strongSwan plugins » History » Version 61

Version 60 (Tobias Brunner, 27.05.2015 13:08) → Version 61/84 (Tobias Brunner, 27.08.2015 12:13)

h1. strongSwan plugins

The strongSwan distribution ships with an ever growing list of plugins. This allows us to add extended and specialized features, but keep the core as small as possible.

Many components of strongSwan come with a set of plugins. The plugins for libstrongswan provide cryptographic backends, URI fetchers and database layers. The plugins of libhydra are usable by the IKE daemon charon (in earlier releases also by the IKEv1 daemon pluto) and starter. libcharon comes with a large set of very specialized plugins for specific needs.

h2. Plugins for current releases

|*Plugin Name* |*E*|*S*|*Description*|
|\4. _E = Enabled by default (plugins can be enabled/disabled using their respective [[AutoConf|./configure options]])_
_S = Plugin status: s = stable, e = experimental, d = under development/incomplete_ |
|\4(level1).*libstrongswan plugins*|
|acert | |s|Support of X.509 attribute certificates (since [[5.1.3]])|
|aes |x|s|AES-128/192/256 cipher software implementation|
|aesni | |s|Intel AES-NI crypto plugin (since version:5.3.1)|
|af-alg | |s|AF_ALG Linux crypto API interface, provides ciphers/hashers/hmac/xcbc|
|agent | |s|RSA/ECDSA private key backend connecting to SSH-Agent|
|[[BLISS|bliss]] | |s|Bimodal Lattice Signature Scheme (BLISS) post-quantum computer signature scheme (since [[5.2.2]])|
|blowfish | |s|Blowfish cipher software implementation|
|ccm | |s|CCM cipher mode wrapper|
|chapoly | |s|ChaCha20/Poly1305 AEAD implementation (since version:5.3.3)|
|cmac |x|s|CMAC cipher mode wrapper|
|[[ConstraintsPlugin|constraints]] |x|s|X.509 certificate advanced constraint checking|
|ctr | |s|CTR cipher mode wrapper|
|[[curl]] | |s|libcurl based HTTP/FTP fetcher|
|des |x|s|DES/3DES cipher software implementation|
|dnskey |x|s|Parse "RFC 4034": public keys|
|files | |s|Fetcher for local file:// URIs (since version:5.3.0)|
|fips-prf |x|s|PRF specified by FIPS, used by EAP-SIM/AKA algorithms|
|gcm | |s|GCM cipher mode wrapper|
|gcrypt | |s|Crypto backend based on libgcrypt, provides RSA/DH/ciphers/hashers/rng|
|gmp |x|s|RSA/DH crypto backend based on libgmp|
|hmac |x|s|HMAC wrapper using various hashers|
|keychain | |e|Mac OS X Keychain Services credential set (since [[5.1.0]])|
|ldap | |s|LDAP fetching plugin based on libldap|
|md4 | |s|MD4 hasher software implementation|
|md5 |x|s|MD5 hasher software implementation|
|mysql | |s|MySQL database backend based on libmysqlclient|
|nonce |x|s|Default nonce generation plugin (since [[5.0.0]])|
|[[NTRU|ntru]] | |s|Key exchange based on post-quantum computer NTRU encryption (since [[5.1.2]])|
|openssl | |s|Crypto backend based on OpenSSL, provides RSA/ECDSA/DH/ECDH/ciphers/hashers/HMAC/X.509/CRL/RNG|
|padlock | |e|VIA padlock crypto backend, provides AES128/SHA1|
|pem |x|s|PEM encoding/decoding routines|
|pgp |x|s|PGP encoding/decoding routines|
|pkcs1 |x|s|PKCS#1 encoding/decoding routines|
|pkcs7 |x|s|PKCS#7 encoding/decoding routines|
|pkcs8 |x|s|PKCS#8 decoding routines|
|[[PKCS11Plugin|pkcs11]] | |s|PKCS#11 smartcard backend|
|pkcs12 |x|s|PKCS#12 decoding routines (since [[5.1.0]])|
|pubkey |x|s|Wrapper to handle raw public keys as trusted certificates|
|random |x|s|RNG reading from /dev/[u]random|
|rc2 |x|s|RC2 cipher software implementation (since [[5.1.0]])|
|rdrand | |e|High quality / high performance random source using the Intel _rdrand_ instruction found on Ivy Bridge processors (since [[5.0.2]])|
|revocation |x|s|X.509 CRL/OCSP revocation checking|
|sha1 |x|s|SHA1 hasher software implementation|
|sha2 |x|s|SHA256/SHA384/SHA512 hasher software implementation|
|soup | |s|libsoup based HTTP fetcher|
|sqlite | |s|SQLite database backend based on libsqlite3|
|sshkey |x|s|SSH key decoding routines (since [[5.1.0]])|
