[strongSwan-dev] strongswan dependencies
Jan Willem Beusink
jan.willem.beusink at ti-wmc.nl
Tue Mar 9 13:44:56 CET 2010
Hi,
Thank you Martin for your swift reply.
Martin Willi wrote:
> Hi,
>
>> I'm at it I also intend to adapt strongSwan to perform authorization
>> using the PERMIS reasoning engine, using a WebDAV repository for the
>> certificates.
>
> Interesting.
I agree :) and a lot more work than I bargained for...
>
>> 1. Using --enable-openssl obsoletes (to my knowledge) gmp, thus I can
>> --disable-gmp without any problems, right?
>
> Yes, the openssl plugin provides Diffie-Hellman and RSA implementations
> usually offered by gmp, so there is no need for gmp.
> The eap-aka-3gpp2 plugin additionally depends on GMP functions, but I
> assume you won't need it.
You assume correctly.
>> 2. strongSwan depends on several kernel crypto modules. some of which
>> are selected by a 2.6 kernel in combination with ipsec (core, des, hmac,
>> md5, sha-1) others are selected by kmod-mac80211 (core, aes, arc4). So
>> these will get installed on my target device. But does strongSwan itself
>> rely on / need these?
>
> I don't know these OpenWRT specific kernel modules packages in detail,
> but having a look at our kernel module list [1] might be of help. For
> the algorithms, you can limit the selection to what you'll actually use.
>
Not all the options in [1] can be linked 1-on-1, but I've managed to
figure out so far that:
openwrt: Modules -> Network Support -> kmod_ipsec
maps to
PF_KEY sockets
Transformation user configuration interface
+kmod_ipsec includes:
│ - af_key
│ - xfrm_user
IP: advanced router
is needed for the next:
IP: policy routing
Enables routing based on more than destination only. Selects
CONFIG_IP_MULTIPLE_TABLES
Which _probably_ maps to:
openwrt: Network -> IP
(Routing control utility)
openwrt: Kernel Modules -> Network Support -> kmod_ipsec4/kmod_ipsec6
maps to the following
IP: AH transformation
IP: ESP transformation
IP: IPComp transformation
IP: IPsec transport mode
IP: IPsec tunnel mode
IP: IPsec BEET mode (experimental)
+ipsec4 includes
│ - ah4
│ - esp4
│ - ipcomp
│ - xfrm4_mode_beet
│ - xfrm4_mode_transport
│ - xfrm4_mode_tunnel
│ - xfrm4_tunnel
+ipsec6 includes
│ - ah6
│ - esp6
│ - ipcomp6
│ - xfrm6_mode_beet
│ - xfrm6_mode_transport
│ - xfrm6_mode_tunnel
│ - xfrm6_tunnel
IPv6: Multiple Routing Tables
_best guess_ maps to:
openwrt: Kernel Modules -> Netfilter extensions -> kmod-ip6tables
openwrt: Kernel Modules -> Netfilter extensions -> kmod-ipt-core
maps to:
Core Netfilter Configuration
openwrt: Kernel Modules -> Netfilter extensions -> kmod-ipt-ipsec
maps to:
IPsec "policy" match support
>> 3. what about kmod-crypto-authenc? does strongSwan need this?
>
> Yes, the authenc wrapper is needed.
>
>> 4. In light of previous questions: there are several configure options
>> disabling 'own' crypto plugin. What is meant by 'own' and which can I
>> disable if I enable openssl (or gmp for that matter)?
>
> With "own" we mean that this plugin provides the algorithm in software
> by itself. If you have enabled the openssl wrapper plugin, you can
> disable all of them. OpenSSL provides a superior list of crypto
> algorithms. But keep the random plugin, the openssl plugin does not
> provide a random data source.
> The gmp plugin provides asymmetric algorithms only.
Not sure what you mean by "all".
I had the following selected; works like a charm.
--disable-aes
--disable-des
--disable-fips-prf
--disable-gmp
--disable-md5
--disable-sha1
--disable-sha2
But if I understand you correctly I can also disable these?
--disable-hmac
--disable-x509
--disable-xcbc
And just to be sure, can I disable the following and leave the decoding
to openssl?
--disable-pem
--disable-pgp
--disable-pkcs1
--disable-pubkey
>> 5. "ipsec is a wrapper script for controlling starter, whack and stroke"
>> So if I wish to use the charon daemon, what is the preferred starting
>> method? the up-down scripts?
>
> Depends on what your platform offers. The charon daemon does not have
> any forking/background functionality, so you'll need a daemon startup
> helper, such as start-stop-daemon. The PID file is created
> under /var/run/charon.pid.
>
>
> If you abandon the ipsec.conf based configuration in conjunction with
> starter, keep in mind that you'll need another configuration interface.
> We have started the UCI plugin a while ago, but it does not offer all
> the options you might need. I think it does not even compile against a
> current libuci, but it is a good starting point to build an OpenWRT
> specific backend.
I assume that by starter you mean 'ipsec start'. I'm confused as to
which option(s) would disable starter. Please enlighten me.
> Regards
> Martin
> [1] http://wiki.strongswan.org/projects/strongswan/wiki/KernelModules
kind regards,
Jan Willem Beusink
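An added example, not code from this thread or from the strongSwan project: a POSIX sh check that reads a /proc/modules-style listing and reports which of the kernel modules mapped above to kmod_ipsec, kmod_ipsec4 and kmod-crypto-authenc are not loaded on the target. The module names come from the thread; the grouping into three variables, the function names and the sample listing are this example's own assumptions.

```shell
#!/bin/sh
# Kernel modules the thread maps to each OpenWRT package (names from the
# thread; the grouping into these variables is this example's assumption).
KMOD_IPSEC="af_key xfrm_user"
KMOD_IPSEC4="ah4 esp4 ipcomp xfrm4_mode_beet xfrm4_mode_transport xfrm4_mode_tunnel xfrm4_tunnel"
KMOD_CRYPTO_AUTHENC="authenc"

# missing_modules LISTING MODULE...
# LISTING is text in /proc/modules layout ("name size refcount deps state addr").
# Prints each MODULE whose name is not the first field of any line, one per
# line; returns 0 when nothing is missing, 1 otherwise.
missing_modules() {
    listing="$1"
    shift
    rc=0
    for mod in "$@"; do
        if ! printf '%s\n' "$listing" |
             awk -v want="$mod" '$1 == want { found = 1 } END { exit found ? 0 : 1 }'; then
            echo "$mod"
            rc=1
        fi
    done
    return $rc
}

# check_target LISTING
# Reports one line per package group, the way the thread's mapping is laid out.
check_target() {
    listing="$1"
    for pkg in KMOD_IPSEC KMOD_IPSEC4 KMOD_CRYPTO_AUTHENC; do
        eval "mods=\$$pkg"
        if missing="$(missing_modules "$listing" $mods)"; then
            echo "$pkg: ok"
        else
            echo "$pkg: missing $(echo $missing)"
        fi
    done
}

# Constructed sample listing (not output from a real device): IPv4 ESP in
# tunnel mode is loaded; AH, IPComp, transport and BEET modes are not.
SAMPLE_MODULES='af_key 36864 0 - Live 0xffffffffa0100000
xfrm_user 32768 1 - Live 0xffffffffa0110000
esp4 16384 2 - Live 0xffffffffa0120000
xfrm4_mode_tunnel 12288 1 - Live 0xffffffffa0130000
authenc 16384 1 esp4, Live 0xffffffffa0140000'

# On a real target: check_target "$(cat /proc/modules)"
```

A module compiled into the kernel never appears in /proc/modules, so on such a kernel also check /lib/modules/$(uname -r)/modules.builtin before treating a name as missing.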