strongSwan plugins » History » Version 78
Andreas Steffen, 23.12.2017 17:40
h1. strongSwan plugins

The strongSwan distribution ships with an ever growing list of plugins. This allows us to add extended and specialized features while keeping the core as small as possible.

Many components of strongSwan come with a set of plugins. The plugins for libstrongswan provide cryptographic backends, URI fetchers and database layers. The plugins of libhydra are usable by the IKE daemon charon (in earlier releases also by the IKEv1 daemon pluto) and starter. libcharon comes with a large set of very specialized plugins for specific needs.

h2. Plugins for current releases

|*Plugin Name* |*E*|*S*|*Description*|
|\4. _E = Enabled by default (plugins can be enabled/disabled using their respective [[AutoConf|./configure options]])_ _S = Plugin status: s = stable, e = experimental, d = under development/incomplete_|
|\4(level1).*libstrongswan plugins*|
|acert | |s|Support of X.509 attribute certificates (since version:5.1.3)|
|aes |x|s|AES-128/192/256 cipher software implementation|
|aesni | |s|Intel AES-NI crypto plugin (since version:5.3.1)|
|af-alg | |s|AF_ALG Linux crypto API interface, provides ciphers/hashers/hmac/xcbc|
|agent | |s|RSA/ECDSA private key backend connecting to SSH-Agent|
|[[BLISS|bliss]] | |s|Bimodal Lattice Signature Scheme (BLISS), a post-quantum signature scheme (since version:5.2.2)|
|blowfish | |s|Blowfish cipher software implementation|
|ccm | |s|CCM cipher mode wrapper|
|chapoly | |s|ChaCha20/Poly1305 AEAD implementation (since version:5.3.3) and ChaCha20 XOF (since version:5.5.1)|
|cmac |x|s|CMAC cipher mode wrapper|
|[[ConstraintsPlugin|constraints]] |x|s|X.509 certificate advanced constraint checking|
|ctr | |s|CTR cipher mode wrapper|
|[[curl]] | |s|libcurl based HTTP/FTP fetcher|
|curve25519 |x|s|X25519 DH group and Ed25519 public key authentication (since version:5.5.2)|
|des |x|s|DES/3DES cipher software implementation|
|dnskey |x|s|Parse "RFC 4034":http://tools.ietf.org/html/rfc4034 public keys|
|files | |s|Fetcher for local file:// URIs (since version:5.3.0)|
|fips-prf |x|s|PRF specified by FIPS, used by EAP-SIM/AKA algorithms|
|gcm | |s|GCM cipher mode wrapper|
|gcrypt | |s|Crypto backend based on libgcrypt, provides RSA/DH/ciphers/hashers/rng|
|gmp |x|s|RSA/DH crypto backend based on libgmp|
|hmac |x|s|HMAC wrapper using various hashers|
|keychain | |e|Mac OS X Keychain Services credential set (since version:5.1.0)|
|ldap | |s|LDAP fetching plugin based on libldap|
|md4 | |s|MD4 hasher software implementation|
|md5 |x|s|MD5 hasher software implementation|
|mgf1 | |s|MGF1 mask generation function (since version:5.5.1)|
|mysql | |s|MySQL database backend based on libmysqlclient|
|[[NewHope|newhope]] | |s|Key exchange based on the post-quantum New Hope algorithm (since version:5.5.1)|
|nonce |x|s|Default nonce generation plugin (since version:5.0.0)|
|[[NTRU|ntru]] | |s|Key exchange based on the post-quantum NTRU encryption scheme (since version:5.1.2)|
|openssl | |s|Crypto backend based on OpenSSL, provides RSA/ECDSA/DH/ECDH/ciphers/hashers/HMAC/X.509/CRL/RNG|
|padlock | |e|VIA PadLock crypto backend, provides AES128/SHA1|
|pem |x|s|PEM encoding/decoding routines|
|pgp |x|s|PGP encoding/decoding routines|
