strongSwan is a multiplatform IPsec implementation. The focus of the project is on strong authentication mechanisms using X.509 public key certificates and optional secure storage of private keys and certificates on smartcards through a standardized PKCS#11 interface and on TPM 2.0.
strongSwan supports IKEv1 and fully implements IKEv2.
IKEv1 and IKEv2 features
strongSwan offers plugins, enhancing its functionality. The user can choose among three crypto libraries.
Using the openssl plugin, strongSwan supports Elliptic Curve Cryptography both for IKEv2 and IKEv1, so that interoperability with Microsoft's Suite B implementation on Vista, Win 7, Server 2008, etc. is possible.
Automatic assignment of virtual IP addresses to VPN clients from one or several address pools using either the IKEv1 ModeConfig or IKEv2 Configuration payload. The pools are either volatile or stored in a SQLite or MySQL database.
The ipsec poolcommand line utility allows the management of IP address pools and configuration attributes like internal DNS and NBNS servers.
IKEv2 only features
The IKEv2 daemon is inherently multi-threaded.
The IKEv2 daemon comes with a High-Availability option based on Cluster IP where currently a cluster of two hosts does active load-sharing and each host can take over the ESP and IKEv2 states without rekeying if the other host fails.
The following EAP authentication methods are supported: AKA and SIM including the management of multiple SIM cards, MD5, MSCHAPv2, GTC, TLS, TTLS. EAP-MSCHAPv2 authentication based on user passwords and EAP-TLS with user certificates are interoperable with the Windows 7 Agile VPN Client.
The EAP-RADIUS plugin relays EAP packets to one or multiple AAA servers.
Support of RFC 5998 EAP-Only Authentication in conjunction with strong mutual authentication methods like e.g. EAP-TLS.
Support of RFC 4739 IKEv2 Multiple Authentication Exchanges.
Support of RFC 5685 IKEv2 Redirection.
Support of the RFC 4555 Mobility and Multihoming Protocol which allows dynamic changes of the IP address and/or network interface without IKEv2 rekeying. MOBIKE is also supported by the Windows 7 Agile VPN Client.
The strongSwan IKEv2 NetworkManager applet supports EAP, X.509 certificate and PKCS#11 smartcard based authentication. Assigned DNS servers are automatically installed and removed again in /etc/resolv.conf.
Support of Trusted Network Connect. A strongSwan VPN client can act as a TNC client and a strongSwan VPN gateway as a Policy Enforcement Point and optionally as a co-located TNC server. The following TCG interfaces are supported: IF-IMC 1.2, IF-IMV 1.2, IF-PEP 1.1, IF-TNCCS 1.1, IF-TNCCS 2.0, IF-M 1.0, and IF-MAP 2.0.
The IKEv2 daemon has been fully ported to the Android operating system including integration into the Android VPN applet. It has also been ported to the Maemo, FreeBSD and macOS operating systems.
The focus of the strongSwan project lies on strong authentication by means of X.509 certificates, as well as the optional safe storage of private keys on smart cards using the standardized PKCS#11 interface, strongSwan certificate check lists and On-line Certificate Status Protocol. An important capability is the use of X.509 Certificate Attributes, which permits it to utilize complex access control mechanisms on the basis of group memberships. strongSwan comes with a simulation environment based on KVM. A network of eight virtual hosts allows the user to enact a multitude of site-to-site and roadwarrior VPN scenarios.
