Project

General

Profile

History

strongSwan Installation Documentation ยป

Required Kernel Modules

Include the following modules:

 Networking  --->
  Networking options  --->
    Transformation user configuration interface [CONFIG_XFRM_USER]
    PF_KEY sockets [CONFIG_NET_KEY]
    TCP/IP networking [CONFIG_INET]
      IP: advanced router [CONFIG_IP_ADVANCED_ROUTER]
      IP: policy routing [CONFIG_IP_MULTIPLE_TABLES]
      IP: AH transformation [CONFIG_INET_AH]
      IP: ESP transformation [CONFIG_INET_ESP]
      IP: IPComp transformation [CONFIG_INET_IPCOMP]
      IP: IPsec transport mode [CONFIG_INET_XFRM_MODE_TRANSPORT]
      IP: IPsec tunnel mode [CONFIG_INET_XFRM_MODE_TUNNEL]
      IP: IPsec BEET mode [CONFIG_INET_XFRM_MODE_BEET]
    The IPv6 protocol ---> [CONFIG_IPV6]
      IPv6: AH transformation [CONFIG_INET6_AH]
      IPv6: ESP transformation [CONFIG_INET6_ESP]
      IPv6: IPComp transformation [CONFIG_INET6_IPCOMP]
      IPv6: IPsec transport mode [CONFIG_INET6_XFRM_MODE_TRANSPORT]
      IPv6: IPsec tunnel mode [CONFIG_INET6_XFRM_MODE_TUNNEL]
      IPv6: IPsec BEET mode [CONFIG_INET6_XFRM_MODE_BEET]
      IPv6: Multiple Routing Tables  [CONFIG_IPV6_MULTIPLE_TABLES]
    Network packet filtering framework (Netfilter) ---> [CONFIG_NETFILTER]
      Core Netfilter Configuration --->
        Netfilter Xtables support [CONFIG_NETFILTER_XTABLES]
          IPsec "policy" match support [CONFIG_NETFILTER_XT_MATCH_POLICY]
 Cryptographic API
   Select algorithms you want to use...
   Encrypted Chain IV Generator [CRYPTO_ECHAINIV]

Note: For kernel versions 4.2-4.5 you will have to select Encrypted Chain IV Generator manually in order to use any encryption algorithm in CBC mode.

List of the names of required modules

Make sure you have the following modules loaded when you try to establish a tunnel:

ah4
ah6
esp4
esp6
xfrm4_tunnel
xfrm6_tunnel
xfrm_user
ip_tunnel
tunnel
tunnel6
xfrm4_mode_tunnel
xfrm6_mode_tunnel

Optional modules

pcrypt
xfrm_ipcomp
deflate

For information about pcrypt, see the page about pcrypt.
If you want to use compression (compress=yes), you need the xfrm_ipcomp module and the deflate module for the compression algorithm.

Shell script to check Required Kernel Modules

#!/bin/sh
grep '\<CONFIG_XFRM_USER\>' /boot/config-`uname -r`
grep '\<CONFIG_NET_KEY\>' /boot/config-`uname -r`
grep '\<CONFIG_INET\>' /boot/config-`uname -r`
grep '\<CONFIG_IP_ADVANCED_ROUTER\>' /boot/config-`uname -r`
grep '\<CONFIG_IP_MULTIPLE_TABLES\>' /boot/config-`uname -r`
grep '\<CONFIG_INET_AH\>' /boot/config-`uname -r`
grep '\<CONFIG_INET_ESP\>' /boot/config-`uname -r`
grep '\<CONFIG_INET_IPCOMP\>' /boot/config-`uname -r`
grep '\<CONFIG_INET_XFRM_MODE_TRANSPORT\>' /boot/config-`uname -r`
grep '\<CONFIG_INET_XFRM_MODE_TUNNEL\>' /boot/config-`uname -r`
grep '\<CONFIG_INET_XFRM_MODE_BEET\>' /boot/config-`uname -r`
grep '\<CONFIG_IPV6\>' /boot/config-`uname -r`
grep '\<CONFIG_INET6_AH\>' /boot/config-`uname -r`
grep '\<CONFIG_INET6_ESP\>' /boot/config-`uname -r`
grep '\<CONFIG_INET6_IPCOMP\>' /boot/config-`uname -r`
grep '\<CONFIG_INET6_XFRM_MODE_TRANSPORT\>' /boot/config-`uname -r`
grep '\<CONFIG_INET6_XFRM_MODE_TUNNEL\>' /boot/config-`uname -r`
grep '\<CONFIG_INET6_XFRM_MODE_BEET\>' /boot/config-`uname -r`
grep '\<CONFIG_IPV6_MULTIPLE_TABLES\>' /boot/config-`uname -r`
grep '\<CONFIG_NETFILTER\>' /boot/config-`uname -r`
grep '\<CONFIG_NETFILTER_XTABLES\>' /boot/config-`uname -r`
grep '\<CONFIG_NETFILTER_XT_MATCH_POLICY\>' /boot/config-`uname -r`