[strongSwan] ipsec.secrets loading p12 file fail due to no CRED_CONTAINER during enumeration

Peter Hsiang phsiang at nvidia.com
Tue Feb 5 20:24:09 CET 2019


Hi Tobias,

You are right.  The plugin pkcs12 is not being loaded.
Adding the ! to force loading it confirms the failure to load this plugin.
Checking the items per the wiki, they look fine.  What else could be missing?

1) The pkcs12 plugin is present.
  $ find |grep pkcs12.so
  ./lib/ipsec/plugins/libstrongswan-pkcs12.so

-------------------------------------------------------------------
2) strongswan.conf does include strongswan.d/charon:

charon {
load = random nonce aes md5 sha1 sha2 pem pkcs8 pkcs12 curve25519 gmp x509 curl revocation hmac gcm stroke kernel-netlink socket-default eap-tls updown

multiple_authentication=no
plugins {
 include strongswan.d/charon/*.conf
}

syslog {
 daemon {
  tls = 2
 }
}

}

include strongswan.d/*.conf

-------------------------------------------------------------------
3) pkcs12.conf does have load=yes

/etc/strongswan.d/charon# cat pkcs12.conf
pkcs12 {

    # Whether to load the plugin. Can also be an integer to increase the
    # priority of this plugin.
    load = yes

}

-------------------------------------------------------------------
4) Yes, I compiled strongswan myself.
Here is the configuration:

./configure --prefix=/usr --sysconfdir=/etc \
--enable-monolithic --enable-openssl --enable-kernel-libipsec \
--enable-eap-identity --enable-eap-mschapv2 --enable-eap-md5 --enable-eap-aka \
--enable-eap-tls --enable-eap-ttls --enable-error-notify \
--enable-eap-aka-3gpp --enable-eap-aka-3gpp2 \
--enable-eap-peap --enable-eap-dynamic --enable-ipseckey \
--enable-eap-sim --enable-eap-sim-file --enable-acert \
--enable-agent --enable-files --enable-ctr --enable-ccm

I believe pkcs12 is enabled by default.  Perhaps it's missing other packages?

Thanks,
Peter


________________________________
From: Tobias Brunner <tobias at strongswan.org>
Sent: Tuesday, February 5, 2019 12:12 AM
To: Peter Hsiang; users at lists.strongswan.org
Subject: Re: [strongSwan] ipsec.secrets loading p12 file fail due to no CRED_CONTAINER during enumeration

Hi Peter,

> Any idea why there is no pkcs12 in the log message?

https://wiki.strongswan.org/projects/strongswan/wiki/FAQ#Plugin-is-missing

Regards,
Tobias
