Quickstart

Set up your first VPN tunnel in minutes with site-to-site or roadwarrior configuration

Installation

Install strongSwan on Linux, from source or via package managers

swanctl Configuration

Learn the modern swanctl.conf format for defining connections and credentials

VICI Protocol

Programmatically control and monitor the charon daemon via the VICI interface

What is strongSwan?

strongSwan is an open-source, standards-compliant IPsec VPN solution. It runs on Linux, Android, FreeBSD, macOS, Windows, and other platforms, implementing both IKEv1 and IKEv2 key exchange protocols. The core daemon, charon, handles all IKE negotiation and IPsec security association management. It is controlled via the swanctl command-line tool and the VICI (Versatile IKE Control Interface) protocol.

Key capabilities

IKEv1 & IKEv2

Full implementation of both IKE versions with support for all standard authentication methods

Flexible Authentication

X.509 certificates, PSK, EAP (MD5, MSCHAPv2, TLS, PEAP, RADIUS), XAuth, and more

Plugin Architecture

70+ plugins for cryptography, kernel integration, EAP methods, and protocol extensions

PKI Toolchain

Built-in pki tool for generating CAs, certificates, CRLs, and PKCS#12 bundles

Virtual IP Pools

Assign virtual IP addresses to roadwarrior clients from configurable address pools

High Availability

HA clustering support for active-passive gateway failover

TPM 2.0 Support

Secure key storage using Trusted Platform Module hardware

RADIUS Integration

EAP-RADIUS plugin for centralized authentication against RADIUS servers

Architecture overview

┌───────────────────────────────────────────────────┐
│                    User Space                     │
│                                                   │
│   swanctl ──── VICI ──── charon daemon            │
│                              │                    │
│                         ┌────┴────┐               │
│                         │ Plugins │               │
│                         │ kernel  │               │
│                         │ crypto  │               │
│                         │  eap    │               │
│                         └────┬────┘               │
└──────────────────────────────┼────────────────────┘
                               │
┌──────────────────────────────┼────────────────────┐
│                 Kernel Space │                    │
│                              ▼                    │
│              XFRM / PF_KEY (IPsec SA/SP)          │
└───────────────────────────────────────────────────┘
The charon IKE daemon runs in user space and communicates with the Linux kernel’s XFRM framework (or PF_KEY on BSD) to install IPsec Security Associations (SAs) and Security Policies (SPs). The swanctl tool connects to charon via the Unix socket at /var/run/charon.vici using the VICI protocol.
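To make the VICI side of that diagram concrete, here is an added example (written for this page, not strongSwan's own Python bindings) of the wire format swanctl speaks over /var/run/charon.vici: every packet is a 4-byte big-endian length followed by a type byte, a CMD_REQUEST carries a 1-byte-length-prefixed command name, and the message body is a flat stream of typed elements (sections, key/value pairs, lists) with 1-byte name lengths and 2-byte value lengths. The encoder, decoder and framing below implement that encoding; the "version" reply used for the round-trip is a constructed sample, and send_command only works against a live daemon.

```python
"""Minimal encoder/decoder for the VICI wire format that charon exposes on
/var/run/charon.vici (added example; not strongSwan's own Python bindings)."""
import socket
import struct

VICI_SOCKET = "/var/run/charon.vici"  # default socket path named on the page

# Message element types (one byte each) from the VICI protocol.
SECTION_START, SECTION_END, KEY_VALUE, LIST_START, LIST_ITEM, LIST_END = 1, 2, 3, 4, 5, 6
# Packet types needed for a plain request/response exchange.
CMD_REQUEST, CMD_RESPONSE, CMD_UNKNOWN = 0, 1, 2


def _name(key):
    """Names are prefixed with a single length byte, so they are capped at 255 bytes."""
    raw = key.encode()
    if len(raw) > 255:
        raise ValueError("VICI name too long: %r" % key)
    return bytes([len(raw)]) + raw


def _value(val):
    """Values carry a 2-byte big-endian length, so they are capped at 65535 bytes."""
    raw = val if isinstance(val, bytes) else str(val).encode()
    if len(raw) > 0xFFFF:
        raise ValueError("VICI value too long")
    return struct.pack("!H", len(raw)) + raw


def encode_message(obj):
    """Serialise nested dicts (sections), lists and scalars into a VICI message body."""
    out = bytearray()
    for key, val in obj.items():
        if isinstance(val, dict):
            out += bytes([SECTION_START]) + _name(key) + encode_message(val) + bytes([SECTION_END])
        elif isinstance(val, (list, tuple)):
            out += bytes([LIST_START]) + _name(key)
            for item in val:
                out += bytes([LIST_ITEM]) + _value(item)
            out += bytes([LIST_END])
        else:
            out += bytes([KEY_VALUE]) + _name(key) + _value(val)
    return bytes(out)


def decode_message(data):
    """Parse a VICI message body back into nested dicts; scalar values come back as str."""
    root, stack, cur_list, pos = {}, [], None, 0
    stack.append(root)
    while pos < len(data):
        elem = data[pos]
        pos += 1
        if elem in (SECTION_START, KEY_VALUE, LIST_START):
            n = data[pos]
            name = data[pos + 1:pos + 1 + n].decode()
            pos += 1 + n
        if elem == SECTION_START:
            section = {}
            stack[-1][name] = section
            stack.append(section)
        elif elem == SECTION_END:
            if len(stack) == 1:
                raise ValueError("SECTION_END without matching SECTION_START")
            stack.pop()
        elif elem == KEY_VALUE:
            (n,) = struct.unpack("!H", data[pos:pos + 2])
            stack[-1][name] = data[pos + 2:pos + 2 + n].decode()
            pos += 2 + n
        elif elem == LIST_START:
            cur_list = []
            stack[-1][name] = cur_list
        elif elem == LIST_ITEM:
            if cur_list is None:
                raise ValueError("LIST_ITEM outside a list")
            (n,) = struct.unpack("!H", data[pos:pos + 2])
            cur_list.append(data[pos + 2:pos + 2 + n].decode())
            pos += 2 + n
        elif elem == LIST_END:
            cur_list = None
        else:
            raise ValueError("unknown VICI element type %d" % elem)
    if len(stack) != 1 or cur_list is not None:
        raise ValueError("truncated VICI message")
    return root


def build_request(command, args=None):
    """Frame a CMD_REQUEST packet: 4-byte length, type byte, command name, message body."""
    body = bytes([CMD_REQUEST]) + _name(command) + encode_message(args or {})
    return struct.pack("!I", len(body)) + body


def parse_response(packet):
    """Unframe a packet from charon and return the decoded CMD_RESPONSE message."""
    (length,) = struct.unpack("!I", packet[:4])
    body = packet[4:4 + length]
    if len(body) != length:
        raise ValueError("short VICI packet")
    if body[0] == CMD_UNKNOWN:
        raise ValueError("charon does not know that command")
    if body[0] != CMD_RESPONSE:
        raise ValueError("unexpected VICI packet type %d" % body[0])
    return decode_message(body[1:])


def send_command(command, args=None, path=VICI_SOCKET):
    """Run one command against a live charon (needs a running daemon and socket access)."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.connect(path)
        sock.sendall(build_request(command, args))
        header = sock.recv(4)
        (length,) = struct.unpack("!I", header)
        body = b""
        while len(body) < length:
            chunk = sock.recv(length - len(body))
            if not chunk:
                raise ConnectionError("charon closed the VICI socket")
            body += chunk
    return parse_response(header + body)


# Constructed sample of a "version" reply (not captured from a real daemon).
SAMPLE_VERSION_REPLY = {"daemon": "charon", "version": "x.y.z", "sysname": "Linux"}


def sample_roundtrip():
    """Frame the constructed reply as a CMD_RESPONSE packet and decode it again."""
    body = bytes([CMD_RESPONSE]) + encode_message(SAMPLE_VERSION_REPLY)
    return parse_response(struct.pack("!I", len(body)) + body)


if __name__ == "__main__":
    print(build_request("version").hex())
    print(sample_roundtrip())
```

Two practical points follow from the format. First, there is no authentication inside the protocol: whoever can open the Unix socket can issue any command charon accepts, so the socket's file permissions are the access boundary for the daemon and should be reviewed like any other privileged control interface. Second, strongSwan ships its own bindings (the vici Python package, maintained in the strongSwan source tree) that implement this same framing; the hand-written codec above is only meant to show what those bindings put on the wire.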

Configuration approach

strongSwan uses a two-file configuration approach:
File                         Purpose
/etc/swanctl/swanctl.conf    VPN connections, credentials, IP pools
/etc/strongswan.conf         Daemon settings, plugin configuration, logging
The modern configuration interface uses swanctl with swanctl.conf. The legacy ipsec command with ipsec.conf is deprecated but still supported via the stroke plugin.

Common deployment scenarios