Plugin List

The strongSwan distribution ships with an ever growing list of plugins. This allows us to add extended and specialized features, but keep the core as small as possible.

Many strongSwan component libraries come with a set of plugins. The plugins for libstrongswan e.g. provide cryptographic backends, URI fetchers and database layers whereas libcharon comes with a large set of very specialized plugins for specific needs.

libstrongswan Plugins

Plugin Name E[1] S[2] Description

acert

s

Support of X.509 attribute certificates

aes

s

AES-128/192/256 cipher software implementation

aesni

s

Intel AES-NI crypto plugin

af-alg

s

AF_ALG Linux kernel crypto API

agent

s

RSA/ECDSA private key backend connecting to ssh-agent

blowfish

s

Blowfish cipher software implementation

botan

s

Crypto backend based on the Botan library

ccm

s

CCM cipher mode wrapper

chapoly

s

ChaCha20/Poly1305 AEAD implementation and ChaCha20 XOF

cmac

x

s

CMAC cipher mode wrapper

constraints

x

s

X.509 certificate advanced constraint checking

ctr

s

CTR cipher mode wrapper

curl

s

libcurl based HTTP/FTP fetcher

curve25519

s

X25519 DH group and Ed25519 public key authentication

des

s

DES/3DES cipher software implementation

dnskey

x

s

Parse DNS public keys

drbg

x

s

NIST Deterministic Random Bit Generator based on AES-CTR and HMAC-SHA2 modes

files

s

Fetcher for local file:// URIs

fips-prf

s

PRF specified by FIPS, used by EAP-SIM/AKA algorithms

gcm

s

GCM cipher mode wrapper

gcrypt

s

Crypto backend based on libgcrypt

gmp

s

RSA/DH crypto backend based on libgmp

hmac

s

HMAC wrapper using various hashers

kdf

x

s

IKEv2 key derivation wrapper using various PRFs

keychain

e

macOS Keychain Services credential set

ldap

s

LDAP fetching plugin based on libldap

md4

s

MD4 hasher software implementation

md5

s

MD5 hasher software implementation

mgf1

s

MGF1 mask generation function

ml

e

Module-Lattice-based crypto (ML-KEM)

mysql

s

MySQL database backend based on libmysqlclient

nonce

x

s

Default nonce generation plugin

openssl

x

s

Crypto backend based on the OpenSSL library

openxpki

s

OCSP responder accessing OpenXPKI MySQL/MariaDB certificate database

padlock

e

VIA padlock crypto backend, provides AES128/SHA1

pem

x

s

PEM encoding/decoding routines

pgp

x

s

PGP encoding/decoding routines

pkcs1

x

s

PKCS#1 encoding/decoding routines

pkcs7

x

s

PKCS#7 encoding/decoding routines

pkcs8

x

s

PKCS#8 decoding routines

pkcs11

s

PKCS#11 smart card backend

pkcs12

s

PKCS#12 decoding routines

pubkey

x

s

Wrapper to handle raw public keys as trusted certificates

random

x

s

RNG reading from /dev/[u]random

rc2

s

RC2 cipher software implementation

rdrand

e

High quality / high performance random source using the Intel rdrand instruction

revocation

x

s

X.509 CRL/OCSP revocation checking

sha1

s

SHA1 hasher software implementation

sha2

s

SHA-2 hasher software implementation

sha3

s

SHA-3 hasher and SHAKE128/SHAKE256 XOF software implementation

soup

s

libsoup based HTTP fetcher

sqlite

s

SQLite database backend based on libsqlite3

sshkey

x

s

SSH key decoding routines

test-vectors

s

Set of test vectors for various algorithms

unbound

s

DNSSEC enabled resolver using libunbound

winhttp

s

WinHTTP based HTTP/HTTPS fetcher for Windows platform

wolfssl

s

Crypto backend based on the wolfSSL library

x509

x

s

Advanced X.509 plugin for parsing/generating X.509 certificates/CRLs and OCSP messages

