strongSwan on FreeBSD » History » Version 9
Tobias Brunner, 20.09.2011 16:04
Note about starter added
1 | 1 | Tobias Brunner | h1. strongSwan on FreeBSD |
---|---|---|---|
2 | 1 | Tobias Brunner | |
3 | 8 | Tobias Brunner | With strongSwan 4.3.4 the IKEv2 daemon charon was ported to "FreeBSD":http://www.freebsd.org. There are still some [[FreeBSD#Limitations|limitations]], but |
4 | 8 | Tobias Brunner | it has since been tested by several users (even with an adapted version of our "UML test framework":http://www.strongswan.org/uml-testing.html). |
5 | 1 | Tobias Brunner | |
6 | 8 | Tobias Brunner | This document describes how to install strongSwan on FreeBSD 8.2 (see older revisions of this page for instructions for previous releases). |
7 | 1 | Tobias Brunner | |
8 | 1 | Tobias Brunner | h2. Prepare FreeBSD |
9 | 1 | Tobias Brunner | |
10 | 1 | Tobias Brunner | The GENERIC FreeBSD kernel is built without IPsec support, so you will have to build a custom kernel. |
11 | 1 | Tobias Brunner | |
12 | 8 | Tobias Brunner | Fortunately, starting with FreeBSD 8, the NAT Traversal patch is included in the kernel sources, so if you need that feature you don't |
13 | 8 | Tobias Brunner | have to apply any patches yourself. |
14 | 8 | Tobias Brunner | |
15 | 3 | Tobias Brunner | h3. Build the Kernel |
16 | 1 | Tobias Brunner | |
17 | 8 | Tobias Brunner | Basic documentation on how to build a custom kernel can be found in the "FreeBSD Handbook":http://www.freebsd.org/doc/handbook/kernelconfig-building.html. |
18 | 3 | Tobias Brunner | |
19 | 8 | Tobias Brunner | To enable IPsec you'll need to add the following options to your kernel configuration file: |
20 | 1 | Tobias Brunner | |
21 | 1 | Tobias Brunner | <pre> |
22 | 1 | Tobias Brunner | options IPSEC |
23 | 1 | Tobias Brunner | device crypto |
24 | 1 | Tobias Brunner | </pre> |
25 | 1 | Tobias Brunner | |
26 | 8 | Tobias Brunner | You can verify that the running kernel has IPsec support using the following command, which should print the IPsec-specific kernel state (the @net.inet.ipsec@ sysctl branch). If it prints nothing, you are still running a kernel without IPsec; @uname -i@ shows the ident of the running kernel. |
27 | 2 | Tobias Brunner | |
28 | 3 | Tobias Brunner | <pre> |
29 | 3 | Tobias Brunner | /sbin/sysctl -a | grep ipsec |
30 | 1 | Tobias Brunner | </pre> |
31 | 1 | Tobias Brunner | |
32 | 8 | Tobias Brunner | If you need NAT Traversal, add the following option to your kernel config: |
33 | 1 | Tobias Brunner | |
34 | 7 | Tobias Brunner | <pre> |
35 | 7 | Tobias Brunner | options IPSEC_NAT_T |
36 | 1 | Tobias Brunner | </pre> |
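The three steps above (add the options, build and install the kernel, check the running kernel) as one script. This is an added example, not code from the strongSwan wiki or the strongSwan project. It assumes the sources in @/usr/src@, the conf directory @sys/$(uname -m)/conf@ and a configuration named @IPSEC@ (all overridable through the environment; @NAT_T=no@ leaves out @IPSEC_NAT_T@); the file name @build-ipsec-kernel.sh@ is hypothetical. The ident of the new configuration is rewritten so that @uname -i@ tells the rebuilt kernel apart from GENERIC after the reboot, and the sysctl check looks for the @net.inet.ipsec@ branch that only a kernel built with @options IPSEC@ exposes.

```shell
#!/bin/sh
# Added example, not taken from the strongSwan wiki or the strongSwan project:
# derive a kernel configuration with IPsec (and NAT-T) from GENERIC, build and
# install it, and verify the running kernel afterwards.
# Assumptions (all overridable via the environment): sources in /usr/src, the
# conf directory sys/$(uname -m)/conf, a config named IPSEC; NAT_T=no drops
# IPSEC_NAT_T. The net.inet.ipsec sysctl branch is only present in a kernel
# built with 'options IPSEC'.
set -eu

SRC=${SRC:-/usr/src}
ARCH=${ARCH:-$(uname -m)}
KERNCONF=${KERNCONF:-IPSEC}
NAT_T=${NAT_T:-yes}

# The kernel options the page lists, one per line.
ipsec_options() {
    printf '%s\n' 'options IPSEC' 'device crypto'
    if [ "$NAT_T" = yes ]; then
        printf '%s\n' 'options IPSEC_NAT_T'
    fi
}

# Write a new configuration ($2) from a base configuration ($1): the ident
# becomes the new config name (so 'uname -i' later tells the kernels apart)
# and each required line is appended only if it is not already there.
make_kernconf() {
    name=$(basename "$2")
    sed "s/^ident[[:space:]].*/ident $name/" "$1" > "$2"
    ipsec_options | while IFS= read -r line; do
        grep -qxF "$line" "$2" || printf '%s\n' "$line" >> "$2"
    done
}

# Print the required lines missing from a configuration ($1); returns 0 if
# the file is complete, 1 otherwise.
missing_options() {
    missing=$(ipsec_options | while IFS= read -r line; do
        grep -qxF "$line" "$1" || printf '%s\n' "$line"
    done)
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# Read 'sysctl -a' output on stdin and succeed only if the IPsec variables
# are present. On the target host: sysctl -a | has_ipsec_sysctl
has_ipsec_sysctl() {
    grep -q '^net\.inet\.ipsec\.'
}

build_kernel() {
    conf_dir="$SRC/sys/$ARCH/conf"
    make_kernconf "$conf_dir/GENERIC" "$conf_dir/$KERNCONF"
    missing_options "$conf_dir/$KERNCONF"
    (cd "$SRC" && make buildkernel KERNCONF="$KERNCONF" && make installkernel KERNCONF="$KERNCONF")
    echo "Kernel $KERNCONF installed. Reboot, then check: uname -i; sysctl -a | grep ipsec"
}

# Run as 'sh build-ipsec-kernel.sh build' (hypothetical file name) to build.
if [ "${1:-}" = build ]; then
    build_kernel
fi
```

Running the script without the @build@ argument only defines the functions, so the same file can be sourced on the rebuilt host to run @sysctl -a | has_ipsec_sysctl@ as the post-reboot check.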
37 | 7 | Tobias Brunner | |
38 | 7 | Tobias Brunner | h3. Install Packages |
39 | 1 | Tobias Brunner | |
40 | 7 | Tobias Brunner | Our test system was installed using the Developer and Kern-Developer distributions in sysinstall, so additional packages may be required on your system. |
41 | 1 | Tobias Brunner | |
42 | 1 | Tobias Brunner | The packages required to build strongSwan are as follows: |
43 | 1 | Tobias Brunner | |
44 | 8 | Tobias Brunner | * libgmp (port @math/gmp@; optional, depending on configuration) |
45 | 8 | Tobias Brunner | * openssl (optional, depending on configuration) |
46 | 5 | Tobias Brunner | |
47 | 1 | Tobias Brunner | Notes: |
48 | 8 | Tobias Brunner | * The "printf-Bug":http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/133776 in earlier FreeBSD releases has been fixed and backported to FreeBSD 8. Thus, the *vstr* string library is not required anymore. |
49 | 5 | Tobias Brunner | |
50 | 1 | Tobias Brunner | h2. Building strongSwan |
51 | 1 | Tobias Brunner | |
52 | 8 | Tobias Brunner | Get the "latest tarball":http://www.strongswan.org/download.html, verify its PGP signature (a detached @.sig@ file is published next to each release), and configure strongSwan as follows (this compiles the GMP plugin, so libgmp is required). @--enable-kernel-pfkey@ and @--enable-kernel-pfroute@ select the PF_KEY and PF_ROUTE kernel interfaces charon uses on FreeBSD, @--disable-kernel-netlink@ drops the Linux-only Netlink interface, and @--disable-pluto@ leaves out the IKEv1 daemon pluto (only charon was ported). |
53 | 8 | Tobias Brunner | For details refer to [[InstallationDocumentation]]. |
54 | 1 | Tobias Brunner | |
55 | 1 | Tobias Brunner | <pre> |
56 | 8 | Tobias Brunner | ./configure --enable-kernel-pfkey --enable-kernel-pfroute --disable-kernel-netlink \ |
57 | 8 | Tobias Brunner | --disable-tools --disable-scripts --disable-pluto --with-group=wheel |
58 | 1 | Tobias Brunner | </pre> |
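The download, signature check and configure step as one script. This is an added example, not code from the strongSwan wiki or the strongSwan project. It assumes the release files live at @http://download.strongswan.org/strongswan-<VERSION>.tar.bz2@ with the signature at @.tar.bz2.sig@ (an assumed URL layout), uses @fetch(1)@ from the FreeBSD base system, and expects the fingerprint of the release signing key in @STRONGSWAN_KEY_FPR@, obtained and checked out of band (it is deliberately not hard-coded). The signature check parses gpg's machine-readable @--status-fd@ output and accepts only a @VALIDSIG@ line from the pinned key; a plain @GOODSIG@ is reported for any key that happens to be in the keyring, which is not the check you want for a tarball you are about to install as root.

```shell
#!/bin/sh
# Added example, not taken from the strongSwan wiki or the strongSwan project:
# fetch a release tarball with its detached signature, accept it only if gpg
# reports a valid signature from a pinned key, then configure strongSwan with
# the FreeBSD options from the page.
# Assumptions: the URL layout http://download.strongswan.org/strongswan-<VERSION>
# .tar.bz2 and .tar.bz2.sig; fetch(1) from the FreeBSD base system; the
# fingerprint of the release signing key in STRONGSWAN_KEY_FPR, obtained and
# checked out of band (it is deliberately not hard-coded here).
set -eu

VERSION=${VERSION:-}
BASE_URL=${BASE_URL:-http://download.strongswan.org}
KEY_FPR=${STRONGSWAN_KEY_FPR:-}

# The configure options from the page, one per line.
configure_args() {
    printf '%s\n' --enable-kernel-pfkey --enable-kernel-pfroute --disable-kernel-netlink \
        --disable-tools --disable-scripts --disable-pluto --with-group=wheel
}

# Read gpg's machine-readable status lines (--status-fd) on stdin and succeed
# only for a VALIDSIG whose signing-key or primary-key fingerprint equals $1.
# GOODSIG alone is not enough: it is reported for any key in the keyring, so a
# stray key someone imported would pass.
sig_matches_key() {
    awk -v want="$1" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $NF == want) { ok = 1 }
        END { exit (ok ? 0 : 1) }'
}

# Download strongswan-$1.tar.bz2 and its .sig into the current directory and
# verify the signature against the pinned key.
fetch_and_verify() {
    [ -n "$KEY_FPR" ] || { echo "set STRONGSWAN_KEY_FPR to the release key fingerprint" >&2; return 1; }
    tarball="strongswan-$1.tar.bz2"
    fetch -o "$tarball" "$BASE_URL/$tarball"
    fetch -o "$tarball.sig" "$BASE_URL/$tarball.sig"
    gpg --status-fd 1 --verify "$tarball.sig" "$tarball" | sig_matches_key "$KEY_FPR"
}

build_strongswan() {
    [ -n "$VERSION" ] || { echo "set VERSION to the release shown on the download page" >&2; return 1; }
    fetch_and_verify "$VERSION"
    tar xjf "strongswan-$VERSION.tar.bz2"
    cd "strongswan-$VERSION"
    ./configure $(configure_args)   # word splitting intended: one option per word
    make
    make install
}

# Run as 'VERSION=... STRONGSWAN_KEY_FPR=... sh build-strongswan.sh build'
# (hypothetical file name) to fetch, verify, configure and install.
if [ "${1:-}" = build ]; then
    build_strongswan
fi
```

Because @set -e@ is in effect and the pipeline's status is that of @sig_matches_key@, a missing, corrupt or wrongly signed tarball stops the script before @tar@ ever touches it.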
59 | 1 | Tobias Brunner | |
60 | 1 | Tobias Brunner | |
61 | 1 | Tobias Brunner | h2. Limitations |
62 | 1 | Tobias Brunner | |
63 | 1 | Tobias Brunner | * Due to the lack of policy-based routes, virtual IPs cannot be used (client-side). |
64 | 2 | Tobias Brunner | * The kernel-pfroute interface lacks some final tweaks to fully support MOBIKE. |
65 | 9 | Tobias Brunner | |
66 | 9 | Tobias Brunner | h2. Known Problems |
67 | 9 | Tobias Brunner | |
68 | 9 | Tobias Brunner | * [[IpsecStarter|Starter]] does not yet use the modular kernel interfaces, so its IPsec stack detection (which only knows the Linux stacks) fails: |
69 | 9 | Tobias Brunner | <pre> |
70 | 9 | Tobias Brunner | Starting strongSwan 4.x.x IPsec [starter]... |
71 | 9 | Tobias Brunner | no netkey IPsec stack detected |
72 | 9 | Tobias Brunner | no KLIPS IPsec stack detected |
73 | 9 | Tobias Brunner | no known IPsec stack detected, ignoring! |
74 | 9 | Tobias Brunner | </pre> Fortunately, this detection is not needed on FreeBSD, where charon talks to the kernel through its kernel-pfkey and kernel-pfroute plugins, so simply ignore this message. |