strongSwan

= strongSwan User Documentation =

== Features ==

  * [wiki:VirtualIp Virtual IP] via mode-config (IKEv1) or configuration payload (IKEv2)

  * [wiki:NatTraversal NAT Traversal]

  * [wiki:MobIke MOBIKE]

=== FAQ ===

'''Q:''' ''I'm trying to set up a VPN tunnel with a ZyXELL/Linksys/X router but the other side keeps on telling me "no proposal chosen" when strongSwan initiates the connection.''

'''A:''' Make sure that the peer supports all the algorithms (including the key lengths) which strongSwan proposes for IKE and ESP. In terms of IKE, the proposal consists of the following parts: Encryption algorithm, hash algorithm (PRF) and DH group. In terms of ESP the proposal includes the following: Encryption algorithm, hash algorithm, pfs group (DH group) and '''compression algorithm'''. There are lots of IPSec implementations out there that do '''not''' support compression or have implemented it erronously. So the first thing to try in this situation is to switch compression off on the peer. strongSwan's default setting is

{{{

compress=no

}}} 

See also Chapter [http://www.strongswan.org/docs/readme4.htm#section_14.1 14.1 Authentication and encryption algorithms] of the strongSwan documentation. It has good information about the relevant parameters.

=== Interoperability ===

 * [wiki:WindowsVista Windows Vista]

== Installation ==

=== Autoconf Options ===

strongSwan can be built with the following '''./configure''' options:

''--prefix=PREFIX''

    where to put installation [''/usr/local'']. Most Linux distributions use ''"/usr"''.

''--libexecdir=DIR''

    program executables [''PREFIX/libexec'']

''--sysconfdir=DIR''

    where to put configuration files [''PREFIX/etc'']. We strongly recommend ''"/etc"''.

''--enable-cisco-quirks''

    enable support of Cisco VPN client [''no''].

''--enable-dbus''

    enable DBUS configuration and control interface [''no'']. Requires libdbus.

''--enable-eap-sim''

    build SIM authentication module for EAP [''no''].

''--enable-http''

    enable OCSP and fetching of certificates and CRLs over HTTP [''no'']. Requires libcurl.

''--enable-integrity-test''

    enable the integrity test of the crypto library [''no''].

''--enable-ldap''

    enable fetching of CRLs from LDAP [''no'']. Requires OpenLDAP.

''--enable-leak-detective''

    enable malloc hooks to find memory leaks [''no''].

''--enable-nat-transport''

    enable NAT traversal with IPsec transport mode [''no''].

''--enable-smartcard''

    enable smartcard support [''no''].

''--enable-uml''

    build the UML test framework [''no''].

''--enable-xml''  

    enable XML configuration and control interface [''no'']. Requires libxml.

''--disable-self-test''

    disable the self-test of the crypto library [''no''].

''--disable-vendor-id''

    disable the sending of the strongSwan vendor ID [''no''].  

''--with-backenddir=DIR''

    path for pluggable configuration backend modules [''IPSECDIR/plugins/backends'']

''--with-default-pkcs11=LIB''

    set the default PKCS11 library [''/usr/lib/opensc-pkcs11.so'']

''--with-eapdir=DIR''

    path for pluggable EAP modules [''IPSECDIR/plugins/eap'']

''--with-gid=GID''

    change group of the daemons to GID after startup [''0'']

''--with-interfacedir=DIR''

    path for pluggable control interface modules [''IPSECDIR/plugins/interfaces'']

''--with-ipsecdir=DIR''

    installation path for ipsec tools [''LIBEXECDIR/ipsec'']

''--with-linux-headers=DIR''

    linux header files to be used [''../include'']

''--with-piddir=DIR''

    path for PID and UNIX socket files [''/var/run'']

''--with-random-device=DEV''

    set the device for true random data [''/dev/random'']

''-with-resolv-conf=FILE''

   set the file to store DNS server information [''SYSCONFDIR/resolv.conf'']

''--with-routing-table=NUM''

    routing table for IPsec source routes [''220'']

''--with-routing-table-prio=PRIO''

    priority for IPsec routing table [''220'']

''--with-sim-reader=LIB''

    library containing the sim_run_alg() function for EAP-SIM []

''--with-uid=UID''

    change user of the daemons to UID after startup [''0'']

''--with-urandom-device=DEV''

    set the device for pseudo random data [''/dev/urandom'']

''--with-xauth-module=LIB''

    set the path to the XAUTH module []