strongSwan source code study 2: libgcrypt

Source: Internet   Editor: 程序博客网   Time: 2024/06/08 11:48

strongSwan supports libgcrypt as a crypto backend. Example No. 3 on the strongSwan website requires libcurl, libgcrypt and libgmp to be installed.

  • libgcrypt installation

libgcrypt depends on libgpg-error. First download libgpg-error and libgcrypt.

ftp> open ftp.gnupg.org
Connected to ftp.gnupg.org.
220-Welcome hacker!
220-.
220-This is the FTP server of the GnuPG project.  Please send problem reports
220-to ftpmaster@gnupg.org after having checked the gnupg-users mailing list
220-archive at http://lists.gnupg.org/pipermail/gnupg-users/ for known problems.
220-.
220-Housing and traffic is sponsored by OpenIT GmbH.
220-.
220-The server contains cryptographic software and its use might be illegal in
220-your country.  However, as far as we know, only a very few countries have
220-restrictions on the use of cryptographic software.
220-.
220 Service ready for new user.
Name (ftp.gnupg.org:***): anonymous        (anonymous login)
331 Send e-mail address as password.
Password:
230 User logged in, proceed.
Remote system type is UNIX.
ftp> cd gcrypt/libgpg-error
250-The package libgpg-error contains common error codes and error handling
250-functions used by GnuPG, Libgcrypt, GPGME and more packages.
250 Directory change successful.
ftp> passive        (passive mode)
Passive mode on.
ftp> binary        (BINARY mode)
200 Command okay.
ftp> get libgpg-error-1.12.tar.bz2
local: libgpg-error-1.12.tar.bz2 remote: libgpg-error-1.12.tar.bz2
227 Entering Passive Mode (217,69,76,55,156,84).
150 About to open data connection.
226 File transfer complete.
489266 bytes received in 9.86 secs (48.5 kB/s)
ftp> cd ..
250-This directory is used as FTP site for GNU crypto software and
250-related stuff.
250-.
250-US laws place restrictions on the export of defense articles, which
250-includes some types of cryptographic software; this is the reason
250-that such software is not available from ftp.gnu.org
250-.
250-It is legal however, to export such software into the US.
250-.
250-Please contact <ftpmaster@gnupg.org> it you have any problems with
250-this site.
250-.
250-Software available here:
250-.
250-    gnupg/               The GNU Privacy Guard
250-    libgpg-error/        Common error codes for GnuPG, Libgcrypt etc.
250-    gpgme/               GnuPG Made Easy library
250-    pinentry/            Tool to enter a passphrase securely
250-    libgcrypt/           General purpose low-level crypto library
250-    libassuan/           The IPC library used by GnuPG
250-    npth/                The New GNU Portable Threads Library
250-    dirmngr/             A daemon to manage CRLs and LDAP queries for GnuPG.
250-    gnu-crypt/           GNU Crypto for the classpathx Java libraries
250-    egd/                 Entropy Gathering Daemon
250-    lsh/                 A Secure Shell v2 implementation (work in progress)
250-
250-    alpha/               Current development versions
250-    binary/              Compiled versions for MS Windows.
250-    contrib/             Other software and more translation files.
250-    historic/            Historic versions.  Also includes the content of
250-                         the old devel/ and pgpgpg/ directories.
250-.
250-See http://www.gnupg.org for further information.
250-.
250-The programs GnuPG and Libgcrypt hosted here are Free Software packages of
250-the GNU Project.  We call them Free Software because you are free to copy
250-and redistribute them, following the rules stated in the license of each
250-package.  For more information, see
250-http://www.gnu.org/philosophy/free-sw.html.
250-.
250-If you are looking for service or support for this software, see
250-http://www.gnupg.org/service.html .
250-.
250-If you would like to contribute to the development of one of these
250-packages, contact the package maintainer or the bug-reporting address
250-of the package (which should be listed in the package itself), or look
250-on www.gnu.org for more information on how to contribute.
250-.
250 Directory change successful.
ftp> cd libgcrypt
250-This is the stable version of Libgcrypt.
250-For devlopment versions see ../alpha/libgcrypt/.
250 Directory change successful.
ftp> get libgcrypt-1.6.0.tar.bz2
local: libgcrypt-1.6.0.tar.bz2 remote: libgcrypt-1.6.0.tar.bz2
227 Entering Passive Mode (217,69,76,55,158,239).
150 About to open data connection.
226 File transfer complete.
2499149 bytes received in 51.68 secs (47.2 kB/s)
ftp> close
221 Service closing control connection.
ftp> bye

 

After the downloads finish, install libgpg-error and then libgcrypt. Anonymous FTP gives no integrity guarantee for what arrives, so before unpacking, check each tarball against the detached signature published next to it (for example gpg --verify libgcrypt-1.6.0.tar.bz2.sig libgcrypt-1.6.0.tar.bz2, with the GnuPG release-signing key in your keyring), or at least against a checksum obtained from a second source.

****** Extracting xxx.tar.bz2 files ******

bzip2 -d xxx.tar.bz2
tar -xvf xxx.tar

or

tar -xjvf xxx.tar.bz2

******************************************

bzip2 -d libgpg-error-1.12.tar.bz2
tar -xvf libgpg-error-1.12.tar
bzip2 -d libgcrypt-1.6.0.tar.bz2
tar -xvf libgcrypt-1.6.0.tar

For libgpg-error and libgcrypt, follow the build instructions for libgpg-error-1.12 and libgcrypt-1.6.0 reproduced below:

libgpg-error-1.12 installation:

Install libgpg-error by running the following commands:

./configure --prefix=/usr --disable-static &&
make

To test the results, issue: make check.

Now, as the root user:

make install &&
install -v -m644 -D README /usr/share/doc/libgpg-error-1.12/README

libgcrypt-1.6.0 installation (only the commands highlighted in red in the original post were run in the experiment):

Install libgcrypt by running the following commands:

./configure --prefix=/usr &&
make

Only info documentation is shipped in the package tarball. If you wish to build alternate formats of the documentation (you must have texlive-20130530 installed to build the PDF and PostScript documentation), then issue the following commands:

make -C doc pdf ps html &&
makeinfo --html --no-split -o doc/gcrypt_nochunks.html doc/gcrypt.texi &&
makeinfo --plaintext       -o doc/gcrypt.txt           doc/gcrypt.texi

To test the results, issue: make check.

Now, as the root user:

make install &&
install -v -dm755   /usr/share/doc/libgcrypt-1.6.0 &&
install -v -m644    README doc/{README.apichanges,fips*,libgcrypt*} \
                    /usr/share/doc/libgcrypt-1.6.0

If you built the additional documentation, install it by issuing the following commands as the root user:

install -v -dm755   /usr/share/doc/libgcrypt-1.6.0/html &&
install -v -m644 doc/gcrypt.html/* \
                    /usr/share/doc/libgcrypt-1.6.0/html &&
install -v -m644 doc/gcrypt_nochunks.html \
                    /usr/share/doc/libgcrypt-1.6.0 &&
install -v -m644 doc/gcrypt.{pdf,ps,dvi,txt,texi} \
                    /usr/share/doc/libgcrypt-1.6.0
  • libgmp installation

Before installing libgmp, install m4 (a macro processing language) and build-essential (the informational list of build-essential packages).

sudo apt-get install m4
sudo apt-get install build-essential

Download gmp-x.x.x.tar.bz2 from the GMP website and install it; the experiment used gmp-5.1.3.tar.bz2. Only make install needs root; configure, make and make check should run as the normal user:

tar -xjvf gmp-5.1.3.tar.bz2
cd gmp-5.1.3
./configure --enable-cxx
make
make check
sudo make install
  • libcurl installation

wget http://curl.haxx.se/download/curl-7.22.0.tar.gz
tar -zxvf curl-7.22.0.tar.gz
cd curl-7.22.0
./configure
make
sudo make install
  • strongSwan installation

wget http://download.strongswan.org/strongswan-4.6.4.tar.bz2
tar xjvf strongswan-4.6.4.tar.bz2
cd strongswan-4.6.4
./configure --prefix=/usr --sysconfdir=/etc --enable-gcrypt --enable-curl --disable-pluto
make
sudo make install
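The build procedure above, from the FTP download through strongSwan's make install, unpacks five tarballs without any integrity check and mixes root and non-root steps. The script below is an added example and not part of the original post or of any of the projects it builds: it verifies each tarball's SHA-256 (and its detached GnuPG signature when one sits next to it and gpg is installed) before unpacking, runs configure, make and make check unprivileged and only make install under sudo, in dependency order. The SHA_* variables are this example's assumption, placeholders the operator sets from the upstream release announcements; the tarball names, prefixes and configure flags are the page's own.

```shell
#!/bin/sh
# Added example, not from the original post or from any of the projects it
# builds: verify each source tarball before unpacking it, then build the
# libraries in dependency order (libgpg-error -> libgcrypt -> gmp -> curl ->
# strongSwan). The SHA_* variables are placeholders the operator sets from the
# upstream release announcements; tarball names and configure flags are the
# page's own.
set -eu

# sha256_of FILE: hex digest, using whichever tool the host has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_and_extract TARBALL EXPECTED_SHA256
# Unpacks into the current directory only if the digest matches; a detached
# GnuPG signature next to the tarball is checked as well when gpg is present
# (the signing key must already be in the keyring for that to pass).
verify_and_extract() {
    tarball=$1
    expected=$2
    actual=$(sha256_of "$tarball")
    if [ "$actual" != "$expected" ]; then
        echo "REJECT $tarball: sha256 $actual does not match $expected" >&2
        return 1
    fi
    if [ -f "$tarball.sig" ] && command -v gpg >/dev/null 2>&1; then
        gpg --verify "$tarball.sig" "$tarball" || return 1
    fi
    case "$tarball" in
        *.tar.bz2) tar -xjf "$tarball" ;;
        *.tar.gz)  tar -xzf "$tarball" ;;
        *) echo "unknown archive type: $tarball" >&2; return 1 ;;
    esac
}

# build_package SRCDIR [CONFIGURE_ARGS...]
# configure, make and make check run as the invoking user; only the install
# step writes under the prefix, so only it runs under sudo.
build_package() {
    srcdir=$1
    shift
    ( cd "$srcdir" && ./configure "$@" && make && make check && sudo make install )
}

# The order is fixed: libgcrypt's configure needs libgpg-error installed, and
# strongSwan's configure needs gmp, libgcrypt and curl installed.
build_all() {
    verify_and_extract libgpg-error-1.12.tar.bz2 "$SHA_LIBGPG_ERROR"
    build_package libgpg-error-1.12 --prefix=/usr --disable-static
    verify_and_extract libgcrypt-1.6.0.tar.bz2 "$SHA_LIBGCRYPT"
    build_package libgcrypt-1.6.0 --prefix=/usr
    verify_and_extract gmp-5.1.3.tar.bz2 "$SHA_GMP"
    build_package gmp-5.1.3 --enable-cxx
    verify_and_extract curl-7.22.0.tar.gz "$SHA_CURL"
    build_package curl-7.22.0
    verify_and_extract strongswan-4.6.4.tar.bz2 "$SHA_STRONGSWAN"
    build_package strongswan-4.6.4 --prefix=/usr --sysconfdir=/etc \
        --enable-gcrypt --enable-curl --disable-pluto
}

# "sh build-deps.sh build" runs the whole chain; sourcing the file only
# defines the functions.
if [ "${1:-}" = "build" ]; then
    build_all
fi
```

Run it as sh build-deps.sh build in the directory holding the tarballs, with the SHA_* variables exported; sourcing the file only defines the functions, which is how the rejection path can be exercised on a throwaway archive before trusting it with real ones.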

  • Experiment

Setup:

Ubuntu3 (virtual machine): Ubuntu 12.04 LTS (32-bit), IP 192.168.31.132

Ubuntu4 (virtual machine): Ubuntu 12.04 LTS (32-bit), IP 192.168.31.133

Configuring Ubuntu3:

Configure /etc/ipsec.secrets. The PSK "chu" is a lab placeholder only: a pre-shared key can be attacked offline, so in real use generate a long random secret and keep the file readable by root alone (mode 0600).

 

192.168.31.132 : PSK "chu"

Configure /etc/ipsec.conf. Note that strongSwan was built with --disable-pluto above, so the plutodebug and plutostart settings have no effect; only the IKEv2 daemon charon runs, which the log further down confirms. The host-to-host connection also leaves keyexchange and the ike=/esp= proposals at their defaults, which is acceptable for a lab but should be pinned explicitly anywhere else.

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
    # plutodebug=all
    # crlcheckinterval=600
    # strictcrlpolicy=yes
    # cachecrls=yes
    # nat_traversal=yes
    # charonstart=no
    # plutostart=no
    plutodebug=all
        charondebug="ike 4"
        charonstart=yes
        plutostart=yes

# Add connections here.

# Sample VPN connections

#conn sample-self-signed
#      left=%defaultroute
#      leftsubnet=10.1.0.0/16
#      leftcert=selfCert.der
#      leftsendcert=never
#      right=192.168.0.2
#      rightsubnet=10.2.0.0/16
#      rightcert=peerCert.der
#      auto=start

#conn sample-with-ca-cert
#      left=%defaultroute
#      leftsubnet=10.1.0.0/16
#      leftcert=myCert.pem
#      right=192.168.0.2
#      rightsubnet=10.2.0.0/16
#      rightid="C=CH, O=Linux strongSwan CN=peer name"
#      keyexchange=ikev2
#      auto=start

conn host-to-host
    left=192.168.31.133
    right=192.168.31.132
    type=transport
    authby=secret
    auto=start

Configure /etc/strongswan.conf. The load line is what pulls in the gcrypt plugin; the filelog section at default = 4 is debugging output and is discussed below.

# strongswan.conf - strongSwan configuration file

charon {

    # number of worker threads in charon
    threads = 16

    # send strongswan vendor ID?
    # send_vendor_id = yes

    load = curl pem pkcs1 gcrypt x509 revocation hmac xcbc stroke kernel-netlink socket-default updown

    plugins {

        sql {
            # loglevel to log into sql database
            loglevel = -1

            # URI to the database
            # database = sqlite:///path/to/file.db
            # database = mysql://user:password@localhost/database
        }
    }

    filelog {
            /var/log/strongswan.log {
                time_format = %b %e %T
                append = no
                default = 4
                flush_line = yes
            }
        }

    # ...
}

pluto {

}

libstrongswan {

    #  set to no, the DH exponent size is optimized
    #  dh_exponent_ansi_x9_42 = no
}

Configure Ubuntu4 in the same way. Restart the daemon with ipsec restart and inspect the log file (/var/log/strongswan.log); the excerpt below was taken on the host with address 192.168.31.133, that is, Ubuntu4. Two things stand out in it. First, 'gcrypt' appears among the loaded plugins, which is what this experiment set out to verify. Second, with the file log at level 4 charon writes the loaded PSK into the log as hex bytes: the line secret: 63:68:75 is exactly "chu", so at that level anyone who can read the log file can read the pre-shared key. Lower the level before running this outside the lab.

Jan 12 17:36:50 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.6.4)
Jan 12 17:36:50 00[LIB] plugin 'curl': loaded successfully
Jan 12 17:36:50 00[LIB] plugin 'pem': loaded successfully
Jan 12 17:36:50 00[LIB] plugin 'pkcs1': loaded successfully
Jan 12 17:36:50 00[LIB] plugin 'gcrypt': loaded successfully
Jan 12 17:36:50 00[LIB] plugin 'x509': loaded successfully
Jan 12 17:36:50 00[LIB] plugin 'revocation': loaded successfully
Jan 12 17:36:50 00[LIB] plugin 'hmac': loaded successfully
Jan 12 17:36:50 00[LIB] plugin 'xcbc': loaded successfully
Jan 12 17:36:50 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Jan 12 17:36:50 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Jan 12 17:36:50 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Jan 12 17:36:50 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Jan 12 17:36:50 00[CFG] loading crls from '/etc/ipsec.d/crls'
Jan 12 17:36:50 00[CFG] loading secrets from '/etc/ipsec.secrets'
Jan 12 17:36:50 00[CFG]   loaded IKE secret for 192.168.31.133
Jan 12 17:36:50 00[CFG]   secret: 63:68:75
Jan 12 17:36:50 00[LIB] plugin 'stroke': loaded successfully
Jan 12 17:36:50 00[LIB] plugin 'kernel-netlink': loaded successfully
Jan 12 17:36:50 00[KNL] listening on interfaces:
Jan 12 17:36:50 00[KNL]   eth0
Jan 12 17:36:50 00[KNL]     192.168.31.133
Jan 12 17:36:50 00[KNL]     fe80::20c:29ff:feb9:b29c
Jan 12 17:36:50 00[LIB] plugin 'socket-default': loaded successfully
Jan 12 17:36:50 00[LIB] plugin 'updown': loaded successfully
Jan 12 17:36:50 00[DMN] loaded plugins: curl pem pkcs1 gcrypt x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
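The configuration above has two weaknesses that the log makes visible: the pre-shared key is the three-letter word "chu", and because the file log runs at level 4 charon writes that key into /var/log/strongswan.log as hex bytes (63:68:75). The script below is an added example and not part of the original post or of strongSwan: it decodes what the log leaked, audits a copy of ipsec.secrets and strongswan.conf for file mode, PSK length and log level, and generates a replacement PSK written into a file that is mode 0600 from the moment it exists. Paths are passed as arguments so it can run against copies; the 32-character minimum and the "level above 1" threshold are this example's policy choices, not strongSwan defaults.

```shell
#!/bin/sh
# Added example, not from the original post or strongSwan: audit the lab
# configuration for a weak PSK and a log level that leaks it, decode what
# charon already wrote to the log, and mint a replacement secret.
set -eu

# hex_to_ascii "63:68:75" -> "chu". charon logs loaded secrets as
# colon-separated hex bytes at log level 4; this shows what that leaks.
hex_to_ascii() {
    for byte in $(printf '%s' "$1" | tr ':' ' '); do
        # %03o turns the byte into an octal escape that printf understands
        printf "\\$(printf '%03o' "0x$byte")"
    done
}

# leaked_secrets LOGFILE: every "secret: xx:xx:.." line, decoded, one per line.
leaked_secrets() {
    sed -n 's/.*secret: \([0-9a-f:]*\).*/\1/p' "$1" | while read -r hex; do
        hex_to_ascii "$hex"
        printf '\n'
    done
}

# audit_config SECRETS_FILE STRONGSWAN_CONF: prints one FINDING line per
# problem and returns 1 if there were any. Thresholds (32 characters, log
# level 1) are this example's policy, not strongSwan defaults.
audit_config() {
    secrets=$1
    conf=$2
    findings=0

    # 1. ipsec.secrets holds the PSK in clear; only root may read it.
    mode=$(stat -c '%a' "$secrets" 2>/dev/null || stat -f '%Lp' "$secrets")
    case "$mode" in
        600|400) ;;
        *) echo "FINDING: $secrets has mode $mode, expected 600"
           findings=$((findings + 1)) ;;
    esac

    # 2. A PSK is an offline-attackable password; a dictionary word like "chu"
    #    is no better than no authentication. Require 32+ characters.
    short=$(sed -n 's/.*PSK "\([^"]*\)".*/\1/p' "$secrets" \
            | awk 'length($0) < 32 { n++ } END { print n + 0 }')
    if [ "$short" -gt 0 ]; then
        echo "FINDING: $short PSK(s) shorter than 32 characters in $secrets"
        findings=$((findings + short))
    fi

    # 3. filelog "default = 4" is what put the PSK into the log above.
    level=$(sed -n 's/^[[:space:]]*default[[:space:]]*=[[:space:]]*\([0-9-]*\).*/\1/p' "$conf" | head -n 1)
    if [ -n "$level" ] && [ "$level" -gt 1 ]; then
        echo "FINDING: filelog default level $level in $conf; level 4 logs secrets, keep it at 1"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}

# new_psk: 32 bytes from the kernel RNG as 64 hex characters.
new_psk() {
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# write_secrets FILE PEER_ID PSK: umask 077 in a subshell means the file is
# created 0600, so there is no window in which it is world-readable.
write_secrets() {
    ( umask 077; printf '%s : PSK "%s"\n' "$2" "$3" > "$1" )
}
```

Running audit_config /etc/ipsec.secrets /etc/strongswan.conf on the lab hosts as configured above reports three findings (mode, PSK length, log level); after write_secrets with a new_psk value on both peers and default = 1 in the filelog section it reports none. leaked_secrets /var/log/strongswan.log tells you which old keys must be treated as compromised, since the log file has already held them in clear.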