Strongswan on openSuSe 11.2 quick setup

The purpose of this story is to help OpenSuSe 11.2 users easily install and configure a Strongswan VPN with IKEv2 and gateway RSA authentication using X.509 certificates. Strongswan is probably one of the best VPN solutions on the market nowadays, if not the best!

In order to explain this simply, imagine the following totally fictional story. A Bulgarian student lives and studies in Germany and during his education he constantly needs access to network resources that are in Bulgaria. By coincidence his mother has a desktop computer in Bulgaria that is constantly connected to the network for 12,72 Euros a month. The desktop PC has two network cards: the first has a static private IP address and the second has a static public IP and is connected to a fiber-optic channel with ~2 Megabyte upload and ~18 Megabyte download. The student thinks that maybe he can use that desktop computer as a proxy to reach those resources that are not on the Internet but in one of the Intranets in Bulgaria. The student configures SSH on one of the high ports and makes sure that only private key authentication is allowed on that server. After that he configures a port forward of port 3128 to localhost:3128 in putty, and together with Firefox and FoxyProxy (one of the thousands of plug-ins for Firefox) he uses that proxy without any trouble. After a while one of his German colleagues asks him to help find a particular file that is not available on the web. The student knows that the file can be downloaded from one of the closed internal networks in Bulgaria and he decides to help his German friend. After seeing what kinds of resources are available in that closed network, the German friend begs him for the possibility to use that proxy frequently. The student does not want to give his friend a real account on that server, but he also knows that if he opens the squid port to that network, one of the mean administrators will simply add a deny access list for his static IP address. The student decides to implement a VPN connection. He is very concerned about security and decides that the whole bandwidth should be encrypted. The student thinks for a while and sets the requirements for his network.
He decides to have the following services running behind that desktop.
A. When configuring squid the student decides to set the TAGs "forwarded_for off" and "via off" in squid.conf.
B. A Samba server in order to share the downloaded resources easily. The student knows that a samba share can be mounted locally on any windows machine.
C. Make sure that the other users of that desktop PC, who use only Skype and Firefox, will not suffer from his actions; thus he also plans to use a traffic shaper in order to leave them enough bandwidth in case the student wants to switch to x11vnc or they are working on that PC.


The student has installed OpenSuSe 11.2 on that PC and configures a domain name to point to the public IP address of that PC. He chooses the name
From now on the student calls that desktop PC "" and his personal home laptop in Germany "client". Because the student suggests using RSA authentication with X.509 certificates, those certificates have to be generated first.

First he needs to install strongswan and a couple of utilities that might be useful.
zypper install openssl strongswan iputils
ipsec restart

Later on, he will install squid and samba and HTB traffic shaper.

He can create the certificates in two ways:
A. the easy one (edit "openssl.cnf" and issue a couple of commands in the terminal)
B. the super easy one (use a script "/usr/share/ssl/misc/" )
He decides to use the easy way and thus generates 3 certificates.
A. one for the certificate authority (this will be also hosted on
B. one for the server side certificate for .
C. one for the client certificate (for the student himself).
Before generating the certificates he edits the file /etc/ssl/openssl.cnf.
The student makes sure that he is editing the following lines there. The first two lines are very important, especially if he is using Windows 7 or Windows Vista as an IPsec client.
See the strongSwan wiki page "Win7CertReq" (Requirements for Certificates used with Windows 7).

extendedKeyUsage = serverAuth
subjectAltName =
dir = /etc/ipsec.d # Where everything is kept
certificate = $dir/cacerts/cacert.pem # The CA certificate
default_days = 3650 # This means the certificates will be valid 10 years.
default_bits = 2048
countryName_default = BG
stateOrProvinceName_default = Plovdivska
localityName_default = Plovdiv
0.organizationName_default = BlaBla
Now that he is done with the openssl.cnf file he can go and generate the certificates. He goes to the folder /etc/ipsec.d/ and creates two files there: "index.txt" and "serial". Using vim or emacs he types two zeros "00" into "serial", then saves and exits.

cd /etc/ipsec.d/
touch index.txt
touch serial
Now he can generate the Certificate Authority. He types pwd in order to be sure that he is in the directory "/etc/ipsec.d/".
Generate the CA

openssl req -x509 -newkey rsa:2048 -keyout private/cakey.pem -out cacerts/cacert.pem
After he answers the questions, two files will be created:
a) /etc/ipsec.d/private/cakey.pem
b) /etc/ipsec.d/cacerts/cacert.pem
Generate the certificate

The student first needs to create the certificate for his mother's PC (the gateway); although she will not be using it, he knows that he has to do it. The student checks again that in the common name question he typed the name he supplied in subjectAltName =. In this case it is "
openssl req -newkey rsa:2048 -keyout private/maikaKey.pem -out reqs/maikaReq.pem
openssl ca -in reqs/maikaReq.pem -out certs/maikaCert.pem -notext
The first command creates the private key maikaKey.pem and the certificate request maikaReq.pem. The second command signs the certificate with the CA that he generated before. During the key generation the student supplied a password. Let's say that the password was the word "secret". Now he opens the file /etc/ipsec.secrets and types the following line into it:
: RSA maikaKey.pem "secret"
After that he checks that the private key of the certificate is really seen by the system and issues:
# ipsec listall
He checks that the maika certificate has its private key by looking for the following line:
pubkey: RSA 2048 bits, has private key
It's all good.
Generate the Client Certificates

Now the student generates his own certificate, the one he will use. He does the same as for the server certificate, but because he is forced to use Windows 7 (proprietary software written only for windows), he has to export that certificate in a different format which is readable on windows. If the student were using only Linux, life would be so much easier; he would not have to execute the third command. He was pissed off.
openssl req -newkey rsa:2048 -keyout private/clientKey.pem -out reqs/clientReq.pem
openssl ca -in reqs/clientReq.pem -out certs/clientCert.pem -notext
openssl pkcs12 -export -inkey private/clientKey.pem -in certs/clientCert.pem -name "client" -certfile cacerts/cacert.pem -caname "Tnet Root CA" -out clientCert.p12
After the student exports the file clientCert.p12 he copies the file and follows the strongswan instructions to import it into the system.
See the strongSwan wiki page "Win7EapCert".
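The CA, gateway and client certificate steps above are interactive and depend on the openssl.cnf edits. Here is an added, non-interactive version of the same procedure as a shell script; it is not code from the original story or from the strongSwan project. The names (gateway.example.org, "Example Root CA", the export password "secret") and the use of "openssl x509 -req" with an extensions file instead of "openssl ca" with index.txt/serial are assumptions made for the example; the Windows 7 requirement (gateway FQDN in subjectAltName and extendedKeyUsage = serverAuth) is the one the page refers to, and the check function verifies exactly that before anything touches ipsec.conf.

```shell
#!/bin/sh
# Added example: non-interactive CA / gateway / client certificate generation.
# All names, paths and the passphrase are constructed placeholders.
set -e

GW_FQDN="gateway.example.org"   # placeholder gateway name (assumption)

# make_pki DIR -- builds under DIR the same layout the page uses:
#   cacerts/cacert.pem, private/cakey.pem           (the CA)
#   certs/gatewayCert.pem, private/gatewayKey.pem   (gateway, SAN + serverAuth)
#   certs/clientCert.pem, private/clientKey.pem, clientCert.p12 (Windows client)
make_pki() {
  dir="$1"
  mkdir -p "$dir/cacerts" "$dir/private" "$dir/certs" "$dir/reqs"

  # 1. Self-signed CA, ten years like the page's default_days = 3650.
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/C=BG/O=BlaBla/CN=Example Root CA" \
    -keyout "$dir/private/cakey.pem" -out "$dir/cacerts/cacert.pem" 2>/dev/null

  # 2. Gateway certificate. The CN is the gateway FQDN, and the extensions
  #    file supplies subjectAltName and extendedKeyUsage=serverAuth, the two
  #    lines the page says Windows 7 / Vista IKEv2 clients insist on.
  openssl req -newkey rsa:2048 -nodes -subj "/C=BG/O=BlaBla/CN=$GW_FQDN" \
    -keyout "$dir/private/gatewayKey.pem" -out "$dir/reqs/gatewayReq.pem" 2>/dev/null
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$GW_FQDN" \
    > "$dir/gateway.ext"
  openssl x509 -req -days 3650 -in "$dir/reqs/gatewayReq.pem" \
    -CA "$dir/cacerts/cacert.pem" -CAkey "$dir/private/cakey.pem" -CAcreateserial \
    -extfile "$dir/gateway.ext" -out "$dir/certs/gatewayCert.pem" 2>/dev/null

  # 3. Client certificate plus the PKCS#12 bundle a Windows client imports
  #    (the page's third command); the CA cert rides along in the bundle.
  openssl req -newkey rsa:2048 -nodes -subj "/C=BG/O=BlaBla/CN=client" \
    -keyout "$dir/private/clientKey.pem" -out "$dir/reqs/clientReq.pem" 2>/dev/null
  openssl x509 -req -days 3650 -in "$dir/reqs/clientReq.pem" \
    -CA "$dir/cacerts/cacert.pem" -CAkey "$dir/private/cakey.pem" -CAcreateserial \
    -out "$dir/certs/clientCert.pem" 2>/dev/null
  openssl pkcs12 -export -name client -passout pass:secret \
    -inkey "$dir/private/clientKey.pem" -in "$dir/certs/clientCert.pem" \
    -certfile "$dir/cacerts/cacert.pem" -out "$dir/clientCert.p12"
}

# check_pki DIR -- what to verify before editing ipsec.conf: both leaf
# certificates chain to the CA, the gateway cert carries the SAN and the
# serverAuth EKU, and the .p12 opens with the export password and holds a key.
# Returns 0 when every check passes, 1 at the first failure.
check_pki() {
  dir="$1"
  openssl verify -CAfile "$dir/cacerts/cacert.pem" "$dir/certs/gatewayCert.pem" \
    >/dev/null 2>&1 || return 1
  openssl verify -CAfile "$dir/cacerts/cacert.pem" "$dir/certs/clientCert.pem" \
    >/dev/null 2>&1 || return 1
  openssl x509 -in "$dir/certs/gatewayCert.pem" -noout -text \
    | grep -q "DNS:$GW_FQDN" || return 1
  openssl x509 -in "$dir/certs/gatewayCert.pem" -noout -text \
    | grep -q "TLS Web Server Authentication" || return 1
  openssl pkcs12 -in "$dir/clientCert.p12" -passin pass:secret -nodes -nocerts \
    2>/dev/null | grep -q "PRIVATE KEY" || return 1
  return 0
}

# Usage: sh make_pki.sh /path/to/pki   (assumed script name)
if [ $# -eq 1 ]; then
  make_pki "$1"
  check_pki "$1" && echo "PKI generated and verified under $1"
fi
```

The script keeps the keys unencrypted (-nodes) so it can run unattended; on a real gateway you would either encrypt the gateway key and reference its passphrase in /etc/ipsec.secrets as the page does, or rely on the filesystem permissions of /etc/ipsec.d/private. The check function is the part worth keeping around: a gateway certificate without the SAN or the serverAuth EKU is the usual reason a Windows IKEv2 client refuses the connection, and it is much cheaper to catch that with openssl than by reading charon logs.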

Configure /etc/ipsec.conf

He opens the main configuration file. The student has tested this configuration only for IKE version 2. He knows that there are two very important parameters: "leftfirewall=yes" (the updown script inserts the firewall rules that let the tunnelled traffic through) and "lefthostaccess=yes" (which additionally allows the gateway host itself to be reached through the tunnel).

config setup
    crlcheckinterval=180
    plutostart=no
    charondebug="cfg 4"
    strictcrlpolicy=no
    charonstart=yes

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2
    leftcert=maikaCert.pem
    leftfirewall=yes
    lefthostaccess=yes

conn nat-t
    leftsubnet=
    right=%any
    rightsubnet=
    rightsourceip=
    auto=add
    auth=esp
Edit the Firewall

The student opens the Yast firewall and opens UDP ports 500 and 4500 on the external interface (not the internal one).
yast firewall
Allowed Services -> Advanced -> UDP port 500 4500
Start the IPSec

chkconfig -s ipsec on
ipsec start

Now it is time to test it, so he tries to establish a connection. He screams IT IS ALIVE!
Routing

After the student has done all this he only needs to set the routing on windows. He adds a permanent (-p) route to that network and uses the IP address he got from strongswan as the gateway; in his case it was
route add mask metric 1 -p
He tries to ping and everything works.
The student had two network cards in that desktop PC, but he thinks, "what if I didn't have two network cards but only one?". Then he remembers that he can easily fake a network interface in Linux and put as many IP addresses on that interface as he wishes, so he goes to the directory "/etc/sysconfig/network/" and finds the configuration file for the interface, in his case ifcfg-eth0. He makes a copy of it with the name ifcfg-br1 and assigns the internal zone to that interface via yast. ifcfg-eth0 is his external zone because that is the interface with his public IP address. The student knows that this bridges both zones over one physical card, so if he makes an error in his firewall configuration he can expose the local traffic circulating in the desktop's network.

And the student can always add IP addresses like this:

LABEL1='fake card'

After he gives that interface an IP address with the mask, he knows that he can have only 62 friends using the proxy because his pool of addresses is , which means addresses from till . But what will happen to the bandwidth if all of them decide to download over that proxy?
Subnetting and traffic shaping

Now the student is thinking: well, I have to create 62 certificates for the 62 friends that can use this proxy, but I want 50 % of the bandwidth for me only, 25 % for my parents and the rest for everyone else. Well, the student is lazy and decides to do the rest of the story next weekend; he will post it in a different forum for traffic shaping. Coming soon!

In the steps related to generating the server certificate, you have us issue “ipsec listall” to verify that the certificate has been loaded. In my experience, that doesn’t produce any output unless “ipsec start” has been issued, which doesn’t occur until a later step.

Other than that small detail, I’ve found this tutorial very helpful. Thank you.