strongswan.conf configuration reference

strongswan.conf configures the strongSwan daemon (charon) and its plugins. It uses a hierarchical key-value format with {} sections. The distributed default strongswan.conf uses modular loading:

charon {
  load_modular = yes
  plugins {
    include strongswan.d/charon/*.conf
  }
}

include strongswan.d/*.conf

Place your site-specific settings in files under strongswan.d/ rather than editing the main strongswan.conf directly. This simplifies package upgrades.

charon section

The charon section configures the IKE daemon.

Core settings

load_modular

boolean

default:"no"

Use modular plugin loading controlled by per-plugin .conf files in strongswan.d/charon/. When yes, the load keyword in the main config is ignored and each plugin’s own config file controls whether it is loaded.

threads

number

default:"16"

Number of worker threads for processing IKE messages and crypto operations. Increase on high-throughput systems.

ikesa_table_size

number

default:"1"

Size of the hash table used to index IKE SAs.

ikesa_table_segments

number

default:"1"

Number of segments in the IKE SA hash table for locking granularity.

Network and routing

install_routes

boolean

default:"yes"

Install routes into the routing table for IPsec tunnel traffic selectors. Disable if you manage routes externally.

install_virtual_ip

boolean

default:"yes"

Install negotiated virtual IP addresses on the local interface. Disable if your OS or routing daemon manages virtual IPs.

install_virtual_ip_on

string

Interface name on which to install virtual IP addresses. Defaults to the interface used for the IKE SA.

keep_alive

number

default:"20"

NAT keepalive interval in seconds. Sends UDP keepalive packets to maintain NAT mappings.

prefer_best_path

boolean

default:"no"

During MOBIKE path re-selection, prefer the path with the lowest route metric over the currently active path.

IKE SA management

half_open_timeout

number

default:"30"

Timeout in seconds to close IKE SAs that have not completed authentication. Protects against half-open SA exhaustion attacks.

max_ikesa_half_open

number

Maximum number of simultaneously half-open IKE SAs. New connections are refused when the limit is reached.

reuse_ikesa

boolean

default:"yes"

Re-use existing IKE SAs when initiating additional CHILD SAs to the same remote address and identity, rather than creating a new IKE SA.

retry_initiate_interval

number

default:"0"

Interval in seconds between retries when connection initiation fails. 0 disables retry.

send_vendor_id

boolean

default:"no"

Send the strongSwan vendor ID payload in IKE exchanges. Enables vendor-specific features but reveals the software identity.

Certificate and revocation

cache_crls

boolean

default:"no"

Cache downloaded CRLs to the local filesystem under /etc/ipsec.d/crls/.

ocsp_nonce_len

number

default:"32"

Length of OCSP nonce values in bytes. 0 disables nonces.

x509_strict

boolean

default:"no"

Apply strict X.509 certificate validation. Rejects certificates that do not conform strictly to RFC 5280.

Security

i_dont_care_about_security_and_use_aggressive_mode_psk

boolean

default:"no"

Permit IKEv1 Aggressive Mode with PSK authentication. Disabled by default because Aggressive Mode PSK is vulnerable to offline dictionary attacks. Only enable if peer compatibility requires it.

rdn_matching

string

default:"strict"

Distinguished Name matching mode for wildcard remote identity matching. Accepted values: strict, reordered, relaxed.

Logging configuration

Logging is configured inside the charon section using filelog and syslog subsections.

charon {
  filelog {
    /var/log/strongswan.log {
      default = 1
      append = yes
      flush_line = yes
      ike = 2
      net = 1
      cfg = 1
    }
    stderr {
      default = 1
    }
  }
  syslog {
    daemon {
      default = 1
    }
  }
}

Log levels

Level	Meaning
`-1`	Absolute silence
`0`	Errors only
`1`	Informational (recommended for production)
`2`	Control-flow debug
`3`	Detailed debug
`4`	Full trace (very verbose)

Log subsystems

Within a log target, each subsystem level can be set independently:

Key	Subsystem
`ike`	IKE SA establishment and management
`chd`	CHILD SA establishment
`net`	IKE network I/O
`enc`	Message encoding/decoding
`cfg`	Configuration loading
`knl`	Kernel interface (policies, SAs)
`esp`	ESP processing
`mgr`	IKE SA manager
`lib`	libstrongswan

default sets the level for all subsystems not explicitly listed in the same block.

filelog options

append

boolean

default:"yes"

Append to the log file. Set to no to truncate the file on daemon start.

flush_line

boolean

default:"no"

Flush the log file after each line. Useful for real-time monitoring but reduces write performance.

time_format

string

strftime(3) format string for log timestamps. Example: "%b %e %T".

ike_name

boolean

default:"no"

Include the IKE SA name in each log line.

Plugin configuration

Plugins are configured in subsections under charon.plugins. With load_modular = yes, each plugin also has a dedicated file in strongswan.d/charon/<plugin>.conf.

eap-radius

charon {
  plugins {
    eap-radius {
      servers {
        main {
          address = radius.example.com
          secret = sharedsecret
          auth_port = 1812
          acct_port = 1813
        }
      }
      nas_identifier = strongSwan
    }
  }
}

attr

Pushes configuration attributes (DNS, routes) to clients:

charon {
  plugins {
    attr {
      dns = 8.8.8.8, 8.8.4.4
      split_include = 10.0.0.0/8
    }
  }
}

dhcp

Obtains virtual IPs and attributes from a DHCP server:

charon {
  plugins {
    dhcp {
      server = 192.168.1.1
      identity_lease = yes
    }
  }
}

kernel-netlink (Linux)

charon {
  plugins {
    kernel-netlink {
      fwmark = !0x4000
      mtu = 1400
    }
  }
}

plugins.kernel-netlink.fwmark

string

Netfilter mark applied to IKE packets. Use !<mark> to exclude marked packets from IPsec policies (useful to avoid routing loops).

plugins.kernel-netlink.mtu

number

MTU set on the virtual IP interface.

Full minimal example

charon {
  load_modular = yes
  threads = 16
  install_routes = yes
  install_virtual_ip = yes
  cache_crls = no
  reuse_ikesa = yes
  send_vendor_id = no
  keep_alive = 20
  half_open_timeout = 30

  filelog {
    /var/log/strongswan.log {
      default = 1
      append = yes
      flush_line = yes
    }
  }
  syslog {
    daemon {
      default = 1
    }
  }

  plugins {
    include strongswan.d/charon/*.conf
  }
}

include strongswan.d/*.conf

Documentation Index

​charon section

​Core settings

​Network and routing

​IKE SA management

​Certificate and revocation

​Security

​Logging configuration

​Log levels

​Log subsystems

​filelog options

​Plugin configuration

​eap-radius

​attr

​dhcp

​kernel-netlink (Linux)

​Full minimal example

charon section

Core settings

Network and routing

IKE SA management

Certificate and revocation

Security

Logging configuration

Log levels

Log subsystems

filelog options

Plugin configuration

eap-radius

attr

dhcp

kernel-netlink (Linux)

Full minimal example