StrongSwan

strongSwan (the project's own spelling; the name is loosely derived from the English words "stronghold" and "swan") is a complete IPsec implementation for the Linux kernel 2.6 and 3.x.

History and more details

As one of the two successors of the FreeS/WAN project, strongSwan is likewise licensed under the GNU General Public License. The project is led by Andreas Steffen, Professor of Security and Communication at the University of Applied Sciences Rapperswil (Switzerland). Martin Willi is the software architect and lead developer of the IKEv2 keying daemon. NAT traversal for IKEv2 was contributed by Tobias Brunner and Daniel Röthlisberger.

The focus of the strongSwan project is strong authentication using X.509 certificates, with optional secure storage of private keys on smart cards via the standardized PKCS#11 interface. strongSwan supports certificate revocation lists (CRLs) and the Online Certificate Status Protocol (OCSP).

A distinctive feature is its use of X.509 attribute certificates, which make it possible to implement complex access control mechanisms based on group membership.
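As an added illustration of the two preceding paragraphs (certificate-based authentication with revocation checking, and group-based access control through attribute certificates), the following ipsec.conf fragment shows how these features are expressed in a strongSwan gateway configuration. It is example configuration written for this article, not configuration taken from the strongSwan project's documentation; the hostnames, certificate file names, subnets and the group name are hypothetical placeholders.

```ini
# Added example, not from the original article or the strongSwan project.
# Hostnames, file names, subnets and the group name are placeholders.

config setup
    # Reject a peer certificate when no current CRL or OCSP response can be
    # obtained, instead of silently accepting it.
    strictcrlpolicy=yes

ca example-ca
    cacert=exampleCA.pem
    # Where revocation information for certificates issued by this CA is fetched.
    crluri=http://crl.example.test/exampleCA.crl
    ocspuri=http://ocsp.example.test
    auto=add

conn roadwarrior
    keyexchange=ikev2
    # Local side: the gateway authenticates with its own X.509 certificate.
    # The matching private key may also live on a smart card reached via PKCS#11.
    left=%defaultroute
    leftcert=gatewayCert.pem
    leftid=@gateway.example.test
    leftauth=pubkey
    leftsubnet=10.1.0.0/16
    # Remote side: any peer whose certificate chains to example-ca is accepted,
    # but only if it also presents an attribute certificate placing it in the
    # named group; membership in that group is the access-control decision.
    right=%any
    rightauth=pubkey
    rightgroups="vpn-admins"
    rightsourceip=10.3.0.0/24
    auto=add
```

The point to check when deploying something like this is strictcrlpolicy: with its default of no, a peer whose revocation status cannot be determined is still admitted, so an unreachable CRL or OCSP responder quietly turns revocation checking off.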

Nevertheless, strongSwan is easy to configure and interoperates with almost all other IPsec implementations, in particular with the various VPN products for the Windows and Mac operating systems.

strongSwan also fully supports version 2 of the Internet Key Exchange protocol (IKEv2), specified in RFC 4306, in which an IPsec tunnel is established with an exchange of only four messages; the older IKEv1 protocol requires nine. Since version 4.3, Multiple Authentication Exchanges (RFC 4739) are also supported. Tobias Brunner wrote the IKEv2 Mediation Extension.

Topology

Simulation environment

strongSwan can be tested in an easy-to-set-up simulation environment based on User Mode Linux (UML). A network of eight virtual machines lets the user follow a variety of VPN scenarios. It also demonstrates in practice how IPsec connections can be established across one or two NAT routers using NAT traversal (RFC 3947).
