[strongSwan] Smartcard configuration on Strongswan
Kandy Palanisamy
kandy_pal at yahoo.com
Wed May 6 02:47:17 CEST 2015
Hi,
I am trying to set up smart card authentication in strongSwan using the software token (swtok) in openCryptoki. strongSwan loads the swtok, but it is not able to find the PKCS#11 lib by keyid (find_lib_by_keyid fails, based on debug messages I added). I am not sure what keyid is to be put in ipsec.secrets. I found a reference that says it has to be the CKA_ID, but I am not sure how to derive it from the key/cert file. The ipsec.secrets examples seem to use a simple number like 50. Could someone please help me?
Here is the error I am getting. (Complete log below).
May 5 15:34:29 ws-us charon: 00[CFG] find_lib_by_keyid: found PKCS#11 token 'my-opencryptoki-module': slot 3, current 3
May 5 15:34:29 ws-us charon: 00[CFG] find_lib_by_keyid exiting
May 5 15:34:29 ws-us charon: 00[CFG] no PKCS#11 module found having a keyid 01
May 5 15:34:29 ws-us charon: 00[LIB] building CRED_PRIVATE_KEY - (0) failed, tried 3 builders
ipsec.secrets: PIN %smartcard3:01 "xxxxxx"
strongswan.conf looks like this:
# pkcs11 module configuration lives under libstrongswan.plugins.pkcs11.modules
libstrongswan {
    plugins {
        pkcs11 {
            modules {
                my-opencryptoki-module {
                    path = /usr/local/lib/pkcs11/PKCS11_API.so
                }
            }
        }
    }
}
I have loaded the privkey.der and cert.der into the software token using pkcs11-tool.
[root at localhost usr]# pkcs11-tool --module /usr/lib64/pkcs11/libopencryptoki.so --list-objects --login --pin xxxx
Using slot 0 with a present token (0x3)
Private Key Object; RSA
  label:      test
  ID:         01
  Usage:      decrypt, sign, unwrap
Certificate Object, type = X.509 cert
  label:      test
  ID:         01
[root at localhost usr]#
Complete Messages Log:
May 5 15:34:28 ws-us charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.3)
May 5 15:34:28 ws-us charon: 00[LIB] plugin 'aes': loaded successfully
::::
May 5 15:34:28 ws-us charon: 00[LIB] plugin 'gmp': loaded successfully
May 5 15:34:28 ws-us charon: 00[CFG] loaded PKCS#11 v2.20 library 'my-opencryptoki-module' (/usr/local/lib/pkcs11/PKCS11_API.so)
May 5 15:34:28 ws-us charon: 00[CFG] IBM: Meta PKCS11 LIBRARY v3.2
May 5 15:34:28 ws-us charon: 00[CFG] uses OS locking functions
May 5 15:34:28 ws-us charon: 00[CFG] found token in slot 'my-opencryptoki-module':3 (Linux)
May 5 15:34:28 ws-us charon: 00[CFG] SWToken (IBM Corp.: IBM SoftTok)
May 5 15:34:28 ws-us charon: 00[CFG] RSA_PKCS_KEY_PAIR_GEN 512-4096 [ GEN_KEY_PAIR ]
May 5 15:34:28 ws-us charon: 00[CFG] DES_KEY_GEN 8-8 [ GEN ]
May 5 15:34:28 ws-us charon: 00[CFG] DES3_KEY_GEN 24-24 [ GEN ]
May 5 15:34:28 ws-us charon: 00[CFG] RSA_PKCS 512-4096 [ ENCR DECR SIGN SIGN_RCVR VRFY VRFY_RCVR WRAP UNWRAP ]
May 5 15:34:28 ws-us charon: 00[CFG] RSA_PKCS_PSS 1024-4096 [ SIGN VRFY ]
May 5 15:34:28 ws-us charon: 00[CFG] SHA1_RSA_PKCS_PSS 1024-4096 [ SIGN VRFY ]
May 5 15:34:28 ws-us charon: 00[CFG] SHA256_RSA_PKCS_PSS 1024-4096 [ SIGN VRFY ]
May 5 15:34:28 ws-us charon: 00[CFG] SHA384_RSA_PKCS_PSS 1024-4096 [ SIGN VRFY ]
May 5 15:34:28 ws-us charon: 00[CFG] SHA512_RSA_PKCS_PSS 1024-4096 [ SIGN VRFY ]
May 5 15:34:28 ws-us charon: 00[CFG] RSA_X_509 512-4096 [ ENCR DECR SIGN SIGN_RCVR VRFY VRFY_RCVR WRAP UNWRAP ]
May 5 15:34:28 ws-us charon: 00[CFG] RSA_PKCS_OAEP 1024-4096 [ ENCR DECR WRAP UNWRAP ]
May 5 15:34:28 ws-us charon: 00[CFG] MD5_RSA_PKCS 512-4096 [ SIGN VRFY ]
May 5 15:34:28 ws-us charon: 00[CFG] SHA1_RSA_PKCS 512-4096 [ SIGN VRFY ]
May 5 15:34:28 ws-us charon: 00[CFG] DH_PKCS_DERIVE 512-2048 [ DERIVE ]
May 5 15:34:28 ws-us charon: 00[CFG] DH_PKCS_KEY_PAIR_GEN 512-2048 [ GEN_KEY_PAIR ]
May 5 15:34:28 ws-us charon: 00[CFG] DES_ECB 8-8 [ ENCR DECR WRAP UNWRAP ]
May 5 15:34:28 ws-us charon: 00[CFG] DES_CBC 8-8 [ ENCR DECR WRAP UNWRAP ]
May 5 15:34:28 ws-us charon: 00[CFG] DES_CBC_PAD 8-8 [ ENCR DECR WRAP UNWRAP ]
May 5 15:34:28 ws-us charon: 00[CFG] DES3_ECB 24-24 [ ENCR DECR WRAP UNWRAP ]
May 5 15:34:28 ws-us charon: 00[CFG] DES3_CBC 24-24 [ ENCR DECR WRAP UNWRAP ]
May 5 15:34:28 ws-us charon: 00[CFG] DES3_CBC_PAD 24-24 [ ENCR DECR WRAP UNWRAP ]
May 5 15:34:28 ws-us charon: 00[CFG] SHA_1 0-0 [ DGST ]
May 5 15:34:28 ws-us charon: 00[CFG] SHA_1_HMAC 0-0 [ SIGN VRFY ]
May 5 15:34:28 ws-us charon: 00[CFG] SHA_1_HMAC_GENERAL 0-0 [ SIGN VRFY ]
May 5 15:34:28 ws-us charon: 00[CFG] SHA256 0-0 [ DGST ]
May 5 15:34:28 ws-us charon: 00[CFG] SHA256_HMAC 0-0 [ SIGN VRFY ]
May 5 15:34:28 ws-us charon: 00[CFG] SHA256_HMAC_GENERAL 0-0 [ SIGN VRFY ]
May 5 15:34:28 ws-us charon: 00[CFG] SHA384 0-0 [ DGST ]
May 5 15:34:28 ws-us charon: 00[CFG] SHA384_HMAC 0-0 [ SIGN VRFY ]
May 5 15:34:28 ws-us charon: 00[CFG] SHA384_HMAC_GENERAL 0-0 [ SIGN VRFY ]
May 5 15:34:28 ws-us charon: 00[CFG] SHA512 0-0 [ DGST ]
May 5 15:34:28 ws-us charon: 00[CFG] SHA512_HMAC 0-0 [ SIGN VRFY ]
May 5 15:34:28 ws-us charon: 00[CFG] SHA512_HMAC_GENERAL 0-0 [ SIGN VRFY ]
May 5 15:34:28 ws-us charon: 00[CFG] MD5 0-0 [ DGST ]
May 5 15:34:28 ws-us charon: 00[CFG] MD5_HMAC 0-0 [ SIGN VRFY ]
May 5 15:34:28 ws-us charon: 00[CFG] MD5_HMAC_GENERAL 0-0 [ SIGN VRFY ]
May 5 15:34:28 ws-us charon: 00[CFG] SSL3_PRE_MASTER_KEY_GEN 48-48 [ GEN ]
May 5 15:34:28 ws-us charon: 00[CFG] SSL3_MASTER_KEY_DERIVE 48-48 [ DERIVE ]
May 5 15:34:28 ws-us charon: 00[CFG] SSL3_KEY_AND_MAC_DERIVE 48-48 [ DERIVE ]
May 5 15:34:28 ws-us charon: 00[CFG] SSL3_MD5_MAC 384-384 [ SIGN VRFY ]
May 5 15:34:28 ws-us charon: 00[CFG] SSL3_SHA1_MAC 384-384 [ SIGN VRFY ]
May 5 15:34:28 ws-us charon: 00[CFG] AES_KEY_GEN 16-32 [ GEN ]
May 5 15:34:28 ws-us charon: 00[CFG] AES_ECB 16-32 [ ENCR DECR WRAP UNWRAP ]
May 5 15:34:28 ws-us charon: 00[CFG] AES_CBC 16-32 [ ENCR DECR WRAP UNWRAP ]
May 5 15:34:28 ws-us charon: 00[CFG] AES_CBC_PAD 16-32 [ ENCR DECR WRAP UNWRAP ]
May 5 15:34:28 ws-us charon: 00[LIB] plugin 'pkcs11': loaded successfully
:::
May 5 15:34:29 ws-us charon: 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
May 5 15:34:29 ws-us charon: 00[CFG] loaded IKE secret for %any
May 5 15:34:29 ws-us charon: 00[CFG] secret: 73:70:69:64:65:72:63:6c:6f:75:64
May 5 15:34:29 ws-us charon: 00[CFG] find_lib_by_keyid: found PKCS#11 token 'my-opencryptoki-module': slot 3, current 3
May 5 15:34:29 ws-us charon: 00[CFG] find_lib_by_keyid exiting
May 5 15:34:29 ws-us charon: 00[CFG] no PKCS#11 module found having a keyid 01
May 5 15:34:29 ws-us charon: 00[LIB] building CRED_PRIVATE_KEY - (0) failed, tried 3 builders
:::
May 5 15:34:29 ws-us charon: 00[DMN] loaded plugins: aes des sha1 sha2 md5 random x509 revocation constraints pubkey pkcs1 pgp pem fips-prf gmp pkcs11 xcbc hmac attr kernel-netlink resolve socket-raw stroke updown
May 5 15:34:29 ws-us charon: 00[JOB] spawning 16 worker threads
May 5 15:34:29 ws-us charon: 02[CFG] module 'my-opencryptoki-module' does not support hot-plugging, cancelled
May 5 15:34:29 ws-us charon: 10[CFG] received stroke: add connection 'conn-whale-cert'
May 5 15:34:29 ws-us charon: 10[CFG] conn conn-whale-cert
May 5 15:34:29 ws-us charon: 10[CFG] left=10.1.11.81
May 5 15:34:29 ws-us charon: 10[CFG] leftsubnet=172.16.1.0/24
May 5 15:34:29 ws-us charon: 10[CFG] leftsourceip=(null)
May 5 15:34:29 ws-us charon: 10[CFG] leftauth=pubkey
May 5 15:34:29 ws-us charon: 10[CFG] leftauth2=(null)
May 5 15:34:29 ws-us charon: 10[CFG] leftid=@test.testdom.com
May 5 15:34:29 ws-us charon: 10[CFG] leftid2=(null)
May 5 15:34:29 ws-us charon: 10[CFG] leftcert=(null)
May 5 15:34:29 ws-us charon: 10[CFG] leftcert2=(null)
May 5 15:34:29 ws-us charon: 10[CFG] leftca=(null)
May 5 15:34:29 ws-us charon: 10[CFG] leftca2=(null)
May 5 15:34:29 ws-us charon: 10[CFG] leftgroups=(null)
May 5 15:34:29 ws-us charon: 10[CFG] leftupdown=(null)
May 5 15:34:29 ws-us charon: 10[CFG] right=10.1.11.15
May 5 15:34:29 ws-us charon: 10[CFG] rightsubnet=192.168.1.0/24
May 5 15:34:29 ws-us charon: 10[CFG] rightsourceip=(null)
May 5 15:34:29 ws-us charon: 10[CFG] rightauth=pubkey
May 5 15:34:29 ws-us charon: 10[CFG] rightauth2=(null)
May 5 15:34:29 ws-us charon: 10[CFG] rightid=@whale.testdom.com
May 5 15:34:29 ws-us charon: 10[CFG] rightid2=(null)
May 5 15:34:29 ws-us charon: 10[CFG] rightcert=(null)
May 5 15:34:29 ws-us charon: 10[CFG] rightcert2=(null)
May 5 15:34:29 ws-us charon: 10[CFG] rightca=(null)
May 5 15:34:29 ws-us charon: 10[CFG] rightca2=(null)
May 5 15:34:29 ws-us charon: 10[CFG] rightgroups=(null)
May 5 15:34:29 ws-us charon: 10[CFG] rightupdown=(null)
May 5 15:34:29 ws-us charon: 10[CFG] eap_identity=(null)
May 5 15:34:29 ws-us charon: 10[CFG] aaa_identity=(null)
May 5 15:34:29 ws-us charon: 10[CFG] ike=aes128-sha1-aesxcbc-modp2048!
May 5 15:34:29 ws-us charon: 10[CFG] esp=aes128-3des-null-sha1-aesxcbc-modp1024-modp2048!
May 5 15:34:29 ws-us charon: 10[CFG] dpddelay=30
May 5 15:34:29 ws-us charon: 10[CFG] dpdaction=0
May 5 15:34:29 ws-us charon: 10[CFG] closeaction=0
May 5 15:34:29 ws-us charon: 10[CFG] mediation=no
May 5 15:34:29 ws-us charon: 10[CFG] mediated_by=(null)
May 5 15:34:29 ws-us charon: 10[CFG] me_peerid=(null)
May 5 15:34:29 ws-us charon: 10[KNL] getting interface name for 10.1.11.15
May 5 15:34:29 ws-us charon: 10[KNL] 10.1.11.15 is not a local address
May 5 15:34:29 ws-us charon: 10[KNL] getting interface name for 10.1.11.81
May 5 15:34:29 ws-us charon: 10[KNL] 10.1.11.81 is on interface eth0
May 5 15:34:29 ws-us charon: 10[CFG] added configuration 'conn-whale-cert'
May 5 15:34:29 ws-us charon: 11[CFG] received stroke: initiate 'conn-whale-cert'
::
May 5 15:34:29 ws-us charon: 11[IKE] initiating IKE_SA conn-whale-cert[1] to 10.1.11.15
May 5 15:34:29 ws-us charon: 11[IKE] IKE_SA conn-whale-cert[1] state change: CREATED => CONNECTING
::
May 5 15:34:29 ws-us charon: 11[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
::
May 5 15:34:29 ws-us charon: 13[NET] received packet: from 10.1.11.15[500] to 10.1.11.81[500]
May 5 15:34:29 ws-us charon: 13[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
::
May 5 15:34:29 ws-us charon: 13[IKE] no private key found for 'test.testdom.com'
May 5 15:34:29 ws-us charon: 13[MGR] checkin and destroy IKE_SA conn-whale-cert[1]
May 5 15:34:29 ws-us charon: 13[IKE] IKE_SA conn-whale-cert[1] state change: CONNECTING => DESTROYING
May 5 15:34:29 ws-us charon: 13[MGR] check-in and destroy of IKE_SA successful
Thanks,
Kandy
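The post above asks what the keyid in a `%smartcard` selector is and how to derive it from the key or certificate. As an added example (not from the original post and not strongSwan's own code), the following Python script, using only the standard library, builds a DER SubjectPublicKeyInfo from a constructed RSA modulus and exponent, computes the two SHA-1 identifiers strongSwan prints for a public key (`keyid`, the hash over the DER SubjectPublicKeyInfo, and `subjkey`, the hash over the subjectPublicKey contents), decodes the structure back to check the encoder, and splits a `%smartcard[<slot>[@<module>]]:<keyid>` selector as documented in ipsec.secrets(5) into its parts. The modulus `SAMPLE_N` is a placeholder, not a real key.

```python
"""Key identifiers for a PKCS#11-backed strongSwan setup (added example).

Only the Python standard library is used. SAMPLE_N is a constructed
placeholder, not a real RSA modulus.
"""
import hashlib

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1
SAMPLE_N = (1 << 1023) | 0xC0FFEE | 1  # constructed: top bit set, odd, not a real key
SAMPLE_E = 65537


def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body


def der_integer(value: int) -> bytes:
    """DER INTEGER; a leading 0x00 keeps a value with the top bit set positive."""
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return der_tlv(0x02, body)


def rsa_public_key_der(n: int, e: int) -> bytes:
    """PKCS#1 RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }."""
    return der_tlv(0x30, der_integer(n) + der_integer(e))


def subject_public_key_info(n: int, e: int) -> bytes:
    """X.509 SubjectPublicKeyInfo: rsaEncryption + NULL params, key in a BIT STRING."""
    algorithm = der_tlv(0x30, der_tlv(0x06, RSA_ENCRYPTION_OID) + b"\x05\x00")
    bit_string = der_tlv(0x03, b"\x00" + rsa_public_key_der(n, e))  # 0 unused bits
    return der_tlv(0x30, algorithm + bit_string)


def strongswan_key_ids(n: int, e: int) -> dict:
    """The two SHA-1 identifiers strongSwan derives from a public key."""
    return {
        "keyid": hashlib.sha1(subject_public_key_info(n, e)).hexdigest(),
        "subjkey": hashlib.sha1(rsa_public_key_der(n, e)).hexdigest(),
    }


def der_read(buf: bytes, pos: int):
    """Return (tag, body, position after the element) for the TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def rsa_params_from_spki(spki: bytes):
    """Walk a SubjectPublicKeyInfo back to (n, e); rejects non-RSA input."""
    tag, body, _ = der_read(spki, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    _, alg, pos = der_read(body, 0)
    _, oid, _ = der_read(alg, 0)
    if oid != RSA_ENCRYPTION_OID:
        raise ValueError("algorithm is not rsaEncryption")
    bs_tag, bits, _ = der_read(body, pos)
    if bs_tag != 0x03 or bits[0] != 0:
        raise ValueError("subjectPublicKey must be a BIT STRING with 0 unused bits")
    _, seq, _ = der_read(bits, 1)
    _, n_bytes, pos = der_read(seq, 0)
    _, e_bytes, _ = der_read(seq, pos)
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def parse_smartcard_selector(selector: str) -> dict:
    """Split '%smartcard[<slot>[@<module>]]:<keyid>' from an ipsec.secrets PIN line."""
    if not selector.startswith("%smartcard") or ":" not in selector:
        raise ValueError(f"not a %smartcard selector: {selector!r}")
    where, keyid = selector[len("%smartcard"):].split(":", 1)
    slot, module = (where.split("@", 1) + [None])[:2] if "@" in where else (where, None)
    if not keyid or any(c not in "0123456789abcdefABCDEF" for c in keyid):
        raise ValueError("keyid must be a non-empty hex string")
    return {"slot": int(slot) if slot else None, "module": module or None, "keyid": keyid.lower()}


if __name__ == "__main__":
    ids = strongswan_key_ids(SAMPLE_N, SAMPLE_E)
    print("keyid  :", ids["keyid"])
    print("subjkey:", ids["subjkey"])
    print(parse_smartcard_selector("%smartcard3:01"))
```

Run it and compare the printed hex strings against the `ID:` value pkcs11-tool shows for the private key object (`01` in the listing above). The selector parser makes explicit which slot, module and keyid a line such as `PIN %smartcard3:01 "xxxxxx"` asks strongSwan to look for; if the identifier strongSwan searches for does not match the CKA_ID stored on the token, the lookup fails in exactly the way the log shows.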