Plugin List
The strongSwan distribution ships with an ever growing list of plugins. This allows us to add extended and specialized features, but keep the core as small as possible.
Many strongSwan component libraries come with a set of plugins. The plugins for
libstrongswan
e.g. provide cryptographic backends, URI fetchers and database
layers whereas libcharon
comes with a large set of very specialized plugins
for specific needs.
libstrongswan Plugins
Plugin Name | E[1] | S[2] | Description |
---|---|---|---|
acert |
s |
Support of X.509 attribute certificates |
|
aes |
s |
AES-128/192/256 cipher software implementation |
|
aesni |
s |
Intel AES-NI crypto plugin |
|
af-alg |
s |
AF_ALG Linux kernel crypto API |
|
agent |
s |
RSA/ECDSA private key backend connecting to ssh-agent |
|
blowfish |
s |
Blowfish cipher software implementation |
|
botan |
s |
Crypto backend based on the Botan library |
|
ccm |
s |
CCM cipher mode wrapper |
|
chapoly |
s |
ChaCha20/Poly1305 AEAD implementation and ChaCha20 XOF |
|
cmac |
x |
s |
CMAC cipher mode wrapper |
x |
s |
X.509 certificate advanced constraint checking |
|
ctr |
s |
CTR cipher mode wrapper |
|
s |
libcurl based HTTP/FTP fetcher |
||
curve25519 |
s |
X25519 DH group and Ed25519 public key authentication |
|
des |
s |
DES/3DES cipher software implementation |
|
dnskey |
x |
s |
Parse DNS public keys |
drbg |
x |
s |
NIST Deterministic Random Bit Generator based on AES-CTR and HMAC-SHA2 modes |
files |
s |
Fetcher for local file:// URIs |
|
fips-prf |
s |
PRF specified by FIPS, used by EAP-SIM/AKA algorithms |
|
gcm |
s |
GCM cipher mode wrapper |
|
gcrypt |
s |
Crypto backend based on libgcrypt |
|
gmp |
s |
RSA/DH crypto backend based on libgmp |
|
hmac |
s |
HMAC wrapper using various hashers |
|
kdf |
x |
s |
IKEv2 key derivation wrapper using various PRFs |
keychain |
e |
macOS Keychain Services credential set |
|
ldap |
s |
LDAP fetching plugin based on libldap |
|
md4 |
s |
MD4 hasher software implementation |
|
md5 |
s |
MD5 hasher software implementation |
|
mgf1 |
s |
MGF1 mask generation function |
|
ml |
e |
Module-Lattice-based crypto (ML-KEM) |
|
mysql |
s |
MySQL database backend based on libmysqlclient |
|
nonce |
x |
s |
Default nonce generation plugin |
openssl |
x |
s |
Crypto backend based on the OpenSSL library |
s |
OCSP responder accessing OpenXPKI MySQL/MariaDB certificate database |
||
padlock |
e |
VIA padlock crypto backend, provides AES128/SHA1 |
|
pem |
x |
s |
PEM encoding/decoding routines |
pgp |
x |
s |
PGP encoding/decoding routines |
pkcs1 |
x |
s |
PKCS#1 encoding/decoding routines |
pkcs7 |
x |
s |
PKCS#7 encoding/decoding routines |
pkcs8 |
x |
s |
PKCS#8 decoding routines |
s |
PKCS#11 smart card backend |
||
pkcs12 |
s |
PKCS#12 decoding routines |
|
pubkey |
x |
s |
Wrapper to handle raw public keys as trusted certificates |
random |
x |
s |
RNG reading from /dev/[u]random |
rc2 |
s |
RC2 cipher software implementation |
|
rdrand |
e |
High quality / high performance random source using the Intel rdrand instruction |
|
revocation |
x |
s |
X.509 CRL/OCSP revocation checking |
sha1 |
s |
SHA1 hasher software implementation |
|
sha2 |
s |
SHA-2 hasher software implementation |
|
sha3 |
s |
SHA-3 hasher and SHAKE128/SHAKE256 XOF software implementation |
|
soup |
s |
libsoup based HTTP fetcher |
|
sqlite |
s |
SQLite database backend based on libsqlite3 |
|
sshkey |
x |
s |
SSH key decoding routines |
s |
Set of test vectors for various algorithms |
||
unbound |
s |
DNSSEC enabled resolver using libunbound |
|
s |
WinHTTP based HTTP/HTTPS fetcher for Windows platform |
||
wolfssl |
s |
Crypto backend based on the wolfSSL library |
|
x509 |
x |
s |
Advanced X.509 plugin for parsing/generating X.509 certificates/CRLs and OCSP messages |
xcbc |
