[strongSwan-dev] strongswan dependencies
Jan Willem Beusink
jan.willem.beusink at ti-wmc.nl
Tue Mar 9 13:44:56 CET 2010
Thank you Martin for your swift reply.
Martin Willi wrote:
>> I'm at it I also intend to adapt strongSwan to perform authorization
>> using the PERMIS reasoning engine, using a WebDAV repository for the
I agree :) and a lot more work than I bargained for...
>> 1. Using --enable-openssl obsoletes (to my knowledge) gmp, thus I can
>> --disable-gmp without any problems, right?
> Yes, the openssl plugin provides Diffie-Hellman and RSA implementations
> usually offered by gmp, so there is no need for gmp.
> The eap-aka-3gpp2 plugin additionally depends on GMP functions, but I
> assume you won't need it.
You assume correctly.
>> 2. strongSwan depends on several kernel crypto modules. Some of which
>> are selected by a 2.6 kernel in combination with ipsec (core, des, hmac,
>> md5, sha-1) others are selected by kmod-mac80211 (core, aes, arc4). So
>> these will get installed on my target device. But does strongSwan itself
>> rely on / need these?
> I don't know these OpenWRT specific kernel modules packages in detail,
> but having a look at our kernel module list might be of help. For
> the algorithms, you can limit the selection to what you'll actually use.
Not all the options in  can be linked 1-on-1, but I've managed to
figure out so far that:
openwrt: Modules -> Network Support -> kmod_ipsec
Transformation user configuration interface
│ - af_key
│ - xfrm_user
IP: advanced router
is needed for the next:
IP: policy routing
Enables routing based on more than destination only. Selects (
Which _probably_ maps to:
openwrt: Network -> IP
(Routing control utility)
openwrt: Kernel Modules -> Network Support -> kmod_ipsec4/kmod_ipsec6
maps to the following
IP: AH transformation
IP: ESP transformation
IP: IPComp transformation
IP: IPsec transport mode
IP: IPsec tunnel mode
IP: IPsec BEET mode (experimental)
│ - ah4
│ - esp4
│ - ipcomp
│ - xfrm4_mode_beet
│ - xfrm4_mode_transport
│ - xfrm4_mode_tunnel
│ - xfrm4_tunnel
│ - ah6
│ - esp6
│ - ipcomp6
│ - xfrm6_mode_beet
│ - xfrm6_mode_transport
│ - xfrm6_mode_tunnel
│ - xfrm6_tunnel
IPv6: Multiple Routing Tables
_best guess_ maps to:
openwrt: Kernel Modules -> Netfilter extensions -> kmod-ip6tables
openwrt: Kernel Modules -> Netfilter extensions -> kmod-ipt-core
Core Netfilter Configuration
openwrt: Kernel Modules -> Netfilter extensions -> kmod-ipt-ipsec
IPsec "policy" match support
>> 3. what about kmod-crypto-authenc? does strongSwan need this?
> Yes, the authenc wrapper is needed.
>> 4. In light of previous questions: there are several configure options
>> disabling 'own' crypto plugin. What is meant by 'own' and which can I
>> disable if I enable openssl (or gmp for that matter)?
> With "own" we mean that this plugin provides the algorithm in software
> by itself. If you have enabled the openssl wrapper plugin, you can
> disable all of them. OpenSSL provides a superior list of crypto
> algorithms. But keep the random plugin, the openssl plugin does not
> provide a random data source.
> The gmp plugin provides asymmetric algorithms only.
Not sure what you mean by "all".
I had the following selected; works like a charm.
But if I understand you correctly I can also disable these?
And just to be sure, can I disable the following and leave the decoding
>> 5. "ipsec is a wrapper script for controlling starter, whack and stroke"
>> So if I wish to use the charon daemon, what is the preferred starting
>> method? the up-down scripts?
> Depends on what your platform offers. The charon daemon does not have
> any forking/background functionality, so you'll need a daemon startup
> helper, such as start-stop-daemon. PID file is created
> under /var/run/charon.pid.
> If you abandon the ipsec.conf based configuration in conjunction with
> starter, keep in mind that you'll need another configuration interface.
> We have started the UCI plugin a while ago, but it does not offer all
> the options you might need. I think it does not even compile against a
> current libuci, but it is a good starting point to build a OpenWRT
> specific backend.
I assume that by "starter" you mean 'ipsec start'; I'm confused as to
which option(s) would disable starter. Please enlighten me.
Jan Willem Beusink
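As an added example (not code from this thread or from the strongSwan project), here is a POSIX shell pre-flight that ties the two practical points of the exchange together: it checks that the xfrm/ESP/authenc kernel modules mapped out above are actually present, and only then hands charon to start-stop-daemon, since charon does not background itself and writes /var/run/charon.pid on its own. Assumptions: the required set is the IPv4 ESP tunnel-mode subset of the module list in the thread, charon lives at /usr/lib/ipsec/charon, and the /proc/modules listing used by the demo is constructed.

```shell
#!/bin/sh
# Added example, not code from the strongswan-dev thread or from strongSwan.
# Pre-flight for an OpenWrt-style box: confirm the IPsec kernel modules the
# thread maps out are present, then hand charon to start-stop-daemon (charon
# does not fork into the background by itself; it writes /var/run/charon.pid).

# Assumption: this is the subset of the thread's module list needed for an
# IPv4 ESP tunnel-mode setup; add ah4/ipcomp/*6 variants if you use them.
REQUIRED_MODULES="xfrm_user af_key esp4 xfrm4_mode_tunnel authenc"

# Code compiled into the kernel (=y) never appears in /proc/modules, so list
# such names here to have the check accept them (assumption: caller knows them).
BUILTIN_MODULES="${BUILTIN_MODULES:-}"

# Assumption: strongSwan's usual libexec location for the charon binary.
CHARON="${CHARON:-/usr/lib/ipsec/charon}"
PIDFILE="/var/run/charon.pid"

# missing_modules MODFILE NAME...: print the NAMEs that are neither loaded
# (a line "NAME size ..." in the /proc/modules-style MODFILE) nor built in.
# Returns 0 when nothing is missing, 1 otherwise.
missing_modules() {
    modfile="$1"; shift
    missing=""
    for m in "$@"; do
        if grep -q "^$m " "$modfile"; then
            continue
        fi
        case " $BUILTIN_MODULES " in
            *" $m "*) continue ;;
        esac
        missing="$missing $m"
    done
    missing="${missing# }"
    if [ -n "$missing" ]; then
        printf '%s\n' "$missing"
        return 1
    fi
    return 0
}

# Start charon only when the kernel side is in place; stopping uses the PID
# file charon itself creates, so no --make-pidfile is needed.
start_charon() {
    if ! missing=$(missing_modules /proc/modules $REQUIRED_MODULES); then
        echo "charon: not starting, kernel modules missing: $missing" >&2
        return 1
    fi
    start-stop-daemon --start --background --pidfile "$PIDFILE" --exec "$CHARON"
}

stop_charon() {
    start-stop-daemon --stop --pidfile "$PIDFILE"
}

# Offline demonstration on a constructed /proc/modules listing in which
# xfrm4_mode_tunnel has not been loaded.
demo() {
    sample=$(mktemp)
    printf '%s\n' \
        'xfrm_user 28672 2 - Live 0x00000000' \
        'af_key 36864 0 - Live 0x00000000' \
        'esp4 20480 0 - Live 0x00000000' \
        'authenc 16384 1 esp4, Live 0x00000000' > "$sample"
    if missing=$(missing_modules "$sample" $REQUIRED_MODULES); then
        echo "all required modules present"
    else
        echo "missing: $missing"      # prints: missing: xfrm4_mode_tunnel
    fi
    rm -f "$sample"
}

demo
```

On a real target, replace the sample file with /proc/modules (as start_charon does) and set BUILTIN_MODULES for anything you compiled in with =y, otherwise the check will report built-in code as missing.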