Autoconf Options

Please note: This page documents the ./configure options for the latest strongSwan release. Therefore, you should always use

./configure --help

to check which options are actually available for the release you are using.

--dir options

Some directories can be configure through --with options.

Option Default Description

Option	Default	Description
--prefix=PREFIX	`/usr/local`	where to put installation. Most Linux distributions use `/usr`
--libexecdir=LIBEXECDIR	`PREFIX/libexec`	program executables
--libdir=LIBDIR	`PREFIX/lib`	shared libraries
--sysconfdir=SYSCONFDIR	`PREFIX/etc`	where to put configuration files. We strongly recommend `/etc`

--prefix=PREFIX

/usr/local

where to put installation. Most Linux distributions use /usr

--libexecdir=LIBEXECDIR

PREFIX/libexec

program executables

--libdir=LIBDIR

PREFIX/lib

shared libraries

--sysconfdir=SYSCONFDIR

PREFIX/etc

where to put configuration files. We strongly recommend /etc

--enable Options

The plugin list provides more information on specific plugins.

Option Since^[1] Description

Option	Since^[1]	Description
--enable-acert	5.1.3	enable X.509 attribute certificate checking plugin
--enable-addrblock		enable RFC 3779 address block constraint support plugin
--enable-aesni	5.3.1	enable Intel AES-NI crypto plugin
--enable-af-alg		enable AF_ALG crypto interface to Linux Crypto API
--enable-agent		enable ssh-agent signing plugin
--enable-aikgen	5.2.0	enable AIK generator for TPM 1.2
--enable-all	5.1.3	enable all optional plugins and features (they can be disabled with their respective --disable options). Mainly intended for testing
--enable-android		enable Android specific plugin
--enable-android-log		enable Android specific logger plugin
--enable-asan	5.9.8	enable build with AddressSanitizer (ASan)
--enable-attr-sql		enable SQL-based configuration attributes. This is a plugin for VPN gateways only, serving virtual IP addresses
--enable-bfd-backtraces	5.0.1	use binutil’s libbfd to resolve backtraces for memory leaks and segfaults
--enable-bliss	5.2.2	enable deprecated Bimodal Lattice Signature Scheme (BLISS) software implementation plugin. Since a side-channel attack on our BLISS implementation has been reported, please use the NIST PQC (Post-Quantum Cryptography) Selected Algorithms and Round 4 Submissions signature algorithms offered by the post-quantum strongSwan 6.0 version instead.
--enable-blowfish		enable Blowfish software implementation plugin
--enable-botan	5.7.0	enable Botan crypto plugin. Requires Botan 2.8.0 or newer
--enable-bypass-lan	5.5.2	enable plugin to automatically install bypass policies for local subnets
--enable-ccm		enable CCM AEAD wrapper crypto plugin
--enable-chapoly	5.3.3	enables the ChaCha20/Poly1305 AEAD plugin
--enable-cert-enroll	5.9.12	enable automatic certificate enrollment via EST or SCEP
--enable-cert-enroll-timer	5.9.12	enable installation of cert-enroll as a systemd timer
--enable-certexpire		enable CSV export of expiration dates of used certificates
--enable-cmd	5.1.0	enable command line IKE client charon-cmd
--enable-conftest		enable IKE conformance test framework
--enable-connmark	5.3.0	enable conntrack based marks to select return path SA
--enable-counters	5.6.1	enable plugin that collects several performance counters
--enable-coupling		enable IKEv2 plugin to couple peer certificates permanently to authentication
--enable-coverage	5.1.0	enable lcov coverage report generation^[2]
--enable-ctr		enable counter mode wrapper crypto plugin
--enable-curl		enable plugin to fetch files (CRL/OCSP) via `libcurl`. Requires the `libcurl` library
--enable-dbghelp-backtraces	5.2.0	use dbghlp.dll on Windows to create and print backtraces for memory leaks and segfaults
--enable-dhcp		enable DHCP based attribute provider plugin
--enable-dnscert	5.1.1	enable plugin authenticating peers based on DNS CERT resource records protected by DNSSEC
--enable-duplicheck		enable advanced duplicate checking plugin using liveness checks
--enable-eap-aka		enable EAP AKA authentication plugin
--enable-eap-aka-3gpp	5.6.0	enable EAP AKA backend plugin implementing 3GPP MILENAGE algorithms in software
--enable-eap-aka-3gpp2		enable EAP AKA backend plugin implementing 3GPP2 algorithms in software. Requires `libgmp` library
--enable-eap-dynamic	5.0.1	enable dynamic EAP proxy plugin
--enable-eap-gtc		enable EAP GTC authentication plugin
--enable-eap-identity		enable EAP plugin providing EAP-Identity helper
--enable-eap-md5		build EAP MD5 (CHAP) authentication plugin
--enable-eap-mschapv2		enable EAP MS-CHAPv2 authentication plugin
--enable-eap-peap		enable EAP PEAP authentication plugin
--enable-eap-radius		enable RADIUS proxy authentication plugin for EAP
--enable-eap-sim		enable EAP-SIM authentication plugin
--enable-eap-sim-file		enable EAP-SIM backend based on a triplets file
--enable-eap-sim-pcsc		enable EAP-SIM backend based on a smartcard reader. Requires `libpcsclite` library
--enable-eap-simaka-pseudonym		enable EAP-SIM/AKA pseudonym storage
--enable-eap-simaka-reauth		enable EAP-SIM/AKA reauthentication data storage
--enable-eap-simaka-sql		enable EAP-SIM/AKA backend based on a triplet/quintuplet SQL database
--enable-eap-tls		enable EAP TLS authentication plugin
--enable-eap-tnc		enable EAP TNC trusted network connect plugin
--enable-eap-ttls		enable EAP TTLS authentication plugin
--enable-error-notify	5.0.2	enable error notification plugin
--enable-ext-auth	5.2.1	enable plugin calling an external authorization script
--enable-farp		enable ARP faking plugin that responds to ARP requests for virtual IPs assigned to peers
--enable-fast		build `libfast` (FastCGI Application Server w/ templates)
--enable-files	5.3.0	enable simple `file://` URI fetcher
--enable-forecast	5.3.0	enable plugin that forwards broadcast/multicast messages
--enable-fuzzing	5.5.3	enable fuzzing scripts (found in directory `fuzz` and intended for use on the OSS-Fuzz infrastructure)
--enable-gcrypt		enable gcrypt plugin. Requires the GNU libgcrypt library
--enable-git-version		use output of `git describe` as version information in executables
--enable-ha		enable high availability cluster plugin
--enable-imc-attestation		enable TNC Attestation IMC
--enable-imc-hcd	5.3.3	enable TNC Hardcopy Device Integrity (HCD) IMC
--enable-imc-os		enable TNC Operating System (OS) IMC
--enable-imc-scanner		enable TNC Port Scanner IMC
--enable-imc-swima	5.6.0	enable TNC SWIMA IMC
--enable-imc-test		enable TNC Test IMC
--enable-imv-attestation		enable TNC Attestation IMV and the `attest` management tool.
