Version 71 (Tobias Brunner, 22.03.2017 15:55) → Version 72/84 (Tobias Brunner, 27.03.2017 10:48)

h1. strongSwan plugins

The strongSwan distribution ships with an ever growing list of plugins. This allows us to add extended and specialized features while keeping the core as small as possible.

Many components of strongSwan come with a set of plugins. The plugins for libstrongswan provide cryptographic backends, URI fetchers and database layers. The plugins of libhydra are usable by the IKE daemon charon (in earlier releases also by the IKEv1 daemon pluto) and starter. libcharon comes with a large set of very specialized plugins for specific needs.

h2. Plugins for current releases

|*Plugin Name* |*E*|*S*|*Description*|
|\4. _E = Enabled by default (plugins can be enabled/disabled using their respective [[AutoConf|./configure options]])_; _S = Plugin status: s = stable, e = experimental, d = under development/incomplete_ |
|\4(level1).*libstrongswan plugins*|
|acert | |s|Support of X.509 attribute certificates (since version:5.1.3)|
|aes |x|s|AES-128/192/256 cipher software implementation|
|aesni | |s|Intel AES-NI crypto plugin (since version:5.3.1)|
|af-alg | |s|AF_ALG Linux crypto API interface, provides ciphers/hashers/hmac/xcbc|
|agent | |s|RSA/ECDSA private key backend connecting to SSH-Agent|
|[[BLISS|bliss]] | |s|Bimodal Lattice Signature Scheme (BLISS) post-quantum computer signature scheme (since version:5.2.2)|
|blowfish | |s|Blowfish cipher software implementation|
|ccm | |s|CCM cipher mode wrapper|
|chapoly | |s|ChaCha20/Poly1305 AEAD implementation (since version:5.3.3) and ChaCha20 XOF (since version:5.5.1)|
|cmac |x|s|CMAC cipher mode wrapper|
|[[ConstraintsPlugin|constraints]] |x|s|X.509 certificate advanced constraint checking|
|ctr | |s|CTR cipher mode wrapper|
|[[curl]] | |s|libcurl based HTTP/FTP fetcher|
|curve25519 |x|s|X25519 DH group and Ed25519 public key authentication (since version:5.5.2)|
|des |x|s|DES/3DES cipher software implementation|
|dnskey |x|s|Parse RFC 4034 public keys|
|files | |s|Fetcher for local file:// URIs (since version:5.3.0)|
|fips-prf |x|s|PRF specified by FIPS, used by EAP-SIM/AKA algorithms|
|gcm | |s|GCM cipher mode wrapper|
|gcrypt | |s|Crypto backend based on libgcrypt, provides RSA/DH/ciphers/hashers/rng|
|gmp |x|s|RSA/DH crypto backend based on libgmp|
|hmac |x|s|HMAC wrapper using various hashers|
|keychain | |e|Mac OS X Keychain Services credential set (since version:5.1.0)|
|ldap | |s|LDAP fetching plugin based on libldap|
|md4 | |s|MD4 hasher software implementation|
|md5 |x|s|MD5 hasher software implementation|
|mgf1 | |s|MGF1 mask generation function (since version:5.5.1)|
|mysql | |s|MySQL database backend based on libmysqlclient|
|[[NewHope|newhope]] | |s|Key exchange based on post-quantum computer New Hope algorithm (since version:5.5.1)|
|nonce |x|s|Default nonce generation plugin (since version:5.0.0)|
|[[NTRU|ntru]] | |s|Key exchange based on post-quantum computer NTRU encryption (since version:5.1.2)|
|openssl | |s|Crypto backend based on OpenSSL, provides RSA/ECDSA/DH/ECDH/ciphers/hashers/HMAC/X.509/CRL/RNG|
|padlock | |e|VIA padlock crypto backend, provides AES128/SHA1|
|pem |x|s|PEM encoding/decoding routines|
|pgp |x|s|PGP encoding/decoding routines|
|pkcs1 |x|s|PKCS#1 encoding/decoding routines|
|pkcs7 |x|s|PKCS#7 encoding/decoding routines|
|pkcs8 |x|s|PKCS#8 decoding routines|
|[[PKCS11Plugin|pkcs11]] | |s|PKCS#11 smartcard backend|
|pkcs12 |x|s|PKCS#12 decoding routines (since version:5.1.0)|
|pubkey |x|s|Wrapper to handle raw public keys as trusted certificates|
|random |x|s|RNG reading from /dev/[u]random|
|rc2 |x|s|RC2 cipher software implementation (since version:5.1.0)|
|rdrand | |e|High quality / high performance random source using the Intel _rdrand_ instruction found on Ivy Bridge processors (since version:5.0.2)|
|revocation |x|s|X.509 CRL/OCSP revocation checking|
|sha1 |x|s|SHA1 hasher software implementation|
|sha2 |x|s|SHA2_224/SHA2_256/SHA2_384/SHA2_512 hasher software implementation|
|sha3 | |s|SHA3_224/SHA3_256/SHA3_384/SHA3_512 hasher software implementation (since version:5.3.4) and SHAKE128/SHAKE256 XOF (since version:5.5.1)|
|soup | |s|libsoup based HTTP fetcher|
