[strongSwan] Questions on Strongswan

nagaraj nagaraj2 at gmail.com
Mon Apr 16 20:38:54 CEST 2012

Hi, I have some questions regarding the usage of strongswan for which
I could not find any answers. Could somebody please reply if you have
answers to any of these questions?

Thanks & Regards,

1: Is a fallback to IKEv1 supported when IKEv2 does not succeed with a
remote peer?

2: Is IPSec tunnel mode supported with AH/ESP bundle?

3: What counters are available for IKE besides message counters?

4: What alarms/traps are supported for IKE?

5: Are the following IKE modes supported?
 a) Server side certificate based, client-side pre-shared key based (mixed)

6: What counters are available for IKE besides message counters?
Please list protocol as well as debugging counters.

7: What mechanisms are available for periodically exporting these counters?

8: Which SNMP MIBs are supported?

9: I guess Charon daemon creates policies by itself. If we use the
mode auto=route then the first outbound IP packet will trigger the
negotiation of an IPsec SA.

Here is an example of one of the config files, strongswan.conf, which
Charon uses to install policies:

# /etc/strongswan.conf - strongSwan configuration file

charon {
 load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 multiple_authentication = no
}

However, it is not clear to me how various parameters like security
protocols (AH, ESP) are configured per IP address per port. Please

10: Is there support for address/port groups as part of the IPSec policy?


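As an added example, not part of the original post or of the strongSwan project, a small parser for the strongswan.conf section syntax quoted in question 9, used to check which plugins the charon `load` line names (a restricted `load` list is what keeps unneeded plugins, and their attack surface, out of the daemon). The sample text is constructed from the snippet in the post; `include` directives are assumed not to be needed and are not followed.

```python
# Constructed sample: the strongswan.conf fragment quoted in the post, with
# the mail-wrapped "load" line joined and the charon section closed.
SAMPLE_CONF = """\
# /etc/strongswan.conf - strongSwan configuration file

charon {
    load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
    multiple_authentication = no
}
"""


def parse_strongswan_conf(text):
    """Parse strongswan.conf section syntax into nested dicts.

    Handles 'name {' / '}' sections, 'key = value' settings and '#' comments.
    Assumption: 'include' directives are not followed here.
    """
    root = {}
    stack = [root]  # innermost open section is stack[-1]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unexpected '}' at line %d" % lineno)
            stack.pop()
        elif line.endswith("{"):
            name = line[:-1].strip()
            stack.append(stack[-1].setdefault(name, {}))
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            stack[-1][key] = value
        else:
            raise ValueError("cannot parse line %d: %r" % (lineno, raw))
    if len(stack) != 1:
        raise ValueError("unclosed section(s): %d" % (len(stack) - 1))
    return root


def loaded_plugins(conf):
    """Return the plugin names listed in charon.load (empty if unset)."""
    return conf.get("charon", {}).get("load", "").split()


if __name__ == "__main__":
    cfg = parse_strongswan_conf(SAMPLE_CONF)
    print("%d plugins loaded: %s" % (len(loaded_plugins(cfg)), loaded_plugins(cfg)))
```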