[strongSwan] Strongswan packages selection

Naveen Neelakanta nbnopenswan at gmail.com
Fri Aug 30 22:29:54 CEST 2013


Hi Noel,
Thank you for your reply.
Even after using the configuration
"--disable-rc2 --disable-md5 --disable-sha1 --disable-sha2
--disable-fips-prf --disable-aes --disable-des --enable-openssl
--disable-pkcs1 --disable-pkcs7 --disable-pkcs8 \
--disable-pkcs12 --disable-pgp --disable-dnskey --disable-sshkey
--disable-hmac --disable-cmac --disable-xcbc --disable-gmp
--disable-scripts --disable-ikev1 --disable-tools"

I see that strongSwan was taking more memory. I was trying to port this
to an embedded device to support a VPN client.
I need to evaluate the VPN tools for the same, hence I was very confident
about using strongSwan.
Can I still further reduce the size, because I have a very small memory
footprint of about 30MB?

Regards
Naveen


On Fri, Aug 30, 2013 at 11:47 AM, Noel Kuntze <noel at familie-kuntze.de> wrote:

>
> Hello Naveen,
>
> First of all, you don't need to include all the --enable options.
> If you don't use them, the corresponding features won't be compiled
> anyway, so you can simply use this:
> "--disable-rc2 --disable-md5 --disable-sha1
> --disable-sha2 --disable-fips-prf --disable-aes --disable-des
> --enable-openssl --disable-pkcs1 --disable-pkcs7 --disable-pkcs8 \
> --disable-pkcs12 --disable-pgp --disable-dnskey --disable-sshkey
> --disable-hmac --disable-cmac --disable-xcbc --disable-gmp
> --disable-scripts --disable-ikev1 --disable-tools"
>
> I think you should keep the "pem" and "x509" plugins, as those are needed
> to authenticate peers using certificates for authentication. You should
> also keep the nonce generator, as strongSwan
> won't work without it. As of now, the "nonce" plugin is the only one
> providing a nonce generator.
> Another thing: Also keep the "random" plugin. strongSwan needs it, too.
>
> To your ipsec starter problem: It could be that disabling "stroke" also
> removed starter, or your --sbindir, --bindir, --libexecdir are not properly
> defined. If you want to install a self-compiled version
> of strongSwan without packaging it, you should remove the package version
> of strongSwan first and then install your own version of it, otherwise
> strange things might happen.
> Personally, I use the following line to configure strongSwan:
>   ./configure --prefix=/usr \
>         --sbindir=/usr/bin \
>         --sysconfdir=/etc \
>         --libexecdir=/usr/lib \
>         --with-ipsecdir=/usr/lib/strongswan \
>         <lots of modules>
> This line will produce a working set of binaries.
> Remember to uninstall the strongSwan version that was installed over the
> package manager first!
>
> Regards,
> Noel Kuntze
>
> On 30.08.2013 20:19, Naveen Neelakanta wrote:
> > Hi
> > I am new to strongSwan. I have been able to successfully establish a tunnel
> > between two Linux PCs. However, I want to reduce the size of the strongSwan image,
> > and hence I have used the below compilation options.
> >
> > "       --disable-curl --disable-soup --disable-ldap \
> >         --enable-gmp --disable-mysql --disable-sqlite \
> >         --enable-openssl --enable-curl=no --enable-unbound=no --enable-soup=no --enable-ldap=no --enable-blowfish=no --disable-rc2 --disable-fips-prf --disable-gmp \
> > --enable-rdrand=no --disable-nonce --disable-x509 --disable-revocation --disable-constraints --disable-pubkey --disable-pkcs1 \
> > --disable-pkcs7 --disable-pkcs8 --disable-pkcs12 --disable-pgp --disable-sshkey --disable-dnskey --disable-pem --enable-test-vectors=no \
> > --enable-mysql=no --enable-sqlite=no --disable-stroke --enable-medsrv=no --enable-medcli=no --enable-sql=no --enable-leak-detective=no \
> > --enable-shared  --enable-static=no
> > "
> > I got it compiled, but when I run the below command
> > #ipsec start
> > /usr/sbin/ipsec: exec: line 326: /usr/libexec/ipsec/starter: not found
> >
> > Can you please let me know whether the above configuration that I have used is
> > good for my requirement below?
> > I want to just make use of OpenSSL as the crypto library and an IKEv2 client only,
> > and I am using the Linux kernel for IPsec functionality, with the xfrm and netlink
> > modules built into the kernel.
> >
> > Appreciate your response.
> >
> > Thanks
> > Naveen
>
>
>
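
The advice in the quoted reply, turned into a lint for a `./configure` flag list; this is an added example, not part of either message and not strongSwan's own tooling. The function names are hypothetical, `--enable-X=no` is treated like `--disable-X`, and a plugin that is never mentioned is assumed to stay at its build default.

```shell
#!/bin/sh
# Added example, not from the thread: lint ./configure flags for plugins
# the reply says must stay enabled. Function names are hypothetical.

# Plugins the reply names, in the order they are checked.
REQUIRED="nonce random pem x509 stroke"

# reason PLUGIN -> why the reply says to keep it
reason() {
    case "$1" in
        nonce)    echo "only plugin providing a nonce generator" ;;
        random)   echo "strongSwan needs it" ;;
        pem|x509) echo "needed to authenticate peers using certificates" ;;
        stroke)   echo "disabling it may also remove starter" ;;
    esac
}

# final_state PLUGIN FLAG... -> prints on, off or default.
# configure handles flags in order, so the last mention of a plugin wins.
final_state() {
    plugin=$1; shift
    state=default
    for flag in "$@"; do
        case "$flag" in
            "--disable-$plugin"|"--enable-$plugin=no") state=off ;;
            "--enable-$plugin"|"--enable-$plugin=yes") state=on ;;
        esac
    done
    echo "$state"
}

# check_configure_args FLAG... -> one line per required plugin left
# disabled; exit status 1 if any, else 0.
check_configure_args() {
    rc=0
    for p in $REQUIRED; do
        if [ "$(final_state "$p" "$@")" = off ]; then
            echo "$p disabled: $(reason "$p")"
            rc=1
        fi
    done
    return $rc
}

# Flags shortened from the first configure attempt quoted in the thread.
FIRST_ATTEMPT="--enable-gmp --enable-openssl --disable-gmp --disable-nonce
--disable-x509 --disable-pem --enable-sqlite=no --disable-stroke"
# Unquoted on purpose: split the string into one flag per word.
check_configure_args $FIRST_ATTEMPT || true
```

The non-zero exit status on a finding lets a build script stop before `./configure` runs.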