[strongSwan-dev] strongswan dependencies

Martin Willi martin at strongswan.org
Tue Mar 9 08:28:32 CET 2010


Hi,

> I'm at it I also intend to adapt strongSwan to perform authorization
> using the PERMIS reasoning engine, using a WebDAV repository for the
> certificates.

Interesting.

> 1. Using --enable-openssl obsoletes (to my knowledge) gmp, thus I can
> --disable-gmp without any problems, right?

Yes, the openssl plugin provides Diffie-Hellman and RSA implementations
usually offered by gmp, so there is no need for gmp.
The eap-aka-3gpp2 plugin additionally depends on GMP functions, but I
assume you won't need it.

> 2. strongSwan depends on several kernel crypto modules, some of which
> are selected by a 2.6 kernel in combination with ipsec (core, des, hmac,
> md5, sha-1); others are selected by kmod-mac80211 (core, aes, arc4). So
> these will get installed on my target device. But does strongSwan itself
> rely on / need these?

I don't know these OpenWRT specific kernel modules packages in detail,
but having a look at our kernel module list [1] might be of help. For
the algorithms, you can limit the selection to what you'll actually use.

> 3. What about kmod-crypto-authenc? Does strongSwan need this?

Yes, the authenc wrapper is needed.

> 4. In light of previous questions: there are several configure options
> disabling 'own' crypto plugins. What is meant by 'own' and which can I
> disable if I enable openssl (or gmp for that matter)?

With "own" we mean that this plugin provides the algorithm in software
by itself. If you have enabled the openssl wrapper plugin, you can
disable all of them. OpenSSL provides a superior list of crypto
algorithms. But keep the random plugin, the openssl plugin does not
provide a random data source.
The gmp plugin provides asymmetric algorithms only.

> 5. "ipsec is a wrapper script for controlling starter, whack and stroke"
> So if I wish to use the charon daemon, what is the preferred starting
> method? The up-down scripts?

Depends on what your platform offers. The charon daemon does not have
any forking/background functionality, so you'll need a daemon startup
helper, such as start-stop-daemon. The PID file is created
under /var/run/charon.pid.


If you abandon the ipsec.conf based configuration in conjunction with
starter, keep in mind that you'll need another configuration interface.
We have started the UCI plugin a while ago, but it does not offer all
the options you might need. I think it does not even compile against a
current libuci, but it is a good starting point to build an OpenWRT
specific backend.

Regards
Martin
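As an added illustration of the startup-helper approach Martin describes (this script is not from the mail or the strongSwan project), a small start-stop-daemon wrapper that backgrounds charon and uses the PID file charon writes itself; the binary path /usr/libexec/ipsec/charon is an assumption and may differ on your build.

```shell
#!/bin/sh
# Start/stop wrapper for charon built on start-stop-daemon.
# Assumed (not from the mail): charon binary location and the busybox/dpkg
# start-stop-daemon flags -S/-K/-b/-p/-x.
CHARON=/usr/libexec/ipsec/charon          # adjust to your libexecdir
PIDFILE=/var/run/charon.pid               # written by charon itself

# charon neither forks nor daemonizes, so -b (background) is required;
# -p points at the PID file charon creates, so -m (make-pidfile) is not used.
charon_start_cmd() {
    echo "start-stop-daemon -S -b -p $PIDFILE -x $CHARON"
}

charon_stop_cmd() {
    echo "start-stop-daemon -K -p $PIDFILE -x $CHARON"
}

# LSB-style status: 0 running, 1 stale PID file, 3 not running.
# Optional first argument overrides the PID file (useful for testing).
charon_status() {
    pidfile=${1:-$PIDFILE}
    [ -f "$pidfile" ] || return 3
    pid=$(head -n 1 "$pidfile" 2>/dev/null)
    case "$pid" in
        ''|*[!0-9]*) return 1 ;;          # empty or non-numeric: stale
    esac
    kill -0 "$pid" 2>/dev/null && return 0
    return 1                              # PID file present, process gone
}

charon_ctl() {
    case "$1" in
        start)   eval "$(charon_start_cmd)" ;;
        stop)    eval "$(charon_stop_cmd)" ;;
        restart) charon_ctl stop; sleep 1; charon_ctl start ;;
        status)  if charon_status; then rc=0; else rc=$?; fi
                 case $rc in 0) echo running ;; 1) echo "stale $PIDFILE" ;;
                             *) echo stopped ;; esac
                 return $rc ;;
        *)       echo "usage: $0 {start|stop|restart|status}" >&2; return 2 ;;
    esac
}

# Dispatch only when invoked with an action, so sourcing the file is harmless.
case "${1:-}" in
    start|stop|restart|status) charon_ctl "$1" ;;
esac
```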
