strongSwan on FreeBSD » History » Version 19

Martin Larsson, 25.10.2016 17:53

h1. strongSwan on FreeBSD

{{>toc}}

Since [[4.3.4|strongSwan 4.3.4]] the IKE daemon charon runs on "FreeBSD":http://www.freebsd.org. There are still some [[FreeBSD#Limitations|limitations]], but it has since been tested by several users (even with an adapted version of our "test framework":http://www.strongswan.org/uml-testing.html).

Please note that releases before [[5.0.0]] don't support IKEv1 because the old pluto IKEv1 daemon was not ported to FreeBSD.

h2. Prepare FreeBSD

Starting from FreeBSD 11, IPsec is now default in the kernel. If you need NAT Traversal you will have to add the following line to the kernel config.

<pre>
options IPSEC_NAT_T
</pre>

In versions older than FreeBSD 11.0 the GENERIC kernel does not come with IPsec support, so you will have to compile your own kernel.

Fortunately, starting with FreeBSD 8, the NAT Traversal patch is included in the kernel sources, so you don't have to apply any patches yourself if you need that feature.

h3. Build the Kernel

Basic documentation on how to build a custom kernel can be found in the "FreeBSD Handbook":http://www.freebsd.org/doc/handbook/kernelconfig-building.html.

To enable IPsec you'll need to add the following options to your kernel configuration file:

<pre>
options   IPSEC
device    crypto
</pre>

You can verify that your kernel has IPsec support using the following command, which should print a list of IPsec-specific kernel state:

<pre>
/sbin/sysctl -a | grep ipsec
</pre>

If you need NAT Traversal, add the following option to your kernel config:

<pre>
options   IPSEC_NAT_T
</pre>

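Added here as an illustration, not part of the original wiki page: a small POSIX shell script that checks a kernel configuration file for the options listed above (matching the option names exactly, so @options IPSEC@ is not confused with @options IPSEC_NAT_T@) and, on a FreeBSD host, checks the running kernel for the @net.inet.ipsec@ sysctl tree the @grep ipsec@ command above lists. The config path in the usage comment and the sysctl name used for the running-kernel check are assumptions.

```shell
#!/bin/sh
# Added example (not from the strongSwan wiki): check a kernel config file for
# the options this page lists, and check the running kernel's sysctl tree.
# Assumed usage: ./check-ipsec-kernel.sh /usr/src/sys/amd64/conf/MYKERNEL

# Match an uncommented "options NAME" or "device NAME" line exactly, so that
# "options IPSEC" does not match "options IPSEC_NAT_T" and vice versa.
has_line() {
    grep -Eq "^[[:space:]]*$1[[:space:]]+$2([[:space:]]|#|$)" "$3"
}

# Return 0 if the config file $1 enables IPsec (options IPSEC + device crypto).
config_has_ipsec() {
    missing=""
    has_line options IPSEC "$1"  || missing="$missing IPSEC"
    has_line device  crypto "$1" || missing="$missing crypto"
    if [ -n "$missing" ]; then
        echo "kernel config $1 is missing:$missing" >&2
        return 1
    fi
    return 0
}

# Return 0 if the config file $1 also enables NAT Traversal.
config_has_nat_t() {
    has_line options IPSEC_NAT_T "$1"
}

# Return 0 if the running kernel has IPsec compiled in. This is the page's
# "sysctl -a | grep ipsec" narrowed to one sysctl (assumed name); it only
# works on a FreeBSD host.
running_kernel_has_ipsec() {
    sysctl -n net.inet.ipsec.def_policy >/dev/null 2>&1
}

if [ -n "$1" ]; then
    config_has_ipsec "$1" && echo "IPsec enabled in $1"
    config_has_nat_t "$1" && echo "NAT Traversal enabled in $1"
    running_kernel_has_ipsec && echo "running kernel has IPsec"
fi
```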
h2. Install FreeBSD Port / Package

The easiest way to install strongSwan on FreeBSD is to use the "security/strongswan":http://www.freshports.org/security/strongswan port

<pre>
cd /usr/ports/security/strongswan/ && make install clean
</pre>

or to install the binary package with

<pre>
pkg install strongswan
</pre>

or, in earlier FreeBSD releases, with

<pre>
pkg_add -r strongswan
</pre>

h2. Manual Installation

h3. Install Packages

Our test system was installed using the Developer and Kern-Developer distributions in sysinstall, so additional packages may be required on your system.

The packages required to build strongSwan are as follows:

* libgmp (optional, depending on configuration)
* openssl (optional, depending on configuration)

Notes:
* The "printf-Bug":http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/133776 in earlier FreeBSD releases has been fixed and backported to FreeBSD 8. Thus, the *vstr* string library is not required anymore (check the history of this wiki page for details).

h3. Building strongSwan

Get the "latest tarball":http://www.strongswan.org/download.html and configure strongSwan as follows (this compiles the GMP plugin, so libgmp is required). For details refer to [[InstallationDocumentation]].

<pre>
./configure --enable-kernel-pfkey --enable-kernel-pfroute --disable-kernel-netlink \
            --disable-scripts --with-group=wheel
</pre>

Notes:
* For releases before [[5.0.0]] you also need to add @--disable-pluto@.

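Added here as an illustration, not the strongSwan project's own build script: a POSIX shell script that assembles the configure invocation shown above, appends @--disable-pluto@ only for releases before 5.0.0 by comparing the version number, and then builds an already unpacked source tree. The source directory in the usage comment and the @strongswan-X.Y.Z@ directory naming it relies on are assumptions.

```shell
#!/bin/sh
# Added example (not the strongSwan project's own build script): assemble the
# configure invocation from this page, adding --disable-pluto for releases
# before 5.0.0, then build an already unpacked source tree.
# Assumed usage: ./build-strongswan.sh /usr/local/src/strongswan-5.5.1

# Return 0 if dotted version $1 is older than dotted version $2.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            xi = (i <= n) ? x[i] + 0 : 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# Print the configure flags for strongSwan version $1 on FreeBSD.
configure_flags() {
    flags="--enable-kernel-pfkey --enable-kernel-pfroute --disable-kernel-netlink"
    flags="$flags --disable-scripts --with-group=wheel"
    # pluto was never ported to FreeBSD and only exists before 5.0.0.
    if version_lt "$1" 5.0.0; then
        flags="$flags --disable-pluto"
    fi
    printf '%s\n' "$flags"
}

# Derive the version from a source directory named strongswan-X.Y.Z (assumed).
version_from_dir() {
    d=${1%/}
    printf '%s\n' "${d##*strongswan-}"
}

# Configure, build and install the unpacked tree in $1 (make install needs root).
build_strongswan() {
    src=${1%/}
    ver=$(version_from_dir "$src")
    # Word splitting of $(configure_flags ...) is intended here.
    (cd "$src" && ./configure $(configure_flags "$ver") && make && make install)
}

if [ -n "$1" ]; then
    build_strongswan "$1"
fi
```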
h2. Limitations

* Before [[5.1.0]] virtual IPs could not be used on clients due to the lack of policy based routing. Since [[5.1.0]] TUN devices are created to implement this, so that FreeBSD can be used as a client in road-warrior setups.
* Before [[5.1.0]] the kernel-pfroute interface lacked several features to properly support MOBIKE.
* Because there is currently no way to change the IP addresses of an installed IPsec SA in the FreeBSD kernel, IPsec SAs are rekeyed when a client's IP address changes. "This discussion":http://forums.freebsd.org/showthread.php?p=226838 on the FreeBSD forums has more on this.

h2. Known Problems

* Before [[4.6.0|strongSwan 4.6.0]] [[IpsecStarter|starter]] did not use the modular kernel interfaces, thus, when it tried to detect an IPsec stack it failed:
<pre>
Starting strongSwan 4.x.x IPsec [starter]...
no netkey IPsec stack detected
no KLIPS IPsec stack detected
no known IPsec stack detected, ignoring!
</pre> Fortunately, this detection is not really needed on FreeBSD, so simply ignore this message.