[strongSwan] Question regarding smartcard configuration
Marian Thieme
marian.thieme at gmail.com
Mon Dec 21 23:19:42 CET 2015
Hello strongswan-user-list,
I am working on a strongSwan test setup on FreeBSD 10.2-RELEASE.
The installed version of strongSwan is strongswan-5.3.3_1 (compiled
using ports with the pkcs11 module enabled).
I am following the ikev2/host2host transport example configuration.
(https://www.strongswan.org/uml/testresults/ikev2/host2host-transport/)
In addition, I want to implement smartcard authentication. I am studying
the documentation you provide here:
https://wiki.strongswan.org/projects/strongswan/wiki/SmartCards
I tried something like this:
: PIN %smartcard1@opensc:01 %prompt
in ipsec.secrets. As you can see, I referred to the pkcs11 module as
"opensc" and defined the variable
libstrongswan.plugins.pkcs11.modules.opensc.path=/usr/local/lib/opensc-pkcs11.so
(see the content of strongswan.conf below).
However, charon says (/var/log/charon.log):
Dec 21 23:17:46 13[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
Dec 21 23:17:46 13[LIB] engine 'opensc' is not available
Dec 21 23:17:46 13[LIB] building CRED_PRIVATE_KEY - ANY failed, tried 4 builders
Questions:
1. How do I successfully load the pkcs11 module?
2. Which key ID do I have to use in ipsec.secrets?
More details:
The private keys and certificates on my card, as listed by pkcs15-tool, are
as follows:
pkcs15-tool -kc
X.509 Certificate [Marian Thieme AUT 10]
	Object Flags   : [0x2], modifiable
	Authority      : no
	Path           : 4444444444444001
	ID             : 1234567890abcdef123456789abcdef123456789
	Encoded serial : 01 02 1234567890ABCDEF
X.509 Certificate [Marian Thieme ENC 11]
	Object Flags   : [0x2], modifiable
	Authority      : no
	Path           : 4444444444444002
	ID             : 1234567890abcdef123456789abcdef123456789
	Encoded serial : 01 02 1234567890ABCDEF
Private RSA Key [Marian Thieme AUT 10]
	Object Flags   : [0x3], private, modifiable
	Usage          : [0x26], decrypt, sign, unwrap
	Access Flags   : [0x1D], sensitive, alwaysSensitive, neverExtract, local
	ModLength      : 2048
	Key ref        : 1 (0x1)
	Native         : yes
	Path           : 55555555555555555501
	Auth ID        : 01
	ID             : 1234567890abcdef123456789abcdef123456789
	MD:guid        : {12345678-abcd-0123-4567-890abcdef012}
	  :cmap flags  : 0x0
	  :sign        : 0
	  :key-exchange: 0
Private RSA Key [Marian Thieme ENC 11]
	Object Flags   : [0x3], private, modifiable
	Usage          : [0x26], decrypt, sign, unwrap
	Access Flags   : [0x9], sensitive, neverExtract
	ModLength      : 2048
	Key ref        : 2 (0x2)
	Native         : yes
	Path           : 55555555555555555502
	Auth ID        : 01
	ID             : 1234567890abcdef123456789abcdef123456789
	MD:guid        : {12345678-abcd-0123-4567-890abcdef012}
	  :cmap flags  : 0x0
	  :sign        : 0
	  :key-exchange: 0
--- End of pkcs15-tool output ---
cat /usr/local/etc/ipsec.secrets
# /etc/ipsec.secrets - strongSwan IPsec secrets file
#: RSA myKey.der
: PIN %smartcard1@opensc:01 %prompt
--- End of ipsec.secrets ---
cat /usr/local/etc/strongswan.conf
# /etc/strongswan.conf - strongSwan configuration file
# transport mode example
charon {
    #load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
    multiple_authentication = no

    # two defined file loggers
    filelog {
        /var/log/charon.log {
            # add a timestamp prefix
            time_format = %b %e %T
            # prepend connection name, simplifies grepping
            ike_name = yes
            # overwrite existing files
            append = no
            # increase default loglevel for all daemon subsystems
            default = 4444
            # flush each line to disk
            flush_line = yes
        }
        stderr {
            # more detailed loglevel for a specific subsystem,
            # overriding the default loglevel.
            ike = 2
            knl = 3
        }
    }
}

libstrongswan {
    plugins {
        pkcs11 {
            modules {
                opensc {
                    path = /usr/local/lib/opensc-pkcs11.so
                }
            }
        }
    }
}
--- End of strongswan.conf ---
ipsec.conf is identical to the host2host-transport example (except for
specific values like email address, IP, ...).
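An added example, not code from the post, from strongSwan or from OpenSC, that addresses the second question above (which key ID goes into the `%smartcard` entry) by parsing the ipsec.secrets selector and cross-checking its key ID against the objects `pkcs15-tool -kc` reports. It assumes the selector syntax `%smartcard[<slot>[@<module>]][:<keyid>]` from the strongSwan SmartCards wiki page, and it assumes (an assumption of this example, not a statement from the post) that the `ID` column of the pkcs15-tool key listing is the CKA_ID the pkcs11 plugin matches the keyid against. The secrets line and card listing embedded below are constructed; unlike the anonymised output above, the two keys are given distinct IDs so that the check has something to distinguish.

```python
"""
Cross-check an ipsec.secrets %smartcard entry against a pkcs15-tool listing.

Added example; not strongSwan or OpenSC code. Assumes the selector syntax
  : PIN %smartcard[<slot>[@<module>]][:<keyid>] <pin>|%prompt
and that the pkcs15 "ID" field is the CKA_ID the pkcs11 plugin compares with.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# The example's own reading of the %smartcard selector syntax.
SMARTCARD_RE = re.compile(
    r"^\s*:\s*PIN\s+%smartcard"
    r"(?P<slot>\d+)?"                 # optional slot number
    r"(?:@(?P<module>[^:\s]+))?"      # optional module name (strongswan.conf key)
    r"(?::(?P<keyid>[0-9A-Fa-f:]+))?" # optional key ID in hex
    r"\s+(?P<pin>\S+)\s*$"            # literal PIN or %prompt
)


@dataclass
class SmartcardSecret:
    slot: Optional[int]
    module: Optional[str]
    keyid: Optional[str]  # normalised: lower-case hex, separators removed
    pin: str


def parse_smartcard_secret(line: str) -> Optional[SmartcardSecret]:
    """Parse one ipsec.secrets line; None if it is not a %smartcard entry."""
    m = SMARTCARD_RE.match(line)
    if not m:
        return None
    keyid = m.group("keyid")
    return SmartcardSecret(
        slot=int(m.group("slot")) if m.group("slot") is not None else None,
        module=m.group("module"),
        keyid=keyid.replace(":", "").lower() if keyid else None,
        pin=m.group("pin"),
    )


def parse_pkcs15_keys(output: str) -> Dict[str, str]:
    """Map each 'Private ... Key [label]' block of pkcs15-tool -kc to its ID (hex)."""
    keys: Dict[str, str] = {}
    label = None
    for raw in output.splitlines():
        line = raw.strip()
        m = re.match(r"^Private \w+ Key \[(.+)\]$", line)
        if m:
            label = m.group(1)
            continue
        # Certificates and other objects also carry an ID line; ignore those blocks.
        if re.match(r"^(X\.509 Certificate|Public \w+ Key|PIN) \[", line):
            label = None
            continue
        m = re.match(r"^ID\s*:\s*([0-9A-Fa-f]+)$", line)
        if m and label is not None:
            keys[label] = m.group(1).lower()
    return keys


def matching_keys(secret: SmartcardSecret, card_keys: Dict[str, str]) -> List[str]:
    """Labels of card keys whose ID equals the configured keyid (all keys if none given)."""
    if secret.keyid is None:
        return sorted(card_keys)
    return sorted(label for label, kid in card_keys.items() if kid == secret.keyid)


def check_secrets(secrets_text: str, pkcs15_text: str) -> List[Tuple[SmartcardSecret, List[str]]]:
    """Pair every %smartcard entry in a secrets file with the card keys it selects."""
    card_keys = parse_pkcs15_keys(pkcs15_text)
    results = []
    for line in secrets_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        sec = parse_smartcard_secret(line)
        if sec is not None:
            results.append((sec, matching_keys(sec, card_keys)))
    return results


# Constructed sample input, laid out like the post but with distinct key IDs.
SAMPLE_SECRETS = """\
# constructed ipsec.secrets
#: RSA myKey.der
: PIN %smartcard1@opensc:01 %prompt
"""

SAMPLE_PKCS15 = """\
X.509 Certificate [Marian Thieme AUT 10]
\tObject Flags   : [0x2], modifiable
\tID             : 1234567890abcdef123456789abcdef123456789
Private RSA Key [Marian Thieme AUT 10]
\tObject Flags   : [0x3], private, modifiable
\tKey ref        : 1 (0x1)
\tAuth ID        : 01
\tID             : 1234567890abcdef123456789abcdef123456789
Private RSA Key [Marian Thieme ENC 11]
\tObject Flags   : [0x3], private, modifiable
\tKey ref        : 2 (0x2)
\tAuth ID        : 01
\tID             : fedcba0987654321fedcba0987654321fedcba09
"""

if __name__ == "__main__":
    for sec, hits in check_secrets(SAMPLE_SECRETS, SAMPLE_PKCS15):
        where = f"slot={sec.slot} module={sec.module} keyid={sec.keyid}"
        print(where + ": " + (", ".join(hits) if hits else "no key on card with that ID"))
```

In the constructed sample the two-digit `01` (the Auth ID / key reference style of identifier) matches no object's `ID`, while the full hex ID selects exactly one key; the script only reports the mismatch, it does not claim which form strongSwan ultimately expects.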