|pkcs1 |x|s|PKCS#1 encoding/decoding routines|
|pkcs7 |x|s|PKCS#7 encoding/decoding routines|
|pkcs8 |x|s|PKCS#8 decoding routines|
|[[PKCS11Plugin|pkcs11]] | |s|PKCS#11 smartcard backend|
|pkcs12 |x|s|PKCS#12 decoding routines (since version:5.1.0)|
|pubkey |x|s|Wrapper to handle raw public keys as trusted certificates|
|random |x|s|RNG reading from /dev/[u]random|
|rc2 |x|s|RC2 cipher software implementation (since version:5.1.0)|
|rdrand | |e|High-quality, high-performance random source using the Intel _rdrand_ instruction found on Ivy Bridge processors (since version:5.0.2)|
|revocation |x|s|X.509 CRL/OCSP revocation checking|
|sha1 |x|s|SHA1 hasher software implementation|
|sha2 |x|s|SHA2_224/SHA2_256/SHA2_384/SHA2_512 hasher software implementation|
|sha3 | |s|SHA3_224/SHA3_256/SHA3_384/SHA3_512 hasher software implementation (since version:5.3.4) and SHAKE128/SHAKE256 XOF (since version:5.5.1)|
|soup | |s|libsoup based HTTP fetcher|
|sqlite | |s|SQLite database backend based on libsqlite3|
|sshkey |x|s|SSH key decoding routines (since version:5.1.0)|
|[[CryptoTest|test-vectors]] | |s|Set of test vectors for various algorithms|
|unbound | |s|DNSSEC enabled resolver using libunbound (since version:5.0.3)|
|[[winhttp]] | |s|WinHTTP based HTTP/HTTPS fetcher for the Windows platform (since version:5.2.0)|
|x509 |x|s|Advanced X.509 plugin for parsing/generating X.509 certificates/CRLs and OCSP messages|
|xcbc |x|s|XCBC wrapper using various ciphers|
|\4(level1).*libcharon plugins*|
|[[AddrblockPlugin|addrblock]] | |s|Narrow traffic selectors to "RFC 3779":http://tools.ietf.org/html/rfc3779 address blocks in X.509 certificates|
|android-dns | |s|[[Android]]-specific DNS handler plugin (since version:5.0.3)|
|android-log | |s|[[Android]]-specific logger plugin|
|[[AttrPlugin|attr]] |x|s|Provides IKE attributes configured in strongswan.conf|
|[[AttrSQL|attr-sql]] | |s|Provides IKE attributes read from a database to peers|
|[[bypass-lan]] | |e|Automatically installs and updates bypass policies for locally attached subnets (since version:5.5.2)|
|[[CertExpire|certexpire]] | |s|Export expiration dates of used certificates|
|[[counters]] | |s|Provides IKE performance counters (queryable via [[swanctl]]/[[vici]] or [[Ipseccommand|ipsec]]/stroke, since version:5.6.1)|
|[[CertCoupling|coupling]] | |s|Permanent peer certificate coupling|
|[[DHCPPlugin|dhcp]] | |s|Request [[VirtualIP|virtual IP]] address from a DHCP server|
|[[connmark]] | |e|Plugin using Netfilter conntrack marks to handle multiple transport mode clients (for L2TP, since version:5.3.0)|
|dnscert | |s|Provides authentication via CERT RRs protected by DNSSEC (since version:5.1.1)|
|[[Duplicheck|duplicheck]] | |s|Advanced duplicate checking with liveness test and notifications|
|eap-aka | |s|Generic EAP-AKA protocol handler using different backends|
|eap-aka-3gpp | |s|EAP-AKA backend implementing 3GPP MILENAGE algorithms in software (since version:5.6.0)|
|eap-aka-3gpp2 | |s|EAP-AKA backend implementing 3GPP2 algorithms in software|
|[[eap-dynamic]] | |s|EAP proxy plugin that dynamically selects an EAP method requested/supported by the client (since version:5.0.1)|
|[[EapGtc|eap-gtc]] | |s|EAP-GTC protocol handler authenticating with XAuth backends|
