Autoconf Options
Please note: This page documents the ./configure
options for the latest
strongSwan release. Therefore, you should always use
./configure --help
to check which options are actually available for the release you are using.
--dir options
Some directories can be configure through --with options.
Option | Default | Description |
---|---|---|
--prefix=PREFIX |
|
where to put installation. Most Linux distributions use |
--libexecdir=LIBEXECDIR |
|
program executables |
--libdir=LIBDIR |
|
shared libraries |
--sysconfdir=SYSCONFDIR |
|
where to put configuration files. We strongly recommend |
--enable Options
The plugin list provides more information on specific plugins.
Option | Since[1] | Description |
---|---|---|
--enable-acert |
5.1.3 |
enable X.509 attribute certificate checking plugin |
enable RFC 3779 address block constraint support plugin |
||
--enable-aes |
enable AES software implementation plugin |
|
--enable-aesni |
5.3.1 |
enable Intel AES-NI crypto plugin |
--enable-af-alg |
enable AF_ALG crypto interface to Linux Crypto API |
|
--enable-agent |
enable ssh-agent signing plugin |
|
--enable-aikgen |
5.2.0 |
enable AIK generator for TPM 1.2 |
--enable-all |
5.1.3 |
enable all optional plugins and features (they can be disabled with their respective --disable options). Mainly intended for testing |
--enable-android |
enable Android specific plugin |
|
--enable-android-log |
enable Android specific logger plugin |
|
--enable-asan |
5.9.8 |
enable build with AddressSanitizer (ASan) |
enable SQL-based configuration attributes. This is a plugin for VPN gateways only, serving virtual IP addresses |
||
--enable-bfd-backtraces |
5.0.1 |
use binutil’s libbfd to resolve backtraces for memory leaks and segfaults |
--enable-blowfish |
enable Blowfish software implementation plugin |
|
--enable-botan |
5.7.0 |
enable Botan crypto plugin. Requires Botan 2.8.0 or newer |
5.5.2 |
enable plugin to automatically install bypass policies for local subnets |
|
--enable-ccm |
enable CCM AEAD wrapper crypto plugin |
|
--enable-chapoly |
5.3.3 |
enables the ChaCha20/Poly1305 AEAD plugin |
5.9.12 |
enable automatic certificate enrollment via EST or SCEP |
|
5.9.12 |
enable installation of cert-enroll as a systemd timer |
|
enable CSV export of expiration dates of used certificates |
||
--enable-cmd |
5.1.0 |
enable command line IKE client charon-cmd |
--enable-conftest |
enable IKE conformance test framework |
|
5.3.0 |
enable conntrack based marks to select return path SA |
|
--enable-curve25519 |
5.5.2 |
enable plugin providing X25519 DH group and Ed25519 public key authentication |
5.6.1 |
enable plugin that collects several performance counters |
|
enable IKEv2 plugin to couple peer certificates permanently to authentication |
||
--enable-coverage |
5.1.0 |
enable lcov coverage report generation[2] |
--enable-ctr |
enable counter mode wrapper crypto plugin |
|
enable plugin to fetch files (CRL/OCSP) via |
||
--enable-dbghelp-backtraces |
5.2.0 |
use dbghlp.dll on Windows to create and print backtraces for memory leaks and segfaults |
--enable-des |
enable DES/3DES software implementation plugin |
|
enable DHCP based attribute provider plugin |
||
--enable-dnscert |
5.1.1 |
enable plugin authenticating peers based on DNS CERT resource records protected by DNSSEC |
enable advanced duplicate checking plugin using liveness checks |
||
--enable-eap-aka |
enable EAP AKA authentication plugin |
|
--enable-eap-aka-3gpp |
5.6.0 |
enable EAP AKA backend plugin implementing 3GPP MILENAGE algorithms in software |
--enable-eap-aka-3gpp2 |
enable EAP AKA backend plugin implementing 3GPP2 algorithms in software.
