Extract the PKCS#12 file from the .sswan
Open the .sswan file; you should see something like this:
So, according to the documentation, it is certificate authentication.
We’ll need a CA certificate (usually provided separately, but if that’s not the case, don’t worry) together with the client’s certificate and its private key.
We’ll use the content of the p12 field of the .sswan file to get all of this.
"p12" : "i'm the interesting content"
First, put the content of the p12 field (without the double quotes) in a separate file, say myB64p12Key.
Decode the base64 file to an actual p12 file
base64 -d ./myB64p12Key > certsAndKeys.p12
Extract the certs and the key
openssl pkcs12 -in ./certsAndKeys.p12 -out keys_out.txt
You may have to enter your password a few times; if you get no error, everything ran fine.
Open the keys_out.txt file; you’ll see a structure like this:
Bag Attributes
    localKeyID: ....
    friendlyName: ...
subject=CN = matthieu-jacquot        <= something looking like a client
issuer=CN = 126.96.36.199
-----BEGIN CERTIFICATE-----
MIIB7TCCAZOgAw....   I'm the client certificate
-----END CERTIFICATE-----
Bag Attributes: ...
subject=CN = 188.8.131.52            <= something looking seriously like an IP address
issuer=CN = 184.108.40.206
-----BEGIN CERTIFICATE-----
MIIBrzCCAV...   I'm the CA certificate
-----END CERTIFICATE-----
Bag Attributes
    localKeyID: ...
    friendlyName: ...
Key Attributes: ...
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIHj.   I'm the client's private key
-----END ENCRYPTED PRIVATE KEY-----
If you look closely, you’ll see 2 certificates and a private key; I gave you hints to differentiate the CA certificate from the client’s one.
Simply copy the 3 into 3 separate files, say
clientkey, so they look like this:
-----BEGIN ... -----
MIHj.flasdkfjlksdjlLKJ
lasdkfjlskdfjlkf
-----END ... -----
Extraction done!
We could have split it with 3 different openssl commands, but your VPN client will most likely not be very fond of the bag attributes above each object, so we would have had to remove them by hand anyway.
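The whole extraction, scripted. This is an added example, not code from the original post: it decodes the p12 field, converts the PKCS#12 to a PEM bundle, and then splits that bundle into three clean files with the bag attributes stripped, so nothing has to be copied by hand. The file names myB64p12Key, certsAndKeys.p12 and keys_out.txt are the post’s; the output names ca.crt, client.crt and client.key, and the helper names, are assumptions. Instead of eyeballing the CN, the splitter relies on the localKeyID bag attribute that openssl prints above the client certificate and its matching key (CA certificates normally carry none); that is an assumption about your bundle, and the fallback is the post’s subject/issuer comparison.

```shell
#!/bin/sh
# Added example, not code from the original post. Automates the steps above:
# decode the p12 field, convert the PKCS#12 to PEM, split the PEM bundle into
# three clean files without the "Bag Attributes" headers.
# myB64p12Key, certsAndKeys.p12 and keys_out.txt are the post's file names;
# ca.crt, client.crt and client.key are assumed output names.

# Steps 1 and 2 of the post: base64 -> PKCS#12 -> PEM bundle.
# openssl prompts for the import password; the key stays encrypted (no -nodes).
# Not invoked by the demo below, so the splitter can be tried offline.
sswan_p12_to_pem() {
    b64_in="$1"; pem_out="$2"
    base64 -d "$b64_in" > certsAndKeys.p12
    openssl pkcs12 -in certsAndKeys.p12 -out "$pem_out"
}

# Split a PEM bundle written by `openssl pkcs12 -out` into one file per object.
# Telling the certificates apart: openssl prints a localKeyID bag attribute
# above the certificate that shares an ID with the private key; CA certificates
# carry no such ID (assumption; if your bundle has none, compare the subject=
# and issuer= lines by hand as the post does).
#   $1 = bundle file, $2 = output directory
split_pem_bundle() {
    bundle="$1"; out="$2"
    mkdir -p "$out"
    awk -v out="$out" '
        /^Bag Attributes/ { kid = 0 }            # new object: forget previous ID
        /localKeyID:/     { kid = 1 }
        /^-----BEGIN / {
            if ($0 ~ /PRIVATE KEY/) file = out "/client.key"
            else if (kid)           file = out "/client.crt"
            else                    file = out "/ca.crt"
            inblock = 1
        }
        inblock { print > file }                 # attribute lines are never inblock
        /^-----END / { inblock = 0; close(file) }
    ' "$bundle"
    # The (still passphrase-protected) key should not be world-readable.
    if [ -f "$out/client.key" ]; then chmod 600 "$out/client.key"; fi
}

# Sanity check before handing the files to NetworkManager: the key must belong
# to the client certificate. Requires openssl and prompts for the key passphrase.
# Prints "match" or "MISMATCH".
check_key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    if [ "$cert_pub" = "$key_pub" ]; then echo match; else echo MISMATCH; fi
}

# Demo on a constructed bundle in the shape of the post's keys_out.txt. The
# base64 payloads are placeholders, not real certificates or keys.
DEMO_DIR=$(mktemp -d)
DEMO_OUT="$DEMO_DIR/out"
cat > "$DEMO_DIR/keys_out.txt" <<'EOF'
Bag Attributes
    localKeyID: 01 02 03 04
    friendlyName: vpn-client
subject=CN = vpn-client
issuer=CN = Example VPN CA
-----BEGIN CERTIFICATE-----
Q0xJRU5UIENFUlQgKGNvbnN0cnVjdGVkKQ==
-----END CERTIFICATE-----
Bag Attributes: <No Attributes>
subject=CN = Example VPN CA
issuer=CN = Example VPN CA
-----BEGIN CERTIFICATE-----
Q0EgQ0VSVCAoY29uc3RydWN0ZWQp
-----END CERTIFICATE-----
Bag Attributes
    localKeyID: 01 02 03 04
    friendlyName: vpn-client
Key Attributes: <No Attributes>
-----BEGIN ENCRYPTED PRIVATE KEY-----
UFJJVkFURSBLRVkgKGNvbnN0cnVjdGVkKQ==
-----END ENCRYPTED PRIVATE KEY-----
EOF
split_pem_bundle "$DEMO_DIR/keys_out.txt" "$DEMO_OUT"
ls -l "$DEMO_OUT"
```

On a real profile, run sswan_p12_to_pem ./myB64p12Key keys_out.txt first, then split_pem_bundle keys_out.txt ./vpn, and finish with check_key_matches_cert ./vpn/client.crt ./vpn/client.key before pointing NetworkManager at the files; a MISMATCH means the two certificates were swapped, and the subject/issuer lines in keys_out.txt will tell you which is which.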
According to this page, on Fedora you can just run
dnf install NetworkManager-strongswan NetworkManager-strongswan-gnome
set a few fields in NetworkManager, and everything will run smoothly!
If you have SELinux enabled, be careful to put these files in a valid context (you can check them with ls -Z); otherwise you’ll see a permission denied in your journalctl. Quick fix: put your files at the root of the