--enable-imv-hcd	5.3.3	enable TNC Hardcopy Device Integrity (HCD) IMV
--enable-imv-os		enable TNC Operating System (OS) IMV
--enable-imv-scanner		enable TNC Port Scanner IMV
--enable-imv-swima	5.6.0	enable TNC SWIMA IMV
--enable-imv-test		enable TNC Test IMV
--enable-integrity-test		enable integrity testing of the daemon, libraries and loaded plugins
--enable-ipseckey	5.0.3	enable authentication plugin authenticatomg peers based on IPSECKEY DNS resource records protected by DNSSEC
--enable-kernel-iph	5.2.0	enable Windows IP Helper based networking backend
--enable-kernel-libipsec	5.1.0	enable `libipsec`-based user-space "kernel" interface
--enable-kernel-pfkey		enable PF_KEYv2 NETKEY kernel interface
--enable-kernel-pfroute		enable PF_ROUTE kernel interface. Required for FreeBSD and Mac OSX
----kernel-wfp	5.2.0	enable Windows Filtering Platform IPsec backend
--enable-keychain	5.1.0	enable macOS Keychain Services credential set
--enable-libipsec		enable user space IPsec implementation
--enable-ldap		enable LDAP fetcher to fetch files (CRLs) from an LDAP server. Requires OpenLDAP
--enable-leak-detective		enable malloc hooks to find memory leaks
--enable-led		enable plugin to control LEDs on IKEv2 activity using the Linux kernel LED subsystem
--enable-load-tester		enable load testing plugin for IKEv2 daemon
--enable-lock-profiler		enable lock/mutex profiling code
--enable-log-thread-ids	5.4.0	use thread ID if available instead of an incremented value starting from 1 to identify threads
--enable-lookip		enable fast virtual IP lookup and notification plugin
--enable-manager		build the deprecated strongSwan manager web application
--enable-md4		enable MD4 software implementation plugin. Required for `eap-mschapv2` plugin
--enable-medcli		enable deprecated mediation client web front end and daemon plugin
--enable-mediation		enable IKEv2 Mediation Extension
--enable-medsrv		enable deprecated mediation server web front end and daemon plugin
--enable-mgf1	5.5.1	enable MGF1 software implementation plugin
--enable-monolithic		build monolithic versions of `libstrongswan` and `libcharon` that include all enabled plugins
--enable-mysql		enable MySQL database support. Requires `libmysqlclient_r`
--enable-newhope	5.5.1	enable deprecated NewHope post-quantum key exchange plugin. Use the post-quantum strongSwan 6.0 version instead
--enable-nm		enable NetworkManager backend
--enable-ntru	5.1.2	enable deprecated `NTRUEncrypt` key exchange plugin. Use the post-quantum strongSwan 6.0 version instead
--enable-openssl		enable [OpenSSL] crypto plugin. Requires `libcrypto` library
--enable-openxpki	5.9.12	enable OCSP responder accessing OpenXPKI MySQL/MariaDB certificate database
--enable-osx-attr	5.1.0	enable macOS SystemConfiguration attribute handler
--enable-p-cscf	5.4.0	enable plugin to request P-CSCF server addresses from an ePDG (RFC 7651)
--enable-padlock		enable padlock crypto plugin. Requires a VIA Padlock crypto engine
--enable-perl-cpan	5.4.0	enable build of provided perl CPAN modules e.g. for the `vici` protocol
--enable-perl-cpan-install	5.4.0	enable installation of provided CPAN modules
--enable-pkcs11		enable PKCS#11 crypto token support plugin
--enable-python-eggs	5.3.0	enable build of provided python eggs e.g. for the `vici` protocol
--enable-python-eggs-install	5.3.1	enable local installation of provided python eggs
--enable-radattr		enable plugin to inject and process custom RADIUS attributes as IKEv2 client
--enable-rdrand		enable Intel RDRAND random generator plugin
--enable-ruby-gems	5.2.1	enable build of provided ruby gems e.g. for the `vici` protocol
--enable-ruby-gems-install	5.3.1	enable local installation of provided ruby gems
--enable-save-keys	5.6.2	enable development/debugging plugin that saves IKE and ESP keys in Wireshark format
--enable-selinux	5.9.6	enable SELinux support for labeled IPsec and the selinux plugin
--enable-sha3	5.3.4	enable SHA3 and SHAKE software implementation plugin
--enable-smp		enable deprecated XML configuration and control interface. Requires `libxml` library.
--enable-socket-dynamic		enable dynamic socket implementation for charon
--enable-socket-win	5.2.0	enable Winsock2 based socket implementation for `charon`
--enable-soup		enable fetcher plugin to fetch from HTTP URIs. Requires `libsoup` library
--enable-sql		enable SQL database configuration backend
--enable-sqlite		enable SQLite database support. Requires `libsqlite3` library
--enable-svc	5.2.0	enable charon Windows service
--enable-systemd	5.2.1	enable `systemd` specific IKE daemon charon-systemd
--enable-systime-fix	5.0.3	enable plugin to handle cert lifetimes with invalid system time gracefully
--enable-test-vectors		enable crypto test vectors plugin
--enable-tkm	5.0.3	enable `charon-tkm` an IKEv2 daemon that is backed by a Trusted Key Manager (TKM).
--enable-tnccs-11		enable TNC Client Server (TNCCS) 1.1 protocol plugin. Requires `libxml2` library
--enable-tnccs-20		enable TNC Client Server (TNCCS) 2.0 protocol plugin
--enable-tnccs-dynamic		enable TNC Client Server (TNCCS) dynamic protocol discovery plugin
--enable-tnc-ifmap		enable TNC IF-MAP 2.0 client plugin
--enable-tnc-imc		enable TNC Integrity Measurement Collector (IMC) manager plugin
--enable-tnc-imv		enable TNC Integrity Measurement Validator (IMV) manager plugin
--enable-tnc-pdp		enable TNC Policy Decision Point plugin plugin
--enable-tpm	5.5.2	enable plugin to access persistent RSA and ECDSA private keys bound to Trusted Platform Module 2.0
--enable-tss-trousers	5.5.0	enable TPM 1.2 TrouSerS library. Requires `libtspi` library
--enable-tss-tss2	5.5.0	enable TPM 2.0 TSS2 library. Requires `libtss2` library
--enable-uci		enable OpenWRT UCI configuration plugin
--enable-unbound		DNSSEC-enabled resolver plugin based on libunbound
--enable-unity		enable Cisco Unity extension plugin
--enable-unwind-backtraces	5.1.0	use libunwind to create backtraces for memory leaks and segfaults
--enable-warnings	5.9.7	enable extended compiler warnings and -Werror (auto-enabled when building from the repository)
--enable-whitelist		enable peer identity whitelisting plugin
--enable-winhttp	5.2.0	enable WinHTTP based HTTP/HTTPS fetching plugin
--enable-wolfssl	5.8.0	enable wolfSSL crypto plugin. Requires `libwolfssl` library
--enable-xauth-eap		enable XAuth backend using EAP methods to verify password
--enable-xauth-noauth	5.0.3	enable XAuth pseudo-backend that does not actually verify or even request any credentials
--enable-xauth-pam		enable XAuth backend using PAM to verify passwords

