strongSwan

From Wikipedia, the free encyclopedia
Jump to navigation Jump to search

strongSwan
Developer(s)Andreas Steffen, Martin Willi & Tobias Brunner
Stable release
v5.7.0 / September 24, 2018; 42 days ago (2018-09-24)[1]
Preview release
v5.7.0rc2 / September 18, 2018; 48 days ago (2018-09-18) (Released now as stable)
Repository Edit this at Wikidata
Written inC
Operating systemLinux, Android, Maemo, FreeBSD, macOS, Windows
TypeIPsec
LicenseGNU General Public License
Websitewww.strongswan.org

strongSwan is a multiplatform IPsec implementation. The focus of the project is on strong authentication mechanisms using X.509 public key certificates and optional secure storage of private keys and certificates on smartcards through a standardized PKCS#11 interface and on TPM 2.0.

Overview[edit]

The project is maintained by Andreas Steffen who is a professor for Security in Communications at the University of Applied Sciences in Rapperswil, Switzerland.[2]

As a descendant of the FreeS/WAN project, strongSwan continues to be released under the GPL license.[3] It supports certificate revocation lists and the Online Certificate Status Protocol (OCSP). A unique feature is the use of X.509 attribute certificates to implement access control schemes based on group memberships. StrongSwan interoperates with other IPsec implementations, including various Microsoft Windows and macOS VPN clients. The modular strongSwan 5.0 branch fully implements the Internet Key Exchange (IKEv2) protocol defined by RFC 5996.[4]

Features[edit]

strongSwan supports IKEv1 and fully implements IKEv2.[4]

IKEv1 and IKEv2 features[edit]

  • strongSwan offers plugins, enhancing its functionality. The user can choose among three crypto libraries (legacy [non-US] FreeS/WAN, OpenSSL, and gcrypt).
  • Using the openssl plugin, strongSwan supports Elliptic Curve Cryptography (ECDH groups and ECDSA certificates and signatures) both for IKEv2 and IKEv1, so that interoperability with Microsoft's Suite B implementation on Vista, Win 7, Server 2008, etc. is possible.
  • Automatic assignment of virtual IP addresses to VPN clients from one or several address pools using either the IKEv1 ModeConfig or IKEv2 Configuration payload. The pools are either volatile (i.e. RAM-based) or stored in a SQLite or MySQL database (with configurable lease-times).
  • The ipsec pool command line utility allows the management of IP address pools and configuration attributes like internal DNS and NBNS servers.

IKEv2 only features[edit]

  • The IKEv2 daemon is inherently multi-threaded (16 threads by default). It has been shown that up to 20,000 concurrent IPsec tunnels can be handled on industry-grade VPN gateways[citation needed].
  • The IKEv2 daemon comes with a High-Availability option based on Cluster IP where currently a cluster of two hosts does active load-sharing and each host can take over the ESP and IKEv2 states without rekeying if the other host fails.
  • The following EAP authentication methods are supported: AKA and SIM including the management of multiple [U]SIM cards, MD5, MSCHAPv2, GTC, TLS, TTLS. EAP-MSCHAPv2 authentication based on user passwords and EAP-TLS with user certificates are interoperable with the Windows 7 Agile VPN Client.
  • The EAP-RADIUS plugin relays EAP packets to one or multiple AAA servers (e.g. FreeRADIUS or Active Directory).
  • Support of RFC 5998 EAP-Only Authentication in conjunction with strong mutual authentication methods like e.g. EAP-TLS.
  • Support of RFC 4739 IKEv2 Multiple Authentication Exchanges.
  • Support of RFC 5685 IKEv2 Redirection.
  • Support of the RFC 4555 Mobility and Multihoming Protocol (MOBIKE) which allows dynamic changes of the IP address and/or network interface without IKEv2 rekeying. MOBIKE is also supported by the Windows 7 Agile VPN Client.
  • The strongSwan IKEv2 NetworkManager applet supports EAP, X.509 certificate and PKCS#11 smartcard based authentication. Assigned DNS servers are automatically installed and removed again in /etc/resolv.conf.
  • Support of Trusted Network Connect (TNC). A strongSwan VPN client can act as a TNC client and a strongSwan VPN gateway as a Policy Enforcement Point (PEP) and optionally as a co-located TNC server. The following TCG interfaces are supported: IF-IMC 1.2, IF-IMV 1.2, IF-PEP 1.1, IF-TNCCS 1.1, IF-TNCCS 2.0 (RFC 5793 PB-TNC), IF-M 1.0 (RFC 5792 PA-TNC), and IF-MAP 2.0.
  • The IKEv2 daemon has been fully ported to the Android operating system including integration into the Android VPN applet. It has also been ported to the Maemo, FreeBSD and macOS operating systems.

KVM simulation environment[edit]

The focus of the strongSwan project lies on strong authentication by means of X.509 certificates, as well as the optional safe storage of private keys on smart cards using the standardized PKCS#11 interface, strongSwan certificate check lists and On-line Certificate Status Protocol (OCSP).

An important capability is the use of X.509 Certificate Attributes, which permits it to utilize complex access control mechanisms on the basis of group memberships.

strongSwan comes with a simulation environment based on KVM. A network of eight virtual hosts allows the user to enact a multitude of site-to-site and roadwarrior VPN scenarios.


See also[edit]

References[edit]

  1. ^ strongSwan - Download
  2. ^ "Advisors: Prof. Dr. Andreas Steffen". University of Applied Sciences. Retrieved 2017-10-31.
  3. ^ "strongSwan - Download: License statement". 2015-09-06. Retrieved 2015-09-28.
  4. ^ a b "strongSwan: the OpenSource IPsec-based VPN Solution". 2015-09-06. Retrieved 2015-09-28.

External links[edit]