strongSwan on FreeBSD
Starting with FreeBSD 11, IPsec is now enabled in the kernel by default. However, if you need NAT Traversal you will still have to enable the
IPSEC_NAT_Toption and build your own kernel (see below).
FreeBSD 11.1 and above now has NAT-T included as well and GENERIC kernel will work.
In versions older than FreeBSD 11.0 the generic kernel does not come with IPsec support enabled. So you will have to compile your own kernel.
Since FreeBSD 8, the NAT Traversal patch is included in the kernel sources, so you don’t have to apply any patches yourself if you need that feature.
Basic documentation on how to build a custom kernel can be found in the FreeBSD Handbook. To enable IPsec you’ll need to add the following options to your kernel configuration file:
options IPSEC device crypto
You can verify that your kernel has IPsec support using the following command which should print a list of ipsec specific kernel state.
/sbin/sysctl -a | grep ipsec
If you need NAT Traversal, add the following option to your kernel config:
The easiest way to install strongSwan on FreeBSD is to use the security/strongswan port
cd /usr/ports/security/strongswan/ && make install clean
or to install the binary package with
pkg install strongswan
or in earlier FreeBSD releases with
pkg_add -r strongswan
Our test-system was installed using the Developer and Kern-Developer distributions
sysinstall. So there are maybe additional packages required on your system.
The packages required to build strongSwan are as follows:
libgmp(optional, depending on configuration)
openssl(optional, depending on configuration)
./configure --enable-kernel-pfkey --enable-kernel-pfroute --disable-kernel-netlink \ --disable-scripts --with-group=wheel
Because there is currently no way to change the IP addresses of an installed
IPsec SA in the FreeBSD kernel,
IPsec SAs are rekeyed when a client’s IP
address changes. This discussion on the FreeBSD forums has more on