strongSwan User Documentation » History » Version 182
Noel Kuntze, 11.04.2021 05:57 (change note: AVM FRITZ (FRITZ!Box, ...) brand devices)
strongSwan User Documentation¶
If you need help or have questions, check these articles first¶
- A list of Frequently Asked Questions is maintained here
- Before you ask for help, read this article
- Commercial Support
- Known Issues caused by third party software
Important articles¶
- Introduction to strongSwan
- Taking traffic dumps correctly
- Security Recommendations
- Setting up a simple CA using the strongSwan PKI tool
- strongSwan on cloud platforms
- Third Party provided tools for strongSwan
Features¶
- Virtual IP via mode-config (IKEv1) or configuration payload (IKEv2)
- NAT Traversal
- MOBIKE
- Crypto tests provide a way to self-test the crypto implementations in use
- Integrity tests make sure that the daemons only use the plugins and libraries they were built against
- Plugin list gives an overview about all optionally loadable strongSwan plugins
Configuration Examples¶
Modern vici-based Scenarios¶
These scenarios use the modern Versatile IKE Control Interface (VICI) as implemented by the vici plugin and the swanctl command line tool.
- IKEv2 examples
- IKEv1 examples
- IPv6 examples
- Advanced Cipher Suite examples
- Integrity and Crypto Test examples
- IKEv2 High Availability examples
- IKEv2 Mediation Extension mediation service examples
- IKEv2 Hash-and-URL example
- SQLite database backend examples
Legacy stroke-based Scenarios¶
These scenarios use the deprecated stroke interface as implemented by the stroke plugin and the ipsec command line tool.
Dozens of both simple and advanced VPN scenarios are available. Please make sure to read the ConfigurationExamplesNotes.
Configuration Files¶
General Options¶
- strongswan.conf file
- strongswan.d directory
Used by swanctl and the preferred vici plugin¶
- swanctl.conf file
- swanctl directory
Used by starter and the deprecated stroke plugin¶
- ipsec.conf file
- ipsec.secrets file
- ipsec.d directory
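The following is an added example, not a configuration from the strongSwan wiki: a minimal IKEv2 site-to-site definition in swanctl.conf syntax, written out by a small POSIX shell script together with the swanctl commands that load it and confirm the tunnel. The addresses, identities, traffic selectors and certificate file name are assumptions chosen for illustration; the script expects the peer and CA certificates in /etc/swanctl/x509/ (and the CA under /etc/swanctl/x509ca/) and the private key in /etc/swanctl/private/, where `swanctl --load-creds` picks them up without a secrets section.

```shell
#!/bin/sh
# Added example (not from the strongSwan project): render a minimal IKEv2
# site-to-site swanctl.conf with an AEAD cipher suite, then load and verify it.
# All addresses, identities and file names below are assumptions.
set -eu

SWANCTL_CONF=${SWANCTL_CONF:-/etc/swanctl/swanctl.conf}

# write_swanctl_conf FILE LOCAL_ADDR REMOTE_ADDR
# Renders the connection definition into FILE.
write_swanctl_conf() {
    conf=$1; local_addr=$2; remote_addr=$3
    cat > "$conf" <<EOF
connections {
    net-net {
        # IKEv2 only; no fallback to IKEv1
        version = 2
        local_addrs  = $local_addr
        remote_addrs = $remote_addr
        # IKE: AES-256-GCM (AEAD, so no separate integrity algorithm),
        # SHA-384 PRF, ECP-384 Diffie-Hellman
        proposals = aes256gcm16-prfsha384-ecp384
        rekey_time = 4h
        local {
            auth = pubkey
            # resolved relative to /etc/swanctl/x509/ (assumed file name)
            certs = moonCert.pem
            id = moon.strongswan.org
        }
        remote {
            auth = pubkey
            # must match a subjectAltName or DN in the peer's certificate
            id = sun.strongswan.org
        }
        children {
            net-net {
                local_ts  = 10.1.0.0/16
                remote_ts = 10.2.0.0/16
                # ESP: AES-256-GCM, ECP-384 for PFS on CHILD_SA rekeying
                esp_proposals = aes256gcm16-ecp384
                rekey_time = 1h
                # install a trap policy: matching traffic triggers negotiation
                start_action = trap
            }
        }
    }
}
EOF
}

# load_and_verify: (re)load credentials and connections, then show state.
load_and_verify() {
    swanctl --load-all                   # creds, pools and connections from swanctl.conf and the swanctl directory
    swanctl --list-conns                 # confirm the connection and proposals were parsed as intended
    swanctl --initiate --child net-net   # bring the CHILD_SA up now rather than waiting for traffic
    swanctl --list-sas                   # expect an ESTABLISHED IKE_SA and an INSTALLED CHILD_SA
}

# Usage: sh swanctl-example.sh render|apply [LOCAL_ADDR] [REMOTE_ADDR]
case ${1:-} in
    render) write_swanctl_conf "$SWANCTL_CONF" "${2:-192.0.2.1}" "${3:-198.51.100.1}" ;;
    apply)  write_swanctl_conf "$SWANCTL_CONF" "${2:-192.0.2.1}" "${3:-198.51.100.1}" && load_and_verify ;;
esac
```

Run with `render` first and inspect the file before `apply`; `swanctl --list-conns` is the cheapest check that the proposals and traffic selectors were accepted as written, and `swanctl --list-sas` shows the algorithms actually negotiated with the peer, which is what to compare against the Security Recommendations article.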
IKE and ESP Cipher Suites¶
Benchmarks¶
- Public Key Benchmark using various crypto libraries (gmp, gcrypt, openssl)
- Raspberry Pi 2 ESP Benchmark
Platform Security¶
- Smartcard HOWTO
- Using TPM 2.0 Keys with strongSwan (Updated 2021)
- Trusted Network Connect (TNC) HOWTO
- strongTNC Policy Manager HOWTO
- Linux Integrity Measurement Architecture (IMA)
- Android BYOD Security based on TNC
- TNC IF-MAP HOWTO
HOWTOs¶
- Configuring rekeying and reauthentication
- Parallel IPsec processing using pcrypt
- Information about route-based VPNs (Virtual Tunnel Interfaces (VTIs))
- NetworkManager client setup
- Authenticate road warriors using EAP-GTC and a PAM service
- Use a RADIUS AAA server to authenticate clients with EAP
- EAP-TLS certificate authentication
- Configure a failsafe strongSwan High Availability cluster
- Setting up a simple CA using the strongSwan PKI tool
- CA management made easy using GUIs
- Post-Quantum Bimodal Lattice Signature Scheme (BLISS) HOWTO
- Hash-and-URL HOWTO
- SQLite HOWTO
- Logger configuration HOWTO
- Job priority management HOWTO
- IKE_SA lookup tuning HOWTO
- Mobile IPv6 HOWTO
- Setting up a VPN into the Amazon Public Cloud's VPC
- Running strongSwan in Network Namespaces on Linux
Portability¶
- strongSwan on Android
- strongSwan on FreeBSD
- strongSwan on Mac OS X
- strongSwan on Windows
- strongSwan on OpenWrt
- strongSwan on Maemo (Nokia N900)
Interoperability¶
- Windows 7 and newer with IKEv2
- Windows Suite B Support with IKEv1
- Apple iOS (iPhone, iPad) and Mac OS X with IKEv1/IKEv2
- strongSwan 4.x (pluto) - 5.x (charon) with IKEv1
- Blackberry OS 10 with IKEv2
- CISCO brand devices
- Fortinet brand devices
- Check Point brand devices
- AVM FRITZ (FRITZ!Box, ...) brand devices
Management Commands¶
- The powerful swanctl command starts, stops and monitors IPsec connections.
- The legacy ipsec command is deprecated but currently still supported.
Auxiliary Tools¶
- charon-cmd a simple command line IKE client
- pki generates and analyzes RSA/ECDSA private keys and X.509 certificates
- ipsec attest manages measurement reference values used for TPM-based remote attestation
- ipsec leases shows the assignment of virtual IP addresses stored in volatile memory
- ipsec pool manages virtual IP address pools and attributes stored in an SQL database and provided by the attr-sql plugin
- ipsec scepclient implements the Simple Certificate Enrollment Protocol (SCEP)
- ipsec starter starts, stops, and configures the IKE daemons
- ipsec stroke controls the IKE charon daemon
- ipsec conftest is a tool to test IKEv2 implementations
- pt-tls-client uses PT-TLS to collect integrity measurement information
- sw-collector extracts software installation events from the dpkg history log
- sec-updater extracts security update information of Linux distributions