Version 129/184
Tobias Brunner, 18.07.2014 10:32
etoken howto was removed
strongSwan User Documentation
Introduction to strongSwan
Features
- Virtual IP via mode-config (IKEv1) or configuration payload (IKEv2)
- NAT Traversal
- MOBIKE
- Public Key Benchmark using various crypto libraries (gmp, gcrypt, openssl)
- Crypto tests provide a way to self-test the crypto implementations in use
- Integrity tests make sure that the daemons use the plugins and libraries they were built against
- Plugin list gives an overview of all optionally loadable strongSwan plugins
Configuration Files
General Options
- strongswan.conf file
- strongswan.d directory
Used by starter and the stroke plugin
- ipsec.conf file
- ipsec.secrets file
- ipsec.d directory
Used by swanctl
- swanctl.conf file
- swanctl directory
Configuration HOWTOs
- NetworkManager client setup
- Authenticate road warriors using EAP-GTC and a PAM service
- Use a RADIUS AAA server to authenticate clients with EAP
- EAP-TLS certificate authentication
- Configure a failsafe strongSwan High Availability cluster
- Setting up a simple CA using the strongSwan PKI tool
- CA management made easy using GUIs
- Hash-and-URL HOWTO
- SQLite HOWTO
- Logger configuration HOWTO
- Job priority management HOWTO
- IKE_SA lookup tuning HOWTO
- Mobile IPv6 HOWTO
- Smartcard HOWTO
- Trusted Network Connect (TNC) HOWTO
- Android BYOD Security based on TNC
- TNC IF-MAP HOWTO
- strongTNC Policy Manager HOWTO
- Linux Integrity Measurement Architecture (IMA)
- Setting up a VPN into the Amazon Public Cloud's VPC
Configuration Examples
Modern vici-based Scenarios
These scenarios use the modern Versatile IKE Control Interface (VICI) as implemented by the vici plugin and the swanctl command line tool.
- IKEv2 examples
- IKEv1 examples
- IPv6 examples
- Advanced Cipher Suite examples
- Integrity and Crypto Test examples
- IKEv2 High Availability examples
- IKEv2 Mediation Extension mediation service examples
- IKEv2 Hash-and-URL example
- SQLite database backend examples
Legacy stroke-based Scenarios
These scenarios use the deprecated stroke interface as implemented by the stroke plugin and the ipsec command line tool.
Dozens of both simple and advanced VPN scenarios are available. Please make sure to read the ConfigurationExamplesNotes.
Portability
- strongSwan on Android
- strongSwan on FreeBSD
- strongSwan on Mac OS X
- strongSwan on Windows
- strongSwan on OpenWrt
- strongSwan on Maemo (Nokia N900)
Interoperability
- Windows 7 with IKEv2
- Windows Vista with IKEv1
- Windows Suite B Support with IKEv1
- Apple iOS (iPhone, iPad) and Mac OS X with IKEv1
- BlackBerry OS with IKEv1 or IKEv2
- strongSwan 4.x (pluto) - 5.x (charon) with IKEv1
Management Commands
- The powerful ipsec command starts, stops and monitors IPsec connections.
- The alternative swanctl tool provides a new and portable configuration interface.
Auxiliary Tools
- charon-cmd is a simple command line IKE client
- ipsec attest manages measurement reference values used for TPM-based remote attestation
- ipsec leases shows the assignment of virtual IP addresses stored in volatile memory
- ipsec pki generates and analyzes RSA/ECDSA private keys and X.509 certificates
- ipsec pool manages virtual IP address pools and attributes stored in an SQL database and provided by the attr-sql plugin
- ipsec scepclient implements the Simple Certificate Enrollment Protocol (SCEP)
- ipsec starter starts, stops, and configures the IKE daemons
- ipsec stroke controls the IKE charon daemon
- ipsec conftest is a tool to test IKEv2 implementations