[strongSwan] Trouble configuring vpn connection to strongswan using smartcard

Nathan Hüsken nathan at wintercloud.de
Thu Jul 19 19:41:51 CEST 2018


Hey,

Ok, now I am a little confused.

I wanted to use the network-manager (in the end, the config has to be usable by people scared of the command line).
There is an option: "Smartcard". If I choose it, it asks me for the PIN of the smart card (but complains that there are no usable certificates on the smartcard).

If charon-nm does not support reading the private key from the smartcard, what is the point of this option?

What am I missing here?

Many thanks!
Nathan


--

Dr. Nathan Hüsken
Cloud Developer
nathan at wintercloud.de
+49 151 703 478 84

wintercloud GmbH & Co. KG
Emil-Maier-Str. 16
69115 Heidelberg
wintercloud.de

Registered office of the limited partnership: Heidelberg; registration number of the limited partnership in the commercial register: AG Mannheim HRA 707268
General partner: junah GmbH; registered office of the general partner: Heidelberg; registration number of the general partner in the commercial register: AG Mannheim HRB 726538; managing directors of the general partner: Julian Wintermayr and Dr. Nathan Hüsken
VAT ID: DE815676705

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐

On 19 July 2018 7:17 PM, Tobias Brunner <tobias at strongswan.org> wrote:

> 
> Hi Nathan,
> 
> > In the logs I can see, that the private key seems to be loaded correctly:
> > 
> >     Jul 19 19:01:53 SuperSam charon: 14[CFG] loading secrets from '/etc/ipsec.secrets'
> >     Jul 19 19:01:53 SuperSam charon: 14[CFG] found key on PKCS#11 token 'opensc':0
> >     Jul 19 19:01:53 SuperSam charon: 14[CFG]   loaded private key from %smartcard:3
> >     
> 
> In case this wasn't clear, the charon daemon has nothing to do with
> charon-cmd or the charon-nm daemon (which is used by the NM plugin).
> 
> > I managed to configure strongswan (on the client side) so that the certificate is listed:
> > 
> >     > ipsec listcerts
> >     List of X.509 End Entity Certificates
> >     
> >       subject:  "C=DE, O=example Company, CN=nathan at wintercloud.de"
> >       issuer:   "C=DE, O=example Company, CN=strongSwan Root CA"
> >       validity:  not before Jul 19 17:02:36 2018, ok
> >                  not after  Jul 18 17:02:36 2020, ok (expires in 729 days)
> >       serial:    4c:0f:51:f9:0c:bc:06:c9
> >       altNames:  nathan at wintercloud.de
> >       flags:     clientAuth 
> >       authkeyId: 1b:52:a8:d6:bb:20:98:11:ca:28:52:71:07:89:46:84:bf:52:2d:36
> >       subjkeyId: d0:65:3c:1c:f4:4f:f6:77:7e:09:fb:d3:81:55:d3:d9:d9:99:69:c8
> >       pubkey:    RSA 4096 bits, has private key
> >       keyid:     8f:38:18:ef:2e:52:63:c3:dd:7d:62:66:9d:31:91:ac:6c:f8:2e:c6
> >       subjkey:   d0:65:3c:1c:f4:4f:f6:77:7e:09:fb:d3:81:55:d3:d9:d9:99:69:c8
> >     
> > 
> > But it seems I am not able to use it with charon-cmd:
> 
> As I explained above, the charon daemon (including the output of the
> ipsec script/stroke command, or swanctl/vici for that matter) has
> nothing to do with charon-cmd (or charon-nm). But charon-nm should at
> least load the certificate when it starts (via pkcs11 plugin, just like
> charon does here).
> 
> > Do I have to add additional options so that charon-cmd knows that it should take the private key from the smartcard?
> 
> Yes, you'd have to do that. But it currently doesn't support it.
> 
> Regards,
> 
> Tobias
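For readers who find this thread later: the distinction Tobias draws is between the regular charon daemon (driven by the ipsec/stroke or swanctl/vici front ends), which can load a private key from a PKCS#11 token through the pkcs11 plugin, and charon-nm/charon-cmd, which at the time of this exchange could not. The configuration below is an added example, not from the original mails or from the strongSwan project, showing the swanctl/strongswan.conf form of what the ipsec.secrets entry in Nathan's log achieves for the regular charon daemon. The module path, the file paths, the connection and identity names, the remote address and traffic selector, and the PIN value are all placeholders; the assumption that the key id 3 reported in the log (`loaded private key from %smartcard:3`) corresponds to the hex CKA_ID handle `03` on the OpenSC token is also an assumption and must be checked against the actual token.

```conf
# --- /etc/strongswan.conf (assumed path) ---
# Points the regular charon daemon (not charon-nm or charon-cmd) at the
# PKCS#11 module and asks it to load certificates found on the token, so
# the certificate can be referenced from swanctl.conf below.
charon {
  plugins {
    pkcs11 {
      load = yes
      load_certs = yes
      modules {
        opensc {
          # Assumed location of the OpenSC module; adjust to the distribution.
          path = /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
        }
      }
    }
  }
}

# --- /etc/swanctl/swanctl.conf (assumed path) ---
connections {
  # Connection name, addresses and identities are placeholders.
  example-vpn {
    remote_addrs = vpn.example.com
    local {
      auth = pubkey
      id = client@example.com
      # Certificate taken from the token instead of a file; the handle is
      # the hex CKA_ID of the certificate object (assumed 03 here).
      cert-smartcard {
        handle = 03
        module = opensc
      }
    }
    remote {
      auth = pubkey
      id = vpn.example.com
    }
    children {
      net {
        # Placeholder traffic selector.
        remote_ts = 10.0.0.0/8
      }
    }
  }
}

secrets {
  # Private key on the PKCS#11 token; the PIN unlocks it at load time.
  # handle is the hex CKA_ID of the private key object (assumed 03 here).
  token-smartcard {
    handle = 03
    module = opensc
    # Placeholder PIN; a real deployment should not keep the PIN in a
    # world-readable file.
    pin = 000000
  }
}
```

After `swanctl --load-all`, `swanctl --list-certs` should show the token certificate with "has private key", which is the same check Nathan ran with `ipsec listcerts`. None of this changes what the NetworkManager plugin does, since it starts charon-nm with its own configuration.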