Discussion:
[strongSwan] Trouble configuring vpn connection to strongswan using smartcard
Nathan Hüsken
2018-07-16 20:46:33 UTC
Hello Everyone,

I am new on this list, so hi :).

I have trouble configuring a connection to my strongswan server using a smartcard and I need some help debugging the problem.

I am trying to configure it via network-manager (with the charon-nm module). Here is the situation:

* If I use private key + certificate, everything is fine, so the server seems to be set up correctly.
* I stored the certificate on the smartcard using pkcs15-init and it shows up using pkcs15-tool.
* If I use the smartcard, I get prompted for my PIN, but then it says in the logs:

VPN connection: failed to connect: 'no usable smartcard certificate found.'

This is unfortunately not very informative. I wonder: Does it not find the certificate on the smartcard? Did I copy the wrong certificate?

Can I somehow get better logs about what is wrong?
Can I use smartcards with charon-cmd? Maybe that way I could find out more.

Thanks!
Nathan
Tobias Brunner
2018-07-17 09:01:32 UTC
Hi Nathan,
    VPN connection: failed to connect: 'no usable smartcard certificate
found.'
This is unfortunately not very informative. I wonder: Does it not find
the certificate on the smartcard? Did I copy the wrong certificate?
Did you read the requirements at [1]?

Regards,
Tobias

[1]
https://wiki.strongswan.org/projects/strongswan/wiki/NetworkManager#Smart-card-requirements
Nathan Hüsken
2018-07-19 15:11:36 UTC
Hey,

Thanks for the reply and help! I tried around a little more, everything seems fine.
pkcs15-tool --read-certificate 3 > cert.pem
pki --keyid --in cert.pem --type x509
subjectKeyIdentifier: <id>

OK, so far so good.

* look for a public key having the certificate's subjectKeyIdentifier as ID
pkcs15-tool --read-public-key 3 > key.pem
pki --keyid --in key.pem --type pub
subjectKeyIdentifier: <id>

The ids match! So it should be fine!

* The certificate needs the TLS Client Auth Extended Key Usage flag.
openssl x509 -in cert.pem -text -noout
...
X509v3 Extended Key Usage:
TLS Web Client Authentication
...

Thank you for the help!

Any other help on why this does possibly not work?

Nathan


[1] https://wiki.strongswan.org/projects/strongswan/wiki/NetworkManager#Smart-card-requirements

​--

Dr. Nathan Hüsken

Cloud Developer

***@wintercloud.de

+49 151 703 478 84

wintercloud GmbH & Co. KG

Emil-Maier-Str. 16

69115 Heidelberg

wintercloud.de

Sitz der Kommanditgesellschaft: Heidelberg, Registernummer der Kommanditgesellschaft im Handelsregister: AG Mannheim HRA 707268

Komplementärin: junah GmbH, Sitz der Komplementärin: Heidelberg, Registernummer der Komplementärin im Handelsregister: AG Mannheim HRB 726538, Geschäftsführer der Komplementärin: Julian Wintermayr und Dr. Nathan Hüsken

USt-IdNr.: DE815676705​

Tobias Brunner
2018-07-19 15:29:37 UTC
Hi Nathan,
Post by Nathan Hüsken
The ids match! So it should be fine!
Only with strongSwan >= 5.5.1; with older releases the cert/key has to
be stored using a CKA_ID that matches the SPKI (i.e. your cert/key with
CKA_ID 3 would never be used).
Post by Nathan Hüsken
Any other help on why this does possibly not work?
Do you have strongSwan >= 5.5.1 installed? Did you configure the pkcs11
plugin properly? Is it loaded and does it enumerate certificates when
charon-nm is started (check the log for details)?

Regards,
Tobias
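The two checks from Nathan's post above (matching key IDs, TLS client-auth EKU) together with the subjkeyId-versus-SPKI distinction Tobias raises, as an added example that is not from the thread or from the strongSwan project: a POSIX shell script that builds a throwaway RSA key pair and a self-signed client certificate with the OpenSSL CLI, then runs the same comparisons on them. It stands in `openssl` for strongSwan's `pki --keyid`, assumes an RSA key (as in the thread) and an `openssl` binary in PATH; the file names, the config fragment and the generated certificate are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread). Reproduces, on constructed material,
# the checks a smartcard certificate has to pass before strongSwan will use it:
#   1. the certificate's subjectKeyIdentifier equals the SHA-1 over the public
#      key's subjectPublicKey BIT STRING (RFC 5280 method 1), which strongSwan
#      prints as "subjkeyId"/"subjkey";
#   2. the certificate carries the TLS Web Client Authentication EKU.
# It also computes the SHA-1 over the whole SubjectPublicKeyInfo, strongSwan's
# "keyid", i.e. the SPKI hash Tobias mentions for the CKA_ID of old releases.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test material: one key with a self-signed client certificate,
# plus a second, unrelated key to show what a mismatch looks like.
cat > "$WORK/client.cnf" <<'EOF'
[ req ]
prompt             = no
distinguished_name = dn
x509_extensions    = v3_client
[ dn ]
CN = constructed smartcard example
[ v3_client ]
subjectKeyIdentifier = hash
extendedKeyUsage     = clientAuth
EOF
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/client.cnf" \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null
openssl rsa -in "$WORK/key.pem" -pubout -out "$WORK/pub.pem" 2>/dev/null
openssl genrsa -out "$WORK/other.pem" 2048 2>/dev/null
openssl rsa -in "$WORK/other.pem" -pubout -out "$WORK/other_pub.pem" 2>/dev/null

# subjectKeyIdentifier as stored in the certificate: lowercase hex, no colons.
cert_ski() {
    openssl x509 -in "$1" -noout -text |
        awk '/X509v3 Subject Key Identifier/ { getline; gsub(/[ :]/, ""); print tolower($0); exit }'
}

# SHA-1 over the subjectPublicKey BIT STRING of an RSA key, which is the
# PKCS#1 RSAPublicKey DER: the value the certificate's SKI must equal.
pubkey_ski() {
    openssl rsa -pubin -in "$1" -RSAPublicKey_out -outform DER 2>/dev/null |
        openssl dgst -sha1 | awk '{ print $NF }'
}

# SHA-1 over the complete SubjectPublicKeyInfo DER: strongSwan's "keyid".
pubkey_spki_hash() {
    openssl pkey -pubin -in "$1" -outform DER | openssl dgst -sha1 | awk '{ print $NF }'
}

# Returns 0 when the certificate carries the TLS client-auth EKU.
cert_has_client_auth() {
    openssl x509 -in "$1" -noout -text |
        awk '/X509v3 Extended Key Usage/ { getline; if ($0 ~ /TLS Web Client Authentication/) found = 1 }
             END { exit !found }'
}

# Combined check: 0 when the public key belongs to the certificate and the
# EKU is present, 1 otherwise, with a one-line reason on stdout.
check_pair() {
    cert=$1; pub=$2
    if [ "$(cert_ski "$cert")" != "$(pubkey_ski "$pub")" ]; then
        echo "MISMATCH: certificate SKI $(cert_ski "$cert") != key SKI $(pubkey_ski "$pub")"
        return 1
    fi
    if ! cert_has_client_auth "$cert"; then
        echo "certificate lacks the TLS Web Client Authentication EKU"
        return 1
    fi
    echo "OK: SKI $(cert_ski "$cert") matches; SPKI hash (keyid) $(pubkey_spki_hash "$pub")"
}

check_pair "$WORK/cert.pem" "$WORK/pub.pem"                # matching pair
check_pair "$WORK/cert.pem" "$WORK/other_pub.pem" || true  # unrelated key
```

To run the same checks against a real token, feed the files written by `pkcs15-tool --read-certificate` and `pkcs15-tool --read-public-key` to `check_pair` instead of the generated ones. The two hashes the script prints are the ones that appear as separate lines in the `ipsec listcerts` output later in this thread: `subjkey` is the subjectPublicKey hash, `keyid` is the SPKI hash.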
Nathan Hüsken
2018-07-19 17:04:35 UTC
Hey,

Ok, thanks for the tips. I am trying it with charon-cmd now, not network-manager. I followed the instructions from [1].

In the logs I can see that the private key seems to be loaded correctly:

Jul 19 19:01:53 SuperSam charon: 14[CFG] loading secrets from '/etc/ipsec.secrets'
Jul 19 19:01:53 SuperSam charon: 14[CFG] found key on PKCS#11 token 'opensc':0
Jul 19 19:01:53 SuperSam charon: 14[CFG] loaded private key from %smartcard:3
ipsec listcerts
List of X.509 End Entity Certificates

subject: "C=DE, O=example Company, CN=***@wintercloud.de"
issuer: "C=DE, O=example Company, CN=strongSwan Root CA"
validity: not before Jul 19 17:02:36 2018, ok
not after Jul 18 17:02:36 2020, ok (expires in 729 days)
serial: 4c:0f:51:f9:0c:bc:06:c9
altNames: ***@wintercloud.de
flags: clientAuth
authkeyId: 1b:52:a8:d6:bb:20:98:11:ca:28:52:71:07:89:46:84:bf:52:2d:36
subjkeyId: d0:65:3c:1c:f4:4f:f6:77:7e:09:fb:d3:81:55:d3:d9:d9:99:69:c8
pubkey: RSA 4096 bits, has private key
keyid: 8f:38:18:ef:2e:52:63:c3:dd:7d:62:66:9d:31:91:ac:6c:f8:2e:c6
subjkey: d0:65:3c:1c:f4:4f:f6:77:7e:09:fb:d3:81:55:d3:d9:d9:99:69:c8
...
05[CFG] missing private key for profile ikev2-pub
...

The identity is the one from the certificate. Do I have to add additional options so that charon-cmd knows that it should take the private key from the smartcard?

Thanks!
Nathan

[1]: https://wiki.strongswan.org/projects/strongswan/wiki/SmartCards

​--

Dr. Nathan Hüsken

Cloud Developer

***@wintercloud.de

+49 151 703 478 84

wintercloud GmbH & Co. KG

Emil-Maier-Str. 16

69115 Heidelberg

wintercloud.de

Sitz der Kommanditgesellschaft: Heidelberg, Registernummer der Kommanditgesellschaft im Handelsregister: AG Mannheim HRA 707268

Komplementärin: junah GmbH, Sitz der Komplementärin: Heidelberg, Registernummer der Komplementärin im Handelsregister: AG Mannheim HRB 726538, Geschäftsführer der Komplementärin: Julian Wintermayr und Dr. Nathan Hüsken

USt-IdNr.: DE815676705​

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
​​
Hi Nathan,
Post by Nathan Hüsken
The ids match! So it should be fine!
Only with strongSwan >= 5.5.1, with older releases the cert/key has to
be stored using a CKA_ID that matches the SPKI (i.e. your cert/key with
CKA_ID 3 would never be used).
Post by Nathan Hüsken
Any other help on why this does possibly not work?
Do you have strongSwan >= 5.5.1 installed? Did you configure the pkcs11
plugin properly? Is it loaded and does it enumerate certificates when
charon-nm is started (check the log for details)?
Regards,
Tobias
Nathan Hüsken
2018-07-19 17:05:50 UTC
Hey,

Oh, I forgot to mention:

ipsec --version
Linux strongSwan U5.6.2/K4.15.0-24-generic
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil, Switzerland
See 'ipsec --copyright' for copyright information.

So the version seems to be fine.

Best,
Nathan

​--

Dr. Nathan Hüsken

Cloud Developer

***@wintercloud.de

+49 151 703 478 84

wintercloud GmbH & Co. KG

Emil-Maier-Str. 16

69115 Heidelberg

wintercloud.de

Sitz der Kommanditgesellschaft: Heidelberg, Registernummer der Kommanditgesellschaft im Handelsregister: AG Mannheim HRA 707268

Komplementärin: junah GmbH, Sitz der Komplementärin: Heidelberg, Registernummer der Komplementärin im Handelsregister: AG Mannheim HRB 726538, Geschäftsführer der Komplementärin: Julian Wintermayr und Dr. Nathan Hüsken

USt-IdNr.: DE815676705​

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
Post by Nathan Hüsken
​​
Hey,
Ok, thanks for the tips. I am trying it with charon-cmd now, not network-manager. I followed the instructions from [1].
Jul 19 19:01:53 SuperSam charon: 14[CFG] loading secrets from '/etc/ipsec.secrets'
Jul 19 19:01:53 SuperSam charon: 14[CFG] found key on PKCS#11 token 'opensc':0
Jul 19 19:01:53 SuperSam charon: 14[CFG] loaded private key from %smartcard:3
ipsec listcerts
List of X.509 End Entity Certificates
issuer: "C=DE, O=example Company, CN=strongSwan Root CA"
validity: not before Jul 19 17:02:36 2018, ok
not after Jul 18 17:02:36 2020, ok (expires in 729 days)
serial: 4c:0f:51:f9:0c:bc:06:c9
flags: clientAuth
authkeyId: 1b:52:a8:d6:bb:20:98:11:ca:28:52:71:07:89:46:84:bf:52:2d:36
subjkeyId: d0:65:3c:1c:f4:4f:f6:77:7e:09:fb:d3:81:55:d3:d9:d9:99:69:c8
pubkey: RSA 4096 bits, has private key
keyid: 8f:38:18:ef:2e:52:63:c3:dd:7d:62:66:9d:31:91:ac:6c:f8:2e:c6
subjkey: d0:65:3c:1c:f4:4f:f6:77:7e:09:fb:d3:81:55:d3:d9:d9:99:69:c8
...
05[CFG] missing private key for profile ikev2-pub
...
The identiy is the one from the certificate. Do I have to add additonal options so that charon-cmd know that it should take the private key from the smartcard?
Thanks!
Nathan
[1]: https://wiki.strongswan.org/projects/strongswan/wiki/SmartCards
--
Dr. Nathan Hüsken
Cloud Developer
+49 151 703 478 84
wintercloud GmbH & Co. KG
Emil-Maier-Str. 16
69115 Heidelberg
wintercloud.de
Sitz der Kommanditgesellschaft: Heidelberg, Registernummer der Kommanditgesellschaft im Handelsregister: AG Mannheim HRA 707268
Komplementärin: junah GmbH, Sitz der Komplementärin: Heidelberg, Registernummer der Komplementärin im Handelsregister: AG Mannheim HRB 726538, Geschäftsführer der Komplementärin: Julian Wintermayr und Dr. Nathan Hüsken
USt-IdNr.: DE815676705
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
Hi Nathan,
Post by Nathan Hüsken
The ids match! So it should be fine!
Only with strongSwan >= 5.5.1, with older releases the cert/key has to
be stored using a CKA_ID that matches the SPKI (i.e. your cert/key with
CKA_ID 3 would never be used).
Post by Nathan Hüsken
Any other help on why this does possibly not work?
Do you have strongSwan >= 5.5.1 installed? Did you configure the pkcs11
plugin properly? Is it loaded and does it enumerate certificates when
charon-nm is started (check the log for details)?
Regards,
Tobias
Tobias Brunner
2018-07-19 17:17:49 UTC
Hi Nathan,
Post by Nathan Hüsken
Jul 19 19:01:53 SuperSam charon: 14[CFG] loading secrets from '/etc/ipsec.secrets'
Jul 19 19:01:53 SuperSam charon: 14[CFG] found key on PKCS#11 token 'opensc':0
Jul 19 19:01:53 SuperSam charon: 14[CFG] loaded private key from %smartcard:3
In case this wasn't clear, the charon daemon has nothing to do with
charon-cmd or the charon-nm daemon (which is used by the NM plugin).
Post by Nathan Hüsken
ipsec listcerts
List of X.509 End Entity Certificates
issuer: "C=DE, O=example Company, CN=strongSwan Root CA"
validity: not before Jul 19 17:02:36 2018, ok
not after Jul 18 17:02:36 2020, ok (expires in 729 days)
serial: 4c:0f:51:f9:0c:bc:06:c9
flags: clientAuth
authkeyId: 1b:52:a8:d6:bb:20:98:11:ca:28:52:71:07:89:46:84:bf:52:2d:36
subjkeyId: d0:65:3c:1c:f4:4f:f6:77:7e:09:fb:d3:81:55:d3:d9:d9:99:69:c8
pubkey: RSA 4096 bits, has private key
keyid: 8f:38:18:ef:2e:52:63:c3:dd:7d:62:66:9d:31:91:ac:6c:f8:2e:c6
subjkey: d0:65:3c:1c:f4:4f:f6:77:7e:09:fb:d3:81:55:d3:d9:d9:99:69:c8
As I explained above, the charon daemon (including the output of the
ipsec script/stroke command, or swanctl/vici for that matter) has
nothing to do with charon-cmd (or charon-nm). But charon-nm should at
least load the certificate when it starts (via pkcs11 plugin, just like
charon does here).
Post by Nathan Hüsken
Do I have to add additional options so that charon-cmd knows that it should take the private key from the smartcard?
Yes, you'd have to do that. But it currently doesn't support it.

Regards,
Tobias
Nathan Hüsken
2018-07-19 17:41:51 UTC
Hey,

Ok, now I am a little confused.

I wanted to use the network-manager (in the end, the config has to be usable by people scared of the command line).
There is an option: "Smartcard". If I choose it, it asks me for the PIN of the smart card (but complains that there are no usable certificates on the smartcard).

If charon-nm does not support reading the private key from the smartcard, what is the point of this option?

What am I missing here?

Many thanks!
Nathan


​--

Dr. Nathan Hüsken

Cloud Developer

***@wintercloud.de

+49 151 703 478 84

wintercloud GmbH & Co. KG

Emil-Maier-Str. 16

69115 Heidelberg

wintercloud.de

Sitz der Kommanditgesellschaft: Heidelberg, Registernummer der Kommanditgesellschaft im Handelsregister: AG Mannheim HRA 707268

Komplementärin: junah GmbH, Sitz der Komplementärin: Heidelberg, Registernummer der Komplementärin im Handelsregister: AG Mannheim HRB 726538, Geschäftsführer der Komplementärin: Julian Wintermayr und Dr. Nathan Hüsken

USt-IdNr.: DE815676705​

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
Post by Tobias Brunner
​​
Hi Nathan,
Post by Nathan Hüsken
Jul 19 19:01:53 SuperSam charon: 14[CFG] loading secrets from '/etc/ipsec.secrets'
Jul 19 19:01:53 SuperSam charon: 14[CFG] found key on PKCS#11 token 'opensc':0
Jul 19 19:01:53 SuperSam charon: 14[CFG] loaded private key from %smartcard:3
In case this wasn't clear, the charon daemon has nothing to do with
charon-cmd or the charon-nm daemon (which is used by the NM plugin).
Post by Nathan Hüsken
ipsec listcerts
List of X.509 End Entity Certificates
issuer: "C=DE, O=example Company, CN=strongSwan Root CA"
validity: not before Jul 19 17:02:36 2018, ok
not after Jul 18 17:02:36 2020, ok (expires in 729 days)
serial: 4c:0f:51:f9:0c:bc:06:c9
flags: clientAuth
authkeyId: 1b:52:a8:d6:bb:20:98:11:ca:28:52:71:07:89:46:84:bf:52:2d:36
subjkeyId: d0:65:3c:1c:f4:4f:f6:77:7e:09:fb:d3:81:55:d3:d9:d9:99:69:c8
pubkey: RSA 4096 bits, has private key
keyid: 8f:38:18:ef:2e:52:63:c3:dd:7d:62:66:9d:31:91:ac:6c:f8:2e:c6
subjkey: d0:65:3c:1c:f4:4f:f6:77:7e:09:fb:d3:81:55:d3:d9:d9:99:69:c8
As I explained above, the charon daemon (including the output of the
ipsec script/stroke command, or swanctl/vici for that matter) has
nothing to do with charon-cmd (or charon-nm). But charon-nm should at
least load the certificate when it starts (via pkcs11 plugin, just like
charon does here).
Post by Nathan Hüsken
Do I have to add additonal options so that charon-cmd know that it should take the private key from the smartcard?
Yes, you'd have to do that. But it currently doesn't support it.
Regards,
Tobias
Tobias Brunner
2018-07-19 17:50:25 UTC
Hi Nathan,
Post by Nathan Hüsken
I wanted to use the network-manager (in the end, the config has to be usable by people scared of the command line).
There is an option: "Smartcard". If I choose it, it asks me for the PIN of the smart card (but complains that there are no usable certificates on the smartcard).
If charon-nm does not support reading the private key from the smartcard, what is the point of this option?
What am I missing here?
You are confusing charon-cmd and NM/charon-nm (and perhaps charon).
charon-nm supports private keys on smartcards (with the already
mentioned limitations), as does charon (with more flexibility),
charon-cmd does not.

Regards,
Tobias
Nathan Hüsken
2018-07-20 17:23:23 UTC
Hey,

OK, in the end my mistake was that I believed the PKCS#11 plugin was enabled in charon-nm, but it was only enabled in strongSwan itself. It works now.
Thanks for pointing that out and thanks for all the help!

Nathan


​--

Dr. Nathan Hüsken

Cloud Developer

***@wintercloud.de

+49 151 703 478 84

wintercloud GmbH & Co. KG

Emil-Maier-Str. 16

69115 Heidelberg

wintercloud.de

Sitz der Kommanditgesellschaft: Heidelberg, Registernummer der Kommanditgesellschaft im Handelsregister: AG Mannheim HRA 707268

Komplementärin: junah GmbH, Sitz der Komplementärin: Heidelberg, Registernummer der Komplementärin im Handelsregister: AG Mannheim HRB 726538, Geschäftsführer der Komplementärin: Julian Wintermayr und Dr. Nathan Hüsken

USt-IdNr.: DE815676705​

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
Post by Tobias Brunner
​​
Hi Nathan,
Post by Nathan Hüsken
I wanted to use the network-manager (in the end, the config has to be usable by people scared of the command line).
There is an option: "Smartcard". If choose it, it asks me for the pin of the smart card (but complains, that there are not usable certificates on the smartcard).
If charon-nm doest not support reading the private key from the smartcard, what is the point of this option?
What am I missing here?
You are confusing charon-cmd and NM/charon-nm (and perhaps charon).
charon-nm supports private keys on smartcards (with the already
mentioned limitations), as does charon (with more flexibility),
charon-cmd does not.
Regards,
Tobias
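The configuration side of the fix Nathan describes, as an added example that is not from the thread or from the strongSwan project: a strongswan.conf fragment showing the pkcs11 module configured only for the charon daemon beside the same module configured for charon-nm. It assumes that charon-nm, being a separate daemon as Tobias explains above, reads its own top-level `charon-nm` section with the same option layout as `charon`; the module name `opensc` and the library path are placeholders to be replaced with the path where the distribution installs the OpenSC PKCS#11 library.

```conf
# Added example, not taken from the thread or from the strongSwan documentation.
# charon and charon-nm are separate daemons with separate top-level sections,
# so a pkcs11 module listed only under "charon" is never seen by charon-nm.
# Module name and library path are assumed placeholders.

# Nathan's situation: the token is usable by charon (ipsec/stroke, swanctl),
# which is why "ipsec listcerts" showed the certificate with "has private key",
# but charon-nm has no PKCS#11 module to enumerate and reports
# "no usable smartcard certificate found".
charon {
    plugins {
        pkcs11 {
            modules {
                opensc {
                    # placeholder path
                    path = /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
                }
            }
        }
    }
}

# The fix: the same module under the charon-nm section, so that charon-nm
# loads the pkcs11 plugin and enumerates the token's certificates at startup.
charon-nm {
    plugins {
        pkcs11 {
            modules {
                opensc {
                    # placeholder path
                    path = /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
                }
            }
        }
    }
}
```

After changing the file, restart charon-nm (NetworkManager starts it on demand) and confirm in its log, as Tobias suggests, that the pkcs11 plugin is loaded and that it lists the token's certificates before the PIN prompt appears.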