwan are as follows:

* libgmp (optional, depending on configuration)
* openssl (optional, depending on configuration)

Notes:
* The "printf-Bug":http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/133776 in earlier FreeBSD releases has been fixed and backported to FreeBSD 8. Thus, the *vstr* string library is not required anymore (check the history of this wiki page for details).

h3. Building strongSwan

Get the "latest tarball":http://www.strongswan.org/download.html and configure strongSwan as follows (this compiles the GMP plugin, so libgmp is required). For details refer to [[InstallationDocumentation]].

<pre>
./configure --enable-kernel-pfkey --enable-kernel-pfroute --disable-kernel-netlink \
            --disable-tools --disable-scripts --with-group=wheel
</pre>

Notes:
* For releases before [[5.0.0]] you also need to add @--disable-pluto@.

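As an added example (not from this wiki page or the strongSwan project), the script below assembles the @./configure@ argument list recommended above and appends @--disable-pluto@ only when the release being built is older than 5.0.0, so the same build script works for both 4.x and 5.x tarballs. The function names @version_lt@ and @strongswan_configure_args@ are hypothetical; the only assumption is that strongSwan releases are numbered as dotted triples like 4.6.4 or 5.1.0.

```shell
#!/bin/sh
# Added example, not part of the strongSwan wiki page: builds the ./configure
# argument list this page recommends for FreeBSD and appends --disable-pluto
# only for releases before 5.0.0, where the unported pluto daemon would
# otherwise be built. Version numbers are compared numerically per component,
# so 4.10.0 sorts after 4.9.0 (a plain string comparison would get that wrong).

# version_lt A B: succeeds if dotted version A is strictly lower than B.
version_lt() {
    a="$1"; b="$2"
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        # missing components (e.g. "5.1") count as 0
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 1
}

# strongswan_configure_args VERSION: prints the configure arguments for the
# strongSwan release VERSION (e.g. 4.6.4 or 5.1.0), hypothetical helper name.
strongswan_configure_args() {
    ver="$1"
    args="--enable-kernel-pfkey --enable-kernel-pfroute --disable-kernel-netlink"
    args="$args --disable-tools --disable-scripts --with-group=wheel"
    if version_lt "$ver" 5.0.0; then
        # pluto was never ported to FreeBSD, so it must not be built on 4.x
        args="$args --disable-pluto"
    fi
    printf '%s\n' "$args"
}

# Demo: compare the argument lists for a pre-5.0.0 and a 5.x release.
for v in 4.6.4 5.1.0; do
    printf 'strongSwan %s: ./configure %s\n' "$v" "$(strongswan_configure_args "$v")"
done
```

In a build script you would call it as @./configure $(strongswan_configure_args 4.6.4)@ from the unpacked tarball directory, with the version taken from the tarball name.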
h2. Limitations

* Before [[5.1.0]] virtual IPs could not be used on clients due to the lack of policy-based routing. Since [[5.1.0]] TUN devices are created to implement this, so that FreeBSD can be used as a client in road-warrior setups.
* Before [[5.1.0]] the kernel-pfroute interface lacked several features needed to properly support MOBIKE.
* Because there is currently no way to change the IP addresses of an installed IPsec SA in the FreeBSD kernel, IPsec SAs are rekeyed when a client's IP address changes. "This discussion":http://forums.freebsd.org/showthread.php?p=226838 on the FreeBSD forums has more on this.

h2. Known Problems

* Before [[4.6.0|strongSwan 4.6.0]] [[IpsecStarter|starter]] did not use the modular kernel interfaces, so when it tried to detect an IPsec stack it failed:
<pre>
Starting strongSwan 4.x.x IPsec [starter]...
no netkey IPsec stack detected
no KLIPS IPsec stack detected
no known IPsec stack detected, ignoring!
</pre> Fortunately, this detection is not really needed on FreeBSD, so simply ignore this message.