--enable-acert

5.1.3

enable X.509 attribute certificate checking plugin

--enable-addrblock

enable RFC 3779 address block constraint support plugin

--enable-aesni

5.3.1

enable Intel AES-NI crypto plugin

--enable-af-alg

enable AF_ALG crypto interface to Linux Crypto API

--enable-agent

enable ssh-agent signing plugin

--enable-aikgen

5.2.0

enable AIK generator for TPM 1.2

--enable-all

5.1.3

enable all optional plugins and features (they can be disabled with their respective --disable options). Mainly intended for testing

--enable-android

enable Android specific plugin

--enable-android-log

enable Android specific logger plugin

--enable-asan

5.9.8

enable build with AddressSanitizer (ASan)

--enable-attr-sql

enable SQL-based configuration attributes. This is a plugin for VPN gateways only, serving virtual IP addresses

--enable-bfd-backtraces

5.0.1

use binutil’s libbfd to resolve backtraces for memory leaks and segfaults

--enable-bliss

5.2.2

enable deprecated Bimodal Lattice Signature Scheme (BLISS) software implementation plugin. Since a side-channel attack on our BLISS implementation has been reported, please use the NIST PQC (Post-Quantum Cryptography) Selected Algorithms and Round 4 Submissions signature algorithms offered by the post-quantum strongSwan 6.0 version instead.

