I'm using StrongSwan (IPsec) in the "RoadWarrior" scenario. Since StrongSwan offers a PKCS#11 plugin, I tried to use the token from StrongSwan. But I'm receiving this error:
```
00[DMN] Starting IKE charon daemon (strongSwan 6.0.0beta6, Linux 6.1.0-18-amd64, x86_64)
00[CFG] PKCS11 module '<name>' lacks library path
00[CFG] loaded PKCS#11 v2.40 library 'hsm-module' (/usr/lib/softhsm/libsofthsm2.so)
00[CFG] SoftHSM: Implementation of PKCS11 v2.6
00[CFG] found token in slot 'hsm-module':1807073400 (SoftHSM slot ID 0x6bb5c078)
00[CFG] my_token (SoftHSM project: SoftHSM v2)
00[CFG] found token in slot 'hsm-module':1 (SoftHSM slot ID 0x1)
00[CFG] (SoftHSM project: SoftHSM v2)
00[LIB] plugin 'sha1': failed to load - sha1_plugin_create not found and no plugin file available
00[LIB] plugin 'tpm': failed to load - tpm_plugin_create not found and no plugin file available
00[LIB] providers loaded by OpenSSL: legacy default
00[CFG] install DNS servers in '/etc/resolv.conf'
00[CFG] loaded untrusted cert 'MyCertificate'
00[CFG] opening session failed: TOKEN_NOT_RECOGNIZED
00[LIB] loaded plugins: charon pkcs11 sha3 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pgp dnskey sshkey pem openssl pkcs8 xcbc cmac kdf drbg attr kernel-netlink resolve socket-default vici updown xauth-generic
00[JOB] spawning 16 worker threads
00[DMN] executing start script 'creds' (swanctl --load-creds)
04[CFG] module 'hsm-module' does not support hot-plugging, canceled
loaded PKCS#11 v2.40 library 'hsm-module' (/usr/lib/softhsm/libsofthsm2.so)
SoftHSM: Implementation of PKCS11 v2.6
found token in slot 'hsm-module':1807073400 (SoftHSM slot ID 0x6bb5c078)
my_token (SoftHSM project: SoftHSM v2)
found token in slot 'hsm-module':1 (SoftHSM slot ID 0x1)
(SoftHSM project: SoftHSM v2)
loaded untrusted cert 'MyCertificate'
opening session failed: TOKEN_NOT_RECOGNIZED
module 'hsm-module' does not support hot-plugging, canceled
08[CFG] loaded certificate 'C=CH, O=strongswan, CN=moon.strongswan.org'
10[CFG] loaded certificate 'C=CH, O=strongSwan, CN=strongSwan Root CA'
16[CFG] loaded ED25519 private key
12[CFG] found key on PKCS#11 token 'hsm-module':1807073400
12[CFG] loaded RSA private key from token
Segmentation fault (core dumped)
00[DMN] executing start script 'conns' (swanctl --load-conns)
loaded PKCS#11 v2.40 library 'hsm-module' (/usr/lib/softhsm/libsofthsm2.so)
SoftHSM: Implementation of PKCS11 v2.6
found token in slot 'hsm-module':1807073400 (SoftHSM slot ID 0x6bb5c078)
my_token (SoftHSM project: SoftHSM v2)
found token in slot 'hsm-module':1 (SoftHSM slot ID 0x1)
(SoftHSM project: SoftHSM v2)
loaded untrusted cert 'MyCertificate'
opening session failed: TOKEN_NOT_RECOGNIZED
module 'hsm-module' does not support hot-plugging, canceled
11[CFG] added vici connection: IKEv2
Segmentation fault (core dumped)
00[DMN] executing start script 'pools' (swanctl --load-pools)
loaded PKCS#11 v2.40 library 'hsm-module' (/usr/lib/softhsm/libsofthsm2.so)
SoftHSM: Implementation of PKCS11 v2.6
found token in slot 'hsm-module':1807073400 (SoftHSM slot ID 0x6bb5c078)
my_token (SoftHSM project: SoftHSM v2)
found token in slot 'hsm-module':1 (SoftHSM slot ID 0x1)
(SoftHSM project: SoftHSM v2)
loaded untrusted cert 'MyCertificate'
opening session failed: TOKEN_NOT_RECOGNIZED
module 'hsm-module' does not support hot-plugging, canceled
14[CFG] added vici pool mypool: 10.1.0.1, 254 entries
Segmentation fault (core dumped)
03[NET] received packet: from 192.168.254.3[500] to 192.168.254.2[500] (1100 bytes)
03[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) V ]
03[IKE] received strongSwan vendor ID
03[IKE] 192.168.254.3 is initiating an IKE_SA
03[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA1/MODP_1024
03[CFG] C_GenerateKeyPair() error: GENERAL_ERROR
```
Using SoftHSM 2.6.1
This is the configuration for StrongSwan:
strongswan.conf:
```
charon {
    #threads = 1
    # Defines scripts that are run when charon starts. Here the commands swanctl --load-creds,
    # swanctl --load-conns and swanctl --load-pools are run to load credentials, connections and IP pools.
    start-scripts {
        creds = swanctl --load-creds
        conns = swanctl --load-conns
        pools = swanctl --load-pools
    }
    # Defines the log settings for charon. Here the default log level is set to 1
    # and log messages are sent to stderr.
    filelog {
        stderr {
            default = 1
        }
    }
    send_vendor_id = yes
    prefer_configured_proposals = no
    fragment_size = 1480
    max_packet = 30000
    load_modular = yes
    nonce_plugins = random
    plugins {
        include strongswan.d/charon/*.conf
        vici {
            load = yes
        }
        random {
            # Enable the plugin
            load = yes
        }
        sha1 {
            # Enable the plugin
            load = yes
        }
        sha3 {
            # Enable the plugin
            load = yes
        }
        socket-default {
            # Enable the plugin
            use = netkey
        }
        openssl {
            # Enable the plugin
            load = yes
            path = /usr/lib/x86_64-linux-gnu/ruby/3.1.0/openssl.so
        }
    }
}
swanctl {
    load = pem pkcs11 x509 revocation constraints pubkey openssl random
}
include strongswan.d/*.conf
libstrongswan {
    plugins {
        pkcs11 {
            use_dh = true
            use_ecc = true
            use_pubkey = true
            modules {
                hsm-module {
                    path = /usr/lib/softhsm/libsofthsm2.so
                }
            }
        }
    }
}
```
swanctl.conf
This is how the Token is created:
There is also a Ticket in StrongSwan-Project: strongswan/strongswan#2248
Please advise,
I'm not sure what leads to this error or how to fix it.
How should the token be configured so that StrongSwan can use it?
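As an added example (not from the issue and not strongSwan project code), a small Python triage script that reads charon log text like the one above and separates token discovery (which slots carry a label) from the session error, the crash that follows the token-backed key load, and the C_GenerateKeyPair failure. The sample log is constructed from lines quoted in the issue; reading a slot without a label as an empty SoftHSM slot is an assumption of this script.

```python
import re
from collections import Counter

# Constructed sample: lines excerpted from the charon log quoted in the issue above.
SAMPLE_LOG = """\
00[CFG] found token in slot 'hsm-module':1807073400 (SoftHSM slot ID 0x6bb5c078)
00[CFG] my_token (SoftHSM project: SoftHSM v2)
00[CFG] found token in slot 'hsm-module':1 (SoftHSM slot ID 0x1)
00[CFG] (SoftHSM project: SoftHSM v2)
00[CFG] opening session failed: TOKEN_NOT_RECOGNIZED
12[CFG] loaded RSA private key from token
Segmentation fault (core dumped)
03[CFG] C_GenerateKeyPair() error: GENERAL_ERROR
"""

SLOT_RE = re.compile(r"found token in slot '(?P<module>[^']+)':(?P<slot>\d+)")
# The line after 'found token' carries the label; an empty label is assumed to be an empty slot.
LABEL_RE = re.compile(r"^(?:\d\d\[CFG\])?(?P<label>.*?)\s*\((?P<manuf>[^)]*)\)$")
ERR_RE = re.compile(r"(?P<op>opening session|C_\w+\(\)) (?:failed|error): (?P<code>[A-Z_]+)")


def triage(log):
    """Summarise PKCS#11 token state and failures seen in charon log text."""
    slots, errors = [], Counter()
    pending = None                          # slot entry whose label is on the next line
    key_from_token = crash_after_key = False
    for line in log.splitlines():
        m = SLOT_RE.search(line)
        if m:
            pending = {"module": m["module"], "slot": m["slot"], "label": ""}
            slots.append(pending)
            continue
        if pending is not None:
            lm = LABEL_RE.match(line)
            pending["label"] = lm["label"].strip() if lm else ""
            pending = None
        em = ERR_RE.search(line)
        if em:
            errors[f"{em['op']}:{em['code']}"] += 1
        if "private key from token" in line:
            key_from_token = True
        if "Segmentation fault" in line and key_from_token:
            crash_after_key = True          # crash right after a token-backed key was loaded
    return {
        "slots": slots,
        "unlabelled_slots": [s["slot"] for s in slots if not s["label"]],
        "errors": dict(errors),
        "crash_after_token_key": crash_after_key,
    }
```

Running `triage(SAMPLE_LOG)` reports slot 1 as unlabelled next to the labelled slot 1807073400 (the one the config's key lookup later hits), which is a quick way to tell a wrong-slot or uninitialised-token problem apart from the separate crash after the key load.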