Extract the PKCS#12 file from the .sswan
Open the .sswan file; you should see something like this:
"type": "ikev2-cert"
So, according to the documentation, it’s certificate-based authentication.
We’ll need a CA certificate (usually provided separately, but if it’s not the case, don’t worry), a client certificate and a private key.
We’ll use the content of the p12 field of the .sswan file to get all of this.
"p12" : "i'm the interesting content"
First, put the content of the p12 field (without the double quotes) in a separate file, say myB64p12Key.
Decode the base64 file to an actual p12 file
base64 -d ./myB64p12Key > certsAndKeys.p12
Extract the certs and the key
openssl pkcs12 -in ./certsAndKeys.p12 -out keys_out.txt
You may have to enter your password a few times; if you get no error, everything ran fine.
Open the keys_out.txt file; you’ll see a structure like this:
Bag Attributes
localKeyID: ....
friendlyName: ...
subject=CN = matthieu-jacquot <= something looking like a client
issuer=CN = 123.123.123.123
-----BEGIN CERTIFICATE-----
MIIB7TCCAZOgAw....
I'm the client certificate
-----END CERTIFICATE-----
Bag Attributes: ...
subject=CN = 123.123.123.123 <= something looking seriously like an IP address
issuer=CN = 123.123.123.123
-----BEGIN CERTIFICATE-----
MIIBrzCCAV...
I'm the CA certificate
-----END CERTIFICATE-----
Bag Attributes
localKeyID: ...
friendlyName: ...
Key Attributes: ...
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIHj.
I'm the client's private key
-----END ENCRYPTED PRIVATE KEY-----
If you look closely, you’ll see 2 certificates and a private key; I gave you hints in order to differentiate the CA certificate from the client’s one.
Simply copy the 3 into 3 separate files, say cacert, clientcert and clientkey, so they look like this:
-----BEGIN ... -----
MIHj.flasdkfjlksdjlLKJ
lasdkfjlskdfjlkf
-----END ... -----
Extraction, done !
We could have split it with 3 different openssl commands, but your VPN will most likely not be very fond of the bag attributes above each one, so we would’ve had to remove them by hand anyway.
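The manual split above, automated as an added shell example (not from the original post): it reads keys_out.txt as produced by openssl pkcs12 and writes cacert, clientcert and clientkey without the Bag Attributes, telling the CA apart by its self-signed subject = issuer. The function name, output file names and the constructed keys_out.txt stand-in are this example's own.

```shell
# Added example (not from the original post): split keys_out.txt, the PEM
# written by "openssl pkcs12 -in certsAndKeys.p12 -out keys_out.txt", into
# cacert / clientcert / clientkey with no Bag Attributes. The CA is the
# certificate whose subject equals its issuer (self-signed, CN = 123.123.123.123 above).
split_pkcs12_pem() {
    awk -v out="$2" '
        /^subject=/ { subj = substr($0, 9) }
        /^issuer=/  { iss  = substr($0, 8) }
        /^-----BEGIN .*CERTIFICATE-----/ {
            dest = out ((subj == iss) ? "/cacert" : "/clientcert"); seen[dest]++
        }
        /^-----BEGIN .*PRIVATE KEY-----/ { dest = out "/clientkey"; seen[dest]++ }
        dest != "" { print > dest }          # only PEM lines reach the files
        /^-----END / { close(dest); dest = ""; subj = ""; iss = "" }
        END {                                # exactly one of each, or refuse
            if (seen[out "/cacert"] != 1 || seen[out "/clientcert"] != 1 ||
                seen[out "/clientkey"] != 1) {
                print "unexpected certificate/key layout, check " out " by hand" > "/dev/stderr"
                exit 1
            }
        }' "$1"
}

# Constructed stand-in for keys_out.txt (fake base64 bodies), same layout as the listing.
workdir=$(mktemp -d)
cat > "$workdir/keys_out.txt" <<'EOF'
Bag Attributes
    localKeyID: 01 02 03
subject=CN = matthieu-jacquot
issuer=CN = 123.123.123.123
-----BEGIN CERTIFICATE-----
MIIB7TCCAZOgAwCONSTRUCTEDCLIENTCERT
-----END CERTIFICATE-----
Bag Attributes: <No Attributes>
subject=CN = 123.123.123.123
issuer=CN = 123.123.123.123
-----BEGIN CERTIFICATE-----
MIIBrzCCAVCONSTRUCTEDCACERT
-----END CERTIFICATE-----
Bag Attributes
Key Attributes: <No Attributes>
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIHjCONSTRUCTEDPRIVATEKEY
-----END ENCRYPTED PRIVATE KEY-----
EOF
split_pkcs12_pem "$workdir/keys_out.txt" "$workdir"
```

On a real keys_out.txt, point the first argument at it and the second at the folder the VPN profile will read from; the function exits non-zero if it does not find exactly one CA certificate, one client certificate and one key.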
Connect
According to this page, on Fedora, you can just run
dnf install NetworkManager-strongswan NetworkManager-strongswan-gnome
set a few fields in NetworkManager and everything will run smoothly!
If you have SELinux activated, be careful to put these files in a valid context (you can check them with ls -Z), otherwise you’ll see a permission denied in your journalctl. Quick fix: put your files at the root of the ~/.cert folder.