
Using strongSwan with PKCS#11 and a YubiKey


I am trying to deploy a new VPN configuration in my enterprise.

I have successfully established a connection between my computer and my IPsec VPN server in certificate mode.

I uploaded the p12 file to my YubiKey; it contains my private key, the pub key of the server and the CA.

```
$ pkcs11-tool --test --login

Using slot 0 with a present token (0x0)
Logging in to "uid=r.beal,dc=ldap-...".
Please enter User PIN: 
C_SeedRandom() and C_GenerateRandom():
  seeding (C_SeedRandom) not supported
  seems to be OK
Digests:
  all 4 digest functions seem to work
  MD5: OK
  SHA-1: OK
  RIPEMD160: OK
Signatures (currently only for RSA)
  testing key 0 (PIV AUTH key) 
  all 4 signature functions seem to work
  testing signature mechanisms:
    RSA-X-509: OK
    RSA-PKCS: OK
    SHA1-RSA-PKCS: OK
    MD5-RSA-PKCS: OK
    RIPEMD160-RSA-PKCS: OK
    SHA256-RSA-PKCS: OK
Verify (currently only for RSA)
  testing key 0 (PIV AUTH key)
    RSA-X-509: OK
    RSA-PKCS: OK
    SHA1-RSA-PKCS: OK
    MD5-RSA-PKCS: OK
    RIPEMD160-RSA-PKCS: OK
Decryption (currently only for RSA)
  testing key 0 (PIV AUTH key)
    RSA-X-509: OK
    RSA-PKCS: OK
No errors
```

I added this section to the swanctl.conf file:

```
secrets {
    tokenyubikey {
        pin = 123456
        slot = 0
        handle = 1 # From what I understood, it's here that my crt is
        module = yubi-module
    }
}
```

And this section to the /etc/strongswan.d/charon/pkcs11.conf file:

```
yubi-module {
    #path = /usr/lib/libykcs11.so
    path = /usr/lib/pkcs11/opensc-pkcs11.so
}
```

When I use the YubiKey PKCS#11 module:

```
00[CFG] PKCS11 module '<name>' lacks library path
00[CFG] loaded PKCS#11 v2.40 library 'yubi-module' (/usr/lib/libykcs11.so)
00[CFG]   Yubico (www.yubico.com): PKCS#11 PIV Library (SP-800-73) v2.21
00[CFG]   found token in slot 'yubi-module':0 (Yubico YubiKey OTP+FIDO+CCID 00 00)
00[CFG]     YubiKey PIV #16616360 (Yubico (www.yubico.com): YubiKey YK5)
00[CFG]     loaded untrusted cert 'X.509 Certificate for PIV Authentication'
00[CFG]     loaded untrusted cert 'X.509 Certificate for PIV Attestation'
```

And when the module used is OpenSC:

```
00[CFG] PKCS11 module '<name>' lacks library path
00[CFG] loaded PKCS#11 v2.20 library 'yubi-module' (/usr/lib/pkcs11/opensc-pkcs11.so)
00[CFG]   OpenSC Project: OpenSC smartcard framework v0.22
00[CFG]   found token in slot 'yubi-module':0 (Yubico YubiKey OTP+FIDO+CCID 00 00)
00[CFG]     uid=r.beal,dc=ldap-.. (piv_II: PKCS#15 emulate)
00[CFG]     loaded untrusted cert 'Certificate for PIV Authentication'
```

Which module should I use?

When I run the ipsec daemon:

```
# ipsec restart --nofork
Starting strongSwan 5.9.3 IPsec [starter]...
00[DMN] Starting IKE charon daemon (strongSwan 5.9.3, Linux 5.14.15-arch1-1, x86_64)
00[CFG] PKCS11 module '<name>' lacks library path
00[CFG] loaded PKCS#11 v2.20 library 'yubi-module' (/usr/lib/pkcs11/opensc-pkcs11.so)
00[CFG]   OpenSC Project: OpenSC smartcard framework v0.22
00[CFG]   found token in slot 'yubi-module':0 (Yubico YubiKey OTP+FIDO+CCID 00 00)
00[CFG]     uid=r.beal,dc=ldap-.. (piv_II: PKCS#15 emulate)
00[CFG]     loaded untrusted cert 'Certificate for PIV Authentication'
00[CFG] attr-sql plugin: database URI not set
00[NET] using forecast interface wlan0
00[CFG] joining forecast multicast groups: 224.0.0.1,224.0.0.22,224.0.0.251,224.0.0.252,239.255.255.250
00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
00[CFG]   loaded ca certificate "C=FR, ST=Idf, L=City, O=company, OU=company, CN=company, [email protected]" from '/etc/ipsec.d/cacerts/ca.pem'
00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
00[CFG] loading crls from '/etc/ipsec.d/crls'
00[CFG] loading secrets from '/etc/ipsec.secrets'
00[CFG] sql plugin: database URI not set
00[CFG] opening triplet file /etc/ipsec.d/triplets.dat failed: No such file or directory
00[CFG] loaded 0 RADIUS server configurations
00[CFG] HA config misses local/remote address
00[CFG] no script for ext-auth script defined, disabled
00[LIB] loaded plugins: charon ldap pkcs11 aesni aes des rc2 sha2 sha3 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ntru drbg newhope bliss curl mysql sqlite attr kernel-netlink resolve socket-default bypass-lan connmark forecast farp stroke vici updown eap-identity eap-sim eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp radattr unity counters
00[LIB] dropped capabilities, running as uid 0, gid 0
00[JOB] spawning 16 worker threads
06[IKE] installed bypass policy for 172.17.0.0/16
06[IKE] installed bypass policy for 192.168.1.0/24
06[IKE] installed bypass policy for ::1/128
06[IKE] installed bypass policy for fe80::/64
02[CFG]   found token in slot 'yubi-module':0 (Yubico YubiKey OTP+FIDO+CCID 00 00)
02[CFG]     uid=r.beal,dc=ldap-.. (piv_II: PKCS#15 emulate)
02[CFG]     loaded untrusted cert 'Certificate for PIV Authentication'
charon (10359) started after 120 ms
11[CFG] received stroke: add connection 'test'
11[CFG]   loaded certificate "C=FR, ST=Idf, L=City, O=company, OU=company, CN=uid=r.beal,dc=ldap,dc=company,dc=fr, [email protected]" from '/etc/swanctl/x509/r.beal.pem'
11[CFG]   id 'UID=r.beal, DC=ldap, DC=company, DC=fr' not confirmed by certificate, defaulting to 'C=FR, ST=Idf, L=City, O=company, OU=company, CN=uid=r.beal,dc=ldap,dc=company,dc=fr, [email protected]'
11[CFG] added configuration 'test'
```

The smartcard is present!

Now I am trying to connect to the VPN (/etc/ipsec.conf):

```
conn test
     right=1.2.3.4  # the public IP of my VPN server
     rightid=remote_id_of_the_server
     leftcert=/etc/swanctl/x509/r.beal.pem
     leftid=my_mail
     left=%defaultroute
     #leftcert=%smartcard
     auto=add
```

I put the CA in /etc/ipsec.d/cacerts/

ipsec log:

```
01[CFG] received stroke: initiate 'test'
09[IKE] initiating IKE_SA test[1] to 1.2.3.4
09[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
09[NET] sending packet: from 192.168.1.199[500] to 1.2.3.4[500] (1000 bytes)
10[NET] received packet: from 1.2.3.4[500] to 192.168.1.199[500] (38 bytes)
10[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
10[IKE] peer didn't accept DH group ECP_256, it requested MODP_2048
10[IKE] initiating IKE_SA test[1] to 1.2.3.4
10[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
10[NET] sending packet: from 192.168.1.199[500] to 1.2.3.4[500] (1192 bytes)
06[NET] received packet: from 1.2.3.4[500] to 192.168.1.199[500] (481 bytes)
06[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(HASH_ALG) N(CHDLESS_SUP) ]
06[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
06[IKE] local host is behind NAT, sending keep alives
06[IKE] remote host is behind NAT
06[IKE] received cert request for "C=FR, ST=Idf, L=City, O=company, OU=company, CN=company, [email protected]"
06[IKE] sending cert request for "C=FR, ST=Idf, L=City, O=company, OU=company, CN=company, [email protected]"
06[IKE] no private key found for 'C=FR, ST=Idf, L=City, O=company, OU=company, CN=uid=r.beal,dc=ldap,dc=company,dc=fr, [email protected]'
```

The connection begins to be established! What should I do to make ipsec use the private key inside my smartcard?

I saw this post: "NO_PROPOSAL_CHOSEN" when trying to authenticate with a certificate from smartcard using swanctl. Do I have the same problem? I tried to copy all the certs into the x509 directory but I get the same error, 'no private key found'.

EDIT ===

Now when I call "swanctl --load-creds", ipsec finds the private key and uses it!

But now I have a network problem.

```
16[IKE] authentication of 'compagny.com' with RSA_EMSA_PKCS1_SHA2_256 successful
16[IKE] IKE_SA test[1] established between 192.168.1.199[[email protected]]...1.2.3.4[compagny.com]
16[IKE] scheduling reauthentication in 10059s
16[IKE] maximum IKE_SA lifetime 10599s
16[CFG] handling UNITY_SPLITDNS_NAME attribute failed
16[CFG] handling INTERNAL_IP4_NETMASK attribute failed
16[IKE] installing DNS server 172.22.0.17 to /etc/resolv.conf
16[IKE] installing new virtual IP 10.66.0.5
16[IKE] received TS_UNACCEPTABLE notify, no CHILD_SA built
16[IKE] failed to establish CHILD_SA, keeping IKE_SA
16[IKE] received AUTH_LIFETIME of 20278s, reauthentication already scheduled in 10059s
```

I added to my conf file:

```
leftsourceip=%config
```

My VPN server is configured not to route the internet traffic of the client. So I think it is a network configuration problem now.

Why do you configure the secret in swanctl.conf but the connection in ipsec.conf? (That doesn't directly cause the issue, but it is still weird.) Configuring the private key isn't enough, you also need a public key/certificate that matches the configured local identity. There is a certificate loaded from the token, but that seems to be untrusted (as reported by PKCS#11). If you can't change that, you can try loading the certificate in the connection explicitly.

rBeal: I edited my post. Can the connection work if the certificate is untrusted? I cannot find why it is not trusted. All certs are generated from a Stormshield firewall. So I suppose they are OK.

You could have referenced the certificate on the token instead of loading it from a file (using the `%smartcard` syntax). And I actually might have been wrong above. Your configuring the key in swanctl.conf instead of ipsec.secrets might actually be an additional factor that causes this because I don't see the key actually getting loaded (which doesn't happen if `swanctl --load-creds` or `--load-all` is never called (which isn't the case if you just use `ipsec (re)start`)). So try configuring it in [ipsec.secrets](https://wiki.strongswan.org/projects/strongswan/wiki/PINsecret).

rBeal: Thanks!! Now I have a new problem; I edited my post.

rBeal: I agree on having a clean configuration. I am working on having a clean one. How can I find the keyid for the ipsec.secrets file?

That's the `CKA_ID` for the key on the token (corresponds to _handle_ in swanctl.conf). That the server returns a `TS_UNACCEPTABLE` error might be because you didn't configure `rightsubnet`. Configure the subnet(s) you want to reach, use `0.0.0.0/0` to tunnel everything or let the responder narrow it down to whatever it has configured. If possible, check the log on the server for the reason it returns that error.

The solution was to set the rightsubnet to 0.0.0.0/0.

Thanks to ecdsa!
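
The configuration this thread converges on, collected in one place as an added example (not taken from the original posts): the token key is declared in ipsec.secrets so that `ipsec restart` sees it, the certificate is referenced on the token with `%smartcard`, and `rightsubnet` is set. `<keyid>` is a placeholder for the hex `CKA_ID` of the key; slot 0 and the module name `yubi-module` come from the question, and `%prompt` is used here instead of a PIN stored in the file.

```conf
# /etc/ipsec.secrets
# Syntax: : PIN %smartcard[<slot nr>[@<module>]]:<keyid> <pin code> | %prompt
# <keyid> is a placeholder: the hex CKA_ID of the private key on the token,
# the same value that swanctl.conf calls "handle".
# %prompt asks for the PIN interactively, so it is not kept in this file.
: PIN %smartcard0@yubi-module:<keyid> %prompt
# Form with the PIN in cleartext in the file, as in the swanctl.conf secret above:
# : PIN %smartcard0@yubi-module:<keyid> "123456"

# /etc/ipsec.conf
conn test
     right=1.2.3.4
     rightid=remote_id_of_the_server
     # Traffic selector proposed to the responder; 0.0.0.0/0 tunnels everything
     # or lets the responder narrow it down to what it has configured.
     rightsubnet=0.0.0.0/0
     left=%defaultroute
     leftid=my_mail
     # Certificate taken from the token instead of a PEM file on disk
     leftcert=%smartcard0@yubi-module:<keyid>
     # Request a virtual IP from the server
     leftsourceip=%config
     auto=add
```

With `%prompt`, run `ipsec rereadsecrets` from a terminal once the daemon is up so that the PIN can be entered.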
