[strongSwan] What is the difference between libipsec and kernel_libipsec?

Tobias Brunner tobias at strongswan.org
Thu Jul 9 10:34:25 CEST 2015

Hi Dan,

> After doing some research it looks like I need to use the libipsec plugin.  
> Is that correct?

Not necessarily (it's usually preferable to use the kernel's IPsec
stack).  Perhaps you just need to load some missing kernel module (see
[1]) or change your ESP proposal because the kernel perhaps does not
support one of the negotiated algorithms.

> I see two configuration options:  --enable-kernel-libipsec and the
> --enable-libipsec.
> What's the difference and are they configured differently?

libipsec is the actual userland IPsec implementation, the
kernel-libipsec plugin is the middleware between IKE daemon and
libipsec.  Enabling kernel-libipsec automatically enables libipsec.


[1] https://wiki.strongswan.org/projects/strongswan/wiki/KernelModules

More information about the Users mailing list