strongSwan on FreeBSD » History » Version 2

Tobias Brunner, 14.07.2009 16:47
check for IPsec added

h1. strongSwan on FreeBSD

The IKEv2 daemon charon has recently been ported to "FreeBSD":http://www.freebsd.org. There are some [[FreeBSD#Limitations|limitations]] and it is not thoroughly tested.

This document describes how to install strongSwan on FreeBSD 7.2.

h2. Prepare FreeBSD

The generic FreeBSD kernel does not come with IPsec support, so you will have to compile your own kernel.
Also, the kernel sources do not include NAT traversal. If you need that, you'll have to apply a patch.
You will also need some additional packages to compile strongSwan.

h3. The Kernel

Basic information on how to build a custom kernel can be found in the "FreeBSD Handbook":http://www.freebsd.org/doc/handbook/.

You'll need to add the following options to your kernel configuration file:

<pre>
options   IPSEC
device    crypto
</pre>

You can verify that your kernel has IPsec support using the following command, which should print a list of IPsec-specific kernel state.

<pre>
/sbin/sysctl -a | grep ipsec
</pre>
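
A pre-flight check for the two kernel requirements above, as an added example that is not part of the original wiki page: it confirms that a kernel configuration file activates options IPSEC and device crypto, and that saved sysctl output contains IPsec OIDs rather than any line mentioning "ipsec". The function names, the sample files and the net.inet.ipsec / net.inet6.ipsec6 prefixes used for matching are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the strongSwan wiki). Names and samples are constructed.

# kernel_config_has FILE KEYWORD NAME
# Succeeds if FILE has an active "KEYWORD NAME" line. Comments are ignored,
# comma-separated lists are split, and a later nooptions/nodevice cancels it.
kernel_config_has() {
    awk -v kw="$2" -v name="$3" '
        { sub(/#.*/, ""); gsub(/,/, " ") }
        $1 == kw        { for (i = 2; i <= NF; i++) if ($i == name) found = 1 }
        $1 == ("no" kw) { for (i = 2; i <= NF; i++) if ($i == name) found = 0 }
        END { exit !found }
    ' "$1"
}

# sysctl_shows_ipsec: reads `sysctl -a` output on stdin and succeeds only if
# an IPsec OID is present, so "ipsec" inside an unrelated value does not count.
sysctl_shows_ipsec() {
    grep -Eq '^net\.inet6?\.ipsec6?\.'
}

# preflight KERNCONF SYSCTL_DUMP: report every missing requirement.
preflight() {
    rc=0
    kernel_config_has "$1" options IPSEC || { echo "missing: options IPSEC"; rc=1; }
    kernel_config_has "$1" device crypto || { echo "missing: device crypto"; rc=1; }
    sysctl_shows_ipsec < "$2" || { echo "no IPsec sysctl OIDs in running kernel"; rc=1; }
    return "$rc"
}

# Constructed sample inputs: a good config, one with IPSEC commented out,
# and sysctl dumps from a kernel with and without IPsec support.
make_samples() {
    d=$(mktemp -d)
    printf 'ident\t\tVPNGW\noptions \tINET\noptions \tIPSEC\t\t# IPsec\ndevice\t\tcrypto\n' > "$d/good.conf"
    printf 'ident\t\tVPNGW\n#options \tIPSEC\ndevice\t\tcrypto\n' > "$d/bad.conf"
    printf 'net.inet.ipsec.def_policy: 1\nnet.inet6.ipsec6.def_policy: 1\n' > "$d/ipsec.sysctl"
    printf 'net.inet.ip.forwarding: 0\nkern.bootfile: /boot/kernel.noipsec/kernel\n' > "$d/generic.sysctl"
    echo "$d"
}

# On a real host (MYKERNEL is a placeholder for your configuration name):
#   /sbin/sysctl -a > /tmp/sysctl.txt
#   preflight "/usr/src/sys/$(uname -m)/conf/MYKERNEL" /tmp/sysctl.txt
```

The check does not follow include directives, so point it at the file that actually names the options.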

If you need NAT Traversal, apply one of the "patches":http://vanhu.free.fr/FreeBSD/ provided by Yvan Vanhullebus.

h3. Install Packages

Our test system was installed using the Developer and Kern-Developer distributions in sysinstall, so additional packages may be required on your system.

The packages required to build strongSwan are as follows:

* Build system:
** automake110
** automake-wrapper
** autoconf262
** autoconf-wrapper
** libtool
** bison
* Libraries
** vstr
** libgmp
** libgcrypt

Notes:
* *bison* is required because our parsers are not fully YACC compatible.
* Although FreeBSD supports the GNU-specific register_printf_function function, the implementation in the C library contains a "bug":http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/133776 that prevents this from working in a multi-threaded program. Therefore the *vstr* string library is required.
* *libgcrypt* is required because our configure script depends on some M4 macros provided by it.

h2. Building strongSwan

Get the latest tarball and configure strongSwan as follows:

<pre>
./configure --enable-kernel-pfkey --enable-kernel-pfroute --disable-kernel-netlink --enable-vstr --disable-tools --disable-pluto --with-lib-prefix=/usr/local
</pre>

h2. Limitations

* Due to the lack of policy-based routes, virtual IPs cannot be used (client-side).
* The kernel-pfroute interface lacks some final tweaks to fully support MOBIKE.