--enable-blowfish

enable Blowfish software implementation plugin

--enable-botan

5.7.0

enable Botan crypto plugin. Requires Botan 2.8.0 or newer

--enable-bypass-lan

5.5.2

enable plugin to automatically install bypass policies for local subnets

--enable-ccm

enable CCM AEAD wrapper crypto plugin

--enable-chapoly

5.3.3

enables the ChaCha20/Poly1305 AEAD plugin

--enable-cert-enroll

5.9.12

enable automatic certificate enrollment via EST or SCEP

--enable-cert-enroll-timer

5.9.12

enable installation of cert-enroll as a systemd timer

--enable-certexpire

enable CSV export of expiration dates of used certificates

--enable-cmd

5.1.0

enable command line IKE client charon-cmd

--enable-conftest

enable IKE conformance test framework

--enable-connmark

5.3.0

enable conntrack based marks to select return path SA

--enable-counters

5.6.1

enable plugin that collects several performance counters

--enable-coupling

enable IKEv2 plugin to couple peer certificates permanently to authentication

--enable-coverage

5.1.0

enable lcov coverage report generation^[2]

--enable-ctr

enable counter mode wrapper crypto plugin

--enable-curl

enable plugin to fetch files (CRL/OCSP) via libcurl. Requires the libcurl library

--enable-dbghelp-backtraces

5.2.0

use dbghlp.dll on Windows to create and print backtraces for memory leaks and segfaults

--enable-dhcp

enable DHCP based attribute provider plugin

--enable-dnscert

5.1.1

enable plugin authenticating peers based on DNS CERT resource records protected by DNSSEC

--enable-duplicheck

enable advanced duplicate checking plugin using liveness checks

--enable-eap-aka

enable EAP AKA authentication plugin

--enable-eap-aka-3gpp

5.6.0

enable EAP AKA backend plugin implementing 3GPP MILENAGE algorithms in software

--enable-eap-aka-3gpp2

enable EAP AKA backend plugin implementing 3GPP2 algorithms in software. Requires libgmp library

--enable-eap-dynamic

5.0.1

enable dynamic EAP proxy plugin

--enable-eap-gtc

enable EAP GTC authentication plugin

--enable-eap-identity

enable EAP plugin providing EAP-Identity helper

--enable-eap-md5

build EAP MD5 (CHAP) authentication plugin

--enable-eap-mschapv2

enable EAP MS-CHAPv2 authentication plugin

--enable-eap-peap

enable EAP PEAP authentication plugin

--enable-eap-radius

enable RADIUS proxy authentication plugin for EAP

--enable-eap-sim

enable EAP-SIM authentication plugin

--enable-eap-sim-file

enable EAP-SIM backend based on a triplets file

--enable-eap-sim-pcsc

enable EAP-SIM backend based on a smartcard reader. Requires libpcsclite library

--enable-eap-simaka-pseudonym

enable EAP-SIM/AKA pseudonym storage

--enable-eap-simaka-reauth

enable EAP-SIM/AKA reauthentication data storage

--enable-eap-simaka-sql

enable EAP-SIM/AKA backend based on a triplet/quintuplet SQL database

--enable-eap-tls

enable EAP TLS authentication plugin

--enable-eap-tnc

enable EAP TNC trusted network connect plugin

--enable-eap-ttls

enable EAP TTLS authentication plugin

--enable-error-notify

5.0.2

enable error notification plugin

--enable-ext-auth

5.2.1

enable plugin calling an external authorization script

--enable-farp

enable ARP faking plugin that responds to ARP requests for virtual IPs assigned to peers

--enable-fast

build libfast (FastCGI Application Server w/ templates)

--enable-files

5.3.0

enable simple file:// URI fetcher

--enable-forecast

5.3.0

enable plugin that forwards broadcast/multicast messages

--enable-fuzzing

5.5.3

enable fuzzing scripts (found in directory fuzz and intended for use on the OSS-Fuzz infrastructure)

--enable-gcrypt

enable gcrypt plugin. Requires the GNU libgcrypt library

--enable-git-version

use output of git describe as version information in executables

--enable-ha

enable high availability cluster plugin

--enable-imc-attestation

enable TNC Attestation IMC

--enable-imc-hcd

5.3.3

enable TNC Hardcopy Device Integrity (HCD) IMC

--enable-imc-os

enable TNC Operating System (OS) IMC

--enable-imc-scanner

enable TNC Port Scanner IMC

--enable-imc-swima

5.6.0

enable TNC SWIMA IMC

--enable-imc-test

enable TNC Test IMC

--enable-imv-attestation

enable TNC Attestation IMV and the attest management tool.

