ipsec_strongswan (page revision 2011/08/30 17:34)
Here is a how-to for installing the IPsec implementation [[http://www.strongswan.org/|strongswan]].

====== install ======

  * build dependencies

<code bash>
sudo aptitude install build-essential bison libgmp3-dev libssl-dev libpcsclite-dev
</code>

  * get strongswan

<code bash>
wget http://download.strongswan.org/strongswan-4.5.2.tar.bz2
tar xf strongswan-4.*.tar.bz2
cd strongswan-4.*/
</code>

  * configure with the following options:
    * for the server:

<code bash>
./configure --prefix=/usr --sysconfdir=/etc --disable-pluto --enable-openssl --enable-eap-sim --enable-eap-sim-file --enable-socket-dynamic
</code>

    * for the client:

<code bash>
./configure --prefix=/usr --sysconfdir=/etc --disable-pluto --enable-openssl --enable-eap-sim --enable-eap-sim-pcsc --enable-eap-identity --enable-socket-dynamic
</code>

  * details about the options:
    * ''--disable-pluto'' gets rid of pluto, the IKEv1 daemon
    * ''--enable-openssl'' for the CA
    * ''--enable-eap-sim'' for the EAP-SIM authentication procedure
    * ''--enable-eap-sim-file'' to read the tuples from the file **/etc/ipsec.d/triplets.dat**
    * ''--enable-eap-sim-pcsc'' to read the tuples from a SIM card
    * ''--enable-eap-identity'' to provide the EAP id (> ESP ID)
    * ''--enable-socket-dynamic'' to be able to send IKE_SA_INIT to port 4500

  * compile and install

<code bash>
make
sudo make install
cd ..
</code>

====== tools ======

  * to get status information

<code bash>
sudo ipsec statusall
sudo ipsec listall
</code>

  * to follow the logs

<code bash>
tail -f /var/log/daemon.log
</code>

  * to see the SAs and keys of the current connection

<code bash>
ip xfrm state
</code>

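Because ''ip xfrm state'' prints the live ESP keys in clear, it is worth having a summary that keeps the useful fields (endpoints, SPI, mode, algorithms) and drops the key material before the output goes into a ticket or a log. The script below is an added example, not part of the original wiki page; it assumes the iproute2 output layout shown in the constructed sample and flags DES/3DES and MD5 as weak.

```sh
#!/bin/sh
# Added example: summarise `ip xfrm state` output, one line per SA,
# without reproducing the raw key material that the command prints.
# Reads the xfrm dump from stdin; a constructed sample is defined below.

xfrm_summary() {
    awk '
    function flush() {
        if (src == "") return
        weak = ""
        # cbc(des3_ede)/cbc(des) and hmac(md5) are legacy algorithms worth flagging
        if (enc ~ /des/ || auth ~ /md5/) weak = " WEAK"
        printf "%s -> %s %s spi=%s mode=%s auth=%s enc=%s%s\n", src, dst, proto, spi, mode, auth, enc, weak
        src = ""
    }
    /^src / { flush(); src = $2; dst = $4; proto = spi = mode = "?"; auth = enc = "-" }
    /^[ \t]*proto / {
        for (i = 1; i < NF; i++) {
            if ($i == "proto") proto = $(i + 1)
            if ($i == "spi") spi = $(i + 1)
            if ($i == "mode") mode = $(i + 1)
        }
    }
    # auth-trunc <alg> <key> <icv-bits>: keep algorithm and ICV length, drop the key
    /^[ \t]*auth-trunc / { auth = $2 "/" $4 }
    /^[ \t]*auth / { auth = $2 }
    # enc <alg> <key> and aead <alg> <key> <icv-bits>: keep the algorithm only
    /^[ \t]*enc / { enc = $2 }
    /^[ \t]*aead / { enc = $2 "/" $4 }
    END { flush() }
    '
}

# Constructed sample in the layout `ip xfrm state` uses (keys are dummy values).
XFRM_SAMPLE='src 192.0.2.1 dst 192.0.2.2
    proto esp spi 0x0a1b2c3d reqid 1 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha256) 0x00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff 128
    enc cbc(aes) 0x00112233445566778899aabbccddeeff
src 192.0.2.2 dst 192.0.2.1
    proto esp spi 0x4e5f6071 reqid 1 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(md5) 0x00112233445566778899aabbccddeeff 96
    enc cbc(des3_ede) 0x00112233445566778899aabbccddeeff0011223344556677'

# On a live host: ip xfrm state | xfrm_summary
printf '%s\n' "$XFRM_SAMPLE" | xfrm_summary
```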
  * for a very verbose debug trace, add to the ''config setup'' section of **/etc/ipsec.conf**:

<code>
charondebug="dmn 4,mgr 4,ike 4,chd 4,net 4,enc 4"
</code>