strongSwan on FreeBSD » History » Version 7
Version 6 (Tobias Brunner, 20.07.2009 20:55) → Version 7/21 (Tobias Brunner, 31.07.2009 17:07)
h1. strongSwan on FreeBSD
The IKEv2 daemon charon has recently been ported to "FreeBSD":http://www.freebsd.org. There are some [[FreeBSD#Limitations|limitations]] and it is not thoroughly tested.
This document describes how to install strongSwan on FreeBSD 7.2.
h2. Prepare FreeBSD
The generic FreeBSD kernel does not come with IPsec support, so you will have to compile your own kernel.
Also, the kernel sources do not include NAT traversal; if you need it, you'll have to apply a patch.
You will also need some additional packages to compile strongSwan.
h3. Build the Kernel
Basic information on how to build a custom kernel can be found in the "FreeBSD Handbook":http://www.freebsd.org/doc/handbook/kernelconfig-building.html.
You'll need to add the following options to your kernel configuration file:
<pre>
options IPSEC
device crypto
</pre>
You can verify that your kernel has IPsec support using the following command, which should print a list of IPsec-specific kernel state.
<pre>
/sbin/sysctl -a | grep ipsec
</pre>
If you need NAT Traversal, apply one of the "patches":http://vanhu.free.fr/FreeBSD/ provided by Yvan Vanhullebus. Then add the following option to your kernel config.
<pre>
options IPSEC_NAT_T
</pre>
Notes:
* After applying the patch, check that the values of the two constants @INP_ESPINUDP@ and @INP_ESPINUDP_NON_IKE@, which are defined in @/usr/src/sys/netinet/in_pcb.h@, do not overlap with the other @INP_@ constants. Values that worked for me were 0x10000000 for INP_ESPINUDP and 0x20000000 for INP_ESPINUDP_NON_IKE (i.e. just add four zeros to both values).
* FreeBSD 8.0 "will include":http://svn.freebsd.org/viewvc/base?view=revision&revision=194062 the NAT-T patch; the kernel option to enable it is the same.
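To check the note about overlapping @INP_@ constants mechanically, here is an added shell script; it is not part of this wiki page and not code from the FreeBSD sources. It extracts every @#define INP_<NAME> 0x<hex>@ line from a file and reports any two flags that share a bit. The header contents it writes are a constructed sample. On a real system, run @inp_flags_disjoint@ on an excerpt of @/usr/src/sys/netinet/in_pcb.h@ that contains only the @inp_flags@ definitions, because the header also defines other groups of @INP_@ constants (such as the @inp_vflag@ bits) that legitimately reuse low bit values and would otherwise be reported as false overlaps.

```shell
#!/bin/sh
# Added check, not code from the strongSwan wiki or the FreeBSD sources:
# reads "#define INP_<NAME> 0x<hex>" lines from a file and reports any two
# flags whose bit values overlap. The sample headers written below are
# constructed for this example.

# Emit one "NAME=0xVALUE" token per "#define INP_<NAME> 0x<hex>" line in $1.
# Function-like macros (INP_LOCK(inp) and friends) have no hex value and are
# skipped by the pattern.
inp_flag_values() {
    sed -n 's/^#define[[:space:]]\{1,\}\(INP_[A-Za-z0-9_]*\)[[:space:]]\{1,\}\(0[xX][0-9A-Fa-f]\{1,\}\).*/\1=\2/p' "$1"
}

# Return 0 if every INP_ flag in $1 uses distinct bits, 1 otherwise.
# Each overlapping pair is printed once.
inp_flags_disjoint() {
    flags=$(inp_flag_values "$1")
    status=0
    n=0
    for a in $flags; do
        n=$((n + 1))
        m=0
        for b in $flags; do
            m=$((m + 1))
            # Compare each pair only once: b must come later in the list than a.
            [ "$m" -gt "$n" ] || continue
            va=${a#*=}
            vb=${b#*=}
            # Shared bits show up as a non-zero bitwise AND of the two values.
            if [ $((va & vb)) -ne 0 ]; then
                echo "overlap: ${a%%=*} ($va) and ${b%%=*} ($vb)"
                status=1
            fi
        done
    done
    return $status
}

# Constructed sample: a short inp_flags block with the two NAT-T constants set
# to the values from the note above (0x10000000 and 0x20000000).
SAMPLE_DIR=$(mktemp -d)
GOOD_HDR="$SAMPLE_DIR/in_pcb_good.h"
BAD_HDR="$SAMPLE_DIR/in_pcb_bad.h"
cat > "$GOOD_HDR" <<'EOF'
#define INP_RECVOPTS        0x01    /* receive incoming IP options */
#define INP_RECVRETOPTS     0x02    /* receive IP options for reply */
#define INP_RECVDSTADDR     0x04    /* receive IP dst address */
#define INP_HDRINCL         0x08    /* user supplies entire IP header */
#define INP_ESPINUDP        0x10000000  /* ESP over UDP for NAT-T */
#define INP_ESPINUDP_NON_IKE 0x20000000 /* ESP over UDP for NAT-T */
EOF
# Same block, but with the two NAT-T constants colliding with existing bits
# (constructed to show what a bad patch result looks like).
sed -e 's/0x10000000/0x01/' -e 's/0x20000000/0x02/' "$GOOD_HDR" > "$BAD_HDR"

inp_flags_disjoint "$GOOD_HDR" && echo "ok: $GOOD_HDR"
inp_flags_disjoint "$BAD_HDR" || echo "problem: $BAD_HDR"
```

The two constants the note talks about belong to @inp_flags@, so the function only needs to run over that block of defines; any line it prints names a pair whose values must be changed before the kernel is built.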
h3. Install Packages
Our test system was installed using the Developer and Kern-Developer distributions in sysinstall, so additional packages may be required on your system.
The packages required to build strongSwan are as follows:
* vstr
* libgmp
Notes:
* Although FreeBSD supports the GNU-specific @register_printf_function@ function, the implementation in the C library contains a "bug":http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/133776 that prevents it from working in a multi-threaded application. Therefore the *vstr* string library is required.
h2. Building strongSwan
Get the latest tarball and configure strongSwan as follows:
<pre>
./configure --enable-kernel-pfkey --enable-kernel-pfroute --disable-kernel-netlink --enable-vstr \
--disable-tools --disable-scripts --disable-pluto --with-group=wheel --with-lib-prefix=/usr/local
</pre>
h2. Limitations
* Due to the lack of policy-based routes, virtual IPs cannot be used (client-side).
* The kernel-pfroute interface lacks some final tweaks to fully support MOBIKE.