strongSwan

the OpenSource IPsec-based VPN Solution for Linux:

  • runs both on Linux 2.4 (KLIPS IPsec) and Linux 2.6 (NETKEY IPsec) kernels
  • implements both the IKEv1 and IKEv2 (RFC 4306) key exchange protocols
  • Fully tested support of IPv6 IPsec tunnel connections
  • Dynamic IP address and interface update with IKEv2 MOBIKE (RFC 4555)
  • Fast connection startup and periodic update using ipsec starter
  • Automatic insertion and deletion of IPsec policy based firewall rules
  • Strong 3DES, AES, Serpent, Twofish, or Blowfish encryption
  • NAT-Traversal via UDP encapsulation and port floating (RFC 3947)
  • Static Virtual IPs and IKE Mode Config Pull and Push modes
  • XAUTH server and client functionality on top of IKE Main Mode authentication
  • Dead Peer Detection (DPD, RFC 3706) takes care of dangling tunnels
  • Authentication based on X.509 certificates or preshared keys
  • Generation of a default self-signed certificate during first strongSwan startup
  • Retrieval and local caching of Certificate Revocation Lists via HTTP or LDAP
  • Full support of the Online Certificate Status Protocol (OCSP, RFC 2560)
  • CA management (OCSP and CRL URIs, default LDAP server)
  • Powerful IPsec policies based on wildcards or intermediate CAs
  • Group policies based on X.509 attribute certificates (RFC 3281)
  • Optional storage of RSA private keys and certificates on a smartcard
  • Smartcard access via standardized PKCS #11 interface 
  • PKCS #11 proxy function offering RSA decryption services via whack
  • strongSwan Manager - a graphical management interface for IKEv2
  • NEW: Modular plugins for crypto algorithms and relational database interfaces

Visit us at LinuxTag in Berlin (booth 107 in hall 7.2a)

strongSwan 4.2 with IKEv1 and IKEv2 for Linux 2.6 kernels

  • The strongSwan 4.2 branch supports both the IKEv1 and IKEv2 key exchange protocols in conjunction with the native NETKEY IPsec stack of the Linux 2.6 kernel. The IKEv1 keying daemon pluto has been inherited from the strongSwan 2.8 branch whereas the IKEv2 keying daemon charon is based on a totally new object-oriented and multi-threaded concept, with 100% of the code being written in C. strongSwan's IKEv2 functionality was first presented at LinuxTag 2006 and has now been successfully tested against 12 IKEv2 vendors during the recent IKEv2 Interoperability Workshop.
  • strongSwan 4.2 is the official strongSwan distribution that will be actively maintained and continually enriched with new features.

strongSwan 2.8 with IKEv1 for Linux 2.4 and 2.6 kernels

  • The strongSwan 2.8 branch is a descendant of the well-known FreeS/WAN project and has been supplemented over the years with a rich set of additional features such as X.509 certificate and PKCS#11 smartcard support, NAT traversal, XAUTH, etc. The IKEv1 keying daemon pluto can be used either with FreeS/WAN's KLIPS IPsec stack on Linux 2.4 kernels or with the native NETKEY IPsec stack on Linux 2.6 kernels.
  • Maintenance of the strongSwan 2.8 branch was discontinued in December 2007. If possible, please migrate your application to the strongSwan 4.2 branch.
 

02.04.2008  info@strongswan.org