Requires |
|
5.0.1 |
enable dynamic EAP proxy plugin |
|
enable EAP GTC authentication plugin |
||
--enable-eap-identity |
enable EAP plugin providing EAP-Identity helper |
|
--enable-eap-md5 |
build EAP MD5 (CHAP) authentication plugin |
|
--enable-eap-mschapv2 |
enable EAP MS-CHAPv2 authentication plugin |
|
--enable-eap-peap |
enable EAP PEAP authentication plugin |
|
enable RADIUS proxy authentication plugin for EAP |
||
--enable-eap-sim |
enable EAP-SIM authentication plugin |
|
--enable-eap-sim-file |
enable EAP-SIM backend based on a triplets file |
|
--enable-eap-sim-pcsc |
enable EAP-SIM backend based on a smartcard reader.
Requires |
|
--enable-eap-simaka-pseudonym |
enable EAP-SIM/AKA pseudonym storage |
|
--enable-eap-simaka-reauth |
enable EAP-SIM/AKA reauthentication data storage |
|
enable EAP-SIM/AKA backend based on a triplet/quintuplet SQL database |
||
enable EAP TLS authentication plugin |
||
--enable-eap-tnc |
enable EAP TNC trusted network connect plugin |
|
--enable-eap-ttls |
enable EAP TTLS authentication plugin |
|
5.0.2 |
enable error notification plugin |
|
5.2.1 |
enable plugin calling an external authorization script |
|
enable ARP faking plugin that responds to ARP requests for virtual IPs assigned to peers |
||
--enable-fast |
build |
|
--enable-files |
5.3.0 |
enable simple |
--enable-fips-prf |
enable FIPS PRF software implementation plugin. Required for |
|
5.3.0 |
enable plugin that forwards broadcast/multicast messages |
|
5.5.3 |
enable fuzzing scripts (found in directory |
|
--enable-gcm |
enable GCM AEAD wrapper crypto plugin |
|
--enable-gcrypt |
enable gcrypt plugin. Requires the GNU libgcrypt library |
|
--enable-git-version |
use output of |
|
--enable-gmp |
enable GNU Multi Precision based public key cryptography
implementation plugin. Requires |
|
--enable-hmac |
enable HMAC crypto implementation plugin |
|
enable high availability cluster plugin |
||
--enable-imc-attestation |
enable TNC Attestation IMC |
|
--enable-imc-hcd |
5.3.3 |
enable TNC Hardcopy Device Integrity (HCD) IMC |
--enable-imc-os |
enable TNC Operating System (OS) IMC |
|
--enable-imc-scanner |
enable TNC Port Scanner IMC |
|
--enable-imc-swima |
5.6.0 |
enable TNC SWIMA IMC |
--enable-imc-test |
enable TNC Test IMC |
|
--enable-imv-attestation |
||
--enable-imv-hcd |
5.3.3 |
enable TNC Hardcopy Device Integrity (HCD) IMV |
--enable-imv-os |
enable TNC Operating System (OS) IMV |
|
--enable-imv-scanner |
enable TNC Port Scanner IMV |
|
--enable-imv-swima |
5.6.0 |
enable TNC SWIMA IMV |
--enable-imv-test |
enable TNC Test IMV |
|
--enable-integrity-test |
enable integrity testing of the daemon, libraries and loaded plugins |
|
--enable-ipseckey |
5.0.3 |
enable authentication plugin authenticatomg peers based on IPSECKEY DNS resource records protected by DNSSEC |
5.2.0 |
enable Windows IP Helper based networking backend |
|
5.1.0 |
enable |
|
--enable-kernel-pfkey |
enable PF_KEYv2 NETKEY kernel interface |
|
--enable-kernel-pfroute |
enable PF_ROUTE kernel interface. Required for FreeBSD and Mac OSX |
|
5.2.0 |
enable Windows Filtering Platform IPsec backend |
|
--enable-keychain |
5.1.0 |
enable macOS Keychain Services credential set |
--enable-libipsec |
enable user space IPsec implementation |
|
--enable-ldap |
enable LDAP fetcher to fetch files (CRLs) from an LDAP server. Requires OpenLDAP |
|
--enable-leak-detective |
enable malloc hooks to find memory leaks |
|
--enable-led |
