Project strongSwan: IPsec based VPN solution for Windows, Linux, Android, Mac

Posted by javajolt
strongSwan is a free, open-source IPsec-based VPN solution that is available for most of the operating systems out there. It implements both the IKEv1 and IKEv2 key exchange protocols, which authenticate hosts and clients and negotiate the cryptographic keys between them. There are a lot of technical terms to understand here, starting with IPsec and then moving on to IKE.

strongSwan VPN

Understanding and working with project strongSwan is no child's play; it requires deep knowledge and a sound understanding of Internet protocols and the security features built on top of them.

Here is the list of features sourced from the official strongSwan website. The list includes some difficult terms, but inquisitiveness has always been the biggest teacher, so head over to Google or Bing and look them up:

• Runs on Linux 2.6, 3.x and 4.x kernels, Android, FreeBSD, OS X and Windows
• Implements both the IKEv1 and IKEv2 (RFC 7296) key exchange protocols
• Fully tested support of IPv6 IPsec tunnel and transport connections
• Dynamical IP address and interface update with IKEv2 MOBIKE (RFC 4555)
• Automatic insertion and deletion of IPsec-policy-based firewall rules
• NAT-Traversal via UDP encapsulation and port floating (RFC 3947)
• Support of IKEv2 message fragmentation (RFC 7383) to avoid issues with IP fragmentation
• Dead Peer Detection (DPD, RFC 3706) takes care of dangling tunnels
• Static virtual IPs and IKEv1 ModeConfig pull and push modes
• XAUTH server and client functionality on top of IKEv1 Main Mode authentication
• Virtual IP address pool managed by IKE daemon or SQL database
• Secure IKEv2 EAP user authentication (EAP-SIM, EAP-AKA, EAP-TLS, EAP-MSCHAPv2, etc.)
• Optional relaying of EAP messages to AAA server via EAP-RADIUS plugin
• Support of IKEv2 Multiple Authentication Exchanges (RFC 4739)
• Authentication based on X.509 certificates or preshared keys
• Use of strong signature algorithms with Signature Authentication in IKEv2 (RFC 7427)
• Retrieval and local caching of Certificate Revocation Lists via HTTP or LDAP
• Full support of the Online Certificate Status Protocol (OCSP, RFC 2560)
• CA management (OCSP and CRL URIs, default LDAP server)
• Powerful IPsec policies based on wildcards or intermediate CAs
• Storage of RSA private keys and certificates on a smartcard (PKCS #11 interface)
• Modular plugins for crypto algorithms and relational database interfaces
• Support of elliptic curve DH groups and ECDSA certificates (Suite B, RFC 4869)
• Optional built-in integrity and crypto tests for plugins and libraries
• Smooth Linux desktop integration via the strongSwan NetworkManager applet
• Trusted Network Connect compliant to PB-TNC (RFC 5793) and PA-TNC (RFC 5792)
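To make several of the listed features concrete, here is an added example of a road-warrior gateway configuration in strongSwan's legacy ipsec.conf format (strongSwan 5.x). It is not taken from the post or from the strongSwan project's documentation; the host name vpn.example.org, the file names gatewayCert.pem and gatewayKey.pem, the CA distinguished name, the pool 10.10.10.0/24 and the user alice are placeholders. It shows IKEv2 with X.509 certificate authentication (RFC 7427 signature authentication) for one group of clients and EAP-MSCHAPv2 for another, with DPD, IKEv2 fragmentation and MOBIKE enabled and the proposals restricted to elliptic-curve groups.

```ini
# /etc/ipsec.conf (placeholder gateway; strongSwan 5.x legacy format)
config setup
    # log IKE negotiation and kernel interface events at a modest level
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=no

conn %default
    keyexchange=ikev2
    # strict proposals (trailing '!'): AES-256-GCM, SHA-384 PRF, ECP-384 DH group;
    # without the '!' the daemon would also accept weaker proposals from the peer
    ike=aes256gcm16-prfsha384-ecp384!
    esp=aes256gcm16-ecp384!
    # Dead Peer Detection (RFC 3706): probe idle peers and clear dangling tunnels
    dpdaction=clear
    dpddelay=30s
    # IKEv2 message fragmentation (RFC 7383) and MOBIKE (RFC 4555)
    fragmentation=yes
    mobike=yes
    left=%any
    # placeholder gateway identity; it must match a SAN in the gateway certificate
    leftid=@vpn.example.org
    # placeholder certificate, expected under /etc/ipsec.d/certs
    leftcert=gatewayCert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    # virtual IP pool (placeholder) handed out to clients
    rightsourceip=10.10.10.0/24
    auto=add

# clients that authenticate with their own X.509 certificate,
# which must chain to the (placeholder) CA named here
conn rw-cert
    rightauth=pubkey
    rightca="C=CH, O=Example, CN=Example Root CA"

# clients that authenticate with username/password over EAP-MSCHAPv2;
# the gateway is still authenticated to the client by its certificate
conn rw-eap
    rightauth=eap-mschapv2
    eap_identity=%identity
    rekey=no

# /etc/ipsec.secrets (placeholder credentials, kept readable by root only)
: RSA gatewayKey.pem
alice : EAP "replace-with-a-real-password"
```

The two conn sections inherit everything from %default and differ only in how the client side authenticates, which is how strongSwan lets one gateway serve certificate-based and EAP-based clients at the same time. Clients that select the Windows, Android or NetworkManager front ends mentioned on this page connect to such a gateway with only the gateway identity, the CA certificate and, for the EAP case, their username.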

strongSwan is fully functional on Linux-based operating systems, and distribution packages are available, but for Windows no distribution package is available yet and you need to build the code yourself using the MinGW toolchain. Not all features are available on Windows, and there are a lot of limitations associated with the project there. To run strongSwan properly you need to disable the native IKE service on Windows, among a few other things.

Installation and configuration on Windows is a tedious task for now, but it is expected that the project will release installable binary packages soon to make installation and configuration easier. You can read more about strongSwan for Windows OS here.

The strongSwan project is maintained by Andreas Steffen, who is a professor for Security in Communications at the University of Applied Sciences in Rapperswil, Switzerland. The project is also sponsored by major IT security companies, among them Secunet, Sophos and Revosec.

strongSwan is a well-written implementation of IPsec. It is completely open source and available free of cost. You can download it, build it yourself and then create your own virtual private network, although it requires some technical knowledge to understand both how it works and the code itself. You can check out the project documentation to learn more about it and read the installation instructions and other details.

twc