attr-sql Plugin


The attr-sql plugin for libcharon is similar to the attr plugin but stores the attributes in an SQL database instead of strongswan.conf.

The plugin is disabled by default and can be enabled with the ./configure option


Also required is support for either MySQL/MariaDB (--enable-mysql) or SQLite (--enable-sqlite) which enables the mysql or sqlite plugin, respectively.


Configured attributes are assigned to peers via CP configuration payloads (IKEv2) or via Mode Config (IKEv1). Attributes are only assigned to peers if they request a virtual IP.


The attr-sql plugin is configured using the following options in the charon.plugins.attr-sql section of strongswan.conf:

Key Default Description



Release all online leases during startup. Disable this to share the database between multiple VPN gateways


Database URI used to access the database



Enable logging of IP pool leases

Database Setup

To setup the database use the schema defined in the following SQL scripts:

These files contain the complete database schema, which also includes tables that are required by the sql plugin, only.

ipsec pool Tool

Attributes stored in the database can be managed using the ipsec pool utility.