strongSwan on FreeBSD » History » Version 17
Version 16 (Martin Larsson, 25.10.2016 17:40) → Version 17/21 (Martin Larsson, 25.10.2016 17:41)
h1. strongSwan on FreeBSD
{{>toc}}
Since [[4.3.4|strongSwan 4.3.4]] the IKE daemon charon runs on "FreeBSD":http://www.freebsd.org. There are still some [[FreeBSD#Limitations|limitations]] but
it has since been tested by several users (even with an adapted version of our "test framework":http://www.strongswan.org/uml-testing.html).
Please note that releases before [[5.0.0]] don't support IKEv1 because the old pluto IKEv1 daemon was not ported to FreeBSD.
h2. Prepare FreeBSD
The generic FreeBSD kernel does not come with IPsec support, so you will have to compile your own kernel.
Fortunately, starting with FreeBSD 8, the NAT Traversal patch is included in the kernel sources, so if you need that feature you don't
have to apply any patches yourself.
Starting from FreeBSD 11, IPsec is enabled in the kernel by default. If you need NAT Traversal you will have to add
<pre>
options IPSEC_NAT_T
</pre>
to the kernel configuration.
h3. Build the Kernel
Basic documentation on how to build a custom kernel can be found in the "FreeBSD Handbook":http://www.freebsd.org/doc/handbook/kernelconfig-building.html.
To enable IPsec you'll need to add the following options to your kernel configuration file:
<pre>
options IPSEC
device crypto
</pre>
You can verify that your kernel has IPsec support using the following command, which should print a list of IPsec-specific kernel state:
<pre>
/sbin/sysctl -a | grep ipsec
</pre>
If you need NAT Traversal, add the following option to your kernel config:
<pre>
options IPSEC_NAT_T
</pre>
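As an added example (not from the strongSwan wiki or the FreeBSD Handbook), a small POSIX sh function that audits a kernel configuration file for the options listed above before you start a kernel build. The config file path, the @need_nat_t@ argument and the sample config lines in the comments are assumptions; it only checks for the plain @options@/@device@ lines the Handbook uses.

```shell
#!/bin/sh
# Added example: audit a FreeBSD kernel config (e.g. /usr/src/sys/amd64/conf/MYKERNEL,
# assumed path) for the lines this page says IPsec needs:
#   options IPSEC        device crypto        options IPSEC_NAT_T (only if NAT-T is wanted)
# Constructed input such as "options IPSEC_NAT_T" alone must NOT satisfy "options IPSEC".

# has_kernconf_line FILE KEYWORD NAME
# True if FILE has a non-comment line "KEYWORD NAME" (KEYWORD is "options" or "device").
has_kernconf_line() {
    grep -Ev '^[[:space:]]*#' "$1" \
        | grep -Eq "^[[:space:]]*$2[[:space:]]+$3([[:space:]]|#|\$)"
}

# check_ipsec_kernconf FILE [yes|no]
# Prints each missing line; returns 0 if complete, 1 if something is missing,
# 2 if the file cannot be read. Second argument says whether NAT-T is required.
check_ipsec_kernconf() {
    conf=$1
    need_nat_t=${2:-no}
    missing=0
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    for want in "options IPSEC" "device crypto"; do
        kw=${want%% *}
        name=${want#* }
        if ! has_kernconf_line "$conf" "$kw" "$name"; then
            echo "missing: $want"
            missing=1
        fi
    done
    if [ "$need_nat_t" = yes ] && ! has_kernconf_line "$conf" options IPSEC_NAT_T; then
        echo "missing: options IPSEC_NAT_T"
        missing=1
    fi
    return $missing
}

# Stand-alone use: check_ipsec_kernconf.sh /path/to/KERNCONF [yes]
if [ "$#" -gt 0 ]; then
    check_ipsec_kernconf "$@"
fi
```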
h2. Install FreeBSD Port / Package
The easiest way to install strongSwan on FreeBSD is to use the "security/strongswan":http://www.freshports.org/security/strongswan port
<pre>
cd /usr/ports/security/strongswan/ && make install clean
</pre>
or to install the binary package with
<pre>
pkg install strongswan
</pre>
or in earlier FreeBSD releases with
<pre>
pkg_add -r strongswan
</pre>
h2. Manual Installation
h3. Install Packages
Our test system was installed using the Developer and Kern-Developer distributions in sysinstall, so additional packages may be required on your system.
The packages required to build strongSwan are as follows:
* libgmp (optional, depending on configuration)
* openssl (optional, depending on configuration)
Notes:
* The "printf-Bug":http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/133776 in earlier FreeBSD releases has been fixed and backported to FreeBSD 8. Thus, the *vstr* string library is not required anymore (check the history of this wiki page for details).
h3. Building strongSwan
Get the "latest tarball":http://www.strongswan.org/download.html and configure strongSwan as follows (this compiles the GMP plugin, so libgmp is required).
For details refer to [[InstallationDocumentation]].
<pre>
./configure --enable-kernel-pfkey --enable-kernel-pfroute --disable-kernel-netlink \
--disable-scripts --with-group=wheel
</pre>
Notes:
* For releases before [[5.0.0]] you also need to add @--disable-pluto@.
h2. Limitations
* Before [[5.1.0]] virtual IPs could not be used on clients due to the lack of policy-based routing. Since [[5.1.0]] TUN devices are created to implement this, so that FreeBSD can be used as a client in road-warrior setups.
* Before [[5.1.0]] the kernel-pfroute interface lacked several features needed to properly support MOBIKE.
* Because there is currently no way to change the IP addresses of an installed IPsec SA in the FreeBSD kernel, IPsec SAs are rekeyed when a client's IP address changes. "This discussion":http://forums.freebsd.org/showthread.php?p=226838 on the FreeBSD forums has more on this.
h2. Known Problems
* Before [[4.6.0|strongSwan 4.6.0]] [[IpsecStarter|starter]] did not use the modular kernel interfaces, thus, when it tried to detect an IPsec stack it failed:
<pre>
Starting strongSwan 4.x.x IPsec [starter]...
no netkey IPsec stack detected
no KLIPS IPsec stack detected
no known IPsec stack detected, ignoring!
</pre>
Fortunately, this detection is not really needed on FreeBSD, so simply ignore this message.