VPN Strongswan IKEv2 setup issues

Hi there,
I use a Netgear X4S device and want to run an IKEv2 VPN. I've tried the following guide:
https://zhmail.com/2016/02/15/configuring-ipsec-ikev2-in-openwrt-15-05/

But already at the installation itself I get some errors:
"opkg install strongswan-minimal strongswan-mod-eap-mschapv2 strongswan-mod-eap-identity strongswan-mod-constraints strongswan-mod-md5 strongswan-mod-pem strongswan-mod-pkcs1 strongswan-mod-revocation"
"Collected errors:

  • pkg_run_script: package "kmod-ipt-ipsec" postinst script returned status 255.
  • opkg_configure: kmod-ipt-ipsec.postinst returned 255."

When I go on and try to restart ipsec, I get
"root@Router:~# ipsec start
/usr/sbin/ipsec: exec: line 328: /usr/lib/ipsec/starter: not found
root@Router:~# service ipsec start
/usr/sbin/ipsec: exec: line 328: /usr/lib/ipsec/starter: not found"
After fixing that by installing the "strongswan-mod-stroke" package, I get the following message on startup and don't see any processes running.

"root@Router:/etc/strongswan.d/charon# service ipsec start
no files found matching '/etc/strongswan.d/*.conf'
Starting strongSwan 5.5.1 IPsec [starter]..."

I see no process running; ipsec statusall gives nothing back, so I don't think it starts up...

Any idea how to fix this or what i did wrong?

Thanks

EDIT
OK, it seems I need to reboot to get strongSwan running. Anyway, I have not yet been successful in establishing a connection, as it claims "IKE authentication credentials are unacceptable".
But I don't get the error so far; everything looks good in ipsec statusall:
"Status of IKE charon daemon (strongSwan 5.5.1, Linux 4.4.61, armv7l):
uptime: 17 minutes, since May 07 20:26:39 2017
worker threads: 10 of 16 idle, 6/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
loaded plugins: charon test-vectors ldap pkcs11 aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp agent xcbc cmac hmac ctr ccm gcm curl mysql sqlite attr kernel-netlink resolve socket-default connmark forecast farp stroke smp updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls xauth-generic xauth-eap dhcp whitelist led duplicheck addrblock unity
Virtual IP pools (size/online/offline):
172.16.1.0/24: 254/0/0
Listening IP addresses:
xx.xx.xx.xx
192.168.1.1
fdac:e1cb:bcc3::1
Connections:
ikev2: %any...%any IKEv2, dpddelay=300s
ikev2: local: [Router] uses public key authentication
ikev2: cert: "C=DE, ST=BW, CN=public.address"
ikev2: remote: uses EAP_MSCHAPV2 authentication with EAP identity '%any'
ikev2: child: 0.0.0.0/0 === dynamic TUNNEL, dpdaction=clear
Security Associations (0 up, 0 connecting):
none"

  • the client trusts the CA...
  • username/password looks good
  • certificate includes everything from dns name to ip

Edit2
It seems the first error message caused the problem I had (so basically a firewall problem).
I've uninstalled everything with
opkg remove strongswan* --autoremove
opkg remove kmod-ipt-ipsec --autoremove
Installed everything as described in the link (+strongswan-mod-stroke +strongswan-mod-sha2 +kmod-ipt-ipsec), had no kmod-ipt-ipsec error, didn't change the configuration, just rebooted after installing.
Everything works.

Oh, one small hint for the installation guide: if you choose the VPN mode IKEv2 on Windows 10, you get split tunneling; only the networks "behind" the router get routed to the VPN. You have to leave this setting untouched on "automatic" so split tunneling is disabled and all traffic goes through the tunnel. If you already changed this, you can't change it back in an easy way; delete and recreate the tunnel.
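One way to check, before running `ipsec start`, for the three things that went wrong in this thread (the missing starter binary, an empty /etc/strongswan.d, and a package whose postinst failed), added here as a constructed example that is not from the thread or from strongSwan. It assumes opkg's status file is /usr/lib/opkg/status and that a package whose postinst failed is not recorded there as "install ok installed".

```shell
#!/bin/sh
# Added preflight check (not from the thread) for a strongSwan IKEv2 install
# on OpenWrt. Each check mirrors one failure the poster hit:
#  - /usr/lib/ipsec/starter missing (fixed there with strongswan-mod-stroke)
#  - no /etc/strongswan.d/*.conf, so charon starts without plugin config
#  - a package whose postinst failed (kmod-ipt-ipsec), which opkg records in
#    its status file as something other than "install ok installed" (assumed)

# Packages from the guide plus the ones the poster had to add.
REQUIRED_PKGS="strongswan-minimal strongswan-mod-eap-mschapv2 strongswan-mod-eap-identity
strongswan-mod-constraints strongswan-mod-md5 strongswan-mod-pem strongswan-mod-pkcs1
strongswan-mod-revocation strongswan-mod-stroke strongswan-mod-sha2 kmod-ipt-ipsec"

# check_starter ROOT: the ipsec wrapper execs ROOT/usr/lib/ipsec/starter.
check_starter() {
    [ -x "$1/usr/lib/ipsec/starter" ]
}

# check_conf_dir ROOT: true when ROOT/etc/strongswan.d holds at least one *.conf.
check_conf_dir() {
    set -- "$1/etc/strongswan.d"/*.conf   # an unmatched glob stays literal
    [ -f "$1" ]
}

# missing_packages STATUS_FILE: print each required package not recorded as
# "install ok installed" in the opkg status file (/usr/lib/opkg/status on OpenWrt).
missing_packages() {
    for pkg in $REQUIRED_PKGS; do
        awk -v p="$pkg" '
            /^Package: / { name = $2 }
            /^Status: / && name == p && $NF == "installed" { found = 1 }
            END { exit found ? 0 : 1 }' "$1" || echo "$pkg"
    done
}

# preflight ROOT STATUS_FILE: report every problem, return 0 only when all pass.
preflight() {
    rc=0
    check_starter "$1" || { echo "no starter binary: install strongswan-mod-stroke"; rc=1; }
    check_conf_dir "$1" || { echo "no /etc/strongswan.d/*.conf present"; rc=1; }
    missing=$(missing_packages "$2")
    [ -z "$missing" ] || { echo "not fully installed:"; echo "$missing"; rc=1; }
    return $rc
}

# Run against the live system only when asked, so the functions can be sourced.
if [ "${1:-}" = "--run" ]; then
    preflight / /usr/lib/opkg/status
fi
```

Run it as `sh preflight.sh --run` on the router; a non-zero exit lists what the poster would otherwise only discover from the `ipsec start` error messages.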

I've finally been able to get IKEv2-enabled strongSwan to work on an OpenWrt router, iOS and OS X Sierra.

The step-by-step recipe (guide) is available as a separate post titled "Strongswan configuration recipe for turris omnia" at the URL below:

http://forum.turris.cz/t/strongswan-configuration-recipe-for-turris-omnia/3510
