strongSwan plugins » History » Version 25
Tobias Brunner, 02.07.2012 13:17
Updated for 5.0.0
strongSwan plugins
The strongSwan distribution ships with a growing list of plugins. This allows us to add extended and specialized features while keeping the core as small as possible.
Many components of strongSwan come with a set of plugins. The plugins for libstrongswan provide cryptographic backends, URI fetchers and database layers. The plugins of libhydra are usable by the IKE daemon charon (in earlier releases also by the IKEv1 daemon pluto) and starter. libcharon comes with a large set of very specialized plugins for specific needs.
Plugins for current releases
Column legend: E = enabled by default; S = plugin status (s = stable, e = experimental, d = under development/incomplete).

libstrongswan plugins

| Plugin Name | E | S | Description |
| --- | --- | --- | --- |
| aes | x | s | AES-128/192/256 cipher software implementation |
| af-alg | | s | AF_ALG Linux crypto API interface, provides ciphers/hashers/hmac/xcbc |
| agent | | s | RSA private key backend connecting to SSH-Agent |
| blowfish | | s | Blowfish cipher software implementation |
| ccm | | s | CCM cipher mode wrapper |
| cmac | | s | CMAC cipher mode wrapper |
| constraints | x | s | X.509 certificate advanced constraint checking |
| ctr | | s | CTR cipher mode wrapper |
| curl | | s | libcurl based HTTP/FTP fetcher |
| des | x | s | DES/3DES cipher software implementation |
| dnskey | x | s | Parse RFC 4034 public keys |
| fips-prf | x | s | PRF specified by FIPS, used by EAP-SIM/AKA algorithms |
| gcm | | s | GCM cipher mode wrapper |
| gcrypt | | s | Crypto backend based on libgcrypt, provides RSA/DH/ciphers/hashers/rng |
| gmp | x | s | RSA/DH crypto backend based on libgmp |
| hmac | x | s | HMAC wrapper using various hashers |
| ldap | | s | LDAP fetching plugin based on libldap |
| md4 | | s | MD4 hasher software implementation |
| md5 | x | s | MD5 hasher software implementation |
| mysql | | s | MySQL database backend based on libmysqlclient |
| openssl | | s | Crypto backend based on OpenSSL, provides RSA/ECDSA/DH/ECDH/ciphers/hashers/HMAC/X.509/CRL/RNG |
| padlock | | e | VIA padlock crypto backend, provides AES128/SHA1 |
| pem | x | s | PEM encoding/decoding routines |
| pgp | x | s | PGP encoding/decoding routines |
| pkcs1 | x | s | PKCS#1 encoding/decoding routines |
| pkcs8 | x | s | PKCS#8 decoding routines |
| pkcs11 | | s | PKCS#11 smartcard backend |
| pubkey | x | s | Wrapper to handle raw public keys as trusted certificates |
| random | x | s | RNG reading from /dev/[u]random |
| revocation | x | s | X.509 CRL/OCSP revocation checking |
| sha1 | x | s | SHA1 hasher software implementation |
| sha2 | x | s | SHA256/SHA384/SHA512 hasher software implementation |
| soup | | s | libsoup based HTTP fetcher |
| sqlite | | s | SQLite database backend based on libsqlite3 |
| test-vectors | | s | Set of test vectors for various algorithms |
| x509 | x | s | Advanced X.509 plugin for parsing/generating X.509 certificates/CRLs and OCSP messages |
| xcbc | x | s | XCBC wrapper using various ciphers |

libhydra plugins

| Plugin Name | E | S | Description |
| --- | --- | --- | --- |
| attr | x | s | Provides IKE attributes configured in strongswan.conf |
| attr-sql | | s | Provides IKE attributes read from a database to peers |
| kernel-klips | | e | IPsec kernel interface to an older KLIPS version |
| kernel-netlink | x | s | IPsec/Networking kernel interface using Linux Netlink |
| kernel-pfkey | | e | IPsec kernel interface using PF_KEY |
| kernel-pfroute | | e | Networking kernel interface using PF_ROUTE |
| resolve | x | s | Writes name servers received via IKE to a resolv.conf file or installs them via resolvconf(8) |

