strongSwan plugins » History » Version 83

« Previous - Version 83/84 (diff) - Next » - Current version
Tobias Brunner, 12.12.2019 13:48
drbg plugin added

strongSwan plugins

The strongSwan distribution ships with an ever growing list of plugins. This allows us to add extended and specialized features, but keep the core as small as possible.

Many components of strongSwan come with a set of plugins. The plugins for libstrongswan provide cryptographic backends, URI fetchers and database layers. The plugins of libhydra are usable by the IKE daemon charon (in earlier releases also by the IKEv1 daemon pluto) and starter. libcharon comes with a large set of very specialized plugins for specific needs.

Plugins for current releases

Plugin Name E S Description
E = Enabled by default (plugins can be enabled/disabled using their respective ./configure options)
S = Plugin status: s = stable, e = experimental, d = under development/incomplete
libstrongswan plugins
acert s Support of X.509 attribute certificates (since 5.1.3)
aes x s AES-128/192/256 cipher software implementation
aesni s Intel AES-NI crypto plugin (since 5.3.1)
af-alg s AF_ALG Linux crypto API interface, provides ciphers/hashers/hmac/xcbc
agent s RSA/ECDSA private key backend connecting to SSH-Agent
bliss s Bimodal Lattice Signature Scheme (BLISS) post-quantum computer signature scheme (since 5.2.2)
blowfish s Blowfish cipher software implementation
botan s Crypto backend based on Botan, provides RSA/ECDSA/DH/ECDH/X25519/ciphers/hashers/HMAC/RNG (since 5.7.0)
ccm s CCM cipher mode wrapper
chapoly s ChaCha20/Poly1305 AEAD implementation (since 5.3.3) and ChaCha20 XOF (since 5.5.1)
cmac x s CMAC cipher mode wrapper
constraints x s X.509 certificate advanced constraint checking
ctr s CTR cipher mode wrapper
curl s libcurl based HTTP/FTP fetcher
curve25519 x s X25519 DH group and Ed25519 public key authentication (since 5.5.2)
des x s DES/3DES cipher software implementation
dnskey x s Parse RFC 4034 public keys
drbg x s NIST Deterministic Random Bit Generator plugin based on AES-CTR and SHA2-HMAC modes. Required by the gmp and ntru plugins (since 5.8.2)
files s Fetcher for local file:// URIs (since 5.3.0)
fips-prf x s PRF specified by FIPS, used by EAP-SIM/AKA algorithms
gcm s GCM cipher mode wrapper
gcrypt s Crypto backend based on libgcrypt, provides RSA/DH/ciphers/hashers/rng
gmp x s RSA/DH crypto backend based on libgmp
hmac x s HMAC wrapper using various hashers
keychain e Mac OS X Keychain Services credential set (since 5.1.0)
ldap s LDAP fetching plugin based on libldap
md4 s MD4 hasher software implementation
md5 x s MD5 hasher software implementation
mgf1 s MGF1 mask generation function (since 5.5.1)
mysql s MySQL database backend based on libmysqlclient
newhope s Key exchange based on post-quantum computer New Hope algorithm (since 5.5.1)
nonce x s Default nonce generation plugin (since 5.0.0)
ntru s Key exchange based on post-quantum computer NTRU encryption (since 5.1.2)
openssl s Crypto backend based on OpenSSL, provides RSA/ECDSA/DH/ECDH/ciphers/hashers/HMAC/X.509/CRL/RNG
padlock e VIA padlock crypto backend, provides AES128/SHA1
pem x s PEM encoding/decoding routines
pgp x s PGP encoding/decoding routines
pkcs1 x s PKCS#1 encoding/decoding routines
pkcs7 x s PKCS#7 encoding/decoding routines
pkcs8 x s PKCS#8 decoding routines
pkcs11 s PKCS#11 smartcard backend
pkcs12 x s PKCS#12 decoding routines (since 5.1.0)
pubkey x s Wrapper to handle raw public keys as trusted certificates
random x s RNG reading from /dev/[u]random
rc2 x s RC2 cipher software implementation (since 5.1.0)
rdrand e High quality / high performance random source using the Intel rdrand instruction found on Ivy Bridge processors (since 5.0.2)
revocation x s X.509 CRL/OCSP revocation checking
sha1 x s SHA1 hasher software implementation