x |
s |
XCBC wrapper using various ciphers |
libcharon Plugins
Plugin Name | E[1] | S[2] | Description |
---|---|---|---|
s |
Narrow traffic selectors to RFC 3779 address blocks in X.509 certificates |
||
android-dns |
s |
Android-specific DNS handler plugin |
|
android-log |
s |
Android-specific logger plugin |
|
x |
s |
Provides IKE attributes configured in strongswan.conf |
|
s |
Provides IKE attributes read from a database to peers |
||
e |
Automatically installs and updates bypass policies for locally attached subnets |
||
s |
Export expiration dates of used certificates |
||
e |
Plugin using Netfilter conntrack marks to handle multiple transport mode clients (for L2TP) |
||
s |
Provides IKE performance counters (queryable via vici and
e.g. the |
||
s |
Permanent peer certificate coupling |
||
s |
Request virtual IP address from a DHCP server |
||
dnscert |
s |
Provides authentication via CERT RRs protected by DNSSEC |
|
s |
Advanced duplicate checking with liveness test and notifications |
||
eap-aka |
s |
Generic EAP-AKA protocol handler using different backends |
|
eap-aka-3gpp |
s |
EAP-AKA backend implementing 3GPP MILENAGE algorithms in software |
|
eap-aka-3gpp2 |
s |
EAP-AKA backend implementing 3GPP2 algorithms in software |
|
s |
EAP proxy plugin that dynamically selects an EAP method requested/supported by the client |
||
s |
EAP-GTC protocol handler authenticating with XAuth backends |
||
eap-identity |
s |
EAP-Identity identity exchange algorithm, to use with other EAP protocols |
|
eap-md5 |
s |
EAP-MD5 protocol handler using passwords |
|
eap-mschapv2 |
s |
EAP-MSCHAPv2 protocol handler using passwords/NT hashes |
|
eap-peap |
s |
EAP-PEAP protocol handler, wraps other EAP methods securely |
|
s |
EAP server proxy plugin forwarding EAP conversations to a RADIUS server |
||
eap-sim |
s |
Generic EAP-SIM protocol handler using different backends |
|
eap-sim-file |
s |
EAP-SIM backend reading triplets from a file |
|
eap-sim-pcsc |
s |
EAP-SIM backend based on a PC/SC smartcard reader |
|
eap-simaka-pseudonym |
s |
EAP-SIM/AKA in-memory pseudonym identity database |
|
eap-simaka-reauth |
s |
EAP-SIM/AKA in-memory reauthentication identity database |
|
s |
EAP-SIM/AKA backend reading triplets/quintuplets from a SQL database |
||
s |
EAP-TLS protocol handler, to authenticate with certificates in EAP |
||
eap-tnc |
s |
EAP-TNC protocol handler, Trusted Network Connect in a TLS tunnel |
|
eap-ttls |
s |
EAP-TTLS protocol handler, wraps other EAP methods securely |
|
s |
Notification about errors via UNIX socket |
||
s |
Invokes an external script for custom authorization rules |
||
s |
Fakes ARP responses for requests to a virtual IP assigned to a peer |
||
e |
Multicast and broadcast forwarding plugin |
||
s |
High Availability clustering |
||
ipseckey |
s |
Provides authentication via IPSECKEY RRs protected by DNSSEC |
|
e |
IPsec "kernel" interface in user-space using libipsec |
||
kernel-netlink |
x |
s |
IPsec/Networking kernel interface using Linux Netlink |
e |
Networking backend for the Windows platform, based on IPHelper APIs |
||
kernel-pfkey |
e |
IPsec kernel interface using PF_KEY |
|
kernel-pfroute |
e |
Networking kernel interface using PF_ROUTE |
|
e |
IPsec backend for the Windows platform, using the Windows Filtering Platform |
||
led |
s |
Let Linux LED subsystem LEDs blink on IKE activity |
|
s |
Perform IKE load tests against self or a gateway |
||
s |
Virtual IP lookup facility using a UNIX socket |
||
medcli |
d |
Web interface based mediation client interface |
|
medsrv |
d |
Web interface based mediation server interface |
|
osx-attr |
e |
macOS SystemConfiguration attribute handler |
|
p-cscf |
s |
Plugin that requests P-CSCF server addresses from an ePDG (RFC 7651) |
|
s |
