[strongSwan] Trouble configuring vpn connection to strongswan using smartcard

Tobias Brunner tobias at strongswan.org
Thu Jul 19 19:17:49 CEST 2018

Hi Nathan,

> In the logs I can see,  that the private key seems to be loaded correctly:
>     Jul 19 19:01:53 SuperSam charon: 14[CFG] loading secrets from '/etc/ipsec.secrets'
>     Jul 19 19:01:53 SuperSam charon: 14[CFG] found key on PKCS#11 token 'opensc':0
>     Jul 19 19:01:53 SuperSam charon: 14[CFG]   loaded private key from %smartcard:3

In case this wasn't clear, the charon daemon has nothing to do with
charon-cmd or the charon-nm daemon (which is used by the NM plugin).

> I managed to configure strongswan (on the client side) so that the certificate is listed:
>     > ipsec listcerts
>     List of X.509 End Entity Certificates
>       subject:  "C=DE, O=example Company, CN=nathan at wintercloud.de"
>       issuer:   "C=DE, O=example Company, CN=strongSwan Root CA"
>       validity:  not before Jul 19 17:02:36 2018, ok
>                  not after  Jul 18 17:02:36 2020, ok (expires in 729 days)
>       serial:    4c:0f:51:f9:0c:bc:06:c9
>       altNames:  nathan at wintercloud.de
>       flags:     clientAuth 
>       authkeyId: 1b:52:a8:d6:bb:20:98:11:ca:28:52:71:07:89:46:84:bf:52:2d:36
>       subjkeyId: d0:65:3c:1c:f4:4f:f6:77:7e:09:fb:d3:81:55:d3:d9:d9:99:69:c8
>       pubkey:    RSA 4096 bits, has private key
>       keyid:     8f:38:18:ef:2e:52:63:c3:dd:7d:62:66:9d:31:91:ac:6c:f8:2e:c6
>       subjkey:   d0:65:3c:1c:f4:4f:f6:77:7e:09:fb:d3:81:55:d3:d9:d9:99:69:c8
> But it seems I am not able to use it with charon-cmd:

As I explained above, the charon daemon (including the output of the
ipsec script/stroke command, or swanctl/vici for that matter) has
nothing to do with charon-cmd (or charon-nm).  But charon-nm should at
least load the certificate when it starts (via pkcs11 plugin, just like
charon does here).

> Do I have to add additional options so that charon-cmd knows that it should take the private key from the smartcard?

Yes, you'd have to do that.  But it currently doesn't support it.
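
For reference, the configuration the log excerpt above implies for the charon daemon (not charon-cmd or charon-nm) looks like the following. This is an added illustration, not configuration from the thread or from the strongSwan project: the module path, the PIN value, the connection name and the peer address are assumptions; the selector `%smartcard:3` and the module name `opensc` are taken from the log lines quoted above.

```conf
# /etc/strongswan.conf  (charon daemon; the pkcs11 plugin must be loaded)
# Assumed module path; adjust to wherever opensc-pkcs11.so is installed.
charon {
    plugins {
        pkcs11 {
            modules {
                opensc {
                    path = /usr/lib/opensc-pkcs11.so
                }
            }
        }
    }
}

# /etc/ipsec.secrets
# PIN for the private key with CKA_ID 3 on the token (module 'opensc', as in
# the log above). The selector syntax is %smartcard[<slot nr>[@<module>]]:<keyid>;
# "123456" is an assumed PIN, and %prompt instead of a literal PIN asks for
# it interactively so it does not sit on disk.
: PIN %smartcard:3 "123456"

# /etc/ipsec.conf  (client side; connection name and peer are assumptions)
conn smartcard-client
    keyexchange=ikev2
    leftcert=%smartcard:3
    right=vpn.example.com
    rightid=@vpn.example.com
    auto=add
```

The `<keyid>` is the CKA_ID of the key object on the token, which can be listed with `pkcs11-tool -O` or `pkcs15-tool --list-keys`. With `leftcert=%smartcard:3` the local identity defaults to the subject of the matching certificate, so no `leftid` is needed. As the reply above says, none of this applies to charon-cmd, which does not support taking the private key from the token.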


