[strongSwan] Need help reviewing a tutorial on smartcards

Dimitrios Siganos dimitris at siganos.org
Fri Apr 9 16:59:23 CEST 2010 

François Pérou wrote:
> On Fri, 2010-04-09 at 11:35 +0100, Dimitrios Siganos wrote:
>   
>> It sounds right. But obviously that depends on default directory 
>> settings and ipsec.conf configuration. You can also use absolute 
>> pathnames. I do that sometimes to simplify things when I get confused.
>>
>> Without some debug logs I can't help anymore. Also, upgrade to the 
>> latest strongswan. If you are using emails in the DN (it is very 
>> common), it won't work unless you upgrade to 4.3.5 at least. 
>>     
>
> I followed your information on Carol road warrior and updated:
> http://www.gooze.eu/howto/using-strongswan-with-smart-cards/configuring-road-warrior-carol
>
> ipsec secrets
> 002 forgetting secrets
> 002 loading secrets from "/etc/ipsec.secrets"
> 040 need PIN for #1 (slot: 5, id:
> 7645d913d5b4e0************2324c23a7ebf4, label: 'CAcert WoT User's Root
> CA ID')
> Enter: 
> 004 valid PIN
> 002   valid pin for #1 (slot: 5, id:
> 7645d913d5b4e0************2324c23a7ebf4)
> acer:/home/jmpoure# ipsec up home
> 002 "home" #1: initiating Main Mode
> 002 "home" #1: ike alg: unable to locate my private key
> 002 "home" #1: ike alg: unable to locate my private key
> 003 "home" #1: empty ISAKMP SA proposal to send (no algorithms for ike
> selection?)
>
>
> config setup
>     crlcheckinterval=180
>     strictcrlpolicy=no
>     charonstart=no
>     plutostart=yes
>     pkcs11module = /usr/lib/opensc-pkcs11.so
>     pkcs11keepstate=yes
>     plutodebug = all # During testing you will need full-debug
>     plutostderrlog = /var/log/pluto.log 
>
> conn %default
>     ikelifetime=60m
>     keylife=20m
>     rekeymargin=3m
>     keyingtries=1
>     keyexchange=ikev1
>
> conn home
>     left=%defaultroute
>     leftcert=%smartcard
>     leftfirewall=yes
>     right=192.168.0.1
>     rightid=@moon.strongswan.org
>     rightsubnet=10.1.0.0/16
>     auto=add
>
> And the log:
>
> Using Linux 2.6 IPsec interface code
> | finish_pfkey_msg: SADB_REGISTER message 1 for AH 
> |   02 07 00 02  02 00 00 00  01 00 00 00  92 1b 00 00
> | pfkey_get: SADB_REGISTER message 1
> | AH registered with kernel.
> | finish_pfkey_msg: SADB_REGISTER message 2 for ESP 
> |   02 07 00 03  02 00 00 00  02 00 00 00  92 1b 00 00
> | pfkey_get: SADB_REGISTER message 2
> | alg_init(): memset(0x7f4777352f60, 0, 2016) memset(0x7f4777353740, 0,
> 2032)
> | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: sadb_msg_len=20
> sadb_supported_len=56
> | kernel_alg_add(): satype=3, exttype=14, alg_id=251
> | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[0], exttype=14,
> satype=3, alg_id=251, alg_ivlen=0, alg_minbits=0, alg_maxbits=0, res=0,
> ret=1
> | kernel_alg_add(): satype=3, exttype=14, alg_id=2
> | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[1], exttype=14,
> satype=3, alg_id=2, alg_ivlen=0, alg_minbits=128, alg_maxbits=128,
> res=0, ret=1
> | kernel_alg_add(): satype=3, exttype=14, alg_id=3
> | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[2], exttype=14,