enable plugin to control LEDs on IKEv2 activity using the Linux kernel LED subsystem |
|
enable load testing plugin for IKEv2 daemon |
||
--enable-lock-profiler |
enable lock/mutex profiling code |
|
--enable-log-thread-ids |
5.4.0 |
use thread ID if available instead of an incremented value starting from 1 to identify threads |
enable fast virtual IP lookup and notification plugin |
||
--enable-manager |
build the deprecated strongSwan manager web application |
|
--enable-md4 |
enable MD4 software implementation plugin. Required for |
|
--enable-md5 |
enable MD5 software implementation plugin |
|
--enable-medcli |
enable deprecated mediation client web front end and daemon plugin |
|
--enable-mediation |
enable IKEv2 Mediation Extension |
|
--enable-medsrv |
enable deprecated mediation server web front end and daemon plugin |
|
--enable-mgf1 |
5.5.1 |
enable MGF1 software implementation plugin |
--enable-ml |
6.0.0 |
enable Module-Lattice-based crypto (ML-KEM) plugin |
--enable-monolithic |
build monolithic versions of |
|
--enable-mysql |
enable MySQL database support. Requires |
|
--enable-nm |
enable NetworkManager backend |
|
5.9.12 |
enable OCSP responder accessing OpenXPKI MySQL/MariaDB certificate database |
|
--enable-osx-attr |
5.1.0 |
enable macOS SystemConfiguration attribute handler |
--enable-p-cscf |
5.4.0 |
enable plugin to request P-CSCF server addresses from an ePDG (RFC 7651) |
--enable-padlock |
enable padlock crypto plugin. Requires a VIA Padlock crypto engine |
|
--enable-perl-cpan |
5.4.0 |
enable build of provided perl CPAN modules e.g. for the
|
--enable-perl-cpan-install |
5.4.0 |
enable installation of provided CPAN modules |
enable PKCS#11 crypto token support plugin |
||
--enable-pkcs12 |
5.1.0 |
enable PKCS#12 container support plugin |
--enable-python-eggs |
5.3.0 |
enable build of provided python eggs e.g. for the
|
--enable-python-eggs-install |
5.3.1 |
enable local installation of provided python eggs |
enable plugin to inject and process custom RADIUS attributes as IKEv2 client |
||
--enable-rc2 |
5.1.0 |
enable RC2 software implementation plugin. Required for |
--enable-rdrand |
enable Intel RDRAND random generator plugin |
|
--enable-ruby-gems |
5.2.1 |
enable build of provided ruby gems e.g. for the
|
--enable-ruby-gems-install |
5.3.1 |
enable local installation of provided ruby gems |
5.6.2 |
enable development/debugging plugin that saves IKE and ESP keys in Wireshark format |
|
5.9.6 |
enable SELinux support for labeled IPsec and the selinux plugin |
|
--enable-sha1 |
enable SHA-1 software implementation plugin |
|
--enable-sha2 |
enable SHA-256/SHA-384/SHA-512 software implementation plugin |
|
--enable-sha3 |
5.3.4 |
enable SHA3 and SHAKE software implementation plugin |
--enable-smp |
enable deprecated XML configuration and control interface. Requires
|
|
--enable-socket-dynamic |
enable dynamic socket implementation for charon |
|
5.2.0 |
enable Winsock2 based socket implementation for
|
|
--enable-soup |
enable fetcher plugin to fetch from HTTP URIs. Requires |
|
enable SQL database configuration backend |
||
--enable-sqlite |
enable SQLite database support. Requires |
|
--enable-stroke |
enable legacy |
|
--enable-svc |
5.2.0 |
enable charon Windows service |
--enable-systemd |
5.2.1 |
enable |
5.0.3 |
enable plugin to handle cert lifetimes with invalid system time gracefully |
|
enable crypto test vectors plugin |
||
--enable-tkm |
5.0.3 |
enable |
--enable-tnccs-11 |
enable TNC Client Server (TNCCS) 1.1 protocol plugin.
