1d3ec1fc7f
Strongswan allows[1] to run the IKE charon daemon as non-root (defaults to running as root) user/group, so let's allow that. [1] https://docs.strongswan.org/docs/latest/install/reducedPrivileges.html#_running_strongswan_as_non_root Signed-off-by: Quentin Schulz <quentin.schulz@cherry.de> Signed-off-by: Julien Olivain <ju.o@free.fr>
229 lines
6.6 KiB
Plaintext
229 lines
6.6 KiB
Plaintext
comment "strongswan needs a toolchain w/ threads, dynamic library"
|
|
depends on BR2_USE_MMU
|
|
depends on BR2_TOOLCHAIN_HAS_ATOMIC
|
|
depends on !BR2_TOOLCHAIN_HAS_THREADS || BR2_STATIC_LIBS
|
|
|
|
menuconfig BR2_PACKAGE_STRONGSWAN
|
|
bool "strongswan"
|
|
depends on BR2_USE_MMU # fork()
|
|
depends on BR2_TOOLCHAIN_HAS_THREADS
|
|
depends on BR2_TOOLCHAIN_HAS_ATOMIC
|
|
depends on !BR2_STATIC_LIBS
|
|
help
|
|
strongSwan is an OpenSource IPsec implementation for the
|
|
Linux operating system. It is based on the discontinued
|
|
FreeS/WAN project and the X.509 patch.
|
|
|
|
The focus is on:
|
|
- simplicity of configuration
|
|
- strong encryption and authentication methods
|
|
- powerful IPsec policies supporting large and complex
|
|
VPN networks
|
|
|
|
strongSwan provide many plugins. Only a few are presented
|
|
here.
|
|
|
|
http://www.strongswan.org/
|
|
|
|
if BR2_PACKAGE_STRONGSWAN
|
|
|
|
choice
|
|
prompt "Cryptographic backend"
|
|
default BR2_PACKAGE_STRONGSWAN_GMP
|
|
|
|
config BR2_PACKAGE_STRONGSWAN_BOTAN
|
|
bool "botan"
|
|
depends on BR2_PACKAGE_BOTAN_ARCH_SUPPORTS
|
|
depends on BR2_INSTALL_LIBSTDCPP
|
|
depends on BR2_TOOLCHAIN_GCC_AT_LEAST_10 # botan
|
|
select BR2_PACKAGE_BOTAN
|
|
|
|
comment "botan backend needs a toolchain w/ C++, gcc >= 10"
|
|
depends on !BR2_INSTALL_LIBSTDCPP \
|
|
|| !BR2_TOOLCHAIN_GCC_AT_LEAST_10
|
|
depends on BR2_PACKAGE_BOTAN_ARCH_SUPPORTS
|
|
|
|
config BR2_PACKAGE_STRONGSWAN_OPENSSL
|
|
bool "OpenSSL"
|
|
select BR2_PACKAGE_OPENSSL
|
|
|
|
config BR2_PACKAGE_STRONGSWAN_GCRYPT
|
|
bool "libgcrypt"
|
|
depends on BR2_PACKAGE_LIBGPG_ERROR_ARCH_SUPPORTS # libgcrypt
|
|
select BR2_PACKAGE_LIBGCRYPT
|
|
|
|
config BR2_PACKAGE_STRONGSWAN_GMP
|
|
bool "GNU MP (libgmp)"
|
|
select BR2_PACKAGE_GMP
|
|
|
|
config BR2_PACKAGE_STRONGSWAN_WOLFSSL
|
|
bool "wolfssl"
|
|
select BR2_PACKAGE_WOLFSSL
|
|
select BR2_PACKAGE_WOLFSSL_ALL
|
|
|
|
endchoice
|
|
|
|
config BR2_PACKAGE_STRONGSWAN_AF_ALG
|
|
bool "Enable AF_ALG crypto interface to Linux Crypto API"
|
|
|
|
config BR2_PACKAGE_STRONGSWAN_CURL
|
|
bool "Enable CURL fetcher plugin to fetch files via libcurl"
|
|
select BR2_PACKAGE_LIBCURL
|
|
|
|
config BR2_PACKAGE_STRONGSWAN_MD4
|
|
bool "Enable MD4 hash algorithm"
|
|
|
|
config BR2_PACKAGE_STRONGSWAN_DROP_CAPS
|
|
bool "Drop unneeded capabilities after initialization"
|
|
select BR2_PACKAGE_LIBCAP
|
|
help
|
|
strongSwan supports capability dropping. The IKE charon daemon
|
|
is started as root and most of its privileges are dropped
|
|
immediately.
