strongSwan’s cryptographic subsystem is fully plugin-based. Plugins implement standard interfaces defined in libstrongswan and register algorithm providers at startup. When multiple plugins provide the same algorithm, the one with the highest configured priority wins. This lets you choose between crypto backends (for example, OpenSSL vs. wolfSSL), add hardware acceleration, or meet compliance requirements (for example, FIPS mode via OpenSSL).

Crypto backend plugins

| Plugin | Primary source | Provides |
| --- | --- | --- |
| openssl | OpenSSL / LibreSSL | RSA, ECDSA, EdDSA, DH, ECDH, AES, SHA-1/2/3, ChaCha20-Poly1305, and more |
| botan | Botan library | Modern, header-only C++ crypto; broad algorithm coverage |
| wolfssl | wolfSSL (CyaSSL) | Embedded-focused TLS/crypto library |
| gcrypt | libgcrypt (GnuPG) | GNU crypto library; RSA, DH, AES, SHA |
| gmp | GNU MP | RSA and classic DH (Diffie-Hellman) via big-integer arithmetic |
| aesni | CPU instruction | AES-NI hardware acceleration (x86/x86-64) |
| af-alg | Linux kernel | Offload crypto to kernel via AF_ALG socket interface |
| rdrand | CPU instruction | Intel RDRAND hardware random number generator |
| padlock | VIA hardware | VIA Padlock hardware crypto engine |

openssl is the most common backend and is recommended for most deployments. It provides the widest algorithm coverage and is required for EAP-MSCHAPv2 (which needs MD4 and DES from OpenSSL’s legacy provider).

Algorithm-specific plugins

These plugins ship implementations of individual algorithms. They are used when no full-featured backend is loaded or when a specific implementation is preferred:

| Plugin | Algorithms |
| --- | --- |
| aes | AES-128/192/256 (software) |
| sha1 | SHA-1 |
| sha2 | SHA-256, SHA-384, SHA-512 |
| sha3 | SHA-3 (Keccak) |
| des | 3DES (legacy) |
| blowfish | Blowfish (legacy) |
| md5 | MD5 |
| md4 | MD4 (needed for MSCHAPv2) |
| hmac | HMAC construction |
| cmac | CMAC construction |
| xcbc | XCBC-MAC |
| gcm | GCM AEAD mode |
| ccm | CCM AEAD mode |
| ctr | CTR mode |
| chapoly | ChaCha20-Poly1305 |
| curve25519 | X25519 DH and Ed25519 signatures |
| fips_prf | FIPS PRF for EAP-SIM/AKA |
| drbg | NIST SP 800-90A DRBG (HMAC-DRBG) |
| nonce | Nonce generation |
| random | Entropy source (/dev/urandom) |

Post-quantum cryptography

The ml plugin implements ML-KEM (CRYSTALS-Kyber, FIPS 203) for hybrid key exchange in IKEv2. Combined with a classical Diffie-Hellman group, it provides quantum-resistant key establishment:

swanctl.conf

```
connections {
  example {
    proposals = aes256gcm16-prfsha384-x25519-ke1_kyber768    # hybrid: X25519 + ML-KEM-768
    children {
      net {
        esp_proposals = aes256gcm16
      }
    }
  }
}
```

The curve25519 plugin provides both X25519 (ECDH) and Ed25519 (signatures) without depending on OpenSSL.

OpenSSL plugin configuration

/etc/strongswan.d/charon/openssl.conf

```
plugins {
  openssl {
    load = yes
    # Load legacy provider for MD4/DES (required for EAP-MSCHAPv2)
    load_legacy = yes
    # FIPS mode: 0=disabled, 1=enabled, 2=Suite B (pre-3.0)
    # With OpenSSL 3+, any non-zero value loads the fips and base providers
    fips_mode = 0
  }
}
```

With OpenSSL 3+, setting load_legacy = no disables MD4 and DES. This breaks EAP-MSCHAPv2. Keep load_legacy = yes if you support Windows clients using password authentication.

Checking loaded algorithms

To see which algorithms are available from currently loaded plugins:

```
swanctl --list-algs
```

Example output (truncated):

```
encryption:
  AES_CBC[openssl]
  AES_GCM_16[openssl]
  CHACHA20_POLY1305[openssl]
integrity:
  HMAC_SHA2_256_128[openssl]
  HMAC_SHA2_512_256[openssl]
prf:
  PRF_HMAC_SHA2_256[openssl]
dh-groups:
  CURVE_25519[curve25519]
  ECP_384[openssl]
  MODP_2048[openssl]
```

The plugin name in brackets shows which plugin provides each algorithm. If a group you expect (for example, MODP_4096) is absent, the providing plugin is not loaded.
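
One way to automate that check, as an added example that is not part of the strongSwan documentation: the shell function below parses the `swanctl --list-algs` format shown above and reports any required algorithm that is missing or comes from a different plugin than expected. The names `check_algs` and `sample_listing` and the `category/NAME=plugin` requirement syntax are assumptions made for this example.

```shell
# Added example, not strongSwan code. Audits `swanctl --list-algs` output.
# Each argument to check_algs is a requirement (syntax invented for this example):
#   category/NAME         NAME must be listed under "category:"
#   category/NAME=plugin  ...and must be provided by that plugin
# Reads the listing on stdin; returns 0 only if every requirement is met.
check_algs() {
  awk -v reqs="$*" '
    /^[^ \t].*:[ \t]*$/ {                 # section header such as "dh-groups:"
      cat = $0; sub(/:[ \t]*$/, "", cat); next
    }
    /^[ \t]/ && (b = index($1, "[")) > 1 && $1 ~ /\]$/ {
      # entry such as "  AES_CBC[openssl]": algorithm name, then providing plugin
      provider[cat "/" substr($1, 1, b - 1)] = substr($1, b + 1, length($1) - b - 1)
    }
    END {
      n = split(reqs, r, " "); bad = 0
      for (i = 1; i <= n; i++) {
        key = r[i]; want = ""
        if ((p = index(key, "=")) > 0) {
          want = substr(key, p + 1); key = substr(key, 1, p - 1)
        }
        if (!(key in provider)) {
          print "MISSING  " key; bad++
        } else if (want != "" && provider[key] != want) {
          print "PROVIDER " key " from " provider[key] ", expected " want; bad++
        } else {
          print "OK       " key " [" provider[key] "]"
        }
      }
      exit (bad > 0)
    }'
}

# Sample listing: an excerpt of the example output shown on this page.
sample_listing() {
  cat <<'EOF'
encryption:
  AES_GCM_16[openssl]
  CHACHA20_POLY1305[openssl]
dh-groups:
  CURVE_25519[curve25519]
  MODP_2048[openssl]
EOF
}

# Demo on the sample; on a live host use: swanctl --list-algs | check_algs ...
sample_listing | check_algs encryption/AES_GCM_16=openssl \
  dh-groups/CURVE_25519=curve25519 dh-groups/MODP_4096 || echo "audit failed"
```

Pinning the provider (for example `encryption/AES_GCM_16=openssl`) catches the case where a higher-priority plugin silently takes over an algorithm you expected from a specific backend.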

Configuring proposals in swanctl.conf

Algorithm selection in swanctl.conf uses proposal strings. Only algorithms available from loaded plugins can be negotiated.

swanctl.conf

```
connections {
  example {
    # IKE SA algorithms (encryption-integrity-prf-dhgroup)
    proposals = aes256-sha256-prfsha256-x25519

    children {
      net {
        # ESP/CHILD SA algorithms
        esp_proposals = aes256gcm16-x25519
      }
    }
  }
}
```

AEAD algorithms such as aes256gcm16 and chacha20poly1305 provide both encryption and integrity. When using an AEAD cipher in ESP proposals, you do not need a separate integrity algorithm.