strongSwan
the OpenSource IPsec-based VPN Solution
- Runs on Linux 2.6, 3.x, 4.x and 5.x kernels, Android, FreeBSD, OS X, iOS and Windows
- Implements both the IKEv1 and IKEv2 (RFC 7296) key exchange protocols
- Fully tested support of IPv6 IPsec tunnel and transport connections
- Dynamic IP address and interface update with IKEv2 MOBIKE (RFC 4555)
- Automatic insertion and deletion of IPsec-policy-based firewall rules
- NAT-Traversal via UDP encapsulation and port floating (RFC 3947)
- Support of IKEv2 message fragmentation (RFC 7383) to avoid issues with IP fragmentation
- Dead Peer Detection (DPD, RFC 3706) takes care of dangling tunnels
- Static virtual IPs and IKEv1 ModeConfig pull and push modes
- XAUTH server and client functionality on top of IKEv1 Main Mode authentication
- Virtual IP address pool managed by IKE daemon or SQL database
- Secure IKEv2 EAP user authentication (EAP-SIM, EAP-AKA, EAP-TLS, EAP-TTLS, EAP-PEAP, EAP-MSCHAPv2, etc.)
- Optional relaying of EAP messages to AAA server via EAP-RADIUS plugin
- Support of IKEv2 Multiple Authentication Exchanges (RFC 4739)
- Authentication based on X.509 certificates or preshared keys
- Use of strong signature algorithms with Signature Authentication in IKEv2 (RFC 7427)
- Retrieval and local caching of Certificate Revocation Lists via HTTP or LDAP
- Full support of the Online Certificate Status Protocol (OCSP, RFC 2560)
- CA management (OCSP and CRL URIs, default LDAP server)
- Powerful IPsec policies based on wildcards or intermediate CAs
- Storage of RSA private keys and certificates on a smartcard (PKCS #11 interface) or protected by a TPM 2.0
- Modular plugins for crypto algorithms and relational database interfaces
- Support of NIST elliptic curve DH groups and ECDSA signatures and certificates (Suite B, RFC 4869)
- Support of X25519 elliptic curve DH group (RFC 8031) and Ed25519 signatures and certificates (RFC 8420)
- Optional built-in integrity and crypto tests for plugins and libraries
- Smooth Linux desktop integration via the strongSwan NetworkManager applet
- Trusted Network Connect compliant with PB-TNC (RFC 5793), PA-TNC (RFC 5792), PT-TLS (RFC 6876), PT-EAP (RFC 7171) and SWIMA for PA-TNC (RFC 8412)
strongSwan VPN Client for Android 4 and newer
strongSwan 5.x with Single Monolithic IKEv1/IKEv2 Daemon
2022-05-03 info@strongswan.org