# Connect to StrongSwan VPN using an .sswan file on Linux

## Extract the PKCS#12 file from the .sswan

Open the .sswan file. You should see something like this:

```
"type": "ikev2-cert"
```


So, according to the documentation, it’s certificate authentication.

We’ll need a CA certificate (usually provided separately, but don’t worry if it isn’t), a client certificate and a private key.

We’ll use the content of the p12 field of the .sswan file to get all of this.

```
"p12" : "I'm the interesting content"
```


First, put the content of the p12 field (without the double quotes) in a separate file, say myB64p12Key.

Decode the base64 file to an actual p12 file:

```sh
base64 -d ./myB64p12Key > certsAndKeys.p12
```


## Extract the certs and the key

```sh
openssl pkcs12 -in ./certsAndKeys.p12 -out keys_out.txt
```


You may have to enter your password a few times. If you get no error, everything ran fine.

Open the keys_out.txt file, you’ll see a structure like this:

```
Bag Attributes
localKeyID: ....
friendlyName: ...
subject=CN = matthieu-jacquot <= something looking like a client

issuer=CN = 123.123.123.123

-----BEGIN CERTIFICATE-----
MIIB7TCCAZOgAw....
I'm the client certificate
-----END CERTIFICATE-----
Bag Attributes: ...
subject=CN = 123.123.123.123 <= something looking seriously like an IP address

issuer=CN = 123.123.123.123

-----BEGIN CERTIFICATE-----
MIIBrzCCAV...
I'm the CA certificate
-----END CERTIFICATE-----
Bag Attributes
localKeyID: ...
friendlyName: ...
Key Attributes: ...
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIHj.
I'm the client's private key
-----END ENCRYPTED PRIVATE KEY-----
```



If you look closely, you’ll see 2 certificates and a private key. I gave you hints to differentiate the CA certificate from the client’s one.

Simply copy the 3 into 3 separate files, say cacert, clientcert and clientkey, so that each looks like this:

```
-----BEGIN ... -----
MIHj.flasdkfjlksdjlLKJ
lasdkfjlskdfjlkf
-----END ... -----
```


Extraction done!

We could have split it with 3 different openssl commands, but your VPN will most likely not be very fond of the bag attributes above each one, so we would have had to remove them by hand anyway.
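The manual copy into cacert, clientcert and clientkey can also be scripted. The function below is an added example, not part of the original post: the name `split_pkcs12_dump` is hypothetical, and it assumes the dump holds one client certificate, one self-signed CA certificate (subject equal to issuer, as in the sample output above) and one private key.

```shell
#!/bin/sh
# Added example, not from the original page.
# split_pkcs12_dump DUMP OUTDIR
#   DUMP   : text written by `openssl pkcs12 -in ... -out keys_out.txt`
#   OUTDIR : directory that receives cacert, clientcert and clientkey
# Assumption: the CA certificate is self-signed (subject == issuer).
# Usage: split_pkcs12_dump keys_out.txt ~/.cert
split_pkcs12_dump() {
    dump=$1
    outdir=$2
    [ -r "$dump" ] || { echo "cannot read $dump" >&2; return 1; }
    mkdir -p "$outdir" || return 1
    rm -f "$outdir/cacert" "$outdir/clientcert" "$outdir/clientkey"
    # Subshell so the restrictive umask (files created 0600) does not leak out.
    (
        umask 077
        awk -v dir="$outdir" '
            # Remember the names printed just above each PEM block.
            /^subject=/ { subj = substr($0, 9) }
            /^issuer=/  { iss  = substr($0, 8) }
            /^-----BEGIN .*PRIVATE KEY-----$/ { out = dir "/clientkey" }
            /^-----BEGIN CERTIFICATE-----$/ {
                out = dir "/" ((subj != "" && subj == iss) ? "cacert" : "clientcert")
            }
            # Only lines between BEGIN and END are copied, so the
            # "Bag Attributes" and "Key Attributes" headers are dropped.
            out != "" { print >> out }
            /^-----END / { if (out != "") close(out); out = ""; subj = ""; iss = "" }
        ' "$dump"
    ) || return 1
    # Fail loudly if one of the three expected pieces was not found.
    for f in cacert clientcert clientkey; do
        [ -s "$outdir/$f" ] || { echo "missing $f in $dump" >&2; return 1; }
    done
}
```

The three output files are created with mode 0600. myB64p12Key, certsAndKeys.p12 and keys_out.txt still contain the key material and can be deleted once the split files are in place.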

## Connect

```sh
dnf install NetworkManager-strongswan NetworkManager-strongswan-gnome
```

If you have SELinux enabled, be careful to put these files in a valid context (you can check it with `ls -Z`), otherwise you’ll see a permission denied error in your journalctl. Quick fix: put your files at the root of the ~/.cert folder.