|[[CryptoTest|test-vectors]] | |s|Set of test vectors for various algorithms|
|unbound | |s|DNSSEC enabled resolver using libunbound (since [[5.0.3]])|
|[[winhttp]] | |s|WinHTTP based HTTP/HTTPS fetcher for Windows platform (since [[5.2.0]])|
|x509 |x|s|Advanced X.509 plugin for parsing/generating X.509 certificates/CRLs and OCSP messages|
|xcbc |x|s|XCBC wrapper using various ciphers|
|\4(level1).*libhydra plugins*|
|[[AttrPlugin|attr]] |x|s|Provides IKE attributes configured in strongswan.conf|
|[[AttrSQL|attr-sql]] | |s|Provides IKE attributes read from a database to peers|
|kernel-netlink |x|s|IPsec/Networking kernel interface using Linux Netlink|
|kernel-pfkey | |e|IPsec kernel interface using PF_KEY|
|kernel-pfroute | |e|Networking kernel interface using PF_ROUTE|
|[[ResolvePlugin|resolve]] |x|s|Writes name servers received via IKE to a resolv.conf file or installs them via resolvconf(8)|
|\4(level1).*libcharon plugins*|
|addrblock | |s|Narrow traffic selectors to "RFC 3779": address blocks in X.509 certificates|
|android-dns | |s|[[Android]]-specific DNS handler plugin (since [[5.0.3]])|
|android-log | |s|[[Android]]-specific logger plugin|
|[[CertExpire|certexpire]] | |s|Export expiration dates of used certificates|
|[[CertCoupling|coupling]] | |s|Permanent peer certificate coupling|
|[[DHCPPlugin|dhcp]] | |s|Forward [[VirtualIP|virtual IP]] address pool lookup to a DHCP server|
|[[connmark]] | |e|Plugin using Netfilter conntrack marks to handle multiple transport mode clients (for L2TP, since [[5.3.0]])|
|dnscert | |s|Provides authentication via CERT RRs protected by DNSSEC (since [[5.1.1]])|
|[[Duplicheck|duplicheck]] | |s|Advanced duplicate checking with liveness test and notifications|
|eap-aka | |s|Generic EAP-AKA protocol handler using different backends|
|eap-aka-3gpp2 | |s|EAP-AKA backend implementing standard 3GPP2 algorithm in software|
|[[eap-dynamic]] | |s|EAP proxy plugin that dynamically selects an EAP method requested/supported by the client (since [[5.0.1]])|
|[[EapGtc|eap-gtc]] | |s|EAP-GTC protocol handler authenticating with XAuth backends|
|eap-identity | |s|EAP-Identity identity exchange algorithm, to use with other EAP protocols|
|eap-md5 | |s|EAP-MD5 protocol handler using passwords|
|eap-mschapv2 | |s|EAP-MSCHAPv2 protocol handler using passwords/NT hashes|
|eap-peap | |s|EAP-PEAP protocol handler, wraps other EAP methods securely|
|[[EapRadius|eap-radius]] | |s|EAP server proxy plugin forwarding EAP conversations to a RADIUS server|
|eap-sim | |s|Generic EAP-SIM protocol handler using different backends|
|eap-sim-file | |s|EAP-SIM backend reading triplets from a file|
|eap-sim-pcsc | |s|EAP-SIM backend based on a PC/SC smartcard reader|
|eap-simaka-pseudonym | |s|EAP-SIM/AKA in-memory pseudonym identity database|
|eap-simaka-reauth | |s|EAP-SIM/AKA in-memory reauthentication identity database|
|[[EapSimakaSql|eap-simaka-sql]] | |s|EAP-SIM/AKA backend reading triplets/quintuplets from a SQL database|
|[[EapTls|eap-tls]] | |s|EAP-TLS protocol handler, to authenticate with certificates in EAP|
|eap-tnc | |s|EAP-TNC protocol handler, Trusted Network Connect in a TLS tunnel|
|eap-ttls | |s|EAP-TTLS protocol handler, wraps other EAP methods securely|
|[[ErrorNotifyPlugin|error-notify]] | |s|Notification about errors via UNIX socket (since [[5.0.2]])|
|[[ext-auth]] | |s|Invokes an external script for custom authorization rules (since [[5.2.1]])|
|[[FARPPlugin|farp]] | |s|Fakes ARP responses for requests to a [[VirtualIP|virtual IP address]] assigned to a peer|
|[[forecast]] | |e|Multicast and broadcast forwarding plugin (since [[5.3.0]])|
|[[HighAvailability|ha]] | |s|High-Availability clustering|
|ipseckey | |s|Provides authentication via IPSECKEY RRs protected by DNSSEC (since [[5.0.3]])|
|[[kernel-libipsec]] | |e|IPsec "kernel" interface in user-space using libipsec (since [[5.1.0]])|
