strongSwan on FreeBSD » History » Version 4

Tobias Brunner, 14.07.2009 22:13
more specific link to the handbook

h1. strongSwan on FreeBSD

The IKEv2 daemon charon has recently been ported to "FreeBSD":http://www.freebsd.org. There are some [[FreeBSD#Limitations|limitations]] and it is not thoroughly tested.

This document describes how to install strongSwan on FreeBSD 7.2.

h2. Prepare FreeBSD

The generic FreeBSD kernel does not come with IPsec support, so you will have to compile your own kernel.
Also, the kernel sources do not include NAT traversal. If you need that, you'll have to apply a patch.
Then you will also need some additional packages to compile strongSwan.

h3. Build the Kernel

Basic information on how to build a custom kernel can be found in the "FreeBSD Handbook":http://www.freebsd.org/doc/handbook/kernelconfig-building.html.

You'll need to add the following options to your kernel configuration file:

<pre>
options   IPSEC
device    crypto
</pre>

You can verify that your kernel has IPsec support using the following command, which should print a list of IPsec-specific kernel state.

<pre>
/sbin/sysctl -a | grep ipsec
</pre>

If you need NAT Traversal, apply one of the "patches":http://vanhu.free.fr/FreeBSD/ provided by Yvan Vanhullebus. Then add the following option to your kernel config.

<pre>
options   IPSEC_NAT_T
</pre>
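
The kernel configuration entries listed in this section can be checked before starting a rebuild. The shell functions below are an added example, not part of the strongSwan wiki or of FreeBSD; the function names and the sample configuration are constructed, and the sketch goes slightly beyond the page by also accepting comma-separated lists, @NAME=value@ entries and @nooptions@/@nodevice@ lines.

```sh
#!/bin/sh
# Added example, not strongSwan or FreeBSD code. Function names are made up.
# Assumption: files pulled in with "include" are not followed.

# has_entry FILE KEYWORD NAME
# Succeeds if FILE enables NAME via KEYWORD ("options" or "device").
# Comments are ignored, "NAME=value" counts as NAME, and a later
# "nooptions"/"nodevice" line for NAME cancels an earlier entry.
has_entry() {
    awk -v kw="$2" -v name="$3" '
        {
            sub(/#.*/, "")          # drop comments
            gsub(/,/, " ")          # comma-separated lists become fields
        }
        $1 == kw || $1 == ("no" kw) {
            for (i = 2; i <= NF; i++) {
                n = $i
                sub(/=.*/, "", n)   # strip "=value"
                if (n == name) found = ($1 == kw)
            }
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# missing_ipsec_entries FILE [nat]
# Prints every entry from this page that FILE lacks; returns 1 if any is
# missing. "nat" also requires IPSEC_NAT_T (only valid on a patched tree).
missing_ipsec_entries() {
    wanted="options:IPSEC device:crypto"
    [ "${2:-}" = nat ] && wanted="$wanted options:IPSEC_NAT_T"
    rc=0
    for w in $wanted; do
        has_entry "$1" "${w%%:*}" "${w#*:}" && continue
        echo "${w%%:*} ${w#*:}"
        rc=1
    done
    return $rc
}

# Constructed sample: IPSEC set, crypto commented out, NAT-T option absent.
sample_config() {
    printf '%s\n' 'include   GENERIC' 'ident     VPNGW' \
        'options   IPSEC        # IPsec support' '#device   crypto'
}

tmp=$(mktemp) && sample_config > "$tmp"
missing_ipsec_entries "$tmp" nat || echo "add the lines above, then rebuild"
rm -f "$tmp"
```
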

h3. Install Packages

Our test system was installed using the Developer and Kern-Developer distributions in sysinstall, so additional packages may be required on your system.

The packages required to build strongSwan are as follows:

* Build system:
** automake110
** automake-wrapper
** autoconf262
** autoconf-wrapper
** libtool
** bison
* Libraries:
** vstr
** libgmp
** libgcrypt

Notes:
* *bison* is required because our parsers are not fully YACC compatible.
* Although FreeBSD supports the GNU-specific register_printf_function function, the implementation in the C library contains a "bug":http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/133776 that prevents this from working in a multi-threaded program. Therefore the *vstr* string library is required.
* *libgcrypt* is required because our configure script depends on some M4 macros provided by it.

h2. Building strongSwan

Get the latest tarball and configure strongSwan as follows:

<pre>
./configure --enable-kernel-pfkey --enable-kernel-pfroute --disable-kernel-netlink --enable-vstr --disable-tools --disable-pluto --with-lib-prefix=/usr/local
</pre>

h2. Limitations

* Due to the lack of policy-based routes, virtual IPs cannot be used (client-side).
* The kernel-pfroute interface lacks some final tweaks to fully support MOBIKE.