strongSwan plugins » History » Version 59

Martin Willi, 13.04.2015 09:00

h1. strongSwan plugins

The strongSwan distribution ships with an ever growing list of plugins. This lets us add extended and specialized features while keeping the core as small as possible.

Many components of strongSwan come with a set of plugins. The plugins for libstrongswan provide cryptographic backends, URI fetchers and database layers. The plugins of libhydra are usable by the IKE daemon charon (in earlier releases also by the IKEv1 daemon pluto) and starter. libcharon comes with a large set of very specialized plugins for specific needs.

h2. Plugins for current releases

|*Plugin Name*          |*E*|*S*|*Description*|
|\4. _E = Enabled by default (plugins can be enabled/disabled using their respective [[AutoConf|./configure options]])_
_S = Plugin status: s = stable, e = experimental, d = under development/incomplete_ |
|\4(level1).*libstrongswan plugins*|
|acert                                    | |s|Support of X.509 attribute certificates (since [[5.1.3]])|
|aes                                      |x|s|AES-128/192/256 cipher software implementation|
|af-alg                                   | |s|AF_ALG Linux crypto API interface, provides ciphers/hashers/hmac/xcbc|
|agent                                    | |s|RSA/ECDSA private key backend connecting to SSH-Agent|
|[[BLISS|bliss]]                          | |s|Bimodal Lattice Signature Scheme (BLISS) post-quantum computer signature scheme (since [[5.2.2]])|
|blowfish                                 | |s|Blowfish cipher software implementation|
|ccm                                      | |s|CCM cipher mode wrapper|
|cmac                                     |x|s|CMAC cipher mode wrapper|
|[[ConstraintsPlugin|constraints]]        |x|s|X.509 certificate advanced constraint checking|
|ctr                                      | |s|CTR cipher mode wrapper|
|[[curl]]                                 | |s|libcurl based HTTP/FTP fetcher|
|des                                      |x|s|DES/3DES cipher software implementation|
|dnskey                                   |x|s|Parse "RFC 4034":http://tools.ietf.org/html/rfc4034 public keys|
|files                                    | |s|Fetcher for local file:// URIs (since version:5.3.0)|
|fips-prf                                 |x|s|PRF specified by FIPS, used by EAP-SIM/AKA algorithms|
|gcm                                      | |s|GCM cipher mode wrapper|
|gcrypt                                   | |s|Crypto backend based on libgcrypt, provides RSA/DH/ciphers/hashers/rng|
|gmp                                      |x|s|RSA/DH crypto backend based on libgmp|
|hmac                                     |x|s|HMAC wrapper using various hashers|
|keychain                                 | |e|Mac OS X Keychain Services credential set (since [[5.1.0]])|
|ldap                                     | |s|LDAP fetching plugin based on libldap|
|md4                                      | |s|MD4 hasher software implementation|
|md5                                      |x|s|MD5 hasher software implementation|
|mysql                                    | |s|MySQL database backend based on libmysqlclient|
|nonce                                    |x|s|Default nonce generation plugin (since [[5.0.0]])|
|[[NTRU|ntru]]                            | |s|Key exchange based on post-quantum computer NTRU encryption (since [[5.1.2]])|
|openssl                                  | |s|Crypto backend based on OpenSSL, provides RSA/ECDSA/DH/ECDH/ciphers/hashers/HMAC/X.509/CRL/RNG|
|padlock                                  | |e|VIA padlock crypto backend, provides AES128/SHA1|
|pem                                      |x|s|PEM encoding/decoding routines|
|pgp                                      |x|s|PGP encoding/decoding routines|
|pkcs1                                    |x|s|PKCS#1 encoding/decoding routines|
|pkcs7                                    |x|s|PKCS#7 encoding/decoding routines|
|pkcs8                                    |x|s|PKCS#8 decoding routines|
|[[PKCS11Plugin|pkcs11]]                  | |s|PKCS#11 smartcard backend|
|pkcs12                                   |x|s|PKCS#12 decoding routines (since [[5.1.0]])|
|pubkey                                   |x|s|Wrapper to handle raw public keys as trusted certificates|
|random                                   |x|s|RNG reading from /dev/[u]random|
|rc2                                      |x|s|RC2 cipher software implementation (since [[5.1.0]])|
|rdrand                                   | |e|High quality / high performance random source using the Intel _rdrand_ instruction found on Ivy Bridge processors (since [[5.0.2]])|
|revocation                               |x|s|X.509 CRL/OCSP revocation checking|
|sha1                                     |x|s|SHA1 hasher software implementation|
|sha2                                     |x|s|SHA256/SHA384/SHA512 hasher software implementation|
|soup                                     | |s|libsoup based HTTP fetcher|
