Autoconf Options

Please note: This page documents the ./configure options for the latest strongSwan release. Therefore, you should always use

./configure --help

to check which options are actually available for the release you are using.

--dir options

Some directories can be configured through --with options.

Option Default Description

where to put installation. Most Linux distributions use /usr
program executables
shared libraries
where to put configuration files. We strongly recommend /etc

--enable Options

The plugin list provides more information on specific plugins.

Option Since[1] Description

enable X.509 attribute certificate checking plugin
enable RFC 3779 address block constraint support plugin
enable Intel AES-NI crypto plugin
enable AF_ALG crypto interface to Linux Crypto API
enable ssh-agent signing plugin
enable AIK generator for TPM 1.2
enable all optional plugins and features (they can be disabled with their respective --disable options). Mainly intended for testing
enable Android specific plugin
enable Android specific logger plugin
enable build with AddressSanitizer (ASan)
enable SQL-based configuration attributes. This is a plugin for VPN gateways only, serving virtual IP addresses
use binutils' libbfd to resolve backtraces for memory leaks and segfaults
enable deprecated Bimodal Lattice Signature Scheme (BLISS) software implementation plugin. Since a side-channel attack on our BLISS implementation has been reported, please use the NIST PQC (Post-Quantum Cryptography) Selected Algorithms and Round 4 Submissions signature algorithms offered by the post-quantum strongSwan 6.0 version instead.
enable Blowfish software implementation plugin
enable Botan crypto plugin. Requires Botan 2.8.0 or newer
enable plugin to automatically install bypass policies for local subnets
enable CCM AEAD wrapper crypto plugin
enable ChaCha20/Poly1305 AEAD plugin
enable automatic certificate enrollment via EST or SCEP
enable installation of cert-enroll as a systemd timer
enable CSV export of expiration dates of used certificates
enable command line IKE client charon-cmd
enable IKE conformance test framework
enable conntrack based marks to select return path SA
enable plugin that collects several performance counters
enable IKEv2 plugin to couple peer certificates permanently to authentication
enable lcov coverage report generation[2]
enable counter mode wrapper crypto plugin
enable plugin to fetch files (CRL/OCSP) via libcurl. Requires the libcurl library
use dbghlp.dll on Windows to create and print backtraces for memory leaks and segfaults
enable DHCP based attribute provider plugin
enable plugin authenticating peers based on DNS CERT resource records protected by DNSSEC
enable advanced duplicate checking plugin using liveness checks
enable EAP AKA authentication plugin
enable EAP AKA backend plugin implementing 3GPP MILENAGE algorithms in software
enable EAP AKA backend plugin implementing 3GPP2 algorithms in software. Requires libgmp library
enable dynamic EAP proxy plugin
enable EAP GTC authentication plugin
enable EAP plugin providing EAP-Identity helper
build EAP MD5 (CHAP) authentication plugin
enable EAP MS-CHAPv2 authentication plugin
enable EAP PEAP authentication plugin
enable RADIUS proxy authentication plugin for EAP
enable EAP-SIM authentication plugin
enable EAP-SIM backend based on a triplets file
enable EAP-SIM backend based on a smartcard reader. Requires libpcsclite library
enable EAP-SIM/AKA pseudonym storage
enable EAP-SIM/AKA reauthentication data storage
enable EAP-SIM/AKA backend based on a triplet/quintuplet SQL database
enable EAP TLS authentication plugin
enable EAP TNC trusted network connect plugin
enable EAP TTLS authentication plugin
enable error notification plugin
enable plugin calling an external authorization script
enable ARP faking plugin that responds to ARP requests for virtual IPs assigned to peers
build libfast (FastCGI Application Server w/ templates)
enable simple file:// URI fetcher
enable plugin that forwards broadcast/multicast messages
enable fuzzing scripts (found in directory fuzz and intended for use on the OSS-Fuzz infrastructure)
enable gcrypt plugin. Requires the GNU libgcrypt library
use output of git describe as version information in executables
enable high availability cluster plugin
enable TNC Attestation IMC
enable TNC Hardcopy Device Integrity (HCD) IMC
enable TNC Operating System (OS) IMC
enable TNC Port Scanner IMC
enable TNC Test IMC
enable TNC Attestation IMV and the attest management tool
enable TNC Hardcopy Device Integrity (HCD) IMV
enable TNC Operating System (OS) IMV
enable TNC Port Scanner IMV
enable TNC Test IMV
enable integrity testing of the daemon, libraries and loaded plugins
enable authentication plugin authenticating peers based on IPSECKEY DNS resource records protected by DNSSEC
enable Windows IP Helper based networking backend
enable libipsec-based user-space "kernel" interface
enable PF_KEYv2 NETKEY kernel interface
enable PF_ROUTE kernel interface. Required for FreeBSD and Mac OSX
enable Windows Filtering Platform IPsec backend
enable macOS Keychain Services credential set
enable user space IPsec implementation
enable LDAP fetcher to fetch files (CRLs) from an LDAP server. Requires OpenLDAP
enable malloc hooks to find memory leaks
enable plugin to control LEDs on IKEv2 activity using the Linux kernel LED subsystem
enable load testing plugin for IKEv2 daemon
enable lock/mutex profiling code
use thread ID if available instead of an incremented value starting from 1 to identify threads
enable fast virtual IP lookup and notification plugin
build the deprecated strongSwan manager web application
enable MD4 software implementation plugin. Required for eap-mschapv2 plugin
enable deprecated mediation client web front end and daemon plugin
enable IKEv2 Mediation Extension
enable deprecated mediation server web front end and daemon plugin
enable MGF1 software implementation plugin
build monolithic versions of libstrongswan and libcharon that include all enabled plugins
enable MySQL database support. Requires libmysqlclient_r
enable deprecated NewHope post-quantum key exchange plugin. Use the post-quantum strongSwan 6.0 version instead
enable NetworkManager backend
enable deprecated NTRUEncrypt key exchange plugin. Use the post-quantum strongSwan 6.0 version instead
enable OpenSSL crypto plugin. Requires libcrypto library
enable OCSP responder accessing OpenXPKI MySQL/MariaDB certificate database
enable macOS SystemConfiguration attribute handler
enable plugin to request P-CSCF server addresses from an ePDG (RFC 7651)
enable padlock crypto plugin. Requires a VIA Padlock crypto engine
enable build of provided perl CPAN modules e.g. for the vici protocol
enable installation of provided CPAN modules
enable PKCS#11 crypto token support plugin
enable build of provided python eggs e.g. for the vici protocol
enable local installation of provided python eggs
enable plugin to inject and process custom RADIUS attributes as IKEv2 client
enable Intel RDRAND random generator plugin
enable build of provided ruby gems e.g. for the vici protocol
enable local installation of provided ruby gems
enable development/debugging plugin that saves IKE and ESP keys in Wireshark format
enable SELinux support for labeled IPsec and the selinux plugin
enable SHA3 and SHAKE software implementation plugin
enable deprecated XML configuration and control interface. Requires libxml library
enable dynamic socket implementation for charon
enable Winsock2 based socket implementation for charon
enable fetcher plugin to fetch from HTTP URIs. Requires libsoup library
enable SQL database configuration backend
enable SQLite database support. Requires libsqlite3 library
enable charon Windows service
enable systemd specific IKE daemon charon-systemd
enable plugin to handle cert lifetimes with invalid system time gracefully
enable crypto test vectors plugin
enable charon-tkm, an IKEv2 daemon that is backed by a Trusted Key Manager (TKM)
enable TNC Client Server (TNCCS) 1.1 protocol plugin. Requires libxml2 library
enable TNC Client Server (TNCCS) 2.0 protocol plugin
enable TNC Client Server (TNCCS) dynamic protocol discovery plugin
enable TNC IF-MAP 2.0 client plugin
enable TNC Integrity Measurement Collector (IMC) manager plugin
enable TNC Integrity Measurement Validator (IMV) manager plugin
enable TNC Policy Decision Point plugin
enable plugin to access persistent RSA and ECDSA private keys bound to Trusted Platform Module 2.0
enable TPM 1.2 TrouSerS library. Requires libtspi library
enable TPM 2.0 TSS2 library. Requires libtss2 library
enable OpenWRT UCI configuration plugin
enable DNSSEC-enabled resolver plugin based on libunbound
enable Cisco Unity extension plugin
use libunwind to create backtraces for memory leaks and segfaults
enable extended compiler warnings and -Werror (auto-enabled when building from the repository)
enable peer identity whitelisting plugin
enable WinHTTP based HTTP/HTTPS fetching plugin
enable wolfSSL crypto plugin. Requires libwolfssl library
enable XAuth backend using EAP methods to verify passwords
enable XAuth pseudo-backend that does not actually verify or even request any credentials
enable XAuth backend using PAM to verify passwords

--disable Options

The plugin list provides more information on specific plugins.

Option Since[1] Description

disable default AES software implementation plugin
disable strongswan.conf based configuration of DNS and WINS server attributes[3]
disable the build of the IKEv1/IKEv2 keying charon daemon
disable CMAC crypto implementation plugin
disable advanced X.509 constraint checking plugin
disable plugin providing X25519 DH group and Ed25519 public key authentication
disable all features that are enabled by default. Basically it's short for removing all options listed in this section
disable default DES/3DES software implementation plugin
disable DNS Resource Records key decoding plugin
disable the NIST Deterministic Random Bit Generator plugin
disable default FIPS PRF software implementation plugin
disable GCM AEAD wrapper crypto plugin (was disabled by default prior to 5.9.8)
disable default GNU Multi Precision based public key cryptography implementation plugin. Requires libgmp library
disable default HMAC crypto implementation plugin
disable IKEv1 protocol support in charon daemon
disable IKEv2 protocol support in charon daemon
disable default KDF (prf+) implementation plugin
disable default Netlink kernel interface
disable the charon plugin load option warning in starter
disable default MD5 software implementation plugin
disable nonce generation plugin
disable PEM decoding plugin
disable PGP key decoding plugin
disable PKCS#1 key decoding plugin
disable PKCS#7 container support plugin
disable PKCS#8 private key decoding plugin
disable PKCS#12 container support plugin
disable pki public key and certificate utility
disable default RAW public key support plugin
disable default RNG implementation using the raw /dev/[u]random devices
disable RC2 software implementation plugin
disable writing DNS information received via configuration payload to /etc/resolv.conf. This is a plugin for VPN clients only
disable X.509 CRL/OCSP revocation check plugin
disable the build of additional utilities found in scripts directory
disable default SHA-1 software implementation plugin
disable default SHA-256/SHA-384/SHA-512 software implementation plugin
disable default socket implementation for charon daemon
disable SSH key decoding plugin
disable legacy stroke configuration backend for charon daemon
disable swanctl configuration and control tool
disable updown firewall script plugin
disable the Versatile IKE Control Interface (VICI) plugin for charon daemon
disable default X.509 certificate implementation plugin
disable generic XAuth backend
disable default XCBC crypto implementation plugin

--with Options

Option Description [Default]

set capability dropping library. Currently supported values are libcap and native [no]
UDP port used by charon daemon locally. Set to 0 to allocate randomly. [500]
UDP port used by charon daemon locally in case a NAT situation is detected (must be different from charon-udp-port). Set to 0 to allocate randomly. [4500]
directory for D-Bus policies for the NetworkManager backend charon-nm. [/usr/share/dbus-1/system.d]
install strongSwan development headers to DIR []
set OpenSSL FIPS mode: disabled (0), enabled (1), Suite B enabled (2). [0]
-fsanitize=fuzzer or path to libFuzzer.a. A local driver is used if not specified
change group of charon daemon to GROUP after startup. [root]
set the installation path of IMC and IMV dynamic libraries. [IPSECLIBDIR/imcvs]
installation path for ipsec tools. [LIBEXECDIR/ipsec]
installation path for ipsec libraries libstrongswan, libcharon, etc. [LIBDIR/ipsec]
change the name of the ipsec script. [ipsec]
linux header files to be used. [../include]
--with-mpz_powm_sec=YES|NO
use the more side-channel resistant mpz_powm_sec in libgmp if available. [yes]
directory the NetworkManager backend uses to look up trusted root certificates. [/usr/share/ca-certificates]
path for PID and UNIX socket files. [/var/run]
installation path for plugins. [IPSECLIBDIR/plugins]
force the use of a specific printf()-hook implementation (auto, builtin, glibc, vstr). [auto]
path to install python eggs to. [main site-packages directory]
set the device for true random data. [/dev/random]
set the file to store DNS server information. [SYSCONFDIR/resolv.conf]
routing table for IPsec source routes (set to 0 to use default routing table). [220]
priority for IPsec routing table. [220]
path to install ruby gems to. [gem environment gemdir]
set the strongswan.conf file location. [SYSCONFDIR/strongswan.conf]
directory for systemd service files. [pkg-config --variable=systemdsystemunitdir systemd]
swanctl directory for swanctl.conf configuration files and credentials. [SYSCONFDIR/swanctl]
set the device for pseudo random data. [/dev/urandom]
change user of charon daemon to USER after startup. [root]


The following configuration example builds a strongSwan IKEv2 charon-systemd daemon supporting the authentication methods pubkey, psk, eap-md5 and eap-tls. All crypto functions are based on the openssl plugin. Private keys and X.509 certificates can be securely stored in a TPM 2.0 device. Additionally, the swanctl and pki tools are built, and support for the updown firewall script is enabled.

./configure --prefix=/usr --sysconfdir=/etc --disable-defaults --enable-silent-rules  \
    --enable-charon --enable-systemd --enable-ikev2 --enable-vici --enable-swanctl    \
    --enable-nonce --enable-random --enable-drbg --enable-openssl --enable-curl       \
    --enable-pem --enable-x509 --enable-constraints --enable-revocation --enable-pki  \
    --enable-pubkey --enable-socket-default --enable-kernel-netlink --enable-resolve  \
    --enable-eap-identity --enable-eap-md5 --enable-eap-dynamic --enable-eap-tls      \
    --enable-updown --enable-tss-tss2 --enable-tpm
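The script below is an added example and is not part of the strongSwan documentation or code base. It applies the advice at the top of this page in a way that can be automated: it checks a planned option list against the option names a release advertises in ./configure --help (an unrecognized option only produces a warning, so a feature such as the TPM plugin can otherwise silently be missing from the build), it lists the development-only options that should not reach a production build (AddressSanitizer, lcov coverage, the key-saving plugin, leak detective, lock profiler, load tester, fuzzing; the spelling of those option names is my assumption and should be confirmed against --help), and it checks whether --with-user, --with-group and --with-capabilities are set so that charon drops root after startup. The help text it parses is a constructed excerpt, not real ./configure output.

```shell
#!/bin/sh
# Added example, not part of the strongSwan documentation or sources: check a
# planned ./configure option list against the options the release actually
# advertises in `./configure --help`, and review it for debug-only options and
# privilege dropping before the build is run.

# Development/test-only options (assumed spelling as used by current strongSwan
# releases; confirm with ./configure --help).
DEBUG_ONLY="--enable-asan --enable-coverage --enable-save-keys --enable-leak-detective --enable-lock-profiler --enable-load-tester --enable-fuzzing"

# Constructed excerpt in the shape of `./configure --help`, used as offline input.
SAMPLE_HELP='Optional Features:
  --disable-defaults      disable all features that are enabled by default
  --enable-openssl        enable OpenSSL crypto plugin
  --enable-tpm            enable TPM 2.0 private key plugin
  --enable-save-keys      enable development/debugging plugin that saves IKE and ESP keys
  --enable-asan           enable build with AddressSanitizer

Optional Packages:
  --with-user=USER        change user of charon daemon to USER after startup
  --with-group=GROUP      change group of charon daemon to GROUP after startup
  --with-capabilities=LIB set capability dropping library (libcap or native)

Installation directories:
  --prefix=PREFIX         install architecture-independent files in PREFIX'

# Fold the two spellings of one option onto a single form: autoconf help lists
# either --enable-x or --disable-x (and either --with-x or --without-x).
canonical() {
    sed -e 's/^--disable-/--enable-/' -e 's/^--without-/--with-/'
}

# Print, one per line, every option name advertised in the help text $1.
advertised_options() {
    printf '%s\n' "$1" | grep -Eo -- '--[A-Za-z0-9][A-Za-z0-9_-]*' | canonical | sort -u
}

# Print the options in $2 (space-separated, values allowed as --with-x=VAL)
# that the help text $1 does not advertise; return 1 if there are any, so the
# function can guard the real ./configure call.
unknown_options() {
    known=$(advertised_options "$1")
    unknown=""
    for opt in $2; do
        name=$(printf '%s\n' "${opt%%=*}" | canonical)
        if ! printf '%s\n' "$known" | grep -Fxq -- "$name"; then
            unknown="$unknown $opt"
        fi
    done
    printf '%s\n' "${unknown# }"
    [ -z "$unknown" ]
}

# Print the options in $1 that are development/debug-only.
debug_options() {
    found=""
    for opt in $1; do
        case " $DEBUG_ONLY " in
            *" ${opt%%=*} "*) found="$found $opt" ;;
        esac
    done
    printf '%s\n' "${found# }"
}

# Return 0 if charon is configured to drop root after startup: --with-user and
# --with-group both set to something other than the documented default (root),
# plus a capability dropping library (libcap or native) so the daemon can keep
# the capabilities it still needs (assumption: without one, dropping root is
# not useful).
privilege_drop_configured() {
    user=root; group=root; caps=no
    for opt in $1; do
        case $opt in
            --with-user=*)         user=${opt#--with-user=} ;;
            --with-group=*)        group=${opt#--with-group=} ;;
            --with-capabilities=*) caps=${opt#--with-capabilities=} ;;
        esac
    done
    [ "$user" != root ] && [ "$group" != root ] && [ "$caps" != no ]
}

# Demo on a constructed option list: one option is not advertised by the
# sample release, one is debug-only, and privilege dropping is incomplete.
WANTED="--prefix=/usr --disable-defaults --enable-openssl --enable-tpm --enable-tss-tss2 --with-user=ipsec --enable-save-keys"
if missing=$(unknown_options "$SAMPLE_HELP" "$WANTED"); then
    echo "all options are advertised by this release"
else
    echo "not advertised by this release: $missing"
fi
echo "debug-only options: $(debug_options "$WANTED")"
if privilege_drop_configured "$WANTED"; then
    echo "charon will drop root after startup"
else
    echo "charon stays root: set --with-user, --with-group and --with-capabilities"
fi
```

To use it against a real source tree, replace SAMPLE_HELP with the output of ./configure --help for the release being built and WANTED with the option list from the configuration example above; run ./configure only when unknown_options prints nothing.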

1. First strongSwan version to support this option
2. This disables any optimization, so it shouldn’t be enabled when building production releases
3. This is a plugin for VPN gateways only, serving internal DNS and WINS nameserver information