xcbc

x

s

XCBC wrapper using various ciphers

libcharon Plugins

Plugin Name E[1] S[2] Description

addrblock

s

Narrow traffic selectors to RFC 3779 address blocks in X.509 certificates

android-dns

s

Android-specific DNS handler plugin

android-log

s

Android-specific logger plugin

attr

x

s

Provides IKE attributes configured in strongswan.conf

attr-sql

s

Provides IKE attributes read from a database to peers

bypass-lan

e

Automatically installs and updates bypass policies for locally attached subnets

certexpire

s

Export expiration dates of used certificates

connmark

e

Plugin using Netfilter conntrack marks to handle multiple transport mode clients (for L2TP)

counters

s

Provides IKE performance counters (queryable via vici and e.g. the swanctl --counters command

coupling

s

Permanent peer certificate coupling

dhcp

s

Request virtual IP address from a DHCP server

dnscert

s

Provides authentication via CERT RRs protected by DNSSEC

duplicheck

s

Advanced duplicate checking with liveness test and notifications

eap-aka

s

Generic EAP-AKA protocol handler using different backends

eap-aka-3gpp

s

EAP-AKA backend implementing 3GPP MILENAGE algorithms in software

eap-aka-3gpp2

s

EAP-AKA backend implementing 3GPP2 algorithms in software

eap-dynamic

s

EAP proxy plugin that dynamically selects an EAP method requested/supported by the client

eap-gtc

s

EAP-GTC protocol handler authenticating with XAuth backends

eap-identity

s

EAP-Identity identity exchange algorithm, to use with other EAP protocols

eap-md5

s

EAP-MD5 protocol handler using passwords

eap-mschapv2

s

EAP-MSCHAPv2 protocol handler using passwords/NT hashes

eap-peap

s

EAP-PEAP protocol handler, wraps other EAP methods securely

eap-radius

s

EAP server proxy plugin forwarding EAP conversations to a RADIUS server

eap-sim

s

Generic EAP-SIM protocol handler using different backends

eap-sim-file

s

EAP-SIM backend reading triplets from a file

eap-sim-pcsc

s

EAP-SIM backend based on a PC/SC smartcard reader

eap-simaka-pseudonym

s

EAP-SIM/AKA in-memory pseudonym identity database

eap-simaka-reauth

s

EAP-SIM/AKA in-memory reauthentication identity database

eap-simaka-sql

s

EAP-SIM/AKA backend reading triplets/quintuplets from a SQL database

eap-tls

s

EAP-TLS protocol handler, to authenticate with certificates in EAP

eap-tnc

s

EAP-TNC protocol handler, Trusted Network Connect in a TLS tunnel

eap-ttls

s

EAP-TTLS protocol handler, wraps other EAP methods securely

error-notify

s

Notification about errors via UNIX socket

ext-auth

s

Invokes an external script for custom authorization rules

farp

s

Fakes ARP responses for requests to a virtual IP assigned to a peer

forecast

e

Multicast and broadcast forwarding plugin

ha

s

High Availability clustering

ipseckey

s

Provides authentication via IPSECKEY RRs protected by DNSSEC

kernel-libipsec

e

IPsec "kernel" interface in user-space using libipsec

kernel-netlink

x

s

IPsec/Networking kernel interface using Linux Netlink

kernel-iph

e

Networking backend for the Windows platform, based on IPHelper APIs

kernel-pfkey

e

IPsec kernel interface using PF_KEY

kernel-pfroute

e

Networking kernel interface using PF_ROUTE

kernel-wfp

e

IPsec backend for the Windows platform, using the Windows Filtering Platform

led

s

Let Linux LED subsystem LEDs blink on IKE activity

load-tester

s

Perform IKE load tests against self or a gateway

lookip

s

Virtual IP lookup facility using a UNIX socket

medcli

d

Web interface based mediation client interface

medsrv

d

Web interface based mediation server interface

osx-attr

e

macOS SystemConfiguration attribute handler

p-cscf

s

Plugin that requests P-CSCF server addresses from an ePDG (RFC 7651)

radattr

s

Plugin to inject and process custom RADIUS attributes as IKEv2 client

resolve

x

s

Writes name servers received via IKE to a resolv.conf file or installs them via resolvconf(8)

save-keys

s

Development/Debugging plugin that saves IKE and/or ESP keys to files compatible with Wireshark

