StrongSwan supports libgcrypt. Example No. 3 on the StrongSwan website requires libcurl, libgcrypt and libgmp to be installed.
- Installing LIBGCRYPT
libgcrypt depends on libgpg-error, so first download both libgpg-error and libgcrypt (FTP session from the experiment):
```
ftp> open ftp.gnupg.org
Connected to ftp.gnupg.org.
220-Welcome hacker!
220-.
220-This is the FTP server of the GnuPG project. Please send problem reports
220-to ftpmaster@gnupg.org after having checked the gnupg-users mailing list
220-archive at http://lists.gnupg.org/pipermail/gnupg-users/ for known problems.
220-.
220-Housing and traffic is sponsored by OpenIT GmbH.
220-.
220-The server contains cryptographic software and its use might be illegal in
220-your country. However, as far as we know, only a very few countries have
220-restrictions on the use of cryptographic software.
220-.
220 Service ready for new user.
Name (ftp.gnupg.org:***): anonymous          (anonymous login)
331 Send e-mail address as password.
Password:
230 User logged in, proceed.
Remote system type is UNIX.
ftp> cd gcrypt/libgpg-error
250-The package libgpg-error contains common error codes and error handling
250-functions used by GnuPG, Libgcrypt, GPGME and more packages.
250 Directory change successful.
ftp> passive                                 (passive mode)
Passive mode on.
ftp> binary                                  (BINARY mode)
200 Command okay.
ftp> get libgpg-error-1.12.tar.bz2
local: libgpg-error-1.12.tar.bz2 remote: libgpg-error-1.12.tar.bz2
227 Entering Passive Mode (217,69,76,55,156,84).
150 About to open data connection.
226 File transfer complete.
489266 bytes received in 9.86 secs (48.5 kB/s)
ftp> cd ..
250-This directory is used as FTP site for GNU crypto software and
250-related stuff.
250-.
250-US laws place restrictions on the export of defense articles, which
250-includes some types of cryptographic software; this is the reason
250-that such software is not available from ftp.gnu.org
250-.
250-It is legal however, to export such software into the US.
250-.
250-Please contact <ftpmaster@gnupg.org> it you have any problems with
250-this site.
250-.
250-Software available here:
250-.
250- gnupg/         The GNU Privacy Guard
250- libgpg-error/  Common error codes for GnuPG, Libgcrypt etc.
250- gpgme/         GnuPG Made Easy library
250- pinentry/      Tool to enter a passphrase securely
250- libgcrypt/     General purpose low-level crypto library
250- libassuan/     The IPC library used by GnuPG
250- npth/          The New GNU Portable Threads Library
250- dirmngr/       A daemon to manage CRLs and LDAP queries for GnuPG.
250- gnu-crypt/     GNU Crypto for the classpathx Java libraries
250- egd/           Entropy Gathering Daemon
250- lsh/           A Secure Shell v2 implementation (work in progress)
250-
250- alpha/         Current development versions
250- binary/        Compiled versions for MS Windows.
250- contrib/       Other software and more translation files.
250- historic/      Historic versions.  Also includes the content of
250-                the old devel/ and pgpgpg/ directories.
250-.
250-See http://www.gnupg.org for further information.
250-.
250-The programs GnuPG and Libgcrypt hosted here are Free Software packages of
250-the GNU Project. We call them Free Software because you are free to copy
250-and redistribute them, following the rules stated in the license of each
250-package. For more information, see
250-http://www.gnu.org/philosophy/free-sw.html.
250-.
250-If you are looking for service or support for this software, see
250-http://www.gnupg.org/service.html .
250-.
250-If you would like to contribute to the development of one of these
250-packages, contact the package maintainer or the bug-reporting address
250-of the package (which should be listed in the package itself), or look
250-on www.gnu.org for more information on how to contribute.
250-.
250 Directory change successful.
ftp> cd libgcrypt
250-This is the stable version of Libgcrypt.
250-For devlopment versions see ../alpha/libgcrypt/.
250 Directory change successful.
ftp> get libgcrypt-1.6.0.tar.bz2
local: libgcrypt-1.6.0.tar.bz2 remote: libgcrypt-1.6.0.tar.bz2
227 Entering Passive Mode (217,69,76,55,158,239).
150 About to open data connection.
226 File transfer complete.
2499149 bytes received in 51.68 secs (47.2 kB/s)
ftp> close
221 Service closing control connection.
ftp> bye
```
After the downloads complete, install libgpg-error and libgcrypt.
```
****** Extracting an xxx.tar.bz2 archive ******
bzip2 -d xxx.tar.bz2
tar -xvf xxx.tar
or
tar -xjvf xxx.tar.bz2
******************************************
```
```
bzip2 -d libgpg-error-1.12.tar.bz2
tar -xvf libgpg-error-1.12.tar
bzip2 -d libgcrypt-1.6.0.tar.bz2
tar -xvf libgcrypt-1.6.0.tar
```
For libgpg-error and libgcrypt, refer to the instructions for libgpg-error-1.12 and libgcrypt-1.6.0:
Installing libgpg-error-1.12:
Install libgpg-error by running the following commands:
```
./configure --prefix=/usr --disable-static &&
make
```
To test the results, issue: make check.
Now, as the root user:
```
make install &&
install -v -m644 -D README /usr/share/doc/libgpg-error-1.12/README
```
Installing libgcrypt-1.6.0 (in the experiment only the part marked in red was executed):
Install libgcrypt by running the following commands:
```
./configure --prefix=/usr &&
make
```
Only info documentation is shipped in the package tarball. If you wish to build alternate formats of the documentation (you must have texlive-20130530 installed to build the PDF and PostScript documentation), then issue the following commands:
```
make -C doc pdf ps html &&
makeinfo --html --no-split -o doc/gcrypt_nochunks.html doc/gcrypt.texi &&
makeinfo --plaintext -o doc/gcrypt.txt doc/gcrypt.texi
```
To test the results, issue: make check.
Now, as the root user:
```
make install &&
install -v -dm755 /usr/share/doc/libgcrypt-1.6.0 &&
install -v -m644 README doc/{README.apichanges,fips*,libgcrypt*} \
        /usr/share/doc/libgcrypt-1.6.0
```
If you built the additional documentation, install it by issuing the following commands as the root user:
```
install -v -dm755 /usr/share/doc/libgcrypt-1.6.0/html &&
install -v -m644 doc/gcrypt.html/* \
        /usr/share/doc/libgcrypt-1.6.0/html &&
install -v -m644 doc/gcrypt_nochunks.html \
        /usr/share/doc/libgcrypt-1.6.0 &&
install -v -m644 doc/gcrypt.{pdf,ps,dvi,txt,texi} \
        /usr/share/doc/libgcrypt-1.6.0
```
- Installing LIBGMP
Before installing libgmp, m4 (a macro processing language) and build-essential (informational list of build-essential packages) must be installed:
```
sudo apt-get install m4
sudo apt-get install build-essential
```
Download gmp-x.x.x.tar.bz2 from the libgmp website and install it; the experiment used gmp-5.1.3.tar.bz2:
```
tar -xjvf gmp-5.1.3.tar.bz2
cd gmp-5.1.3
sudo ./configure --enable-cxx
sudo make
sudo make check
sudo make install
```
- Installing LIBCURL
```
wget http://curl.haxx.se/download/curl-7.22.0.tar.gz
tar -zxvf curl-7.22.0.tar.gz
cd curl-7.22.0
./configure
make
make install
```
- Installing StrongSwan
```
wget http://download.strongswan.org/strongswan-4.6.4.tar.bz2
tar xjvf strongswan-4.6.4.tar.bz2
cd strongswan-4.6.4
./configure --prefix=/usr --sysconfdir=/etc --enable-gcrypt --enable-curl --disable-pluto
make
make install
```
- Experiment
Setup:
Ubuntu3 (virtual machine): Ubuntu 12.04 LTS (32-bit), IP 192.168.31.132
Ubuntu4 (virtual machine): Ubuntu 12.04 LTS (32-bit), IP 192.168.31.133
Configuring Ubuntu3:
Configure /etc/ipsec.secrets
```
192.168.31.132 : PSK "chu"
```
Configure /etc/ipsec.conf
```
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
        # plutodebug=all
        # crlcheckinterval=600
        # strictcrlpolicy=yes
        # cachecrls=yes
        # nat_traversal=yes
        # charonstart=no
        # plutostart=no
        plutodebug=all
        charondebug="ike 4"
        charonstart=yes
        plutostart=yes

# Add connections here.

# Sample VPN connections

#conn sample-self-signed
#      left=%defaultroute
#      leftsubnet=10.1.0.0/16
#      leftcert=selfCert.der
#      leftsendcert=never
#      right=192.168.0.2
#      rightsubnet=10.2.0.0/16
#      rightcert=peerCert.der
#      auto=start

#conn sample-with-ca-cert
#      left=%defaultroute
#      leftsubnet=10.1.0.0/16
#      leftcert=myCert.pem
#      right=192.168.0.2
#      rightsubnet=10.2.0.0/16
#      rightid="C=CH, O=Linux strongSwan CN=peer name"
#      keyexchange=ikev2
#      auto=start

conn host-to-host
        left=192.168.31.133
        right=192.168.31.132
        type=transport
        authby=secret
        auto=start
```
Configure /etc/strongswan.conf
```
# strongswan.conf - strongSwan configuration file

charon {

        # number of worker threads in charon
        threads = 16

        # send strongswan vendor ID?
        # send_vendor_id = yes

        load = curl pem pkcs1 gcrypt x509 revocation hmac xcbc stroke kernel-netlink socket-default updown

        plugins {

                sql {
                        # loglevel to log into sql database
                        loglevel = -1

                        # URI to the database
                        # database = sqlite:///path/to/file.db
                        # database = mysql://user:password@localhost/database
                }
        }

        filelog {
                /var/log/strongswan.log {
                        time_format = %b %e %T
                        append = no
                        default = 4
                        flush_line = yes
                }
        }

        # ...
}

pluto {

}

libstrongswan {

        # set to no, the DH exponent size is optimized
        # dh_exponent_ansi_x9_42 = no
}
```
Configure Ubuntu4 in the same way. Restart the software with ipsec restart, then check the log file (/var/log/strongswan.log):
```
Jan 12 17:36:50 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.6.4)
Jan 12 17:36:50 00[LIB] plugin 'curl': loaded successfully
Jan 12 17:36:50 00[LIB] plugin 'pem': loaded successfully
Jan 12 17:36:50 00[LIB] plugin 'pkcs1': loaded successfully
Jan 12 17:36:50 00[LIB] plugin 'gcrypt': loaded successfully
Jan 12 17:36:50 00[LIB] plugin 'x509': loaded successfully
Jan 12 17:36:50 00[LIB] plugin 'revocation': loaded successfully
Jan 12 17:36:50 00[LIB] plugin 'hmac': loaded successfully
Jan 12 17:36:50 00[LIB] plugin 'xcbc': loaded successfully
Jan 12 17:36:50 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Jan 12 17:36:50 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Jan 12 17:36:50 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Jan 12 17:36:50 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Jan 12 17:36:50 00[CFG] loading crls from '/etc/ipsec.d/crls'
Jan 12 17:36:50 00[CFG] loading secrets from '/etc/ipsec.secrets'
Jan 12 17:36:50 00[CFG] loaded IKE secret for 192.168.31.133
Jan 12 17:36:50 00[CFG] secret: 63:68:75
Jan 12 17:36:50 00[LIB] plugin 'stroke': loaded successfully
Jan 12 17:36:50 00[LIB] plugin 'kernel-netlink': loaded successfully
Jan 12 17:36:50 00[KNL] listening on interfaces:
Jan 12 17:36:50 00[KNL] eth0
Jan 12 17:36:50 00[KNL] 192.168.31.133
Jan 12 17:36:50 00[KNL] fe80::20c:29ff:feb9:b29c
Jan 12 17:36:50 00[LIB] plugin 'socket-default': loaded successfully
Jan 12 17:36:50 00[LIB] plugin 'updown': loaded successfully
Jan 12 17:36:50 00[DMN] loaded plugins: curl pem pkcs1 gcrypt x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
```
The gcrypt plugin is loaded, which is what the experiment set out to verify. Note that log level 4 (charondebug="ike 4" and default = 4 in the filelog section) also writes sensitive data to the log: the line secret: 63:68:75 is the PSK "chu" in hex, so this level should not be left on in production and the log file needs restricted permissions.
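As an added check that is not part of the original post, the following Python script cross-references the load = line from strongswan.conf against the plugin 'X': loaded successfully lines in the log, and decodes the secret: xx:xx:xx line that level-4 logging produces. The embedded log excerpt is constructed from the lines above; the function names are my own.

```python
import re

# Constructed sample: the "load =" line from the strongswan.conf shown above.
LOAD_LINE = ("load = curl pem pkcs1 gcrypt x509 revocation hmac xcbc "
             "stroke kernel-netlink socket-default updown")

# Constructed sample: a short excerpt of the /var/log/strongswan.log above,
# deliberately missing most plugins so the check has something to report.
SAMPLE_LOG = """\
Jan 12 17:36:50 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.6.4)
Jan 12 17:36:50 00[LIB] plugin 'curl': loaded successfully
Jan 12 17:36:50 00[LIB] plugin 'pem': loaded successfully
Jan 12 17:36:50 00[LIB] plugin 'gcrypt': loaded successfully
Jan 12 17:36:50 00[CFG] loaded IKE secret for 192.168.31.133
Jan 12 17:36:50 00[CFG] secret: 63:68:75
Jan 12 17:36:50 00[DMN] loaded plugins: curl pem gcrypt
"""

PLUGIN_RE = re.compile(r"plugin '([\w-]+)': loaded successfully")
SECRET_RE = re.compile(r"\[CFG\] secret: ([0-9a-fA-F]{2}(?::[0-9a-fA-F]{2})*)")


def requested_plugins(load_line):
    """Plugin names listed after 'load =' in strongswan.conf, in order."""
    _, _, names = load_line.partition("=")
    return names.split()


def loaded_plugins(log_text):
    """Plugins charon reported as loaded, in log order."""
    return PLUGIN_RE.findall(log_text)


def missing_plugins(load_line, log_text):
    """Requested plugins with no 'loaded successfully' line
    (typically not compiled in, e.g. --enable-gcrypt left out)."""
    loaded = set(loaded_plugins(log_text))
    return [p for p in requested_plugins(load_line) if p not in loaded]


def leaked_secrets(log_text):
    """Decode the 'secret: xx:xx:..' lines charon writes at log level 4,
    returning the plaintext so an operator sees exactly what the log exposes."""
    found = []
    for m in SECRET_RE.finditer(log_text):
        raw = bytes.fromhex(m.group(1).replace(":", ""))
        found.append(raw.decode("utf-8", errors="replace"))
    return found


if __name__ == "__main__":
    print("missing plugins:", missing_plugins(LOAD_LINE, SAMPLE_LOG))
    print("secrets exposed in log:", leaked_secrets(SAMPLE_LOG))
```

Run it against the real file with SAMPLE_LOG replaced by open("/var/log/strongswan.log").read(); an empty missing list plus an empty secrets list is the state you want.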