--enable-imv-hcd

5.3.3

enable TNC Hardcopy Device Integrity (HCD) IMV

--enable-imv-os

enable TNC Operating System (OS) IMV

--enable-imv-scanner

enable TNC Port Scanner IMV

--enable-imv-swima

5.6.0

enable TNC SWIMA IMV

--enable-imv-test

enable TNC Test IMV

--enable-integrity-test

enable integrity testing of the daemon, libraries and loaded plugins

--enable-ipseckey

5.0.3

enable authentication plugin authenticatomg peers based on IPSECKEY DNS resource records protected by DNSSEC

--enable-kernel-iph

5.2.0

enable Windows IP Helper based networking backend

--enable-kernel-libipsec

5.1.0

enable libipsec-based user-space "kernel" interface

--enable-kernel-pfkey

enable PF_KEYv2 NETKEY kernel interface

--enable-kernel-pfroute

enable PF_ROUTE kernel interface. Required for FreeBSD and Mac OSX

----kernel-wfp

5.2.0

enable Windows Filtering Platform IPsec backend

--enable-keychain

5.1.0

enable macOS Keychain Services credential set

--enable-libipsec

enable user space IPsec implementation

--enable-ldap

enable LDAP fetcher to fetch files (CRLs) from an LDAP server. Requires OpenLDAP

--enable-leak-detective

enable malloc hooks to find memory leaks

--enable-led

enable plugin to control LEDs on IKEv2 activity using the Linux kernel LED subsystem

--enable-load-tester

enable load testing plugin for IKEv2 daemon

--enable-lock-profiler

enable lock/mutex profiling code

--enable-log-thread-ids

5.4.0

use thread ID if available instead of an incremented value starting from 1 to identify threads

--enable-lookip

enable fast virtual IP lookup and notification plugin

--enable-manager

build the deprecated strongSwan manager web application

--enable-md4

enable MD4 software implementation plugin. Required for eap-mschapv2 plugin

--enable-medcli

enable deprecated mediation client web front end and daemon plugin

--enable-mediation

enable IKEv2 Mediation Extension

--enable-medsrv

enable deprecated mediation server web front end and daemon plugin

--enable-mgf1

5.5.1

enable MGF1 software implementation plugin

--enable-monolithic

build monolithic versions of libstrongswan and libcharon that include all enabled plugins

--enable-mysql

enable MySQL database support. Requires libmysqlclient_r

--enable-newhope

5.5.1

enable deprecated NewHope post-quantum key exchange plugin. Use the post-quantum strongSwan 6.0 version instead

--enable-nm

enable NetworkManager backend

--enable-ntru

5.1.2

enable deprecated NTRUEncrypt key exchange plugin. Use the post-quantum strongSwan 6.0 version instead

--enable-openssl

enable [OpenSSL] crypto plugin. Requires libcrypto library

--enable-openxpki

5.9.12

enable OCSP responder accessing OpenXPKI MySQL/MariaDB certificate database

--enable-osx-attr

5.1.0

enable macOS SystemConfiguration attribute handler

--enable-p-cscf

5.4.0

enable plugin to request P-CSCF server addresses from an ePDG (RFC 7651)

--enable-padlock

enable padlock crypto plugin. Requires a VIA Padlock crypto engine

--enable-perl-cpan

5.4.0

enable build of provided perl CPAN modules e.g. for the vici protocol

--enable-perl-cpan-install

5.4.0

enable installation of provided CPAN modules

--enable-pkcs11

enable PKCS#11 crypto token support plugin

--enable-python-eggs

5.3.0

enable build of provided python eggs e.g. for the vici protocol

--enable-python-eggs-install

5.3.1

enable local installation of provided python eggs

--enable-radattr

enable plugin to inject and process custom RADIUS attributes as IKEv2 client

--enable-rdrand

enable Intel RDRAND random generator plugin

--enable-ruby-gems

5.2.1

enable build of provided ruby gems e.g. for the vici protocol

--enable-ruby-gems-install

5.3.1

enable local installation of provided ruby gems

--enable-save-keys

5.6.2

enable development/debugging plugin that saves IKE and ESP keys in Wireshark format

--enable-selinux

5.9.6

enable SELinux support for labeled IPsec and the selinux plugin

--enable-sha3

5.3.4

enable SHA3 and SHAKE software implementation plugin

--enable-smp

enable deprecated XML configuration and control interface. Requires libxml library.

--enable-socket-dynamic

enable dynamic socket implementation for charon

--enable-socket-win

5.2.0

enable Winsock2 based socket implementation for charon

--enable-soup

enable fetcher plugin to fetch from HTTP URIs. Requires libsoup library

--enable-sql

enable SQL database configuration backend

--enable-sqlite

enable SQLite database support. Requires libsqlite3 library

--enable-svc

5.2.0

enable charon Windows service

--enable-systemd

5.2.1

enable systemd specific IKE daemon charon-systemd

--enable-systime-fix

5.0.3

enable plugin to handle cert lifetimes with invalid system time gracefully

--enable-test-vectors

enable crypto test vectors plugin

--enable-tkm

5.0.3

enable charon-tkm an IKEv2 daemon that is backed by a Trusted Key Manager (TKM).