Requires |
|
--enable-tnccs-20 |
enable TNC Client Server (TNCCS) 2.0 protocol plugin |
|
--enable-tnccs-dynamic |
enable TNC Client Server (TNCCS) dynamic protocol discovery plugin |
|
--enable-tnc-ifmap |
enable TNC IF-MAP 2.0 client plugin |
|
--enable-tnc-imc |
enable TNC Integrity Measurement Collector (IMC) manager plugin |
|
--enable-tnc-imv |
enable TNC Integrity Measurement Validator (IMV) manager plugin |
|
--enable-tnc-pdp |
enable TNC Policy Decision Point plugin plugin |
|
5.5.2 |
enable plugin to access persistent RSA and ECDSA private keys bound to Trusted Platform Module 2.0 |
|
--enable-tss-trousers |
5.5.0 |
enable TPM 1.2 TrouSerS library. Requires |
--enable-tss-tss2 |
5.5.0 |
enable TPM 2.0 TSS2 library. Requires |
--enable-uci |
enable OpenWRT UCI configuration plugin |
|
--enable-unbound |
DNSSEC-enabled resolver plugin based on libunbound |
|
enable Cisco Unity extension plugin |
||
--enable-unwind-backtraces |
5.1.0 |
use libunwind to create backtraces for memory leaks and segfaults |
--enable-warnings |
5.9.7 |
enable extended compiler warnings and -Werror (auto-enabled when building from the repository) |
enable peer identity whitelisting plugin |
||
5.2.0 |
enable WinHTTP based HTTP/HTTPS fetching plugin |
|
--enable-wolfssl |
5.8.0 |
enable wolfSSL crypto plugin. Requires |
enable XAuth backend using EAP methods to verify password |
||
5.0.3 |
enable XAuth pseudo-backend that does not actually verify or even request any credentials |
|
enable XAuth backend using PAM to verify passwords |
--disable Options
The plugin list provides more information on specific plugins.
Option | Since[1] | Description |
---|---|---|
disable |
||
--disable-charon |
disable the build of the IKEv1/IKEv2 keying |
|
--disable-cmac |
disable CMAC crypto implementation plugin |
|
disable advanced X.509 constraint checking plugin |
||
--disable-defaults |
5.0.3 |
disable all features that are enabled by default. Basically it’s short for removing all options listed in this section. |
--disable-dnskey |
disable DNS Resource Records key decoding plugin |
|
--disable-drgb |
5.8.2 |
disable the NIST Deterministic Random Bit Generator plugin |
--disable-ikev1 |
disable IKEv1 protocol support in |
|
--disable-ikev2 |
disable IKEv2 protocol support in |
|
--disable-kdf |
5.9.6 |
disable default KDF (prf+) implementation plugin |
--disable-kernel-netlink |
disable default Netlink kernel interface |
|
--disable-load-warning |
disable the |
|
--disable-nonce |
disable nonce generation plugin |
|
--disable-openssl |
disable default OpenSSL crypto plugin. Requires the |
|
--disable-pem |
disable PEM decoding plugin |
|
--disable-pgp |
disable PGP key decoding plugin |
|
--disable-pkcs1 |
disable PKCS#1 key decoding plugin |
|
--disable-pkcs7 |
disable PKCS#7 container support plugin |
|
--disable-pkcs8 |
disable PKCS#8 private key decoding plugin |
|
5.2.0 |
disable |
|
--disable-pubkey |
disable default RAW public key support plugin |
|
--disable-random |
disable default RNG implementation using the raw |
|
disable writing DNS information received via configuration payload to
|
||
--disable-revocation |
disable X.509 CRL/OCSP revocation check plugin |
|
--disable-scripts |
disable the build of additional utilities found in |
|
--disable-socket-default |
