strongSwan on Windows
Starting with 5.2.0, strongSwan can be built for the Windows platform using the MinGW toolchain. Supported are Windows 7 / Server 2008 R2 and newer releases. Older versions are unlikely to ever get supported, as they have some IPsec API limitations.
- Besides some other limitations, the kernel-iph networking backend currently does not support the installation of virtual IP addresses. Such addresses are usually assigned to road-warrior clients, making the strongSwan Windows port unusable as a client for this particular scenario.
- The socket-win socket plugin by default binds to UDP ports 500 and 4500. To receive any packets, the Windows native IKE service must be disabled by stopping/disabling the IKEEXT service. If you see any WFP MM failure errors, the IKEEXT service is probably running.
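A pre-flight check for the IKEEXT conflict described above, as an added example that is not part of the strongSwan project. It assumes an elevated PowerShell 5 or newer on Windows 8 / Server 2012 or later (Get-NetUDPEndpoint and the StartType property are not available on Windows 7, where netstat -ano -p udp can be used instead).

```powershell
# Added example (not strongSwan project code): verify that the native Windows IKE
# service is out of the way and that UDP 500/4500 are free before starting charon-svc.
# Assumes elevated PowerShell 5+ on Windows 8 / Server 2012 or newer.
function Test-StrongSwanPreflight {
    [CmdletBinding()]
    param(
        [int[]]$Ports = @(500, 4500),   # ports socket-win binds by default
        [switch]$Fix                    # stop and disable IKEEXT if it is still active
    )
    $ok = $true

    $svc = Get-Service -Name IKEEXT -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        Write-Warning "IKEEXT service not found on this system"
    } elseif ($svc.Status -ne 'Stopped' -or $svc.StartType -ne 'Disabled') {
        Write-Warning ("IKEEXT is {0} (start type {1}); charon-svc would report WFP MM failures" -f
            $svc.Status, $svc.StartType)
        if ($Fix) {
            Stop-Service -Name IKEEXT -Force
            Set-Service  -Name IKEEXT -StartupType Disabled
            Write-Host "IKEEXT stopped and disabled"
        } else {
            $ok = $false
        }
    }

    # Anything else still bound to the IKE ports also keeps socket-win from receiving packets.
    foreach ($ep in Get-NetUDPEndpoint -LocalPort $Ports -ErrorAction SilentlyContinue) {
        $proc = Get-Process -Id $ep.OwningProcess -ErrorAction SilentlyContinue
        Write-Warning ("UDP port {0} already bound by PID {1} ({2})" -f
            $ep.LocalPort, $ep.OwningProcess, $proc.ProcessName)
        $ok = $false
    }
    return $ok
}

# Report only; add -Fix to stop and disable IKEEXT in the same run.
Test-StrongSwanPreflight
```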
strongSwan has a large codebase, and not all functionality has been ported to Windows. Besides the libstrongswan, libhydra and libcharon core libraries, the libtls and libtnccs libraries are known to work under Windows. The following plugins are supported in Windows builds:
- mysql and sqlite
- eap-tls and eap-ttls
- eap-tnc using tnccs-2.0
- tnc-imv with imv-os and imv-attestation
- tnc-imc with imc-os and imc-attestation
- ext-auth (since 5.2.1)
- updown (since 5.2.1)
Many additional plugins might work without or with minor modifications, but have not yet been tested extensively.
Windows specific components
Specifically for the Windows port, the following components have been introduced:
| Component | Description |
|---|---|
| charon-svc | Windows IKE service using libcharon |
| socket-win | IKE socket implementation using Winsock2 API |
| winhttp | HTTP/HTTPS CRL/OCSP fetcher using WinHTTP API |
| kernel-iph | Networking backend using IP Helper API |
| kernel-wfp | Interface to native Windows IPsec backend in the Windows Filtering Platform |
There are no hard third party dependencies on the Windows platform, as strongSwan uses a native (non-pthread) threading backend on Windows. You'll need a working crypto backend, though, and OpenSSL is known to work fine. Other crypto backends have not yet been tested; future releases might include a native Windows crypto backend.
Toolchain
There are two ways to build strongSwan for the Windows platform:
- Using MinGW on Unix to cross-compile strongSwan for Windows
- Using MinGW on Windows to build a native strongSwan
The first option is usually simpler and recommended when building from Git sources.
The port has been done using the MinGW-W64 toolchain. Other compilers are currently not supported. Using Visual C compilers is not an option in the near future, as we heavily use some C99 features which MSVC does not support.
Note: In pre-3.2.0 MinGW-W64 releases, there is a bug in one of the required system headers. Apply the patch provided with the kernel-wfp sources to fix it. Newer releases have these changes included. strongSwan 5.2.2 requires at least MinGW-W64 3.2.0 to properly handle TryAcquireSRWLockExclusive (MinGW builds having GCC 4.9.1 should have that fix).
In strongSwan 5.2.0, only monolithic builds are supported, hence pass `--enable-monolithic` to ./configure.
Both x86_64 and i686 build variants are supported. The 32-bit build variants have been tested less extensively, though.
As many of the strongSwan default plugins are not supported, it is recommended to pass `--disable-defaults` to ./configure, and enable the specific options as required. A minimal set of ./configure options could look like:

```sh
CFLAGS="-g -O2 -Wall -Wno-pointer-sign -Wno-format-security \
  -Wno-format -mno-ms-bitfields \
  -I/c/path/to/openssl/include" \
LDFLAGS="-L/c/path/to/openssl/lib" \
./configure --disable-defaults --enable-monolithic --enable-static \
  --enable-svc --enable-ikev2 --enable-ikev1 \
  --enable-nonce --enable-pem --enable-pkcs1 \
  --enable-x509 --enable-openssl --enable-socket-win \
  --enable-kernel-wfp --enable-kernel-iph --enable-pubkey \
  --enable-swanctl --with-swanctldir=swanctl \
  --with-strongswan-conf=strongswan.conf
```
Windows native build
First install MinGW-W64, preferably using the installer. The 4.8.1 version is known to work fine using the x64 Architecture and native win32 threading.
To run ./configure, you'll need MSYS, for example by using the MinGW-W64 MSYS builds. After extracting the .zip file, invoke msys.bat and run `sh /postinstall/pi.sh` to complete the installation.
Use this shell to ./configure and build strongSwan.
Unix cross-compile build
After installing the MinGW-W64 toolchain and the Windows system headers for your distribution, add `--host=x86_64-w64-mingw32` or, for 32-bit builds, `--host=i686-w64-mingw32` to ./configure to enable cross-compilation.
To extract the binaries, you may use make install with a specific DESTDIR, or manually copy the required binaries from the .libs subdirectories. A future version hopefully provides a more convenient way to create a redistributable binary package.