|
|
After the daemon has been initialized, further unneeded
|
|
capabilities are dropped.
|
|
|
|
config BR2_PACKAGE_STRONGSWAN_CHARON
|
|
bool "Enable the IKEv1/IKEv2 keying daemon charon"
|
|
default y
|
|
|
|
if BR2_PACKAGE_STRONGSWAN_CHARON
|
|
|
|
config BR2_PACKAGE_STRONGSWAN_TNCCS_11
|
|
bool "Enable TNCCS 1.1 protocol module"
|
|
select BR2_PACKAGE_LIBXML2
|
|
|
|
config BR2_PACKAGE_STRONGSWAN_TNCCS_20
|
|
bool "Enable TNCCS 2.0 protocol module"
|
|
|
|
config BR2_PACKAGE_STRONGSWAN_TNCCS_DYNAMIC
|
|
bool "Enable dynamic TNCCS protocol discovery module"
|
|
|
|
config BR2_PACKAGE_STRONGSWAN_SYSTIME_FIX
|
|
bool "Enable systime-fix plugin"
|
|
|
|
config BR2_PACKAGE_STRONGSWAN_EAP_SIM
|
|
bool "Enable EAP-SIM"
|
|
default y if BR2_PACKAGE_STRONGSWAN_EAP # legacy
|
|
|
|
config BR2_PACKAGE_STRONGSWAN_EAP_SIM_FILE
|
|
bool "Enable EAP-SIM file backend"
|
|
default y if BR2_PACKAGE_STRONGSWAN_EAP # legacy
|
|
select BR2_PACKAGE_STRONGSWAN_EAP_SIM
|
|
|
|
config BR2_PACKAGE_STRONGSWAN_EAP_SIM_PCSC
|
|
bool "Enable EAP-SIM smart card backend"
|
|
depends on !BR2_STATIC_LIBS # pcsc-lite
|
|
depends on BR2_TOOLCHAIN_GCC_AT_LEAST_4_9 # pcsc-lite
|
|
select BR2_PACKAGE_PCSC_LITE
|
|
select BR2_PACKAGE_STRONGSWAN_EAP_SIM
|
|
|
|
comment "EAP-SIM smart backend needs a toolchain w/ dynamic library, gcc >= 4.9"
|
|
depends on BR2_STATIC_LIBS || !BR2_TOOLCHAIN_GCC_AT_LEAST_4_9
|
|
|
|
config BR2_PACKAGE_STRONGSWAN_EAP_AKA
|
|
bool "Enable EAP-AKA"
|
|
default y if BR2_PACKAGE_STRONGSWAN_EAP # legacy
|
|
|
|
config BR2_PACKAGE_STRONGSWAN_EAP_AKA_3GPP2
|
|
bool "Enable EAP-AKA 3GPP2 algorithms"
|
|
default y if BR2_PACKAGE_STRONGSWAN_EAP # legacy
|
|
select BR2_PACKAGE_GMP
|
|
select BR2_PACKAGE_STRONGSWAN_EAP_AKA
|
|
|
|
config BR2_PACKAGE_STRONGSWAN_EAP_SIMAKA_SQL
|
|
bool "Enable EAP-SIM/AKA backend based on a triplet/quintuplet SQL database"
|
|
default y if BR2_PACKAGE_STRONGSWAN_EAP # legacy
|
|
select BR2_PACKAGE_STRONGSWAN_EAP_AKA
|
|
select BR2_PACKAGE_STRONGSWAN_EAP_SIM
|
|
|
|
config BR2_PACKAGE_STRONGSWAN_EAP_SIMAKA_PSEUDONYM
|
|
bool "Enable EAP-SIM/AKA pseudonym storage"
|
|
default y if BR2_PACKAGE_STRONGSWAN_EAP # legacy
|
|
select BR2_PACKAGE_STRONGSWAN_EAP_AKA
|
|
select BR2_PACKAGE_STRONGSWAN_EAP_SIM
|
|
|
|
config BR2_PACKAGE_STRONGSWAN_EAP_SIMAKA_REAUTH
|
|
bool "Enable EAP-SIM/AKA reauthentication data storage"
|
|
default y if BR2_PACKAGE_STRONGSWAN_EAP # legacy
|
|
