
strongSwan on FreeBSD » History » Version 9

Tobias Brunner, 20.09.2011 16:04
Note about starter added

h1. strongSwan on FreeBSD

With strongSwan 4.3.4 the IKEv2 daemon charon was ported to "FreeBSD":http://www.freebsd.org. There are still some [[FreeBSD#Limitations|limitations]] but it has since been tested by several users (even with an adapted version of our "UML test framework":http://www.strongswan.org/uml-testing.html).

This document describes how to install strongSwan on FreeBSD 8.2 (see older revisions of this page for instructions for previous releases).

h2. Prepare FreeBSD

The generic FreeBSD kernel does not come with IPsec support, so you will have to compile your own kernel.

Fortunately, starting with FreeBSD 8, the NAT Traversal patch is included in the kernel sources, so if you need that feature you don't have to apply any patches yourself.

h3. Build the Kernel

Basic documentation on how to build a custom kernel can be found in the "FreeBSD Handbook":http://www.freebsd.org/doc/handbook/kernelconfig-building.html.

To enable IPsec you'll need to add the following options to your kernel configuration file:

<pre>
options   IPSEC
device    crypto
</pre>

You can verify that your kernel has IPsec support using the following command, which should print a list of IPsec-specific kernel state:

<pre>
/sbin/sysctl -a | grep ipsec
</pre>

If you need NAT Traversal, add the following option to your kernel config:

<pre>
options   IPSEC_NAT_T
</pre>
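
As an added example (not part of the strongSwan wiki or the FreeBSD handbook), a small POSIX sh preflight that checks a kernel configuration file for the options listed above before you spend time on a kernel build; the function name and the two sample configuration files are constructed here for illustration.

```sh
#!/bin/sh
# Added example, not from the strongSwan wiki: verify that a FreeBSD kernel
# configuration file contains the options this page requires before building.
# It only inspects the file given; an "include GENERIC" line is not followed.

# has_line FILE KEYWORD VALUE: true if FILE has "KEYWORD VALUE" as a real
# (not commented-out) line; extra whitespace and trailing comments are allowed.
has_line() {
    grep -Eq "^[[:space:]]*$2[[:space:]]+$3([[:space:]]|#|\$)" "$1"
}

# check_kernel_conf FILE [yes|no]: prints "ok" and returns 0 when every
# required line is present; otherwise prints "missing: ..." and returns 1.
# The second argument "yes" additionally requires IPSEC_NAT_T.
check_kernel_conf() {
    conf="$1"
    need_nat_t="${2:-no}"
    missing=""

    has_line "$conf" options IPSEC  || missing="$missing IPSEC"
    has_line "$conf" device  crypto || missing="$missing crypto"
    if [ "$need_nat_t" = "yes" ]; then
        has_line "$conf" options IPSEC_NAT_T || missing="$missing IPSEC_NAT_T"
    fi

    if [ -n "$missing" ]; then
        echo "missing:$missing"
        return 1
    fi
    echo "ok"
}

# Constructed sample configs (not real system files) to exercise the check.
SAMPLE_OK=$(mktemp)
cat > "$SAMPLE_OK" <<'EOF'
include GENERIC
ident     IPSECKERN
options   IPSEC          # IP security
device    crypto
options   IPSEC_NAT_T
EOF

SAMPLE_BAD=$(mktemp)
cat > "$SAMPLE_BAD" <<'EOF'
include GENERIC
#options  IPSEC
device    crypto
EOF

check_kernel_conf "$SAMPLE_OK" yes            # -> ok
check_kernel_conf "$SAMPLE_BAD" yes || true   # -> missing: IPSEC IPSEC_NAT_T
```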

h3. Install Packages

Our test system was installed using the Developer and Kern-Developer distributions in sysinstall, so additional packages may be required on your system.

The packages required to build strongSwan are as follows:

* libgmp (optional, depending on configuration)
* openssl (optional, depending on configuration)

Notes:
* The "printf-Bug":http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/133776 in earlier FreeBSD releases has been fixed and backported to FreeBSD 8. Thus, the *vstr* string library is not required anymore.

h2. Building strongSwan

Get the "latest tarball":http://www.strongswan.org/download.html and configure strongSwan as follows (this compiles the GMP plugin, so libgmp is required).
For details refer to [[InstallationDocumentation]].

<pre>
./configure --enable-kernel-pfkey --enable-kernel-pfroute --disable-kernel-netlink \
            --disable-tools --disable-scripts --disable-pluto --with-group=wheel
</pre>


h2. Limitations

* Due to the lack of policy-based routes, virtual IPs cannot be used (client-side).
* The kernel-pfroute interface lacks some final tweaks to fully support MOBIKE.

h2. Known Problems

* [[IpsecStarter|Starter]] does not yet use the modular kernel interfaces, thus, when it tries to detect an IPsec stack it fails:
<pre>
Starting strongSwan 4.x.x IPsec [starter]...
no netkey IPsec stack detected
no KLIPS IPsec stack detected
no known IPsec stack detected, ignoring!
</pre>

Fortunately, this detection is not really needed on FreeBSD, so simply ignore this message.