strongSwan on macOS
strongSwan can be installed via Homebrew. The
strongswan Formula makes
installing and updating the current release very simple. The plugin configuration
is most suitable for road-warrior access,i.e. plugins specifically designed for
use on gateways are disabled (e.g.
$ brew install strongswan
sudo is not required to install strongSwan but is later needed when running
Building from the Git Repository
It’s also possible to build strongSwan manually from the Git repository or a source tarball. Build dependencies can be installed via Homebrew or e.g. MacPorts.
|When building from a tarball on macOS 11 or newer, it’s necessary to patch configure so libraries are built correctly. When building from the repository, a patched version of libtool can avoid that. Please refer to #683 for details.|
If you build from the Git repository the tools/packages listed in
HACKING have to be installed. Depending on
your plugin configuration, other packages may be required, such as the GMP library
or a newer release of the OpenSSL library.
The regular installation instructions may be followed
to build strongSwan. The following
options are either required or recommended:
Required to disable the Linux-specific kernel interface
Required to enable the interface to the macOS network stack
Required to enable the interface to the macOS IPsec stack. Alternatively the
Recommended to avoid additional dependencies by using the system’s OpenSSL library instead of the GMP library for public key cryptography
Recommended to enable DNS server installation via
Required because these scripts are not fully portable
When building with Homebrew, it’s necessary to adjust environment variables such
depending on the libraries that are used. See the
macos case in
scripts/test.sh for details.
With MacPorts using
--with-lib-prefix=/opt/local might be enough as all
libraries and header files are located in
We previously maintained a native application for macOS 10.7 and newer. It allowed easy road-warrior access in a similar fashion as the NetworkManager integration does on Linux.
With the availability of the standard IKEv1/IKEv2 client integration in more
recent versions of macOS, we have decided that continuing maintenance of a native
application build is no longer required. For information on using the integrated
VPN client in
macOS see Mac support.
An easy to deploy unprivileged strongSwan.app, providing a simple graphical user interface to manage and initiate connections
Automatic installation of a privileged helper tool (IKE daemon)
Gateway/CA certificates get fetched from the macOS Keychain service
Currently supported are IKEv2 connections using EAP-MSCHAPv2 or EAP-MD5 client authentication
The app does not send certificate requests. So unless the gateway’s certificate is installed in the client’s Keychain, the server has to be configured with
connections.<conn>.send_cert = always. Otherwise the client won’t have the gateway’s certificate available, causing the authentication to fail.
Requires a 64-bit Intel processor and OS X 10.7 or higher
Archived builds of strongSwan for OS X can be found on http://download.strongswan.org/osx.
macOS 10.5 doesn’t provide any means (e.g.
IP_SENDSRCADDR) to set the source address of IPv4 UDP packets sent over wildcard sockets. This could be a problem for multihomed gateways.
kernel-pfrouteinterface lacks some final tweaks to fully support MOBIKE. Due to a limitation of the macOS kernel (IPsec SAs can’t be updated if an IP address changes) IPsec SAs have to be rekeyed instead of updated with a simple MOBIKE message.