Rothirsch Technologies Background



Docdate 2018.06.02
Hardware Banana Pi m64
OperatingSystem Armbian 4.14 nightly build


In this tutorial we describe a site-to-site VPN tunnel between two companies, built on a single-board computer.



The bpi-m64 we use in this tutorial has 4 cores. To compile as fast as possible we run make with 4 parallel jobs (-j4).

Install dependencies

apt update && apt-get -qq -y upgrade
apt -y install build-essential bzip2

Reboot after upgrade

On my Armbian system I had the problem that I wasn't able to start strongswan after I installed it. It looked as if modules were missing from the kernel configuration. After a while I found on the Armbian forum that the only problem was that I had to reboot, because apt upgrade had installed a new kernel. So reboot now.

Compile dependencies (libgmp)

mkdir /opt/gmp_src
cd /opt/
# place the libgmp release tarball (.lz) in /opt before this step
apt -y install lzip
lzip --decompress *.lz
tar xf *.tar -C /opt/gmp_src --strip-components=1
cd gmp_src
./configure
make -j4
make check
make install

Compile strongswan (latest)

mkdir /opt/strongswan
cd /opt/
# place the strongswan release tarball (strongswan.tar.bz2) in /opt before this step
tar xjvf strongswan.tar.bz2 -C /opt/strongswan --strip-components=1
cd strongswan

You can enable additional functionality through the configure options.

./configure --prefix=/usr --sysconfdir=/etc

For example, if you want to connect Windows 7/10 clients with username and password authentication (EAP-MSCHAPv2):

./configure --prefix=/usr --sysconfdir=/etc --enable-eap-identity --enable-eap-mschapv2 --enable-md4

You can find the other configure options on the strongswan wiki page.

make -j4
make install

Add startup script to /etc/init.d/strongswan

Create the file /etc/init.d/strongswan and copy the next lines into it.

#! /bin/sh
### BEGIN INIT INFO
# Provides:          vpn
# Required-Start:    $network $local_fs
# Required-Stop:     $network $local_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Strongswan IPsec services
### END INIT INFO

# Author: Rene Mayrhofer

# PATH should only include /usr/* if it runs after the mountnfs.sh script
PATH=/sbin:/usr/sbin:/bin:/usr/bin
DESC="strongswan IPsec services"
# The following variables were missing from the listing; the values assume the
# --prefix=/usr build from above (the starter then lives under /usr/libexec/ipsec).
NAME=ipsec
DAEMON=/usr/sbin/$NAME
PIDFILE=/var/run/charon.pid
SCRIPTNAME=/etc/init.d/strongswan

# Exit if the package is not installed
[ -x "$DAEMON" ] || exit 0

# Read configuration variable file if it is present
[ -r /etc/default/$NAME ] && . /etc/default/$NAME

# Load the VERBOSE setting and other rcS variables (standard Debian init skeleton file)
. /lib/init/vars.sh

# Define LSB log_* functions.
# Depend on lsb-base (>= 3.0-6) to ensure that this file is present.
. /lib/lsb/init-functions

# Function that starts the daemon/service
do_start()
{
  # Return
  # 0 if daemon has been started
  # 1 if daemon was already running
  # 2 if daemon could not be started
  start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \
      || return 1
  start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON -- start \
      || return 2
}

# Function that stops the daemon/service
do_stop()
{
  # Return
  # 0 if daemon has been stopped
  # 1 if daemon was already stopped
  # 2 if daemon could not be stopped
  # other if a failure occurred
  # give the proper signal to stop
  start-stop-daemon --start --quiet --pidfile $PIDFILE --exec $DAEMON -- stop \
      || return 2
  # but kill if that didn't work
  start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME
  RETVAL="$?"
  [ "$RETVAL" = 2 ] && return 2
  # Wait for children to finish too if this is a daemon that forks
  # and if the daemon is only ever run from this initscript.
  # If the above conditions are not satisfied then add some other code
  # that waits for the process to drop all resources that could be
  # needed by services started subsequently. A last resort is to
  # sleep for some time.
  start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON
  [ "$?" = 2 ] && return 2
  # Many daemons don't delete their pidfiles when they exit.
  rm -f $PIDFILE
  return "$RETVAL"
}

# Function that sends a reload request to the daemon/service
do_reload() {
  $DAEMON reload
  return 0
}

case "$1" in
  start)
    [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
    do_start
    case "$?" in
        0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
        2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
    esac
    ;;
  stop)
    [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
    do_stop
    case "$?" in
        0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
        2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
    esac
    ;;
  status)
    $DAEMON status
    ;;
  reload|force-reload)
    log_daemon_msg "Reloading $DESC" "$NAME"
    do_reload
    log_end_msg $?
    ;;
  restart)
    log_daemon_msg "Restarting $DESC" "$NAME"
    do_stop
    case "$?" in
      0|1)
        do_start
        case "$?" in
            0) log_end_msg 0 ;;
            1) log_end_msg 1 ;; # Old process is still running
            *) log_end_msg 1 ;; # Failed to start
        esac
        ;;
      *)
        # Failed to stop
        log_end_msg 1
        ;;
    esac
    ;;
  *)
    echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2
    exit 3
    ;;
esac

:


Config: /etc/init.d/strongswan


Autostart Strongswan

chmod 755 /etc/init.d/strongswan
systemctl enable strongswan
strongswan.service is not a native service, redirecting to systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable strongswan
insserv: warning: current start runlevel(s) (empty) of script `strongswan' overrides LSB defaults (2 3 4 5).
insserv: warning: current stop runlevel(s) (0 1 2 3 4 5 6) of script `strongswan' overrides LSB defaults (0 1 6).


Now you can reboot, or simply restart the strongswan service and check its status:

service strongswan restart
$ service strongswan status
● strongswan.service - LSB: Strongswan IPsec services
   Loaded: loaded (/etc/init.d/strongswan; generated; vendor preset: enabled)
   Active: active (running) since Mon 2018-06-04 16:17:02 UTC; 1min 56s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 884 ExecStart=/etc/init.d/strongswan start (code=exited, status=0/SUCCESS)
    Tasks: 18 (limit: 4915)
   CGroup: /system.slice/strongswan.service
           ├─1110 /usr/libexec/ipsec/starter --daemon

Installation done

CA Setup

The goal of this tutorial is to set up a certificate authority (CA). The CA issues certificates for your clients, and the gateway uses these certificates to authenticate connecting clients. You can read more about certificate authorities on Wikipedia.

CA environment

We will use two bpi-m64 SBCs as servers on this site.

  • One server (CA) creates and manages certificates
  • One server (IPsec gateway) serves as the gateway and has an ownCloud instance installed for sharing certificates


Flash Armbian to both bpi-m64 boards. You can do that with this tutorial and then connect to them with SSH.

We will name the CA ca and the gateway gw. Change the name bananapi-m64 in the following files:

vi /etc/hosts
vi /etc/hostname

Gateway server

Connect to the gateway and install ownCloud on it.

Create Store

mkdir -p /var/www/html/data/root/files/ca_transfer/
cd /var/www/html/
sudo -u www-data php occ files:scan --all

Then install strongswan as described above.

CA server


You may have to set up a mail server first. At the very least you have to install and configure sSMTP on this server.


We'll use a user named ca for managing the CA.

adduser ca
Adding user `ca' ...
Adding new group `ca' (1001) ...
Adding new user `ca' (1001) with group `ca' ...
Creating home directory `/home/ca' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for ca
Enter the new value, or press ENTER for the default
    Full Name []:
    Room Number []:
    Work Phone []:
    Home Phone []:
    Other []:
Is the information correct? [Y/n]


Because this user has to install packages later on, we add it to the sudo group:

usermod -aG sudo ca


Add a host entry to /home/ca/.ssh/config so you can connect to the gateway with ssh gw:

mkdir /home/ca/.ssh
vi /home/ca/.ssh/config
Host gw
    User root
    Port 22

Also configure passwordless (key-based) SSH access from this server to the gateway. Described here

Git repository

Download the CA environment from GitHub to the server named ca:

apt-get update
apt-get install git
cd /opt/
git clone
chown -R ca: RT-Blog-CA
chmod -R 700 RT-Blog-CA
cd RT-Blog-CA

Copy the template file from central/templates/ into place. The def_locl file will not be overwritten by a git pull, because it is listed in the .gitignore file.

In this file you define:

  • the mail address from which you will receive mails
  • the ownCloud settings (these should already be right)
  • the SSH host name of your gateway: ipsecgw="gw"

CA Config

Create CA

For this part you have to be connected over SSH to the ca server (the one you installed in the previous part). Change to the directory of the git repository you downloaded:

cd /opt/RT-Blog-CA

Here you can easily create a new CA with the createCA script. The first run prints:

pwgen: is not installed
uuid-runtime: is not installed
The script found missing dependencies. Install them first.


The first execution informs us about missing dependencies, so we install them:

sudo apt install pwgen uuid-runtime

Now we can execute the script again:

Choose a company domain name (like "domain.local"): domain.local
Using company name: domain.local …

Choose a shortname for the CA like ca2k: ca1k
Using CA name: ca1k …

You will now create a subject for your CA. These are information
the strongswan gateway will use to identify the senders and receivers
Additionally this script saves the parameters you choose as default
values for later use.
CA Country (2 Letters): : AT
CA State: : Puxtehude
CA City: : Stadt
CA Company Name: : Testfirma
CA Unit (Company: Server/Client (specific): : TF - Servers (CA 1k)

Your server name like ca.domain.local
CA CommonName: : ca.domain.local
CA nsComment (optional): :

What will the generale liftime of a certificate, created with this CA, be?
You have to reissue any certificate after this periode
The certificate of the CA itself has a lifetime of 3 year (1095 days)
CA Certificate Lifetime (30): : 30
Using Subject: /C=AT/ST=Puxtehude/L=Stadt/O=Testfirma/OU=TF - Servers (CA 1k)/CN=ca.domain.local

A 4096bit key length can result in MTU issues on some ISPs
For higher compatibility, e.g. for mobile devices, use a smaller length like
2048bit but you have to reissue them more often. It’s not recommended to use
a key lenght less than 1024bit. For a site to site connection you
should probably use the 4096bit lenght.
Key length (1024|2048|4096): 1024

In some situations VPN clients and servers reading if the Domain name
of the ipsec gateway exists and resolves to the IP Adress of the gateway.
So if you use this parameter wrong your certificates will not authenticate.
Please add 'DNS:' at the beginning if you use a DNS Name.
Please add 'IP:' before the IP if you use a static IP.
Server (IP:… or DNS:…): DNS:gx.domain.local

New password: Iujae3ieeKapah7u

Create CA…
Making CA certificate …
/C=AT/ST=Puxtehude/L=Stadt/O=Testfirma/OU=TF - Servers (CA 1k)/CN=ca.domain.localGenerating a 1024 bit RSA private key
writing new private key to './demoCA/private/cakey.pem'
Using configuration from /opt/RT-Blog-CA/.tmp/294c1056-9957-4591-8123-ff4e1a717ddf/openssl.cnf
Can't open ./demoCA/index.txt.attr for reading, No such file or directory
281472947608016:error:02001002:system library:fopen:No such file or directory:../crypto/bio/bss_file.c:74:fopen('./demoCA/index.txt.attr','r')
281472947608016:error:2006D080:BIO routines:BIO_new_file:no such file:../crypto/bio/bss_file.c:81:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            Not Before: Jul 3 13:42:21 2018 GMT
            Not After : Jul 2 13:42:21 2021 GMT
            countryName = AT
            stateOrProvinceName = Puxtehude
            organizationName = Testfirma
            organizationalUnitName = TF - Servers (CA 1k)
            commonName = ca.domain.local
        X509v3 extensions:
            X509v3 Subject Key Identifier:
            X509v3 Authority Key Identifier:
                DirName:/C=AT/ST=Puxtehude/O=Testfirma/OU=TF - Servers (CA 1k)/CN=ca.domain.local

            X509v3 Basic Constraints:
Certificate is to be certified until Jul 2 13:42:21 2021 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated

Move all files and information into destination directory…

Your certificate authority has been created!
All files are in:


The script tells you everything you need to know. Fill in the values as you want them to be. On this site we created a CA with the following settings:

  • The domain is: domain.local
  • The shortname of the CA is: ca1k
  • This is because we will use a 1024 bit key, but you can name the CA as you like
  • Shortname for your country: AT
  • State name: Puxtehude
  • City name: Stadt
  • Company name: Testfirma
  • Unit name to use for this certificate: TF - Servers (CA 1k)
  • CommonName (hostname with domain): ca.domain.local
  • Certificate lifetime: 30 days
  • Key length: 1024
  • Gateway address: DNS:gx.domain.local

So this is it. You created your first CA.
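To show what createCA does under the hood, here is an added example (not the RT-Blog-CA script and not code from this page) that builds the same kind of CA with plain openssl commands: the same subject, a 3-year CA certificate, and a 30-day gateway certificate carrying the DNS:gx.domain.local subject alternative name that peers match against. It also pre-creates the demoCA bookkeeping files (index.txt, index.txt.attr, serial) whose absence produced the "Can't open ./demoCA/index.txt.attr" messages in the output above. The working directory, the file names, the minimal request config and the 2048-bit key size are assumptions of the example.

```shell
#!/bin/sh
# Added example (not the RT-Blog-CA createCA script): a minimal CA with the
# tutorial's subject, built with plain openssl. Paths, file names and the
# 2048-bit key size are assumptions.
set -e

CA_DIR="${CA_DIR:-./demoCA}"   # assumed working directory
CA_SUBJ="/C=AT/ST=Puxtehude/L=Stadt/O=Testfirma/OU=TF - Servers (CA 1k)/CN=ca.domain.local"
GW_SUBJ="/C=AT/ST=Puxtehude/L=Stadt/O=Testfirma/OU=TF - Servers (CA 1k)/CN=gx.domain.local"
GW_SAN="DNS:gx.domain.local"
KEY_BITS=2048

# Directory layout and bookkeeping files that "openssl ca" expects; creating
# index.txt.attr up front avoids the "Can't open ./demoCA/index.txt.attr" warning.
prepare_ca_dir() {
    mkdir -p "$CA_DIR/private" "$CA_DIR/newcerts"
    chmod 700 "$CA_DIR/private"
    touch "$CA_DIR/index.txt"
    echo "unique_subject = yes" > "$CA_DIR/index.txt.attr"
    [ -f "$CA_DIR/serial" ] || echo 01 > "$CA_DIR/serial"
    # Minimal request config so the example does not depend on the system openssl.cnf.
    printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$CA_DIR/req.cnf"
}

# Self-signed CA certificate, valid 3 years (1095 days) like the tutorial's CA.
make_ca_cert() {
    openssl req -x509 -config "$CA_DIR/req.cnf" -newkey "rsa:$KEY_BITS" -nodes \
        -days 1095 -subj "$CA_SUBJ" \
        -addext "basicConstraints=critical,CA:TRUE" \
        -addext "keyUsage=critical,keyCertSign,cRLSign" \
        -keyout "$CA_DIR/private/cakey.pem" -out "$CA_DIR/cacert.pem" 2>/dev/null
}

# Gateway key, CSR and a 30-day certificate signed by the CA. The SAN comes from
# an extension file, because "openssl x509 -req" does not copy CSR extensions.
make_gw_cert() {
    openssl req -new -config "$CA_DIR/req.cnf" -newkey "rsa:$KEY_BITS" -nodes \
        -subj "$GW_SUBJ" -keyout "$CA_DIR/private/gwkey.pem" \
        -out "$CA_DIR/gw.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=%s\nextendedKeyUsage=serverAuth\n' \
        "$GW_SAN" > "$CA_DIR/gw.ext"
    openssl x509 -req -in "$CA_DIR/gw.csr" -CA "$CA_DIR/cacert.pem" \
        -CAkey "$CA_DIR/private/cakey.pem" -CAserial "$CA_DIR/serial" \
        -days 30 -extfile "$CA_DIR/gw.ext" -out "$CA_DIR/gwcert.pem" 2>/dev/null
}

# Returns 0 when the gateway certificate chains to the CA and carries the SAN
# that VPN peers will compare with the gateway's name.
check_gw_cert() {
    openssl verify -CAfile "$CA_DIR/cacert.pem" "$CA_DIR/gwcert.pem" >/dev/null 2>&1 || return 1
    openssl x509 -in "$CA_DIR/gwcert.pem" -noout -text | grep -q "$GW_SAN"
}

# Prints the RSA modulus size of a private key file, e.g. 2048.
key_bits() {
    openssl pkey -in "$1" -noout -text | grep -oE '[0-9]+ bit' | head -n 1 | cut -d' ' -f1
}

case "${1:-}" in
    run)
        prepare_ca_dir
        make_ca_cert
        make_gw_cert
        check_gw_cert && echo "gateway certificate OK ($(key_bits "$CA_DIR/private/cakey.pem")-bit CA key)"
        ;;
esac
```

Run it as `sh ca_example.sh run`; it creates the CA and gateway certificates under ./demoCA (or the directory given in CA_DIR) and reports whether the gateway certificate verifies against the CA and carries the expected SAN. The two lifetimes mirror the tutorial: the CA certificate lasts 1095 days, the gateway certificate only 30 days and therefore has to be reissued regularly.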

