Diffstat (limited to 'INSTALL')
-rw-r--r-- | INSTALL | 305 |
1 files changed, 117 insertions, 188 deletions
@@ -1,246 +1,175 @@ --------------------------- - strongSwan - Installation + strongSwan - Installation --------------------------- Contents -------- - 1. Required packages - 2. Optional packages - 2.1 libcurl - 2.2 OpenLDAP - 2.3 PKCS#11 smartcard library modules - 3. Building strongSwan with a Linux 2.4 kernel - 4. Updating strongSwan with a Linux 2.4 kernel - 5. Building strongSwan with a Linux 2.6 kernel + 1. Overview + 2. Required packages + 3. Optional packages + 3.1 libcurl + 3.2 OpenLDAP + 3.3 PKCS#11 smartcard library modules + 4. Kernel configuration - -1. Required packages - ----------------- - - In order to be able to build strongSwan you'll need the GNU Multiprecision - Arithmetic Library (GMP) available from http://www.swox.com/gmp/. - - The libgmp library and the corresponding header file gmp.h are usually - included in the form of one or two packages in the major Linux - distributions (SuSE: gmp; Debian unstable: libgmp3, libgmp3-dev). - - -2. Optional packages - ----------------- - -2.1 libcurl - ------- - - If you intend to dynamically fetch Certificate Revocation Lists (CRLs) - from an HTTP server or as an alternative want to use the Online - Certificate Status Protocol (OCSP) then you will need the libcurl library - available from http://curl.haxx.se/. - - In order to keep the library as compact as possible for use with strongSwan - you can build libcurl from the sources with the optimized options - - ./configure --prefix=<dir> --without-ssl \ - --disable-ldap --disable-telnet \ - --disable-dict --disable-gopher \ - --disable-debug \ - --enable-nonblocking --enable-thread - - As an alternative you can use the ready-made packages included with your - favorite Linux distribution (SuSE: curl, curl-devel). 
- - In order to activate the use of the libcurl library in strongSwan you must - set the USE_LIBCURL option in "Makefile.inc": - - # include libcurl support (CRL fetching, OCSP and SCEP) - USE_LIBCURL?=true - - Under Gentoo emerge strongSwan with - - USE="curl -ssl" emerge strongswan - - -2.2 OpenLDAP +1. Overview -------- - If you intend to dynamically fetch Certificate Revocation Lists (CRLs) - from an LDAP server then you will need the libldap library available - from http://www.openldap.org/. - - OpenLDAP is usually included with your Linux distribution. You will need - both the run-time and development environments (SuSE: openldap2, - openldap2-devel). - - In order to activate the use of the libldap library in strongSwan you must - set the USE_LDAP option in "Makefile.inc": + The strongSwan 4.x branch introduces a new build environment featuring + GNU autotools. This should simplify the build process and package + maintenance. + First check for the availability of required packages on your system + (section 2.). You may want to include support for additional features, which + require other packages to be installed (section 3.). + To compile an extracted tarball, run the ./configure script first: - # include LDAP support (CRL fetching) - USE_LDAP?=true + ./configure - Depending upon whether your LDAP server understands the V3 (preferred) or - V2 LDAP protocol, uncomment one ot the two following lines: + You may want to specify some arguments listed in section 3., or see the + available options of the script using "./configure --help". - # Uncomment to enable dynamic CRL fetching using LDAP V3 - LDAP_VERSION=3 - # Uncomment to enable dynamic CRL fetching using LDAP V2 - #LDAP_VERSION=2 + After a successful run of the script, run - The latest OpenLDAP releases use the LDAP V3 protocol, whereas older - versions require LDAP V2. 
+ make - Under Gentoo emerge strongSwan with + followed by - USE="ldap -ssl" emerge strongswan - - -2.3 PKCS#11 smartcard library modules - --------------------------------- - - If you want to securely store your X.509 certificates and private RSA keys - on a smart card or a USB crypto token then you will need a PKCS #11 library - for the smart card of your choice. The OpenSC PKCS#11 library (use - versions >= 0.9.4) available from http://www.opensc.org/ supports quite a - selection of cards and tokens (e.g. Aladdin eToken Pro32k, Schlumberger - Cryptoflex e-gate, Oberthur AuthentIC, etc.) but requires that a PKCS#15 - directory structure be present on the smart card. But in principle - any other PKCS#11 library could be used since the PKCS#11 API hides the - internal data representation on the card. - - For USB crypto token support you must add the OpenCT driver library - (version >= 0.6.2) from the OpenSC site, whereas for serial smartcard - readers you'll need the pcsc-lite library and the matching driver from the - M.U.S.C.L.E project http://www.linuxnet.com/ . - - In order to activate the PKCS#11-based smartcard support in strongSwan - you must set the USE_SMARTCARD option in "Makefile.inc": - - #include PKCS11-based smartcard support - USE_SMARTCARD?=true - - During compilation no externel smart card libraries must be present. - strongSwan directly references a copy of the standard RSAREF pkcs11.h - header files stored in the pluto/rsaref sub directory. 
During compile - time a pathname to a default PKCS#11 dynamical library can be specified - in "Makefile.inc" - - # Uncomment this line if using OpenSC <= 0.9.6 - #PKCS11_DEFAULT_LIB=\"/usr/lib/pkcs11/opensc-pkcs11.so\" - # Uncomment tis line if using OpenSC >= 0.10.0 - PKCS11_DEFAULT_LIB=\"usr/lib/opensc-pkcs11.so\" - - This default path to the easily-obtainable OpenSC library module can be - simply overridden during run-time by specifying an alternative path in - ipsec.conf pointing to any dynamic PKCS#11 library of your choice. - - config setup - pkcs11module="/usr/lib/xyz-pkcs11.so" + make install - Under Gentoo emerge strongSwan with + in the usual manner. - USE="smartcard usb -pam -X" emerge strongswan + To check if your kernel fullfills the requirements, see section 4. + Next add your connections to "/etc/ipsec.conf" and your secrets to + "/etc/ipsec.secrets". Connections that are to be negotiated by the new + IKEv2 charon keying daemon should be designated by "keyexchange=ikev2" and + those by the IKEv1 pluto keying daemon either by "keyexchange=ikev1" or + the default "keyexchange=ike". -3. Building strongSwan with a Linux 2.4 kernel - ------------------------------------------- + At last start strongSwan with - * Building strongSwan with a Linux 2.4 kernel requires the presence of the - matching kernel sources referenced via the symbolic link /usr/src/linux. - The use of the vanilla kernel sources from ftp.kernel.org is strongly - recommended. + ipsec start - Before building strongSwan you must have compiled the kernel sources at - least once: - make menuconfig; make dep; make bzImage; make modules +2. Required packages + ----------------- - * Now change into the strongswan-2.x.x source directory. + In order to be able to build strongSwan you'll need the GNU Multiprecision + Arithmetic Library (GMP) available from http://www.swox.com/gmp/. At least + version 4.1.5 of libgmp is required. 
- First select any desired compile options in "Makefile.inc" (see section 2. - Optional packages). Then in the top source directory type + The libgmp library and the corresponding header file gmp.h are usually + included in the form of one or two packages in the major Linux + distributions (SuSE: gmp; Debian unstable: libgmp3, libgmp3-dev). - make menumod - This command applies an ESP_IN_UDP encapsulation patch which is required - for NAT-Traversal to the kernel sources. +3. Optional packages + ----------------- - In the "Networking options" menu set +3.1 libcurl + ------- - <M> IP Security Protocol (strongSwan IPsec) + If you intend to dynamically fetch Certificate Revocation Lists (CRLs) + from an HTTP server or as an alternative want to use the Online + Certificate Status Protocol (OCSP) then you will need the libcurl library + available from http://curl.haxx.se/. - in order to build KLIPS as a loadable kernel module "ipsec.o". Do not - forget to save the modified configuration file when leaving "menumod". + In order to keep the library as compact as possible for use with strongSwan + you can build libcurl from the sources with the optimized options - The strongSwan userland programs are now automatically built and - installed, whereas the ipsec.o kernel module and the crypto modules - are only built and must be installed with the command + ./configure --prefix=<dir> --without-ssl \ + --disable-ldap --disable-telnet \ + --disable-dict --disable-gopher \ + --disable-debug \ + --enable-nonblocking --enable-thread - make minstall + As an alternative you can use the ready-made packages included with your + favorite Linux distribution (SuSE: curl, curl-devel). - * If you intend to use the NAT-Traversal feature then you must compile the - patched kernel sources again by executing + In order to activate the use of the libcurl library in strongSwan you must + enable the ./configure switch: - make bzImage + ./configure [...] 
--enable-http - and then install and boot the modified kernel. - * Next add your connections to "/etc/ipsec.conf" and your secrets to - "/etc/ipsec.secrets" and start strongSwan with +3.2 OpenLDAP + -------- - ipsec start + If you intend to dynamically fetch Certificate Revocation Lists (CRLs) + from an LDAP server then you will need the libldap library available + from http://www.openldap.org/. + OpenLDAP is usually included with your Linux distribution. You will need + both the run-time and development environments (SuSE: openldap2, + openldap2-devel). -4. Updating strongSwan with a Linux 2.4 kernel - ------------------------------------------- + In order to activate the use of the libldap library in strongSwan you must + enable the ./configure switch: - * If you have already successfully installed strongSwan and want to update - to a newer version then the following shortcut can be taken: + ./configure [...] --enable-ldap - First select any desired compile options in "Makefile.inc" (see section 2. - Optional packages). Then in the strongwan-2.x.x top directory type + LDAP Protocl version 2 is not supported anymore, --enable-ldap uses always + version 3 of the LDAP protocol - make programs; make install - followed by +3.3 PKCS#11 smartcard library modules + --------------------------------- - make module; make minstall + If you want to securely store your X.509 certificates and private RSA keys + on a smart card or a USB crypto token then you will need a PKCS #11 library + for the smart card of your choice. The OpenSC PKCS#11 library (use + versions >= 0.9.4) available from http://www.opensc.org/ supports quite a + selection of cards and tokens (e.g. Aladdin eToken Pro32k, Schlumberger + Cryptoflex e-gate, Oberthur AuthentIC, etc.) but requires that a PKCS#15 + directory structure be present on the smart card. But in principle + any other PKCS#11 library could be used since the PKCS#11 API hides the + internal data representation on the card. 
- * You can then start the updated strongSwan version with + For USB crypto token support you must add the OpenCT driver library + (version >= 0.6.2) from the OpenSC site, whereas for serial smartcard + readers you'll need the pcsc-lite library and the matching driver from the + M.U.S.C.L.E project http://www.linuxnet.com/ . - ipsec restart + In order to activate the PKCS#11-based smartcard support in strongSwan + you must enable the smartcard ./configure switch: + ./configure [...] --enable-smartcard -5. Building strongSwan with a Linux 2.6 kernel - ------------------------------------------- + During compilation no externel smart card libraries must be present. + strongSwan directly references a copy of the standard RSAREF pkcs11.h + header files stored in the pluto/rsaref sub directory. During compile + time a pathname to a default PKCS#11 dynamical library can be specified + with a ./configure flag: - * Because the Linux 2.6 kernel comes with a built-in native IPsec stack, - you won't need to build the strongSwan kernel modules. Please make sure - that the the following Linux 2.6 IPsec kernel modules are available: + ./configure --enable-smartcard --with-default-pkcs11=/path/to/lib.so - o af_key - o ah4 - o esp4 - o ipcomp - o xfrm_user - o xfrm4_tunnel - - Also the built-in kernel Cryptoapi modules with selected encryption and - hash algorithms should be available. + This default path to the easily-obtainable OpenSC library module can be + simply overridden during run-time by specifying an alternative path in + ipsec.conf pointing to any dynamic PKCS#11 library of your choice. - * First select any desired compile options in "Makefile.inc" (see section 2. - Optional packages). Then in the strongwan-2.x.x top directory type + config setup + pkcs11module="/usr/lib/xyz-pkcs11.so" - make programs - followed by +4. Kernel configuration + -------------------- - make install + The strongSwan 4.x series currently support only 2.6 kernels and its + native IPsec stack. 
Please make sure that the following IPsec kernel + modules are available: - * Next add your connections to "/etc/ipsec.conf" and your secrets to - "/etc/ipsec.secrets" and start strongSwan with + o af_key + o ah4 + o esp4 + o ipcomp + o xfrm_user + o xfrm4_tunnel - ipsec start + These may be built into the kernel or as modules. Modules get loaded + automatically at strongSwan startup. ------------------------------------------------------------------------------ + Also the built-in kernel Cryptoapi modules with selected encryption and + hash algorithms should be available. -This file is RCSID $Id: INSTALL,v 1.11 2006/05/19 06:44:17 as Exp $ |
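Review bot: In the new section 3.3, the sentence "This default path to the easily-obtainable OpenSC library module can be simply overridden during run-time" no longer has anything to refer to. The example is now "--with-default-pkcs11=/path/to/lib.so", and the two OpenSC-specific PKCS11_DEFAULT_LIB values from the removed Makefile.inc text are gone. Either use the OpenSC module path as the example value or reword the sentence to "the default path set at configure time". It would also help to ask for an absolute path there, since the removed line PKCS11_DEFAULT_LIB=\"usr/lib/opensc-pkcs11.so\" shows how easily the leading slash is dropped. In section 3.1, the removed USE_LIBCURL comment listed "CRL fetching, OCSP and SCEP", while the new text only names the --enable-http switch; please say which of those features the switch covers. Spelling and grammar in the added lines: "fullfills" should be "fulfills", "Protocl" should be "Protocol", "externel" should be "external", "uses always" should be "always uses", and "series currently support" should be "series currently supports".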