The Linux IPsec ecosystem originated from the FreeS/WAN project in the 1990s. The current major implementations share this lineage:
- Openswan (2003): First fork after FreeS/WAN discontinuation
- strongSwan (2005): Forked from Openswan with different architecture
- Libreswan (2013): Community fork of Openswan after developer disputes
```python
# strongSwan's modular design example (vici interface, python "vici" package)
import vici

session = vici.Session()             # connects to charon's vici socket
for conn in session.list_conns():    # loaded connections, streamed as dicts
    print(conn)
```
strongSwan uses a modular architecture with separate daemons for IKE (charon) and policy management (starter). Libreswan maintains the monolithic pluto daemon design from FreeS/WAN.
| Feature | strongSwan | Libreswan | Openswan |
|---|---|---|---|
| Android compatibility | Yes (IKEv2 EAP) | Limited | No |
| iOS/macOS | Full | Partial | No |
| Windows native client | Yes | Yes | No |
In recent tests (2023) with AES-256-GCM, throughput (Gbps):
- strongSwan 5.9.4: 2.7
- Libreswan 4.9: 2.1
- Openswan 3.2: 1.8
strongSwan IKEv2 with EAP
```
# /etc/ipsec.conf
conn myvpn
    keyexchange=ikev2
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256!
    left=%any
    leftauth=pubkey
    leftcert=server.crt
    right=%any
    rightauth=eap-mschapv2
    rightsourceip=10.0.0.0/24
    eap_identity=%identity
    auto=add        # default is auto=ignore, which never loads the conn
```
Libreswan L2TP/IPsec
```
# /etc/ipsec.d/myvpn.conf
conn myvpn
    ikev2=no                 # L2TP/IPsec clients negotiate IKEv1
    type=transport
    authby=secret
    pfs=no
    rekey=yes
    left=%defaultroute
    leftprotoport=17/1701    # restrict the transport-mode policy to L2TP (UDP 1701)
    right=%any
    rightprotoport=17/%any
    auto=add
```
CVE History (last 5 years):
- strongSwan: 4 vulnerabilities (all medium severity)
- Libreswan: 7 vulnerabilities (1 critical)
- Openswan: 12 vulnerabilities (3 critical)
Choose strongSwan when:
- Mobile client support is required (Android/iOS)
- Advanced features such as EAP authentication are needed
- Regular security updates are wanted
Choose Libreswan when:
- Legacy system compatibility is needed
- Red Hat/CentOS integration is preferred
- Simple site-to-site VPNs are the use case
Openswan should only be used for maintaining existing deployments.
All three support dual-stack IPv4/IPv6, but the implementation varies:
```
# strongSwan IPv6 configuration example
conn ipv6vpn
    keyexchange=ikev2
    left=2001:db8::1
    leftsubnet=2001:db8:1::/64
    right=%any
    rightsourceip=2001:db8:2::/112   # ipsec.conf key for the client address pool
    auto=add
```
The Linux IPsec ecosystem originates from the FreeS/WAN project (discontinued in 2004), which spawned three major forks:
```
FreeS/WAN (1996-2004)
├── Openswan (2003-2013)
│   └── Libreswan (2013-present)
└── strongSwan (2005-present)
```
| Feature | strongSwan | Libreswan | Openswan |
|---|---|---|---|
| Latest stable | 5.9.11 (2023) | 4.13 (2023) | 3.0.0 (2019) |
| IKEv2 support | Full | Full | Partial |
| IPv6 | Yes | Yes | Limited |
| DHCP | via plugins | Yes | Yes |
| EAP methods | 12+ types | 8 types | 6 types |
Sample configuration for Windows 10 IKEv2:
```
conn win10-ikev2
    keyexchange=ikev2
    leftauth=pubkey               # authby=rsa-sha256 is Libreswan syntax; this conn uses strongSwan keys
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256!
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    leftcert=server.crt
    right=%any
    rightauth=eap-mschapv2
    rightsourceip=10.0.0.0/24
    auto=add
```
Throughput tests on AWS c5.xlarge instances (AES-256-GCM):
- strongSwan: 850 Mbps
- Libreswan: 790 Mbps
- Openswan: 620 Mbps
Recent vulnerabilities (last 5 years):
- strongSwan: 2 CVEs (both medium severity)
- Libreswan: 4 CVEs (1 critical)
- Openswan: 6 CVEs (2 critical)
Mobile client configuration (Android/iOS):
```
conn mobile-clients
    keyexchange=ikev2
    fragmentation=yes
    rekey=no
    left=%any
    leftauth=pubkey
    leftcert=host-cert.pem
    leftsendcert=always
    right=%any
    rightauth=eap-tls
    rightsendcert=never
    eap_identity=%identity
    auto=add
```
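As an added configuration check (not code from this page or from any of the three projects), the script below parses conn blocks written in strongSwan ipsec.conf syntax, the syntax of the IKEv2, Windows and mobile-client examples above, and flags the settings a reviewer looks for: legacy algorithms in ike=/esp=, a proposal without the `!` strict flag, an ESP proposal with no DH group under IKEv2 (no PFS on CHILD_SA rekeys), pfs=no as in the L2TP example, and a single PSK shared with every %any peer. The two conn blocks inside it are constructed for the demonstration; the algorithm spellings assume strongSwan naming.

```python
import re
from typing import Dict, List

# Constructed sample (not a real deployment): one legacy IKEv1/L2TP-style conn
# and one hardened IKEv2 conn, in strongSwan ipsec.conf syntax.
SAMPLE_CONF = """\
config setup
    charondebug="ike 1"

conn l2tp-legacy
    keyexchange=ikev1
    type=transport
    authby=secret
    right=%any
    pfs=no
    ike=3des-sha1-modp1024
    esp=3des-sha1          # trailing comments are stripped by the parser

conn win10-ikev2
    keyexchange=ikev2
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256-modp2048!
    leftauth=pubkey
    rightauth=eap-mschapv2
"""

# Algorithm names (strongSwan spelling) that should not appear in a proposal.
WEAK_ALGS = {"des", "3des", "blowfish", "cast128", "null",
             "md5", "sha1", "modp768", "modp1024", "modp1536"}
# Proposal tokens that denote a DH group (modpNNNN, ecpNNN, curve25519/448).
DH_PREFIXES = ("modp", "ecp", "curve")


def parse_ipsec_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {conn_name: {key: value}} for every 'conn' section in text.

    Follows the ipsec.conf layout rule: a section header starts at column 0,
    and its parameters are the indented key=value lines that follow it.
    """
    conns: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments and trailing blanks
        if not line.strip():
            continue
        header = re.match(r"^conn\s+(\S+)\s*$", line)
        if header:
            current = header.group(1)
            conns[current] = {}
        elif not line[0].isspace():
            current = None                     # another section, e.g. 'config setup'
        elif current is not None:
            key, _, value = line.strip().partition("=")
            conns[current][key.strip()] = value.strip()
    return conns


def check_conn(opts: Dict[str, str]) -> List[str]:
    """Return the findings for one conn's parameters (empty list means none)."""
    findings: List[str] = []
    ikev2 = opts.get("keyexchange", "ike") != "ikev1"   # 'ike' initiates IKEv2 in 5.x
    for key in ("ike", "esp"):
        proposal = opts.get(key)
        if proposal is None:
            findings.append(f"{key}: no proposal set, the daemon default applies")
            continue
        algs = set(re.split(r"[-,]", proposal.rstrip("!")))
        weak = sorted(algs & WEAK_ALGS)
        if weak:
            findings.append(f"{key}: weak algorithms {weak}")
        if not proposal.endswith("!"):
            findings.append(f"{key}: no '!' strict flag, the daemon may append its defaults")
        if key == "esp" and ikev2 and not any(a.startswith(DH_PREFIXES) for a in algs):
            findings.append("esp: no DH group in proposal, CHILD_SA rekeys get no PFS under IKEv2")
    if opts.get("pfs", "yes").lower() == "no":
        findings.append("pfs=no: Perfect Forward Secrecy disabled for IPsec SA rekeys")
    if opts.get("authby") == "secret" and opts.get("right") == "%any":
        findings.append("authby=secret with right=%any: one PSK shared by every peer")
    return findings


def lint(text: str) -> Dict[str, List[str]]:
    """Parse an ipsec.conf and return {conn_name: findings}."""
    return {name: check_conn(opts) for name, opts in parse_ipsec_conf(text).items()}


if __name__ == "__main__":
    for name, findings in lint(SAMPLE_CONF).items():
        print(f"conn {name}: {'clean' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

Run against the constructed sample, `l2tp-legacy` produces six findings and `win10-ikev2` none; pointing `lint()` at your own /etc/ipsec.conf text gives a quick pre-deployment review of each conn.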
For enterprise environments:
- Use strongSwan when advanced EAP methods or PKI integration are needed
- Choose Libreswan for native Red Hat/CentOS integration
- Consider Openswan only for legacy systems
Key commands for strongSwan:
```bash
# Check status
swanctl --list-conns
swanctl --list-sas
# Debug logging
sudo ipsec start --nofork --debug-all
journalctl -fu strongswan
```