strongSwan plugins » History » Version 25

« Previous - Version 25/84 (diff) - Next » - Current version
Tobias Brunner, 02.07.2012 13:17
Updated for 5.0.0

strongSwan plugins

The strongSwan distribution ships with a growing list of plugins. This allows us to add extended and specialized features, but keep the core as small as possible.

Many components of strongSwan come with a set of plugins. The plugins for libstrongswan provide cryptographic backends, URI fetchers and database layers. The plugins of libhydra are usable by the IKE daemon charon (in earlier releases also by the IKEv1 daemon pluto) and starter. libcharon comes with a large set of very specialized plugins for specific needs.

Plugins for current releases

Plugin Name E S Description
E = Enabled by default
S = Plugin status: s = stable, e = experimental, d = under development/incomplete
libstrongswan plugins
aes x s AES-128/192/256 cipher software implementation
af-alg s AF_ALG Linux crypto API interface, provides ciphers/hashers/hmac/xcbc
agent s RSA private key backend connecting to SSH-Agent
blowfish s Blowfish cipher software implementation
ccm s CCM cipher mode wrapper
cmac s CMAC cipher mode wrapper
constraints x s X.509 certificate advanced constraint checking
ctr s CTR cipher mode wrapper
curl s libcurl based HTTP/FTP fetcher
des x s DES/3DES cipher software implementation
dnskey x s Parse RFC 4034 public keys
fips-prf x s PRF specified by FIPS, used by EAP-SIM/AKA algorithms
gcm s GCM cipher mode wrapper
gcrypt s Crypto backend based on libgcrypt, provides RSA/DH/ciphers/hashers/rng
gmp x s RSA/DH crypto backend based on libgmp
hmac x s HMAC wrapper using various hashers
ldap s LDAP fetching plugin based on libldap
md4 s MD4 hasher software implementation
md5 x s MD5 hasher software implementation
mysql s MySQL database backend based on libmysqlclient
openssl s Crypto backend based on OpenSSL, provides RSA/ECDSA/DH/ECDH/ciphers/hashers/HMAC/X.509/CRL/RNG
padlock e VIA padlock crypto backend, provides AES128/SHA1
pem x s PEM encoding/decoding routines
pgp x s PGP encoding/decoding routines
pkcs1 x s PKCS#1 encoding/decoding routines
pkcs8 x s PKCS#8 decoding routines
pkcs11 s PKCS#11 smartcard backend
pubkey x s Wrapper to handle raw public keys as trusted certificates
random x s RNG reading from /dev/[u]random
revocation x s X.509 CRL/OCSP revocation checking
sha1 x s SHA1 hasher software implementation
sha2 x s SHA256/SHA384/SHA512 hasher software implementation
soup s libsoup based HTTP fetcher
sqlite s SQLite database backend based on libsqlite3
test-vectors s Set of test vectors for various algorithms
x509 x s Advanced X.509 plugin for parsing/generating X.509 certificates/CRLs and OCSP messages
xcbc x s XCBC wrapper using various ciphers
libhydra plugins
attr x s Provides IKE attributes configured in strongswan.conf
attr-sql s Provides IKE attributes read from a database to peers
kernel-klips e IPsec kernel interface to an older KLIPS version
kernel-netlink x s IPsec/Networking kernel interface using Linux Netlink
kernel-pfkey e IPsec kernel interface using PF_KEY
kernel-pfroute e Networking kernel interface using PF_ROUTE
resolve x s Writes name servers received via IKE to a resolv.conf file or installs them via resolvconf(8)
libcharon plugins
addrblock s Narrow traffic selectors to RFC 3779 address blocks in X.509 certificates
android s Android configuration/control backend, works with Android strongSwan applet
certexpire s Export expiration dates of used certificates
coupling s Permanent peer certificate coupling
dhcp s Forward virtual IP address pool lookup to a DHCP server
duplicheck s Advanced duplicate checking with liveness test and notifications
eap-aka s Generic EAP-AKA protocol handler using different backends
eap-aka-3gpp2 s EAP-AKA backend implementing standard 3GPP2 algorithm in software
eap-gtc s EAP-GTC protocol handler authenticating against PAM
eap-identity s EAP-Identity identity exchange algorithm, to use with other EAP protocols
eap-md5 s EAP-MD5 protocol handler using passwords
eap-mschapv2 s EAP-MSCHAPv2 protocol handler using passwords/NT hashes
eap-peap s EAP-PEAP protocol handler, wraps other EAP methods securely
eap-radius s EAP server proxy plugin forwarding EAP conversations to a RADIUS server
eap-sim s Generic EAP-SIM protocol handler using different backends
eap-sim-file s EAP-SIM backend reading triplets from a file
eap-sim-pcsc s EAP-SIM backend based on a PC/SC smartcard reader
eap-simaka-pseudonym s EAP-SIM/AKA in-memory pseudonym identity database
eap-simaka-reauth s EAP-SIM/AKA in-memory reauthentication identity database
eap-simaka-sql s EAP-SIM/AKA backend reading triplets/quintuplets from a SQL database
eap-tls s EAP-TLS protocol handler, to authenticate with certificates in EAP
eap-tnc s EAP-TNC protocol handler, Trusted Network Connect in a TLS tunnel
eap-ttls s EAP-TTLS protocol handler, wraps other EAP methods securely
farp s Fakes ARP responses for requests to a virtual IP address assigned to a peer
ha s High-Availability clustering
led s Let Linux LED subsystem LEDs blink on IKE activity
load-tester s Perform IKE load tests against self or a gateway
maemo e Maemo 5 configuration/control backend, works with Maemo strongSwan applet
medcli d Web interface based mediation client interface
medsrv d Web interface based mediation server interface
radattr s Plugin to inject and process custom RADIUS attributes as IKEv2 client
smp d XML based strongSwan Management Protocol
socket-default * s Default socket implementation for IKE messages, enabled if pluto disabled
socket-dynamic e Dynamic binding socket implementation, capable of sending IKE messages on any port
socket-raw * s RAW socket allowing charon to run parallel with pluto, enabled if pluto enabled
sql s SQL configuration backend reading configurations/credentials from a database
stroke x s Stroke configuration/control backend, to use with ipsec script and starter
tnccs-11 s Trusted Network Connect protocol version 1.1
tnccs-20 s Trusted Network Connect protocol version 2.0
tnccs-dynamic s Trusted Network Connect Dynamic protocol discovery
tnc-ifmap s Trusted Network Connect IF-MAP 2.0 client
tnc-imc s Trusted Network Connect Integrity Measurement Collectors
tnc-imv s Trusted Network Connect Integrity Measurement Validators
tnc-pdp s Trusted Network Connect Policy Decision Point with RADIUS server interface
uci d OpenWRT UCI configuration backend
unit-tests d Unit tests to run during daemon startup
updown x s Shell script invocation during tunnel up/down events
whitelist s Check authenticated identities against a whitelist
xauth-eap s XAuth backend that uses EAP methods to verify passwords (since 5.0.0)
xauth-generic x s Generic XAuth backend that provides passwords from ipsec.secrets and other credential sets (since 5.0.0)

Removed plugins

Plugin Name E S Description
pluto plugins
xauth x s XAUTH authentication (removed with 5.0.0)
libcharon plugins
nm s NetworkManager configuration/control backend, works with NetworkManager strongSwan applet. Contained in a separate executable since 5.0.0