disable default socket implementation for |
|
--disable-sshkey |
5.1.0 |
disable SSH key decoding plugin |
5.2.0 |
disable |
|
disable updown firewall script plugin |
||
5.2.0 |
disable the Versatile IKE Control Interface (VICI)
plugin for |
|
--disable-x509 |
disable default X.509 certificate implementation plugin |
|
--disable-xauth-generic |
disable generic XAauth backend |
|
--disable-xcbc |
disable default XCBC crypto implementation plugin |
--with Options
Option | Description [Default] |
---|---|
--with-capabilities=LIBCAP |
set capability dropping library. Currently supported values are |
--with-charon-udp-port=PORT |
UDP port used by |
--with-charon-natt-port=PORT |
UDP port used by |
--with-dbuspolicydir=DIR |
directory for D-Bus policies for the
NetworkManager backend |
--with-dev-headers=DIR |
install strongSwan development headers to |
--with-fips-mode=MODE |
set OpenSSL FIPS mode: disabled ( |
--with-libfuzzer=FILE |
|
--with-group=GROUP |
change group of |
--with-imcvdir=IMCVDIR |
set the installation path of |
--with-ipsecdir=IPSECDIR |
installation path for ipsec tools. [ |
--with-ipseclibdir=IPSECLIBDIR |
installation path for ipsec libraries |
--with-ipsec-script=NAME |
change the name of the ipsec script. [ |
--with-linux-headers=DIR |
linux header files to be used. [ |
--with-mpz_powm_sec= YES|NO |
use the more side-channel resistant |
--with-nm-ca-dir=NMCADIR |
directory the NetworkManager backend uses to look up trusted root certificates.
[ |
--with-piddir=DIR |
path for PID and UNIX socket files. [ |
--with-plugindir=PLUGINDIR |
installation path for plugins. [ |
--with-printf-hooks=IMPL |
force the use of a specific printf()-hook implementation
(auto, builtin, glibc, vstr). [ |
--with-pythoneggdir=ARG |
path to install python eggs to. [ |
--with-random-device=DEV |
set the device for true random data. [ |
--with-resolv-conf=FILE |
set the file to store DNS server information. [ |
--with-routing-table=NUM |
routing table for IPsec source routes (set to |
--with-routing-table-prio=PRIO |
priority for IPsec routing table [ |
--with-rubygemdir=ARG |
path to install ruby gems to. [ |
--with-strongswan-conf=FILE |
set the |
--with-systemdsystemunitdir=ARG |
directory for systemd service files.
[ |
--with-swanctldir=ARG |
|
--with-urandom-device=DEV |
set the device for pseudo random data. [ |
--with-user=USER |
change user of |
Example
The following configuration example builds a strongSwan IKEv2
charon-systemd
daemon supporting the
authentication methods pubkey
, psk
, eap-md5
and eap-tls
.
All crypto functions are based on the openssl
plugin. Private keys and
X.509 certificates can be securely stored in a TPM 2.0
device. Additionally the swanctl
and
pki
tools are built. Also support for the
updown
firewall script support is enabled.
./configure --prefix=/usr --sysconfdir=/etc --disable-defaults --enable-silent-rules \ --enable-charon --enable-systemd --enable-ikev2 --enable-vici --enable-swanctl \ --enable-nonce --enable-random --enable-drbg --enable-openssl --enable-curl \ --enable-pem --enable-x509 --enable-constraints --enable-revocation --enable-pki \ --enable-pubkey --enable-socket-default --enable-kernel-netlink --enable-resolve \ --enable-eap-identity --enable-eap-md5 --enable-eap-dynamic --enable-eap-tls \ --enable-updown --enable-tss-tss2 --enable-tpm