--enable-tnccs-11

enable TNC Client Server (TNCCS) 1.1 protocol plugin. Requires libxml2 library

--enable-tnccs-20

enable TNC Client Server (TNCCS) 2.0 protocol plugin

--enable-tnccs-dynamic

enable TNC Client Server (TNCCS) dynamic protocol discovery plugin

--enable-tnc-ifmap

enable TNC IF-MAP 2.0 client plugin

--enable-tnc-imc

enable TNC Integrity Measurement Collector (IMC) manager plugin

--enable-tnc-imv

enable TNC Integrity Measurement Validator (IMV) manager plugin

--enable-tnc-pdp

enable TNC Policy Decision Point plugin plugin

--enable-tpm

5.5.2

enable plugin to access persistent RSA and ECDSA private keys bound to Trusted Platform Module 2.0

--enable-tss-trousers

5.5.0

enable TPM 1.2 TrouSerS library. Requires libtspi library

--enable-tss-tss2

5.5.0

enable TPM 2.0 TSS2 library. Requires libtss2 library

--enable-uci

enable OpenWRT UCI configuration plugin

--enable-unbound

DNSSEC-enabled resolver plugin based on libunbound

--enable-unity

enable Cisco Unity extension plugin

--enable-unwind-backtraces

5.1.0

use libunwind to create backtraces for memory leaks and segfaults

--enable-warnings

5.9.7

enable extended compiler warnings and -Werror (auto-enabled when building from the repository)

--enable-whitelist

enable peer identity whitelisting plugin

--enable-winhttp

5.2.0

enable WinHTTP based HTTP/HTTPS fetching plugin

--enable-wolfssl

5.8.0

enable wolfSSL crypto plugin. Requires libwolfssl library

--enable-xauth-eap

enable XAuth backend using EAP methods to verify password

--enable-xauth-noauth

5.0.3

enable XAuth pseudo-backend that does not actually verify or even request any credentials

--enable-xauth-pam

enable XAuth backend using PAM to verify passwords

--disable Options

The plugin list provides more information on specific plugins.

Option Since^[1] Description

Option	Since^[1]	Description
--disable-aes		disable default AES software implementation plugin
--disable-attr		disable `strongswan.conf` based configuration of DNS and WINS server attributes^[3]
--disable-charon		disable the build of the IKEv1/IKEv2 keying `charon` daemon
--disable-cmac		disable CMAC crypto implementation plugin
--disable-constraints		disable advanced X.509 constraint checking plugin
--disable-curve25519	5.5.2	disable plugin providing X25519 DH group and Ed25519 public key authentication
--disable-defaults	5.0.3	disable all features that are enabled by default. Basically it’s short for removing all options listed in this section.
--disable-des		disable default DES/3DES software implementation plugin
--disable-dnskey		disable DNS Resource Records key decoding plugin
--disable-drgb	5.8.2	disable the NIST Deterministic Random Bit Generator plugin
--disable-fips-prf		disable default FIPS PRF software implementation plugin
--disable-gcm		disable GCM AEAD wrapper crypto plugin (was disabled by default prior to 5.9.8)
--disable-gmp		disable default GNU Multi Precision based public key cryptography implementation plugin. Requires `libgmp` library.
--disable-hmac		disable default HMAC crypto implementation plugin
--disable-ikev1		disable IKEv1 protocol support in `charon` daemon
--disable-ikev2		disable IKEv2 protocol support in `charon` daemon
--disable-kdf	5.9.6	disable default KDF (prf+) implementation plugin
--disable-kernel-netlink		disable default Netlink kernel interface
--disable-load-warning		disable the `charon` plugin load option warning in starter
--disable-md5		disable default MD5 software implementation plugin
--disable-nonce		disable nonce generation plugin
--disable-pem		disable PEM decoding plugin
--disable-pgp		disable PGP key decoding plugin
--disable-pkcs1		disable PKCS#1 key decoding plugin
--disable-pkcs7		disable PKCS#7 container support plugin
--disable-pkcs8		disable PKCS#8 private key decoding plugin
--disable-pkcs12	5.1.0	disable PKCS#12 container support plugin
--disable-pki	5.2.0	disable `pki` public key and certificate utility
--disable-pubkey		disable default RAW public key support plugin
--disable-random		disable default RNG implementation using the raw `/dev/[u]random` devices
--disable-rc2	5.1.0	disable RC2 software implementation plugin
--disable-resolve		disable writing DNS information received via configuration payload to `/etc/resolv.conf`. This is a plugin for VPN clients only
--disable-revocation		disable X.509 CRL/OCSP revocation check plugin
--disable-scripts		disable the build of additional utilities found in `scripts` directory
--disable-sha1		disable default SHA-1 software implementation plugin
--disable-sha2		disable default SHA-256/SHA-384/SHA-512 software implementation plugin
--disable-socket-default		disable default socket implementation for `charon` daemon
--disable-sshkey	5.1.0	disable SSH key decoding plugin
--disable-stroke		disable legacy `stroke` configuration backend for `charon` daemon
--disable-swanctl	5.2.0	disable `swanctl` configuration and control tool
--disable-updown		disable updown firewall script plugin
--disable-vici	5.2.0	disable the Versatile IKE Control Interface (VICI) plugin for `charon` daemon
--disable-x509		disable default X.509 certificate implementation plugin
--disable-xauth-generic		disable generic XAauth backend
--disable-xcbc		disable default XCBC crypto implementation plugin

--disable-aes

disable default AES software implementation plugin

--disable-attr

disable strongswan.conf based configuration of DNS and WINS server attributes^[3]

--disable-charon

disable the build of the IKEv1/IKEv2 keying charon daemon

--disable-cmac

disable CMAC crypto implementation plugin

--disable-constraints

disable advanced X.509 constraint checking plugin

--disable-curve25519

5.5.2

disable plugin providing X25519 DH group and Ed25519 public key authentication

--disable-defaults

5.0.3

disable all features that are enabled by default. Basically it’s short for removing all options listed in this section.

