strongSwan - Design by Margo Galas <galas (at) solnet (dot) ch>

Main Sponsors

secunet

codelabs

Current Release: 5.9.3
Download - Changelog

strongSwan

 

the OpenSource IPsec-based VPN Solution

  • runs on Linux 2.6, 3.x and 4.x kernels, Android, FreeBSD, OS X, iOS and Windows
  • implements both the IKEv1 and IKEv2 (RFC 7296) key exchange protocols
  • Fully tested support of IPv6 IPsec tunnel and transport connections
  • Dynamical IP address and interface update with IKEv2 MOBIKE (RFC 4555)
  • Automatic insertion and deletion of IPsec-policy-based firewall rules
  • NAT-Traversal via UDP encapsulation and port floating (RFC 3947)
  • Support of IKEv2 message fragmentation (RFC 7383) to avoid issues with IP fragmentation
  • Dead Peer Detection (DPD, RFC 3706) takes care of dangling tunnels
  • Static virtual IPs and IKEv1 ModeConfig pull and push modes
  • XAUTH server and client functionality on top of IKEv1 Main Mode authentication
  • Virtual IP address pool managed by IKE daemon or SQL database
  • Secure IKEv2 EAP user authentication (EAP-SIM, EAP-AKA, EAP-TLS, EAP-TTLS, EAP-PEAP, EAP-MSCHAPv2, etc.)
  • Optional relaying of EAP messages to AAA server via EAP-RADIUS plugin
  • Support of IKEv2 Multiple Authentication Exchanges (RFC 4739)
  • Authentication based on X.509 certificates or preshared keys
  • Use of strong signature algorithms with Signature Authentication in IKEv2 (RFC 7427)
  • Retrieval and local caching of Certificate Revocation Lists via HTTP or LDAP
  • Full support of the Online Certificate Status Protocol (OCSP, RFC 2560).
  • CA management (OCSP and CRL URIs, default LDAP server)
  • Powerful IPsec policies based on wildcards or intermediate CAs
  • Storage of RSA private keys and certificates on a smartcard (PKCS #11 interface) or protected by a TPM 2.0
  • Modular plugins for crypto algorithms and relational database interfaces
  • Support of NIST elliptic curve DH groups and ECDSA signatures and certificates (Suite B, RFC 4869)
  • Support of X25519 elliptic curve DH group (RFC 8031) and Ed25519 signatures and certificates (RFC 8420)
  • Optional built-in integrity and crypto tests for plugins and libraries
  • Smooth Linux desktop integration via the strongSwan NetworkManager applet
  • Trusted Network Connect compliant to PB-TNC (RFC 5793), PA-TNC (RFC 5792), PT-TLS (RFC 6876), PT-EAP (RFC 7171) and SWIMA for PA-TNC (RFC 8412)

strongSwan VPN Client for Android 4 and newer

  • The free strongSwan App can be downloaded from Google Play. The VPN client supports IKEv2 only with EAP-MD5 or EAP-MSCHAPv2 password-based, or certificate based user authentication and certificate-based VPN gateway authentication.
  

strongSwan 5.x with Single Monolithic IKEv1/IKEv2 Daemon

  • The strongSwan 5.x branch supports both the IKEv1 and IKEv2 key exchange protocols in conjunction with the native NETKEY IPsec stack of the Linux kernel. The  charon IKE daemon is based on a modern object-oriented and multi-threaded concept, with 100% of the code being written in C. strongSwan's IKEv2 functionality has been successfully tested against 15 IKEv2 vendors during the third and fourth IKEv2 Interoperability Workshops in 2007 and 2008, respectively. The IKEv1 functionality has been re-implemented in 2012 from scratch by extending the source code of our successful IKEv2 charon daemon. IKEv1 interoperability has been tested against the existing strongSwan 4.6 pluto daemon and several third party products.

2021-07-06 info@strongswan.org