strongSwan User Documentation

Frequently Asked Questions

Important articles


Configuration Files

General Options

Used by swanctl and the vici plugin

Used by starter and the stroke plugin

IKE and ESP Cipher Suites



Configuration Examples

Dozens of both simple and advanced VPN scenarios (please make sure to read ConfigurationExamplesNotes):

strongSwan 5.x

strongSwan 4.x



Management Commands

  • The powerful ipsec command starts, stops and monitors IPsec connections.
  • The alternative swanctl tool provides a new and portable configuration interface.

Auxiliary Tools

  • charon-cmd a simple command line IKE client
  • pki generates and analyzes RSA/ECDSA private keys and X.509 certificates
  • ipsec attest manages measurement reference values used for TPM-based remote attestation
  • ipsec leases shows the assignment of virtual IP adresses stored in volatile memory
  • ipsec pool manages virtual IP address pools and attributes stored in an SQL database and provided by the attr-sql plugin
  • ipsec scepclient implements the Simple Certificate Enrollment Protocol (SCEP)
  • ipsec starter starts, stops, and configures the IKE daemons
  • ipsec stroke controls the IKE charon daemon
  • ipsec conftest is a tool to test IKEv2 implementations
  • pt-tls-client using PT-TLS to collect integrity measurement information
  • sw-collector Extracts software installation events from dpkg history log