<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body>
Hello,<br>
<br>
I'm changing my config from using swanctl to the
networkmanager-strongswan plugin.<br>
I have trouble using a smartcard with charon-nm.<br>
<br>
Charon-nm is configured with the right pkcs11 plugin/module/lib and
I can see in the logs:<br>
<blockquote>May 20 09:09:32 OR6240941 charon-nm: 00[CFG] loaded
PKCS#11 v2.40 library 'tpm2-pkcs11'
(/usr/lib64/pkcs11/libtpm2_pkcs11.so)<br>
May 20 09:09:32 OR6240941 charon-nm: 00[CFG]
tpm2-software.github.io: TPM2.0 Cryptoki v0.0<br>
May 20 09:09:32 OR6240941 charon-nm: 00[CFG] found token in slot
'tpm2-pkcs11':1 (tpm2-token Infineon)<br>
May 20 09:09:32 OR6240941 charon-nm: 00[CFG] tpm2-token
(Infineon: SLB9670)<br>
May 20 09:09:32 OR6240941 charon-nm: 00[CFG] found token in slot
'tpm2-pkcs11':2 ( Infineon)<br>
May 20 09:09:32 OR6240941 charon-nm: 00[CFG] (Infineon:
SLB9670)<br>
May 20 09:09:32 OR6240941 charon-nm: 00[KNL] received netlink
error: Address family not supported by protocol (97)<br>
May 20 09:09:32 OR6240941 charon-nm: 00[KNL] unable to create IPv6
routing table rule<br>
May 20 09:09:32 OR6240941 NetworkManager[13100]: <info>
[1621501772.1373]
vpn-connection[0x55a76cba84e0,1f9098ba-4328-4a23-ad17-e503456c2d04,"swanboottoken",0]:
Saw the service appear; activating connection<br>
May 20 09:09:32 OR6240941 charon-nm: 00[CFG]
C_GetAttributeValue(NULL) error: ATTRIBUTE_TYPE_INVALID<br>
May 20 09:09:32 OR6240941 charon-nm: 00[LIB] loaded plugins:
nm-backend charon-nm ldap pkcs11 tpm aes des rc2 sha2 sha1 md5
mgf1 random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8
sshkey pem openssl fips-prf gmp curve25519 xcbc cmac hmac drbg
curl kernel-netlink socket-default<br>
May 20 09:09:32 OR6240941 charon-nm: 00[LIB] dropped capabilities,
running as uid 105, gid 101<br>
May 20 09:09:32 OR6240941 charon-nm: 00[JOB] spawning 16 worker
threads<br>
May 20 09:09:32 OR6240941 charon-nm: 01[CFG] module 'tpm2-pkcs11'
does not support hot-plugging, cancelled<br>
May 20 09:09:32 OR6240941 NetworkManager[13100]: <info>
[1621501772.1439]
vpn-connection[0x55a76cba84e0,1f9098ba-4328-4a23-ad17-e503456c2d04,"swanboottoken",0]:
VPN connection: (ConnectInteractive) reply received<br>
May 20 09:09:32 OR6240941 charon-nm: 06[CFG] received initiate for
NetworkManager connection swanboottoken<br>
May 20 09:09:32 OR6240941 charon-nm: 06[CFG] using CA certificate,
gateway identity '<vpn name>'<br>
May 20 09:09:32 OR6240941 NetworkManager[13100]: <warn>
[1621501772.1468]
vpn-connection[0x55a76cba84e0,1f9098ba-4328-4a23-ad17-e503456c2d04,"swanboottoken",0]:
VPN connection: failed to connect: 'no usable smartcard
certificate found.'<br>
</blockquote>
I know the certificate/private key is working outside the
smartcard/token.<br>
Following the smartcard requirements, I have the public key available
without login, and the ID on the certificate matches the private key and
the public key (it's not the subjectKeyIdentifier, but I'm using
strongSwan 5.8.2).<br>
<br>
The line C_GetAttributeValue(NULL) error: ATTRIBUTE_TYPE_INVALID
might be the root cause, since my certificate does not have the "TLS
Client Auth" extended key usage, but "TLS Web Client Authentication,
IPSec User, ipsec Internet Key Exchange".<br>
Since the certificate works outside the smartcard, I'm not sure this
is wrong.<br>
<br>
Is there a way to get more debugging logs from charon-nm/pkcs11?<br>
<br>
<br>
Regards,<br>
Marc <br>
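<br>
<br>
Added example, not part of Marc's message: a strongswan.conf fragment that raises charon-nm's log verbosity for the two log groups the PKCS#11 plugin writes to (CFG and LIB in the output quoted above). Assumptions: the file is /etc/strongswan.conf, the charon-nm section is where charon-nm reads its settings (falling back to the charon section), and the log file path is a placeholder.<br>

```conf
# Added example (not from the original post): strongswan.conf fragment for
# charon-nm debugging. Assumed file: /etc/strongswan.conf. charon-nm reads the
# charon-nm section and falls back to the charon section for anything unset.
charon-nm {
    syslog {
        daemon {
            # Log levels: 0 = basic, 1 = audit, 2 = control flow,
            # 3 = detailed control flow, 4 = includes private/key material.
            default = 1
            # CFG: PKCS#11 module loading, token/slot discovery, certificate
            #      and key lookup ("found token in slot", C_GetAttributeValue).
            cfg = 3
            # LIB: plugin loading and library-level messages.
            lib = 3
        }
    }
    # Optional dedicated file log, handy when the journal interleaves
    # charon-nm and NetworkManager lines. Path is a placeholder.
    filelog {
        charon-nm-debug {
            path = /var/log/charon-nm-debug.log
            time_format = %b %e %T
            append = yes
            flush_line = yes
            default = 1
            cfg = 3
            lib = 3
        }
    }
}
```
charon-nm reads strongswan.conf at startup, so restart it (or NetworkManager) after editing; level 4 would log key material and should not stay enabled.<br>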
</body>
</html>