[opensuse] [SOLVED] Strongswan fails to configure / stopped working / how to configure on OpenSuse 15.1/15.2
All -

I have been struggling with StrongSwan for a number of days, and finally have a solution to my problem, so I'm posting it here. Apologies if this is common knowledge now, but my problem is reproducible on fresh installs of 15.1 and 15.2, Google failed to help, Bugzilla shows nothing relevant, and https://lists.opensuse.org/cgi-bin/search.cgi?query=strongswan&list=opensuse is currently returning a 500 server error. Therefore, I'm posting the solution I found here, for the archives, and I do have two procedural questions at the end.

SYMPTOMS:

I had been using Strongswan on several OpenSuse servers in different locations to provide VPN service to my users. I had two types of users - Android clients, and Windows 10 clients. A number of months ago, most likely after a zypper update, Strongswan just... stopped working. No clients of either type could connect to *any* of my servers. My clients could connect to other providers, but it seemed all of my servers just stopped working.

The servers had initially been configured with the relevant yast2 snapin, which had created simple /etc/ipsec.conf and /etc/ipsec.secrets files, and which had worked for over a year. Everything was easy, fine, and reliable... until it wasn't. No matter what configurations I tried, either using yast2 or manually editing the ipsec.* files, I could not get any clients to connect.

Upon checking the log files, I was noticing things like:

  no authorities found, 0 unloaded
  no pools found, 0 unloaded
  no connections found, 0 unloaded

No matter what I tried in ipsec.conf, nothing was being recognized.

CAUSES IDENTIFIED:

At some point in an update, the behavior of strongswan changed without warning. Strongswan started *ignoring* the /etc/ipsec.conf file completely. Digging into the documentation, I discovered that /etc/ipsec.conf was being deprecated by the Strongswan team in favor of /etc/swanctl/swanctl.conf.

HOWEVER, that change was *not* picked up on by yast2. Yast2 continues to pretend to configure VPNs, and appears to function properly; however, it writes an /etc/ipsec.conf file each time, which is ignored by Strongswan.

TESTS RUN:

I tried removing /etc/swanctl/swanctl.conf (a basically blank file with just comments in it anyway) to see if Strongswan would fall back to /etc/ipsec.conf. It did not. I confirmed that the deprecated "stroke" plugin was present; it is, and it's supposed to load /etc/ipsec.conf, but it does not. I did a fresh, clean install of OpenSuSE 15.1, and confirmed the same behavior there. I also did a clean install of 15.2, and that behavior persists: Strongswan completely ignores /etc/ipsec.conf, Yast2 ignores everything else, and only works with /etc/ipsec.conf.

SOLUTION:

The only solution I was able to find was to abandon Yast2 and /etc/ipsec.conf, and create an actual /etc/swanctl structure, set it up and run it. The internet has a number of configuration examples attempting to explain this.... and none of them work. There are many people out there also who ask questions, and come back and say, "Oh, I fixed it," but they never post their fixes, and leave the world hanging.

I am therefore providing here the configuration steps and control file I used to make Strongswan work on OpenSuse 15.1 and 15.2 for both Android (IKEV1) clients and Windows 10 (IKEV2) clients, simultaneously. This setup assumes your server has a fully-qualified name, resolves on the internet, and has an SSL certificate to match that name. It is for a server, on the internet, serving roaming "road warrior" clients.

First, set up the directories, and copy in your keys:

  mkdir /etc/swanctl/private /etc/swanctl/x509 /etc/swanctl/x509ca
  cp your.private.key /etc/swanctl/private
  cp your.public.crt /etc/swanctl/x509/
  cp your.cert.chain /etc/swanctl/x509ca/

Then, create your /etc/swanctl/swanctl.conf file:

-----begin-below-this-line-----
connections {
    ikev1-psk-xauth {
        version = 1
        proposals = aes256-sha256-modp1024,aes256-sha1-modp1024,aes192gcm16-aes128gcm16-prfsha256-ecp256-ecp521,aes192-sha256-modp3072,default
        rekey_time = 0s
        pools = primary-pool-ipv4
        fragmentation = yes
        dpd_delay = 30s
        dpd_timeout = 90s
        local-1 {
            auth = psk
        }
        remote-1 {
            auth = psk
        }
        remote-2 {
            auth = xauth
        }
        children {
            ikev1-psk-xauth {
                local_ts = 0.0.0.0/0
                rekey_time = 0s
                dpd_action = clear
                esp_proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-modp3072,aes192-sha256-ecp256-modp3072,default
            }
        }
    }
    ikev2-pubkey {
        version = 2
        proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-ecp521,aes192-sha256-modp3072,aes256-sha256-modp2048,aes256-sha1-modp1024,default
        pools = primary-pool-ipv4
        local {
            auth = pubkey
            certs = your.public.crt
            id = your.server.fqdn
        }
        remote {
            auth = eap-mschapv2
            eap_id = %any
        }
        children {
            ikev2-pubkey-child {
                local_ts = 0.0.0.0/0
                esp_proposals = aes192gcm16-aes128gcm16-prfsha256-ecp256-modp3072,aes256-sha256-modp2048,aes256-sha1-modp1024,default
            }
        }
    }
}
pools {
    primary-pool-ipv4 {
        addrs = 192.168.100.0/24
        dns = 1.1.1.1, 8.8.8.8
    }
}
secrets {
    ike-one {
        secret = "yourprivatepresharedkey"
    }
    eap-youruserid {
        id = youruserid
        secret = "yourpersonalvpnpassword"
    }
}
-----end-above-this-line-----

For clarity, the first section supports Android clients using the native OS VPN setup. The second section supports Windows 10 clients using the native OS VPN setup in "IKEV2" mode. Anything that you might have to change in the above file starts with "your".

If you run a firewall, you must of course open the relevant ports; iptables rules look like:

  iptables -A INPUT -p 50 -j ACCEPT
  iptables -A INPUT -p udp --dport 500 -j ACCEPT
  iptables -A INPUT -p udp --dport 4500 -j ACCEPT
  iptables -A FORWARD -s 192.168.100.0/24 -j ACCEPT
  iptables -A FORWARD -d 192.168.100.0/24 -j ACCEPT
  iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -j MASQUERADE

After installing the above, and restarting Strongswan, my /var/log/messages shows:

  swanctl[18023]: loaded pool 'primary-pool-ipv4'
  successfully loaded 1 pools, 0 unloaded
  loaded connection 'ikev1-psk-xauth'
  loaded connection 'ikev2-pubkey'
  successfully loaded 2 connections, 0 unloaded

... and everything just works.

I have not tested on IOS or Apple yet, but I expect they will work, and can follow up if additional changes were needed.

Again, I'm sorry if this is common knowledge now, or if I'm missing something obvious, but since Yast2 still fails, and no examples worked, I wanted to log this in here for our community.

QUESTIONS

Does anyone here have guidance or an opinion on whether this information should be sent to a different list (e.g. opensuse-support)?

Does anyone here have guidance or an opinion on whether this should be bug reported?

Thank you again for your patience.

Glen

-- 
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
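As an added example (not from the post above or from the strongSwan project), a small Python checker that parses the section/key-value syntax swanctl.conf uses and reports two things worth looking at before restarting the daemon: a connection that references a pool name that is not defined anywhere, and IKE proposals that still contain legacy algorithms such as sha1 or modp1024, which the post's file keeps for client compatibility. The sample config is constructed and trimmed from the structure above, and the `WEAK` token list and the `audit` checks are this example's own assumptions.

```python
# Constructed sample in swanctl.conf syntax, cut down from the structure in the post.
SAMPLE = """
connections {
  ikev2-pubkey {
    proposals = aes256-sha256-modp2048,aes256-sha1-modp1024,default
    pools = primary-pool-ipv4
    local {
      id = your.server.fqdn
    }
  }
}
pools {
  primary-pool-ipv4 {
    addrs = 192.168.100.0/24
  }
}
"""
WEAK = ("md5", "sha1", "3des", "modp768", "modp1024")  # legacy tokens to flag (assumed list)

def parse(text):
    """Turn 'section { }' and 'key = value' lines into nested dicts."""
    root, stack = {}, []
    cur = root
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if line.endswith("{"):                 # open a nested section
            cur[line[:-1].strip()] = child = {}
            stack.append(cur)
            cur = child
        elif line == "}":                      # close the current section
            cur = stack.pop()
        else:
            key, _, val = line.partition("=")
            cur[key.strip()] = val.strip().strip('"')
    return root

def audit(conf):
    """Return findings: undefined pool references and legacy IKE proposals."""
    out, pools = [], conf.get("pools", {})
    for name, conn in conf.get("connections", {}).items():
        for pool in conn.get("pools", "").split(","):
            if pool.strip() and pool.strip() not in pools:
                out.append(f"{name}: pool '{pool.strip()}' is not defined")
        for prop in conn.get("proposals", "").split(","):
            if any(tok in prop for tok in WEAK):
                out.append(f"{name}: legacy IKE proposal '{prop}'")
    return out
```

Run `audit(parse(open("/etc/swanctl/swanctl.conf").read()))` against the real file; an empty list means no findings.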
17.09.2020 04:16, Glen writes:
CAUSES IDENTIFIED:
At some point in an update, the behavior of strongswan changed without warning. Strongswan started *ignoring* the /etc/ipsec.conf file completely. Digging into the documentation, I discovered that /etc/ipsec.conf was being deprecated by the Strongswan team in favor of /etc/swanctl/swanctl.conf.
HOWEVER, that change was *not* picked up on by yast2. Yast2 continues to pretend to configure VPNs, and appears to function properly; however, it writes an /etc/ipsec.conf file each time, which is ignored by Strongswan.
You should open a bug report. Such changes are not acceptable in stable releases.
On 17/09/2020 03.16, Glen wrote:
All -
...
Again, I'm sorry if this is common knowledge now, or if I'm missing something obvious, but since Yast2 still fails, and no examples worked, I wanted to log this in here for our community.
Thank you :-)
QUESTIONS
Does anyone here have guidance or an opinion on whether this information should be sent to a different list (e.g. opensuse-support) ?
IMO, here is fine.
Does anyone here have guidance or an opinion on whether this should be bug reported?
Yes, certainly, you should report in Bugzilla.

-- 
Cheers / Saludos,

Carlos E. R.
(from 15.1 x86_64 at Telcontar)