Differences
| technical:strongswan-primer [2026/01/10 20:50] – system | technical:strongswan-primer [2026/01/12 06:13] (current) – [What is StrongSwan] system | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| ====== StrongSwan Primer ====== | ====== StrongSwan Primer ====== | ||
| ===== What is StrongSwan ===== | ===== What is StrongSwan ===== | ||
| - | * Their Summary: | + | * // |
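Review bot: the replacement for the "Their Summary:" bullet is visible here only as "* //", so this diff does not show what text now stands in its place; if the wiki italic markup (//) was opened on that line, check in the current revision that it is closed on the same line, otherwise the rest of the section renders in italics.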
| --------- | --------- | ||
| Line 11: | Line 11: | ||
| * The implementation of these can vary from simple to very complex. | * The implementation of these can vary from simple to very complex. | ||
| * In RADIUSdesk our philosophy always been to keep things as simple as possible because // | * In RADIUSdesk our philosophy always been to keep things as simple as possible because // | ||
| - | * Our implementation uses certificates (PKI) and Route based IPsec (xfrm interfaces) similar to the other VPN implementations like Wireguard and OpenVPN. | + | * Our implementation uses certificates (PKI) and route-based IPsec (xfrm interfaces) similar to the other VPN implementations like Wireguard and OpenVPN. |
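Review bot: the change from "Route based IPsec" to "route-based IPsec" is correct; while in this area, the unchanged second bullet reads "our philosophy always been", which is missing "has" ("has always been"), and the product name on the edited bullet is spelled "WireGuard" (capital G) in both the old and new text.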
| --------- | --------- | ||
| Line 20: | Line 20: | ||
| * Initially things like NAT traversal and a client whose public address changes were not supported. | * Initially things like NAT traversal and a client whose public address changes were not supported. | ||
| * With IKEv2 these shortcomings were addressed making the StrongSwan implementation just as versatile as other modern VPN solutions. | * With IKEv2 these shortcomings were addressed making the StrongSwan implementation just as versatile as other modern VPN solutions. | ||
| + | |||
| + | ---------- | ||
| ===== Some basic concepts and terminology with StrongSwan ===== | ===== Some basic concepts and terminology with StrongSwan ===== | ||
| Line 27: | Line 29: | ||
| * The weakness is that there was a major change in terms of config and even architecture between older and more recent versions of StrongSwan. | * The weakness is that there was a major change in terms of config and even architecture between older and more recent versions of StrongSwan. | ||
| * You thus have to be careful when consulting documentation on StrongSwan. | * You thus have to be careful when consulting documentation on StrongSwan. | ||
| - | * Most AI engines mess up in this area and I would recommend to use the documentation on the StrongSwan website as the first choice. | + | * Most AI engines mess up in this area and I would recommend to use the documentation on the StrongSwan website as the first choice. |
| + | * Although we will revisit it later in other Wiki pages keep the following three components / items in mind. | ||
| + | * **Charon**. The charon daemon was built from scratch to implement the IKEv2 protocol for the strongSwan project. This can be considered the kernel of StrongSwan. | ||
| + | * **Vici**. The vici plugin for libcharon provides the Versatile IKE Control Interface (VICI). We use **Vici** to communicate with **Charon**. | ||
| + | * **Swanctl**. Swanctl is a command line utility to configure, control and monitor the IKE charon daemon via the vici interface plugin. Swanctl is also used by the startup scripts to load client configs. | ||
| + | * We will work mostly (directly or indirectly with swanctl). | ||
| + | * Although there are many other plugins available and part of StrongSwan, we stick to these three items for now to prevent from getting overwhelmed. | ||
| + | * To recap, **Charon** is in the center, **Vici** sits on top of it. **Swanctl** is on the outside, using Vici to speak with Charon. | ||
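Review bot: the new Charon/Vici/Swanctl bullets introduce a control interface without saying who may use it; since the text itself states that swanctl configures and controls charon through vici, consider adding one sentence that any process able to reach the vici interface has the same control over charon that swanctl has, so access to it should be limited to the administrator and the startup scripts mentioned here. Smaller points in the same hunk: "strongSwan" (Charon bullet) and "StrongSwan" (everywhere else) are mixed, pick one spelling; "We will work mostly (directly or indirectly with swanctl)" has the closing parenthesis in the wrong place and should read "We will work mostly (directly or indirectly) with swanctl"; "to prevent from getting overwhelmed" is missing its object ("to prevent us from getting overwhelmed"); "components / items" would read better as "components"; and the unchanged "I would recommend to use" is more natural as "I would recommend using".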