[strongSwan] Trouble configuring vpn connection to strongswan using smartcard
nathan at wintercloud.de
Thu Jul 19 19:41:51 CEST 2018
Ok, now I am a little confused.
I wanted to use the network-manager (in the end, the config has to be usable by people scared of the command line).
There is an option: "Smartcard". If choose it, it asks me for the pin of the smart card (but complains, that there are not usable certificates on the smartcard).
If charon-nm doest not support reading the private key from the smartcard, what is the point of this option?
What am I missing here?
Dr. Nathan Hüsken
nathan at wintercloud.de
+49 151 703 478 84
wintercloud GmbH & Co. KG
Sitz der Kommanditgesellschaft: Heidelberg, Registernummer der Kommanditgesellschaft im Handelsregister: AG Mannheim HRA 707268
Komplementärin: junah GmbH, Sitz der Komplementärin: Heidelberg, Registernummer der Komplementärin im Handelsregister: AG Mannheim HRB 726538, Geschäftsführer der Komplementärin: Julian Wintermayr und Dr. Nathan Hüsken
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On 19 July 2018 7:17 PM, Tobias Brunner <tobias at strongswan.org> wrote:
> Hi Nathan,
> > In the logs I can see, that the private key seems to be loaded correctly:
> > Jul 19 19:01:53 SuperSam charon: 14[CFG] loading secrets from '/etc/ipsec.secrets'
> > Jul 19 19:01:53 SuperSam charon: 14[CFG] found key on PKCS#11 token 'opensc':0
> > Jul 19 19:01:53 SuperSam charon: 14[CFG] loaded private key from %smartcard:3
> In case this wasn't clear, the charon daemon has nothing to do with
> charon-cmd or the charon-nm daemon (which is used by the NM plugin).
> > I managed to configure strongswan (on the client side) so that the certificate is listed:
> > > ipsec listcerts
> > List of X.509 End Entity Certificates
> > subject: "C=DE, O=example Company, CN=nathan at wintercloud.de"
> > issuer: "C=DE, O=example Company, CN=strongSwan Root CA"
> > validity: not before Jul 19 17:02:36 2018, ok
> > not after Jul 18 17:02:36 2020, ok (expires in 729 days)
> > serial: 4c:0f:51:f9:0c:bc:06:c9
> > altNames: nathan at wintercloud.de
> > flags: clientAuth
> > authkeyId: 1b:52:a8:d6:bb:20:98:11:ca:28:52:71:07:89:46:84:bf:52:2d:36
> > subjkeyId: d0:65:3c:1c:f4:4f:f6:77:7e:09:fb:d3:81:55:d3:d9:d9:99:69:c8
> > pubkey: RSA 4096 bits, has private key
> > keyid: 8f:38:18:ef:2e:52:63:c3:dd:7d:62:66:9d:31:91:ac:6c:f8:2e:c6
> > subjkey: d0:65:3c:1c:f4:4f:f6:77:7e:09:fb:d3:81:55:d3:d9:d9:99:69:c8
> > But it seems I am not able to use it with charon-cmd:
> As I explained above, the charon daemon (including the output of the
> ipsec script/stroke command, or swanctl/vici for that matter) has
> nothing to do with charon-cmd (or charon-nm). But charon-nm should at
> least load the certificate when it starts (via pkcs11 plugin, just like
> charon does here).
> > Do I have to add additonal options so that charon-cmd know that it should take the private key from the smartcard?
> Yes, you'd have to do that. But it currently doesn't support it.
More information about the Users