strongSwan on FreeBSD » History » Version 5

Tobias Brunner, 15.07.2009 11:55
removed packages required for a build-without-tarball

h1. strongSwan on FreeBSD

The IKEv2 daemon charon has recently been ported to "FreeBSD":http://www.freebsd.org. There are some [[FreeBSD#Limitations|limitations]] and it is not thoroughly tested.

This document describes how to install strongSwan on FreeBSD 7.2.

h2. Prepare FreeBSD

The generic FreeBSD kernel does not come with IPsec support, so you will have to compile your own kernel.
Also, the kernel sources do not include NAT traversal. If you need that, you'll have to apply a patch.
You will also need some additional packages to compile strongSwan.

h3. Build the Kernel

Basic information on how to build a custom kernel can be found in the "FreeBSD Handbook":http://www.freebsd.org/doc/handbook/kernelconfig-building.html.

You'll need to add the following options to your kernel configuration file:

<pre>
options   IPSEC
device    crypto
</pre>

You can verify that your kernel has IPsec support using the following command, which should print a list of IPsec-specific kernel state.

<pre>
/sbin/sysctl -a | grep ipsec
</pre>

If you need NAT Traversal, apply one of the "patches":http://vanhu.free.fr/FreeBSD/ provided by Yvan Vanhullebus. Then add the following option to your kernel config.

<pre>
options   IPSEC_NAT_T
</pre>
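
The sysctl check above only works once the new kernel is booted. As an added example (not part of the original page or of strongSwan), the following shell function checks a kernel configuration file for the entries listed above before the build is started. The function name check_ipsec_kernconf, the sample config, and the handling of comma-separated names and of nooptions/nodevice lines are assumptions of this example.

```shell
#!/bin/sh
# Added example: check a FreeBSD kernel configuration file for the entries
# required above. Usage: check_ipsec_kernconf FILE [nat]
# Prints each missing entry; returns 0 if complete, 1 if not, 2 if unreadable.
check_ipsec_kernconf() {
    conf=$1
    want="options:IPSEC device:crypto"
    # IPSEC_NAT_T only applies after the NAT traversal patch has been applied.
    if [ "${2:-}" = "nat" ]; then want="$want options:IPSEC_NAT_T"; fi
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }

    awk -v want="$want" '
        {
            sub(/#.*/, "")              # drop comments
            gsub(/,/, " ")              # tolerate comma-separated names
            if (NF < 2) next
            kind = $1
            for (i = 2; i <= NF; i++) {
                name = $i
                sub(/[=].*/, "", name)  # ignore "=value" suffixes
                # a later "nooptions"/"nodevice" line cancels an earlier entry
                if (kind == "options") have["options:" name] = 1
                else if (kind == "device") have["device:" name] = 1
                else if (kind == "nooptions") delete have["options:" name]
                else if (kind == "nodevice") delete have["device:" name]
            }
        }
        END {
            n = split(want, w, " ")
            for (i = 1; i <= n; i++)
                if (!(w[i] in have)) {
                    split(w[i], p, ":")
                    print "missing: " p[1] " " p[2]
                    missing = 1
                }
            exit missing + 0
        }
    ' "$conf"
}

# Constructed sample config (not from the page): NAT-T option still commented out.
sample=$(mktemp)
printf 'options   IPSEC\ndevice    crypto\n#options  IPSEC_NAT_T\n' > "$sample"
check_ipsec_kernconf "$sample" nat || echo "fix the kernel config before building"
rm -f "$sample"
```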

h3. Install Packages

Our test system was installed using the Developer and Kern-Developer distributions in sysinstall, so additional packages may be required on your system.

The packages required to build strongSwan are as follows:

* vstr
* libgmp

Notes:
* Although FreeBSD supports the GNU-specific register_printf_function function, the implementation in the C library contains a "bug":http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/133776 that prevents this from working in a multi-threaded application. Therefore the *vstr* string library is required.

h2. Building strongSwan

Get the latest tarball and configure strongSwan as follows:

<pre>
./configure --enable-kernel-pfkey --enable-kernel-pfroute --disable-kernel-netlink --enable-vstr --disable-tools --disable-pluto --with-lib-prefix=/usr/local
</pre>

h2. Limitations

* Due to the lack of policy-based routes, virtual IPs cannot be used (client-side).
* The kernel-pfroute interface lacks some final tweaks to fully support MOBIKE.