selinux

s

SELinux support plugin for labeled IPsec

smp

d

XML based strongSwan Management Protocol

socket-default

x

s

Default socket implementation for IKE messages

socket-dynamic

e

Dynamic binding socket implementation, capable of sending IKE messages on any port

socket-win

s

Socket implementation for IKE messages on Windows, based on Winsock2 APIs

sql

s

SQL configuration backend reading configurations/credentials from a database

stroke

s

Deprecated stroke configuration/control backend, to use with ipsec script and starter

tnc-ifmap

s

TNC IF-MAP 2.0 client

tnc-pdp

s

TNC Policy Decision Point with RADIUS server interface

systime-fix

s

Handle invalid system time when checking certificates

uci

d

OpenWRT UCI configuration backend

unity

s

Cisco Unity extensions for IKEv1

updown

x

s

Shell script invocation during tunnel up/down events

vici

x

s

Versatile IKE Control Interface

whitelist

s

Check authenticated identities against a whitelist

xauth-eap

s

XAuth backend that uses EAP methods to verify passwords

xauth-generic

x

s

Generic XAuth backend that provides passwords from credential sets

xauth-noauth

s

XAuth backend that does not do any authentication

xauth-pam

s

XAuth backend that uses PAM modules to verify passwords

libtpmtss Plugins

Plugin Name E[1] S[2] Description

tpm

s

Access persistent RSA and ECDSA private keys bound to a TPM 2.0. Optionally use the TPM 2.0 as a true random number source.

libtnccs Plugins

Plugin Name E[1] S[2] Description

tnccs-11

s

TNC Client-Server (TNCCS) protocol version 1.1

tnccs-20

s

TNC Client-Server (TNCCS) protocol version 2.0

tnccs-dynamic

s

TNC Client-Server (TNCCS) dynamic protocol discovery

tnc-tnccs

s

Manages the TNC Client-Server (TNCCS) connection layer

tnc-imc

s

Manages TNC Integrity Measurement Collectors (IMCs)

tnc-imv

s

Manages TNC Integrity Measurement Validators (IMVs)

Default Plugins

The following 25 plugins are built and loaded by default:

Plugin Name E[1] S[2] Description

cmac

x

s

CMAC cipher mode wrapper

constraints

x

s

X.509 certificate advanced constraint checking

dnskey

x

s

Parse RFC 4034 public keys

drbg

x

s

NIST Deterministic Random Bit Generator based on AES-CTR and HMAC-SHA2 modes. Required by the gmp plugin

kdf

x

s

IKEv2 key derivation wrapper using various PRFs

nonce

x

s

Default nonce generation plugin

openssl

x

s

Crypto backend based on the OpenSSL library

pem

x

s

PEM encoding/decoding routines

pgp

x

s

PGP encoding/decoding routines

pkcs1

x

s

PKCS#1 encoding/decoding routines

pkcs7

x

s

PKCS#7 encoding/decoding routines

pkcs8

x

s

PKCS#8 decoding routines

pubkey

x

s

Wrapper to handle raw public keys as trusted certificates

random

x

s

RNG reading from /dev/[u]random

revocation

x

s

X.509 CRL/OCSP revocation checking

sshkey

x

s

SSH key decoding routines

x509

x

s

Advanced X.509 plugin for parsing/generating X.509 certificates/CRLs and OCSP messages

xcbc

x

s

XCBC wrapper using various ciphers

libstrongswan

18

attr

x

s

Provides IKE attributes configured in strongswan.conf

kernel-netlink

x

s

IPsec/Networking kernel interface using Linux Netlink

resolve

x

s

Writes name servers received via IKE to a resolv.conf file or installs them via resolvconf(8)

socket-default

x

s

Default socket implementation for IKE messages

updown

x

s

Shell script invocation during tunnel up/down events

vici

x

s

Versatile IKE Control Interface

xauth-generic

x

s

Generic XAuth backend that provides passwords from credential sets

libcharon

7


1. E = Enabled by default (plugins can be enabled/disabled using their respective ./configure options)
2. S = Plugin status: s = stable, e = experimental, d = under development/incomplete