Hello,

I'm changing my config from using swanctl to the networkmanager-strongswan plugin.
I have trouble using a smartcard with charon-nm.

Charon-nm is configured with the right pkcs11 plugin/module/lib and I can see in the logs:

   May 20 09:09:32 OR6240941 charon-nm: 00[CFG] loaded PKCS#11 v2.40 library 'tpm2-pkcs11' (/usr/lib64/pkcs11/libtpm2_pkcs11.so)
   May 20 09:09:32 OR6240941 charon-nm: 00[CFG] tpm2-software.github.io: TPM2.0 Cryptoki v0.0
   May 20 09:09:32 OR6240941 charon-nm: 00[CFG]   found token in slot 'tpm2-pkcs11':1 (tpm2-token                      Infineon)
   May 20 09:09:32 OR6240941 charon-nm: 00[CFG]     tpm2-token (Infineon: SLB9670)
   May 20 09:09:32 OR6240941 charon-nm: 00[CFG]   found token in slot 'tpm2-pkcs11':2 (                                Infineon)
   May 20 09:09:32 OR6240941 charon-nm: 00[CFG]       (Infineon: SLB9670)
   May 20 09:09:32 OR6240941 charon-nm: 00[KNL] received netlink error: Address family not supported by protocol (97)
   May 20 09:09:32 OR6240941 charon-nm: 00[KNL] unable to create IPv6 routing table rule
   May 20 09:09:32 OR6240941 NetworkManager[13100]: <info> [1621501772.1373] vpn-connection[0x55a76cba84e0,1f9098ba-4328-4a23-ad17-e503456c2d04,"swanboottoken",0]: Saw the service appear; activating connection
   May 20 09:09:32 OR6240941 charon-nm: 00[CFG] C_GetAttributeValue(NULL) error: ATTRIBUTE_TYPE_INVALID
   May 20 09:09:32 OR6240941 charon-nm: 00[LIB] loaded plugins: nm-backend charon-nm ldap pkcs11 tpm aes des rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 sshkey pem openssl fips-prf gmp curve25519 xcbc cmac hmac drbg curl kernel-netlink socket-default
   May 20 09:09:32 OR6240941 charon-nm: 00[LIB] dropped capabilities, running as uid 105, gid 101
   May 20 09:09:32 OR6240941 charon-nm: 00[JOB] spawning 16 worker threads
   May 20 09:09:32 OR6240941 charon-nm: 01[CFG] module 'tpm2-pkcs11' does not support hot-plugging, cancelled
   May 20 09:09:32 OR6240941 NetworkManager[13100]: <info> [1621501772.1439] vpn-connection[0x55a76cba84e0,1f9098ba-4328-4a23-ad17-e503456c2d04,"swanboottoken",0]: VPN connection: (ConnectInteractive) reply received
   May 20 09:09:32 OR6240941 charon-nm: 06[CFG] received initiate for NetworkManager connection swanboottoken
   May 20 09:09:32 OR6240941 charon-nm: 06[CFG] using CA certificate, gateway identity '<vpn name>'
   May 20 09:09:32 OR6240941 NetworkManager[13100]: <warn> [1621501772.1468] vpn-connection[0x55a76cba84e0,1f9098ba-4328-4a23-ad17-e503456c2d04,"swanboottoken",0]: VPN connection: failed to connect: 'no usable smartcard certificate found.'


I know the certificate/private key is working outside the smartcard/token.
Following the smartcard requirements, I have the public key available without login, and the ID on the certificate matches the private key and the public key (it's not the subjectKeyIdentifier, but I'm using strongSwan 5.8.2).

The line C_GetAttributeValue(NULL) error: ATTRIBUTE_TYPE_INVALID might be the root cause, since my certificate does not have the "TLS Client Auth" extended key usage, but rather "TLS Web Client Authentication, IPSec User, IPSec Internet Key Exchange".
Since the certificate works outside the smartcard, I'm not sure this is wrong.

Is there a way to get more debugging logs from charon-nm/pkcs11?


Regards,
Marc
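The two token requirements the message above relies on (the public key readable without login, and one CKA_ID shared by the certificate, public key and private key) can be checked mechanically before involving charon-nm at all. The script below is an added example, not code from this thread or from strongSwan: it parses the object listing printed by OpenSC's `pkcs11-tool --list-objects` (one run without `--login`, one with it) and reports, per CKA_ID, whether the triple is complete and whether the public key is visible unauthenticated. The listings embedded in it are constructed sample output, not the poster's token; the module path in the usage comment is the one from the log above.

```python
"""Check a PKCS#11 token layout against charon's smartcard expectations.

Added example (not part of the mailing-list post or of strongSwan). It parses
output in the format of OpenSC's `pkcs11-tool --list-objects` and verifies:
  1. the certificate, public key and private key share one CKA_ID, and
  2. the public key is readable without a login.
Usage against a real token (path taken from the log in the post):
  pkcs11-tool --module /usr/lib64/pkcs11/libtpm2_pkcs11.so --list-objects > unauth.txt
  pkcs11-tool --module /usr/lib64/pkcs11/libtpm2_pkcs11.so --list-objects --login > auth.txt
then call check_token_layout(open('unauth.txt').read(), open('auth.txt').read()).
"""
import re
from collections import defaultdict

# Constructed sample: listing WITHOUT --login, so only public objects are shown.
UNAUTH_LISTING = """\
Certificate Object; type = X.509 cert
  label:      vpn-client
  subject:    DN: CN=client.example.test
  ID:         01
Public Key Object; RSA 2048 bits
  label:      vpn-client
  ID:         01
  Usage:      encrypt, verify
  Access:     none
Certificate Object; type = X.509 cert
  label:      old-cert
  ID:         02
Certificate Object; type = X.509 cert
  label:      orphan-cert
  ID:         03
"""

# Constructed sample: listing WITH --login. ID 01 is a complete triple, ID 02's
# public key is a private object (only visible after login), ID 03 has no keys.
AUTH_LISTING = UNAUTH_LISTING + """\
Private Key Object; RSA
  label:      vpn-client
  ID:         01
  Usage:      decrypt, sign
  Access:     sensitive, always sensitive, never extractable
Public Key Object; RSA 2048 bits
  label:      old-cert
  ID:         02
Private Key Object; RSA
  label:      old-cert
  ID:         02
"""

_HEADER = re.compile(r"^(Certificate|Public Key|Private Key) Object; (.*)$")
_ATTR = re.compile(r"^\s+(\w+):\s+(.*)$")


def parse_objects(listing):
    """Turn pkcs11-tool's indented listing into [{'kind': ..., 'attrs': {...}}]."""
    objects = []
    for line in listing.splitlines():
        m = _HEADER.match(line)
        if m:
            objects.append({"kind": m.group(1), "attrs": {"type": m.group(2)}})
            continue
        m = _ATTR.match(line)
        if m and objects:
            objects[-1]["attrs"][m.group(1).lower()] = m.group(2).strip()
    return objects


def check_token_layout(unauth_listing, auth_listing):
    """Per CKA_ID: is the cert/pubkey/privkey triple complete, and is the
    public key readable without login?"""
    kinds_by_id = defaultdict(set)
    for obj in parse_objects(auth_listing):
        kinds_by_id[obj["attrs"].get("id")].add(obj["kind"])
    public_ids = {obj["attrs"].get("id") for obj in parse_objects(unauth_listing)
                  if obj["kind"] == "Public Key"}
    required = {"Certificate", "Public Key", "Private Key"}
    return {
        cka_id: {
            "complete": required <= kinds,
            "missing": sorted(required - kinds),
            "pubkey_without_login": cka_id in public_ids,
        }
        for cka_id, kinds in kinds_by_id.items()
    }


def usable_ids(unauth_listing, auth_listing):
    """CKA_IDs that satisfy both requirements, i.e. the only candidates a
    pkcs11-backed client could select."""
    findings = check_token_layout(unauth_listing, auth_listing)
    return sorted(i for i, f in findings.items()
                  if f["complete"] and f["pubkey_without_login"])


if __name__ == "__main__":
    for cka_id, f in sorted(check_token_layout(UNAUTH_LISTING, AUTH_LISTING).items()):
        print(cka_id, f)
    print("usable IDs:", usable_ids(UNAUTH_LISTING, AUTH_LISTING))
```

With the constructed listings only ID 01 passes; ID 02 fails because its public key appears only after login, and ID 03 is a certificate with no key pair behind it. On a real token the same two conditions are what to verify first when charon reports that no usable smartcard certificate was found.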
