diff --git a/pkgs/tools/networking/strongswan/default.nix b/pkgs/tools/networking/strongswan/default.nix
index c8cdac76f419..871cd3e8f473 100644
--- a/pkgs/tools/networking/strongswan/default.nix
+++ b/pkgs/tools/networking/strongswan/default.nix
@@ -13,7 +13,9 @@ stdenv.mkDerivation rec {
 buildInputs = [ gmp pkgconfig python autoreconfHook ];
 patches = [
+ ./ext_auth-path.patch
 ./firewall_defaults.patch
+ ./updown-path.patch
 ];
 configureFlags = [ "--enable-swanctl" "--enable-cmd" ];
diff --git a/pkgs/tools/networking/strongswan/ext_auth-path.patch b/pkgs/tools/networking/strongswan/ext_auth-path.patch
new file mode 100644
index 000000000000..397537ad8d84
--- /dev/null
+++ b/pkgs/tools/networking/strongswan/ext_auth-path.patch
@@ -0,0 +1,13 @@
+Index: strongswan-5.2.1/src/libcharon/plugins/ext_auth/ext_auth_listener.c
+===================================================================
+--- strongswan-5.2.1.orig/src/libcharon/plugins/ext_auth/ext_auth_listener.c
++++ strongswan-5.2.1/src/libcharon/plugins/ext_auth/ext_auth_listener.c
+@@ -101,6 +101,8 @@ METHOD(listener_t, authorize, bool,
+
+ *success = FALSE;
+
++ push_env(envp, countof(envp), "PATH=%s", getenv("PATH"));
++
+ push_env(envp, countof(envp), "IKE_UNIQUE_ID=%u",
+ ike_sa->get_unique_id(ike_sa));
+ push_env(envp, countof(envp), "IKE_NAME=%s",
diff --git a/pkgs/tools/networking/strongswan/updown-path.patch b/pkgs/tools/networking/strongswan/updown-path.patch
new file mode 100644
index 000000000000..f01da7d7bce6
--- /dev/null
+++ b/pkgs/tools/networking/strongswan/updown-path.patch
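Review bot: `getenv("PATH")` can return NULL when charon is started without a PATH, and the line added to `authorize` in ext_auth-path.patch passes that result straight to a `%s` conversion. push_env is not visible in this hunk, so the outcome is inferred: depending on the formatter the script either receives the literal `PATH=(null)` or the call is undefined. I would guard it with `const char *path = getenv("PATH"); if (path) push_env(envp, countof(envp), "PATH=%s", path);`. The identical line added to `invoke_once` in updown-path.patch needs the same guard. Because these scripts are spawned by the IKE daemon, a short comment such as `/* PATH is inherited from charon's own environment (set by the service unit) */` would make the trust assumption explicit; the body of `authorize` continues outside the hunk.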
@@ -0,0 +1,26 @@
+Index: strongswan-5.2.1/src/_updown/_updown.in
+===================================================================
+--- strongswan-5.2.1.orig/src/_updown/_updown.in
++++ strongswan-5.2.1/src/_updown/_updown.in
+@@ -125,7 +125,7 @@
+ #
+
+ # define a minimum PATH environment in case it is not set
+-PATH="/sbin:/bin:/usr/sbin:/usr/bin:@sbindir@"
++PATH="${PATH:-/sbin:/bin:/usr/sbin:/usr/bin}"
+ export PATH
+
+ # uncomment to log VPN connections
+Index: strongswan-5.2.1/src/libcharon/plugins/updown/updown_listener.c
+===================================================================
+--- strongswan-5.2.1.orig/src/libcharon/plugins/updown/updown_listener.c
++++ strongswan-5.2.1/src/libcharon/plugins/updown/updown_listener.c
+@@ -240,6 +240,8 @@ static void invoke_once(private_updown_l
+ process_t *process;
+ char *envp[128] = {};
+
++ push_env(envp, countof(envp), "PATH=%s", getenv("PATH"));
++
+ me = ike_sa->get_my_host(ike_sa);
+ other = ike_sa->get_other_host(ike_sa);
+
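Review bot: The new fallback in `_updown.in`, `PATH="${PATH:-/sbin:/bin:/usr/sbin:/usr/bin}"`, no longer contains `@sbindir@`, so when PATH is unset or empty the script cannot resolve tools installed there by name. Whether the rest of the script calls them by absolute path is not visible in this hunk. Keeping the entry, `PATH="${PATH:-/sbin:/bin:/usr/sbin:/usr/bin:@sbindir@}"`, preserves the old behaviour for that case. The comment above the assignment is also out of date, because the hook now resolves commands through whatever PATH the daemon was started with. I would reword it to `# keep the PATH inherited from charon; fall back to a minimum PATH only if it is unset or empty`.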