Feature #815

How to load p12 credential by swanctl?

Added by Kuo-Hsien Liang over 7 years ago. Updated over 7 years ago.



Hi all,

I've managed to build and run strongSwan v5.2.1 in Windows 7.
Now I want to connect to a VPN server. All I have is the server name and a p12 file (and its password).

That VPN server is working normally, since I can connect to it through another VPN tool named "Shrew".

My first step is trying to load the p12 file with the command: swanctl --load-creds.
I've tried putting the p12 file into all of the swanctl directories (like ecdsa, rsa,...), but none of them work.
Does somebody know what I've done wrong? Any clue is helpful for me, thanks.

Best Regards.

Attachments:
log4_150115.txt (1.38 KB), Kuo-Hsien Liang, 15.01.2015 12:12
log_150119.txt (2.02 KB), Kuo-Hsien Liang, 19.01.2015 08:44

Associated revisions

Revision c7bb1dc3
Added by Martin Willi over 7 years ago

Merge branch 'swanctl-pkcs12'

Add support for loading PKCS#12 containers from a swanctl/pkcs12 directory.

Fixes #815.


#1 Updated by Martin Willi over 7 years ago


Directly loading PKCS#12 containers is not yet supported by the swanctl backend. We might introduce a pkcs12 folder to load such files in a future release, but it is currently not implemented.

As a work-around, you may extract the certificates/private key and put individual files to the swanctl credential directories. The pki tool, by the way, introduced support for extracting PKCS#12 containers in 5.2.2.
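
The work-around described in comment #1, as an added example that is not part of the original thread and not strongSwan's own tooling: it splits a PKCS#12 container into per-type PEM files with the openssl CLI and checks that the key matches the certificate. Assumptions: a POSIX shell with openssl installed, the container password supplied in the P12_PASS environment variable, a single RSA key in the container, and the file names x509.pem, x509ca.pem and rsa.pem used elsewhere in this thread.

```shell
#!/bin/sh
# Added example (not from the thread). split_p12 and P12_PASS are
# hypothetical names chosen for this illustration.
split_p12() {
    p12=$1      # path to the .p12 file
    base=$2     # swanctl base directory, e.g. /etc/swanctl
    (
        umask 077   # new files, including the private key, are owner-only
        mkdir -p "$base/x509" "$base/x509ca" "$base/rsa" || exit 1

        # End-entity certificate; "openssl x509" drops the bag attribute text.
        openssl pkcs12 -in "$p12" -passin env:P12_PASS -clcerts -nokeys |
            openssl x509 -out "$base/x509/x509.pem" || exit 1

        # CA certificate(s); a container may carry none.
        openssl pkcs12 -in "$p12" -passin env:P12_PASS -cacerts -nokeys \
            > "$base/x509ca/x509ca.pem" || exit 1
        [ -s "$base/x509ca/x509ca.pem" ] || rm -f "$base/x509ca/x509ca.pem"

        # Private key, written unencrypted (-nodes), so only the file
        # permissions set by umask above protect it.
        openssl pkcs12 -in "$p12" -passin env:P12_PASS -nocerts -nodes |
            openssl pkey -out "$base/rsa/rsa.pem" || exit 1

        # Sanity check: the extracted key must belong to the certificate.
        cert_pub=$(openssl x509 -in "$base/x509/x509.pem" -noout -pubkey)
        key_pub=$(openssl pkey -in "$base/rsa/rsa.pem" -pubout)
        [ "$cert_pub" = "$key_pub" ] || { echo "key/cert mismatch" >&2; exit 1; }
    )
}
```

Passing the password through the environment keeps it out of the process argument list; because the key is stored unencrypted here, no passphrase entry is needed for it in swanctl.conf.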


#2 Updated by Kuo-Hsien Liang over 7 years ago

Hi Martin,

Thanks for your suggestion. I just extracted it into x509.pem, x509ca.pem and rsa.pem, and put them into the relative directories.
Now I can run "swanctl --load-creds" and "swanctl --load-conns" with no problem.

But when I run "swanctl --initiate --child child_001", there is no "received package" after "sending packet"...
In the log file I attached, there is a kernel error code 0x00003601, which MSDN says is "No policy configured".
I've tried most of the configurable values like IPsec Mode, esp_proposals, ah_proposals, etc., but I still keep receiving the same error code.
Could you help me out again? Thank you.

Here is my latest swanctl.conf:
    connections {
        conn_001 {
            remote_addrs =
            local_001 {
                id = myid_local001
                auth = pubkey
                certs = x509.pem
            }
            remote_001 {
                id = myid_remote001
                auth = pubkey
                cacerts = x509ca.pem
            }
            children {
                child_001 {
                    mode = tunnel
                    tfc_padding = mtu
                    start_action = none
                    rekey_time = 10m
                }
            }
            version = 0
            reauth_time = 60m
            rekey_time = 20m
        }
    }
    secrets {
        rsa_001 {
            file = rsa.pem
            secret = XXXX
        }
    }

#3 Updated by Martin Willi over 7 years ago

Please open a separate ticket for a new issue or use the mailing list for questions, thanks.

> But when I run "swanctl --initiate --child child_001", there is no "received package" after "sending packet"...

If the IKE message gets dropped by the kernel, most likely the IKE bypass policy does not work as expected. Maybe you should try to skip the --install command if you --initiate anyway.

#4 Updated by Kuo-Hsien Liang over 7 years ago

Hi Martin,

Thanks for your update. Actually I've tried with or without "swanctl --install", but both get the same error...

However, I just tried the same binary on another PC of mine, and it got a totally different result, as shown in the attached log.
This time there is a packet received, but at the end it says "received AUTHENTICATION_FAILED notify error".

So I suppose my original issue should be caused by my system's environment setting, maybe we can postpone it for now.

But for the second issue, I suppose it should be caused by an incorrect swanctl.conf setting?
May I ask for a clue for this kind of error? Thanks again.

#5 Updated by Martin Willi over 7 years ago

  • Tracker changed from Issue to Feature
  • Category set to libcharon
  • Status changed from New to Closed
  • Assignee set to Martin Willi
  • Target version set to 5.3.0
  • Resolution set to Fixed

With the referenced merge, swanctl supports loading PKCS#12 containers from the swanctl/pkcs12 directory.
