strongSwan User Documentation » History » Version 162
Andreas Steffen, 29.08.2017 13:16
strongSwan User Documentation
Frequently Asked Questions
- A list of Frequently Asked Questions is maintained here.
Important articles
- Introduction to strongSwan
- Taking traffic dumps correctly
- Security Recommendations
- Setting-up a simple CA using the strongSwan PKI tool
- Before you ask for help, read this article
- strongSwan on cloud platforms
- Usable configuration examples for roadwarrior, site-to-site and host-to-host transport mode scenarios
Features
- Virtual IP via mode-config (IKEv1) or configuration payload (IKEv2)
- NAT Traversal
- MOBIKE
- Crypto tests provide a way to self-test the crypto implementations in use
- Integrity tests make sure that the daemons use plugins and libraries they were built against
- Plugin list gives an overview of all optionally loadable strongSwan plugins
Configuration Files
General Options
- strongswan.conf file
- strongswan.d directory
Used by swanctl and the preferred vici plugin
- swanctl.conf file
- swanctl directory
Used by starter and the deprecated stroke plugin
- ipsec.conf file
- ipsec.secrets file
- ipsec.d directory
IKE and ESP Cipher Suites
Benchmarks
- Public Key Benchmark using various crypto libraries (gmp, gcrypt, openssl)
- Raspberry Pi 2 ESP Benchmark
HOWTOs
- Configuring rekeying and reauthentication
- Parallel IPsec processing using pcrypt
- Information about route-based VPNs (Virtual Tunnel Interfaces (VTIs))
- NetworkManager client setup
- Authenticate road warriors using EAP-GTC and a PAM service
- Use a RADIUS AAA server to authenticate clients with EAP
- EAP-TLS certificate authentication
- Configure a failsafe strongSwan High Availability cluster
- Setting-up a simple CA using the strongSwan PKI tool
- CA management made easy using GUIs
- Post-Quantum Bimodal Lattice Signature Scheme (BLISS) HOWTO
- Hash-and-URL HOWTO
- SQLite HOWTO
- Logger configuration HOWTO
- Job priority management HOWTO
- IKE_SA lookup tuning HOWTO
- Mobile IPv6 HOWTO
- Smartcard HOWTO
- Using TPM 2.0 keys with the strongSwan PKI tool and IKE daemon
- Trusted Network Connect (TNC) HOWTO
- Android BYOD Security based on TNC
- TNC IF-MAP HOWTO
- strongTNC Policy Manager HOWTO
- Linux Integrity Measurement Architecture (IMA)
- Setting up a VPN into the Amazon Public Cloud's VPC
- Running strongSwan in Network Namespaces on Linux
Configuration Examples
Dozens of both simple and advanced VPN scenarios are available. Please make sure to read the ConfigurationExamplesNotes.
Modern vici-based Scenarios
These scenarios use the modern Versatile IKE Control Interface (VICI) as implemented by the vici plugin and the swanctl command line tool.
- IKEv2 examples
- IPv6 examples
- Integrity and Crypto Test examples
- IKEv2 Hash-and-URL example
- SQLite database backend examples
Legacy stroke-based Scenarios
These scenarios use the deprecated stroke interface as implemented by the stroke plugin and the ipsec command line tool.
- IKEv2 examples
- IKEv1 examples
- IPv6 examples
- Advanced Cipher Suite examples
- IKEv2 High Availability examples
- IKEv2 Mediation Extension mediation service examples
Portability
- strongSwan on Android
- strongSwan on FreeBSD
- strongSwan on Mac OS X
- strongSwan on Windows
- strongSwan on OpenWrt
- strongSwan on Maemo (Nokia N900)
Interoperability
- Windows 7 and newer with IKEv2
- Windows Vista with IKEv1
- Windows Suite B Support with IKEv1
- Apple iOS (iPhone, iPad) and Mac OS X with IKEv1/IKEv2
- strongSwan 4.x (pluto) - 5.x (charon) with IKEv1
- Blackberry OS 10 with IKEv2
Management Commands
- The powerful ipsec command starts, stops and monitors IPsec connections.
- The alternative swanctl tool provides a new and portable configuration interface.
Auxiliary Tools
- charon-cmd a simple command line IKE client
- pki generates and analyzes RSA/ECDSA private keys and X.509 certificates
- ipsec attest manages measurement reference values used for TPM-based remote attestation
- ipsec leases shows the assignment of virtual IP addresses stored in volatile memory
- ipsec pool manages virtual IP address pools and attributes stored in an SQL database and provided by the attr-sql plugin
- ipsec scepclient implements the Simple Certificate Enrollment Protocol (SCEP)
- ipsec starter starts, stops, and configures the IKE daemons
- ipsec stroke controls the IKE charon daemon
- ipsec conftest is a tool to test IKEv2 implementations
- pt-tls-client uses PT-TLS to collect integrity measurement information
- sw-collector extracts software installation events from the dpkg history log
- sec-updater extracts security update information for Linux distributions