sha2 x s SHA2_224/SHA2_256/SHA2_384/SHA2_512 hasher software implementation
sha3 s SHA3_224/SHA3_256/SHA3_384/SHA3_512 hasher software implementation (since 5.3.4) and SHAKE128/SHAKE256 XOF (since 5.5.1)
soup s libsoup based HTTP fetcher
sqlite s SQLite database backend based on libsqlite3
sshkey x s SSH key decoding routines (since 5.1.0)
test-vectors s Set of test vectors for various algorithms
unbound s DNSSEC enabled resolver using libunbound (since 5.0.3)
winhttp s WinHTTP based HTTP/HTTPS fetcher for Windows platform (since 5.2.0)
wolfssl s Crypto backend based on wolfSSL, provides RSA/ECDSA/DH/ECDH/X25519/Ed25519/ciphers/hashers/HMAC/RNG (since 5.8.0)
x509 x s Advanced X.509 plugin for parsing/generating X.509 certificates/CRLs and OCSP messages
xcbc x s XCBC wrapper using various ciphers
libcharon plugins
addrblock s Narrow traffic selectors to RFC 3779 address blocks in X.509 certificates
android-dns s Android-specific DNS handler plugin (since 5.0.3)
android-log s Android-specific logger plugin
attr x s Provides IKE attributes configured in strongswan.conf
attr-sql s Provides IKE attributes read from a database to peers
bypass-lan e Automatically installs and updates bypass policies for locally attached subnets (since 5.5.2)
certexpire s Export expiration dates of used certificates
counters s Provides IKE performance counters (queryable via swanctl/vici or ipsec/stroke, since 5.6.1)
coupling s Permanent peer certificate coupling
dhcp s Request virtual IP address from a DHCP server
connmark e Plugin using Netfilter conntrack marks to handle multiple transport mode clients (for L2TP, since 5.3.0)
dnscert s Provides authentication via CERT RRs protected by DNSSEC (since 5.1.1)
duplicheck s Advanced duplicate checking with liveness test and notifications
eap-aka s Generic EAP-AKA protocol handler using different backends
eap-aka-3gpp s EAP-AKA backend implementing 3GPP MILENAGE algorithms in software (since 5.6.0)
eap-aka-3gpp2 s EAP-AKA backend implementing 3GPP2 algorithms in software
eap-dynamic s EAP proxy plugin that dynamically selects an EAP method requested/supported by the client (since 5.0.1)
eap-gtc s EAP-GTC protocol handler authenticating with XAuth backends
eap-identity s EAP-Identity identity exchange algorithm, to use with other EAP protocols
eap-md5 s EAP-MD5 protocol handler using passwords
eap-mschapv2 s EAP-MSCHAPv2 protocol handler using passwords/NT hashes
eap-peap s EAP-PEAP protocol handler, wraps other EAP methods securely
eap-radius s EAP server proxy plugin forwarding EAP conversations to a RADIUS server
eap-sim s Generic EAP-SIM protocol handler using different backends
eap-sim-file s EAP-SIM backend reading triplets from a file
eap-sim-pcsc s EAP-SIM backend based on a PC/SC smartcard reader
eap-simaka-pseudonym s EAP-SIM/AKA in-memory pseudonym identity database
eap-simaka-reauth s EAP-SIM/AKA in-memory reauthentication identity database
eap-simaka-sql s EAP-SIM/AKA backend reading triplets/quintuplets from a SQL database
eap-tls s EAP-TLS protocol handler, to authenticate with certificates in EAP
eap-tnc s EAP-TNC protocol handler, Trusted Network Connect in a TLS tunnel
eap-ttls s EAP-TTLS protocol handler, wraps other EAP methods securely
error-notify s Notification about errors via UNIX socket (since 5.0.2)
ext-auth s Invokes an external script for custom authorization rules (since 5.2.1)
farp s Fakes ARP responses for requests to a virtual IP address assigned to a peer
forecast e Multicast and broadcast forwarding plugin (since 5.3.0)
ha s High-Availability clustering
ipseckey s Provides authentication via IPSECKEY RRs protected by DNSSEC (since 5.0.3)
kernel-libipsec e IPsec "kernel" interface in user-space using libipsec (since 5.1.0)
kernel-netlink x s IPsec/Networking kernel interface using Linux Netlink
