[strongSwan] Trouble configuring vpn connection to strongswan using smartcard

Nathan Hüsken nathan at wintercloud.de
Thu Jul 19 19:05:50 CEST 2018


Hey,

Oh, I forgot to mention:

ipsec --version
Linux strongSwan U5.6.2/K4.15.0-24-generic
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil, Switzerland
See 'ipsec --copyright' for copyright information.

So the version seems to be fine.

Best,
Nathan

--

Dr. Nathan Hüsken

Cloud Developer

nathan at wintercloud.de

+49 151 703 478 84

wintercloud GmbH & Co. KG

Emil-Maier-Str. 16

69115 Heidelberg

wintercloud.de

Sitz der Kommanditgesellschaft: Heidelberg, Registernummer der Kommanditgesellschaft im Handelsregister: AG Mannheim HRA 707268

Komplementärin: junah GmbH, Sitz der Komplementärin: Heidelberg, Registernummer der Komplementärin im Handelsregister: AG Mannheim HRB 726538, Geschäftsführer der Komplementärin: Julian Wintermayr und Dr. Nathan Hüsken

USt-IdNr.: DE815676705

------- Original Message -------

On 19 July 2018 7:04 PM, Nathan Hüsken <nathan at wintercloud.de> wrote:

> 
> Hey,
> 
> Ok, thanks for the tips. I am trying it with charon-cmd now, not network-manager. I followed the instructions from [1].
> 
> In the logs I can see that the private key seems to be loaded correctly:
> 
>     Jul 19 19:01:53 SuperSam charon: 14[CFG] loading secrets from '/etc/ipsec.secrets'
>     Jul 19 19:01:53 SuperSam charon: 14[CFG] found key on PKCS#11 token 'opensc':0
>     Jul 19 19:01:53 SuperSam charon: 14[CFG] loaded private key from %smartcard:3
> 
> I managed to configure strongswan (on the client side) so that the certificate is listed:
> 
>     > ipsec listcerts
> 
>     List of X.509 End Entity Certificates
> 
>       subject:  "C=DE, O=example Company,CN=nathan at wintercloud.de"
>       issuer:   "C=DE, O=example Company, CN=strongSwan Root CA"
>       validity:  not before Jul 19 17:02:36 2018, ok
>                  not after  Jul 18 17:02:36 2020, ok (expires in 729 days)
>       serial:    4c:0f:51:f9:0c:bc:06:c9
>       altNames:  nathan at wintercloud.de
>       flags:     clientAuth
>       authkeyId: 1b:52:a8:d6:bb:20:98:11:ca:28:52:71:07:89:46:84:bf:52:2d:36
>       subjkeyId: d0:65:3c:1c:f4:4f:f6:77:7e:09:fb:d3:81:55:d3:d9:d9:99:69:c8
>       pubkey:    RSA 4096 bits, has private key
>       keyid:     8f:38:18:ef:2e:52:63:c3:dd:7d:62:66:9d:31:91:ac:6c:f8:2e:c6
>       subjkey:   d0:65:3c:1c:f4:4f:f6:77:7e:09:fb:d3:81:55:d3:d9:d9:99:69:c8
> 
> But it seems I am not able to use it with charon-cmd:
> 
>     > charon-cmd --host <my-host> --identity nathan at wintercloud.de --cert <path-to-server-cert> --profile ikev2-pub
> 
>     ...
>     05[CFG] missing private key for profile ikev2-pub
>     ...
> 
> The identity is the one from the certificate. Do I have to add additional options so that charon-cmd knows that it should take the private key from the smartcard?
> 
> Thanks!
> 
> Nathan
> 
> [1]: https://wiki.strongswan.org/projects/strongswan/wiki/SmartCards
> 
> ------- Original Message -------
> 
> On 19 July 2018 5:29 PM, Tobias Brunner tobias at strongswan.org wrote:
> 
> > Hi Nathan,
> > 
> > > The ids match! So it should be fine!
> > 
> > Only with strongSwan >= 5.5.1; with older releases the cert/key has to
> > be stored using a CKA_ID that matches the SPKI (i.e. your cert/key with
> > CKA_ID 3 would never be used).
> > 
> > > Any other help on why this does possibly not work?
> > 
> > Do you have strongSwan >= 5.5.1 installed? Did you configure the pkcs11
> > plugin properly? Is it loaded and does it enumerate certificates when
> > charon-nm is started (check the log for details)?
> > 
> > Regards,
> > 
> > Tobias