--disable-des

disable default DES/3DES software implementation plugin

--disable-dnskey

disable DNS Resource Records key decoding plugin

--disable-drgb

5.8.2

disable the NIST Deterministic Random Bit Generator plugin

--disable-fips-prf

disable default FIPS PRF software implementation plugin

--disable-gcm

disable GCM AEAD wrapper crypto plugin (was disabled by default prior to 5.9.8)

--disable-gmp

disable default GNU Multi Precision based public key cryptography implementation plugin. Requires libgmp library.

--disable-hmac

disable default HMAC crypto implementation plugin

--disable-ikev1

disable IKEv1 protocol support in charon daemon

--disable-ikev2

disable IKEv2 protocol support in charon daemon

--disable-kdf

5.9.6

disable default KDF (prf+) implementation plugin

--disable-kernel-netlink

disable default Netlink kernel interface

--disable-load-warning

disable the charon plugin load option warning in starter

--disable-md5

disable default MD5 software implementation plugin

--disable-nonce

disable nonce generation plugin

--disable-pem

disable PEM decoding plugin

--disable-pgp

disable PGP key decoding plugin

--disable-pkcs1

disable PKCS#1 key decoding plugin

--disable-pkcs7

disable PKCS#7 container support plugin

--disable-pkcs8

disable PKCS#8 private key decoding plugin

--disable-pkcs12

5.1.0

disable PKCS#12 container support plugin

--disable-pki

5.2.0

disable pki public key and certificate utility

--disable-pubkey

disable default RAW public key support plugin

--disable-random

disable default RNG implementation using the raw /dev/[u]random devices

--disable-rc2

5.1.0

disable RC2 software implementation plugin

--disable-resolve

disable writing DNS information received via configuration payload to /etc/resolv.conf. This is a plugin for VPN clients only

--disable-revocation

disable X.509 CRL/OCSP revocation check plugin

--disable-scripts

disable the build of additional utilities found in scripts directory

--disable-sha1

disable default SHA-1 software implementation plugin

--disable-sha2

disable default SHA-256/SHA-384/SHA-512 software implementation plugin

--disable-socket-default

disable default socket implementation for charon daemon

--disable-sshkey

5.1.0

disable SSH key decoding plugin

--disable-stroke

disable legacy stroke configuration backend for charon daemon

--disable-swanctl

5.2.0

disable swanctl configuration and control tool

--disable-updown

disable updown firewall script plugin

--disable-vici

5.2.0

disable the Versatile IKE Control Interface (VICI) plugin for charon daemon

--disable-x509

disable default X.509 certificate implementation plugin

--disable-xauth-generic

disable generic XAauth backend

--disable-xcbc

disable default XCBC crypto implementation plugin

--with Options

Option Description [Default]

Option	Description [Default]
--with-capabilities=LIBCAP	set capability dropping library. Currently supported values are `libcap` and `native` [no]
--with-charon-udp-port=PORT	UDP port used by `charon` daemon locally. Set to `0` to allocate randomly. [`500`]
--with-charon-natt-port=PORT	UDP port used by `charon` daemon locally in case a NAT situation is detected (must be different from `charon-udp-port`). Set to `0` to allocate randomly. [`4500`]
--with-dbuspolicydir=DIR	directory for D-Bus policies for the NetworkManager backend `charon-nm`. [`/usr/share/dbus-1/system.d`]
--with-dev-headers=DIR	install strongSwan development headers to `DIR` []
--with-fips-mode=MODE	set OpenSSL FIPS mode: disabled (`0`), enabled (`1`), Suite B enabled (`2`). [`0`]
--with-libfuzzer=FILE	`-fsanitize=fuzzer` or path to `libFuzzer.a`. A local driver is used if not specified
--with-group=GROUP	change group of `charon` daemon to `GROUP` after startup. [`root`]
--with-imcvdir=IMCVDIR	set the installation path of `IMC` and `IMV` dynamic libraries. [`IPSECLIBDIR/imcvs`]
--with-ipsecdir=IPSECDIR	installation path for ipsec tools. [`LIBEXECDIR/ipsec`]
--with-ipseclibdir=IPSECLIBDIR	installation path for ipsec libraries `libstrongswan`, `libcharon`, etc. [`LIBDIR/ipsec`]
--with-ipsec-script=NAME	change the name of the ipsec script. [`ipsec`]
--with-linux-headers=DIR	linux header files to be used. [`../include`]
--with-mpz_powm_sec= YES\|NO	use the more side-channel resistant `mpz_powm_sec` in `libgmp` if available. [yes]
--with-nm-ca-dir=NMCADIR	directory the NetworkManager backend uses to look up trusted root certificates. [`/usr/share/ca-certificates`]
--with-piddir=DIR	path for PID and UNIX socket files. [`/var/run`]
--with-plugindir=PLUGINDIR	installation path for plugins. [`IPSECLIBDIR/plugins`]
--with-printf-hooks=IMPL	force the use of a specific printf()-hook implementation (auto, builtin, glibc, vstr). [`auto`]
--with-pythoneggdir=ARG	path to install python eggs to. [`main site-packages directory`]
--with-random-device=DEV	set the device for true random data. [`/dev/random`]
--with-resolv-conf=FILE	set the file to store DNS server information. [`SYSCONFDIR/resolv.conf`]
--with-routing-table=NUM	routing table for IPsec source routes (set to `0` to use default routing table). [`220`]
--with-routing-table-prio=PRIO	priority for IPsec routing table [`220`].
--with-rubygemdir=ARG	path to install ruby gems to. [`gem environment gemdir`]
--with-strongswan-conf=FILE	set the `strongswan.conf` file location. [`SYSCONFDIR/strongswan.conf`]
--with-systemdsystemunitdir=ARG	directory for systemd service files. [`pkg-config --variable=systemdsystemunitdir systemd`]
--with-swanctldir=ARG	`swanctl` directory for `swanctl.conf` configuration files and credentials. [`SYSCONFDIR/swanctl`]
--with-urandom-device=DEV	set the device for pseudo random data. [`/dev/urandom`]
--with-user=USER	change user of `charon` daemon to USER after startup. [`root`]

