Connect to a strongSwan VPN using an .sswan file on Linux

Extract the PKCS#12 bundle from the .sswan file

Open the .sswan file: it is a plain JSON document, and among its fields you should see something like this:

"type": "ikev2-cert"

So, according to the strongSwan documentation, this profile uses IKEv2 with client certificate authentication.

We'll need three things: the CA certificate (often shipped separately, but it doesn't matter if it isn't), the client certificate and the client's private key.

All three live in the p12 field of the .sswan file, which is a base64-encoded PKCS#12 bundle:

"p12" : "i'm the interesting content"

First, put the content of that field (without the double quotes) in a separate file, say myB64p12Key.

Decode the base64 file into an actual .p12 file:

base64 -d ./myB64p12Key > certsAndKeys.p12

Dump the certificates and the key as PEM:

openssl pkcs12 -in ./certsAndKeys.p12 -out keys_out.txt

You'll be asked for a password a few times: first the import password that protects the .p12 bundle, then a new PEM pass phrase (entered twice) that openssl uses to re-encrypt the exported private key. If there's no error, everything ran fine.

Open the keys_out.txt file; you'll see a structure like this:

Bag Attributes
    localKeyID: .... 
    friendlyName: ...
subject=CN = matthieu-jacquot <= something looking like a client

issuer=CN = 123.123.123.123

-----BEGIN CERTIFICATE-----
MIIB7TCCAZOgAw....
I'm the client certificate
-----END CERTIFICATE-----
Bag Attributes: ...
subject=CN = 123.123.123.123 <= something looking seriously like an IP address

issuer=CN = 123.123.123.123

-----BEGIN CERTIFICATE-----
MIIBrzCCAV...
I'm the CA certificate
-----END CERTIFICATE-----
Bag Attributes
    localKeyID: ... 
    friendlyName: ...
Key Attributes: ... 
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIHj.
I'm the client's private key
-----END ENCRYPTED PRIVATE KEY-----

If you look closely, you'll see two certificates and a private key. The hints above tell the CA certificate apart from the client's: the CA certificate is self-signed (its subject and issuer are identical, here the gateway's IP address), while the client certificate has your name as subject and the CA's subject as issuer.

Copy the three PEM blocks into three separate files, say cacert, clientcert and clientkey, so that each looks like this (and chmod 600 clientkey, since it is your private key):

-----BEGIN ... ----- 
MIHj.flasdkfjlksdjlLKJ
lasdkfjlskdfjlkf
-----END ... -----

Extraction done!

You could also split the bundle with three openssl commands (-clcerts -nokeys, -cacerts -nokeys and -nocerts), but each output still carries the Bag Attributes header above the PEM block, which your VPN client will most likely not be fond of, so you'd have to strip them anyway (piping the output through openssl x509, or openssl pkey for the key, does that for you).
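The whole extraction as one script, as an added example that is not part of the original post. It assumes the .sswan file is JSON with a "p12" field as shown above, that python3, base64 and openssl are installed, and that the bundle holds one client certificate, one self-signed CA certificate and one key (the layout seen above); the function name sswan_p12_to_pem and the output file names are this example's own choices. Besides splitting, it stores the key with mode 600 and checks that the pieces belong together, which is the same reasoning used above to tell the two certificates apart.

```shell
#!/bin/sh
# Added example (not from the original post): split the PKCS#12 bundle embedded
# in an .sswan profile into cacert.pem, clientcert.pem and clientkey.pem.
# Assumes python3, base64 and openssl; names below are this example's own.
set -eu

sswan_p12_to_pem() {
    sswan=$1; outdir=$2; pass=${3:-}
    mkdir -p "$outdir"
    p12="$outdir/bundle.p12"

    # The profile is JSON: read the "p12" field with python3's stdlib json
    # module (no jq needed) and base64-decode it into a real PKCS#12 blob.
    python3 -c 'import json, sys; print(json.load(open(sys.argv[1]))["p12"])' "$sswan" \
        | base64 -d > "$p12"

    # -clcerts keeps only the certificate tied to the key (the client cert);
    # piping through "openssl x509" drops the "Bag Attributes" header.
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -clcerts -nokeys \
        | openssl x509 > "$outdir/clientcert.pem"

    # -cacerts keeps the remaining certificate(s); "openssl x509" re-emits the
    # first one clean and fails loudly if the bundle carried no CA at all.
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -cacerts -nokeys \
        | openssl x509 > "$outdir/cacert.pem"

    # -nocerts -nodes writes the key unencrypted (no second pass phrase
    # prompt); "openssl pkey" strips the attribute headers. The subshell's
    # umask makes the file 0600 from the moment it is created.
    ( umask 077
      openssl pkcs12 -in "$p12" -passin "pass:$pass" -nocerts -nodes \
          | openssl pkey > "$outdir/clientkey.pem" )

    # Sanity checks, the same hints used when reading the dump by eye:
    # the CA cert is self-signed (subject == issuer), the client cert was
    # issued by that CA, and the private key matches the client cert.
    ca_subj=$(openssl x509 -in "$outdir/cacert.pem" -noout -subject)
    ca_iss=$(openssl x509 -in "$outdir/cacert.pem" -noout -issuer)
    cl_iss=$(openssl x509 -in "$outdir/clientcert.pem" -noout -issuer)
    [ "${ca_subj#subject=}" = "${ca_iss#issuer=}" ] \
        || { echo "cacert.pem is not self-signed" >&2; return 1; }
    [ "${cl_iss#issuer=}" = "${ca_subj#subject=}" ] \
        || { echo "clientcert.pem was not issued by cacert.pem" >&2; return 1; }
    cert_pub=$(openssl x509 -in "$outdir/clientcert.pem" -noout -pubkey)
    key_pub=$(openssl pkey -in "$outdir/clientkey.pem" -pubout)
    [ "$cert_pub" = "$key_pub" ] \
        || { echo "clientkey.pem does not match clientcert.pem" >&2; return 1; }

    # The decoded bundle is no longer needed; don't leave a second copy around.
    rm -f "$p12"
}

# Usage: sh extract_sswan.sh profile.sswan outdir [p12-import-password]
[ -z "${1:-}" ] || sswan_p12_to_pem "$1" "${2:-./extracted}" "${3:-}"
```

Two caveats: a bundle with an intermediate CA needs the -cacerts output kept whole (an awk range over the BEGIN/END CERTIFICATE lines instead of openssl x509), and a very old .p12 encrypted with RC2-40 needs the -legacy flag on OpenSSL 3.x.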

Connect

According to this page, on Fedora you can just run

sudo dnf install NetworkManager-strongswan NetworkManager-strongswan-gnome

then create a strongSwan (IPsec/IKEv2) connection in NetworkManager, set the gateway address, choose certificate authentication and point the CA certificate, client certificate and private key fields at the three files you extracted; everything should run smoothly.

If SELinux is enforcing, make sure these files carry a context that charon is allowed to read (check with ls -Z; files moved from elsewhere with mv keep their old label), otherwise you'll see a permission denied in journalctl. Quick fix: put the three files directly in the ~/.cert folder, which is labelled home_cert_t, and run restorecon -Rv ~/.cert if they were moved in rather than created there.


A question or comment ? Feel free to reach me on Twitter
