Using smart cards

Since version 4.5.0 a PKCS#11 plugin for libstrongswan is available, which enables support for smart cards in the IKE daemon charon and the ipsec pki tool. Version 4.6.0 brought support for ECDSA, DH/ECDH and RNG.

The plugin is enabled with the --enable-pkcs11 configure option.


To use the plugin, the available PKCS#11 modules have to be configured in strongswan.conf.

key Default Description
libstrongswan.plugins.pkcs11.modules This section lists available PKCS#11 modules
libstrongswan.plugins.pkcs11.modules.<name>.path Full path to the shared object file of this PKCS#11 module
libstrongswan.plugins.pkcs11.modules.<name>.os_locking no Whether OS locking should be enabled for this module
libstrongswan.plugins.pkcs11.modules.<name>.load_certs yes Whether the PKCS#11 modules should load certificates from tokens (since 5.0.2)
libstrongswan.plugins.pkcs11.reload_certs no Whether the PKCS#11 modules should reload all certificates if charon receives a SIGHUP (since 5.0.2)
libstrongswan.plugins.pkcs11.use_dh no Whether the PKCS#11 modules should be used for DH and ECDH
libstrongswan.plugins.pkcs11.use_ecc no Whether the PKCS#11 modules should be used for ECDH and ECDSA public key operations.
ECDSA private keys can be used regardless of this option.
libstrongswan.plugins.pkcs11.use_hasher no Whether the PKCS#11 modules should be used to hash data
libstrongswan.plugins.pkcs11.use_pubkey no Whether the PKCS#11 modules should be used for public key operations, even for keys not stored on tokens
libstrongswan.plugins.pkcs11.use_rng no Whether the PKCS#11 modules should be used as RNG


libstrongswan {
  # ...
  plugins {
    pkcs11 {
      modules {
        my-xy-module {
          path = /path/to/pkcs11/


Certificates stored on smart cards are loaded automatically when the daemon is started. If the PKCS#11 module supports hot-plugging,
they are reloaded when a token gets inserted/removed later.

It is not necessary to specify leftcert=%smartcard... in ipsec.conf (before 5.0.2 it actually will fail if you do so). Instead the first certificate
matching the local identity (connections.<conn>.local<suffix>.id in swanctl.conf, leftid in ipsec.conf) will be used.

Beginning with 5.0.2 it is possible to select a specific certificate with leftcert using the same
syntax that is used in ipsec.secrets. This is helpful if multiple certificates for the same ID are stored on a token.

Since 5.5.2 specific certificates can also be loaded via swanctl.conf using connections.<conn>.local<suffix>.cert<suffix> sections.

To access the private key you have to specify the associated PIN in swanctl.conf (secrets.token<suffix> sections, since 5.5.2) or
ipsec.secrets (depending on the configuration reloading the secrets will prompt the user for the PIN).

NetworkManager makes the use of smart cards with IKEv2 even easier.