Saturday, August 18, 2012

Compiling Strongswan 4.6.4 for Ubuntu 12.04

Debian and Ubuntu are still shipping ancient Strongswan packages. Today I wanted to do some testing with kernel crypto algorithms (af-alg), but the Ubuntu Strongswan package had them disabled.



Below is an updated version of my previous notes on how to compile a somewhat newer Strongswan, this time 4.6.4 with af-alg enabled. I tried 5.0 too, but it barfed a bunch of errors.
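# Get latest source tarball
# The tarball is compiled and installed as root, so a tampered download
# would end up running on the VPN gateway itself. Fetch it over HTTPS and
# check the detached signature published next to it before going on.
# Prerequisite: the strongSwan release signing key is already in the local
# GnuPG keyring and its fingerprint (<RELEASE_KEY_FINGERPRINT>, placeholder)
# was confirmed through a channel other than this download server.
mkdir -p /usr/src/strongswan
# Stop if the directory is not usable; everything below assumes this cwd.
cd /usr/src/strongswan || exit 1
wget https://download.strongswan.org/strongswan-4.6.4.tar.bz2 || exit 1
wget https://download.strongswan.org/strongswan-4.6.4.tar.bz2.sig || exit 1
if ! gpg --verify strongswan-4.6.4.tar.bz2.sig strongswan-4.6.4.tar.bz2; then
  echo "signature check failed for strongswan-4.6.4.tar.bz2, not building" >&2
  exit 1
fi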

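# Install components required for compiling it
# Abort when the toolchain or build dependencies cannot be installed;
# the later build steps cannot succeed without them.
apt-get -y install build-essential devscripts || exit 1
apt-get -y build-dep strongswan || exit 1

# Grab source of old version
# (apt-get source needs a deb-src line for the release in sources.list)
apt-get -y source strongswan || exit 1

# Do little magic
# uupdate (from devscripts) applies the existing debian/ packaging to the
# new upstream tarball. The cd is checked so that uupdate never runs from
# the wrong directory if the archive ships a source version other than 4.5.2.
cd strongswan-4.5.2 || exit 1
uupdate ../strongswan-4.6.4.tar.bz2 -v 4.6.4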

# Docs say dpkg-source creates .dsc but that doesn't seem to be true
# so we do it manually.
cd ..
dpkg-source -D"Version=4.6.4-0ubuntu1" -Zbzip2 --before-build strongswan-4.6.4

# Hand-written source control file for the 4.6.4-0ubuntu1 package.
# The delimiter is quoted so the shell copies the text literally and never
# expands anything inside it.
# NOTE(review): Vcs-Browser says "pkg-swn" while Vcs-Git says "pkg-swan";
# one of the two looks like a typo. Both fields are informational only.
cat <<'__EOF__' >strongswan_4.6.4-0ubuntu1.dsc
Format: 3.0 (quilt)
Source: strongswan
Binary: strongswan, libstrongswan, strongswan-dbg, strongswan-starter, strongswan-ikev1, strongswan-ikev2, strongswan-nm
Architecture: any
Version: 4.6.4-0ubuntu1
Maintainer: Rene Mayrhofer <rmayr@debian.org>
Homepage: http://www.strongswan.org
Standards-Version: 3.9.1
Vcs-Browser: http://anonscm.debian.org/git/pkg-swn/strongswan.git
Vcs-Git: git://anonscm.debian.org/pkg-swan/strongswan.git
Build-Depends: debhelper (>= 7.1), libtool, libgmp3-dev, libssl-dev (>= 0.9.8), libcurl4-openssl-dev | libcurl3-dev | libcurl2-dev, libldap2-dev, libpam0g-dev, libkrb5-dev, bison, flex, bzip2, po-debconf, hardening-wrapper, network-manager-dev (>= 0.7), libfcgi-dev, clearsilver-dev, libxml2-dev, libsqlite3-dev, libnm-glib-vpn-dev (>= 0.7), libnm-util-dev (>= 0.7), gperf, libcap-dev
__EOF__

# Adjust the Debian packaging for 4.6.4:
#  - disable eap-tnc support (fails to compile on Ubuntu)
#  - enable kernel crypto support (af-alg)
#  - update lib paths
#  - remove unnecessary patch
# Every sed call keeps a .bak copy of the file it edits.
# NOTE(review): the rules edit also switches on the blowfish plugin.
# Blowfish is a legacy cipher with a 64-bit block; leave it out of the
# configured proposals unless a peer needs it for interoperability.
sed -i.bak \
  -e 's/enable-eap-tnc/disable-eap-tnc/g' \
  -e 's/enable-led/enable-led --enable-af-alg --enable-blowfish /g' \
  strongswan-4.6.4/debian/rules

# Both .install lists get the same path rewrite into usr/lib/ipsec.
for list in libstrongswan strongswan-ikev2; do
  sed -i.bak -e 's/usr\/lib\/lib/usr\/lib\/ipsec\/lib/g' \
    -e 's/usr\/lib\/$/usr\/lib\/ipsec\//g' \
    "strongswan-4.6.4/debian/${list}.install"
done

# Libraries and plugins the old packaging does not list yet.
install_list=strongswan-4.6.4/debian/libstrongswan.install
for entry in \
  "usr/lib/ipsec/libtls.so* usr/lib/ipsec/" \
  "usr/lib/ipsec/libsimaka.so* usr/lib/ipsec/" \
  "usr/lib/ipsec/libradius.so* usr/lib/ipsec/" \
  "usr/lib/ipsec/plugins/libstrongswan-af-alg.so* usr/lib/ipsec/plugins/" \
  "usr/lib/ipsec/plugins/libstrongswan-blowfish.so* usr/lib/ipsec/plugins/" \
  "usr/lib/ipsec/plugins/libstrongswan-cmac.so* usr/lib/ipsec/plugins/" \
  "usr/lib/ipsec/plugins/libstrongswan-pkcs8.so* usr/lib/ipsec/plugins/"; do
  echo "$entry" >>"$install_list"
done

# Comment out the 0001 patch in the quilt series.
sed -i.bak -e 's/^0001/#0001/g' strongswan-4.6.4/debian/patches/series

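# Compile and package latest version
dpkg-source -D"Version=4.6.4-0ubuntu1" -Zbzip2 --before-build strongswan-4.6.4
# Build only from inside the prepared tree; stop if it does not exist.
cd strongswan-4.6.4 || exit 1
# -us -uc: leave the source package and .changes unsigned (local build)
# -nc: do not clean the tree before building
# A failed build aborts here so that stale .deb files from an earlier run
# are not installed below.
dpkg-buildpackage -us -uc -nc -v4.6.4 || exit 1

# Install new packages
cd .. || exit 1
# The architecture-specific packages are named after the build host's
# architecture, so ask dpkg for it instead of assuming i386.
arch=$(dpkg --print-architecture) || exit 1
dpkg -i \
  "libstrongswan_4.6.4-0ubuntu1_${arch}.deb" \
  strongswan_4.6.4-0ubuntu1_all.deb \
  "strongswan-ikev1_4.6.4-0ubuntu1_${arch}.deb" \
  "strongswan-ikev2_4.6.4-0ubuntu1_${arch}.deb" \
  "strongswan-starter_4.6.4-0ubuntu1_${arch}.deb"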

# Block updates from overwriting our version
# NOTE(review): a hold also keeps the archive's security updates for these
# packages from being installed. From here on this 4.6.4 build has to be
# tracked against strongSwan advisories and rebuilt by hand.
# `dpkg --get-selections | grep hold` lists what is currently held.
for pkg in strongswan strongswan-ikev1 strongswan-ikev2 strongswan-starter libstrongswan; do
  echo "${pkg} hold" | dpkg --set-selections
done

1 comment:

  1. nice work but looking something similar for debian 6 and strongswan 5

