strongSwan supports libgcrypt. Example No. 3 on the strongSwan website requires libcurl, libgcrypt and libgmp to be installed.
- LIBGCRYPT installation
libgcrypt depends on libgpg-error, so download libgpg-error and libgcrypt first. The anonymous FTP session below is the one used in the experiment. Note that it delivers the archives in the clear with no integrity check; the server publishes detached .sig signature files next to each tarball, and those should be checked before anything is compiled and installed into /usr.
ftp> open ftp.gnupg.org
Connected to ftp.gnupg.org.
220-Welcome hacker!
220-.
220-This is the FTP server of the GnuPG project. Please send problem reports
220-to ftpmaster@gnupg.org after having checked the gnupg-users mailing list
220-archive at http://lists.gnupg.org/pipermail/gnupg-users/ for known problems.
220-.
220-Housing and traffic is sponsored by OpenIT GmbH.
220-.
220-The server contains cryptographic software and its use might be illegal in
220-your country. However, as far as we know, only a very few countries have
220-restrictions on the use of cryptographic software.
220-.
220 Service ready for new user.
Name (ftp.gnupg.org:***): anonymous (anonymous login)
331 Send e-mail address as password.
Password:
230 User logged in, proceed.
Remote system type is UNIX.
ftp> cd gcrypt/libgpg-error
250-The package libgpg-error contains common error codes and error handling
250-functions used by GnuPG, Libgcrypt, GPGME and more packages.
250 Directory change successful.
ftp> passive (passive mode)
Passive mode on.
ftp> binary(BINARY mode)
200 Command okay.
ftp> get libgpg-error-1.12.tar.bz2
local: libgpg-error-1.12.tar.bz2 remote: libgpg-error-1.12.tar.bz2
227 Entering Passive Mode (217,69,76,55,156,84).
150 About to open data connection.
226 File transfer complete.
489266 bytes received in 9.86 secs (48.5 kB/s)
ftp> cd ..
250-This directory is used as FTP site for GNU crypto software and
250-related stuff.
250-.
250-US laws place restrictions on the export of defense articles, which
250-includes some types of cryptographic software; this is the reason
250-that such software is not available from ftp.gnu.org
250-.
250-It is legal however, to export such software into the US.
250-.
250-Please contact <ftpmaster@gnupg.org> it you have any problems with
250-this site.
250-.
250-Software available here:
250-.
250- gnupg/ The GNU Privacy Guard
250- libgpg-error/ Common error codes for GnuPG, Libgcrypt etc.
250- gpgme/ GnuPG Made Easy library
250- pinentry/ Tool to enter a passphrase securely
250- libgcrypt/ General purpose low-level crypto library
250- libassuan/ The IPC library used by GnuPG
250- npth/ The New GNU Portable Threads Library
250- dirmngr/ A daemon to manage CRLs and LDAP queries for GnuPG.
250- gnu-crypt/ GNU Crypto for the classpathx Java libraries
250- egd/ Entropy Gathering Daemon
250- lsh/ A Secure Shell v2 implementation (work in progress)
250-
250- alpha/ Current development versions
250- binary/ Compiled versions for MS Windows.
250- contrib/ Other software and more translation files.
250- historic/ Historic versions. Also includes the content of
250- the old devel/ and pgpgpg/ directories.
250-.
250-See http://www.gnupg.org for further information.
250-.
250-The programs GnuPG and Libgcrypt hosted here are Free Software packages of
250-the GNU Project. We call them Free Software because you are free to copy
250-and redistribute them, following the rules stated in the license of each
250-package. For more information, see
250-http://www.gnu.org/philosophy/free-sw.html.
250-.
250-If you are looking for service or support for this software, see
250-http://www.gnupg.org/service.html .
250-.
250-If you would like to contribute to the development of one of these
250-packages, contact the package maintainer or the bug-reporting address
250-of the package (which should be listed in the package itself), or look
250-on www.gnu.org for more information on how to contribute.
250-.
250 Directory change successful.
ftp> cd libgcrypt
250-This is the stable version of Libgcrypt.
250-For devlopment versions see ../alpha/libgcrypt/.
250 Directory change successful.
ftp> get libgcrypt-1.6.0.tar.bz2
local: libgcrypt-1.6.0.tar.bz2 remote: libgcrypt-1.6.0.tar.bz2
227 Entering Passive Mode (217,69,76,55,158,239).
150 About to open data connection.
226 File transfer complete.
2499149 bytes received in 51.68 secs (47.2 kB/s)
ftp> close
221 Service closing control connection.
ftp> bye
Once the downloads finish, install libgpg-error and libgcrypt.
****** Extracting xxx.tar.bz2 archives ******
bzip2 -d xxx.tar.bz2
tar -xvf xxx.tar
or
tar -xjvf xxx.tar.bz2
******************************************
bzip2 -d libgpg-error-1.12.tar.bz2
tar -xvf libgpg-error-1.12.tar
bzip2 -d libgcrypt-1.6.0.tar.bz2
tar -xvf libgcrypt-1.6.0.tar
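Nothing in the procedure so far checks the archives before they are built and installed into /usr. The following shell script is an added example, not code from the original post or from the GnuPG or strongSwan projects: it refuses to unpack a tarball whose SHA-256 does not match a digest obtained out of band, and wraps the gpg --verify call for the detached .sig files published next to each release. The .sig naming and the digest in the usage comment are assumptions; the digest shown there is a placeholder to be replaced with the published value.

```sh
#!/bin/sh
# Added example (not from the original post, GnuPG or strongSwan): check a
# downloaded tarball before extracting it. Assumes GNU/BSD sha256 tools and,
# for the signature path, a gpg keyring that already holds the release key.

# Print the SHA-256 of a file as a bare hex string.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi | awk '{print $1}'
}

# verify_sha256 FILE EXPECTED_HEX -> 0 if the digest matches, 1 otherwise.
verify_sha256() {
    actual=$(sha256_of "$1")
    [ "$actual" = "$2" ]
}

# verify_gpg_sig FILE -> 0 if FILE.sig is a valid detached signature made by a
# key already in the local keyring. Needs gpg and the imported release key, so
# it is not exercised offline here; shown for the real workflow.
verify_gpg_sig() {
    gpg --verify "$1.sig" "$1"
}

# safe_extract FILE EXPECTED_HEX: unpack a .tar.bz2 only after the digest
# check passes; otherwise complain on stderr and return non-zero.
safe_extract() {
    if verify_sha256 "$1" "$2"; then
        tar -xjf "$1"
    else
        echo "SHA-256 mismatch for $1: refusing to extract" >&2
        return 1
    fi
}

# Usage (placeholder digest; substitute the value published for the release):
# safe_extract libgcrypt-1.6.0.tar.bz2 <published-sha256>
# verify_gpg_sig libgcrypt-1.6.0.tar.bz2
```

With `set -e` in the calling script, a mismatch in `safe_extract` aborts the whole build instead of silently continuing to `./configure`.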
For libgpg-error and libgcrypt, the build notes for libgpg-error-1.12 and libgcrypt-1.6.0 were followed:
Installing libgpg-error-1.12:
Install libgpg-error by running the following commands:
./configure --prefix=/usr --disable-static &&
make
To test the results, issue: make check.
Now, as the root user:
make install &&
install -v -m644 -D README /usr/share/doc/libgpg-error-1.12/README
Installing libgcrypt-1.6.0 (in the experiment only the steps marked in red were run):
Install libgcrypt by running the following commands:
./configure --prefix=/usr &&
make
Only info documentation is shipped in the package tarball. If you wish to build alternate formats of the documentation, (you must have texlive-20130530 installed to build the PDF and PostScript documentation), then issue the following commands:
make -C doc pdf ps html &&
makeinfo --html --no-split -o doc/gcrypt_nochunks.html doc/gcrypt.texi &&
makeinfo --plaintext -o doc/gcrypt.txt doc/gcrypt.texi
To test the results, issue: make check.
Now, as the root user:
make install &&
install -v -dm755 /usr/share/doc/libgcrypt-1.6.0 &&
install -v -m644 README doc/{README.apichanges,fips*,libgcrypt*} \
/usr/share/doc/libgcrypt-1.6.0
If you built the additional documentation, install it by issuing the following commands as the root user:
install -v -dm755 /usr/share/doc/libgcrypt-1.6.0/html &&
install -v -m644 doc/gcrypt.html/* \
/usr/share/doc/libgcrypt-1.6.0/html &&
install -v -m644 doc/gcrypt_nochunks.html \
/usr/share/doc/libgcrypt-1.6.0 &&
install -v -m644 doc/gcrypt.{pdf,ps,dvi,txt,texi} \
/usr/share/doc/libgcrypt-1.6.0
- LIBGMP installation
Before building libgmp, install m4 (a macro processing language) and build-essential (the informational list of build-essential packages):
sudo apt-get install m4
sudo apt-get install build-essential
Download gmp-x.x.x.tar.bz2 from the GMP website; the experiment used gmp-5.1.3.tar.bz2. Only the install step needs root; configure, make and make check should run as the unprivileged user. The default prefix is /usr/local, so refresh the linker cache afterwards or strongSwan's configure will not find the library:
tar -xjvf gmp-5.1.3.tar.bz2
cd gmp-5.1.3
./configure --enable-cxx
make
make check
sudo make install
sudo ldconfig
- LIBCURL installation
The download below is plain HTTP; verify the tarball before building it, as with the GnuPG archives above. Only the install step needs root:
wget http://curl.haxx.se/download/curl-7.22.0.tar.gz
tar -zxvf curl-7.22.0.tar.gz
cd curl-7.22.0
./configure
make
sudo make install
sudo ldconfig
- StrongSwan安装
wget http://download.strongswan.org/strongswan-4.6.4.tar.bz2
tar xjvf strongswan-4.6.4.tar.bz2
cd strongswan-4.6.4
./configure --prefix=/usr --sysconfdir=/etc --enable-gcrypt --enable-curl --disable-pluto
make
sudo make install
- Experiment
Setup:
Ubuntu3 (virtual machine): Ubuntu 12.04 LTS (32-bit), IP 192.168.31.132
Ubuntu4 (virtual machine): Ubuntu 12.04 LTS (32-bit), IP 192.168.31.133
Configuration of Ubuntu3:
Configure /etc/ipsec.secrets (this file holds the key and must be readable by root only):
192.168.31.132 : PSK "chu"
Configure /etc/ipsec.conf (parameters inside a config or conn section must be indented; a line starting in column 0 is read as a new section name):
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
        # plutodebug=all
        # crlcheckinterval=600
        # strictcrlpolicy=yes
        # cachecrls=yes
        # nat_traversal=yes
        # charonstart=no
        # plutostart=no
        plutodebug=all
        charondebug="ike 4"
        charonstart=yes
        plutostart=yes

# Add connections here.

# Sample VPN connections

#conn sample-self-signed
#        left=%defaultroute
#        leftsubnet=10.1.0.0/16
#        leftcert=selfCert.der
#        leftsendcert=never
#        right=192.168.0.2
#        rightsubnet=10.2.0.0/16
#        rightcert=peerCert.der
#        auto=start

#conn sample-with-ca-cert
#        left=%defaultroute
#        leftsubnet=10.1.0.0/16
#        leftcert=myCert.pem
#        right=192.168.0.2
#        rightsubnet=10.2.0.0/16
#        rightid="C=CH, O=Linux strongSwan CN=peer name"
#        keyexchange=ikev2
#        auto=start

conn host-to-host
        left=192.168.31.133
        right=192.168.31.132
        type=transport
        authby=secret
        auto=start
Configure /etc/strongswan.conf:
# strongswan.conf - strongSwan configuration file

charon {

        # number of worker threads in charon
        threads = 16

        # send strongswan vendor ID?
        # send_vendor_id = yes

        load = curl pem pkcs1 gcrypt x509 revocation hmac xcbc stroke kernel-netlink socket-default updown

        plugins {

                sql {
                        # loglevel to log into sql database
                        loglevel = -1

                        # URI to the database
                        # database = sqlite:///path/to/file.db
                        # database = mysql://user:password@localhost/database
                }
        }

        filelog {
                /var/log/strongswan.log {
                        time_format = %b %e %T
                        append = no
                        default = 4
                        flush_line = yes
                }
        }

        # ...
}

pluto {

}

libstrongswan {

        # set to no, the DH exponent size is optimized
        # dh_exponent_ansi_x9_42 = no
}
Configure Ubuntu4 the same way, with its own address in ipsec.secrets. Restart the software with ipsec restart and check the log file (/var/log/strongswan.log). Three points are worth keeping in mind before treating this as more than a lab setup. First, strongSwan was built with --disable-pluto, so the plutostart=yes and plutodebug=all lines in config setup have no effect: only the IKEv2 daemon charon runs, and the connection should state keyexchange=ikev2 explicitly so that it is unambiguously handled by charon. Second, the PSK "chu" is three bytes long, and with charondebug="ike 4" and a filelog level of 4 charon writes it into the log in hex (the "secret: 63:68:75" line below is "chu"); the log file therefore carries the same sensitivity as /etc/ipsec.secrets and both should be root-only, and a long random PSK together with a lower log level should be used once the connection works. Third, after the restart, ipsec statusall should show host-to-host as ESTABLISHED and ip xfrm state should list the ESP SAs; a ping between the two hosts captured with tcpdump should then appear as ESP rather than ICMP. The log from the restart:
Jan 12 17:36:50 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.6.4)
Jan 12 17:36:50 00[LIB] plugin 'curl': loaded successfully
Jan 12 17:36:50 00[LIB] plugin 'pem': loaded successfully
Jan 12 17:36:50 00[LIB] plugin 'pkcs1': loaded successfully
Jan 12 17:36:50 00[LIB] plugin 'gcrypt': loaded successfully
Jan 12 17:36:50 00[LIB] plugin 'x509': loaded successfully
Jan 12 17:36:50 00[LIB] plugin 'revocation': loaded successfully
Jan 12 17:36:50 00[LIB] plugin 'hmac': loaded successfully
Jan 12 17:36:50 00[LIB] plugin 'xcbc': loaded successfully
Jan 12 17:36:50 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Jan 12 17:36:50 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Jan 12 17:36:50 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Jan 12 17:36:50 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Jan 12 17:36:50 00[CFG] loading crls from '/etc/ipsec.d/crls'
Jan 12 17:36:50 00[CFG] loading secrets from '/etc/ipsec.secrets'
Jan 12 17:36:50 00[CFG] loaded IKE secret for 192.168.31.133
Jan 12 17:36:50 00[CFG] secret: 63:68:75
Jan 12 17:36:50 00[LIB] plugin 'stroke': loaded successfully
Jan 12 17:36:50 00[LIB] plugin 'kernel-netlink': loaded successfully
Jan 12 17:36:50 00[KNL] listening on interfaces:
Jan 12 17:36:50 00[KNL] eth0
Jan 12 17:36:50 00[KNL] 192.168.31.133
Jan 12 17:36:50 00[KNL] fe80::20c:29ff:feb9:b29c
Jan 12 17:36:50 00[LIB] plugin 'socket-default': loaded successfully
Jan 12 17:36:50 00[LIB] plugin 'updown': loaded successfully
Jan 12 17:36:50 00[DMN] loaded plugins: curl pem pkcs1 gcrypt x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
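The log above shows why charondebug="ike 4" and a filelog level of 4 are lab settings: the line "secret: 63:68:75" is the PSK "chu" in hex. The script below is an added example, not part of the original post and not strongSwan code. It generates a 32-byte random PSK to replace the three-byte one, writes the ipsec.secrets entry for the two lab addresses into a root-only file, decodes a hex dump like the one in the log back into text, and reports whether a log file contains such dumps. The output path is a parameter so it can be tried on a scratch file; the two sample log lines in the usage comment are copied from the log above.

```sh
#!/bin/sh
# Added example (not from the original post or strongSwan): strong PSK,
# root-only secrets file, and a check for key material leaked into the log.
# Assumes /dev/urandom and POSIX od/tr/grep.

# gen_psk: 32 random bytes from /dev/urandom, printed as 64 hex characters.
gen_psk() {
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# psk_is_strong PSK -> 0 if the key is at least 32 characters, 1 otherwise
# ("chu" fails this check).
psk_is_strong() {
    [ "${#1}" -ge 32 ]
}

# write_secrets FILE LOCAL_IP PEER_IP PSK: write an ipsec.secrets entry that
# applies to both lab addresses and make the file readable by root only.
# The umask is set in a subshell so the caller's umask is untouched.
write_secrets() {
    ( umask 077; printf '%s %s : PSK "%s"\n' "$2" "$3" "$4" > "$1" )
    chmod 600 "$1"
}

# decode_hex_secret HEX_DUMP: turn "63:68:75" (the charon dump format) back
# into the text it encodes, to show that the log reveals the literal PSK.
decode_hex_secret() {
    for byte in $(printf '%s' "$1" | tr ':' ' '); do
        printf "\\$(printf '%03o' "0x$byte")"
    done
}

# secret_lines LOGFILE: print the log lines in which charon dumped a secret.
# Returns 0 if any were found (the log leaks key material), 1 if none.
secret_lines() {
    grep -E '\[CFG\] secret: ' "$1"
}

# Usage on the lab hosts (run as root; the secrets file path is the real one):
# psk=$(gen_psk)
# write_secrets /etc/ipsec.secrets 192.168.31.132 192.168.31.133 "$psk"
# Lines like the two below, copied from the log above, are what secret_lines
# flags in /var/log/strongswan.log:
#   Jan 12 17:36:50 00[CFG] loaded IKE secret for 192.168.31.133
#   Jan 12 17:36:50 00[CFG] secret: 63:68:75
# decode_hex_secret 63:68:75 prints the PSK "chu".
```

The same PSK must be written on both hosts; generate it once and copy it over an authenticated channel rather than running gen_psk on each side.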