[Swan] libreswan smartcards unexpected side effects
Ian Willis
ian at checksum.net.au
Thu Apr 28 16:16:50 EEST 2022
Hi All,

I have a workstation running Rocky 8.5 Linux that connects via IPsec to
a remote VPN server also running Rocky 8.5.
Both run libreswan, which gets restarted via a cron job on the client on
a regular basis.

I was also playing with some smartcards, looking to program them via
gp.jar https://github.com/martinpaljak/GlobalPlatformPro to put
OpenFIPS onto some JavaCards https://github.com/makinako/OpenFIPS201.

Anyway, ipsec attempted to restart via the cron job and the link didn't
come up. It took me a while to work out that the smartcard was the
culprit, and I see something like the logs at the bottom.
Unplugging the smartcard and the reader made things peachy again. pcscd
is running.

Rather than digging too much, I was hoping that someone would explain
this behaviour. It does look like ipsec tries to leverage the smartcard
as its credential store.
● ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
   Loaded: loaded (/usr/lib/systemd/system/ipsec.service; enabled; vendor preset: disabled)
   Active: activating (start) since Thu 2022-04-28 22:47:12 AEST; 38s ago
     Docs: man:ipsec(8)
           man:pluto(8)
           man:ipsec.conf(5)
  Process: 4972 ExecStopPost=/usr/sbin/ipsec --stopnflog (code=exited, status=0/SUCCESS)
  Process: 4968 ExecStopPost=/bin/bash -c if test "$EXIT_STATUS" != "12"; then /sbin/ip xfrm policy flush; /sbin/ip xfrm state flush; fi (code=exited, status=0/SUCCESS)
  Process: 4933 ExecStop=/usr/libexec/ipsec/whack --shutdown (code=exited, status=0/SUCCESS)
  Process: 5222 ExecStartPre=/usr/sbin/ipsec --checknflog (code=exited, status=0/SUCCESS)
  Process: 5220 ExecStartPre=/usr/sbin/ipsec --checknss (code=exited, status=0/SUCCESS)
  Process: 4981 ExecStartPre=/usr/libexec/ipsec/_stackmanager start (code=exited, status=0/SUCCESS)
  Process: 4979 ExecStartPre=/usr/libexec/ipsec/addconn --config /etc/ipsec.conf --checkconfig (code=exited, status=0/SUCCESS)
 Main PID: 5234 (pluto)
    Tasks: 1 (limit: 100532)
   Memory: 3.4M
   CGroup: /system.slice/ipsec.service
           └─5234 /usr/libexec/ipsec/pluto --leak-detective --config /etc/ipsec.conf --nofork
Apr 28 22:47:50 blah pluto[5234]: MODP3072 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS(MODP) dh15
Apr 28 22:47:50 blah pluto[5234]: MODP4096 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS(MODP) dh16
Apr 28 22:47:50 blah pluto[5234]: MODP6144 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS(MODP) dh17
Apr 28 22:47:50 blah pluto[5234]: MODP8192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS(MODP) dh18
Apr 28 22:47:50 blah pluto[5234]: DH19 IKEv1: IKE IKEv2: IKE ESP AH FIPS NSS(ECP) ecp_256, ecp256
Apr 28 22:47:50 blah pluto[5234]: DH20 IKEv1: IKE IKEv2: IKE ESP AH FIPS NSS(ECP) ecp_384, ecp384
Apr 28 22:47:50 blah pluto[5234]: DH21 IKEv1: IKE IKEv2: IKE ESP AH FIPS NSS(ECP) ecp_521, ecp521
Apr 28 22:47:50 blah pluto[5234]: DH31 IKEv1: IKE IKEv2: IKE ESP AH NSS(ECP) curve25519
Apr 28 22:47:50 blah pluto[5234]: testing CAMELLIA_CBC:
Apr 28 22:47:50 blah pluto[5234]: Camellia: 16 bytes with 128-bit key
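A quick way to see whether pluto's NSS database is wired to any PKCS#11 module beyond NSS's own softoken (which is how an inserted smartcard becomes visible to it) is to list the modules with modutil. This is an added diagnostic script, not part of the original post or of libreswan; it assumes the NSS database lives in /etc/ipsec.d (override with NSSDIR) and that nss-tools is installed.

```shell
#!/bin/sh
# Added diagnostic, not from the original post. Assumptions: libreswan keeps
# its NSS database in NSSDIR (default /etc/ipsec.d) and `modutil` from
# nss-tools is available.
NSSDIR="${NSSDIR:-/etc/ipsec.d}"

# Read `modutil -list` output on stdin and print the names of every PKCS#11
# module except NSS's built-in softoken. modutil prints one "N. <name>" line
# per configured module.
external_pkcs11_modules() {
    sed -n 's/^ *[0-9][0-9]*\. *//p' | grep -v 'NSS Internal PKCS #11 Module'
}

# Exit 0 when stdin (modutil output) lists at least one external module,
# e.g. a p11-kit proxy or an OpenSC module that exposes a smartcard.
has_external_pkcs11() {
    [ -n "$(external_pkcs11_modules)" ]
}

# Run the check against the live NSS database and report what pluto would
# load; also note whether pcscd is up, since that is the path to the reader.
check_ipsec_nss() {
    if ! command -v modutil >/dev/null 2>&1; then
        echo "modutil not found (install nss-tools)" >&2
        return 2
    fi
    out=$(modutil -dbdir "sql:$NSSDIR" -list 2>/dev/null)
    if printf '%s\n' "$out" | has_external_pkcs11; then
        echo "External PKCS#11 modules configured in $NSSDIR:"
        printf '%s\n' "$out" | external_pkcs11_modules
        pgrep -x pcscd >/dev/null 2>&1 && echo "pcscd is running"
        return 0
    fi
    echo "Only the NSS internal module is configured in $NSSDIR"
    return 1
}
```

Source the file and call check_ipsec_nss; a module such as p11-kit-proxy in the output means tokens reachable through pcscd are part of pluto's credential store.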