Hey, Ok, thanks for the tips. I am trying it with charon-cmd now, not network-manager. I followed the instructions from [1].
In the logs I can see that the private key seems to be loaded correctly:

    Jul 19 19:01:53 SuperSam charon: 14[CFG] loading secrets from '/etc/ipsec.secrets'
    Jul 19 19:01:53 SuperSam charon: 14[CFG]   found key on PKCS#11 token 'opensc':0
    Jul 19 19:01:53 SuperSam charon: 14[CFG]   loaded private key from %smartcard:3

I managed to configure strongswan (on the client side) so that the certificate is listed:

    > ipsec listcerts

    List of X.509 End Entity Certificates

      subject:   "C=DE, O=example Company, CN=nat...@wintercloud.de"
      issuer:    "C=DE, O=example Company, CN=strongSwan Root CA"
      validity:  not before Jul 19 17:02:36 2018, ok
                 not after  Jul 18 17:02:36 2020, ok (expires in 729 days)
      serial:    4c:0f:51:f9:0c:bc:06:c9
      altNames:  nat...@wintercloud.de
      flags:     clientAuth
      authkeyId: 1b:52:a8:d6:bb:20:98:11:ca:28:52:71:07:89:46:84:bf:52:2d:36
      subjkeyId: d0:65:3c:1c:f4:4f:f6:77:7e:09:fb:d3:81:55:d3:d9:d9:99:69:c8
      pubkey:    RSA 4096 bits, has private key
      keyid:     8f:38:18:ef:2e:52:63:c3:dd:7d:62:66:9d:31:91:ac:6c:f8:2e:c6
      subjkey:   d0:65:3c:1c:f4:4f:f6:77:7e:09:fb:d3:81:55:d3:d9:d9:99:69:c8

But it seems I am not able to use it with charon-cmd:

    > charon-cmd --host <my-host> --identity nathan\@wintercloud.de --cert <path-to-server-cert> --profile ikev2-pub
    ...
    05[CFG] missing private key for profile ikev2-pub
    ...

The identity is the one from the certificate.

Do I have to add additional options so that charon-cmd knows that it should take the private key from the smartcard?

Thanks!
Nathan

[1]: https://wiki.strongswan.org/projects/strongswan/wiki/SmartCards

--
Dr. Nathan Hüsken
Cloud Developer
nat...@wintercloud.de
+49 151 703 478 84

wintercloud GmbH & Co. KG
Emil-Maier-Str. 16
69115 Heidelberg
wintercloud.de

Registered office of the limited partnership: Heidelberg, registration number of the limited partnership in the commercial register: AG Mannheim HRA 707268
General partner: junah GmbH, registered office of the general partner: Heidelberg, registration number of the general partner in the commercial register: AG Mannheim HRB 726538, managing directors of the general partner: Julian Wintermayr and Dr. Nathan Hüsken
VAT ID: DE815676705

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On 19 July 2018 5:29 PM, Tobias Brunner <tob...@strongswan.org> wrote:

> Hi Nathan,
>
> > The ids match! So it should be fine!
>
> Only with strongSwan >= 5.5.1, with older releases the cert/key has to
> be stored using a CKA_ID that matches the SPKI (i.e. your cert/key with
> CKA_ID 3 would never be used).
>
> > Any other help on why this does possibly not work?
>
> Do you have strongSwan >= 5.5.1 installed? Did you configure the pkcs11
> plugin properly? Is it loaded and does it enumerate certificates when
> charon-nm is started (check the log for details)?
>
> Regards,
> Tobias