strongSwan is a free, open-source IPsec-based VPN client available for most operating systems. It implements both the IKEv1 and IKEv2 key exchange protocols to exchange cryptographic keys between hosts and clients. There are a lot of technical terms to understand here, starting with IPsec and then moving on to IKE.
strongSwan VPN
Understanding and working with strongSwan is no child's play; it requires deep knowledge and a sound understanding of Internet protocols and the security features related to them.
Here is the list of features sourced from the official strongSwan website. The list may include some difficult terms, but inquisitiveness has always been the best teacher, so head to Google or Bing and look them up:
- Runs on Linux 2.6, 3.x and 4.x kernels, Android, FreeBSD, OS X and Windows
- Implements both the IKEv1 and IKEv2 (RFC 7296) key exchange protocols
- Fully tested support of IPv6 IPsec tunnel and transport connections
- Dynamical IP address and interface update with IKEv2 MOBIKE (RFC 4555)
- Automatic insertion and deletion of IPsec-policy-based firewall rules
- NAT-Traversal via UDP encapsulation and port floating (RFC 3947)
- Support of IKEv2 message fragmentation (RFC 7383) to avoid issues with IP fragmentation
- Dead Peer Detection (DPD, RFC 3706) takes care of dangling tunnels
- Static virtual IPs and IKEv1 ModeConfig pull and push modes
- XAUTH server and client functionality on top of IKEv1 Main Mode authentication
- Virtual IP address pool managed by IKE daemon or SQL database
- Secure IKEv2 EAP user authentication (EAP-SIM, EAP-AKA, EAP-TLS, EAP-MSCHAPv2, etc.)
- Optional relaying of EAP messages to AAA server via EAP-RADIUS plugin
- Support of IKEv2 Multiple Authentication Exchanges (RFC 4739)
- Authentication based on X.509 certificates or preshared keys
- Use of strong signature algorithms with Signature Authentication in IKEv2 (RFC 7427)
- Retrieval and local caching of Certificate Revocation Lists via HTTP or LDAP
- Full support of the Online Certificate Status Protocol (OCSP, RFC 2560).
- CA management (OCSP and CRL URIs, default LDAP server)
- Powerful IPsec policies based on wildcards or intermediate CAs
- Storage of RSA private keys and certificates on a smartcard (PKCS #11 interface)
- Modular plugins for crypto algorithms and relational database interfaces
- Support of elliptic curve DH groups and ECDSA certificates (Suite B, RFC 4869)
- Optional built-in integrity and crypto tests for plugins and libraries
- Smooth Linux desktop integration via the strongSwan NetworkManager applet
- Trusted Network Connect compliant to PB-TNC (RFC 5793) and PA-TNC (RFC 5792)
strongSwan is fully functional on Linux operating systems, and distribution packages are also available. Still, no distribution package is available for Windows yet, and you need to build the code yourself using the MinGW toolchain. Not all the features are available on Windows, and many limitations are associated with the project. To run strongSwan properly, you need to disable the native IKE service on Windows and a few others.
Installation and configuration on Windows are tedious for now, but the project is expected to develop installable binary packages soon to make this easier.
You can read more about strongSwan for Windows OS here.
The strongSwan project is maintained by Andreas Steffen, a professor of Security in Communications at the University of Applied Sciences in Rapperswil, Switzerland. It is also sponsored by major IT security companies, including Secunet, Sophos, and Revosec.
strongSwan is a well-written implementation of IPsec. It is completely open source and available free of cost. You can download it, build it yourself, and then create your own virtual network. Although it requires some technical knowledge to understand the workings and the code, you can check out the project documentation to learn more about it and read the installation instructions and other details.
What is StrongSwan VPN?
As the name suggests, strongSwan is a VPN app built upon IPsec. Its main intention is top-notch security. The best part is that you can download and use it on multiple platforms, including Windows, Android, Mac, Linux, etc.
How do I configure StrongSwan site to site VPN?
To configure a strongSwan site-to-site VPN, you need a few things. First, the virtual server requires a public IP address, a private IP address, a gateway, and so on. Second, you need a virtual server and a remote server so that the remote server can be used as a virtual private network. Finally, you must have the external address and subnet mask in dotted-decimal (1.1.1.1) format.
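As an added example (not from the original article or the strongSwan project), this Python sketch takes those inputs for two sites, converts each dotted-decimal subnet mask to the CIDR form used in swanctl.conf traffic selectors, rejects overlapping private subnets, and renders the mirrored connection for each gateway. The addresses, site names, certificate file names and example.org identities are constructed placeholders, and certificate authentication is an assumed choice.

```python
import ipaddress

# Constructed sample sites using documentation address ranges (assumptions).
SITE_A = {"name": "site-a", "public": "192.0.2.1", "net": "10.1.0.0", "mask": "255.255.0.0"}
SITE_B = {"name": "site-b", "public": "198.51.100.1", "net": "10.2.0.0", "mask": "255.255.0.0"}

def to_cidr(net, mask):
    """Combine a network address and dotted-decimal mask into a CIDR network.
    Raises ValueError for a non-contiguous mask or an address with host bits set."""
    return ipaddress.ip_network(f"{net}/{mask}", strict=True)

def render(local, remote):
    """Return the swanctl.conf connection for the `local` gateway."""
    l_ts = to_cidr(local["net"], local["mask"])
    r_ts = to_cidr(remote["net"], remote["mask"])
    if l_ts.overlaps(r_ts):
        # Overlapping selectors would make traffic to the peer's subnet ambiguous.
        raise ValueError(f"private subnets overlap: {l_ts} and {r_ts}")
    return f"""connections {{
    {local['name']}-to-{remote['name']} {{
        version = 2
        local_addrs = {local['public']}
        remote_addrs = {remote['public']}
        dpd_delay = 30s
        local {{
            auth = pubkey
            certs = {local['name']}.pem
            id = {local['name']}.example.org
        }}
        remote {{
            auth = pubkey
            id = {remote['name']}.example.org
        }}
        children {{
            net-net {{
                local_ts = {l_ts}
                remote_ts = {r_ts}
                start_action = trap
                dpd_action = restart
            }}
        }}
    }}
}}
"""

if __name__ == "__main__":
    # Each gateway gets the mirror image of the other's connection.
    print(render(SITE_A, SITE_B))
    print(render(SITE_B, SITE_A))
```

Each rendered block belongs in the swanctl.conf of the gateway it was generated for, alongside that gateway's own certificate and private key.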