
Issue #845

Problem with StrongSwan (5.1.2) and USB eToken Aladdin

Added by Michal Tabacek almost 6 years ago. Updated over 4 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
libstrongswan
Affected version:
5.1.2
Resolution:
No change required

Description

Hi,
I have a problem with an Aladdin eToken PRO and StrongSwan. The eToken PRO works fine with other applications (XCA and others) but not with StrongSwan. I have StrongSwan 5.1.2 and Ubuntu 14.04 64-bit.
I think that the configuration in ipsec.conf and ipsec.secret is OK. I have installed opensc, openct, pcscd, libccid, libpcsclite1, pcsc-tools and pkiclient for eToken (libeTPkcs11.so).
I use the module libeTPkcs11.so. I initialized the token with XCA and pkcs11-tool.
When I want to run ipsec, every time there is an error in finding the key and certificate (no PKCS#11 module found having a keyid 78:ce:d5:5d:d8:d5:cb:64), but the KeyID is correct.
I also tried to initialize the token with pkcs15-init and store the key and certificate, but the result is the same. I don't know where the problem is, when the token works correctly with other applications.
I attach configuration files and listings. In strongswan.conf I load all plugins.

/etc/ipsec.conf

conn %default
    ikelifetime=60m
    keylife=20m
    keyingtries=1
    keyexchange=ikev2

conn host-host-tunnel
    left=192.168.1.102
    leftcert=%smartcard:78ced55dd8d5cb64 #leftcert=%smartcard0@pkiclient:78ced55dd8d5cb64
    #leftid=client-klientTest
    leftfirewall=no
    right=192.168.1.105
    rightsubnet=20.1.0.0/24
    rightid=server

/etc/ipsec.secret
: PIN %smartcard:78ced55dd8d5cb64 "123456" #leftcert=%smartcard0@pkiclient:78ced55dd8d5cb64

strongswan.d/charon/pkcs11.conf
pkcs11 {
    modules {
        pkiclient {
            path = /usr/lib64/libeTPkcs11.so
        }
    }
}

I tried to use the opensc module as well, but the result is the same as with libeTPkcs11.so.
opensc {
    path = /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
}

Certificate and keys on token:
Using slot 0 with a present token (0x0)
Public Key Object; RSA 2048 bits
label: client-klientTest
ID: 78ced55dd8d5cb64
Usage: encrypt, verify, wrap
Private Key Object; RSA
label: client-klientTest
ID: 78ced55dd8d5cb64
Usage: decrypt, sign, unwrap
Certificate Object, type = X.509 cert
label: client-klientTest
ID: 78ced55dd8d5cb64

root@ubuntu2:/etc# ipsec restart --nofork
Stopping strongSwan IPsec failed: starter is not running
Starting strongSwan 5.1.2 IPsec [starter]...
00[DMN] Starting IKE charon daemon (strongSwan 5.1.2, Linux 3.13.0-32-generic, x86_64)
00[CFG] loaded PKCS#11 v2.1 library 'pkiclient' (/usr/lib64/libeTPkcs11.so)
00[CFG] Aladdin Ltd.: eToken PKCS#11 v5.0
00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
00[CFG] loaded ca certificate "C=CZ, ST=NA, L=Ostrava, O=TEST, OU=VS, CN=TEST CA, N=EasyRSA, E=me@myhost.mydomain" from '/etc/ipsec.d/cacerts/ca.crt'
00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
00[CFG] loading crls from '/etc/ipsec.d/crls'
00[CFG] loading secrets from '/etc/ipsec.secrets'
00[CFG] no PKCS#11 module found having a keyid 78:ce:d5:5d:d8:d5:cb:64
00[LIB] building CRED_PRIVATE_KEY - ANY failed, tried 4 builders
00[LIB] loaded plugins: charon test-vectors pkcs11 aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem openssl xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default stroke updown eap-identity addrblock
00[LIB] unable to load 5 plugin features (5 due to unmet dependencies)
00[LIB] dropped capabilities, running as uid 0, gid 0
00[JOB] spawning 16 worker threads
charon (4363) started after 40 ms
12[CFG] received stroke: add connection 'host-host-tunnel'
12[CFG] PKCS#11 certificate 78:ce:d5:5d:d8:d5:cb:64 not found
12[LIB] building CRED_CERTIFICATE - X509 failed, tried 5 builders
12[CFG] loading certificate from '%smartcard:78ced55dd8d5cb64' failed
12[CFG] added configuration 'host-host-tunnel'

root@ubuntu2:/etc# ipsec up host-host-tunnel
initiating IKE_SA host-host-tunnel[1] to 192.168.1.105
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 192.168.1.102[500] to 192.168.1.105[500] (1212 bytes)
received packet: from 192.168.1.105[500] to 192.168.1.102[500] (465 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
received cert request for "C=CZ, ST=NA, L=Ostrava, O=TEST, OU=VS, CN=TEST CA, N=EasyRSA, E=me@myhost.mydomain"
sending cert request for "C=CZ, ST=NA, L=Ostrava, O=TEST, OU=VS, CN=TEST CA, N=EasyRSA, E=me@myhost.mydomain"
no private key found for 'client-klientTest'
establishing connection 'host-host-tunnel' failed

Thank you for response


Related issues

Related to Feature #490: charon-nm fails to find private key if CKA_ID doesn't match the x509 subject key id (Closed, 16.01.2014)

History

#1 Updated by Martin Willi almost 6 years ago

  • Status changed from New to Feedback
  • Assignee set to Martin Willi

Hi,

there is an error in finding the key and certificate (no PKCS#11 module found having a keyid 78:ce:d5:5d:d8:d5:cb:64), but KeyID is correct.

00[CFG] loaded PKCS#11 v2.1 library 'pkiclient' (/usr/lib64/libeTPkcs11.so)
00[CFG] Aladdin Ltd.: eToken PKCS#11 v5.0

While the PKCS#11 library is loaded successfully, it seems that strongSwan does not find any slots or tokens in it. These should be found dynamically without further configuration, and here it looks something like:

00[CFG] loaded PKCS#11 v2.20 library 'suisseid' (/usr/lib/libcvP11.so)
00[CFG]   cv cryptovision GmbH: cv PKCS#11 module v5.1
00[CFG]   found token in slot 'suisseid':1 (ACS ACR38U-CCID 00 00)
00[CFG]     SwissSignID (SwissSign: CardOS V4.3B)

Most likely C_GetSlotList returns zero; try to add some debug statements to the get_slot_list() function. Also, you may try to use FALSE as the first parameter to each C_GetSlotList invocation to see if that changes anything.

Regards
Martin

#2 Updated by Michal Tabacek almost 6 years ago

Hi,
thank you for your response.

While the PKCS#11 library is loaded successfully, it seems that strongSwan does not find any slots or tokens in it. These should be found dynamically without further configuration, and here it looks something like:

00[CFG] loaded PKCS#11 v2.20 library 'suisseid' (/usr/lib/libcvP11.so)
00[CFG]   cv cryptovision GmbH: cv PKCS#11 module v5.1
00[CFG]   found token in slot 'suisseid':1 (ACS ACR38U-CCID 00 00)
00[CFG]     SwissSignID (SwissSign: CardOS V4.3B)

I finally achieved something like this and the token was found dynamically. But it is interesting: when I use apt-get install strongswan and strongswan-plugin-pkcs11 on Ubuntu, the token is not found. When I compile strongswan 5.1.2 myself from source code, there is no problem and the token is found dynamically.
I attach the listings.

root@ubuntu2:/etc# ipsec restart --nofork
Stopping strongSwan IPsec...
Starting strongSwan 5.1.2 IPsec [starter]...
00[DMN] Starting IKE charon daemon (strongSwan 5.1.2, Linux 3.13.0-45-generic, x86_64)
00[CFG] loaded PKCS#11 v2.20 library 'opensc' (/usr/lib/opensc-pkcs11.so)
00[CFG]   OpenSC (www.opensc-project.org): Smart card PKCS#11 API v0.0
00[CFG]   found token in slot 'opensc':1 (Aladdin eToken PRO 64 00 00)
00[CFG]     OpenSC Card (Michal) (OpenSC Project: PKCS#15)
00[LIB] building CRED_CERTIFICATE - X509 failed, tried 2 builders
00[CFG]     loading cert 'Certificate' failed
00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
00[CFG]   loaded ca certificate "C=CZ, ST=NA, L=Ostrava, O=TEST, OU=VS, CN=TEST CA, N=EasyRSA, E=me@myhost.mydomain" from '/usr/local/etc/ipsec.d/cacerts/ca.crt'
00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
00[CFG] found key on PKCS#11 token 'opensc':1
00[CFG]   loaded private key from %smartcard:fd7f61b4c6a4158c885148971ce54898428f0f32
00[LIB] loaded plugins: charon pkcs11 aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic
00[LIB] unable to load 6 plugin features (6 due to unmet dependencies)
00[JOB] spawning 16 worker threads
06[CFG] module 'opensc' does not support hot-plugging, cancelled
charon (45319) started after 2800 ms
04[CFG] received stroke: add connection 'host-host-tunnel'
04[CFG]   loaded certificate "C=CZ, ST=NA, L=Ostrava, O=TEST, OU=VS, CN=client-klientTest, N=EasyRSA, E=me@myhost.mydomain" from '%smartcard:fd7f61b4c6a4158c885148971ce54898428f0f32'
04[CFG] added configuration 'host-host-tunnel'
root@ubuntu2:/etc# ipsec up host-host-tunnel
initiating IKE_SA host-host-tunnel[1] to 192.168.1.104
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 192.168.1.109[500] to 192.168.1.104[500] (708 bytes)
received packet: from 192.168.1.104[500] to 192.168.1.109[500] (465 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
received cert request for "C=CZ, ST=NA, L=Ostrava, O=TEST, OU=VS, CN=TEST CA, N=EasyRSA, E=me@myhost.mydomain" 
sending cert request for "C=CZ, ST=NA, L=Ostrava, O=TEST, OU=VS, CN=TEST CA, N=EasyRSA, E=me@myhost.mydomain" 
authentication of 'client-klientTest' (myself) with RSA signature successful
sending end entity cert "C=CZ, ST=NA, L=Ostrava, O=TEST, OU=VS, CN=client-klientTest, N=EasyRSA, E=me@myhost.mydomain" 
establishing CHILD_SA host-host-tunnel
generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
sending packet: from 192.168.1.109[4500] to 192.168.1.104[4500] (2012 bytes)
received packet: from 192.168.1.104[4500] to 192.168.1.109[4500] (1820 bytes)
parsed IKE_AUTH response 1 [ IDr CERT AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) ]
received end entity cert "C=CZ, ST=NA, L=Ostrava, O=TEST, OU=VS, CN=server, N=EasyRSA, E=me@myhost.mydomain" 
  using certificate "C=CZ, ST=NA, L=Ostrava, O=TEST, OU=VS, CN=server, N=EasyRSA, E=me@myhost.mydomain" 
  using trusted ca certificate "C=CZ, ST=NA, L=Ostrava, O=TEST, OU=VS, CN=TEST CA, N=EasyRSA, E=me@myhost.mydomain" 
checking certificate status of "C=CZ, ST=NA, L=Ostrava, O=TEST, OU=VS, CN=server, N=EasyRSA, E=me@myhost.mydomain" 
certificate status is not available
  reached self-signed root ca with a path length of 0
authentication of 'server' with RSA signature successful
IKE_SA host-host-tunnel[1] established between 192.168.1.109[client-klientTest]...192.168.1.104[server]
scheduling reauthentication in 2573s
maximum IKE_SA lifetime 3113s
connection 'host-host-tunnel' established successfully

I also tried StrongSwan 5.2.2 compiled myself, and when I use ipsec restart I have this problem.... charon has died -- restart scheduled (5sec), charon refused to be started. I looked on the internet, but I can't find the right solution. I am interested in what causes it.

root@ubuntu3:/etc# ipsec restart --nofork
Stopping strongSwan IPsec failed: starter is not running
Starting strongSwan 5.2.2 IPsec [starter]...
00[DMN] Starting IKE charon daemon (strongSwan 5.2.2, Linux 3.13.0-45-generic, x86_64)
00[CFG] loaded PKCS#11 v2.20 library 'opensc' (/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so)
00[CFG]   OpenSC (www.opensc-project.org): Smart card PKCS#11 API v0.0
charon has died -- restart scheduled (5sec)
charon refused to be started
....

Most likely C_GetSlotList returns zero; try to add some debug statements to the get_slot_list() function. Also, you may try to use FALSE as the first parameter to each C_GetSlotList invocation to see if that changes anything.

If I understand correctly, I should change the parameter to FALSE in the source code for compilation.

Thank you for response
Regards
Michal

#3 Updated by Christian R. almost 6 years ago

Hey guys,

I'm having the same problem with strongswan on XUbuntu 14.04.1 and an Athena IDProtect v2 as roadwarrior with charon-nm. The smartcard is working in Firefox as it should. The middleware is installed and working nicely.
I tried strongswan via "apt-get", and 5.0.0, 5.1.2, 5.2.2 from source. I also tried to set the first argument of C_GetSlotList to FALSE.

These are my compile options:

strongswan
./configure --sysconfdir=/etc --prefix=/usr --libexecdir=/usr/lib --disable-aes --disable-des --disable-md5 --disable-sha1 --disable-sha2 --disable-fips-prf --disable-gmp --enable-openssl --enable-nm --enable-agent --enable-eap-gtc --enable-eap-md5 --enable-eap-mschapv2 --enable-eap-identity --enable-pkcs11

networkManager-plugin (1.3.1)
./configure --sysconfdir=/etc --prefix=/usr --libexecdir=/usr/lib/NetworkManager --with-charon=/usr/lib/ipsec/charon-nm

I use the default config expanded with

/etc/strongswan.conf

...
libstrongswan {
    plugins {
        pkcs11 {
            modules {
                athena {
                    path = /lib/libASEP11.so
                }
            }
        }
    }
}

/etc/strongswan.d/charon/pkcs11.conf

...
    modules {
        athena {
            path = /lib/libASEP11.so
        }
    }
...

When starting the VPN with the network-manager, smartcard is accessed (blinking) and PIN is requested. But it fails on getting the key.

syslog

Feb 12 14:37:26 mobil-1 NetworkManager[753]: <info> Starting VPN service 'strongswan'...
Feb 12 14:37:26 mobil-1 NetworkManager[753]: <info> VPN service 'strongswan' started (org.freedesktop.NetworkManager.strongswan), PID 3177
Feb 12 14:37:26 mobil-1 charon-nm: 00[DMN] Starting charon NetworkManager backend (strongSwan 5.2.2)
Feb 12 14:37:27 mobil-1 charon-nm: 00[CFG] loaded PKCS#11 v2.20 library 'athena' (/lib/libASEP11.so)
Feb 12 14:37:27 mobil-1 charon-nm: 00[CFG]   Athena Smartcard Solutions: ASE Cryptoki v3.1
Feb 12 14:37:27 mobil-1 charon-nm: 00[CFG]   uses OS locking functions
Feb 12 14:37:27 mobil-1 charon-nm: 00[CFG]   found token in slot 'athena':0 (Athena IDProtect Key v2 [Main Interface] 00 00)
Feb 12 14:37:27 mobil-1 charon-nm: 00[CFG]     <CARDNAME> (Athena Smartcard Solutions: IDProtect)
Feb 12 14:37:27 mobil-1 charon-nm: 00[LIB] created TUN device: tun0
Feb 12 14:37:27 mobil-1 NetworkManager[753]:    SCPlugin-Ifupdown: devices added (path: /sys/devices/virtual/net/tun0, iface: tun0)
Feb 12 14:37:27 mobil-1 NetworkManager[753]:    SCPlugin-Ifupdown: device added (path: /sys/devices/virtual/net/tun0, iface: tun0): no ifupdown configuration found.
Feb 12 14:37:27 mobil-1 NetworkManager[753]: <warn> /sys/devices/virtual/net/tun0: couldn't determine device driver; ignoring...
Feb 12 14:37:27 mobil-1 NetworkManager[753]: <info> VPN service 'strongswan' appeared; activating connections
Feb 12 14:37:27 mobil-1 charon-nm: 00[CFG]     loaded untrusted cert '<CLIENT-CERT ON SMARTCARD>'
Feb 12 14:37:27 mobil-1 charon-nm: 00[CFG]     loaded untrusted cert '<CA-CERT>'
Feb 12 14:37:27 mobil-1 charon-nm: 00[LIB] loaded plugins: nm-backend charon-nm pkcs11 rc2 random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 sshkey pem openssl agent xcbc cmac hmac kernel-netlink socket-default eap-identity eap-md5 eap-gtc eap-mschapv2
Feb 12 14:37:27 mobil-1 charon-nm: 00[LIB] unable to load 5 plugin features (5 due to unmet dependencies)
Feb 12 14:37:27 mobil-1 charon-nm: 00[JOB] spawning 16 worker threads
Feb 12 14:37:31 mobil-1 NetworkManager[753]: <info> VPN plugin state changed: starting (3)
Feb 12 14:37:31 mobil-1 charon-nm: 06[CFG] received initiate for NetworkManager connection swan
Feb 12 14:37:31 mobil-1 charon-nm: 06[CFG] using CA certificate, gateway identity '<VPN GATEWAY URL>'
Feb 12 14:37:31 mobil-1 charon-nm: 06[CFG] no PKCS#11 module found having a keyid 12:c6:84:ad:b7:7a:ad:f1:3a:a1:3d:2b:27:62:97:0b:16:c5:44:4b
Feb 12 14:37:31 mobil-1 charon-nm: 06[LIB] building CRED_PRIVATE_KEY - ANY failed, tried 5 builders
Feb 12 14:37:31 mobil-1 NetworkManager[753]: <info> VPN connection 'swan' (Connect) reply received.
Feb 12 14:37:31 mobil-1 NetworkManager[753]: <warn> VPN connection 'swan' failed to connect: 'no usable smartcard certificate found.'.
Feb 12 14:37:31 mobil-1 NetworkManager[753]: <info> Policy set 'Kabelnetzwerkverbindung 1' (eth0) as default for IPv4 routing and DNS.
Feb 12 14:37:31 mobil-1 NetworkManager[753]: <warn> error disconnecting VPN: Could not process the request because no VPN connection was active.
Feb 12 14:37:36 mobil-1 charon-nm: 00[DMN] signal of type SIGTERM received. Shutting down
Feb 12 14:37:37 mobil-1 NetworkManager[753]:    SCPlugin-Ifupdown: devices removed (path: /sys/devices/virtual/net/tun0, iface: tun0)
Feb 12 14:37:37 mobil-1 NetworkManager[753]: <warn> VPN service 'strongswan' died with signal 6
Feb 12 14:37:37 mobil-1 NetworkManager[753]: <info> VPN service 'strongswan' disappeared

[replaced some things with <...>, because they are too specific]

Did I miss something in the config?
(I know, that the smartcard is not officially supported, but charon seems to get it via the libASEP11.so)

#4 Updated by Tobias Brunner almost 6 years ago

Feb 12 14:37:31 mobil-1 charon-nm: 06[CFG] no PKCS#11 module found having a keyid 12:c6:84:ad:b7:7a:ad:f1:3a:a1:3d:2b:27:62:97:0b:16:c5:44:4b

As described on NetworkManager the CKA_ID of the private key has to match the subjectKeyIdentifier (or a hash of the subjectPublicKey) of the certificate. If that's not the case the NM plugin can't work with the credentials on your token. You may try strongSwan from the command line for more flexibility in defining keys (see PKCS11Plugin).

#5 Updated by Christian R. almost 6 years ago

Tobias Brunner wrote:

[...]

As described on NetworkManager the CKA_ID of the private key has to match the subjectKeyIdentifier (or a hash of the subjectPublicKey) of the certificate. If that's not the case the NM plugin can't work with the credentials on your token. You may try strongSwan from the command line for more flexibility in defining keys (see PKCS11Plugin).

This seems to be the part where I fail... How do I get or set the CKA_ID of the private key? (any hint would be very helpful)

OK, forget what I asked... I can modify the CKA_ID with the middleware. Now my CKA_ID is the subjectKeyIdentifier without the ":" (they seem not to be allowed). But it also doesn't work. Will try a bit further and report back...

#6 Updated by Tobias Brunner almost 6 years ago

As described on NetworkManager the CKA_ID of the private key has to match the subjectKeyIdentifier (or a hash of the subjectPublicKey) of the certificate. If that's not the case the NM plugin can't work with the credentials on your token. You may try strongSwan from the command line for more flexibility in defining keys (see PKCS11Plugin).

This seems to be the part where I fail... How do I get or set the CKA_ID of the private key? (any hint would be very helpful)

You can see the IDs with e.g. pkcs15-tool --dump (or --list-keys to only list private keys).

If you use pkcs15-init to load your private key onto the token (--store-private-key) you can add the --id option to set the ID (e.g. --id 12c684adb77aadf13aa13d2b2762970b16c5444b to match your certificate, you can determine the subjectKeyId via pki --print).

I don't think pkcs15-init can change the ID but it's possible to do so with pkcs11-tool, in your case:

pkcs11-tool --module /lib/libASEP11.so --login --type privkey --id <old ID> --set-id 12c684adb77aadf13aa13d2b2762970b16c5444b

#7 Updated by Michal Tabacek almost 6 years ago

Hi,
I have a problem with the strongswan (5.1.2) network manager plugin (1.3.1). My connection with the USB eToken from the command line is established successfully, as I wrote in the last post. But when I try to establish a VPN connection with the network manager plugin, it does not work.
And Ubuntu shows an information window with this text .... The VPN connection "xxxxx" failed because it failed to start service vpn.
I installed strongswan and the network manager plugin with this tutorial https://wiki.strongswan.org/projects/strongswan/wiki/NetworkManager#Smart-card-requirements
I read the smart card requirements and I think that everything is OK: private, public key and certificate have the same ID. The certificate has the TLS Client Auth extended key usage, and the public key is readable without login.

syslog
It seems that the manager does not want to load the PKCS11 module. I don't know where the problem is.

Feb 16 19:45:25 ubuntu4 NetworkManager[903]: <info> Starting VPN service 'strongswan'...
Feb 16 19:45:25 ubuntu4 NetworkManager[903]: <info> VPN service 'strongswan' started (org.freedesktop.NetworkManager.strongswan), PID 2962
Feb 16 19:45:25 ubuntu4 charon-nm: 00[DMN] Starting charon NetworkManager backend (strongSwan 5.1.2)
Feb 16 19:45:25 ubuntu4 NetworkManager[903]:    SCPlugin-Ifupdown: devices added (path: /sys/devices/virtual/net/tun0, iface: tun0)
Feb 16 19:45:25 ubuntu4 NetworkManager[903]:    SCPlugin-Ifupdown: device added (path: /sys/devices/virtual/net/tun0, iface: tun0): no ifupdown configuration found.
Feb 16 19:45:25 ubuntu4 NetworkManager[903]: <warn> /sys/devices/virtual/net/tun0: couldn't determine device driver; ignoring...
Feb 16 19:45:25 ubuntu4 charon-nm: 00[LIB] created TUN device: tun0
Feb 16 19:45:25 ubuntu4 NetworkManager[903]: <info> VPN service 'strongswan' appeared; activating connections
Feb 16 19:45:25 ubuntu4 charon-nm: 00[LIB] loaded plugins: nm-backend charon-nm pkcs11 aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 sshkey pem openssl fips-prf gmp xcbc cmac hmac ctr ccm gcm kernel-netlink socket-default eap-identity
Feb 16 19:45:25 ubuntu4 NetworkManager[903]: <info> VPN plugin state changed: init (1)
Feb 16 19:45:25 ubuntu4 charon-nm: 00[LIB] unable to load 5 plugin features (5 due to unmet dependencies)
Feb 16 19:45:25 ubuntu4 charon-nm: 00[LIB] dropped capabilities, running as uid 0, gid 0
Feb 16 19:45:25 ubuntu4 charon-nm: 00[JOB] spawning 16 worker threads

Feb 16 19:45:31 ubuntu4 charon-nm: 06[CFG] received initiate for NetworkManager connection strongswan
Feb 16 19:45:31 ubuntu4 charon-nm: 06[CFG] using gateway certificate, identity 'C=CZ, ST=NA, L=Ostrava, O=TEST, OU=VS, CN=server, N=EasyRSA, E=me@myhost.mydomain'
Feb 16 19:45:31 ubuntu4 NetworkManager[903]: <info> VPN plugin state changed: starting (3)
Feb 16 19:45:31 ubuntu4 NetworkManager[903]: <info> VPN connection 'strongswan' (Connect) reply received.
Feb 16 19:45:31 ubuntu4 NetworkManager[903]: <warn> VPN connection 'strongswan' failed to connect: 'no usable smartcard certificate found.'.
Feb 16 19:45:31 ubuntu4 NetworkManager[903]: <info> Policy set 'strongswan' (eth0) as default for IPv4 routing and DNS.
Feb 16 19:45:31 ubuntu4 NetworkManager[903]: <warn> error disconnecting VPN: Could not process the request because no VPN connection was active.

Feb 16 19:45:37 ubuntu4 charon-nm: 00[DMN] signal of type SIGTERM received. Shutting down
Feb 16 19:45:37 ubuntu4 NetworkManager[903]:    SCPlugin-Ifupdown: devices removed (path: /sys/devices/virtual/net/tun0, iface: tun0)
Feb 16 19:45:37 ubuntu4 NetworkManager[903]: <info> VPN service 'strongswan' disappeared

Thank you for response
Michal

#8 Updated by Tobias Brunner almost 6 years ago

private, public key and certificate have the same ID

Just to clarify the same ID is not enough, the ID must actually match the subjectKeyIdentifier of the certificate (or a hash of the subjectPublicKey). ipsec --print can show you this identifier.

It seems that the manager does not want to load the PKCS11 module.

How did you configure the module? If you used the charon.plugins.pkcs11.modules section in strongswan.conf that won't work for the NM plugin. The daemon there is called charon-nm so you'll have to use charon-nm.plugins.pkcs11.modules. Alternatively, you can define the modules in libstrongswan.plugins.pkcs11.modules so the settings apply to both daemons.

#9 Updated by Christian R. almost 6 years ago

Tobias Brunner wrote:

You can see the IDs with e.g. pkcs15-tool --dump (or --list-keys to only list private keys).

If you use pkcs15-init to load your private key onto the token (--store-private-key) you can add the --id option to set the ID (e.g. --id 12c684adb77aadf13aa13d2b2762970b16c5444b to match your certificate, you can determine the subjectKeyId via pki --print).
...

Thank you very much for your effort. I'm one step closer to the solution. For "debugging" I now use the normal charon daemon without NM.

Nevertheless, this is driving me nuts... I need to set the ID in ipsec.secret and ipsec.conf. I am not able to edit the CKA_ID of the Athena IDProtect Laser nor of the OpenPGP V2...

Problem is:
The OpenPGP card is just not able to edit the CKA_ID, it's always "03"... But it can hold X.509 certs ;)
The Athena middleware gives me the ability to change the CKA_ID, BUT in ASCII. So the result is some hex code I would need to know. The easiest way is to set "01" in the middleware, which results in "3031" for the CKA_ID.

Question:
Is it planned to introduce a config file for charon-nm? Then I would be able to manually select the slot and ID.
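The check Tobias describes in #8, together with the ASCII-encoded CKA_ID Christian ran into in #9, as an added example that is not part of this issue or of strongSwan: RFC 5280 section 4.2.1.2 method 1 derives the subjectKeyIdentifier as the SHA-1 of the subjectPublicKey BIT STRING contents, and the script below compares a token object's CKA_ID against it, accepting both the colon form from charon's log and the bare hex that pkcs11-tool prints. The SubjectPublicKeyInfo it hashes is built from a constructed toy RSA key, and all function names are my own.

```python
"""Compare a PKCS#11 object's CKA_ID with a certificate's subjectKeyIdentifier.

Added example, not code from this issue or from strongSwan. RFC 5280 4.2.1.2
method 1 derives the SKI as SHA-1 over the subjectPublicKey BIT STRING contents
(tag, length and unused-bits byte excluded). Pure Python, no token access.
"""
import hashlib

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1

def _der_len(n):
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _der(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def _der_int(value):
    # One extra byte when the high bit is set keeps the INTEGER positive.
    return _der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))

def rsa_public_key_der(n, e):
    """RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }"""
    return _der(0x30, _der_int(n) + _der_int(e))

def rsa_spki_der(n, e):
    """SubjectPublicKeyInfo with rsaEncryption and a byte-aligned BIT STRING."""
    alg = _der(0x30, _der(0x06, RSA_ENCRYPTION_OID) + _der(0x05, b""))
    return _der(0x30, alg + _der(0x03, b"\x00" + rsa_public_key_der(n, e)))

def _read_tlv(buf, pos):
    """Return (tag, contents, position after the element) for the TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def subject_key_identifier(spki):
    """SKI (method 1) from a DER SubjectPublicKeyInfo, as 20 raw bytes."""
    tag, seq, _ = _read_tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("not a SubjectPublicKeyInfo SEQUENCE")
    _, _alg, pos = _read_tlv(seq, 0)  # AlgorithmIdentifier is not hashed
    tag, bits, _ = _read_tlv(seq, pos)
    if tag != 0x03 or bits[0] != 0:
        raise ValueError("subjectPublicKey must be a byte-aligned BIT STRING")
    return hashlib.sha1(bits[1:]).digest()

def parse_id(text):
    """Accept charon's log form ('78:ce:d5:...') or bare hex ('78ced5...')."""
    return bytes.fromhex(text.replace(":", "").strip())

def diagnose(cka_id, ski):
    """Classify a token object's CKA_ID against the certificate's SKI."""
    if cka_id == ski:
        return "match"
    try:
        # Middleware that stores the typed hex digits as text yields e.g.
        # 0x30 0x31 for "01"; decoding the bytes as text recovers the intent.
        if bytes.fromhex(cka_id.decode("ascii")) == ski:
            return "ascii-encoded"
    except (UnicodeDecodeError, ValueError):
        pass
    return "mismatch"

# Constructed toy key for the demo only; no real RSA modulus is this small.
SAMPLE_N = 0xC0FFEE1234567890ABCDEF
SAMPLE_E = 65537
SAMPLE_SPKI = rsa_spki_der(SAMPLE_N, SAMPLE_E)

if __name__ == "__main__":
    ski = subject_key_identifier(SAMPLE_SPKI)
    print("subjectKeyIdentifier:", ski.hex())
    for cka in (ski, ski.hex().encode("ascii"), parse_id("78:ce:d5:5d:d8:d5:cb:64")):
        print(f"CKA_ID {cka.hex()} -> {diagnose(cka, ski)}")
```

Against a real certificate, feed `subject_key_identifier` the DER SubjectPublicKeyInfo of the end-entity certificate and `diagnose` the CKA_ID bytes read from the token; a result of "ascii-encoded" points at the middleware behaviour described in #9 rather than at a wrong identifier.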

#10 Updated by Tobias Brunner almost 6 years ago

Question:
Is it planned to introduce a config file for charon-nm? Then I would be able to manually select the slot and ID.

No, there are currently no plans to do so.

#11 Updated by Raphael Geissert over 4 years ago

Tobias Brunner wrote:

private, public key and certificate have the same ID

Just to clarify the same ID is not enough, the ID must actually match the subjectKeyIdentifier of the certificate (or a hash of the subjectPublicKey). ipsec --print can show you this identifier.

By all means this looks like a dup of #490.

#12 Updated by Tobias Brunner over 4 years ago

  • Related to Feature #490: charon-nm fails to find private key if CKA_ID doesn't match the x509 subject key id added

#13 Updated by Tobias Brunner over 4 years ago

  • Status changed from Feedback to Closed
  • Resolution set to No change required

Closing this as the original issue was solved and the NM/CKA_ID issue is tracked in #490.
