Plugin Load Options

Many components of strongSwan have a modular design, features can be added or removed using a growing list of plugins. This allows us to keep the footprint small while adding new functionality.

Currently Loaded Plugins

The list of loaded plugins is logged by the IKE daemon and can also be seen in the output of swanctl --stats or ipsec statusall. Other tools often list the plugins they load in the output of --help (e.g. pki or swanctl itself).

Compile Time Plugin Configuration

The recommended way to enable or disable plugins is during compile time. The ./configure script has many --enable/--disable options to enable or disable specific plugins. The daemon and other tools automatically load the plugins enabled/disabled during ./configure; there is no need to manually specify the plugins to use during runtime.

Using this compile-time generated plugin has some advantages, including:
  • Proper load order of all plugin (since 5.1.0 this it not so important anymore, the order simply indicates the preference if two plugins provide the same feature)
  • Gets updated automatically with new strongSwan releases: This is very important, as we might move core functionality you rely on to plugins.

Runtime Plugin Configuration

The plugins to load can be specified in strongswan.conf. There are two options to do so.

Modular Configuration

Since 5.1.2 the charon.load_modular option enables the dynamic construction of the list of plugins to load.

If the option is enabled, the plugin loader uses the individual load setting for each plugin (charon.plugins.<plugin>.load)
to decide whether to load it or not. Besides simply enabling/disabling plugins the load setting accepts a numeric priority
value, which the plugin loader uses to decide in which order plugins are loaded. Plugins with the same priority are loaded
according to the default load order, unknown plugins with the same priority are loaded first and in alphabetical order.
The default priority is 1, and can also be negative to simplify moving a plugin to the end of the list.

The load_modular option can also be enabled for other components, but only for charon are the default configuration snippets
installed in strongswan.d/charon and included in the default strongswan.conf file (see source:conf/strongswan.conf).
But the default snippets are also installed in the $prefix/share/strongswan/templates directory for reference.

Since 5.5.0 charon.plugins.<plugin>.load may also be used to modify the default plugin list (i.e. if charon.load_modular
is disabled). Disabling the load setting of a plugin will disable that plugin and, as described above, configuring a numeric
priority allows reordering the plugin. However, unlike with charon.load_modular enabled plugins for which load is unspecified
are loaded by default but unknown plugins are not, even if their load setting is enabled (i.e. only with charon.load_modular
enabled is the plugin list constructed completely dynamically based on only the explicitly enabled plugins).

Static Load List

Most components can read the plugin list from strongswan.conf, for example, the IKE daemon charon reads the charon.load
key to load plugins (only if the charon.load_modular option is disabled, see above).

It is not recommended to specify the plugin list manually, unless you exactly know the implications!

The load directive is helpful for developers or for testing frameworks. While you might get your scenario running
with a manually specified plugin list, it might not work anymore after a strongSwan update. Use the generated plugin list instead.

For example, you'll see such load statements in the strongswan.conf files of the example/test scenarios of our TestingEnvironment.
Refer to ConfigurationExamplesNotes for details.

Disable Warning

If you really need to define a static plugin load directive, you can disable the warning by setting

starter {
    load_warning = no

in strongswan.conf or by providing the --disable-load-warning option during configuration.

Strict Plugins

In the static load directive, you can mark specific plugins as critical: If loading a critical plugin fails, the daemon does not start.
To mark a plugin as critical, append a ! to its name.

Static Plugin Features

Plugin features, which are usually loaded dynamically from a plugin via the plugin_t::get_features callback (source:src/libstrongswan/plugins/plugin.h#L41),
may also be added statically from a (modified) library or executable by using the plugin_loader_t::add_static_feature method (see source:src/libstrongswan/plugins/plugin_loader.h#L38).