farp Plugin


The farp plugin for libcharon fakes ARP responses for requests to e.g. a virtual IP address to be assigned to a peer.

The plugin is disabled by default and can be enabled with the ./configure option



With the plugin enabled the IKEv2 daemon responds to ARP requests for IP addresses in the remote traffic selectors (e.g. virtual IP addresses that were handed out to clients but could be complete subnets) with its own MAC address.

In combination with the dhcp plugin this plugin lets a road-warrior fully act as a client on the local LAN of the responder.


Since strongSwan version 5.9.2 the plugin also works on Mac OSX and FreeBSD. That wasn’t the case for previous versions due to the implementation relying on AF/PF_PACKET sockets only. If you use such a version or don’t have the plugin available for other reasons, ARP proxying for virtual IP addresses an be achieved via the arp(8) utility and an updown script, e.g.

case $PLUTO_VERB in
        arp -s ${PLUTO_PEER_SOURCEIP4_1} auto pub
        arp -d ${PLUTO_PEER_SOURCEIP4_1} pub