Tobias Brunner, 25.02.2011 18:02
Some documentation on smart card support in IKEv2
Using smart cards with IKEv2
Since version 4.5.0 a PKCS#11 plugin for libstrongswan is available, which enables support for smart cards in the IKEv2 daemon charon and the ipsec pki tool.
The plugin is enabled with the --enable-pkcs11 configure option.
To use the plugin, the available PKCS#11 modules have to be configured in strongswan.conf.
| Key | Type | Default | Description |
| libstrongswan.plugins.pkcs11.modules | Section | | Lists the available PKCS#11 modules |
| libstrongswan.plugins.pkcs11.modules.<name>.path | String | | Full path to the shared object file of this PKCS#11 module |
| libstrongswan.plugins.pkcs11.modules.<name>.os_locking | Boolean | no | Whether OS locking should be enabled for this module |
| libstrongswan.plugins.pkcs11.use_hasher | Boolean | no | Whether the PKCS#11 modules should be used to hash data |
Example:
libstrongswan {
    # ...
    plugins {
        pkcs11 {
            modules {
                my-xy-module {
                    # full path to the module's shared object
                    path = /path/to/pkcs11/lib.so
                }
            }
        }
    }
}
Certificates stored on smart cards are loaded automatically when the daemon starts. If the PKCS#11 module supports hot-plugging,
they are also reloaded when a token is inserted or removed later. Do not set leftcert=%smartcard in ipsec.conf: charon does not
support that value and loading the connection will fail. Instead, the first loaded certificate matching the leftid parameter is used.
To unlock the private key on the token, the associated PIN has to be specified in ipsec.secrets.
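The three pieces above put together, as an added example that is not part of the original page or the strongSwan distribution: a strongswan.conf with two PKCS#11 modules, an ipsec.conf connection that relies on leftid matching instead of leftcert, and the PIN entry in ipsec.secrets. The module names, library paths, identities, CKA_ID and PIN are made-up placeholders; the `%smartcard:<keyid>` selector is assumed from ipsec.secrets(5) and should be checked against the man page of the installed version.

```conf
# --- /etc/strongswan.conf (excerpt) ---
# Two PKCS#11 modules. The names "opensc" and "softhsm" and the paths are assumptions.
libstrongswan {
    plugins {
        pkcs11 {
            modules {
                opensc {
                    path = /usr/lib/opensc-pkcs11.so
                }
                softhsm {
                    path = /usr/lib/softhsm/libsofthsm.so
                    # enable only if the module needs OS-level locking for thread safety
                    os_locking = yes
                }
            }
            # keep hashing in libstrongswan's software hashers (the default)
            use_hasher = no
        }
    }
}

# --- /etc/ipsec.conf (excerpt) ---
# No leftcert line: charon selects the first loaded certificate that matches leftid.
conn roadwarrior
    keyexchange=ikev2
    left=%defaultroute
    # assumed subject DN of the certificate on the token
    leftid="C=CH, O=strongSwan, CN=carol@strongswan.org"
    leftsourceip=%config
    right=moon.strongswan.org
    rightid="C=CH, O=strongSwan, CN=moon.strongswan.org"
    auto=add

# --- /etc/ipsec.secrets ---
# PIN for the private key whose hexadecimal CKA_ID on the token is 50 (assumed).
# Selector syntax assumed from ipsec.secrets(5): %smartcard[@<module>[:<slot>]]:<keyid>
: PIN %smartcard:50 "1234"
# Same key, but pinned to a specific module and slot (assumed form):
# : PIN %smartcard@opensc:0:50 "1234"
```

After restarting the daemon, `ipsec listcerts` should list the certificate read from the token; if it does not appear, the module path or the token itself is the first thing to check, not the connection. The PIN sits in clear text in ipsec.secrets, so the file must stay readable by root only (mode 0600), exactly as for any other secret stored there.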
NetworkManager makes the use of smart cards with IKEv2 even easier.