strongswan
This was tested on strongswan 5.2.0 but should work on earlier versions as well.

```sh
sudo apt-get install libstrongswan-extra-plugins
```
The following was tested with RSA and ECDSA authentication.
Edit the pkcs11 strongswan configuration `/etc/strongswan.d/charon/pkcs11.conf`:

```
pkcs11 {
    load = yes
    load_certs = yes
    ...
    # List of available PKCS#11 modules.
    modules {
        libp11client {
            path = /usr/local/lib/libp11client.so
        }
    }
}
```

Then add the token PIN to `/etc/ipsec.secrets` so that charon can log in to the slot holding the key:

```
# Syntax is %smartcard<slot>:<keyid> "PIN"
: PIN %smartcard0:123456 "whatever_the_pin_is"
# Or use %prompt instead of the PIN to ask for the PIN during startup
```
Here is the ipsec.conf file on the side which has Caml Crush installed:

```
...
conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev1

conn host-host-con
    # Using IKEv2 for stronger crypto, ikev1 works as well
    keyexchange=ikev2
    type=transport
    authby=pubkey
    left=192.168.39.54
    leftsubnet=192.168.39.54/32
    # leftcert is not present: the certificate is found through PKCS#11 lookups
    # and matched to the following leftid
    leftid="C=FR, ST=IDF, O=TestPKI, CN=PKCS11IPSec"
    leftfirewall=yes
    right=192.168.39.5
    rightsubnet=192.168.39.5/32
    rightid="C=FR, ST=IDF, O=TestPKI, CN=ClassicIPSec"
    # Sample suites, should be adapted to your requirements!
    esp=aes256gcm128-sha256-modp2048!
    ike=aes256gcm128-sha256-modp2048!
    auto=add
```
The configuration has to be adapted on the other machine. Obviously, the CA certificates must be installed in the strongswan trust store (namely `/etc/ipsec.d/cacerts/`).

Restart strongswan and try to establish a connection:

```sh
ipsec restart
ipsec listcerts
ipsec rereadsecrets
ipsec up host-host-con
```
Please note that strongswan expects the RSA public key to be present on the token (it cannot derive it from the certificate).

Furthermore, it is assumed that the RSA public key and the associated certificate are public PKCS#11 objects, meaning they are stored with `CKA_PRIVATE` set to `FALSE`.
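A quick way to verify that last requirement before digging into charon logs is to list the token without logging in: objects with `CKA_PRIVATE = TRUE` are hidden until a PIN is presented, so a public key and a certificate carrying the configured `CKA_ID` must both show up in an unauthenticated listing. The shell check below is an added example, not part of Caml Crush or strongSwan; it parses the output format of OpenSC's `pkcs11-tool --list-objects` (an assumption about the tool's layout), and the listing it ships with is constructed from the key id, label and DN used on this page.

```sh
#!/bin/sh
# Returns 0 when the listing on stdin contains BOTH a "Public Key Object" and a
# "Certificate Object" whose ID matches the given CKA_ID, i.e. both objects are
# visible without a PIN and therefore have CKA_PRIVATE = FALSE. Returns 1 otherwise.
# Real-world use (no --login, so private objects stay hidden):
#   pkcs11-tool --module /usr/local/lib/libp11client.so --slot 0 --list-objects \
#       | check_public_objects 123456
check_public_objects() {
  awk -v want="$1" '
    # Object headers look like "Public Key Object; RSA 2048 bits" or
    # "Certificate Object; type = X.509 cert"; remember the first word as the kind.
    /Object;/ { kind = $1; next }
    # Attribute lines are indented "ID:  <hex>"; compare case-insensitively.
    /^[[:space:]]*ID:/ && tolower($2) == tolower(want) {
      if (kind == "Public") pub = 1
      else if (kind == "Certificate") cert = 1
    }
    END {
      if (!pub)  print "missing or private: public key with CKA_ID " want > "/dev/stderr"
      if (!cert) print "missing or private: certificate with CKA_ID " want > "/dev/stderr"
      if (pub && cert) exit 0
      exit 1
    }
  '
}

# Constructed sample of an unauthenticated listing for the token used on this page.
SAMPLE_LISTING='Using slot 0 with a present token (0x0)
Public Key Object; RSA 2048 bits
  label:      PKCS11IPSec
  ID:         123456
  Usage:      encrypt, verify
Certificate Object; type = X.509 cert
  label:      PKCS11IPSec
  subject:    DN: C=FR, ST=IDF, O=TestPKI, CN=PKCS11IPSec
  ID:         123456'

if printf '%s\n' "$SAMPLE_LISTING" | check_public_objects 123456; then
  echo "ok: public key and certificate with CKA_ID 123456 are public objects"
fi
```

If the check fails against the real token, either the objects are stored with `CKA_PRIVATE = TRUE` or the `CKA_ID` does not match the `%smartcard0:<keyid>` entry in `ipsec.secrets`.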