|sqlite                                   | |s|SQLite database backend based on libsqlite3|
|sshkey                                   |x|s|SSH key decoding routines (since [[5.1.0]])|
|[[CryptoTest|test-vectors]]              | |s|Set of test vectors for various algorithms|
|unbound                                  | |s|DNSSEC enabled resolver using libunbound (since [[5.0.3]])|
|[[winhttp]]                              | |s|WinHTTP based HTTP/HTTPS fetcher for Windows platform (since [[5.2.0]])|
|x509                                     |x|s|Advanced X.509 plugin for parsing/generating X.509 certificates/CRLs and OCSP messages|
|xcbc                                     |x|s|XCBC wrapper using various ciphers|
|\4(level1).*libhydra plugins*|
|[[AttrPlugin|attr]]                      |x|s|Provides IKE attributes configured in strongswan.conf|
|[[AttrSQL|attr-sql]]                     | |s|Provides IKE attributes read from a database to peers|
|kernel-netlink                           |x|s|IPsec/Networking kernel interface using Linux Netlink|
|kernel-pfkey                             | |e|IPsec kernel interface using PF_KEY|
|kernel-pfroute                           | |e|Networking kernel interface using PF_ROUTE|
|[[ResolvePlugin|resolve]]                |x|s|Writes name servers received via IKE to a resolv.conf file or installs them via resolvconf(8)|
|\4(level1).*libcharon plugins*|
|addrblock                                | |s|Narrow traffic selectors to "RFC 3779":http://tools.ietf.org/html/rfc3779 address blocks in X.509 certificates|
|android-dns                              | |s|[[Android]]-specific DNS handler plugin (since [[5.0.3]])|
|android-log                              | |s|[[Android]]-specific logger plugin|
|[[CertExpire|certexpire]]                | |s|Export expiration dates of used certificates|
|[[CertCoupling|coupling]]                | |s|Permanent peer certificate coupling|
|[[DHCPPlugin|dhcp]]                      | |s|Forward [[VirtualIP|virtual IP]] address pool lookup to a DHCP server|
|[[connmark]]                             | |e|Plugin using Netfilter conntrack marks to handle multiple transport mode clients (for L2TP, since [[5.3.0]])|
|dnscert                                  | |s|Provides authentication via CERT RRs protected by DNSSEC (since [[5.1.1]])|
|[[Duplicheck|duplicheck]]                | |s|Advanced duplicate checking with liveness test and notifications|
|eap-aka                                  | |s|Generic EAP-AKA protocol handler using different backends|
|eap-aka-3gpp2                            | |s|EAP-AKA backend implementing standard 3GPP2 algorithm in software|
|[[eap-dynamic]]                          | |s|EAP proxy plugin that dynamically selects an EAP method requested/supported by the client (since [[5.0.1]])|
|[[EapGtc|eap-gtc]]                       | |s|EAP-GTC protocol handler authenticating with XAuth backends|
|eap-identity                             | |s|EAP-Identity identity exchange algorithm, to use with other EAP protocols|
|eap-md5                                  | |s|EAP-MD5 protocol handler using passwords|
|eap-mschapv2                             | |s|EAP-MSCHAPv2 protocol handler using passwords/NT hashes|
|eap-peap                                 | |s|EAP-PEAP protocol handler, wraps other EAP methods securely|
|[[EapRadius|eap-radius]]                 | |s|EAP server proxy plugin forwarding EAP conversations to a RADIUS server|
|eap-sim                                  | |s|Generic EAP-SIM protocol handler using different backends|
|eap-sim-file                             | |s|EAP-SIM backend reading triplets from a file|
|eap-sim-pcsc                             | |s|EAP-SIM backend based on a PC/SC smartcard reader|
|eap-simaka-pseudonym                     | |s|EAP-SIM/AKA in-memory pseudonym identity database|
|eap-simaka-reauth                        | |s|EAP-SIM/AKA in-memory reauthentication identity database|
|[[EapSimakaSql|eap-simaka-sql]]          | |s|EAP-SIM/AKA backend reading triplets/quintuplets from a SQL database|
|[[EapTls|eap-tls]]                       | |s|EAP-TLS protocol handler, to authenticate with certificates in EAP|
|eap-tnc                                  | |s|EAP-TNC protocol handler, Trusted Network Connect in a TLS tunnel|
|eap-ttls                                 | |s|EAP-TTLS protocol handler, wraps other EAP methods securely|
|[[ErrorNotifyPlugin|error-notify]]       | |s|Notification about errors via UNIX socket (since [[5.0.2]])|
|[[ext-auth]]                             | |s|Invokes an external script for custom authorization rules (since [[5.2.1]])|
|[[FARPPlugin|farp]]                      | |s|Fakes ARP responses for requests to a [[VirtualIP|virtual IP address]] assigned to a peer|
|[[forecast]]                             | |e|Multicast and broadcast forwarding plugin (since [[5.3.0]])|
|[[HighAvailability|ha]]                  | |s|High-Availability clustering|
