strongSwan User Documentation¶

• Table of contents
• strongSwan User Documentation
  • If you need help or have questions, check these articles first
  • Important articles
  • Features
  • Configuration Examples
    • Modern vici-based Scenarios
    • Legacy stroke-based Scenarios
  • Configuration Files
    • General Options
    • Used by swanctl and the preferred vici plugin
    • Used by starter and the deprecated stroke plugin
    • IKE and ESP Cipher Suites
  • Benchmarks
  • Platform Security
  • HOWTOs
  • Portability
  • Interoperability
  • Management Commands
  • Auxiliary Tools

If you need help or have questions, check these articles first¶

• A list of Frequently Asked Questions is maintained here
• Before you ask for help, read this article
• Commercial Support
• Known Issues caused by third party software

Important articles¶

• Introduction to strongSwan
  • Forwarding and Split-Tunneling
• Taking traffic dumps correctly
• Security Recommendations
• Setting up a simple CA using the strongSwan PKI tool
• strongSwan on cloud platforms
• Third Party provided tools for strongSwan

Features¶

• Virtual IP via mode-config (IKEv1) or configuration payload (IKEv2)
• NAT Traversal
• MOBIKE
• Crypto tests provide a way to self-test used crypto implementations
• Integrity tests make sure that the daemons use plugins and libraries they were built against
• Plugin list gives an overview about all optionally loadable strongSwan plugins

Configuration Examples¶

Modern vici-based Scenarios¶

These scenarios use the modern Versatile IKE Control Interface (VICI) as implemented by vici plugin and the swanctl command line tool.

• IKEv2 examples
• IPv6 examples
• Integrity and Crypto Test examples
• IKEv2 High Availability examples
• IKEv2 Mediation Extension mediation service examples
• IKEv2 Hash-and-URL example
• SQLite database backend examples

Legacy stroke-based Scenarios¶

These scenarios use the deprecated stroke interface as implemented by the stroke plugin and the ipsec command line tool.

• IKEv2 examples
• IKEv1 examples
• IPv6 examples
• Advanced Cipher Suite examples

Dozens of both simple and advanced VPN scenarios are available. Please make sure to read the ConfigurationExamplesNotes.

• Complete list of scenarios
• Directly usable example configurations for common scenarios

Configuration Files¶

General Options¶

• strongswan.conf file
• strongswan.d directory

Used by swanctl and the preferred vici plugin¶

• swanctl.conf file
• swanctl directory

• Migrating from ipsec.conf to swanctl.conf

Used by starter and the deprecated stroke plugin¶

• ipsec.conf file
• ipsec.secrets file
• ipsec.d directory

IKE and ESP Cipher Suites¶

• IKEv1 Cipher Suites
• IKEv2 Cipher Suites

Benchmarks¶

• Public Key Benchmark using various crypto libraries (gmp, gcrypt, openssl)
• Raspberry Pi 2 ESP Benchmark

Platform Security¶

• Smartcard HOWTO
• Using TPM 2.0 Keys with strongSwan (Updated 2021)
• Trusted Network Connect (TNC) HOWTO
• strongTNC Policy Manager HOWTO
• Linux Integrity Measurement Architecture (IMA)
• Android BYOD Security based on TNC
• TNC IF-MAP HOWTO

HOWTOs¶

• Configuring rekeying and reauthentication
• Parallel IPsec processing using pcrypt
• Information about route based VPNs (Virtual Tunnel Interfaces (VTIs))
• NetworkManager client setup
• Authenticate road warriors using EAP-GTC and a PAM service
• Use a RADIUS AAA server to authenticate clients with EAP
• EAP-TLS certificate authentication
• Configure a failsafe strongSwan High Availability cluster
• Setting-up a simple CA using the strongSwan PKI tool
• CA management made easy using GUIs
• Post-Quantum Bimodal Lattice Signature Scheme (BLISS) HOWTO
• Hash-and-URL HOWTO
• SQLite HOWTO
• Logger configuration HOWTO
• Job priority management HOWTO
• IKE_SA lookup tuning HOWTO
• Mobile IPv6 HOWTO
• Setting up a VPN into the Amazon Public Cloud's VPC
• Running strongSwan in Network Namespaces on Linux

Portability¶

• strongSwan on Android
• strongSwan on FreeBSD
• strongSwan on Mac OS X
• strongSwan on Windows
• strongSwan on OpenWrt
• strongSwan on Maemo (Nokia N900)

Interoperability¶

• Windows 7 and newer with IKEv2
• Windows Suite B Support with IKEv1
• Apple iOS (iPhone, iPad) and Mac OS X with IKEv1/IKEv2
• strongSwan 4.x (pluto) - 5.x (charon) with IKEv1
• Blackberry OS 10 with IKEv2
• CISCO brand devices
• Fortinet brand devices
• Check Point brand devices
• AVM FRITZ (FRITZ!Box, ...) brand devices

Management Commands¶

• The powerful swanctl command starts, stops and monitors IPsec connections.
• The legacy ipsec command is deprecated but currently still supported.

Auxiliary Tools¶

• charon-cmd a simple command line IKE client
• pki generates and analyzes RSA/ECDSA private keys and X.509 certificates

• ipsec attest manages measurement reference values used for TPM-based remote attestation
• ipsec leases shows the assignment of virtual IP adresses stored in volatile memory
• ipsec pool manages virtual IP address pools and attributes stored in an SQL database and provided by the attr-sql plugin
• ipsec scepclient implements the Simple Certificate Enrollment Protocol (SCEP)
• ipsec starter starts, stops, and configures the IKE daemons
• ipsec stroke controls the IKE charon daemon
• ipsec conftest is a tool to test IKEv2 implementations

• pt-tls-client using PT-TLS to collect integrity measurement information
• sw-collector Extracts software installation events from dpkg history log
• sec-updater Extracts security update information of Linux distributions