strongswan.conf is the global configuration file for the strongSwan daemon. It controls the behavior of charon, configures logging, and sets per-plugin options. File location: /etc/strongswan.conf
The default strongswan.conf uses load_modular = yes and includes plugin configs from strongswan.d/charon/*.conf. This keeps the main file minimal and lets packages manage their own plugin settings.

charon section

The charon section configures the IKE daemon. All options also apply to charon-cmd and other charon-based binaries by using their respective section name.

Core options

Option | Default | Description
load_modular | no | Load plugins according to each plugin's own load option instead of one load list
threads | 16 | Number of worker threads. Several are reserved for long-running internal tasks, so avoid setting this too low
install_routes | yes | Install routes for established IPsec tunnels into a separate routing table (table 220 by default, see routing_table)
install_virtual_ip | yes | Install virtual IP addresses received from the peer on the local system
install_virtual_ip_on | (outbound interface) | Interface on which virtual IPs are installed. Defaults to the interface used to reach the peer
cache_crls | no | Save CRLs fetched via HTTP or LDAP to /etc/swanctl/x509crl/ so they survive a restart
reuse_ikesa | yes | Initiate new CHILD_SAs within an existing IKE_SA to the same peer instead of setting up a new IKE_SA
send_vendor_id | no | Include the strongSwan vendor ID payload in IKE exchanges. Leaving it off avoids advertising the implementation to unauthenticated peers
make_before_break | no | Use make-before-break IKEv2 reauthentication, which establishes the new SAs before deleting the old ones. Off by default
port | 500 | Local UDP port for IKE. 0 allocates a random port
port_nat_t | 4500 | Local UDP port for NAT-T. Must differ from port

MOBIKE and DPD have no global switch in this section: mobike and dpd_delay are per-connection options set in swanctl.conf (or ipsec.conf).

DPD and retransmission

Option | Default | Description
retransmit_tries | 5 | Number of retransmissions to send before giving up on an exchange (or declaring a DPD peer dead)
retransmit_timeout | 4.0 | Seconds to wait before the first retransmit
retransmit_base | 1.8 | Base of the exponential back-off: the n-th wait is retransmit_timeout * retransmit_base^n
retransmit_jitter | 0 | Maximum jitter in percent applied randomly to each retransmission timeout (0 disables)
half_open_timeout | 30 | Seconds after which an IKE_SA that never completed its initial exchanges is discarded

With the defaults the waits are 4.0, 7.2, 12.96, 23.33, 41.99 and 75.58 seconds, so charon gives up roughly 165 seconds after the first send. Lowering these values speeds up failover but makes exchanges over lossy links fail sooner.
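
To make the back-off concrete, the following is an added example (not strongSwan code) that computes the retransmission schedule from the options above. It assumes charon's documented formula, retransmit_timeout * retransmit_base^n, with one wait for the initial send plus one per retry, and it treats retransmit_limit (an upper bound in seconds on each wait) and retransmit_jitter as only ever shortening a wait, which is an assumption about how charon applies them.

```python
import random


def retransmit_timeouts(tries=5, timeout=4.0, base=1.8, limit=0.0):
    """Seconds charon waits after the initial send and after each of the
    'tries' retransmits before sending the next one (or giving up after the
    last): timeout * base**n for n = 0..tries. A positive limit caps each
    individual wait, mirroring the retransmit_limit option."""
    if tries < 0 or timeout <= 0 or base <= 0:
        raise ValueError("retransmit parameters must be positive")
    waits = []
    for n in range(tries + 1):
        wait = timeout * base ** n
        if limit > 0:
            wait = min(wait, limit)
        waits.append(wait)
    return waits


def apply_jitter(waits, jitter_percent, seed=None):
    """Shorten each wait by a random share of up to jitter_percent, as the
    retransmit_jitter option does (assumption: jitter only ever shortens
    the wait). A seed makes the result reproducible."""
    if not 0 <= jitter_percent <= 100:
        raise ValueError("jitter must be a percentage between 0 and 100")
    rng = random.Random(seed)
    return [w - w * (jitter_percent / 100.0) * rng.random() for w in waits]


def seconds_until_giving_up(tries=5, timeout=4.0, base=1.8, limit=0.0):
    """Jitter-free time from the first send until the exchange is abandoned
    (and, for a DPD exchange, the peer is declared dead)."""
    return sum(retransmit_timeouts(tries, timeout, base, limit))


if __name__ == "__main__":
    for n, wait in enumerate(retransmit_timeouts()):
        label = "initial send" if n == 0 else f"retransmit {n}"
        print(f"{label:>13}: wait {wait:6.2f} s")
    print(f"defaults give up after {seconds_until_giving_up():.1f} s")
    fast = seconds_until_giving_up(tries=3, timeout=2.0, base=1.5)
    print(f"tries=3 timeout=2 base=1.5 give up after {fast:.2f} s")
```

Run it with different values before changing a production host: the total is what a road warrior experiences as "the VPN hangs" when a gateway goes silent, and what a DPD-based failover waits before switching.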

DoS protection

Option | Default | Description
dos_protection | yes | Enable DoS protection using cookies and aggressiveness checks
cookie_threshold | 30 | Number of half-open IKE_SAs above which initiators must first return an IKEv2 COOKIE before charon allocates state for them
block_threshold | 5 | Maximum number of half-open IKE_SAs allowed per peer IP before further attempts from that address are blocked
ikesa_limit | 0 | Maximum number of concurrent IKE_SAs before new connection attempts are blocked. 0 means unlimited

Plugin loading

strongswan.conf
charon {
    load_modular = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
}

include strongswan.d/*.conf

When load_modular = yes, each plugin's config file in strongswan.d/charon/ contains a load option. Set it to yes, no, or a number; a number enables the plugin and raises its priority relative to plugins loaded with yes. Because the include sits inside charon.plugins, these files contain the plugin's own section directly, without a surrounding plugins { } block (wrapping it would place the options under charon.plugins.plugins, where charon never looks for them). swanctl --stats lists the plugins that actually loaded.
strongswan.d/charon/openssl.conf
openssl {
    load = yes
}
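
As an added illustration of how these files combine (example code, not part of strongSwan), the parser below reads the strongswan.conf syntax: nested sections, key = value lines, # comments, and include patterns resolved in the section where the directive appears, with sections merging and a key defined later overriding an earlier one. The file contents are constructed in memory, and treating load = yes as priority 1 is an assumption about charon's ranking.

```python
import re

# Constructed in-memory stand-ins for /etc/strongswan.conf and /etc/strongswan.d/
# (not real files). Keys are paths relative to the config directory, which is
# how include patterns in strongswan.conf are written.
CONFIG_FILES = {
    "strongswan.conf": """\
charon {
    load_modular = yes
    threads = 16
    plugins {
        include strongswan.d/charon/*.conf
    }
    filelog {
        /var/log/charon.log {
            default = 1
            ike = 2
            time_format = %b %e %T
        }
    }
}
include strongswan.d/*.conf
""",
    # Plugin files carry no "plugins {" wrapper: they are spliced into charon.plugins.
    "strongswan.d/charon/openssl.conf": "openssl {\n    load = yes\n}\n",
    "strongswan.d/charon/gmp.conf": "gmp {\n    load = no\n}\n",
    "strongswan.d/charon/random.conf": "random {\n    load = 2\n}\n",
    # A package drop-in: its charon section merges with the one above, and the
    # key it repeats (threads) overrides the earlier value.
    "strongswan.d/charon-logging.conf": """\
charon {
    threads = 32
    filelog {
        /var/log/charon.log {
            knl = 2
        }
    }
}
""",
}


def glob_match(pattern, path):
    """Match an include pattern like glob(3): '*' and '?' do not cross '/'."""
    regex = re.escape(pattern).replace(r"\*", "[^/]*").replace(r"\?", "[^/]")
    return re.fullmatch(regex, path) is not None


def parse_config(text, files, tree=None):
    """Parse strongswan.conf syntax into nested dicts: sections merge, a key
    defined later overrides an earlier one, and 'include' splices every
    matching file into the section in which the directive appears."""
    tree = {} if tree is None else tree
    stack = [tree]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
        elif line.startswith("include "):
            pattern = line[len("include "):].strip()
            for name in sorted(files):
                if glob_match(pattern, name):
                    parse_config(files[name], files, stack[-1])
        elif line.endswith("{"):
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        elif "=" in line:
            key, value = line.split("=", 1)
            stack[-1][key.strip()] = value.strip()
        else:
            raise ValueError(f"cannot parse line: {raw!r}")
    if len(stack) != 1:
        raise ValueError("section not closed at end of file")
    return tree


def lookup(tree, *path, default=None):
    """Walk a key path such as ("charon", "filelog", "/var/log/charon.log", "ike")."""
    node = tree
    for part in path:
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node


def plugins_to_load(tree):
    """Plugins enabled under load_modular, highest priority first. 'yes' is
    treated as priority 1 and a number as that priority (an assumption about
    charon's ranking); 'no' or a missing load option skips the plugin."""
    enabled = []
    for name, section in (lookup(tree, "charon", "plugins") or {}).items():
        if not isinstance(section, dict) or section.get("load", "no") == "no":
            continue
        load = section["load"]
        enabled.append((name, 1 if load == "yes" else int(load)))
    return sorted(enabled, key=lambda item: (-item[1], item[0]))


CONFIG = parse_config(CONFIG_FILES["strongswan.conf"], CONFIG_FILES)

if __name__ == "__main__":
    print("threads =", lookup(CONFIG, "charon", "threads"))
    print("ike level =", lookup(CONFIG, "charon", "filelog", "/var/log/charon.log", "ike"))
    print("plugins:", plugins_to_load(CONFIG))
```

The merge rule is the point to remember when auditing a host: the effective value of threads here is 32, set by the drop-in, even though strongswan.conf says 16, and a plugin whose file is wrapped in plugins { } never shows up in plugins_to_load.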

charon-systemd section

When running strongSwan under systemd, use charon-systemd in place of charon in strongswan.conf. It adds a native systemd journal logger.
strongswan.conf (systemd)
charon-systemd {
    journal {
        default = 1
        ike     = 2
        cfg     = 2
    }
}
The journal section accepts the same subsystem/level syntax as other loggers (see Logging configuration below).

Logging configuration

strongSwan has three logger backends: a file logger and a syslog logger, both configured inside the charon section (or charon-systemd when running that daemon), and the systemd journal logger, which exists only in the charon-systemd section. Several loggers can be active at once, each with its own per-subsystem levels.

Log levels

Level | Meaning
-1 | Absolutely silent
0 | Very basic auditing only (SA up, SA down)
1 | Generic control flow including errors. The default, and a good level for normal operation
2 | More detailed debugging control flow
3 | Also includes raw data dumps in hex
4 | Also includes sensitive material in the dumps, e.g. keys. Never use this on a production system or in a log file that others can read

Log subsystems

Common subsystem identifiers:
Subsystem | Area
dmn | Daemon core
mgr | IKE_SA manager
ike | IKE exchanges
chd | CHILD_SA
job | Job processing
cfg | Configuration backend
knl | Kernel interface
net | Network socket
enc | Encoding/decoding
tls | TLS
esp | ESP/AH
lib | libstrongswan

File logger

strongswan.conf
charon {
    filelog {
        /var/log/charon.log {
            default     = 1
            ike         = 2
            time_format = %b %e %T
            append      = yes
            flush_line  = yes
        }
        stderr {
            default = 0
        }
    }
}

Option | Default | Description
default | 1 | Default log level for subsystems not explicitly configured
<subsystem> | (default) | Log level for a specific subsystem, e.g. ike = 2
append | yes | Append to an existing log file instead of truncating it
flush_line | no | Flush after each line (disables block buffering)
time_format | (none) | strftime(3) format string for timestamps; no timestamp is written if unset
ike_name | no | Prefix each entry with the IKE_SA name and unique ID in angle brackets
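
Added example (not strongSwan code): a parser for the lines the file logger writes with time_format = %b %e %T and ike_name = yes, used here to attribute exhausted retransmissions to the IKE_SA that logged them. The log lines are constructed to follow that layout (timestamp, thread number, subsystem in brackets, then the IKE_SA name and unique ID in angle brackets when one is in context); the message strings mimic charon's wording but are not captured output.

```python
import re
from collections import Counter

# One file-logger line: "<timestamp> <thread>[<SUBSYS>] <name|id> <message>".
# The <name|id> part is only present when a line is logged in the context of an
# IKE_SA; it degrades to <id> before the SA has a peer config, so name is optional.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<thread>\d+)\[(?P<sub>[A-Z]+)\]"
    r"(?: <(?:(?P<name>[^|>]+)\|)?(?P<id>\d+)>)? "
    r"(?P<msg>.*)$"
)

# Constructed sample in the style of charon's file logger (not real output).
SAMPLE_LOG = """\
Mar  3 09:15:01 05[CFG] loaded 3 plugin features
Mar  3 09:15:02 11[IKE] <rw-1|3> retransmit 1 of request with message ID 0
Mar  3 09:15:09 11[IKE] <rw-1|3> retransmit 2 of request with message ID 0
Mar  3 09:15:22 11[IKE] <rw-1|3> retransmit 3 of request with message ID 0
Mar  3 09:15:45 11[IKE] <rw-1|3> retransmit 4 of request with message ID 0
Mar  3 09:16:27 11[IKE] <rw-1|3> retransmit 5 of request with message ID 0
Mar  3 09:17:43 11[IKE] <rw-1|3> giving up after 5 retransmits
Mar  3 09:17:50 07[IKE] <rw-2|4> IKE_SA rw-2[4] established between 203.0.113.5[moon.example.org]...198.51.100.9[carol@example.org]
Mar  3 09:17:50 07[KNL] <rw-2|4> adding policy 10.1.0.0/16 === 10.2.0.0/16 out
Mar  3 09:18:03 09[NET] <6> received packet: from 198.51.100.77[500] to 203.0.113.5[500] (464 bytes)
this line is not a charon log line
"""


def parse_line(line):
    """Split one logger line into its fields, or return None if it does not match."""
    match = LINE_RE.match(line)
    if not match:
        return None
    rec = match.groupdict()
    rec["thread"] = int(rec["thread"])
    rec["id"] = int(rec["id"]) if rec["id"] is not None else None
    return rec


def parse_log(text):
    """Parse every line, silently skipping lines that are not charon output."""
    return [rec for rec in map(parse_line, text.splitlines()) if rec]


def summarize(records):
    """Return (lines per subsystem, IKE_SAs that exhausted their retransmits).
    The second list relies on ike_name = yes: without it, the giving-up line
    could not be tied back to the connection that failed."""
    by_subsystem = Counter(rec["sub"] for rec in records)
    gave_up = [(rec["name"], rec["id"]) for rec in records
               if rec["sub"] == "IKE" and rec["msg"].startswith("giving up after")]
    return by_subsystem, gave_up


if __name__ == "__main__":
    subsystems, failed = summarize(parse_log(SAMPLE_LOG))
    print("lines per subsystem:", dict(subsystems))
    print("IKE_SAs that gave up:", failed)
```

Without ike_name = yes the same failure is logged as a bare retransmit message, so enabling it costs nothing and makes the file usable as evidence when correlating a tunnel outage with a specific peer.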

Syslog logger

strongswan.conf
charon {
    syslog {
        identifier = charon
        daemon {
            default = 1
            ike     = 2
        }
        auth {
            default = 0
            ike     = 1
        }
    }
}

Only the daemon and auth facilities are supported as subsections (charon.syslog.daemon and charon.syslog.auth). Each has its own levels, so the example above sends IKE events at level 1 to auth while daemon carries the more verbose stream. identifier is set directly under syslog; the remaining options go inside each facility subsection.
Option | Default | Description
identifier | (system default) | Identifier passed to openlog(3) and prepended to every message. If unset, openlog(3) is not called and the system default, usually the program name, applies
default | 1 | Default log level for the facility
ike_name | no | Prefix each entry with the IKE_SA name and unique ID
map_level | -1 | Map strongSwan log levels to syslog priorities. -1 sends every message as LOG_INFO

Complete example

strongswan.conf
charon {
    load_modular = yes
    threads      = 16

    install_routes     = yes
    install_virtual_ip = yes
    cache_crls         = yes
    send_vendor_id     = yes
    reuse_ikesa        = no

    plugins {
        include strongswan.d/charon/*.conf
    }

    filelog {
        /var/log/charon.log {
            default     = 1
            ike         = 2
            knl         = 2
            time_format = %Y-%m-%d %T
            append      = yes
            flush_line  = yes
        }
        stderr {
            default = 0
        }
    }

    syslog {
        daemon {
            default = 1
        }
    }
}

include strongswan.d/*.conf