Using smart cards with IKEv2
Since version 4.5.0 a PKCS#11 plugin for libstrongswan is available, which enables support for smart cards in the IKEv2 daemon charon and the ipsec pki tool. Version 4.6.0 brought support for ECDSA, DH/ECDH and RNG.
The plugin is enabled with the --enable-pkcs11 configure option.
To use the plugin, the available PKCS#11 modules have to be configured in strongswan.conf.
| Key | Type | Default | Description |
|---|---|---|---|
| libstrongswan.plugins.pkcs11.modules | Section | | This section lists available PKCS#11 modules |
| libstrongswan.plugins.pkcs11.modules.<name>.path | String | | Full path to the shared object file of this PKCS#11 module |
| libstrongswan.plugins.pkcs11.modules.<name>.os_locking | Boolean | no | Whether OS locking should be enabled for this module |
| libstrongswan.plugins.pkcs11.use_dh | Boolean | no | Whether the PKCS#11 modules should be used for DH and ECDH |
| libstrongswan.plugins.pkcs11.use_ecc | Boolean | no | Whether the PKCS#11 modules should be used for ECDH and ECDSA public key operations. ECDSA private keys can be used regardless of this option. |
| libstrongswan.plugins.pkcs11.use_hasher | Boolean | no | Whether the PKCS#11 modules should be used to hash data |
| libstrongswan.plugins.pkcs11.use_pubkey | Boolean | no | Whether the PKCS#11 modules should be used for public key operations, even for keys not stored on tokens |
| libstrongswan.plugins.pkcs11.use_rng | Boolean | no | Whether the PKCS#11 modules should be used as RNG |
Example:

```conf
libstrongswan {
    # ...
    plugins {
        pkcs11 {
            modules {
                my-xy-module {
                    path = /path/to/pkcs11/lib.so
                }
            }
        }
    }
}
```
Certificates stored on smart cards are loaded automatically when the daemon is started. If the PKCS#11 module supports hot-plugging, they are reloaded when a token is inserted or removed later. You don't have to specify leftcert=%smartcard in ipsec.conf (it will actually fail if you do so). Instead, the first certificate matching the leftid parameter is used.
To access the private key you have to specify the associated PIN in ipsec.secrets.
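The following fragments tie the three files together for one token, as an added example that is not part of the original page. The module name, library path, identity and key ID are placeholders; the `: PIN %smartcard...` line follows the ipsec.secrets PIN entry format documented in strongSwan's ipsec.secrets(5), and the slot/module qualifier is only needed when several modules or tokens are configured.

```conf
# strongswan.conf: register one PKCS#11 module; opt in to the token's RNG
# (use_rng) and enable OS locking because charon is multi-threaded.
libstrongswan {
    plugins {
        pkcs11 {
            use_rng = yes
            modules {
                my-xy-module {                  # placeholder module name
                    path = /path/to/pkcs11/lib.so
                    os_locking = yes
                }
            }
        }
    }
}

# ipsec.conf: no leftcert=%smartcard; charon picks the first token
# certificate whose subject (or SAN) matches leftid.
conn smartcard-client
    leftid="C=CH, O=Example, CN=alice@example.org"   # placeholder identity
    leftauth=pubkey
    right=vpn.example.org
    rightid="CN=vpn.example.org"

# ipsec.secrets: PIN for the private key, addressed by its key ID (hex).
# The PIN is stored in cleartext here, so keep this file root-only (0600).
# Form: : PIN %smartcard[<slot>[@<module>]]:<keyid> "<pin>"
: PIN %smartcard0@my-xy-module:ab12cd34 "1234"    # placeholder keyid/PIN
```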
NetworkManager makes the use of smart cards with IKEv2 even easier.