libcharon plugins

| Plugin Name | E | S | Description |
| --- | --- | --- | --- |
| addrblock | | s | Narrow traffic selectors to RFC 3779 address blocks in X.509 certificates |
| android | | s | Android configuration/control backend, works with Android strongSwan applet |
| certexpire | | s | Export expiration dates of used certificates |
| coupling | | s | Permanent peer certificate coupling |
| dhcp | | s | Forward virtual IP address pool lookup to a DHCP server |
| duplicheck | | s | Advanced duplicate checking with liveness test and notifications |
| eap-aka | | s | Generic EAP-AKA protocol handler using different backends |
| eap-aka-3gpp2 | | s | EAP-AKA backend implementing standard 3GPP2 algorithm in software |
| eap-gtc | | s | EAP-GTC protocol handler authenticating against PAM |
| eap-identity | | s | EAP-Identity identity exchange algorithm, to use with other EAP protocols |
| eap-md5 | | s | EAP-MD5 protocol handler using passwords |
| eap-mschapv2 | | s | EAP-MSCHAPv2 protocol handler using passwords/NT hashes |
| eap-peap | | s | EAP-PEAP protocol handler, wraps other EAP methods securely |
| eap-radius | | s | EAP server proxy plugin forwarding EAP conversations to a RADIUS server |
| eap-sim | | s | Generic EAP-SIM protocol handler using different backends |
| eap-sim-file | | s | EAP-SIM backend reading triplets from a file |
| eap-sim-pcsc | | s | EAP-SIM backend based on a PC/SC smartcard reader |
| eap-simaka-pseudonym | | s | EAP-SIM/AKA in-memory pseudonym identity database |
| eap-simaka-reauth | | s | EAP-SIM/AKA in-memory reauthentication identity database |
| eap-simaka-sql | | s | EAP-SIM/AKA backend reading triplets/quintuplets from a SQL database |
| eap-tls | | s | EAP-TLS protocol handler, to authenticate with certificates in EAP |
| eap-tnc | | s | EAP-TNC protocol handler, Trusted Network Connect in a TLS tunnel |
| eap-ttls | | s | EAP-TTLS protocol handler, wraps other EAP methods securely |
| farp | | s | Fakes ARP responses for requests to a virtual IP address assigned to a peer |
| ha | | s | High-Availability clustering |
| led | | s | Let Linux LED subsystem LEDs blink on IKE activity |
| load-tester | | s | Perform IKE load tests against self or a gateway |
| maemo | | e | Maemo 5 configuration/control backend, works with Maemo strongSwan applet |
| medcli | | d | Web interface based mediation client interface |
| medsrv | | d | Web interface based mediation server interface |
| radattr | | s | Plugin to inject and process custom RADIUS attributes as IKEv2 client |
| smp | | d | XML based strongSwan Management Protocol |
| socket-default | * | s | Default socket implementation for IKE messages, enabled if pluto disabled |
| socket-dynamic | | e | Dynamic binding socket implementation, capable of sending IKE messages on any port |
| socket-raw | * | s | RAW socket allowing charon to run parallel with pluto, enabled if pluto enabled |
| sql | | s | SQL configuration backend reading configurations/credentials from a database |
| stroke | x | s | Stroke configuration/control backend, to use with ipsec script and starter |
| tnccs-11 | | s | Trusted Network Connect protocol version 1.1 |
| tnccs-20 | | s | Trusted Network Connect protocol version 2.0 |
| tnccs-dynamic | | s | Trusted Network Connect Dynamic protocol discovery |
| tnc-ifmap | | s | Trusted Network Connect IF-MAP 2.0 client |
| tnc-imc | | s | Trusted Network Connect Integrity Measurement Collectors |
| tnc-imv | | s | Trusted Network Connect Integrity Measurement Validators |
| tnc-pdp | | s | Trusted Network Connect Policy Decision Point with RADIUS server interface |
| uci | | d | OpenWRT UCI configuration backend |
| unit-tests | | d | Unit tests to run during daemon startup |
| updown | x | s | Shell script invocation during tunnel up/down events |
| whitelist | | s | Check authenticated identities against a whitelist |
| xauth-eap | | s | XAuth backend that uses EAP methods to verify passwords (since 5.0.0) |
| xauth-generic | x | s | Generic XAuth backend that provides passwords from ipsec.secrets and other credential sets (since 5.0.0) |
Removed plugins

pluto plugins

| Plugin Name | E | S | Description |
| --- | --- | --- | --- |
| xauth | x | s | XAUTH authentication (removed with 5.0.0) |

libcharon plugins

| Plugin Name | E | S | Description |
| --- | --- | --- | --- |
| nm | | s | NetworkManager configuration/control backend, works with NetworkManager strongSwan applet. Contained in a separate executable since 5.0.0 |