Plugin to inject and process custom RADIUS attributes as IKEv2 client |
||
x |
s |
Writes name servers received via IKE to a resolv.conf file or installs them via resolvconf(8) |
|
s |
Development/Debugging plugin that saves IKE and/or ESP keys to files compatible with Wireshark |
||
s |
SELinux support plugin for labeled IPsec |
||
smp |
d |
XML based strongSwan Management Protocol |
|
socket-default |
x |
s |
Default socket implementation for IKE messages |
socket-dynamic |
e |
Dynamic binding socket implementation, capable of sending IKE messages on any port |
|
s |
Socket implementation for IKE messages on Windows, based on Winsock2 APIs |
||
s |
SQL configuration backend reading configurations/credentials from a database |
||
stroke |
s |
Deprecated stroke configuration/control backend, to use with ipsec script and starter |
|
s |
TNC IF-MAP 2.0 client |
||
tnc-pdp |
s |
TNC Policy Decision Point with RADIUS server interface |
|
s |
Handle invalid system time when checking certificates |
||
uci |
d |
OpenWRT UCI configuration backend |
|
s |
Cisco Unity extensions for IKEv1 |
||
x |
s |
Shell script invocation during tunnel up/down events |
|
x |
s |
Versatile IKE Control Interface |
|
s |
Check authenticated identities against a whitelist |
||
s |
XAuth backend that uses EAP methods to verify passwords |
||
xauth-generic |
x |
s |
Generic XAuth backend that provides passwords from credential sets |
s |
XAuth backend that does not do any authentication |
||
s |
XAuth backend that uses PAM modules to verify passwords |
libtnccs Plugins
Plugin Name | E[1] | S[2] | Description |
---|---|---|---|
tnccs-11 |
s |
TNC Client-Server (TNCCS) protocol version 1.1 |
|
tnccs-20 |
s |
TNC Client-Server (TNCCS) protocol version 2.0 |
|
tnccs-dynamic |
s |
TNC Client-Server (TNCCS) dynamic protocol discovery |
|
tnc-tnccs |
s |
Manages the TNC Client-Server (TNCCS) connection layer |
|
tnc-imc |
s |
Manages TNC Integrity Measurement Collectors (IMCs) |
|
tnc-imv |
s |
Manages TNC Integrity Measurement Validators (IMVs) |
Default Plugins
The following 25 plugins are built and loaded by default:
Plugin Name | E[1] | S[2] | Description |
---|---|---|---|
cmac |
x |
s |
CMAC cipher mode wrapper |
x |
s |
X.509 certificate advanced constraint checking |
|
dnskey |
x |
s |
Parse RFC 4034 public keys |
drbg |
x |
s |
NIST Deterministic Random Bit Generator based on AES-CTR and HMAC-SHA2 modes.
Required by the |
kdf |
x |
s |
IKEv2 key derivation wrapper using various PRFs |
nonce |
x |
s |
Default nonce generation plugin |
openssl |
x |
s |
Crypto backend based on the OpenSSL library |
pem |
x |
s |
PEM encoding/decoding routines |
pgp |
x |
s |
PGP encoding/decoding routines |
pkcs1 |
x |
s |
PKCS#1 encoding/decoding routines |
pkcs7 |
x |
s |
PKCS#7 encoding/decoding routines |
pkcs8 |
x |
s |
PKCS#8 decoding routines |
pubkey |
x |
s |
Wrapper to handle raw public keys as trusted certificates |
random |
x |
s |
RNG reading from /dev/[u]random |
revocation |
x |
s |
X.509 CRL/OCSP revocation checking |
sshkey |
x |
s |
SSH key decoding routines |
x509 |
x |
s |
Advanced X.509 plugin for parsing/generating X.509 certificates/CRLs and OCSP messages |
xcbc |
x |
s |
XCBC wrapper using various ciphers |
libstrongswan |
18 |
||
x |
s |
Provides IKE attributes configured in strongswan.conf |
|
kernel-netlink |
x |
s |
IPsec/Networking kernel interface using Linux Netlink |
x |
s |
Writes name servers received via IKE to a resolv.conf file or installs them via resolvconf(8) |
|
socket-default |
x |
s |
Default socket implementation for IKE messages |
x |
s |
Shell script invocation during tunnel up/down events |
|
x |
s |
Versatile IKE Control Interface |
|
xauth-generic |
x |
s |
Generic XAuth backend that provides passwords from credential sets |
libcharon |
7 |