strongSwan supports libgcrypt. Example No. 3 on the strongSwan website requires libcurl, libgcrypt and libgmp to be installed.

  • LIBGCRYPT installation

libgcrypt depends on libgpg-error. First download libgpg-error and libgcrypt.

ftp> open ftp.gnupg.org
Connected to ftp.gnupg.org.
220-Welcome hacker!
220-.
220-This is the FTP server of the GnuPG project.  Please send problem reports
220-to ftpmaster@gnupg.org after having checked the gnupg-users mailing list
220-archive at http://lists.gnupg.org/pipermail/gnupg-users/ for known problems.
220-.
220-Housing and traffic is sponsored by OpenIT GmbH. 
220-.
220-The server contains cryptographic software and its use might be illegal in
220-your country.  However, as far as we know, only a very few countries have
220-restrictions on the use of cryptographic software.
220-.
220 Service ready for new user.
Name (ftp.gnupg.org:***): anonymous   (anonymous login)
331 Send e-mail address as password.
Password:
230 User logged in, proceed.
Remote system type is UNIX.
ftp> cd gcrypt/libgpg-error
250-The package libgpg-error contains common error codes and error handling
250-functions used by GnuPG, Libgcrypt, GPGME and more packages. 
250 Directory change successful.
ftp> passive   (passive mode)
Passive mode on.
ftp> binary   (binary mode)
200 Command okay.
ftp> get libgpg-error-1.12.tar.bz2
local: libgpg-error-1.12.tar.bz2 remote: libgpg-error-1.12.tar.bz2
227 Entering Passive Mode (217,69,76,55,156,84).
150 About to open data connection.
226 File transfer complete.
489266 bytes received in 9.86 secs (48.5 kB/s)
ftp> cd ..
250-This directory is used as FTP site for GNU crypto software and
250-related stuff.
250-.
250-US laws place restrictions on the export of defense articles, which
250-includes some types of cryptographic software; this is the reason
250-that such software is not available from ftp.gnu.org
250-.
250-It is legal however, to export such software into the US.
250-.
250-Please contact <ftpmaster@gnupg.org> it you have any problems with
250-this site. 
250-.
250-Software available here:
250-.
250-    gnupg/               The GNU Privacy Guard
250-    libgpg-error/        Common error codes for GnuPG, Libgcrypt etc.
250-    gpgme/               GnuPG Made Easy library
250-    pinentry/            Tool to enter a passphrase securely
250-    libgcrypt/           General purpose low-level crypto library
250-    libassuan/           The IPC library used by GnuPG
250-    npth/                The New GNU Portable Threads Library
250-    dirmngr/             A daemon to manage CRLs and LDAP queries for GnuPG.
250-    gnu-crypt/           GNU Crypto for the classpathx Java libraries
250-    egd/                 Entropy Gathering Daemon
250-    lsh/                 A Secure Shell v2 implementation (work in progress)
250-    
250-    alpha/               Current development versions
250-    binary/              Compiled versions for MS Windows.
250-    contrib/             Other software and more translation files.
250-    historic/            Historic versions.  Also includes the content of 
250-                         the old devel/ and pgpgpg/ directories.
250-.
250-See http://www.gnupg.org for further information.
250-.
250-The programs GnuPG and Libgcrypt hosted here are Free Software packages of
250-the GNU Project.  We call them Free Software because you are free to copy
250-and redistribute them, following the rules stated in the license of each
250-package.  For more information, see
250-http://www.gnu.org/philosophy/free-sw.html.
250-.
250-If you are looking for service or support for this software, see
250-http://www.gnupg.org/service.html .
250-.
250-If you would like to contribute to the development of one of these
250-packages, contact the package maintainer or the bug-reporting address
250-of the package (which should be listed in the package itself), or look
250-on www.gnu.org for more information on how to contribute.
250-.
250 Directory change successful.
ftp> cd libgcrypt
250-This is the stable version of Libgcrypt. 
250-For devlopment versions see ../alpha/libgcrypt/.
250 Directory change successful.
ftp> get libgcrypt-1.6.0.tar.bz2 
local: libgcrypt-1.6.0.tar.bz2 remote: libgcrypt-1.6.0.tar.bz2
227 Entering Passive Mode (217,69,76,55,158,239).
150 About to open data connection.
226 File transfer complete.
2499149 bytes received in 51.68 secs (47.2 kB/s)
ftp> close
221 Service closing control connection.
ftp> bye

 

After the download completes, install libgpg-error and libgcrypt.

****** Extracting xxx.tar.bz2 files ******

bzip2 -d xxx.tar.bz2
tar -xvf xxx.tar

or

tar -xjvf xxx.tar.bz2

******************************************

bzip2 -d libgpg-error-1.12.tar.bz2
tar -xvf libgpg-error-1.12.tar
bzip2 -d libgcrypt-1.6.0.tar.bz2
tar -xvf libgcrypt-1.6.0.tar

For libgpg-error and libgcrypt, refer to: libgpg-error-1.12, libgcrypt-1.6.0

libgpg-error-1.12 installation:

Install libgpg-error by running the following commands:

./configure --prefix=/usr --disable-static &&
make
To test the results, issue: make check.

Now, as the root user:

make install &&
install -v -m644 -D README /usr/share/doc/libgpg-error-1.12/README

libgcrypt-1.6.0 installation (the parts shown in red were executed in the experiment):

Install libgcrypt by running the following commands:

./configure --prefix=/usr &&
make
Only info documentation is shipped in the package tarball. If you wish to build alternate formats of the documentation (you must have texlive-20130530 installed to build the PDF and PostScript documentation), issue the following commands:

make -C doc pdf ps html &&
makeinfo --html --no-split -o doc/gcrypt_nochunks.html doc/gcrypt.texi &&
makeinfo --plaintext       -o doc/gcrypt.txt           doc/gcrypt.texi
To test the results, issue: make check.

Now, as the root user:

make install &&
install -v -dm755   /usr/share/doc/libgcrypt-1.6.0 &&
install -v -m644    README doc/{README.apichanges,fips*,libgcrypt*} \
                    /usr/share/doc/libgcrypt-1.6.0
If you built the additional documentation, install it by issuing the following commands as the root user:

install -v -dm755   /usr/share/doc/libgcrypt-1.6.0/html &&
install -v -m644 doc/gcrypt.html/* \
                    /usr/share/doc/libgcrypt-1.6.0/html &&
install -v -m644 doc/gcrypt_nochunks.html \
                    /usr/share/doc/libgcrypt-1.6.0 &&
install -v -m644 doc/gcrypt.{pdf,ps,dvi,txt,texi} \
                    /usr/share/doc/libgcrypt-1.6.0

  • LIBGMP installation

Before installing libgmp, install m4 (a macro processing language) and build-essential (informational list of build-essential packages).

sudo apt-get install m4
sudo apt-get install build-essential

Download gmp-x.x.x.tar.bz2 from the GMP website and install it; in the experiment gmp-5.1.3.tar.bz2 was downloaded:

tar -xjvf gmp-5.1.3.tar.bz2
cd gmp-5.1.3
sudo ./configure --enable-cxx
sudo make
sudo make check
sudo make install

  • LIBCURL installation

wget http://curl.haxx.se/download/curl-7.22.0.tar.gz
tar -zxvf curl-7.22.0.tar.gz
cd curl-7.22.0
./configure
make
make install

  • strongSwan installation

wget http://download.strongswan.org/strongswan-4.6.4.tar.bz2
tar xjvf strongswan-4.6.4.tar.bz2
cd strongswan-4.6.4
./configure --prefix=/usr --sysconfdir=/etc --enable-gcrypt --enable-curl --disable-pluto
make
make install

  • Experiment

Configuration:

Ubuntu3 (virtual machine): Ubuntu 12.04 LTS (32-bit), IP 192.168.31.132

Ubuntu4 (virtual machine): Ubuntu 12.04 LTS (32-bit), IP 192.168.31.133

Configure Ubuntu3:

Configure /etc/ipsec.secrets

192.168.31.132 : PSK "chu"

Configure /etc/ipsec.conf

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
    # plutodebug=all
    # crlcheckinterval=600
    # strictcrlpolicy=yes
    # cachecrls=yes
    # nat_traversal=yes
    # charonstart=no
    # plutostart=no
    plutodebug=all
    charondebug="ike 4"
    charonstart=yes
    plutostart=yes

# Add connections here.

# Sample VPN connections

#conn sample-self-signed
#      left=%defaultroute
#      leftsubnet=10.1.0.0/16
#      leftcert=selfCert.der
#      leftsendcert=never
#      right=192.168.0.2
#      rightsubnet=10.2.0.0/16
#      rightcert=peerCert.der
#      auto=start

#conn sample-with-ca-cert
#      left=%defaultroute
#      leftsubnet=10.1.0.0/16
#      leftcert=myCert.pem
#      right=192.168.0.2
#      rightsubnet=10.2.0.0/16
#      rightid="C=CH, O=Linux strongSwan CN=peer name"
#      keyexchange=ikev2
#      auto=start
conn host-to-host
    left=192.168.31.133
    right=192.168.31.132
    type=transport
    authby=secret
    auto=start

Configure /etc/strongswan.conf

# strongswan.conf - strongSwan configuration file

charon {

    # number of worker threads in charon
    threads = 16

    # send strongswan vendor ID?
    # send_vendor_id = yes
    load = curl pem pkcs1 gcrypt x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
    plugins {

        sql {
            # loglevel to log into sql database
            loglevel = -1

            # URI to the database
            # database = sqlite:///path/to/file.db
            # database = mysql://user:password@localhost/database
        }
    }
    filelog {
        /var/log/strongswan.log {
            time_format = %b %e %T
            append = no
            default = 4
            flush_line = yes
        }
    }

    # ...
}

pluto {

}

libstrongswan {

    #  set to no, the DH exponent size is optimized
    #  dh_exponent_ansi_x9_42 = no
}

Configure Ubuntu4 in the same way. Restart the software with ipsec restart. Then check the log file (/var/log/strongswan.log):

Jan 12 17:36:50 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.6.4)
Jan 12 17:36:50 00[LIB] plugin 'curl': loaded successfully
Jan 12 17:36:50 00[LIB] plugin 'pem': loaded successfully
Jan 12 17:36:50 00[LIB] plugin 'pkcs1': loaded successfully
Jan 12 17:36:50 00[LIB] plugin 'gcrypt': loaded successfully
Jan 12 17:36:50 00[LIB] plugin 'x509': loaded successfully
Jan 12 17:36:50 00[LIB] plugin 'revocation': loaded successfully
Jan 12 17:36:50 00[LIB] plugin 'hmac': loaded successfully
Jan 12 17:36:50 00[LIB] plugin 'xcbc': loaded successfully
Jan 12 17:36:50 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Jan 12 17:36:50 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Jan 12 17:36:50 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Jan 12 17:36:50 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Jan 12 17:36:50 00[CFG] loading crls from '/etc/ipsec.d/crls'
Jan 12 17:36:50 00[CFG] loading secrets from '/etc/ipsec.secrets'
Jan 12 17:36:50 00[CFG]   loaded IKE secret for 192.168.31.133
Jan 12 17:36:50 00[CFG]   secret: 63:68:75
Jan 12 17:36:50 00[LIB] plugin 'stroke': loaded successfully
Jan 12 17:36:50 00[LIB] plugin 'kernel-netlink': loaded successfully
Jan 12 17:36:50 00[KNL] listening on interfaces:
Jan 12 17:36:50 00[KNL]   eth0
Jan 12 17:36:50 00[KNL]     192.168.31.133
Jan 12 17:36:50 00[KNL]     fe80::20c:29ff:feb9:b29c
Jan 12 17:36:50 00[LIB] plugin 'socket-default': loaded successfully
Jan 12 17:36:50 00[LIB] plugin 'updown': loaded successfully
Jan 12 17:36:50 00[DMN] loaded plugins: curl pem pkcs1 gcrypt x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
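As an added example (not part of the original post or of strongSwan itself), a small Python checker for the log format shown above: it confirms that every plugin named in the load = line of strongswan.conf is reported as loaded, and decodes any "secret:" line, which is how charondebug="ike 4" writes the PSK into /var/log/strongswan.log (63:68:75 is "chu"). The sample log lines and load line below are constructed from the page.

```python
import re

# Constructed subset of the strongswan.log lines shown on the page.
SAMPLE_LOG = """\
Jan 12 17:36:50 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.6.4)
Jan 12 17:36:50 00[LIB] plugin 'curl': loaded successfully
Jan 12 17:36:50 00[LIB] plugin 'gcrypt': loaded successfully
Jan 12 17:36:50 00[CFG] loading secrets from '/etc/ipsec.secrets'
Jan 12 17:36:50 00[CFG]   loaded IKE secret for 192.168.31.133
Jan 12 17:36:50 00[CFG]   secret: 63:68:75
Jan 12 17:36:50 00[LIB] plugin 'stroke': loaded successfully
Jan 12 17:36:50 00[DMN] loaded plugins: curl gcrypt stroke
"""

# Constructed 'load =' line, shortened to match the sample log above.
LOAD_LINE = "load = curl gcrypt stroke"

# "<month> <day> <hh:mm:ss> <thread>[<group>] <message>"
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<thr>\d\d)\[(?P<grp>\w+)\] (?P<msg>.*)$")
PLUGIN_RE = re.compile(r"plugin '(?P<name>[\w-]+)': loaded successfully")
SECRET_RE = re.compile(r"secret: (?P<hex>[0-9a-f]{2}(?::[0-9a-f]{2})*)")

def parse_log(text):
    """Yield (group, message) for each well-formed log line; skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("grp"), m.group("msg")

def check_plugins(log_text, load_line):
    """Return the plugins listed in 'load =' that the log never reports as loaded."""
    wanted = set(load_line.split("=", 1)[1].split())
    loaded = set()
    for grp, msg in parse_log(log_text):
        m = PLUGIN_RE.search(msg)
        if grp == "LIB" and m:
            loaded.add(m.group("name"))
    return wanted - loaded

def leaked_secrets(log_text):
    """Return the clear text of every secret the CFG group logged as hex bytes."""
    found = []
    for grp, msg in parse_log(log_text):
        m = SECRET_RE.search(msg)
        if grp == "CFG" and m:
            found.append(bytes.fromhex(m.group("hex").replace(":", "")).decode("latin-1"))
    return found

if __name__ == "__main__":
    print("plugins not loaded:", sorted(check_plugins(SAMPLE_LOG, LOAD_LINE)) or "none")
    for psk in leaked_secrets(SAMPLE_LOG):
        print(f"PSK written to log: {psk!r} ({len(psk)} bytes)")
```

Run it against the real /var/log/strongswan.log once the daemon is up; any "PSK written to log" line means the debug level leaves the shared secret readable by whoever can read the log file.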