strongSwan plugins » History » Version 73

Tobias Brunner, 08.08.2017 09:31
eap-aka-3gpp added

h1. strongSwan plugins

The strongSwan distribution ships with an ever growing list of plugins. This allows us to add extended and specialized features while keeping the core as small as possible.

Many components of strongSwan come with a set of plugins. The plugins for libstrongswan provide cryptographic backends, URI fetchers and database layers. The plugins of libhydra are usable by the IKE daemon charon (in earlier releases also by the IKEv1 daemon pluto) and by starter. libcharon comes with a large set of very specialized plugins for specific needs.

h2. Plugins for current releases
8 1 Martin Willi
|*Plugin Name*          |*E*|*S*|*Description*|
|\4. _E = Enabled by default (plugins can be enabled/disabled using their respective [[AutoConf|./configure options]])_
_S = Plugin status: s = stable, e = experimental, d = under development/incomplete_ |
|\4(level1).*libstrongswan plugins*|
|acert                                    | |s|Support of X.509 attribute certificates (since version:5.1.3)|
|aes                                      |x|s|AES-128/192/256 cipher software implementation|
|aesni                                    | |s|Intel AES-NI crypto plugin (since version:5.3.1)|
|af-alg                                   | |s|AF_ALG Linux crypto API interface, provides ciphers/hashers/hmac/xcbc|
|agent                                    | |s|RSA/ECDSA private key backend connecting to SSH-Agent|
|[[BLISS|bliss]]                          | |s|Bimodal Lattice Signature Scheme (BLISS) post-quantum computer signature scheme (since version:5.2.2)|
|blowfish                                 | |s|Blowfish cipher software implementation|
|ccm                                      | |s|CCM cipher mode wrapper|
|chapoly                                  | |s|ChaCha20/Poly1305 AEAD implementation (since version:5.3.3) and ChaCha20 XOF (since version:5.5.1)|
|cmac                                     |x|s|CMAC cipher mode wrapper|
|[[ConstraintsPlugin|constraints]]        |x|s|X.509 certificate advanced constraint checking|
|ctr                                      | |s|CTR cipher mode wrapper|
|[[curl]]                                 | |s|libcurl based HTTP/FTP fetcher|
|curve25519                               |x|s|X25519 DH group and Ed25519 public key authentication (since version:5.5.2)|
|des                                      |x|s|DES/3DES cipher software implementation|
|dnskey                                   |x|s|Parse "RFC 4034":http://tools.ietf.org/html/rfc4034 public keys|
|files                                    | |s|Fetcher for local file:// URIs (since version:5.3.0)|
|fips-prf                                 |x|s|PRF specified by FIPS, used by EAP-SIM/AKA algorithms|
|gcm                                      | |s|GCM cipher mode wrapper|
|gcrypt                                   | |s|Crypto backend based on libgcrypt, provides RSA/DH/ciphers/hashers/rng|
|gmp                                      |x|s|RSA/DH crypto backend based on libgmp|
|hmac                                     |x|s|HMAC wrapper using various hashers|
|keychain                                 | |e|Mac OS X Keychain Services credential set (since version:5.1.0)|
|ldap                                     | |s|LDAP fetching plugin based on libldap|
|md4                                      | |s|MD4 hasher software implementation|
|md5                                      |x|s|MD5 hasher software implementation|
|mgf1                                     | |s|MGF1 mask generation function (since version:5.5.1)|
|mysql                                    | |s|MySQL database backend based on libmysqlclient|
|[[NewHope|newhope]]                      | |s|Key exchange based on post-quantum computer New Hope algorithm (since version:5.5.1)|
|nonce                                    |x|s|Default nonce generation plugin (since version:5.0.0)|
|[[NTRU|ntru]]                            | |s|Key exchange based on post-quantum computer NTRU encryption (since version:5.1.2)|
|openssl                                  | |s|Crypto backend based on OpenSSL, provides RSA/ECDSA/DH/ECDH/ciphers/hashers/HMAC/X.509/CRL/RNG|
