Using smart cards
Since version 4.5.0, libstrongswan ships a PKCS#11 plugin that enables smart card support in the IKE daemon charon and in the ipsec pki tool. Version 4.6.0 added support for ECDSA, DH/ECDH and RNG operations on the token.
The plugin is enabled with the --enable-pkcs11 configure option.
To use the plugin, the available PKCS#11 modules have to be configured in strongswan.conf.
| Key | Type | Default | Description |
|---|---|---|---|
| libstrongswan.plugins.pkcs11.modules | Section | | This section lists the available PKCS#11 modules |
| libstrongswan.plugins.pkcs11.modules.<name>.path | String | | Full path to the shared object file of this PKCS#11 module |
| libstrongswan.plugins.pkcs11.modules.<name>.os_locking | Boolean | no | Whether OS locking should be enabled for this module |
| libstrongswan.plugins.pkcs11.load_certs | Boolean | yes | Whether the PKCS#11 modules should load certificates from tokens (since 5.0.2) |
| libstrongswan.plugins.pkcs11.reload_certs | Boolean | no | Whether the PKCS#11 modules should reload all certificates when charon receives a SIGHUP (since 5.0.2) |
| libstrongswan.plugins.pkcs11.use_dh | Boolean | no | Whether the PKCS#11 modules should be used for DH and ECDH |
| libstrongswan.plugins.pkcs11.use_ecc | Boolean | no | Whether the PKCS#11 modules should be used for ECDH and ECDSA public key operations. ECDSA private keys stored on tokens can be used regardless of this option. |
| libstrongswan.plugins.pkcs11.use_hasher | Boolean | no | Whether the PKCS#11 modules should be used to hash data |
| libstrongswan.plugins.pkcs11.use_pubkey | Boolean | no | Whether the PKCS#11 modules should be used for public key operations, even for keys not stored on tokens |
| libstrongswan.plugins.pkcs11.use_rng | Boolean | no | Whether the PKCS#11 modules should be used as RNG |
Example:

    libstrongswan {
        # ...
        plugins {
            pkcs11 {
                modules {
                    my-xy-module {
                        path = /path/to/pkcs11/lib.so
                    }
                }
            }
        }
    }
Certificates stored on smart cards are loaded automatically when the daemon starts. If the PKCS#11 module supports hot-plugging, they are reloaded when a token is inserted or removed later.
It is not necessary to specify leftcert=%smartcard... in ipsec.conf (before 5.0.2 doing so actually fails). Instead, the first loaded certificate whose identity (subject DN or subjectAltName) matches the leftid parameter is used. Since 5.0.2 a specific certificate can be selected with leftcert, using the same %smartcard syntax as in ipsec.secrets.
To use the private key on the token, the associated PIN has to be specified in ipsec.secrets.
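The three files involved, put together as an added example that is not part of the original page or of the strongSwan distribution. The module name opensc, the library path, the slot number, the identities and the key ID 0a1b2c3d (the hex CKA_ID shared by the key and certificate objects on the token) are placeholders, and the PIN is a constructed value:

```conf
# /etc/strongswan.conf: register the PKCS#11 module (placeholder name and path)
libstrongswan {
    plugins {
        pkcs11 {
            modules {
                opensc {
                    path = /usr/lib/opensc-pkcs11.so
                }
            }
        }
    }
}

# /etc/ipsec.conf: leftid selects the token certificate; leftcert is optional
conn roadwarrior
    keyexchange=ikev2
    left=%defaultroute
    leftid="C=CH, O=Example, CN=alice@example.com"
    # optional since 5.0.2: pick the certificate by CKA_ID instead of by leftid
    leftcert=%smartcard:0a1b2c3d
    leftauth=pubkey
    right=vpn.example.com
    rightid=@vpn.example.com
    auto=add

# /etc/ipsec.secrets: PIN for the private key with the same CKA_ID
# syntax: %smartcard[<slot nr>[@<module>]]:<keyid> followed by the PIN or %prompt
: PIN %smartcard:0a1b2c3d "1234"
# alternative: bind to slot 0 of the opensc module and ask for the PIN interactively
# : PIN %smartcard0@opensc:0a1b2c3d %prompt
```

The selector after %smartcard must name the same CKA_ID in leftcert and in the PIN line, otherwise charon finds the certificate but cannot unlock the matching key. A PIN written in clear lives on disk in ipsec.secrets, so that file must remain readable by root only; %prompt avoids storing it at all at the cost of interactive entry when the secrets are read. After starting the daemon, ipsec listcerts shows whether the certificate from the token was actually loaded, which is the first thing to check when authentication fails with a "no private key found" style error.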
The NetworkManager plugin makes using smart cards with IKEv2 even easier.