[strongSwan] ikev2 smartcard support

Peter Winterer winterer at informatik.uni-freiburg.de
Thu Dec 2 10:57:38 CET 2010


Hi all!
i'm testing smartcard- and usb-token support with ikev2.
After applying some patches from martin, smartcard support in strongswan
(ikev2) works great for me. Take a look at [1] to find the patches and
some hints about the config in ikev2.

I was able to successfully test the following devices:
- Fetian SmartCard
- Aladdins eToken
- Fetian ePass PKI Token

Now, I'm trying to get smartcard support to work with the NetworkManager
plugin. However, I can't establish a vpn tunnel. I think it's not a
smartcard issue, something seems to be missconfigured. This
configuration however is working with the normal Certificate
NetworkManager setup (without smartcard)

Thanks
peter

[1] https://lists.strongswan.org/pipermail/users/2010-November/005560.html


Here are the config/logs:

client-log:

00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.0)
00[CFG] loaded PKCS#11 v2.20 library 'openSC' (/usr/lib/opensc-pkcs11.so)
00[CFG]   OpenSC (www.opensc-project.org): Smart card PKCS#11 API v0.0
00[CFG]   found token in slot 'openSC':1 (Feitian SCR301 00 00)
00[CFG]     Peter (User PIN) (EnterSafe: PKCS#15)
00[CFG]     loaded trusted cert 'Certificate'
00[CFG]     loaded trusted cert 'Certificate'
..
NetworkManager[910]: <info> VPN service
'org.freedesktop.NetworkManager.strongswan' appeared, activating connections
00[DMN] loaded plugins: random x509 revocation pubkey pkcs1 pgp pem
openssl agent pkcs11 xcbc hmac attr kernel-netlink resolve
socket-default eap-md5 eap-gtc eap-mschapv2 nm
..
NetworkManager connection Mobile Pools Crypto Stick
10[CFG] using gateway certificate, identity 'C=DE, O=MoPo WLAN Test,
CN=vpn-mopo.vpn.test.de'
NetworkManager[910]: <info> VPN plugin state changed: 3
10[CFG] found key on PKCS#11 token 'openSC':1
10[CFG] using smartcard certificate 'winterer at informatik.test.de'
10[IKE] initiating IKE_SA Mobile Pools Crypto Stick[1] to 10.1.0.2
10[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
N(NATD_D_IP) ]
10[NET] sending packet: from 192.168.5.22[500] to 10.1.0.2[500]
NetworkManager[910]: <info> VPN connection 'Mobile Pools Crypto Stick'
(Connect) reply received.
16[NET] received packet: from 10.1.0.2[500] to 192.168.5.22[500]
16[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP)
N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
16[IKE] local host is behind NAT, sending keep alives
16[IKE] received cert request for "C=DE, O=MoPo WLAN Test, CN=MoPo Root-CA"
16[IKE] sending cert request for "C=DE, O=MoPo WLAN Test, CN=MoPo Root-CA"
16[IKE] authentication of 'wintererATinformatik.test.de' (myself) with
RSA signature successful
16[IKE] sending end entity cert "C=DE, O=MoPo WLAN Test, CN=Peter"
16[IKE] establishing CHILD_SA Mobile Pools Crypto Stick
16[ENC] generating IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH
CP(ADDR DNS DNS NBNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR)
N(MULT_AUTH) N(EAP_ONLY) ]
..
01[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
01[IKE] received AUTHENTICATION_FAILED notify error


gateway-log:
...
13[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP)
N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
13[NET] sending packet: from 10.1.0.2[500] to 10.206.3.148[500]
04[NET] received packet: from 10.206.3.148[4500] to 10.1.0.2[4500]
04[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH CP(ADDR
DNS DNS NBNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH)
N((16417)) ]
04[IKE] received cert request for "C=DE, O=MoPo WLAN Test, CN=MoPo Root-CA"
04[IKE] received end entity cert "C=DE, O=MoPo WLAN Test, CN=Peter Winterer"
04[CFG] looking for peer configs matching 10.1.0.2[C=DE, O=MoPo WLAN
Test, CN=vpn-mopo.vpn.test.de]...10.206.3.148[wintererATinformatik.test.de]
15[CFG] no matching peer config found
...


gateway config:
this config works with NetworkManager Clients:
...
conn rw2-intern
    right=%any
    rightid="C=DE, O=MoPo WLAN Test, CN=*"
    left=10.1.0.2
    leftsubnet=0.0.0.0/0
    leftcert=cert.pem

I tried this config too, with no success:
conn mopo-sc-intern
    right=%any
    left=10.1.0.2
    leftsubnet=0.0.0.0/0
    leftcert=cert.pem
    rightid=ATinformatik.test.de
    auto=add










More information about the Users mailing list