strongSwan Client Support

Remote Access client with IKEv2 has the ability to use the strongSwan Client.

strongSwan Client Installation

For strongSwan client installation, follow the instructions in the strongSwan documentation.

strongSwan Client Configuration

The configuration contains these sections:

Section Description


This section describes:

  • The "ipsec.conf" file

  • The "ipsec.secrets" file

  • The "strongswan.conf" file

  • The "cacerts" folder

  • The "certs" folder

  • The "private" folder

Username and Password

This section describes:

  • The "ipsec.conf" file

  • The "ipsec.secrets" file

  • The "strongswan.conf" file

Features Configuration

This section describes:

  • The "pfs" feature

  • The "reauth" feature

  • The "rekey" feature

  • The strict use of IKE and ESP methods

  • Dead Peer Detection (DPD)

Special Configuration

This section describes:

  • How to use an encrypted private key to connect

  • The encryption domain

Debian and Ubuntu Special Configuration

To use EAP authentication on Debian and Ubuntu machines, you must run these commands to install the required plugins before a strongSwan restart:

  • sudo apt-get install libstrongswan-extra-plugins

  • sudo apt-get install libcharon-extra-plugins

Useful strongSwan Commands

On CentOS and Fedora, the primary command is: strongswan.

On Ubuntu and Debian, the primary command is: ipsec.

  • "strongswan restart", or "ipsec restart"

    Terminates all IPsec connections, stops the IKE daemon "charon", parses the "ipsec.conf" file, and starts the IKE daemon "charon".

  • "strongswan rereadsecrets", or "ipsec rereadsecrets"

    Reads all secrets defined in the ipsec.secrets file and updates them.

  • "strongswan update", or "ipsec update"

    Determines any changes in the "ipsec.conf" file and updates the configuration on the active IKE daemon "charon".

    Configuration changes do not affect established connections.

    Note - To use changes in the "ipsec.conf" or "ipsec.secrets" file, you must run the command with the "rereadsecrets" options (not with the "update" option). For full command syntax, go to the web site (see the IpsecCommand section).

How to Convert a P12 File into a Private Key and Public Cert

  • XCA Tool

    • Use the XCA tool.

    • Download it from the site in the XCA directory.

  • OpenSSL Commands

    • openssl pkcs12 -in <P12_CERTIFICATE>.p12 -clcerts -nokeys -out <EXTRACTED_CERTIFICATE>.crt

    • openssl pkcs12 -in <P12_CERTIFICATE>.p12 -nocerts -out <EXTRACTED_PRIVATE>.key

Known Limitations

  • Simultaneous Login

    Two simultaneous connections for the same user are not supported. Each connection must be an individual user or the first connection disconnects.

  • Office Mode with Multiple External Interfaces

    Enhancements for Gateways with multiple external interfaces require NAT-T usage on the client side.

    Enforcement requires the NAT-T environment, or the configuration of "forceencaps = yes" in the "ipsec.conf" file.

  • Back Connection

    Connections from the encryption domain to the assigned IP address of the client by the Security Gateway are not supported.

  • Realms

    Realms are not supported. The client uses “Legacy authentication”.

  • Machine Authentication

    Machine authentication is not supported.

  • Two-Factor Authentication

    Two-Factor Authentication is not supported.

  • Encryption Domain

    Encryption domain changes must deploy on the client side with configuration file changes in some scenarios.

  • Advanced Remote Access features are not supported

    • Certificate enrollment.

    • Link Selection.

    • Location Awareness.

    • Multiple Entry Point (MEP).

    • Secondary Connect.

    • Secure Configuration Verification (SCV).

    • Visitor Mode.

  • IPv6

    IPv6 is not supported.

  • Certificate Usage

    The customer deploys the certificates.

  • Certificate Authentication

    Certificate authentication with ICAClosed Internal Certificate Authority. A component on Check Point Management Server that issues certificates for authentication. is only supported without a CRL check.