
Feature #815

How to load p12 credential by swanctl?

Added by Kuo-Hsien Liang over 5 years ago. Updated over 5 years ago.

Status: Closed
Priority: Normal
Assignee:
Category: libcharon
Target version:
Start date: 09.01.2015
Due date:
Estimated time:
Resolution: Fixed

Description

Hi all,

I've managed to build and run strongSwan v5.2.1 on Windows 7.
Now I want to connect to a VPN server. All I have is the server name and a p12 file (and its password).

That VPN server works normally, since I can connect to it through another VPN tool named "Shrew".

My first step is trying to load the p12 file with the command: swanctl --load-creds.
I've tried putting the p12 file into all of the swanctl directories (like ecdsa, rsa, ...), but none of them works.
Does somebody know what I've done wrong? Any clue is helpful for me, thanks.

Best Regards.

Attachments: log4_150115.txt (1.38 KB), Kuo-Hsien Liang, 15.01.2015 12:12; log_150119.txt (2.02 KB), Kuo-Hsien Liang, 19.01.2015 08:44

Associated revisions

Revision c7bb1dc3
Added by Martin Willi over 5 years ago

Merge branch 'swanctl-pkcs12'

Add support for loading PKCS#12 containers from a swanctl/pkcs12 directory.

Fixes #815.

History

#1 Updated by Martin Willi over 5 years ago

Hi,

Directly loading PKCS#12 containers is not yet supported by the swanctl backend. We might introduce a pkcs12 folder to load such files in a future release, but it is currently not implemented.

As a work-around, you may extract the certificates/private key and put the individual files into the swanctl credential directories. The pki tool, by the way, introduced support for extracting PKCS#12 containers in 5.2.2.

Regards
Martin

#2 Updated by Kuo-Hsien Liang over 5 years ago

Hi Martin,

Thanks for your suggestion. I just extracted it into x509.pem, x509ca.pem and rsa.pem, and put them into the respective directories.
Now I can run "swanctl --load-creds" and "swanctl --load-conns" with no problem.

But when I run "swanctl --initiate --child child_001", there is no "received packet" after "sending packet"...
In the log file I attached, there is a kernel error code 0x00003601, which MSDN says is "No policy configured".
I've tried most of the configurable values like IPsec Mode, esp_proposals, ah_proposals, etc., but still keep receiving the same error code.
Could you help me out again? Thank you.

Here is my latest swanctl.conf:

connections {
    conn_001 {
        remote_addrs = alpha.consumervpn.XXXXX.com
        local_001 {
            id = myid_local001
            auth = pubkey
            certs = x509.pem
        }
        remote_001 {
            id = myid_remote001
            auth = pubkey
            cacerts = x509ca.pem
        }
        children {
            child_001 {
                mode = tunnel
                tfc_padding = mtu
                start_action = none
                rekey_time = 10m
            }
        }
        version = 0
        reauth_time = 60m
        rekey_time = 20m
    }
}
secrets {
    rsa_001 {
        file = rsa.pem
        secret = XXXX
    }
}
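
The extraction step from comment #1, producing exactly the three files and swanctl directories used in the configuration above, as an added example that is not strongSwan project code. It uses openssl instead of the pki tool (pki --pkcs12 in 5.2.2 and later does the same job) and assumes openssl is on PATH, the client key is RSA, and a writable swanctl base directory is passed as the third argument. It also checks that the extracted key actually belongs to the extracted certificate, which is the first thing to verify before debugging an AUTHENTICATION_FAILED.

```shell
#!/bin/sh
# Added example, not strongSwan code: split a PKCS#12 container into the
# separate PEM files the swanctl credential directories expect, then verify
# that the extracted private key belongs to the extracted certificate.
# Assumptions: openssl on PATH, an RSA client key (as in this ticket), and a
# writable swanctl base directory given as the third argument, e.g.
#   extract_p12 client.p12 'p12 password' /etc/swanctl
# Resulting layout, matching the swanctl.conf in comment #2:
#   x509/x509.pem      client certificate   -> certs = x509.pem
#   x509ca/x509ca.pem  CA certificate(s)    -> cacerts = x509ca.pem
#   rsa/rsa.pem        private key          -> secrets { rsa_001 { file = rsa.pem } }
set -eu

# openssl pkcs12 prefixes each PEM block with "Bag Attributes" lines; keep only
# the BEGIN..END blocks so the files contain nothing but PEM.
pem_only() {
    sed -n '/^-----BEGIN/,/^-----END/p'
}

extract_p12() {
    p12=$1
    pass=$2
    out=$3
    mkdir -p "$out/x509" "$out/x509ca" "$out/rsa"
    # -clcerts: only the certificate matching the private key, no key material
    certs=$(openssl pkcs12 -in "$p12" -passin "pass:$pass" -clcerts -nokeys)
    printf '%s\n' "$certs" | pem_only > "$out/x509/x509.pem"
    # -cacerts: every other certificate in the container (the CA chain)
    cacerts=$(openssl pkcs12 -in "$p12" -passin "pass:$pass" -cacerts -nokeys)
    printf '%s\n' "$cacerts" | pem_only > "$out/x509ca/x509ca.pem"
    # -nodes: write the key without a passphrase (swanctl can also take one via
    # the secrets section); create the file readable by its owner only
    key=$(openssl pkcs12 -in "$p12" -passin "pass:$pass" -nocerts -nodes)
    ( umask 077; printf '%s\n' "$key" | pem_only > "$out/rsa/rsa.pem" )
    unset key
}

# The public key inside the certificate must equal the one derived from the
# private key; otherwise the pair cannot be used for auth = pubkey.
key_matches_cert() {
    certpub=$(openssl x509 -in "$1" -noout -pubkey)
    keypub=$(openssl pkey -in "$2" -pubout)
    [ "$certpub" = "$keypub" ]
}
```

Run it against the real p12 and then point certs, cacerts and file in swanctl.conf at the generated names; if key_matches_cert fails, the container held a different key/certificate pair than expected.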

#3 Updated by Martin Willi over 5 years ago

Please open a separate ticket for a new issue or use the mailing list for questions, thanks.

> But when I run "swanctl --initiate --child child_001", there is no "received packet" after "sending packet"...

If the IKE message gets dropped by kernel, most likely the IKE bypass policy does not work as expected. Maybe you should try to skip the --install command if you --initiate anyway.

#4 Updated by Kuo-Hsien Liang over 5 years ago

Hi Martin,

Thanks for your update. Actually, I've tried with and without "swanctl --install", but both get the same error...

However, I just tried the same binary on another PC of mine, and it got a totally different result, as in the attached log.
This time there are packets received, but at the end it says "received AUTHENTICATION_FAILED notify error".

So I suppose my original issue should be caused by my system's environment settings; maybe we can postpone it for now.

But for the second issue, I suppose it should be caused by an incorrect swanctl.conf setting?
May I ask for a clue for this kind of error? Thanks again.
Regards
Clare

#5 Updated by Martin Willi over 5 years ago

  • Tracker changed from Issue to Feature
  • Category set to libcharon
  • Status changed from New to Closed
  • Assignee set to Martin Willi
  • Target version set to 5.3.0
  • Resolution set to Fixed

With the referenced merge, swanctl supports loading PKCS#12 containers from the swanctl/pkcs12 directory.
