[strongSwan] Trouble configuring vpn connection to strongswan using smartcard

Tobias Brunner tobias at strongswan.org
Thu Jul 19 19:17:49 CEST 2018


Hi Nathan,

> In the logs I can see that the private key seems to be loaded correctly:
> 
>     Jul 19 19:01:53 SuperSam charon: 14[CFG] loading secrets from '/etc/ipsec.secrets'
>     Jul 19 19:01:53 SuperSam charon: 14[CFG] found key on PKCS#11 token 'opensc':0
>     Jul 19 19:01:53 SuperSam charon: 14[CFG]   loaded private key from %smartcard:3

In case this wasn't clear, the charon daemon has nothing to do with
charon-cmd or the charon-nm daemon (which is used by the NM plugin).

> I managed to configure strongswan (on the client side) so that the certificate is listed:
> 
>     > ipsec listcerts
>     List of X.509 End Entity Certificates
>     
>       subject:  "C=DE, O=example Company, CN=nathan at wintercloud.de"
>       issuer:   "C=DE, O=example Company, CN=strongSwan Root CA"
>       validity:  not before Jul 19 17:02:36 2018, ok
>                  not after  Jul 18 17:02:36 2020, ok (expires in 729 days)
>       serial:    4c:0f:51:f9:0c:bc:06:c9
>       altNames:  nathan at wintercloud.de
>       flags:     clientAuth 
>       authkeyId: 1b:52:a8:d6:bb:20:98:11:ca:28:52:71:07:89:46:84:bf:52:2d:36
>       subjkeyId: d0:65:3c:1c:f4:4f:f6:77:7e:09:fb:d3:81:55:d3:d9:d9:99:69:c8
>       pubkey:    RSA 4096 bits, has private key
>       keyid:     8f:38:18:ef:2e:52:63:c3:dd:7d:62:66:9d:31:91:ac:6c:f8:2e:c6
>       subjkey:   d0:65:3c:1c:f4:4f:f6:77:7e:09:fb:d3:81:55:d3:d9:d9:99:69:c8
> 
> But it seems I am not able to use it with charon-cmd:

As I explained above, the charon daemon (including the output of the
ipsec script/stroke command, or swanctl/vici for that matter) has
nothing to do with charon-cmd (or charon-nm).  But charon-nm should at
least load the certificate when it starts (via pkcs11 plugin, just like
charon does here).

> Do I have to add additional options so that charon-cmd knows that it should take the private key from the smartcard?

Yes, you'd have to do that.  But it currently doesn't support it.

Regards,
Tobias
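For reference, the charon-side wiring that produces the log lines quoted in this thread (pkcs11 plugin module named 'opensc', private key referenced as %smartcard:3). This is an added example, not configuration from the thread or from the strongSwan project; the module library path and the PIN value are assumptions.

```conf
# /etc/strongswan.conf (excerpt): register the OpenSC PKCS#11 library
# under the module name 'opensc', the name charon reports in
#   found key on PKCS#11 token 'opensc':0
# The library path is an assumption; adjust it for the distribution.
charon {
    plugins {
        pkcs11 {
            modules {
                opensc {
                    path = /usr/lib/opensc-pkcs11.so
                }
            }
        }
    }
}

# /etc/ipsec.secrets: give charon the PIN for the key whose CKA_ID is 3
# on the token (this is the '%smartcard:3' in the log line above).
# The PIN is a placeholder. The file holds it in clear text, so it must
# stay root-owned with mode 0600; charon itself runs as root to read it.
: PIN %smartcard:3 "PIN_PLACEHOLDER"
```

As the reply states, this only applies to the charon daemon started via the ipsec script or swanctl; charon-cmd does not read these secrets and has no equivalent smartcard option.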