> satype=3, alg_id=3, alg_ivlen=0, alg_minbits=160, alg_maxbits=160,
> res=0, ret=1
> | kernel_alg_add(): satype=3, exttype=14, alg_id=5
> | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[3], exttype=14,
> satype=3, alg_id=5, alg_ivlen=0, alg_minbits=256, alg_maxbits=256,
> res=0, ret=1
> | kernel_alg_add(): satype=3, exttype=14, alg_id=8
> | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[4], exttype=14,
> satype=3, alg_id=8, alg_ivlen=0, alg_minbits=160, alg_maxbits=160,
> res=0, ret=1
> | kernel_alg_add(): satype=3, exttype=14, alg_id=9
> | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[5], exttype=14,
> satype=3, alg_id=9, alg_ivlen=0, alg_minbits=128, alg_maxbits=128,
> res=0, ret=1
> | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: sadb_msg_len=20
> sadb_supported_len=88
> | kernel_alg_add(): satype=3, exttype=15, alg_id=11
> | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[6], exttype=15,
> satype=3, alg_id=11, alg_ivlen=0, alg_minbits=0, alg_maxbits=0, res=0,
> ret=1
> | kernel_alg_add(): satype=3, exttype=15, alg_id=2
> | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[7], exttype=15,
> satype=3, alg_id=2, alg_ivlen=8, alg_minbits=64, alg_maxbits=64, res=0,
> ret=1
> | kernel_alg_add(): satype=3, exttype=15, alg_id=3
> | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[8], exttype=15,
> satype=3, alg_id=3, alg_ivlen=8, alg_minbits=192, alg_maxbits=192,
> res=0, ret=1
> | kernel_alg_add(): satype=3, exttype=15, alg_id=6
> | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[9], exttype=15,
> satype=3, alg_id=6, alg_ivlen=8, alg_minbits=40, alg_maxbits=128, res=0,
> ret=1
> | kernel_alg_add(): satype=3, exttype=15, alg_id=7
> | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[10], exttype=15,
> satype=3, alg_id=7, alg_ivlen=8, alg_minbits=40, alg_maxbits=448, res=0,
> ret=1
> | kernel_alg_add(): satype=3, exttype=15, alg_id=12
> | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[11], exttype=15,
> satype=3, alg_id=12, alg_ivlen=8, alg_minbits=128, alg_maxbits=256,
> res=0, ret=1
> | kernel_alg_add(): satype=3, exttype=15, alg_id=252
> | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[12], exttype=15,
> satype=3, alg_id=252, alg_ivlen=8, alg_minbits=128, alg_maxbits=256,
> res=0, ret=1
> | kernel_alg_add(): satype=3, exttype=15, alg_id=22
> | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[13], exttype=15,
> satype=3, alg_id=22, alg_ivlen=8, alg_minbits=128, alg_maxbits=256,
> res=0, ret=1
> | kernel_alg_add(): satype=3, exttype=15, alg_id=253
> | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[14], exttype=15,
> satype=3, alg_id=253, alg_ivlen=8, alg_minbits=128, alg_maxbits=256,
> res=0, ret=1
> | kernel_alg_add(): satype=3, exttype=15, alg_id=13
> | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[15], exttype=15,
> satype=3, alg_id=13, alg_ivlen=8, alg_minbits=128, alg_maxbits=256,
> res=0, ret=1
> | ESP registered with kernel.
> | finish_pfkey_msg: SADB_REGISTER message 3 for IPCOMP 
> |   02 07 00 09  02 00 00 00  03 00 00 00  92 1b 00 00
> | pfkey_get: SADB_REGISTER message 3
> | IPCOMP registered with kernel.
