Using smart cards
Since version 4.5.0, a PKCS#11 plugin for libstrongswan is available, which enables support for smart cards in the IKE daemon charon and the ipsec pki tool. Version 4.6.0 added support for ECDSA, DH/ECDH and RNG operations through the token.
The plugin is enabled with the --enable-pkcs11 configure option.
Configuration
To use the plugin, the available PKCS#11 modules have to be configured in strongswan.conf.
Key | Default | Description
--- | --- | ---
libstrongswan.plugins.pkcs11.modules | | This section lists available PKCS#11 modules
libstrongswan.plugins.pkcs11.modules.<name>.path | | Full path to the shared object file of this PKCS#11 module
libstrongswan.plugins.pkcs11.modules.<name>.os_locking | no | Whether OS locking should be enabled for this module
libstrongswan.plugins.pkcs11.modules.<name>.load_certs | yes | Whether the PKCS#11 modules should load certificates from tokens (since 5.0.2)
libstrongswan.plugins.pkcs11.reload_certs | no | Whether the PKCS#11 modules should reload all certificates if charon receives a SIGHUP (since 5.0.2)
libstrongswan.plugins.pkcs11.use_dh | no | Whether the PKCS#11 modules should be used for DH and ECDH
libstrongswan.plugins.pkcs11.use_ecc | no | Whether the PKCS#11 modules should be used for ECDH and ECDSA public key operations. ECDSA private keys can be used regardless of this option.
libstrongswan.plugins.pkcs11.use_hasher | no | Whether the PKCS#11 modules should be used to hash data
libstrongswan.plugins.pkcs11.use_pubkey | no | Whether the PKCS#11 modules should be used for public key operations, even for keys not stored on tokens
libstrongswan.plugins.pkcs11.use_rng | no | Whether the PKCS#11 modules should be used as RNG
Example:
    libstrongswan {
        # ...
        plugins {
            pkcs11 {
                modules {
                    my-xy-module {
                        path = /path/to/pkcs11/lib.so
                    }
                }
            }
        }
    }
Behavior
Certificates stored on smart cards are loaded automatically when the daemon is started. If the PKCS#11 module supports hot-plugging, they are reloaded when a token is inserted or removed later.
It is not necessary to specify leftcert=%smartcard... in ipsec.conf (before 5.0.2 it will actually fail if you do so). Instead, the first certificate matching the local identity (connections.<conn>.local<suffix>.id in swanctl.conf, leftid in ipsec.conf) is used.
Beginning with 5.0.2 it is possible to select a specific certificate with leftcert, using the same syntax that is used in ipsec.secrets. This is helpful if multiple certificates for the same ID are stored on a token.
Since 5.5.2 specific certificates can also be loaded via swanctl.conf using connections.<conn>.local<suffix>.cert<suffix> sections.
To access the private key, you have to specify the associated PIN in swanctl.conf (secrets.token<suffix> sections, since 5.5.2) or in ipsec.secrets (depending on the configuration, reloading the secrets will prompt the user for the PIN).
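The following fragments are an added example, not taken from the strongSwan wiki or source tree, showing the swanctl.conf variant described above (5.5.2 or later): one PKCS#11 module registered in strongswan.conf, a connection that pins its certificate to a specific object on the token rather than relying on the first ID match, and the token PIN supplied in a secrets.token section. The module name "opensc", the library path, the CKA_ID handle, the identities and the addresses are assumptions.

```conf
# --- /etc/strongswan.conf (assumed path) ---
libstrongswan {
    plugins {
        pkcs11 {
            modules {
                opensc {
                    # Assumed library path; adjust to the installed module
                    path = /usr/lib/pkcs11/opensc-pkcs11.so
                    # Ask the module to use OS locking for charon's threads
                    os_locking = yes
                    # Default: pull certificates off the token at startup
                    load_certs = yes
                }
            }
            # Re-read token certificates on SIGHUP (e.g. after a card swap)
            reload_certs = yes
            # Keep the defaults: only private-key operations go to the token,
            # DH, hashing and RNG stay in software
            use_dh = no
            use_hasher = no
            use_rng = no
        }
    }
}

# --- /etc/swanctl/swanctl.conf (assumed path) ---
connections {
    rw-token {
        remote_addrs = vpn.example.org      # constructed gateway name
        local {
            auth = pubkey
            id = alice@example.org          # must match the token cert's SAN
            # Select one object explicitly instead of the first ID match;
            # handle is the hex CKA_ID of the certificate (constructed value)
            cert {
                handle = 01
                module = opensc
            }
        }
        remote {
            auth = pubkey
            id = vpn.example.org
        }
        children {
            net { remote_ts = 10.0.0.0/8 }
        }
    }
}
secrets {
    # PIN for the private key with the same CKA_ID on the same module
    token-alice {
        handle = 01
        module = opensc
        pin = 123456                        # constructed; keep this file 0600
    }
}
```

Load both with `swanctl --load-all` after inserting the card; if the PIN is omitted from the secrets section, the load prompts for it interactively as noted above.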
NetworkManager makes the use of smart cards with IKEv2 even easier.