kernel-iph e Networking backend for the Windows platform, based on IPHelper APIs (since 5.2.0)
kernel-pfkey e IPsec kernel interface using PF_KEY
kernel-pfroute e Networking kernel interface using PF_ROUTE
kernel-wfp e IPsec backend for the Windows platform, using the Windows Filtering Platform (since 5.2.0)
led s Let Linux LED subsystem LEDs blink on IKE activity
lookip s Virtual IP lookup facility using a UNIX socket (since 5.0.2)
load-tester s Perform IKE load tests against self or a gateway
maemo e Maemo 5 configuration/control backend, works with Maemo strongSwan applet
medcli d Web interface based mediation client interface
medsrv d Web interface based mediation server interface
osx-attr e Mac OS X SystemConfiguration attribute handler (since 5.1.0)
p-cscf s Plugin that requests P-CSCF server addresses from an ePDG via IKEv2 (since 5.4.0)
radattr s Plugin to inject and process custom RADIUS attributes as IKEv2 client
resolve x s Writes name servers received via IKE to a resolv.conf file or installs them via resolvconf(8)
save-keys s Development/Debugging plugin that saves IKE and/or ESP keys to files compatible with Wireshark (since 5.6.2)
smp d XML based strongSwan Management Protocol
socket-default x s Default socket implementation for IKE messages, enabled if pluto disabled
socket-dynamic e Dynamic binding socket implementation, capable of sending IKE messages on any port
socket-win s Socket implementation for IKE messages on Windows, based on Winsock2 APIs (since 5.2.0)
sql s SQL configuration backend reading configurations/credentials from a database
stroke x s Deprecated stroke configuration/control backend, to use with ipsec script and starter
tnc-ifmap s Trusted Network Connect IF-MAP 2.0 client
tnc-pdp s Trusted Network Connect Policy Decision Point with RADIUS server interface
systime-fix s Handle invalid system time when checking certificates (since 5.0.3)
uci d OpenWRT UCI configuration backend
unit-tests d Unit tests to run during daemon startup
unity s Cisco Unity extensions for IKEv1 (since 5.0.1)
updown x s Shell script invocation during tunnel up/down events
vici x s Versatile IKE Configuration Interface (since 5.2.0, enabled since 5.4.0)
whitelist s Check authenticated identities against a whitelist
xauth-eap s XAuth backend that uses EAP methods to verify passwords (since 5.0.0)
xauth-generic x s Generic XAuth backend that provides passwords from ipsec.secrets and other credential sets (since 5.0.0)
xauth-noauth s XAuth backend that does not do any authentication (since 5.0.3)
xauth-pam s XAuth backend that uses PAM modules to verify passwords (since 5.0.1)
libtnccs plugins
tnccs-11 s Trusted Network Connect protocol version 1.1
tnccs-20 s Trusted Network Connect protocol version 2.0
tnccs-dynamic s Trusted Network Connect Dynamic protocol discovery
tnc-imc s Trusted Network Connect Integrity Measurement Collectors
tnc-imv s Trusted Network Connect Integrity Measurement Validators
libtpmtss plugins
tpm s Access persistent RSA and ECDSA private keys bound to Trusted Platform Module 2.0 (since 5.5.2)

Removed plugins

Plugin Name E S Description
pluto plugins
xauth x s XAUTH authentication (removed with 5.0.0)
libhydra plugins
All plugins were moved to libcharon with 5.4.0 (attr, attr-sql and resolve already with 5.3.0)
kernel-klips e IPsec kernel interface to an older KLIPS version (removed with 5.2.0)
libcharon plugins
android s Android configuration/control backend, worked with the Android VPN applet patch. It was removed with 5.0.3. The DNS handler was moved to a separate plugin.
nm s NetworkManager configuration/control backend, works with NetworkManager strongSwan applet. Contained in a separate executable since 5.0.0
socket-raw x s RAW socket allowing charon to run parallel with pluto, enabled if pluto enabled (removed with 5.0.1)