|padlock                                  | |e|VIA padlock crypto backend, provides AES128/SHA1|
|pem                                      |x|s|PEM encoding/decoding routines|
|pgp                                      |x|s|PGP encoding/decoding routines|
|pkcs1                                    |x|s|PKCS#1 encoding/decoding routines|
|pkcs7                                    |x|s|PKCS#7 encoding/decoding routines|
|pkcs8                                    |x|s|PKCS#8 decoding routines|
|[[PKCS11Plugin|pkcs11]]                  | |s|PKCS#11 smartcard backend|
|pkcs12                                   |x|s|PKCS#12 decoding routines (since version:5.1.0)|
|pubkey                                   |x|s|Wrapper to handle raw public keys as trusted certificates|
|random                                   |x|s|RNG reading from /dev/[u]random|
|rc2                                      |x|s|RC2 cipher software implementation (since version:5.1.0)|
|rdrand                                   | |e|High quality / high performance random source using the Intel _rdrand_ instruction found on Ivy Bridge processors (since version:5.0.2)|
|revocation                               |x|s|X.509 CRL/OCSP revocation checking|
|sha1                                     |x|s|SHA1 hasher software implementation|
|sha2                                     |x|s|SHA2_224/SHA2_256/SHA2_384/SHA2_512 hasher software implementation|
|sha3                                     | |s|SHA3_224/SHA3_256/SHA3_384/SHA3_512 hasher software implementation (since version:5.3.4) and SHAKE128/SHAKE256 XOF (since version:5.5.1)|
|soup                                     | |s|libsoup based HTTP fetcher|
|sqlite                                   | |s|SQLite database backend based on libsqlite3|
|sshkey                                   |x|s|SSH key decoding routines (since version:5.1.0)|
|[[CryptoTest|test-vectors]]              | |s|Set of test vectors for various algorithms|
|unbound                                  | |s|DNSSEC enabled resolver using libunbound (since version:5.0.3)|
|[[winhttp]]                              | |s|WinHTTP based HTTP/HTTPS fetcher for Windows platform (since version:5.2.0)|
|x509                                     |x|s|Advanced X.509 plugin for parsing/generating X.509 certificates/CRLs and OCSP messages|
|xcbc                                     |x|s|XCBC wrapper using various ciphers|
|\4(level1).*libcharon plugins*|
|addrblock                                | |s|Narrow traffic selectors to "RFC 3779":http://tools.ietf.org/html/rfc3779 address blocks in X.509 certificates|
|android-dns                              | |s|[[Android]]-specific DNS handler plugin (since version:5.0.3)|
|android-log                              | |s|[[Android]]-specific logger plugin|
|[[AttrPlugin|attr]]                      |x|s|Provides IKE attributes configured in strongswan.conf|
|[[AttrSQL|attr-sql]]                     | |s|Provides IKE attributes read from a database to peers|
|[[bypass-lan]]                           | |e|Automatically installs and updates bypass policies for locally attached subnets (since version:5.5.2)|
|[[CertExpire|certexpire]]                | |s|Export expiration dates of used certificates|
|[[CertCoupling|coupling]]                | |s|Permanent peer certificate coupling|
|[[DHCPPlugin|dhcp]]                      | |s|Forward [[VirtualIP|virtual IP]] address pool lookup to a DHCP server|
|[[connmark]]                             | |e|Plugin using Netfilter conntrack marks to handle multiple transport mode clients (for L2TP, since version:5.3.0)|
|dnscert                                  | |s|Provides authentication via CERT RRs protected by DNSSEC (since version:5.1.1)|
|[[Duplicheck|duplicheck]]                | |s|Advanced duplicate checking with liveness test and notifications|
|eap-aka                                  | |s|Generic EAP-AKA protocol handler using different backends|
|eap-aka-3gpp                             | |s|EAP-AKA backend implementing 3GPP MILENAGE algorithms in software (since version:5.6.0)|
|eap-aka-3gpp2                            | |s|EAP-AKA backend implementing 3GPP2 algorithms in software|