--with-capabilities=LIBCAP

set capability dropping library. Currently supported values are libcap and native [no]

--with-charon-udp-port=PORT

UDP port used by charon daemon locally. Set to 0 to allocate randomly. [500]

--with-charon-natt-port=PORT

UDP port used by charon daemon locally in case a NAT situation is detected (must be different from charon-udp-port). Set to 0 to allocate randomly. [4500]

--with-dbuspolicydir=DIR

directory for D-Bus policies for the NetworkManager backend charon-nm. [/usr/share/dbus-1/system.d]

--with-dev-headers=DIR

install strongSwan development headers to DIR []

--with-fips-mode=MODE

set OpenSSL FIPS mode: disabled (0), enabled (1), Suite B enabled (2). [0]

--with-libfuzzer=FILE

-fsanitize=fuzzer or path to libFuzzer.a. A local driver is used if not specified

--with-group=GROUP

change group of charon daemon to GROUP after startup. [root]

--with-imcvdir=IMCVDIR

set the installation path of IMC and IMV dynamic libraries. [IPSECLIBDIR/imcvs]

--with-ipsecdir=IPSECDIR

installation path for ipsec tools. [LIBEXECDIR/ipsec]

--with-ipseclibdir=IPSECLIBDIR

installation path for ipsec libraries libstrongswan, libcharon, etc. [LIBDIR/ipsec]

--with-ipsec-script=NAME

change the name of the ipsec script. [ipsec]

--with-linux-headers=DIR

linux header files to be used. [../include]

--with-mpz_powm_sec= YES|NO

use the more side-channel resistant mpz_powm_sec in libgmp if available. [yes]

--with-nm-ca-dir=NMCADIR

directory the NetworkManager backend uses to look up trusted root certificates. [/usr/share/ca-certificates]

--with-piddir=DIR

path for PID and UNIX socket files. [/var/run]

--with-plugindir=PLUGINDIR

installation path for plugins. [IPSECLIBDIR/plugins]

--with-printf-hooks=IMPL

force the use of a specific printf()-hook implementation (auto, builtin, glibc, vstr). [auto]

--with-pythoneggdir=ARG

path to install python eggs to. [main site-packages directory]

--with-random-device=DEV

set the device for true random data. [/dev/random]

--with-resolv-conf=FILE

set the file to store DNS server information. [SYSCONFDIR/resolv.conf]

--with-routing-table=NUM

routing table for IPsec source routes (set to 0 to use default routing table). [220]

--with-routing-table-prio=PRIO

priority for IPsec routing table [220].

--with-rubygemdir=ARG

path to install ruby gems to. [gem environment gemdir]

--with-strongswan-conf=FILE

set the strongswan.conf file location. [SYSCONFDIR/strongswan.conf]

--with-systemdsystemunitdir=ARG

directory for systemd service files. [pkg-config --variable=systemdsystemunitdir systemd]

--with-swanctldir=ARG

swanctl directory for swanctl.conf configuration files and credentials. [SYSCONFDIR/swanctl]

--with-urandom-device=DEV

set the device for pseudo random data. [/dev/urandom]

--with-user=USER

change user of charon daemon to USER after startup. [root]

Example

The following configuration example builds a strongSwan IKEv2 charon-systemd daemon supporting the authentication methods pubkey, psk, eap-md5 and eap-tls. All crypto functions are based on the openssl plugin. Private keys and X.509 certificates can be securely stored in a TPM 2.0 device. Additionally the swanctl and pki tools are built. Also support for the updown firewall script support is enabled.

./configure --prefix=/usr --sysconfdir=/etc --disable-defaults --enable-silent-rules  \
    --enable-charon --enable-systemd --enable-ikev2 --enable-vici --enable-swanctl    \
    --enable-nonce --enable-random --enable-drbg --enable-openssl --enable-curl       \
    --enable-pem --enable-x509 --enable-constraints --enable-revocation --enable-pki  \
    --enable-pubkey --enable-socket-default --enable-kernel-netlink --enable-resolve  \
    --enable-eap-identity --enable-eap-md5 --enable-eap-dynamic --enable-eap-tls      \
    --enable-updown --enable-tss-tss2 --enable-tpm

1. First strongSwan version to support this option

2. This disables any optimization, so it shouldn’t be enabled when building production releases

3. This is a plugin for VPN gateways only, serving internal DNS and WINS nameserver information