====== StrongSwan Primer ======

===== What is StrongSwan =====

  * //StrongSwan is a comprehensive implementation of the Internet Key Exchange (IKE) protocols that allows securing IP traffic in policy- and route-based IPsec scenarios from simple to very complex.// **(From the StrongSwan website)**

----

===== Our Implementation =====

  * From the statement above we see that StrongSwan implements the following:
    * IKE protocols
    * Policy- or route-based IPsec
    * The implementation of these can vary from simple to very complex.
  * In RADIUSdesk our philosophy has always been to keep things as simple as possible, because //Simplicity is the ultimate sophistication.//
  * Our implementation uses certificates (PKI) and route-based IPsec (xfrm interfaces), similar to the other VPN implementations such as WireGuard and OpenVPN.

----

===== IKE =====

  * Internet Key Exchange (IKE, versioned as IKEv1 and IKEv2) is the protocol used to set up a security association (SA) in the IPsec protocol suite.
  * IKE has come a long way and evolved over time.
  * Initially things like NAT traversal and a client whose public address changes were not supported.
  * With IKEv2 (which has built-in NAT traversal and, through its MOBIKE extension, lets a peer keep its SA when its address changes) these shortcomings were addressed, making the StrongSwan implementation just as versatile as other modern VPN solutions.

----

===== Some basic concepts and terminology with StrongSwan =====

  * StrongSwan has been around for a long time, and it has been and still is under active development.
  * This is both a strength and a weakness.
  * The strength is that there is lots of documentation around and there are many existing deployments.
  * The weakness is that there was a major change in config and even architecture between older and more recent versions of StrongSwan.
  * You thus have to be careful when consulting documentation on StrongSwan.
  * Most AI engines mess up in this area, and I would recommend using the documentation on the StrongSwan website as the first choice.
  * Although we will revisit them later in other Wiki pages, keep the following three components in mind.
    * **Charon**. The charon daemon was built from scratch to implement the IKEv2 protocol for the strongSwan project. It can be considered the kernel of StrongSwan.
    * **Vici**. The vici plugin for libcharon provides the Versatile IKE Control Interface (VICI). We use **Vici** to communicate with **Charon**.
    * **Swanctl**. Swanctl is a command line utility to configure, control and monitor the IKE charon daemon via the vici interface plugin. Swanctl is also used by the startup scripts to load client configs.
  * We will work mostly (directly or indirectly) with swanctl.
  * Although there are many other plugins available as part of StrongSwan, we stick to these three items for now to avoid getting overwhelmed.
  * To recap: **Charon** is in the center, **Vici** sits on top of it, and **Swanctl** is on the outside, using Vici to speak with Charon.

technical/strongswan-primer.txt Last modified: 2026/01/12 06:13 by system
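As an added example (not code from the RADIUSdesk project or from the strongSwan documentation), the shell script below shows how the pieces from the "Our Implementation" and "Some basic concepts" sections fit together on a Linux host: a swanctl.conf connection that authenticates both peers with certificates and binds its CHILD_SA to an XFRM interface, the iproute2 commands that create that interface, and the swanctl calls that hand the configuration to charon over VICI. The connection name, interface ID 42, identities, addresses and certificate file names are all constructed placeholders; it assumes the stock swanctl.conf that includes conf.d/*.conf, certificates already placed under /etc/swanctl/x509 and the CA under /etc/swanctl/x509ca, and a running charon.

```shell
#!/bin/sh
# Added example: route-based IPsec (XFRM interface) with certificate
# authentication, driven through swanctl -> VICI -> charon. All names, IDs,
# addresses and certificate file names are constructed placeholders.
#
# Note: with XFRM interfaces, set charon.install_routes = no in
# strongswan.conf so charon does not add its own routes in table 220;
# the route through the XFRM interface decides what gets tunnelled.

# render_swanctl_conf NAME IF_ID LOCAL_ID REMOTE_ID REMOTE_ADDR
#   Prints a swanctl.conf connection block. Traffic selectors are 0.0.0.0/0
#   on both sides on purpose: with an XFRM interface, routing selects the
#   traffic, and the if_id binds the SAs/policies to that interface.
render_swanctl_conf() {
    name=$1; if_id=$2; local_id=$3; remote_id=$4; remote_addr=$5
    cat <<EOF
connections {
    $name {
        version = 2
        remote_addrs = $remote_addr
        local {
            auth = pubkey
            # our certificate (placeholder file in /etc/swanctl/x509)
            certs = ${name}Cert.pem
            id = $local_id
        }
        remote {
            # peer must present a certificate chaining to a CA in
            # /etc/swanctl/x509ca whose subject/SAN matches this id
            auth = pubkey
            id = $remote_id
        }
        children {
            $name {
                local_ts = 0.0.0.0/0
                remote_ts = 0.0.0.0/0
                if_id_in = $if_id
                if_id_out = $if_id
                start_action = start
                dpd_action = restart
            }
        }
    }
}
EOF
}

# xfrm_interface_cmds IFNAME IF_ID PHYS_DEV LOCAL_ADDR REMOTE_NET
#   Prints the iproute2 commands that create the XFRM interface carrying the
#   SAs/policies marked with IF_ID and route REMOTE_NET through it.
xfrm_interface_cmds() {
    ifname=$1; if_id=$2; dev=$3; addr=$4; net=$5
    printf '%s\n' \
        "ip link add $ifname type xfrm dev $dev if_id $if_id" \
        "ip link set $ifname up" \
        "ip addr add $addr dev $ifname" \
        "ip route add $net dev $ifname"
}

# provision NAME IF_ID LOCAL_ID REMOTE_ID REMOTE_ADDR PHYS_DEV LOCAL_ADDR REMOTE_NET
#   Writes the config, creates the interface and loads everything into charon.
#   Needs root and a running charon with the vici plugin.
provision() {
    name=$1; if_id=$2; local_id=$3; remote_id=$4; remote_addr=$5
    dev=$6; addr=$7; net=$8
    render_swanctl_conf "$name" "$if_id" "$local_id" "$remote_id" "$remote_addr" \
        > "/etc/swanctl/conf.d/$name.conf"
    xfrm_interface_cmds "ipsec$if_id" "$if_id" "$dev" "$addr" "$net" | sh -e
    swanctl --load-all      # swanctl pushes conns, certs and secrets to charon via VICI
    swanctl --list-conns    # confirm charon accepted the connection
    swanctl --list-sas      # confirm the IKE_SA / CHILD_SA came up
}

# Only act on the system when explicitly asked, so the helpers can be
# sourced or inspected without side effects:
#   sh this-script.sh provision site-a 42 "CN=site-a" "CN=site-b" 203.0.113.10 eth0 10.255.0.1/30 10.20.0.0/16
case "${1:-}" in
    provision) shift; provision "$@" ;;
esac
```

Running it with the `provision` argument writes /etc/swanctl/conf.d/site-a.conf, creates ipsec42 bound to if_id 42, and then the three swanctl calls show the chain from the primer in action: swanctl talks VICI, charon negotiates IKEv2 and installs the SAs, and the kernel attaches them to the XFRM interface that carries the route.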