|[[eap-dynamic]]                          | |s|EAP proxy plugin that dynamically selects an EAP method requested/supported by the client (since version:5.0.1)|
|[[EapGtc|eap-gtc]]                       | |s|EAP-GTC protocol handler authenticating with XAuth backends|
|eap-identity                             | |s|EAP-Identity identity exchange algorithm, to use with other EAP protocols|
|eap-md5                                  | |s|EAP-MD5 protocol handler using passwords|
|eap-mschapv2                             | |s|EAP-MSCHAPv2 protocol handler using passwords/NT hashes|
|eap-peap                                 | |s|EAP-PEAP protocol handler, wraps other EAP methods securely|
|[[EapRadius|eap-radius]]                 | |s|EAP server proxy plugin forwarding EAP conversations to a RADIUS server|
|eap-sim                                  | |s|Generic EAP-SIM protocol handler using different backends|
|eap-sim-file                             | |s|EAP-SIM backend reading triplets from a file|
|eap-sim-pcsc                             | |s|EAP-SIM backend based on a PC/SC smartcard reader|
|eap-simaka-pseudonym                     | |s|EAP-SIM/AKA in-memory pseudonym identity database|
|eap-simaka-reauth                        | |s|EAP-SIM/AKA in-memory reauthentication identity database|
|[[EapSimakaSql|eap-simaka-sql]]          | |s|EAP-SIM/AKA backend reading triplets/quintuplets from a SQL database|
|[[EapTls|eap-tls]]                       | |s|EAP-TLS protocol handler, to authenticate with certificates in EAP|
|eap-tnc                                  | |s|EAP-TNC protocol handler, Trusted Network Connect in a TLS tunnel|
|eap-ttls                                 | |s|EAP-TTLS protocol handler, wraps other EAP methods securely|
|[[ErrorNotifyPlugin|error-notify]]       | |s|Notification about errors via UNIX socket (since version:5.0.2)|
|[[ext-auth]]                             | |s|Invokes an external script for custom authorization rules (since version:5.2.1)|
|[[FARPPlugin|farp]]                      | |s|Fakes ARP responses for requests to a [[VirtualIP|virtual IP address]] assigned to a peer|
|[[forecast]]                             | |e|Multicast and broadcast forwarding plugin (since version:5.3.0)|
|[[HighAvailability|ha]]                  | |s|High-Availability clustering|
|ipseckey                                 | |s|Provides authentication via IPSECKEY RRs protected by DNSSEC (since version:5.0.3)|
|[[kernel-libipsec]]                      | |e|IPsec "kernel" interface in user-space using libipsec (since version:5.1.0)|
|kernel-netlink                           |x|s|IPsec/Networking kernel interface using Linux Netlink|
|[[kernel-iph]]                           | |e|Networking backend for the Windows platform, based on IPHelper APIs (since version:5.2.0)|
|kernel-pfkey                             | |e|IPsec kernel interface using PF_KEY|
|kernel-pfroute                           | |e|Networking kernel interface using PF_ROUTE|
|[[kernel-wfp]]                           | |e|IPsec backend for the Windows platform, using the Windows Filtering Platform (since version:5.2.0)|
|led                                      | |s|Let Linux LED subsystem LEDs blink on IKE activity|
|[[Lookip|lookip]]                        | |s|Virtual IP lookup facility using a UNIX socket (since version:5.0.2)|
|[[LoadTests|load-tester]]                | |s|Perform IKE load tests against self or a gateway|
|maemo                                    | |e|Maemo 5 configuration/control backend, works with Maemo strongSwan applet|
|medcli                                   | |d|Web interface based mediation client interface|
|medsrv                                   | |d|Web interface based mediation server interface|
|osx-attr                                 | |e|Mac OS X SystemConfiguration attribute handler (since version:5.1.0)|
|p-cscf                                   | |s|Plugin that requests P-CSCF server addresses from an ePDG via IKEv2 (since version:5.4.0)|
|[[RadAttrPlugin|radattr]]                | |s|Plugin to inject and process custom RADIUS attributes as IKEv2 client|
