Kernel backend plugins are responsible for installing IPsec Security Associations (SAs) and Security Policies (SPs) into the operating system, and for managing routes for tunneled traffic. Exactly one kernel interface plugin must be loaded at runtime.
Available kernel plugins
| Plugin | Platform | Interface | Notes |
|---|---|---|---|
| kernel-netlink | Linux | XFRM via Netlink | Default for Linux; supports XFRM interfaces |
| kernel-pfkey | Linux, BSD | PF_KEY socket | Legacy on Linux; native on BSD kernels |
| kernel-pfroute | FreeBSD, macOS | PF_ROUTE socket | Handles routing on BSD; used alongside kernel-pfkey |
| kernel-libipsec | Any | User-space libipsec | Software IPsec via TUN device; no XFRM required |
| kernel-iph | Windows | IP Helper API | SA/SP management on Windows |
| kernel-wfp | Windows | Windows Filtering Platform | Policy enforcement on Windows |
kernel-netlink (Linux)
kernel-netlink is the standard plugin for Linux. It communicates with the kernel’s XFRM framework via Netlink sockets to install xfrm_state (SAs) and xfrm_policy (SPs).
XFRM interfaces
XFRM interfaces (available since Linux 4.19) provide a virtual network interface for IPsec traffic, avoiding the need for route-based workarounds. Configure them in swanctl.conf using if_id_in and if_id_out:
swanctl.conf
To have routes installed for SAs that use XFRM interfaces, set install_routes_xfrmi = yes in the plugin configuration:
/etc/strongswan.d/charon/kernel-netlink.conf
Firewall marks
Use fwmark to direct traffic to a specific routing table while exempting IKE traffic:
/etc/strongswan.d/charon/kernel-netlink.conf
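A worked configuration tying the two sections above together (XFRM interface binding and a fwmark-selected routing table). This is a constructed example, not configuration from the strongSwan project; the addresses, identities, interface ID 42 and mark 0x42 are assumed values, the pre-shared key is a placeholder, and it assumes socket-default is the IKE socket backend so that IKE packets can be marked and thus exempted from the rule.

```conf
# swanctl.conf (constructed example): bind the tunnel to XFRM interface 42
# created beforehand with "ip link add ipsec0 type xfrm dev eth0 if_id 42".
connections {
    net-net {
        local_addrs  = 192.0.2.1
        remote_addrs = 198.51.100.1
        if_id_in  = 42
        if_id_out = 42
        proposals = aes256gcm16-sha256-x25519
        local {
            auth = psk
            id = moon.example.org
        }
        remote {
            auth = psk
            id = sun.example.org
        }
        children {
            net {
                local_ts  = 10.1.0.0/16
                remote_ts = 10.2.0.0/16
                esp_proposals = aes256gcm16-x25519
            }
        }
    }
}
secrets {
    ike-net-net {
        id-1 = moon.example.org
        id-2 = sun.example.org
        secret = "<placeholder-psk>"
    }
}
# /etc/strongswan.d/charon/kernel-netlink.conf (constructed example): route
# tunneled traffic through charon's table, but not packets marked 0x42.
charon {
    plugins {
        kernel-netlink {
            install_routes_xfrmi = yes
            # "!" inverts the match: the rule applies only to packets NOT
            # marked 0x42, so marked IKE packets keep using the main table
            fwmark = !0x42
        }
        # mark outbound IKE packets so the rule above exempts them
        # (assumes socket-default is the IKE socket backend in use)
        socket-default {
            fwmark = 0x42
        }
    }
}
```

After loading with swanctl --load-all, the installed rule and routes can be inspected with ip rule and ip route show table all to confirm that only unmarked traffic is steered into charon's table.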
Key configuration options
| Option | Default | Description |
|---|---|---|
| fwmark | — | Firewall mark on the routing rule (format: [!]mark[/mask]) |
| install_routes_xfrmi | no | Install routes for SAs using XFRM interfaces |
| mtu | 0 | MTU on installed routes (0 = kernel default) |
| mss | 0 | MSS clamping on installed routes (0 = disabled) |
| roam_events | yes | Trigger roam events on interface/address/route changes |
| receive_buffer_size | 8388608 | Netlink socket receive buffer (bytes) |
| xfrm_acq_expires | 165 | Lifetime of XFRM acquire state (seconds) |
| port_bypass | no | Use port-based instead of socket-based IKE bypass policies |
kernel-pfkey (BSD / legacy Linux)
kernel-pfkey uses the PF_KEY socket interface (RFC 2367) to manage SAs. On Linux it is superseded by kernel-netlink but remains useful for BSD kernels.
On FreeBSD and macOS, load kernel-pfkey together with kernel-pfroute:
strongswan.conf (FreeBSD / macOS)
/etc/strongswan.d/charon/kernel-pfkey.conf
/etc/strongswan.d/charon/kernel-pfroute.conf
| Option | Default | Description |
|---|---|---|
| route_via_internal | no | Route via the internal (traffic selector) interface rather than the external interface |
| events_buffer_size | 0 | Receive buffer size for the event socket (0 = OS default) |
kernel-pfroute (FreeBSD / macOS)
kernel-pfroute handles routing table management on BSD-family systems using the PF_ROUTE socket. It is always paired with kernel-pfkey.
| Option | Default | Description |
|---|---|---|
| mtu | 1400 | MTU set on TUN devices created for virtual IPs |
| vip_wait | 1000 | Milliseconds to wait for virtual IP addresses to appear or disappear |
kernel-libipsec (user-space)
kernel-libipsec implements IPsec entirely in user space using strongSwan’s libipsec library. It creates a TUN device and performs ESP encapsulation/decapsulation without involving the kernel XFRM or PF_KEY interfaces.
This is the appropriate choice for:
- Android (XFRM not available to unprivileged apps)
- Platforms without kernel IPsec support
- Testing and development environments
/etc/strongswan.d/charon/kernel-libipsec.conf
kernel-libipsec still requires a routing plugin. On Linux, load it alongside kernel-netlink (which handles routes only, not SAs).
Choosing a kernel plugin
- Linux (typical)
- Linux (user-space IPsec)
- FreeBSD / macOS
strongswan.conf