|ipseckey                                 | |s|Provides authentication via IPSECKEY RRs protected by DNSSEC (since [[5.0.3]])|
|[[kernel-libipsec]]                      | |e|IPsec "kernel" interface in user-space using libipsec (since [[5.1.0]])|
|[[kernel-iph]]                           | |e|Networking backend for the Windows platform, based on IPHelper APIs (since [[5.2.0]])|
|[[kernel-wfp]]                           | |e|IPsec backend for the Windows platform, using the Windows Filtering Platform (since [[5.2.0]])|
|led                                      | |s|Let Linux LED subsystem LEDs blink on IKE activity|
|[[Lookip|lookip]]                        | |s|Virtual IP lookup facility using a UNIX socket (since [[5.0.2]])|
|[[LoadTests|load-tester]]                | |s|Perform IKE load tests against self or a gateway|
|maemo                                    | |e|Maemo 5 configuration/control backend, works with Maemo strongSwan applet|
|medcli                                   | |d|Web interface based mediation client interface|
|medsrv                                   | |d|Web interface based mediation server interface|
|osx-attr                                 | |e|Mac OS X SystemConfiguration attribute handler (since [[5.1.0]])|
|[[RadAttrPlugin|radattr]]                | |s|Plugin to inject and process custom RADIUS attributes as IKEv2 client|
|[[SMP|smp]]                              | |d|XML based strongSwan Management Protocol|
|socket-default                           |x|s|Default socket implementation for IKE messages, enabled if pluto disabled|
|socket-dynamic                           | |e|Dynamic binding socket implementation, capable of sending IKE messages on any port|
|[[socket-win]]                           | |s|Socket implementation for IKE messages on Windows, based on Winsock2 APIs (since [[5.2.0]])|
|[[SQL|sql]]                              | |s|SQL configuration backend reading configurations/credentials from a database|
|stroke                                   |x|s|Stroke configuration/control backend, to use with ipsec script and starter|
|[[IfMap|tnc-ifmap]]                      | |s|Trusted Network Connect IF-MAP 2.0 client|
|[[TrustedNetworkConnect|tnc-pdp]]        | |s|Trusted Network Connect Policy Decision Point with RADIUS server interface|
|[[SystimeFixPlugin|systime-fix]]         | |s|Handle invalid system time when checking certificates (since [[5.0.3]])|
|uci                                      | |d|OpenWRT UCI configuration backend|
|unit-tests                               | |d|Unit tests to run during daemon startup|
|[[UnityPlugin|unity]]                    | |s|Cisco Unity extensions for IKEv1 (since [[5.0.1]])|
|[[updown]]                               |x|s|Shell script invocation during tunnel up/down events|
|[[Vici|vici]]                            | |e|Versatile IKE Configuration Interface (since [[5.2.0]])|
|[[Whitelist|whitelist]]                  | |s|Check authenticated identities against a whitelist|
|[[XAuthEAP|xauth-eap]]                   | |s|XAuth backend that uses EAP methods to verify passwords (since [[5.0.0]])|
|xauth-generic                            |x|s|Generic XAuth backend that provides passwords from [[XauthSecret|ipsec.secrets]] and other credential sets (since [[5.0.0]])|
|[[XauthNoauth|xauth-noauth]]             | |s|XAuth backend that does not do any authentication (since [[5.0.3]])|
|[[XAuthPAM|xauth-pam]]                   | |s|XAuth backend that uses PAM modules to verify passwords (since [[5.0.1]])|
|\4(level1).*libtnccs plugins*|
|[[TrustedNetworkConnect|tnccs-11]]       | |s|Trusted Network Connect protocol version 1.1|
|[[TrustedNetworkConnect|tnccs-20]]       | |s|Trusted Network Connect protocol version 2.0|
|[[TrustedNetworkConnect|tnccs-dynamic]]  | |s|Trusted Network Connect Dynamic protocol discovery|
|[[TrustedNetworkConnect|tnc-imc]]        | |s|Trusted Network Connect Integrity Measurement Collectors|
|[[TrustedNetworkConnect|tnc-imv]]        | |s|Trusted Network Connect Integrity Measurement Validators|

h2. Removed plugins

|*Plugin Name*          |*E*|*S*|*Description*|
|\4(level1).*pluto plugins*|
|xauth                                    |x|s|XAUTH authentication (removed with [[5.0.0]])|
|\4(level1).*libhydra plugins*|
|kernel-klips                             | |e|IPsec kernel interface to an older KLIPS version (removed with version:5.2.0)|
|\4(level1).*libcharon plugins*|
|android                                  | |s|[[Android]] configuration/control backend, worked with the [[AndroidFrontend|Android VPN applet patch]]. It was removed with [[5.0.3]]. The DNS handler was moved to a separate plugin.|
|[[NetworkManager|nm]]                    | |s|NetworkManager configuration/control backend, works with NetworkManager strongSwan applet. Contained in a separate executable since [[5.0.0]]|
|socket-raw                               |x|s|RAW socket allowing charon to run parallel with pluto, enabled if pluto enabled (removed with [[5.0.1]])|