|eap-identity | |s|EAP-Identity identity exchange algorithm, to use with other EAP protocols|
|eap-md5 | |s|EAP-MD5 protocol handler using passwords|
|eap-mschapv2 | |s|EAP-MSCHAPv2 protocol handler using passwords/NT hashes|
|eap-peap | |s|EAP-PEAP protocol handler, wraps other EAP methods securely|
|[[EapRadius|eap-radius]] | |s|EAP server proxy plugin forwarding EAP conversations to a RADIUS server|
|eap-sim | |s|Generic EAP-SIM protocol handler using different backends|
|eap-sim-file | |s|EAP-SIM backend reading triplets from a file|
|eap-sim-pcsc | |s|EAP-SIM backend based on a PC/SC smartcard reader|
|eap-simaka-pseudonym | |s|EAP-SIM/AKA in-memory pseudonym identity database|
|eap-simaka-reauth | |s|EAP-SIM/AKA in-memory reauthentication identity database|
|[[EapSimakaSql|eap-simaka-sql]] | |s|EAP-SIM/AKA backend reading triplets/quintuplets from a SQL database|
|[[EapTls|eap-tls]] | |s|EAP-TLS protocol handler, to authenticate with certificates in EAP|
|eap-tnc | |s|EAP-TNC protocol handler, Trusted Network Connect in a TLS tunnel|
|eap-ttls | |s|EAP-TTLS protocol handler, wraps other EAP methods securely|
|[[ErrorNotifyPlugin|error-notify]] | |s|Notification about errors via UNIX socket (since version:5.0.2)|
|[[ext-auth]] | |s|Invokes an external script for custom authorization rules (since version:5.2.1)|
|[[FARPPlugin|farp]] | |s|Fakes ARP responses for requests to a [[VirtualIP|virtual IP address]] assigned to a peer|
|[[forecast]] | |e|Multicast and broadcast forwarding plugin (since version:5.3.0)|
|[[HighAvailability|ha]] | |s|High-Availability clustering|
|ipseckey | |s|Provides authentication via IPSECKEY RRs protected by DNSSEC (since version:5.0.3)|
|[[kernel-libipsec]] | |e|IPsec "kernel" interface in user-space using libipsec (since version:5.1.0)|
|kernel-netlink |x|s|IPsec/Networking kernel interface using Linux Netlink|
|[[kernel-iph]] | |e|Networking backend for the Windows platform, based on IPHelper APIs (since version:5.2.0)|
|kernel-pfkey | |e|IPsec kernel interface using PF_KEY|
|kernel-pfroute | |e|Networking kernel interface using PF_ROUTE|
|[[kernel-wfp]] | |e|IPsec backend for the Windows platform, using the Windows Filtering Platform (since version:5.2.0)|
|led | |s|Lets LEDs of the Linux LED subsystem blink on IKE activity|
|[[Lookip|lookip]] | |s|Virtual IP lookup facility using a UNIX socket (since version:5.0.2)|
|[[LoadTests|load-tester]] | |s|Perform IKE load tests against self or a gateway|
|maemo | |e|Maemo 5 configuration/control backend, works with the Maemo strongSwan applet|
|medcli | |d|Web interface based mediation client interface|
|medsrv | |d|Web interface based mediation server interface|
|osx-attr | |e|Mac OS X SystemConfiguration attribute handler (since version:5.1.0)|
|p-cscf | |s|Plugin that requests P-CSCF server addresses from an ePDG via IKEv2 (since version:5.4.0)|
|[[RadAttrPlugin|radattr]] | |s|Plugin to inject and process custom RADIUS attributes as IKEv2 client|
|[[ResolvePlugin|resolve]] |x|s|Writes name servers received via IKE to a resolv.conf file or installs them via resolvconf(8)|
|[[SMP|smp]] | |d|XML based strongSwan Management Protocol|
|socket-default |x|s|Default socket implementation for IKE messages, enabled if pluto is disabled|