select BR2_PACKAGE_STRONGSWAN_EAP_AKA
|
|
select BR2_PACKAGE_STRONGSWAN_EAP_SIM
|
|
|
|
config BR2_PACKAGE_STRONGSWAN_EAP_IDENTITY
|
|
bool "Enable EAP-Identity"
|
|
default y if BR2_PACKAGE_STRONGSWAN_EAP # legacy
|
|
|
|
config BR2_PACKAGE_STRONGSWAN_EAP_MD5
|
|
bool "Enable EAP-MD5"
|
|
default y if BR2_PACKAGE_STRONGSWAN_EAP # legacy
|
|
|
|
config BR2_PACKAGE_STRONGSWAN_EAP_GTC
|
|
bool "Enable EAP-GDC"
|
|
default y if BR2_PACKAGE_STRONGSWAN_EAP # legacy
|
|
|
|
config BR2_PACKAGE_STRONGSWAN_EAP_MSCHAPV2
|
|
bool "Enable EAP-MSCHAPv2"
|
|
default y if BR2_PACKAGE_STRONGSWAN_EAP # legacy
|
|
select BR2_PACKAGE_STRONGSWAN_MD4
|
|
|
|
config BR2_PACKAGE_STRONGSWAN_EAP_PEAP
|
|
bool "Enable EAP-PEAP"
|
|
default y if BR2_PACKAGE_STRONGSWAN_EAP # legacy
|
|
|
|
config BR2_PACKAGE_STRONGSWAN_EAP_RADIUS
|
|
bool "Enable EAP-RADIUS"
|
|
default y if BR2_PACKAGE_STRONGSWAN_EAP # legacy
|
|
|
|
config BR2_PACKAGE_STRONGSWAN_EAP_TLS
|
|
bool "Enable EAP-TLS"
|
|
default y if BR2_PACKAGE_STRONGSWAN_EAP # legacy
|
|
|
|
config BR2_PACKAGE_STRONGSWAN_EAP_TTLS
|
|
bool "Enable EAP-TTLS"
|
|
default y if BR2_PACKAGE_STRONGSWAN_EAP # legacy
|
|
|
|
config BR2_PACKAGE_STRONGSWAN_EAP_DYNAMIC
|
|
bool "Enable EAP-DYNAMIC"
|
|
default y if BR2_PACKAGE_STRONGSWAN_EAP # legacy
|
|
|
|
config BR2_PACKAGE_STRONGSWAN_EAP_TNC
|
|
bool "Enable EAP-TNC"
|
|
default y if BR2_PACKAGE_STRONGSWAN_EAP # legacy
|
|
|
|
config BR2_PACKAGE_STRONGSWAN_UNITY
|
|
bool "Enables Cisco Unity extension plugin"
|
|
|
|
config BR2_PACKAGE_STRONGSWAN_STROKE
|
|
bool "Enable charons stroke configuration backend"
|
|
default y
|
|
|
|
config BR2_PACKAGE_STRONGSWAN_SQL
|
|
bool "Enable SQL database configuration backend"
|
|
depends on BR2_PACKAGE_SQLITE || BR2_PACKAGE_MARIADB
|
|
|
|
config BR2_PACKAGE_STRONGSWAN_BYPASS_LAN
|
|
bool "Enable BYPASS-LAN plugin"
|
|
|
|
config BR2_PACKAGE_STRONGSWAN_NONROOT
|
|
bool "Run as non-root"
|
|
help
|
|
This allows running the IKE charon daemon as the non-root
|
|
user/group charon/charon.
|
|
endif
|
|
|
|
config BR2_PACKAGE_STRONGSWAN_PKI
|
|
bool "Enable pki certificate utility"
|
|
default y
|
|
|
|
config BR2_PACKAGE_STRONGSWAN_SCRIPTS
|
|
bool "Enable additional utilities (found in scripts directory)"
|
|
default y
|
|
depends on BR2_PACKAGE_STRONGSWAN_CHARON
|
|
|
|
config BR2_PACKAGE_STRONGSWAN_VICI
|
|
bool "Enable vici/swanctl"
|
|
default y
|
|
depends on BR2_PACKAGE_STRONGSWAN_CHARON
|
|
|
|
endif
|