|[[ResolvePlugin|resolve]]                |x|s|Writes name servers received via IKE to a resolv.conf file or installs them via resolvconf(8)|
|[[SMP|smp]]                              | |d|XML based strongSwan Management Protocol|
|socket-default                           |x|s|Default socket implementation for IKE messages, enabled if pluto disabled|
|socket-dynamic                           | |e|Dynamic binding socket implementation, capable of sending IKE messages on any port|
|[[socket-win]]                           | |s|Socket implementation for IKE messages on Windows, based on Winsock2 APIs (since version:5.2.0)|
|[[SQL|sql]]                              | |s|SQL configuration backend reading configurations/credentials from a database|
|stroke                                   |x|s|Stroke configuration/control backend, to use with ipsec script and starter|
|[[IfMap|tnc-ifmap]]                      | |s|Trusted Network Connect IF-MAP 2.0 client|
|[[TrustedNetworkConnect|tnc-pdp]]        | |s|Trusted Network Connect Policy Decision Point with RADIUS server interface|
|[[SystimeFixPlugin|systime-fix]]         | |s|Handle invalid system time when checking certificates (since version:5.0.3)|
|uci                                      | |d|OpenWRT UCI configuration backend|
|unit-tests                               | |d|Unit tests to run during daemon startup|
|[[UnityPlugin|unity]]                    | |s|Cisco Unity extensions for IKEv1 (since version:5.0.1)|
|[[updown]]                               |x|s|Shell script invocation during tunnel up/down events|
|[[Vici|vici]]                            |x|s|Versatile IKE Configuration Interface (since version:5.2.0, enabled since version:5.4.0)|
|[[Whitelist|whitelist]]                  | |s|Check authenticated identities against a whitelist|
|[[XAuthEAP|xauth-eap]]                   | |s|XAuth backend that uses EAP methods to verify passwords (since version:5.0.0)|
|xauth-generic                            |x|s|Generic XAuth backend that provides passwords from [[XauthSecret|ipsec.secrets]] and other credential sets (since version:5.0.0)|
|[[XauthNoauth|xauth-noauth]]             | |s|XAuth backend that does not do any authentication (since version:5.0.3)|
|[[XAuthPAM|xauth-pam]]                   | |s|XAuth backend that uses PAM modules to verify passwords (since version:5.0.1)|
|\4(level1).*libtnccs plugins*|
|[[TrustedNetworkConnect|tnccs-11]]       | |s|Trusted Network Connect protocol version 1.1|
|[[TrustedNetworkConnect|tnccs-20]]       | |s|Trusted Network Connect protocol version 2.0|
|[[TrustedNetworkConnect|tnccs-dynamic]]  | |s|Trusted Network Connect Dynamic protocol discovery|
|[[TrustedNetworkConnect|tnc-imc]]        | |s|Trusted Network Connect Integrity Measurement Collectors|
|[[TrustedNetworkConnect|tnc-imv]]        | |s|Trusted Network Connect Integrity Measurement Validators|
|\4(level1).*libtpmtss plugins*|
|[[TpmPlugin|tpm]]                        | |s|Access persistent RSA and ECDSA private keys bound to Trusted Platform Module 2.0 (since version:5.5.2)|

h2. Removed plugins

|*Plugin Name*          |*E*|*S*|*Description*|
|\4(level1).*pluto plugins*|
|xauth                                    |x|s|XAUTH authentication (removed with version:5.0.0)|
|\4(level1).*libhydra plugins*|
|\4(level2).All plugins were moved to _libcharon_ with version:5.4.0 (_attr_, _attr-sql_ and _resolve_ already with version:5.3.0)|
|kernel-klips                             | |e|IPsec kernel interface to an older KLIPS version (removed with version:5.2.0)|
|\4(level1).*libcharon plugins*|
|android                                  | |s|[[Android]] configuration/control backend, worked with the [[AndroidFrontend|Android VPN applet patch]]. It was removed with version:5.0.3. The DNS handler was moved to a separate plugin.|
|[[NetworkManager|nm]]                    | |s|NetworkManager configuration/control backend, works with the NetworkManager strongSwan applet. Contained in a separate executable since version:5.0.0|
|socket-raw                               |x|s|RAW socket allowing charon to run in parallel with pluto, enabled if pluto enabled (removed with version:5.0.1)|