Some updates to the INSTALL document.
This commit is contained in:
parent
6d599fb964
commit
2015c46985
143
INSTALL
|
@ -9,20 +9,20 @@ Contents
|
|||
1. Overview
|
||||
2. Required packages
|
||||
3. Optional packages
|
||||
3.1 libcurl
|
||||
3.2 OpenLDAP
|
||||
3.3 PKCS#11 smartcard library modules
|
||||
3.1 HTTP fetcher
|
||||
3.2 LDAP
|
||||
3.3 Other pluggable modules
|
||||
4. Kernel configuration
|
||||
|
||||
1. Overview
|
||||
--------
|
||||
|
||||
The strongSwan 4.x branch introduces a new build environment featuring
|
||||
GNU autotools. This should simplify the build process and package
|
||||
maintenance.
|
||||
First check for the availability of required packages on your system
|
||||
(section 2.). You may want to include support for additional features, which
|
||||
require other packages to be installed (section 3.).
|
||||
Since version 4.x strongSwan uses the GNU build system (Autotools).
|
||||
This simplifies the build process and package maintenance. First, check for
|
||||
the availability of required packages on your system (section 2.). You may
|
||||
want to include support for additional features, which require other
|
||||
packages to be installed (section 3.).
|
||||
|
||||
To compile an extracted tarball, run the ./configure script first:
|
||||
|
||||
./configure
|
||||
|
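Review bot: The new table-of-contents entry reads "3.1 HTTP fetcher" while the section heading introduced later in this same patch reads "3.1 HTTP Fetcher"; pick one capitalisation for both so the contents list matches the heading. The rewritten overview paragraph ("Since version 4.x strongSwan uses the GNU build system (Autotools).") is otherwise a clear replacement for the removed "new build environment" wording, and keeping the "(section 2.)" / "(section 3.)" cross-references is good since the section numbers are unchanged.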
@ -40,13 +40,10 @@ Contents
|
|||
|
||||
in the usual manner.
|
||||
|
||||
To check if your kernel fullfills the requirements, see section 4.
|
||||
To check if your kernel fulfills the requirements, see section 4.
|
||||
|
||||
Next add your connections to "/etc/ipsec.conf" and your secrets to
|
||||
"/etc/ipsec.secrets". Connections that are to be negotiated by the new
|
||||
IKEv2 charon keying daemon should be designated by "keyexchange=ikev2" and
|
||||
those by the IKEv1 pluto keying daemon either by "keyexchange=ikev1" or
|
||||
the default "keyexchange=ike".
|
||||
"/etc/ipsec.secrets".
|
||||
|
||||
At last start strongSwan with
|
||||
|
||||
|
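Review bot: Dropping the sentences about "keyexchange=ikev2" versus "keyexchange=ikev1" / "keyexchange=ike" leaves the paragraph ending abruptly at "/etc/ipsec.secrets". with no guidance on how a connection is assigned to a keying daemon, and nothing in the file now tells the reader where that is documented; if the explanation is intentionally removed from INSTALL, add a one-line pointer to the ipsec.conf documentation (or to the wiki that is linked further down in this file) so the instruction "add your connections to /etc/ipsec.conf" remains actionable. The "fullfills" -> "fulfills" fix is fine.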
@ -56,46 +53,45 @@ Contents
|
|||
2. Required packages
|
||||
-----------------
|
||||
|
||||
In order to be able to build strongSwan you'll need the GNU Multiprecision
|
||||
Arithmetic Library (GMP) available from http://www.swox.com/gmp/. At least
|
||||
version 4.1.5 of libgmp is required.
|
||||
In order to be able to build strongSwan you'll need one of the following
|
||||
cryptographic libraries:
|
||||
|
||||
The libgmp library and the corresponding header file gmp.h are usually
|
||||
included in the form of one or two packages in the major Linux
|
||||
distributions (SuSE: gmp; Debian unstable: libgmp3, libgmp3-dev).
|
||||
* The GNU Multiprecision Arithmetic Library (GMP, libgmp)
|
||||
http://www.gmplib.org
|
||||
* The OpenSSL cryptographic library (libcrypto)
|
||||
http://www.openssl.org
|
||||
* The GNU cryptographic library (libgcrypt)
|
||||
http://www.gnupg.org
|
||||
|
||||
If no other options are specified during ./configure libgmp will be used.
|
||||
|
||||
The libraries and the corresponding header files are usually included in
|
||||
the form of one or two packages in the major Linux distributions (for GMP on
|
||||
Debian: libgmp3 and libgmp3-dev).
|
||||
|
||||
|
||||
3. Optional packages
|
||||
-----------------
|
||||
|
||||
3.1 libcurl
|
||||
-------
|
||||
3.1 HTTP Fetcher
|
||||
------------
|
||||
|
||||
If you intend to dynamically fetch Certificate Revocation Lists (CRLs)
|
||||
from an HTTP server or as an alternative want to use the Online
|
||||
Certificate Status Protocol (OCSP) then you will need the libcurl library
|
||||
available from http://curl.haxx.se/.
|
||||
Certificate Status Protocol (OCSP) then you will need the either of the
|
||||
following libraries:
|
||||
|
||||
In order to keep the library as compact as possible for use with strongSwan
|
||||
you can build libcurl from the sources with the optimized options
|
||||
* The cURL library (libcurl)
|
||||
http://curl.haxx.se/libcurl/
|
||||
* The LibSoup library (libsoup)
|
||||
https://live.gnome.org/LibSoup
|
||||
|
||||
./configure --prefix=<dir> --without-ssl \
|
||||
--disable-ldap --disable-telnet \
|
||||
--disable-dict --disable-gopher \
|
||||
--disable-debug \
|
||||
--enable-nonblocking --enable-thread
|
||||
|
||||
As an alternative you can use the ready-made packages included with your
|
||||
favorite Linux distribution (SuSE: curl, curl-devel).
|
||||
|
||||
In order to activate the use of the libcurl library in strongSwan you must
|
||||
enable the ./configure switch:
|
||||
|
||||
./configure [...] --enable-http
|
||||
In order to activate the use of either of these libraries in strongSwan you
|
||||
must enable the appropriate ./configure switch.
|
||||
|
||||
|
||||
3.2 OpenLDAP
|
||||
--------
|
||||
3.2 LDAP
|
||||
----
|
||||
|
||||
If you intend to dynamically fetch Certificate Revocation Lists (CRLs)
|
||||
from an LDAP server then you will need the libldap library available
|
||||
|
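Review bot: Typo in the added line "then you will need the either of the following libraries" (extra "the"); it should read "then you will need either of the following libraries". More substantively, the new text for the cryptographic libraries says "If no other options are specified during ./configure libgmp will be used" and the HTTP fetcher section says "you must enable the appropriate ./configure switch", but neither names the switch for OpenSSL, libgcrypt, libcurl or libsoup, whereas the removed text showed the exact "./configure [...] --enable-http" line and the LDAP section that follows still shows "./configure [...] --enable-ldap"; list the switch for each library in the same form so the reader does not have to discover it from ./configure --help. The protocol in "http://www.gmplib.org" and "http://www.openssl.org" could also be checked, since the LibSoup link added in the same hunk is already https.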
@ -110,62 +106,33 @@ Contents
|
|||
|
||||
./configure [...] --enable-ldap
|
||||
|
||||
LDAP Protocl version 2 is not supported anymore, --enable-ldap uses always
|
||||
LDAP Protocol version 2 is not supported anymore, --enable-ldap uses always
|
||||
version 3 of the LDAP protocol
|
||||
|
||||
|
||||
3.3 PKCS#11 smartcard library modules
|
||||
---------------------------------
|
||||
3.3 Other pluggable modules
|
||||
-----------------------
|
||||
|
||||
If you want to securely store your X.509 certificates and private RSA keys
|
||||
on a smart card or a USB crypto token then you will need a PKCS #11 library
|
||||
for the smart card of your choice. The OpenSC PKCS#11 library (use
|
||||
versions >= 0.9.4) available from http://www.opensc.org/ supports quite a
|
||||
selection of cards and tokens (e.g. Aladdin eToken Pro32k, Schlumberger
|
||||
Cryptoflex e-gate, Oberthur AuthentIC, etc.) but requires that a PKCS#15
|
||||
directory structure be present on the smart card. But in principle
|
||||
any other PKCS#11 library could be used since the PKCS#11 API hides the
|
||||
internal data representation on the card.
|
||||
There are many other optional plugins that, for instance, provide support
|
||||
for PKCS#11 or SQL databases.
|
||||
For a more detailed description of these refer to our wiki:
|
||||
|
||||
For USB crypto token support you must add the OpenCT driver library
|
||||
(version >= 0.6.2) from the OpenSC site, whereas for serial smartcard
|
||||
readers you'll need the pcsc-lite library and the matching driver from the
|
||||
M.U.S.C.L.E project http://www.linuxnet.com/ .
|
||||
|
||||
In order to activate the PKCS#11-based smartcard support in strongSwan
|
||||
you must enable the smartcard ./configure switch:
|
||||
|
||||
./configure [...] --enable-smartcard
|
||||
|
||||
During compilation no externel smart card libraries must be present.
|
||||
strongSwan directly references a copy of the standard RSAREF pkcs11.h
|
||||
header files stored in the pluto/rsaref sub directory. During compile
|
||||
time a pathname to a default PKCS#11 dynamical library can be specified
|
||||
with a ./configure flag:
|
||||
|
||||
./configure --enable-smartcard --with-default-pkcs11=/path/to/lib.so
|
||||
|
||||
This default path to the easily-obtainable OpenSC library module can be
|
||||
simply overridden during run-time by specifying an alternative path in
|
||||
ipsec.conf pointing to any dynamic PKCS#11 library of your choice.
|
||||
|
||||
config setup
|
||||
pkcs11module="/usr/lib/xyz-pkcs11.so"
|
||||
* http://wiki.strongswan.org
|
||||
|
||||
|
||||
4. Kernel configuration
|
||||
--------------------
|
||||
|
||||
The strongSwan 4.x series currently support only 2.6 kernels and its
|
||||
native IPsec stack. Please make sure that the following IPsec kernel
|
||||
Since version 4.x strongSwan only supports 2.6.x and 3.x kernels and its
|
||||
native NETKEY IPsec stack. Please make sure that the following IPsec kernel
|
||||
modules are available:
|
||||
|
||||
o af_key
|
||||
o ah4
|
||||
o esp4
|
||||
o ipcomp
|
||||
o xfrm_user
|
||||
o xfrm4_tunnel
|
||||
* af_key
|
||||
* ah4
|
||||
* esp4
|
||||
* ipcomp
|
||||
* xfrm_user
|
||||
* xfrm4_tunnel
|
||||
|
||||
These may be built into the kernel or as modules. Modules get loaded
|
||||
automatically at strongSwan startup.
|
||||
|
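Review bot: The replacement for the PKCS#11 section points only at "* http://wiki.strongswan.org", the wiki root, while the final hunk of this patch links a specific page (http://wiki.strongswan.org/projects/strongswan/wiki/KernelModules); link the specific page(s) for the PKCS#11 and SQL plugins here as well, otherwise the reader loses the one concrete piece of the removed text, namely that the PKCS#11 module path is configured in ipsec.conf ("pkcs11module=..."), with nothing to replace it. Two nits in the unchanged context: "--enable-ldap uses always version 3 of the LDAP protocol" reads better as "--enable-ldap always uses version 3 of the LDAP protocol" and is missing its full stop; and the new kernel sentence "Since version 4.x strongSwan only supports 2.6.x and 3.x kernels and its native NETKEY IPsec stack" would benefit from "the native NETKEY IPsec stack" for clarity. The "o" -> "*" bullet change is consistent with the list style used elsewhere in the patch.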
@ -173,3 +140,9 @@ Contents
|
|||
Also the built-in kernel Cryptoapi modules with selected encryption and
|
||||
hash algorithms should be available.
|
||||
|
||||
Support for multiple routing tables is also recommended.
|
||||
|
||||
For a more up-to-date list of recommended modules refer to:
|
||||
|
||||
* http://wiki.strongswan.org/projects/strongswan/wiki/KernelModules
|
||||
|
||||
|
|
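Review bot: "Support for multiple routing tables is also recommended." gives no hint which kernel option that is or why strongSwan wants it, and the preceding sentence "built-in kernel Cryptoapi modules with selected encryption and hash algorithms" is equally unspecific about which algorithms; since the new KernelModules wiki link is meant to be the authoritative list, consider naming the kernel configuration option for multiple routing tables (or stating what strongSwan uses the extra table for) and placing the wiki link directly after the Cryptoapi sentence so both vague statements are covered by it.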