Project

General

Profile

Actions

Feature #9878

closed

IPsec PKCS#11 authentication

Added by Viktor Gurov about 5 years ago. Updated about 5 years ago.

Status:
Resolved
Priority:
Normal
Category:
IPsec
Target version:
Start date:
11/03/2019
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Release Notes:

Description

Add ability to select and configure PKCS#11 RSA authentication in WebGUI

you need to install packages: ccid-1.4.30.txz, opensc-0.19.0.txz, pcsc-lite-1.8.24,2.txz + dependencies
and uncomment in /usr/local/etc/strongswan.d/charon/pkcs11.conf:

modules {
        opensc {
            load_certs = yes
            path = /usr/local/lib/opensc-pkcs11.so
        }
    }

add <earlyshellcmd>/usr/local/sbin/pcscd</earlyshellcmd> in /cf/conf/config.xml above </system>

successfully tested with Aktiv Co. Rutoken ECP: https://github.com/OpenSC/OpenSC/wiki/Aktiv-Co.-Rutoken-ECP
failed with Alladin eToken PRO 72K Java (uses proprietary pkcs11 library, not available for bsd): https://github.com/OpenSC/OpenSC/wiki/Aladdin-eToken-PRO

tested on pfSense 2.5.0.a.20191028.1945 (SG-1000)
IPsec tunnel with pfSense 2.4.4-p3

also see https://wiki.strongswan.org/projects/strongswan/wiki/SmartCards for reference

WARNING! test it only when pcscd daemon is running, or charon will flood your logs!


Files

Screenshot from 2019-11-03 17-54-54.png (48.3 KB) Screenshot from 2019-11-03 17-54-54.png WebGUI options Viktor Gurov, 11/03/2019 08:56 AM
Actions #2

Updated by Jim Pingle about 5 years ago

  • Status changed from New to Pull Request Review
  • Target version deleted (2.5.0)
Actions #3

Updated by Viktor Gurov about 5 years ago

for today only CheckPoint support PKCS#11 tokens

most of other vendors (Palo Alto, Riverbed, Huawei, Fortinet, F5) supports only HSM,
some of them supports PKCS#11 only by clients hosts (Fortinet, Sophos)

Actions #4

Updated by Renato Botelho about 5 years ago

  • Status changed from Pull Request Review to Feedback
  • Assignee set to Renato Botelho
  • Target version set to 2.5.0
  • % Done changed from 0 to 100

PR has been merged. Thanks!

Actions #5

Updated by Viktor Gurov about 5 years ago

  • Status changed from Feedback to Resolved

Renato Botelho wrote:

PR has been merged. Thanks!

tested on pfSense 2.5.0.a.20191223.2203 with Yubikey 4 (FIPS)

works as expected,
Resolved

Actions

Also available in: Atom PDF