strongSwan on macOS

The IKE charon daemon also runs on macOS.

Homebrew

strongSwan can be installed via Homebrew. The strongswan Formula makes installing and updating the current release very simple. The plugin configuration is most suitable for road-warrior access,i.e. plugins specifically designed for use on gateways are disabled (e.g. attr or eap-radius).

$ brew install strongswan

sudo is not required to install strongSwan but is later needed when running swanctl or charon-cmd.

Building from the Git Repository

It’s also possible to build strongSwan manually from the Git repository or a source tarball. Build dependencies can be installed via Homebrew or e.g. MacPorts.

When building from a tarball on macOS 11 or newer, it’s necessary to patch configure so libraries are built correctly. When building from the repository, a patched version of libtool can avoid that. Please refer to #683 for details.

Requirements

If you build from the Git repository the tools/packages listed in HACKING have to be installed. Depending on your plugin configuration, other packages may be required, such as the GMP library or a newer release of the OpenSSL library.

Building strongSwan

The regular installation instructions may be followed to build strongSwan. The following ./configure options are either required or recommended:

--disable-kernel-netlink

Required to disable the Linux-specific kernel interface

--enable-kernel-pfroute

Required to enable the interface to the macOS network stack

--enable-kernel-pfkey

Required to enable the interface to the macOS IPsec stack. Alternatively the --enable-kernel-libipsec option may be used to enable strongSwan’s userland IPsec implementation that provides support for AES-GCM (depending on plugin configuration) in IPsec processing which older macOS kernels don’t.

--disable-gmp
--enable-openssl

Recommended to avoid additional dependencies by using the system’s OpenSSL library instead of the GMP library for public key cryptography

--enable-osx-attr

Recommended to enable DNS server installation via SystemConfiguration

--disable-scripts

Required because these scripts are not fully portable

When building with Homebrew, it’s necessary to adjust environment variables such as PATH, ACLOCAL_PATH, PKG_CONFIG_PATH, CPPFLAGS and LDFLAGS depending on the libraries that are used. See the macos case in scripts/test.sh for details.

With MacPorts using --with-lib-prefix=/opt/local might be enough as all libraries and header files are located in /opt/local.

Native Application

We previously maintained a native application for macOS 10.7 and newer. It allowed easy road-warrior access in a similar fashion as the NetworkManager integration does on Linux.

With the availability of the standard IKEv1/IKEv2 client integration in more recent versions of macOS, we have decided that continuing maintenance of a native application build is no longer required. For information on using the integrated VPN client in macOS see Mac support.

It featured:

  • An easy to deploy unprivileged strongSwan.app, providing a simple graphical user interface to manage and initiate connections

  • Automatic installation of a privileged helper tool (IKE daemon)

  • Gateway/CA certificates get fetched from the macOS Keychain service

  • Currently supported are IKEv2 connections using EAP-MSCHAPv2 or EAP-MD5 client authentication

  • The app does not send certificate requests. So unless the gateway’s certificate is installed in the client’s Keychain, the server has to be configured with connections.<conn>.send_cert = always. Otherwise the client won’t have the gateway’s certificate available, causing the authentication to fail.

  • Requires a 64-bit Intel processor and OS X 10.7 or higher

Archived builds of strongSwan for OS X can be found on http://download.strongswan.org/osx.

Limitations

  • macOS 10.5 doesn’t provide any means (e.g. IP_PKTINFO or IP_SENDSRCADDR) to set the source address of IPv4 UDP packets sent over wildcard sockets. This could be a problem for multihomed gateways.

  • The kernel-pfroute interface lacks some final tweaks to fully support MOBIKE. Due to a limitation of the macOS kernel (IPsec SAs can’t be updated if an IP address changes) IPsec SAs have to be rekeyed instead of updated with a simple MOBIKE message.