|[[kernel-iph]] | |e|Networking backend for the Windows platform, based on IPHelper APIs (since [[5.2.0]])|
|[[kernel-wfp]] | |e|IPsec backend for the Windows platform, using the Windows Filtering Platform (since [[5.2.0]])|
|led | |s|Let Linux LED subsystem LEDs blink on IKE activity|
|[[Lookip|lookip]] | |s|Virtual IP lookup facility using a UNIX socket (since [[5.0.2]])|
|[[LoadTests|load-tester]] | |s|Perform IKE load tests against self or a gateway|
|maemo | |e|Maemo 5 configuration/control backend, works with Maemo strongSwan applet|
|medcli | |d|Web interface based mediation client interface|
|medsrv | |d|Web interface based mediation server interface|
|osx-attr | |e|Mac OS X SystemConfiguration attribute handler (since [[5.1.0]])|
|[[RadAttrPlugin|radattr]] | |s|Plugin to inject and process custom RADIUS attributes as IKEv2 client|
|[[SMP|smp]] | |d|XML based strongSwan Management Protocol|
|socket-default |x|s|Default socket implementation for IKE messages, enabled if pluto disabled|
|socket-dynamic | |e|Dynamic binding socket implementation, capable of sending IKE messages on any port|
|[[socket-win]] | |s|Socket implementation for IKE messages on Windows, based on Winsock2 APIs (since [[5.2.0]])|
|[[SQL|sql]] | |s|SQL configuration backend reading configurations/credentials from a database|
|stroke |x|s|Stroke configuration/control backend, to use with ipsec script and starter|
|[[IfMap|tnc-ifmap]] | |s|Trusted Network Connect IF-MAP 2.0 client|
|[[TrustedNetworkConnect|tnc-pdp]] | |s|Trusted Network Connect Policy Decision Point with RADIUS server interface|
|[[SystimeFixPlugin|systime-fix]] | |s|Handle invalid system time when checking certificates (since [[5.0.3]])|
|uci | |d|OpenWRT UCI configuration backend|
|unit-tests | |d|Unit tests to run during daemon startup|
|[[UnityPlugin|unity]] | |s|Cisco Unity extensions for IKEv1 (since [[5.0.1]])|
|[[updown]] |x|s|Shell script invocation during tunnel up/down events|
|[[Vici|vici]] | |e|Versatile IKE Configuration Interface (since [[5.2.0]])|
|[[Whitelist|whitelist]] | |s|Check authenticated identities against a whitelist|
|[[XAuthEAP|xauth-eap]] | |s|XAuth backend that uses EAP methods to verify passwords (since [[5.0.0]])|
|xauth-generic |x|s|Generic XAuth backend that provides passwords from [[XauthSecret|ipsec.secrets]] and other credential sets (since [[5.0.0]])|
|[[XauthNoauth|xauth-noauth]] | |s|XAuth backend that does not do any authentication (since [[5.0.3]])|
|[[XAuthPAM|xauth-pam]] | |s|XAuth backend that uses PAM modules to verify passwords (since [[5.0.1]])|
|\4(level1).*libtnccs plugins*|
|[[TrustedNetworkConnect|tnccs-11]] | |s|Trusted Network Connect protocol version 1.1|
|[[TrustedNetworkConnect|tnccs-20]] | |s|Trusted Network Connect protocol version 2.0|
|[[TrustedNetworkConnect|tnccs-dynamic]] | |s|Trusted Network Connect Dynamic protocol discovery|
|[[TrustedNetworkConnect|tnc-imc]] | |s|Trusted Network Connect Integrity Measurement Collectors|
|[[TrustedNetworkConnect|tnc-imv]] | |s|Trusted Network Connect Integrity Measurement Validators|

h2. Removed plugins

|*Plugin Name* |*E*|*S*|*Description*|
|\4(level1).*pluto plugins*|
|xauth |x|s|XAUTH authentication (removed with [[5.0.0]])|
|\4(level1).*libhydra plugins*|
|kernel-klips | |e|IPsec kernel interface to an older KLIPS version (removed with version:5.2.0)|
|\4(level1).*libcharon plugins*|
|android | |s|[[Android]] configuration/control backend, worked with the [[AndroidFrontend|Android VPN applet patch]]. It was removed with [[5.0.3]]. The DNS handler was moved to a separate plugin.|
|[[NetworkManager|nm]] | |s|NetworkManager configuration/control backend, works with NetworkManager strongSwan applet. Contained in a separate executable since [[5.0.0]]|
|socket-raw |x|s|RAW socket allowing charon to run parallel with pluto, enabled if pluto enabled (removed with [[5.0.1]])|