--help
Prints usage information and a short summary of the available options.
--version
Prints the strongSwan version.
--debug level
Sets the default log level (defaults to 1). level is a number between -1 and 4. Refer to
strongswan.conf for options that allow a more fine-grained configuration of the logging output.
--host hostname
DNS name or IP address to connect to.
--identity identity
Identity the client uses for the IKE exchange.
--eap-identity identity
Identity the client uses for EAP authentication.
--xauth-username username
Username the client uses for XAuth authentication.
--remote-identity identity
Server identity to expect, defaults to hostname.
--cert path
Trusted certificate, either for authentication or trust chain validation. To provide more than
one certificate, multiple --cert options can be used.
--rsa path
RSA private key to use for authentication (if a password is required, it will be requested on
demand). For other key types use --priv.
--priv path
Private key to use for authentication (if a password is required, it will be requested on demand).
--p12 path
PKCS#12 file with private key and certificates to use for authentication and trust chain
validation (if a password is required it will be requested on demand).
--agent[=socket]
Use SSH agent for authentication. If socket is not specified it is read from the SSH_AUTH_SOCK
environment variable.
--local-ts subnet
Additional traffic selector to propose for our side; the requested virtual IP address will always
be proposed.
--remote-ts subnet
Traffic selector to propose for remote side, defaults to 0.0.0.0/0.
--ike-proposal proposal
IKE proposal to offer instead of default. For IKEv1, a single proposal consists of one encryption
algorithm, an integrity/PRF algorithm and a DH group. IKEv2 can propose multiple algorithms of the
same kind. To specify multiple proposals, repeat the option.
--esp-proposal proposal
ESP proposal to offer instead of default. For IKEv1, a single proposal consists of one encryption
algorithm, an integrity algorithm and an optional DH group for Perfect Forward Secrecy rekeying.
IKEv2 can propose multiple algorithms of the same kind. To specify multiple proposals, repeat the
option.
--ah-proposal proposal
AH proposal to offer instead of ESP. For IKEv1, a single proposal consists of an integrity
algorithm and an optional DH group for Perfect Forward Secrecy rekeying. IKEv2 can propose
multiple algorithms of the same kind. To specify multiple proposals, repeat the option.
--profile name
Authentication profile to use. The supported profiles are listed in the Authentication Profiles
sections below. Defaults to ikev2-pub if a private key was supplied, and to ikev2-eap otherwise.
IKEv2 Authentication Profiles
ikev2-pub
IKEv2 with public key client and server authentication
ikev2-eap
IKEv2 with EAP client authentication and public key server authentication
ikev2-pub-eap
IKEv2 with public key and EAP client authentication (RFC 4739) and public key server
authentication
IKEv1 Authentication Profiles
The following authentication profiles use either Main Mode or Aggressive Mode; the latter is denoted
by a -am suffix.
ikev1-pub, ikev1-pub-am
IKEv1 with public key client and server authentication
ikev1-xauth, ikev1-xauth-am
IKEv1 with public key client and server authentication, followed by client XAuth authentication
ikev1-xauth-psk, ikev1-xauth-psk-am
IKEv1 with pre-shared key (PSK) client and server authentication, followed by client XAuth
authentication (INSECURE!)
ikev1-hybrid, ikev1-hybrid-am
IKEv1 with public key server authentication only, followed by client XAuth authentication
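
The --profile defaulting rule and the profile lists above, written out as a pre-flight check for a charon-cmd argument list. This is an added example, not part of the strongSwan documentation or code; the function names and exit codes are hypothetical, and counting --agent as supplying a private key is an assumption.

```sh
#!/bin/sh
# Added example, not strongSwan code: lint a charon-cmd argument list.

# Scan the arguments; sets PROFILE (explicit --profile, may be empty) and HAVE_KEY.
scan_args() {
    PROFILE="" HAVE_KEY=0
    while [ $# -gt 0 ]; do
        case "$1" in
            --profile=*) PROFILE=${1#--profile=} ;;
            --profile)   if [ $# -gt 1 ]; then PROFILE=$2; shift; fi ;;
            # Options that hand charon-cmd a private key. Counting --agent
            # here is an assumption; the text only says "a private key".
            --rsa|--rsa=*|--priv|--priv=*|--p12|--p12=*|--agent|--agent=*)
                HAVE_KEY=1 ;;
        esac
        shift
    done
}

# Print the profile that would be used, applying the documented default.
effective_profile() {
    scan_args "$@"
    if [ -n "$PROFILE" ]; then echo "$PROFILE"
    elif [ "$HAVE_KEY" -eq 1 ]; then echo ikev2-pub
    else echo ikev2-eap
    fi
}

# Returns 0 if acceptable, 1 for a profile the lists mark INSECURE,
# 2 for a profile that is not listed, 3 if public key client auth has no key.
lint_charon_cmd() {
    scan_args "$@"
    p=$(effective_profile "$@")
    case "$p" in
        ikev1-xauth-psk|ikev1-xauth-psk-am)
            echo "REJECT: $p authenticates with a pre-shared key" >&2; return 1 ;;
        ikev2-pub|ikev2-pub-eap|ikev1-pub|ikev1-pub-am|ikev1-xauth|ikev1-xauth-am)
            if [ "$HAVE_KEY" -eq 0 ]; then
                echo "REJECT: $p needs --rsa, --priv, --p12 or --agent" >&2; return 3
            fi ;;
        ikev2-eap|ikev1-hybrid|ikev1-hybrid-am) ;;
        *)  echo "REJECT: unknown profile '$p'" >&2; return 2 ;;
    esac
    echo "OK: $p"
}
```

Call lint_charon_cmd with the same arguments you intend to pass to charon-cmd and run the client only when it returns 0.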