|socket-dynamic | |e|Dynamic binding socket implementation, capable of sending IKE messages on any port|
|[[socket-win]] | |s|Socket implementation for IKE messages on Windows, based on Winsock2 APIs (since version:5.2.0)|
|[[SQL|sql]] | |s|SQL configuration backend reading configurations/credentials from a database|
|stroke |x|s|Deprecated stroke configuration/control backend, to use with the ipsec script and starter|
|[[IfMap|tnc-ifmap]] | |s|Trusted Network Connect IF-MAP 2.0 client|
|[[TrustedNetworkConnect|tnc-pdp]] | |s|Trusted Network Connect Policy Decision Point with RADIUS server interface|
|[[SystimeFixPlugin|systime-fix]] | |s|Handle invalid system time when checking certificates (since version:5.0.3)|
|uci | |d|OpenWRT UCI configuration backend|
|unit-tests | |d|Unit tests to run during daemon startup|
|[[UnityPlugin|unity]] | |s|Cisco Unity extensions for IKEv1 (since version:5.0.1)|
|[[updown]] |x|s|Shell script invocation during tunnel up/down events|
|[[Vici|vici]] |x|s|Versatile IKE Configuration Interface (since version:5.2.0, enabled by default since version:5.4.0)|
|[[Whitelist|whitelist]] | |s|Check authenticated identities against a whitelist|
|[[XAuthEAP|xauth-eap]] | |s|XAuth backend that uses EAP methods to verify passwords (since version:5.0.0)|
|xauth-generic |x|s|Generic XAuth backend that provides passwords from [[XauthSecret|ipsec.secrets]] and other credential sets (since version:5.0.0)|
|[[XauthNoauth|xauth-noauth]] | |s|XAuth backend that does not do any authentication (since version:5.0.3)|
|[[XAuthPAM|xauth-pam]] | |s|XAuth backend that uses PAM modules to verify passwords (since version:5.0.1)|
|\4(level1).*libtnccs plugins*|
|[[TrustedNetworkConnect|tnccs-11]] | |s|Trusted Network Connect protocol version 1.1|
|[[TrustedNetworkConnect|tnccs-20]] | |s|Trusted Network Connect protocol version 2.0|
|[[TrustedNetworkConnect|tnccs-dynamic]] | |s|Trusted Network Connect dynamic protocol discovery|
|[[TrustedNetworkConnect|tnc-imc]] | |s|Trusted Network Connect Integrity Measurement Collectors|
|[[TrustedNetworkConnect|tnc-imv]] | |s|Trusted Network Connect Integrity Measurement Validators|
|\4(level1).*libtpmtss plugins*|
|[[TpmPlugin|tpm]] | |s|Access persistent RSA and ECDSA private keys bound to a Trusted Platform Module 2.0 (since version:5.5.2)|

h2. Removed plugins

|*Plugin Name* |*E*|*S*|*Description*|
|\4(level1).*pluto plugins*|
|xauth |x|s|XAUTH authentication (removed with version:5.0.0)|
|\4(level1).*libhydra plugins*|
|\4(level2).All plugins were moved to _libcharon_ with version:5.4.0 (_attr_, _attr-sql_ and _resolve_ already with version:5.3.0)|
|kernel-klips | |e|IPsec kernel interface to an older KLIPS version (removed with version:5.2.0)|
|\4(level1).*libcharon plugins*|
|android | |s|[[Android]] configuration/control backend, worked with the [[AndroidFrontend|Android VPN applet patch]]. It was removed with version:5.0.3. The DNS handler was moved to a separate plugin.|
|[[NetworkManager|nm]] | |s|NetworkManager configuration/control backend, works with the NetworkManager strongSwan applet. Contained in a separate executable since version:5.0.0|
|socket-raw |x|s|RAW socket allowing charon to run in parallel with pluto, enabled if pluto is enabled (removed with version:5.0.1)|