strongSwan User Documentation¶

• Table of contents
• strongSwan User Documentation
  • Features
  • Configuration Files
  • Configuration HOWTOs
  • Configuration Examples - strongSwan 4.x
  • Configuration Examples - strongSwan 5.x
  • Portability
  • Interoperability
  • Management Commands
  • Auxiliary Tools
  • Linux 2.6 IPsec
  • Frequently Asked Questions

Features¶

• Virtual IP via mode-config (IKEv1) or configuration payload (IKEv2)
• NAT Traversal
• MOBIKE
• Public Key Benchmark using various crypto libraries (gmp, gcrypt, openssl)
• Crypto tests provide a way to self-test used crypto implementations
• Integrity tests make sure that the daemons use plugins and libraries they were built against
• Plugin list gives an overview about all optionally loadable strongSwan plugins

Configuration Files¶

• ipsec.conf file
• ipsec.secrets file
• ipsec.d directory
• strongswan.conf file

Configuration HOWTOs¶

• NetworkManager client setup
• Authenticate road warriors using EAP-GTC and a PAM service
• Use a RADIUS AAA server to authenticate clients with EAP
• EAP-TLS certificate authentication
• Configure a failsafe strongSwan High Availability cluster
• Setting-up a simple CA using the strongSwan PKI tool
• CA management made easy using GUIs
• Hash-and-URL HOWTO
• SQLite HOWTO
• Logger configuration HOWTO
• Job priority management HOWTO
• IKE_SA lookup tuning HOWTO
• Mobile IPv6 HOWTO
• Smartcard HOWTO
• Aladdin eToken HOWTO
• Trusted Network Connect (TNC) HOWTO
• TNC IF-MAP HOWTO
• Setting up a VPN into the Amazon Public Cloud's VPC
• VPN Remote Access at HSR: Linux via Command Line

Configuration Examples - strongSwan 4.x¶

Dozens of both simple and advanced VPN scenarios:

• IKEv1 examples
• IKEv2 examples
• IPv6 examples
• Advanced Cipher Suite examples
• Integrity and Crypto Test examples
• IKEv2 High Availability example
• IKEv2 Hash-and-URL example
• IKEv2 Mediation Extension mediation service examples
• SQLite database backend examples

Configuration Examples - strongSwan 5.x¶

• IKEv1 examples
• IKEv2 examples
• IPv6 examples

Portability¶

• strongSwan on Maemo (Nokia N900) - NEW
• strongSwan on FreeBSD (IKEv2 only)
• strongSwan on Mac OS X (IKEv2 only)
• strongSwan on Android (IKEv2 only)
• strongSwan on OpenWrt

Interoperability¶

• Windows 7 with IKEv2
• Windows Vista with IKEv1
• Windows Suite B Support with IKEv1
• Apple iOS (iPhone, iPad) with IKEv1
• strongSwan Charon-Pluto with IKEv1

Management Commands¶

• The powerful ipsec command starts, stops and monitors IPsec connections.

Auxiliary Tools¶

• ipsec attest manages measurement reference values used for TPM-based remote attestation
• ipsec leases shows the assignment of virtual IP adresses stored in volatile memory
• ipsec openac generates X.509 attribute certificates
• ipsec pki generates and analyzes RSA/ECDSA private keys and X.509 certificates
• ipsec pool manages virtual IP address pools and attributes stored in an SQL database and provided by the attr-sql plugin
• ipsec scepclient implements the Simple Certificate Enrollment Protocol (SCEP)
• ipsec starter starts, stops, and configures the IKE daemons
• ipsec stroke controls the IKEv2 charon daemon
• ipsec whack controls the IKEv1 pluto daemon

Linux 2.6 IPsec¶

• Firewalling mit Linux 2.6 IPsec
• Linux netfilter IPsec policy matching

Frequently Asked Questions¶

• A FAQ is maintained here.