diff --git a/nixos/modules/services/networking/strongswan-swanctl/strongswan-charon-params.nix b/nixos/modules/services/networking/strongswan-swanctl/strongswan-charon-params.nix
index 2b28b57963e1..17bd632dc180 100644
--- a/nixos/modules/services/networking/strongswan-swanctl/strongswan-charon-params.nix
+++ b/nixos/modules/services/networking/strongswan-swanctl/strongswan-charon-params.nix
@@ -19,7 +19,7 @@ in {
'';
cache_crls = mkYesNoParam no ''
- Whether Certicate Revocation Lists (CRLs) fetched via HTTP or LDAP
+ Whether Certificate Revocation Lists (CRLs) fetched via HTTP or LDAP
should be saved under a unique file name derived from the public
key of the Certification Authority (CA) to
/etc/ipsec.d/crls (stroke) or
diff --git a/nixos/modules/services/networking/strongswan-swanctl/strongswan-charon-plugins-params.nix b/nixos/modules/services/networking/strongswan-swanctl/strongswan-charon-plugins-params.nix
index 5fd2b4b0c0a4..116fb6d00a2c 100644
--- a/nixos/modules/services/networking/strongswan-swanctl/strongswan-charon-plugins-params.nix
+++ b/nixos/modules/services/networking/strongswan-swanctl/strongswan-charon-plugins-params.nix
@@ -423,6 +423,12 @@ lib : with (import ./param-constructors.nix lib); {
nodes. Set to 0 to disable.
'';
+ ha.buflen = mkIntParam 2048 ''
+ Buffer size for received HA messages. For IKEv1 the public DH factors are
+ also transmitted so depending on the DH group the HA messages can get quite
+ big (the default should be fine up to modp4096).
+ '';
+
ha.fifo_interface = mkYesNoParam yes "";
ha.heartbeat_delay = mkIntParam 1000 "";
@@ -461,7 +467,7 @@ lib : with (import ./param-constructors.nix lib); {
If the maximum Netlink socket receive buffer in bytes set by
receive_buffer_size exceeds the system-wide maximum from
/proc/sys/net/core/rmem_max, this option can be used to
- override the limit. Enabling this option requires special priviliges
+ override the limit. Enabling this option requires special privileges
(CAP_NET_ADMIN).
'';
@@ -482,6 +488,12 @@ lib : with (import ./param-constructors.nix lib); {
MTU to set on installed routes, 0 to disable.
'';
+ kernel-netlink.process_rules = mkYesNoParam no ''
+ Whether to process changes in routing rules to trigger roam events. This is
+ currently only useful if the kernel based route lookup is used (i.e. if
+ route installation is disabled or an inverted fwmark match is configured).
+ '';
+
kernel-netlink.receive_buffer_size = mkIntParam 0 ''
Maximum Netlink socket receive buffer in bytes. This value controls how many
bytes of Netlink messages can be received on a Netlink socket. The default
@@ -845,6 +857,25 @@ lib : with (import ./param-constructors.nix lib); {
Whether OCSP validation should be enabled.
'';
+ save-keys.load = mkYesNoParam no ''
+ Whether to load the plugin.
+ '';
+
+ save-keys.esp = mkYesNoParam no ''
+ Whether to save ESP keys.
+ '';
+
+ save-keys.ike = mkYesNoParam no ''
+ Whether to save IKE keys.
+ '';
+
+ save-keys.wireshark_keys = mkOptionalStrParam ''
+ Directory where the keys are stored in the format supported by Wireshark.
+ IKEv1 keys are stored in the ikev1_decryption_table file.
+ IKEv2 keys are stored in the ikev2_decryption_table file.
+ Keys for ESP CHILD_SAs are stored in the esp_sa file.
+ '';
+
socket-default.fwmark = mkOptionalStrParam ''
Firewall mark to set on outbound packets (a possible use case are
host-to-host tunnels with kernel-libipsec).
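Review bot: The new `save-keys.*` options describe a plugin that writes IKE and ESP session keys to disk in cleartext so Wireshark can decrypt the traffic, but none of the descriptions say so; the `save-keys.wireshark_keys` text at the end of the added span is the natural place. Anyone who later flips `save-keys.load`, `save-keys.ike` or `save-keys.esp` to `yes` from the option docs alone will not realise that every tunnel's confidentiality is lost for as long as the keys sit in that directory. Suggest appending to the `wireshark_keys` description: `Note: enabling this plugin stores the session keys of all IKE and ESP SAs in cleartext; it is intended for debugging only, and access to this directory should be restricted to the daemon.` The defaults of `no` for `load`, `esp` and `ike` look correct and appear to match upstream, though I have not checked the upstream default for `load`.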
diff --git a/nixos/modules/services/networking/strongswan-swanctl/swanctl-params.nix b/nixos/modules/services/networking/strongswan-swanctl/swanctl-params.nix
index 39d184131c36..939f58e2bab9 100644
--- a/nixos/modules/services/networking/strongswan-swanctl/swanctl-params.nix
+++ b/nixos/modules/services/networking/strongswan-swanctl/swanctl-params.nix
@@ -583,9 +583,10 @@ in {
rsa-2048-ecdsa-256). To limit the acceptable set of
hashing algorithms for trustchain validation, append hash algorithms to
pubkey or a key strength definition (for example
- pubkey-sha1-sha256 or
- rsa-2048-ecdsa-256-sha256-sha384-sha512). Unless
- disabled in strongswan.conf, or explicit IKEv2
+ pubkey-sha256-sha512,
+ rsa-2048-sha256-sha384-sha512 or
+ rsa-2048-sha256-ecdsa-256-sha256-sha384).
+ Unless disabled in strongswan.conf, or explicit IKEv2
signature constraints are configured (refer to the description of the
section's keyword for
details), such key types and hash algorithms are also applied as