[strongSwan] migrating from swanctl to networkmanager
mbalembo
marc.balemboy at csgroup.eu
Thu May 20 12:10:36 CEST 2021
Hello,
I'm changing my config from using swanctl to the
networkmanager-strongswan plugin.
I have trouble using a smartcard with charon-nm.
Charon-nm is configured with the right pkcs11 plugin/module/lib and I
can see in the logs:
May 20 09:09:32 OR6240941 charon-nm: 00[CFG] loaded PKCS#11 v2.40
library 'tpm2-pkcs11' (/usr/lib64/pkcs11/libtpm2_pkcs11.so)
May 20 09:09:32 OR6240941 charon-nm: 00[CFG]
tpm2-software.github.io: TPM2.0 Cryptoki v0.0
May 20 09:09:32 OR6240941 charon-nm: 00[CFG] found token in slot
'tpm2-pkcs11':1 (tpm2-token Infineon)
May 20 09:09:32 OR6240941 charon-nm: 00[CFG] tpm2-token
(Infineon: SLB9670)
May 20 09:09:32 OR6240941 charon-nm: 00[CFG] found token in slot
'tpm2-pkcs11':2 ( Infineon)
May 20 09:09:32 OR6240941 charon-nm: 00[CFG] (Infineon: SLB9670)
May 20 09:09:32 OR6240941 charon-nm: 00[KNL] received netlink error:
Address family not supported by protocol (97)
May 20 09:09:32 OR6240941 charon-nm: 00[KNL] unable to create IPv6
routing table rule
May 20 09:09:32 OR6240941 NetworkManager[13100]: <info>
[1621501772.1373]
vpn-connection[0x55a76cba84e0,1f9098ba-4328-4a23-ad17-e503456c2d04,"swanboottoken",0]:
Saw the service appear; activating connection
May 20 09:09:32 OR6240941 charon-nm: 00[CFG]
C_GetAttributeValue(NULL) error: ATTRIBUTE_TYPE_INVALID
May 20 09:09:32 OR6240941 charon-nm: 00[LIB] loaded plugins:
nm-backend charon-nm ldap pkcs11 tpm aes des rc2 sha2 sha1 md5 mgf1
random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 sshkey
pem openssl fips-prf gmp curve25519 xcbc cmac hmac drbg curl
kernel-netlink socket-default
May 20 09:09:32 OR6240941 charon-nm: 00[LIB] dropped capabilities,
running as uid 105, gid 101
May 20 09:09:32 OR6240941 charon-nm: 00[JOB] spawning 16 worker threads
May 20 09:09:32 OR6240941 charon-nm: 01[CFG] module 'tpm2-pkcs11'
does not support hot-plugging, cancelled
May 20 09:09:32 OR6240941 NetworkManager[13100]: <info>
[1621501772.1439]
vpn-connection[0x55a76cba84e0,1f9098ba-4328-4a23-ad17-e503456c2d04,"swanboottoken",0]:
VPN connection: (ConnectInteractive) reply received
May 20 09:09:32 OR6240941 charon-nm: 06[CFG] received initiate for
NetworkManager connection swanboottoken
May 20 09:09:32 OR6240941 charon-nm: 06[CFG] using CA certificate,
gateway identity '<vpn name>'
May 20 09:09:32 OR6240941 NetworkManager[13100]: <warn>
[1621501772.1468]
vpn-connection[0x55a76cba84e0,1f9098ba-4328-4a23-ad17-e503456c2d04,"swanboottoken",0]:
VPN connection: failed to connect: 'no usable smartcard certificate
found.'
I know the certificate/private key is working outside the smartcard/token.
Following the smartcard requirements, I have the public key available
without login, the ID on the certificate matches the private key and the
public key (it's not the subjectKeyIdentifier but I'm using strongSwan
5.8.2).
The line C_GetAttributeValue(NULL) error: ATTRIBUTE_TYPE_INVALID might
be the root cause, since my certificate does not have the "TLS Client Auth"
extended key usage, but "TLS Web Client Authentication, IPSec User,
ipsec Internet Key Exchange".
Since the certificate works outside the smartcard I'm not sure this is wrong.
Is there a way to get more debugging logs from charon-nm/pkcs11?
Regards,
Marc
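The post states the smartcard requirement that the certificate, public key and private key objects on the token carry the same ID. The script below is an added example (not from the mailing-list post or the strongSwan project) that checks exactly that against the text output of `pkcs11-tool --module <lib> --list-objects` (with the module path from the post, `/usr/lib64/pkcs11/libtpm2_pkcs11.so`). The listing embedded here is constructed sample text in pkcs11-tool's output format, not output from the poster's token; it contains one consistent key/certificate triple and one certificate whose key objects carry a different ID, so the failure path is exercised too.

```shell
#!/bin/sh
# Added example, not from the strongSwan post or project.
# check_ids LISTING: for every "Certificate Object" in a pkcs11-tool
# --list-objects listing, verify that a "Public Key Object" and a
# "Private Key Object" with the same "ID:" value exist.
# Prints "ok <id>" or "missing <id> <what...>" per certificate;
# returns 0 when every certificate is complete, 1 otherwise.
#
# Constructed sample listing (pkcs11-tool format); on a real system use:
#   pkcs11-tool --module /usr/lib64/pkcs11/libtpm2_pkcs11.so --list-objects --login
# Private key objects are normally only listed after --login; run once without
# --login to confirm the certificate and public key are visible anonymously, as
# the post requires, and once with --login so the private key shows up.
SAMPLE_LISTING='Certificate Object; type = X.509 cert
  label:      vpn-client
  subject:    DN: CN=vpn-client
  ID:         01
Public Key Object; RSA 2048 bits
  label:      vpn-client
  ID:         01
  Usage:      encrypt, verify
Private Key Object; RSA
  label:      vpn-client
  ID:         01
  Usage:      decrypt, sign
Certificate Object; type = X.509 cert
  label:      stale-cert
  subject:    DN: CN=stale
  ID:         02
Public Key Object; RSA 2048 bits
  label:      stale-cert
  ID:         03
'

check_ids() {
    printf '%s\n' "$1" | awk '
        # Object headers start at column 0; attributes are indented.
        /^Certificate Object/ { kind = "cert"; next }
        /^Public Key Object/  { kind = "pub";  next }
        /^Private Key Object/ { kind = "priv"; next }
        /^ +ID:/ {
            id = $2
            seen[kind, id] = 1
            if (kind == "cert") certs[id] = 1
        }
        END {
            rc = 0
            for (id in certs) {
                miss = ""
                if (!seen["pub", id])  miss = miss " public-key"
                if (!seen["priv", id]) miss = miss " private-key"
                if (miss == "") {
                    print "ok " id
                } else {
                    print "missing " id miss
                    rc = 1
                }
            }
            exit rc
        }'
}

# Stand-alone run against the constructed sample; exits 1 because of ID 02.
check_ids "$SAMPLE_LISTING"
```

An ID that is present on the certificate but absent on the key objects is the condition that makes strongSwan skip the certificate, so a "missing" line here points at a token provisioning problem rather than at charon-nm. For the logging question in the post, strongswan.conf's logger settings apply to charon-nm through its own `charon-nm` section (which falls back to `charon`), so raising the `cfg` and `lib` levels there is the documented way to see the pkcs11 plugin's object enumeration in more detail.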