path: root/INSTALL
Diffstat (limited to 'INSTALL')
-rw-r--r--  INSTALL  249
1 files changed, 249 insertions, 0 deletions
diff --git a/INSTALL b/INSTALL
new file mode 100644
index 000000000..0ed541936
--- /dev/null
+++ b/INSTALL
@@ -0,0 +1,249 @@
+ ---------------------------
+ strongSwan - Installation
+ ---------------------------
+
+
+Contents
+--------
+
+ 1. Required packages
+ 2. Optional packages
+ 2.1 libcurl
+ 2.2 OpenLDAP
+ 2.3 PKCS#11 smartcard library modules
+ 3. Building strongSwan with a Linux 2.4 kernel
+ 4. Updating strongSwan with a Linux 2.4 kernel
+ 5. Building strongSwan with a Linux 2.6 kernel
+
+
+1. Required packages
+ -----------------
+
+ In order to be able to build strongSwan you'll need the GNU Multiprecision
+ Arithmetic Library (GMP) available from http://www.swox.com/gmp/.
+
+ The libgmp library and the corresponding header file gmp.h are usually
+ included in the form of one or two packages in the major Linux
+ distributions (SuSE: gmp; Debian unstable: libgmp3, libgmp3-dev).
+
+
+2. Optional packages
+ -----------------
+
+2.1 libcurl
+ -------
+
+ If you intend to dynamically fetch Certificate Revocation Lists (CRLs)
+ from an HTTP server or as an alternative want to use the Online
+ Certificate Status Protocol (OCSP) then you will need the libcurl library
+ available from http://curl.haxx.se/.
+
+ In order to keep the library as compact as possible for use with strongSwan
+ you can build libcurl from the sources with the optimized options
+
+ ./configure --prefix=<dir> --without-ssl \
+ --disable-ldap --disable-telnet \
+ --disable-dict --disable-gopher \
+ --disable-debug \
+ --enable-nonblocking --enable-thread
+
+ As an alternative you can use the ready-made packages included with your
+ favorite Linux distribution (SuSE: curl, curl-devel).
+
+ In order to activate the use of the libcurl library in strongSwan you must
+ set the USE_LIBCURL option in "Makefile.inc":
+
+ # include libcurl support (CRL fetching, OCSP and SCEP)
+ USE_LIBCURL?=true
+
+ Under Gentoo emerge strongSwan with
+
+ USE="curl -ssl" emerge strongswan
+
+
+2.2 OpenLDAP
+ --------
+
+ If you intend to dynamically fetch Certificate Revocation Lists (CRLs)
+ from an LDAP server then you will need the libldap library available
+ from http://www.openldap.org/.
+
+ OpenLDAP is usually included with your Linux distribution. You will need
+ both the run-time and development environments (SuSE: openldap2,
+ openldap2-devel).
+
+ In order to activate the use of the libldap library in strongSwan you must
+ set the USE_LDAP option in "Makefile.inc":
+
+ # include LDAP support (CRL fetching)
+ USE_LDAP?=true
+
+ Depending upon whether your LDAP server understands the V3 (preferred) or
+ V2 LDAP protocol, uncomment one ot the two following lines:
+
+ # Uncomment to enable dynamic CRL fetching using LDAP V3
+ LDAP_VERSION=3
+ # Uncomment to enable dynamic CRL fetching using LDAP V2
+ #LDAP_VERSION=2
+
+ The latest OpenLDAP releases use the LDAP V3 protocol, whereas older
+ versions require LDAP V2.
+
+ Under Gentoo emerge strongSwan with
+
+ USE="ldap -ssl" emerge strongswan
+
+
+2.3 PKCS#11 smartcard library modules
+ ---------------------------------
+
+ If you want to securely store your X.509 certificates and private RSA keys
+ on a smart card or a USB crypto token then you will need a PKCS #11 library
+ for the smart card of your choice. The OpenSC PKCS#11 library (use
+ versions >= 0.9.4) available from http://www.opensc.org/ supports quite a
+ selection of cards and tokens (e.g. Aladdin eToken Pro32k, Schlumberger
+ Cryptoflex e-gate, Oberthur AuthentIC, etc.) but requires that a PKCS#15
+ directory structure be present on the smart card. But in principle
+ any other PKCS#11 library could be used since the PKCS#11 API hides the
+ internal data representation on the card.
+
+ For USB crypto token support you must add the OpenCT driver library
+ (version >= 0.6.2) from the OpenSC site, whereas for serial smartcard
+ readers you'll need the pcsc-lite library and the matching driver from the
+ M.U.S.C.L.E project http://www.linuxnet.com/ .
+
+ In order to activate the PKCS#11-based smartcard support in strongSwan
+ you must set the USE_SMARTCARD option in "Makefile.inc":
+
+ #include PKCS11-based smartcard support
+ USE_SMARTCARD?=true
+
+ During compilation no externel smart card libraries must be present.
+ strongSwan directly references a copy of the standard RSAREF pkcs11.h
+ header files stored in the pluto/rsaref sub directory. During compile
+ time a pathname to a default PKCS#11 dynamical library can be specified
+ in "Makefile.inc"
+
+ # Uncomment this line if using OpenSC <= 0.9.6
+ PKCS11_DEFAULT_LIB=\"/usr/lib/pkcs11/opensc-pkcs11.so\"
+ # Uncomment tis line if using OpenSC >= 0.10.0
+ #PKCS11_DEFAULT_LIB=\"usr/lib/opensc-pkcs11.so\"
+
+ This default path to the easily-obtainable OpenSC library module can be
+ simply overridden during run-time by specifying an alternative path in
+ ipsec.conf pointing to any dynamic PKCS#11 library of your choice.
+
+ config setup
+ pkcs11module="/usr/lib/xyz-pkcs11.so"
+
+ Under Gentoo emerge strongSwan with
+
+ USE="smartcard usb -pam -X" emerge strongswan
+
+
+3. Building strongSwan with a Linux 2.4 kernel
+ -------------------------------------------
+
+ * Building strongSwan with a Linux 2.4 kernel requires the presence of the
+ matching kernel sources referenced via the symbolic link /usr/src/linux.
+ The use of the vanilla kernel sources from ftp.kernel.org is strongly
+ recommended.
+
+ Before building strongSwan you must have compiled the kernel sources at
+ least once:
+
+ make menuconfig; make dep; make bzImage; make modules
+
+ * Now change into the strongswan-2.x.x source directory.
+
+ First uncomment any desired compile options in "programs/pluto/Makefile"
+ (see section 2. Optional packages).
+
+ Then in the top source directory type
+
+ make menumod
+
+ This command applies an ESP_IN_UDP encapsulation patch which is required
+ for NAT-Traversal to the kernel sources.
+
+ In the "Networking options" menu set
+
+ <M> IP Security Protocol (strongSwan IPsec)
+
+ in order to build KLIPS as a loadable kernel module "ipsec.o". Do not
+ forget to save the modified configuration file when leaving "menumod".
+
+ The strongSwan userland programs are now automatically built and
+ installed, whereas the ipsec.o kernel module and the crypto modules
+ are only built and must be installed with the command
+
+ make minstall
+
+ * If you intend to use the NAT-Traversal feature then you must compile the
+ patched kernel sources again by executing
+
+ make bzImage
+
+ and then install and boot the modified kernel.
+
+ * Next add your connections to "/etc/ipsec.conf" and start strongSwan with
+
+ ipsec setup start
+
+
+4. Updating strongSwan with a Linux 2.4 kernel
+ -------------------------------------------
+
+ * If you have already successfully installed strongSwan and want to update
+ to a newer version then the following shortcut can be taken:
+
+ First uncomment any desired compile options in "programs/pluto/Makefile"
+ (see section 2. Optional packages).
+
+ Then in the strongwan-2.x.x top directory type
+
+ make programs; make install
+
+ followed by
+
+ make module; make minstall
+
+ * You can then start the updated strongSwan version with
+
+ ipsec setup restart
+
+
+5. Building strongSwan with a Linux 2.6 kernel
+ -------------------------------------------
+
+ * Because the Linux 2.6 kernel comes with a built-in native IPsec stack,
+ you won't need to build the strongSwan kernel modules. Please make sure
+ that the the following Linux 2.6 IPsec kernel modules are available:
+
+ o af_key
+ o ah4
+ o esp4
+ o ipcomp
+ o xfrm_user
+
+ Also the built-in kernel Cryptoapi modules with selected encryption and
+ hash algorithms should be available.
+
+ * First uncomment any desired compile options in "programs/pluto/Makefile"
+ (see section 2. Optional packages).
+
+ Then in the strongwan-2.x.x top directory type
+
+ make programs
+
+ followed by
+
+ make install
+
+ * Next add your connections to "etc/ipsec.conf" and start strongSwan with
+
+ ipsec setup start
+
+-----------------------------------------------------------------------------
+
+This file is RCSID $Id: INSTALL,v 1.8 2006/01/22 16:22:23 as Exp $
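Review bot: the second PKCS#11 default in section 2.3, `#PKCS11_DEFAULT_LIB=\"usr/lib/opensc-pkcs11.so\"`, is a relative path (the leading slash is missing, unlike the OpenSC <= 0.9.6 line directly above it). Since the string contains a slash, dlopen() treats it as a pathname relative to the working directory of pluto rather than searching the library path, so anyone who copies that line gets no module, or whatever happens to sit under that relative path where the daemon was started; it should read `\"/usr/lib/opensc-pkcs11.so\"`. The same slip appears at the end of section 5, `Next add your connections to "etc/ipsec.conf"`, where section 3 correctly says /etc/ipsec.conf. Sections 3, 4 and 5 also tell the reader to "uncomment any desired compile options in "programs/pluto/Makefile"", while section 2 places USE_LIBCURL, USE_LDAP and USE_SMARTCARD in "Makefile.inc"; the two should name the same file. In section 2.3, "During compilation no externel smart card libraries must be present" reads as a prohibition but presumably means that none need to be present, given the following sentence about the bundled pluto/rsaref pkcs11.h copy; suggest "no external smart card libraries need to be present". Remaining typos: "one ot the two" (section 2.2), "Uncomment tis line" (section 2.3), "externel" (section 2.3), and "strongwan-2.x.x" in both sections 4 and 5.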