path: root/INSTALL
blob: ff5b2f80cc0c40b9b2d06f61cffba4bc84759fe2 (plain)
                 ---------------------------
                  strongSwan - Installation
                 ---------------------------


Contents
--------

   1. Required packages
   2. Optional packages
   2.1 libcurl
   2.2 OpenLDAP
   2.3 PKCS#11 smartcard library modules
   3. Building strongSwan with a Linux 2.4 kernel
   4. Updating strongSwan with a Linux 2.4 kernel
   5. Building strongSwan with a Linux 2.6 kernel


1. Required packages
   -----------------

   In order to be able to build strongSwan you'll need the GNU Multiprecision
   Arithmetic Library (GMP) available from http://www.swox.com/gmp/.

   The libgmp library and the corresponding header file gmp.h are usually
   included in the form of one or two packages in the major Linux
   distributions (SuSE: gmp; Debian unstable: libgmp3, libgmp3-dev).


2. Optional packages
   -----------------

2.1 libcurl
    -------

   If you intend to dynamically fetch Certificate Revocation Lists (CRLs)
   from an HTTP server, or alternatively want to use the Online
   Certificate Status Protocol (OCSP), then you will need the libcurl library
   available from http://curl.haxx.se/.

   In order to keep the library as compact as possible for use with strongSwan
   you can build libcurl from the sources with the optimized options

       ./configure --prefix=<dir> --without-ssl \
                   --disable-ldap --disable-telnet \
                   --disable-dict --disable-gopher \
                   --disable-debug \
                   --enable-nonblocking --enable-thread

   Note that --without-ssl restricts fetching to plain http:// URLs. This is
   sufficient for CRLs and OCSP responses, which are signed by the issuing CA
   (or its designated responder) and verified by strongSwan before use, so the
   transport itself need not be authenticated.

   As an alternative you can use the ready-made packages included with your
   favorite Linux distribution (SuSE: curl, curl-devel).

   In order to activate the use of the libcurl library in strongSwan you must
   set the USE_LIBCURL option in "Makefile.inc":

       # include libcurl support (CRL fetching, OCSP and SCEP)
       USE_LIBCURL?=true

   Under Gentoo emerge strongSwan with

       USE="curl -ssl" emerge strongswan


2.2 OpenLDAP
    --------

   If you intend to dynamically fetch Certificate Revocation Lists (CRLs)
   from an LDAP server  then you will need the libldap library available
   from http://www.openldap.org/.

   OpenLDAP is usually included with your Linux distribution. You will need
   both the run-time and development environments (SuSE: openldap2,
   openldap2-devel).

   In order to activate the use of the libldap library in strongSwan you must
   set the USE_LDAP option in "Makefile.inc":

       # include LDAP support (CRL fetching)
       USE_LDAP?=true

   Depending upon whether your LDAP server understands the V3 (preferred) or
   V2 LDAP protocol, uncomment one of the two following lines:

       # Uncomment to enable dynamic CRL fetching using LDAP V3
       LDAP_VERSION=3
       # Uncomment to enable dynamic CRL fetching using LDAP V2
       #LDAP_VERSION=2

   The latest OpenLDAP releases use the LDAP V3 protocol, whereas older
   versions require LDAP V2.

   Under Gentoo emerge strongSwan with

       USE="ldap -ssl" emerge strongswan


2.3 PKCS#11 smartcard library modules
    ---------------------------------

   If you want to securely store your X.509 certificates and private RSA keys
   on a smart card or a USB crypto token then you will need a PKCS #11 library
   for the smart card of your choice. The OpenSC PKCS#11 library (use
   versions >= 0.9.4) available from http://www.opensc.org/ supports quite a
   selection of cards and tokens (e.g. Aladdin eToken Pro32k, Schlumberger
   Cryptoflex e-gate, Oberthur AuthentIC, etc.) but requires that a PKCS#15
   directory structure be present on the smart card. In principle, however,
   any other PKCS#11 library could be used since the PKCS#11 API hides the
   internal data representation on the card.

   For USB crypto token support you must add the OpenCT driver library
   (version >= 0.6.2) from the OpenSC site, whereas for serial smartcard
   readers you'll need the pcsc-lite library and the matching driver from the
   M.U.S.C.L.E project http://www.linuxnet.com/.

   In order to activate the PKCS#11-based smartcard support in strongSwan
   you must set the USE_SMARTCARD option in "Makefile.inc":

       #include PKCS11-based smartcard support
       USE_SMARTCARD?=true

   No external smart card libraries need to be present at compile time:
   strongSwan directly references a copy of the standard RSAREF pkcs11.h
   header files stored in the pluto/rsaref sub directory. The pathname of a
   default PKCS#11 dynamic library can be specified at compile time in
   "Makefile.inc":

      # Uncomment this line if using OpenSC <= 0.9.6
      #PKCS11_DEFAULT_LIB=\"/usr/lib/pkcs11/opensc-pkcs11.so\"
      # Uncomment this line if using OpenSC >= 0.10.0
      PKCS11_DEFAULT_LIB=\"/usr/lib/opensc-pkcs11.so\"

   This default path to the easily-obtainable OpenSC library module can be
   simply overridden at run-time by specifying an alternative path in
   ipsec.conf pointing to any dynamic PKCS#11 library of your choice:

   config setup
          pkcs11module="/usr/lib/xyz-pkcs11.so"

   Whatever path is configured is loaded into the pluto daemon, which runs
   as root, so the module file and the directory containing it must be
   writable by root only; a library that another user can replace is a
   root code-execution path, not a smartcard driver.
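   As an added example (this is not part of the strongSwan sources), the
   following POSIX shell script vets the file named by pkcs11module= before
   the daemon loads it: it insists on an absolute, non-symlinked, regular
   ELF file owned by the expected uid (root by default) that neither it nor
   its directory is writable by group or others. Those rules, the uid
   parameter and the demo file names are this example's assumptions; the
   check does not prove the file actually implements PKCS#11.

```shell
#!/bin/sh
# Added example, not part of strongSwan: vet a shared object before pointing
# pkcs11module= at it. The daemon dlopen()s the file as root, so the rules
# below (absolute path, no symlink, regular file, ELF magic, expected owner,
# no group/other write bit on file or directory) are assumptions about what
# a trustworthy module looks like, not a test that it implements PKCS#11.

# writable_by_others MODE -- MODE is the ls(1) mode string, e.g. -rwxr-xr-x;
# character 6 is the group write bit, character 9 the other write bit.
writable_by_others() {
    gw=$(printf '%s' "$1" | cut -c6)
    ow=$(printf '%s' "$1" | cut -c9)
    [ "$gw" = "w" ] || [ "$ow" = "w" ]
}

# owner_and_mode PATH -- prints "UID MODE" using ls -ln (numeric owner),
# which is portable where stat(1) option syntax is not.
owner_and_mode() {
    set -- $(ls -ldn "$1")
    echo "$3 $1"
}

# check_pkcs11_module PATH [EXPECTED_UID]
# Returns 0 when every check passes, 1 otherwise; the reason goes to stdout.
check_pkcs11_module() {
    path=$1
    want_uid=${2:-0}   # root unless the caller says otherwise
    case "$path" in
        /*) ;;
        *)  echo "not an absolute path: $path"; return 1 ;;
    esac
    if [ -L "$path" ]; then
        echo "is a symlink, configure the resolved path instead: $path"; return 1
    fi
    if [ ! -f "$path" ]; then
        echo "not a regular file: $path"; return 1
    fi
    # An ELF object starts with the bytes 7f 45 4c 46 ("\177ELF").
    magic=$(od -An -tx1 -N4 "$path" | tr -d ' \n')
    if [ "$magic" != "7f454c46" ]; then
        echo "not an ELF object (magic $magic): $path"; return 1
    fi
    set -- $(owner_and_mode "$path")
    if [ "$1" != "$want_uid" ]; then
        echo "owned by uid $1, expected $want_uid: $path"; return 1
    fi
    if writable_by_others "$2"; then
        echo "writable by group or others ($2): $path"; return 1
    fi
    # The directory matters too: anyone who can write it can replace the file.
    dir=$(dirname "$path")
    set -- $(owner_and_mode "$dir")
    if [ "$1" != "$want_uid" ] || writable_by_others "$2"; then
        echo "directory $dir is owned by uid $1 with mode $2"; return 1
    fi
    echo "ok: $path"
    return 0
}

# demo_with_constructed_files -- stand-alone run on constructed files in a
# temporary directory, so no real smartcard module is needed. Only the
# properly restricted file should pass.
demo_with_constructed_files() {
    d=$(mktemp -d) || return 1
    me=$(id -u)
    printf '\177ELF\002\001' > "$d/good-pkcs11.so";  chmod 755 "$d/good-pkcs11.so"
    printf '\177ELF\002\001' > "$d/loose-pkcs11.so"; chmod 777 "$d/loose-pkcs11.so"
    printf 'not a shared object\n' > "$d/text-pkcs11.so"; chmod 644 "$d/text-pkcs11.so"
    good=0;  check_pkcs11_module "$d/good-pkcs11.so" "$me"  || good=1
    loose=0; check_pkcs11_module "$d/loose-pkcs11.so" "$me" || loose=1
    text=0;  check_pkcs11_module "$d/text-pkcs11.so" "$me"  || text=1
    rm -rf "$d"
    [ "$good" -eq 0 ] && [ "$loose" -ne 0 ] && [ "$text" -ne 0 ]
}

# Usage: sh check-pkcs11.sh /usr/lib/opensc-pkcs11.so [uid]
# With no arguments the constructed demo runs instead.
if [ $# -ge 1 ]; then
    check_pkcs11_module "$@"
else
    demo_with_constructed_files
fi
```

   Run it as root against the configured path before starting pluto; the
   uid argument exists only so the constructed demo can run unprivileged.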

   Under Gentoo emerge strongSwan with

       USE="smartcard usb -pam -X" emerge strongswan


3. Building strongSwan with a Linux 2.4 kernel
   -------------------------------------------

   * Building strongSwan with a Linux 2.4 kernel requires the presence of the
     matching kernel sources referenced via the symbolic link /usr/src/linux.
     The use of the vanilla kernel sources from ftp.kernel.org is strongly
     recommended.

     Before building strongSwan you must have compiled the kernel sources at
     least once:

         make menuconfig; make dep; make bzImage; make modules

   * Now change into the strongswan-2.x.x source directory.

     First select any desired compile options in "Makefile.inc" (see section 2.
     Optional packages). Then in the top source directory type

         make menumod

     This command applies to the kernel sources an ESP_IN_UDP encapsulation
     patch, which is required for NAT-Traversal.

     In the "Networking options" menu set

         <M> IP Security Protocol (strongSwan IPsec)

     in order to build KLIPS as a loadable kernel module "ipsec.o".  Do not
     forget to save the modified configuration file when leaving "menumod".

     The strongSwan userland programs are now automatically built and
     installed, whereas the  ipsec.o  kernel module and the crypto modules
     are only built and must be installed with the command

         make minstall

   * If you intend to use the NAT-Traversal feature then you must compile the
     patched kernel sources again by executing

         make bzImage

     and then install and boot the modified kernel.

   * Next add your connections to "/etc/ipsec.conf" and your secrets to
     "/etc/ipsec.secrets" and start strongSwan with

         ipsec start


4. Updating strongSwan with a Linux 2.4 kernel
   -------------------------------------------

   * If you have already successfully installed  strongSwan and want to update
     to a newer version then the following shortcut can be taken:

     First select any desired compile options in "Makefile.inc" (see section 2.
     Optional packages). Then in the strongswan-2.x.x top directory type

         make programs; make install

     followed by

         make module; make minstall

   * You can then start the updated strongSwan version with

         ipsec restart


5. Building strongSwan with a Linux 2.6 kernel
   -------------------------------------------

   * Because the Linux 2.6 kernel comes with a built-in native IPsec stack,
     you won't need to build the strongSwan kernel modules. Please make sure
     that the following Linux 2.6 IPsec kernel modules are available:

         o af_key
         o ah4
         o esp4
         o ipcomp
         o xfrm_user
         o xfrm4_tunnel

     The kernel CryptoAPI modules for the encryption and hash algorithms used
     by your proposals (e.g. AES and SHA-1) should also be available.

   * First select any desired compile options in "Makefile.inc" (see section 2.
     Optional packages). Then in the strongswan-2.x.x top directory type

         make programs

     followed by

         make install

   * Next add your connections to "/etc/ipsec.conf" and your secrets to
     "/etc/ipsec.secrets" and start strongSwan with

         ipsec start
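   As an added example, not part of the strongSwan sources, here is the
   pre-flight check for the module list in the first step above as a POSIX
   shell script: it looks each required module up in modules.dep (the file
   modprobe consults) and each algorithm up in /proc/crypto. The algorithm
   names (aes, sha1, des3_ede, md5) are this example's assumption of a
   sensible minimum, the sample inputs are constructed rather than captured
   from a real machine, and both file paths are parameters so the same
   functions run against the live system or saved copies. Modules compiled
   into the kernel do not appear in modules.dep, and an algorithm appears in
   /proc/crypto only once its module is loaded, so confirm a reported miss
   against the kernel configuration before rebuilding anything.

```shell
#!/bin/sh
# Added example, not part of strongSwan: confirm that the pieces of the 2.6
# native IPsec stack strongSwan needs are present before "ipsec start".
# Both inputs are file paths so the check runs against the live system
# (/lib/modules/$(uname -r)/modules.dep and /proc/crypto) or saved copies.

# Kernel modules named in the INSTALL list above.
IPSEC_MODULES="af_key ah4 esp4 ipcomp xfrm_user xfrm4_tunnel"

# Assumed minimum set of CryptoAPI algorithms for typical IKE/ESP proposals:
# AES and SHA-1 for current peers, 3DES and MD5 only for legacy ones.
CRYPTO_ALGS="aes sha1 des3_ede md5"

# have_module NAME MODULES_DEP
# modules.dep lines look like "kernel/net/key/af_key.ko: dep1.ko dep2.ko"
# (absolute paths on older depmod, .ko.gz/.ko.xz on compressed trees);
# match "/NAME.ko", an optional suffix, then the colon that marks the
# module itself rather than a dependency.
have_module() {
    grep -q "/$1\.ko[^/ ]*:" "$2"
}

# have_alg NAME PROC_CRYPTO
# /proc/crypto is a list of "name : aes" style records, one per algorithm
# implementation; only algorithms whose modules are loaded are listed.
have_alg() {
    grep -q "^name *: *$1\$" "$2"
}

# check_ipsec_support MODULES_DEP PROC_CRYPTO
# Prints every missing item and returns 1 if anything is missing, else 0.
check_ipsec_support() {
    dep=$1; crypto=$2; rc=0
    for m in $IPSEC_MODULES; do
        have_module "$m" "$dep" || { echo "missing kernel module: $m"; rc=1; }
    done
    for a in $CRYPTO_ALGS; do
        have_alg "$a" "$crypto" || { echo "missing crypto algorithm: $a"; rc=1; }
    done
    return $rc
}

# write_sample_inputs DIR
# Constructed sample files (not captured from a real machine) in the shape
# of modules.dep and /proc/crypto, so the script runs stand-alone.
write_sample_inputs() {
    cat > "$1/modules.dep" <<'EOF'
kernel/net/key/af_key.ko: kernel/net/xfrm/xfrm_algo.ko
kernel/net/ipv4/ah4.ko: kernel/net/xfrm/xfrm_algo.ko
kernel/net/ipv4/esp4.ko: kernel/net/xfrm/xfrm_algo.ko
kernel/net/ipv4/ipcomp.ko: kernel/net/xfrm/xfrm_ipcomp.ko
kernel/net/xfrm/xfrm_user.ko: kernel/net/xfrm/xfrm_algo.ko
kernel/net/ipv4/xfrm4_tunnel.ko: kernel/net/ipv4/tunnel4.ko
EOF
    cat > "$1/crypto" <<'EOF'
name         : aes
driver       : aes-generic
module       : aes_generic

name         : sha1
driver       : sha1-generic
module       : sha1_generic

name         : des3_ede
driver       : des3_ede-generic
module       : des_generic

name         : md5
driver       : md5-generic
module       : md5
EOF
}

# demo_with_sample_inputs -- run the check on the constructed files and
# return its status (0 here, because the sample contains everything).
demo_with_sample_inputs() {
    d=$(mktemp -d) || return 1
    write_sample_inputs "$d"
    rc=0
    check_ipsec_support "$d/modules.dep" "$d/crypto" || rc=1
    rm -rf "$d"
    return $rc
}

# Usage: sh check-ipsec-kernel.sh /lib/modules/$(uname -r)/modules.dep /proc/crypto
# With no arguments the constructed demo runs instead.
if [ $# -eq 2 ]; then
    check_ipsec_support "$1" "$2"
else
    demo_with_sample_inputs
fi
```

   On a live system run "modprobe aes sha1" (and whatever else your
   proposals use) first, otherwise the /proc/crypto half of the check
   reports algorithms that are merely not yet loaded.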

-----------------------------------------------------------------------------

This file is RCSID $Id: INSTALL,v 1.11 2006/05/19 06:44:17 as Exp $