|sqlite | |s|SQLite database backend based on libsqlite3|
|sshkey |x|s|SSH key decoding routines (since version:5.1.0)|
|[[CryptoTest|test-vectors]] | |s|Set of test vectors for various algorithms|
|unbound | |s|DNSSEC enabled resolver using libunbound (since version:5.0.3)|
|[[winhttp]] | |s|WinHTTP based HTTP/HTTPS fetcher for Windows platform (since version:5.2.0)|
|x509 |x|s|Advanced X.509 plugin for parsing/generating X.509 certificates/CRLs and OCSP messages|
|xcbc |x|s|XCBC wrapper using various ciphers|
|\4(level1).*libcharon plugins*|
|addrblock | |s|Narrow traffic selectors to RFC 3779 address blocks in X.509 certificates|
|android-dns | |s|[[Android]]-specific DNS handler plugin (since version:5.0.3)|
|android-log | |s|[[Android]]-specific logger plugin|
|[[AttrPlugin|attr]] |x|s|Provides IKE attributes configured in strongswan.conf|
|[[AttrSQL|attr-sql]] | |s|Provides IKE attributes read from a database to peers|
|[[bypass-lan]] | |e|Automatically installs and updates bypass policies for locally attached subnets (since version:5.5.2)|
|[[CertExpire|certexpire]] | |s|Export expiration dates of used certificates|
|[[CertCoupling|coupling]] | |s|Permanent peer certificate coupling|
|[[DHCPPlugin|dhcp]] | |s|Forward [[VirtualIP|virtual IP]] address pool lookup to a DHCP server|
|[[connmark]] | |e|Plugin using Netfilter conntrack marks to handle multiple transport mode clients (for L2TP, since version:5.3.0)|
|dnscert | |s|Provides authentication via CERT RRs protected by DNSSEC (since version:5.1.1)|
|[[Duplicheck|duplicheck]] | |s|Advanced duplicate checking with liveness test and notifications|
|eap-aka | |s|Generic EAP-AKA protocol handler using different backends|
|eap-aka-3gpp2 | |s|EAP-AKA backend implementing standard 3GPP2 algorithm in software|
|[[eap-dynamic]] | |s|EAP proxy plugin that dynamically selects an EAP method requested/supported by the client (since version:5.0.1)|
|[[EapGtc|eap-gtc]] | |s|EAP-GTC protocol handler authenticating with XAuth backends|
|eap-identity | |s|EAP-Identity identity exchange algorithm, to use with other EAP protocols|
|eap-md5 | |s|EAP-MD5 protocol handler using passwords|
|eap-mschapv2 | |s|EAP-MSCHAPv2 protocol handler using passwords/NT hashes|
|eap-peap | |s|EAP-PEAP protocol handler, wraps other EAP methods securely|
|[[EapRadius|eap-radius]] | |s|EAP server proxy plugin forwarding EAP conversations to a RADIUS server|
|eap-sim | |s|Generic EAP-SIM protocol handler using different backends|
|eap-sim-file | |s|EAP-SIM backend reading triplets from a file|
|eap-sim-pcsc | |s|EAP-SIM backend based on a PC/SC smartcard reader|
|eap-simaka-pseudonym | |s|EAP-SIM/AKA in-memory pseudonym identity database|
|eap-simaka-reauth | |s|EAP-SIM/AKA in-memory reauthentication identity database|
|[[EapSimakaSql|eap-simaka-sql]] | |s|EAP-SIM/AKA backend reading triplets/quintuplets from a SQL database|
|[[EapTls|eap-tls]] | |s|EAP-TLS protocol handler, to authenticate with certificates in EAP|
|eap-tnc | |s|EAP-TNC protocol handler, Trusted Network Connect in a TLS tunnel|
|eap-ttls | |s|EAP-TTLS protocol handler, wraps other EAP methods securely|
|[[ErrorNotifyPlugin|error-notify]] | |s|Notification about errors via UNIX socket (since version:5.0.2)|
|[[ext-auth]] | |s|Invokes an external script for custom authorization rules (since version:5.2.1)|
|[[FARPPlugin|farp]] | |s|Fakes ARP responses for requests to a [[VirtualIP|virtual IP address]] assigned to a peer|
|[[forecast]] | |e|Multicast and broadcast forwarding plugin (since version:5.3.0)|
|[[HighAvailability|ha]] | |s|High-Availability clustering|
|ipseckey | |s|Provides authentication via IPSECKEY RRs protected by DNSSEC (since version:5.0.3)|
|[[kernel-libipsec]] | |e|IPsec "kernel" interface in user-space using libipsec (since version:5.1.0)|
|kernel-netlink |x|s|IPsec/Networking kernel interface using Linux Netlink|
|[[kernel-iph]] | |e|Networking backend for the Windows platform, based on IPHelper APIs (since version:5.2.0)|
|kernel-pfkey | |e|IPsec kernel interface using PF_KEY|
|kernel-pfroute | |e|Networking kernel interface using PF_ROUTE|
|[[kernel-wfp]] | |e|IPsec backend for the Windows platform, using the Windows Filtering Platform (since version:5.2.0)|
