Project

General

Profile

strongSwan User Documentation

Frequently Asked Questions

Important articles

Features

Configuration Files

General Options

Used by swanctl and the preferred vici plugin

Used by starter and the deprecated stroke plugin

IKE and ESP Cipher Suites

Benchmarks

HOWTOs

Configuration Examples

Dozens of both simple and advanced VPN scenarios are available. Please make sure to read the ConfigurationExamplesNotes.

Modern vici-based Scenarios

These scenarios use the modern Versatile IKE Control Interface (VICI) as implemented by vici plugin and the swanctl command line tool.

Legacy stroke-based Scenarios

These scenarios use the deprecated stroke interface as implemented by the stroke plugin and the ipsec command line tool.

Portability

Interoperability

Management Commands

  • The powerful swanctl command starts, stops and monitors IPsec connections.
  • The legacy ipsec command is deprecated but currently still supported.

Auxiliary Tools

  • charon-cmd a simple command line IKE client
  • pki generates and analyzes RSA/ECDSA private keys and X.509 certificates
  • ipsec attest manages measurement reference values used for TPM-based remote attestation
  • ipsec leases shows the assignment of virtual IP adresses stored in volatile memory
  • ipsec pool manages virtual IP address pools and attributes stored in an SQL database and provided by the attr-sql plugin
  • ipsec scepclient implements the Simple Certificate Enrollment Protocol (SCEP)
  • ipsec starter starts, stops, and configures the IKE daemons
  • ipsec stroke controls the IKE charon daemon
  • ipsec conftest is a tool to test IKEv2 implementations
  • pt-tls-client using PT-TLS to collect integrity measurement information
  • sw-collector Extracts software installation events from dpkg history log
  • sec-updater Extracts security update information of Linux distributions