[Swan] libreswan smartcards unexpected side effects

Ian Willis ian at checksum.net.au
Thu Apr 28 16:16:50 EEST 2022


Hi All,

I have a workstation running Rocky Linux 8.5 that connects via IPsec to
a remote VPN server, also running Rocky Linux 8.5. Both run libreswan,
which gets restarted via a cron job on the client on a regular basis.
I was also playing with some smartcards, looking to program them via
gp.jar (https://github.com/martinpaljak/GlobalPlatformPro) to put
OpenFIPS201 (https://github.com/makinako/OpenFIPS201) onto some
JavaCards. Anyway, ipsec attempted to restart via the cron job and the
link didn't come up. It took me a while to work out that the smartcard
was the culprit; I see something like the logs at the bottom.

Unplugging the smartcard and the reader made things peachy again. pcscd
is running.

Rather than digging too much, I was hoping that someone would explain
this behaviour. It does look like ipsec tries to leverage the smartcard
as its credential store.



● ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
   Loaded: loaded (/usr/lib/systemd/system/ipsec.service; enabled; vendor preset: disabled)
   Active: activating (start) since Thu 2022-04-28 22:47:12 AEST; 38s ago
     Docs: man:ipsec(8)
           man:pluto(8)
           man:ipsec.conf(5)
  Process: 4972 ExecStopPost=/usr/sbin/ipsec --stopnflog (code=exited, status=0/SUCCESS)
  Process: 4968 ExecStopPost=/bin/bash -c if test "$EXIT_STATUS" != "12"; then /sbin/ip xfrm policy flush; /sbin/ip xfrm state flush; fi (code=exited, status=0/SUCCESS)
  Process: 4933 ExecStop=/usr/libexec/ipsec/whack --shutdown (code=exited, status=0/SUCCESS)
  Process: 5222 ExecStartPre=/usr/sbin/ipsec --checknflog (code=exited, status=0/SUCCESS)
  Process: 5220 ExecStartPre=/usr/sbin/ipsec --checknss (code=exited, status=0/SUCCESS)
  Process: 4981 ExecStartPre=/usr/libexec/ipsec/_stackmanager start (code=exited, status=0/SUCCESS)
  Process: 4979 ExecStartPre=/usr/libexec/ipsec/addconn --config /etc/ipsec.conf --checkconfig (code=exited, status=0/SUCCESS)
 Main PID: 5234 (pluto)
    Tasks: 1 (limit: 100532)
   Memory: 3.4M
   CGroup: /system.slice/ipsec.service
           └─5234 /usr/libexec/ipsec/pluto --leak-detective --config /etc/ipsec.conf --nofork

Apr 28 22:47:50 blah pluto[5234]:   MODP3072                          IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS NSS(MODP)    dh15
Apr 28 22:47:50 blah pluto[5234]:   MODP4096                          IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS NSS(MODP)    dh16
Apr 28 22:47:50 blah pluto[5234]:   MODP6144                          IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS NSS(MODP)    dh17
Apr 28 22:47:50 blah pluto[5234]:   MODP8192                          IKEv1: IKE ESP AH  IKEv2: IKE ESP AH  FIPS NSS(MODP)    dh18
Apr 28 22:47:50 blah pluto[5234]:   DH19                              IKEv1: IKE         IKEv2: IKE ESP AH  FIPS NSS(ECP)     ecp_256, ecp256
Apr 28 22:47:50 blah pluto[5234]:   DH20                              IKEv1: IKE         IKEv2: IKE ESP AH  FIPS NSS(ECP)     ecp_384, ecp384
Apr 28 22:47:50 blah pluto[5234]:   DH21                              IKEv1: IKE         IKEv2: IKE ESP AH  FIPS NSS(ECP)     ecp_521, ecp521
Apr 28 22:47:50 blah pluto[5234]:   DH31                              IKEv1: IKE         IKEv2: IKE ESP AH       NSS(ECP)     curve25519
Apr 28 22:47:50 blah pluto[5234]: testing CAMELLIA_CBC:
Apr 28 22:47:50 blah pluto[5234]:   Camellia: 16 bytes with 128-bit key
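Two checks follow as an added example (a shell script written for this page; it is not part of the post above and not libreswan's own tooling). The first parses `systemctl status` output like the dump above and reports how long the unit has sat in "activating (start)", so a cron-driven restart that never finishes is noticed by a monitor rather than by a missing tunnel. The second lists the PKCS#11 modules registered in the NSS database that pluto opens at start, which is where a smartcard module would appear if NSS is loading it. The NSS directory (/var/lib/ipsec/nss), the 30-second threshold and the unit name are assumptions; the sample status text is constructed from the output above with the mail wrapping undone.

```shell
#!/bin/sh
# Added example, not from the mailing-list post or from libreswan.
# Assumptions: the libreswan NSS database lives in /var/lib/ipsec/nss
# (override with NSS_DB_DIR) and a start that takes longer than
# STUCK_SECONDS is worth flagging.

NSS_DB_DIR="${NSS_DB_DIR:-/var/lib/ipsec/nss}"
STUCK_SECONDS="${STUCK_SECONDS:-30}"

# Constructed sample: the status from the post, one line per field.
SAMPLE_STATUS='● ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
   Loaded: loaded (/usr/lib/systemd/system/ipsec.service; enabled; vendor preset: disabled)
   Active: activating (start) since Thu 2022-04-28 22:47:12 AEST; 38s ago
 Main PID: 5234 (pluto)'

# activating_seconds: read `systemctl status <unit>` output on stdin and print
# how many seconds the unit has been in "activating"; print nothing when the
# unit is in any other state.  Understands the h/min/s tokens systemd prints
# ("38s ago", "1min 5s ago", "2h 3min ago").
activating_seconds() {
    awk '
        /^[ \t]*Active: activating/ {
            n = split($0, parts, ";")
            d = parts[n]                 # e.g. " 38s ago"
            sub(/ ago.*$/, "", d)
            total = 0
            while (match(d, /[0-9]+(h|min|s)/)) {
                tok = substr(d, RSTART, RLENGTH)
                v = tok + 0              # numeric prefix of the token
                u = tok; gsub(/[0-9]/, "", u)
                if (u == "h")        total += v * 3600
                else if (u == "min") total += v * 60
                else                 total += v
                d = substr(d, RSTART + RLENGTH)
            }
            print total
            exit
        }'
}

# stuck_activating [threshold]: succeed when the status on stdin shows the
# unit activating for longer than the threshold (default STUCK_SECONDS).
stuck_activating() {
    threshold="${1:-$STUCK_SECONDS}"
    secs=$(activating_seconds)
    [ -n "$secs" ] && [ "$secs" -gt "$threshold" ]
}

# list_nss_modules: show every PKCS#11 module registered in pluto's NSS
# database.  NSS initialises each listed module when the database is opened,
# so a smartcard module here is the first thing to look at when a start hangs.
list_nss_modules() {
    modutil -dbdir "sql:$NSS_DB_DIR" -list
}

# check_live_ipsec: run both checks against the running system.
check_live_ipsec() {
    if systemctl status ipsec.service 2>/dev/null | stuck_activating; then
        echo "ipsec.service has been activating for more than ${STUCK_SECONDS}s"
        echo "PKCS#11 modules registered in $NSS_DB_DIR:"
        list_nss_modules
    else
        echo "ipsec.service is not stuck in activating"
    fi
}

# demo: apply the parser to the constructed sample; prints 38.
demo() {
    printf '%s\n' "$SAMPLE_STATUS" | activating_seconds
}
```

Run `check_live_ipsec` from the same cron job that restarts the service, a minute after the restart, and the stuck-start case produces the module list in the cron mail instead of a silent outage; `demo` exercises the parser on the constructed sample without touching the system.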