|led | |s|Let Linux LED subsystem LEDs blink on IKE activity|
|[[Lookip|lookip]] | |s|Virtual IP lookup facility using a UNIX socket (since version:5.0.2)|
|[[LoadTests|load-tester]] | |s|Perform IKE load tests against self or a gateway|
|maemo | |e|Maemo 5 configuration/control backend, works with Maemo strongSwan applet|
|medcli | |d|Web interface based mediation client interface|
|medsrv | |d|Web interface based mediation server interface|
|osx-attr | |e|Mac OS X SystemConfiguration attribute handler (since version:5.1.0)|
|p-cscf | |s|Plugin that requests P-CSCF server addresses from an ePDG via IKEv2 (since version:5.4.0)|
|[[RadAttrPlugin|radattr]] | |s|Plugin to inject and process custom RADIUS attributes as IKEv2 client|
|[[ResolvePlugin|resolve]] |x|s|Writes name servers received via IKE to a resolv.conf file or installs them via resolvconf(8)|
|[[SMP|smp]] | |d|XML based strongSwan Management Protocol|
|socket-default |x|s|Default socket implementation for IKE messages, enabled if pluto disabled|
|socket-dynamic | |e|Dynamic binding socket implementation, capable of sending IKE messages on any port|
|[[socket-win]] | |s|Socket implementation for IKE messages on Windows, based on Winsock2 APIs (since version:5.2.0)|
|[[SQL|sql]] | |s|SQL configuration backend reading configurations/credentials from a database|
|stroke |x|s|Stroke configuration/control backend, to use with ipsec script and starter|
|[[IfMap|tnc-ifmap]] | |s|Trusted Network Connect IF-MAP 2.0 client|
|[[TrustedNetworkConnect|tnc-pdp]] | |s|Trusted Network Connect Policy Decision Point with RADIUS server interface|
|[[SystimeFixPlugin|systime-fix]] | |s|Handle invalid system time when checking certificates (since version:5.0.3)|
|uci | |d|OpenWRT UCI configuration backend|
|unit-tests | |d|Unit tests to run during daemon startup|
|[[UnityPlugin|unity]] | |s|Cisco Unity extensions for IKEv1 (since version:5.0.1)|
|[[updown]] |x|s|Shell script invocation during tunnel up/down events|
|[[Vici|vici]] |x|s|Versatile IKE Configuration Interface (since version:5.2.0, enabled since version:5.4.0)|
|[[Whitelist|whitelist]] | |s|Check authenticated identities against a whitelist|
|[[XAuthEAP|xauth-eap]] | |s|XAuth backend that uses EAP methods to verify passwords (since version:5.0.0)|
|xauth-generic |x|s|Generic XAuth backend that provides passwords from [[XauthSecret|ipsec.secrets]] and other credential sets (since version:5.0.0)|
|[[XauthNoauth|xauth-noauth]] | |s|XAuth backend that does not do any authentication (since version:5.0.3)|
|[[XAuthPAM|xauth-pam]] | |s|XAuth backend that uses PAM modules to verify passwords (since version:5.0.1)|
|\4(level1).*libtnccs plugins*|
|[[TrustedNetworkConnect|tnccs-11]] | |s|Trusted Network Connect protocol version 1.1|
|[[TrustedNetworkConnect|tnccs-20]] | |s|Trusted Network Connect protocol version 2.0|
|[[TrustedNetworkConnect|tnccs-dynamic]] | |s|Trusted Network Connect Dynamic protocol discovery|
|[[TrustedNetworkConnect|tnc-imc]] | |s|Trusted Network Connect Integrity Measurement Collectors|
|[[TrustedNetworkConnect|tnc-imv]] | |s|Trusted Network Connect Integrity Measurement Validators|
|\4(level1).*libtpmtss plugins*|
|[[TpmPlugin|tpm]] | |s|Access persistent RSA and ECDSA private keys bound to Trusted Platform Module 2.0 (since version:5.5.2)|

h2. Removed plugins

|*Plugin Name* |*E*|*S*|*Description*|
|\4(level1).*pluto plugins*|
|xauth |x|s|XAUTH authentication (removed with version:5.0.0)|
|\4(level1).*libhydra plugins*|
|\4(level2).All plugins were moved to _libcharon_ with version:5.4.0 (_attr_, _attr-sql_ and _resolve_ already with version:5.3.0)|
|kernel-klips | |e|IPsec kernel interface to an older KLIPS version (removed with version:5.2.0)|
|\4(level1).*libcharon plugins*|
|android | |s|[[Android]] configuration/control backend, worked with the [[AndroidFrontend|Android VPN applet patch]]. It was removed with version:5.0.3. The DNS handler was moved to a separate plugin.|
|[[NetworkManager|nm]] | |s|NetworkManager configuration/control backend, works with NetworkManager strongSwan applet. Contained in a separate executable since version:5.0.0|
|socket-raw |x|s|RAW socket allowing charon to run parallel with pluto, enabled if pluto enabled (removed with version:5.0.1)|