> Changing to directory '/etc/ipsec.d/cacerts'
> Changing to directory '/etc/ipsec.d/aacerts'
> Changing to directory '/etc/ipsec.d/ocspcerts'
> Changing to directory '/etc/ipsec.d/crls'
> Changing to directory '/etc/ipsec.d/acerts'
> | inserting event EVENT_LOG_DAILY, timeout in 39413 seconds
> | next event EVENT_REINIT_SECRET in 3600 seconds
> | 
> | *received whack message
> listening for IKE messages
> | found lo with address 127.0.0.1
> | found eth0 with address 192.168.2.2
> adding interface eth0/eth0 192.168.2.2:500
> adding interface lo/lo 127.0.0.1:500
> | found lo with address 0000:0000:0000:0000:0000:0000:0000:0001
> adding interface lo/lo ::1:500
> | certs and keys locked by 'free_preshared_secrets'
> | certs and keys unlocked by 'free_preshard_secrets'
> loading secrets from "/etc/ipsec.secrets"
>   pin entry via prompt for #1 (slot: 5, id:
> 7645d9***************************7ebf4)
> | certs and keys locked by 'process_secret'
> | certs and keys unlocked by 'process_secrets'
> | next event EVENT_REINIT_SECRET in 3600 seconds
> | 
> | *received whack message
> | from whack: got --esp=aes128-sha1,3des-sha1
> | esp alg added: AES_CBC_128/HMAC_SHA1, cnt=1
> | esp alg added: 3DES_CBC_0/HMAC_SHA1, cnt=2
> | esp proposal: AES_CBC_128/HMAC_SHA1, 3DES_CBC/HMAC_SHA1, 
> | from whack: got --ike=aes128-sha1-modp2048,3des-sha1-modp1536
> | ikg alg added: AES_CBC_128/HMAC_SHA1/MODP_2048, cnt=1
> | ikg alg added: 3DES_CBC_0/HMAC_SHA1/MODP_1536, cnt=2
> | ike proposal: AES_CBC_128/HMAC_SHA1/MODP_2048,
> 3DES_CBC/HMAC_SHA1/MODP_1536, 
>   using cached cert from smartcard #1 (slot: 5, id:
> 7645d913*********************3a7ebf4, label: 'CAcert WoT User's Root CA
> ID')
> added connection description "home"
> | 192.168.2.2[CN=CAcert WoT User, E=jmp**********,
> E=234af363446d11**************51cec7]---192.168.2.254...88.160.*.*[@**************]===192.168.0.0/16
> | ike_life: 3600s; ipsec_life: 1200s; rekey_margin: 180s; rekey_fuzz:
> 100%; keyingtries: 1; policy: PUBKEY+ENCRYPT+TUNNEL+PFS
> | next event EVENT_REINIT_SECRET in 3600 seconds
> | 
> | *received whack message
> | certs and keys locked by 'free_preshared_secrets'
> forgetting secrets
> | certs and keys unlocked by 'free_preshard_secrets'
> loading secrets from "/etc/ipsec.secrets"
> | fetch thread started
> | next regular crl check in 180 seconds
> | pkcs11 session #139944923392992 for searching slot 5
> | found token with id 7645***************************c23a7ebf4 in slot 5
> | pkcs11 session #139944923392992 opened
> | PIN code correct
> | pkcs11 session #139944923392992 login successful
> | pkcs11 session #139944923392992 logout
> | pkcs11 session #139944923392992 closed
>   valid pin for #1 (slot: 5, id: 7645d91********************ebf4)
> | certs and keys locked by 'process_secret'
> | certs and keys unlocked by 'process_secrets'
> | next event EVENT_REINIT_SECRET in 3598 seconds
> | 
> | *received whack message
> | creating state object #1 at 0x7f4777726c40
> | ICOOKIE:  72 6d a8 fe  26 a7 c5 62
> | RCOOKIE:  00 00 00 00  00 00 00 00
> | peer:  58 a0 a8 21
> | state hash entry 24
> | inserting event EVENT_SO_DISCARD, timeout in 0 seconds for #1
> | Queuing pending Quick Mode with 88.160.168.33 "home"
> "home" #1: initiating Main Mode
> | **emit ISAKMP Message:
> |    initiator cookie:
> |   72 6d a8 fe  26 a7 c5 62
> |    responder cookie:
> |   00 00 00 00  00 00 00 00
> |    next payload type: ISAKMP_NEXT_SA
> |    ISAKMP version: ISAKMP Version 1.0
> |    exchange type: ISAKMP_XCHG_IDPROT
> |    flags: none
> |    message ID:  00 00 00 00
> | ***emit ISAKMP Security Association Payload:
> |    next payload type: ISAKMP_NEXT_VID
> |    DOI: ISAKMP_DOI_IPSEC
> | ****emit IPsec DOI SIT:
> |    IPsec DOI SIT: SIT_IDENTITY_ONLY
> | ike proposal: AES_CBC_128/HMAC_SHA1/MODP_2048,
> 3DES_CBC/HMAC_SHA1/MODP_1536, 
> "home" #1: ike alg: unable to locate my private key
> "home" #1: ike alg: unable to locate my private key
> "home" #1: empty ISAKMP SA proposal to send (no algorithms for ike
> selection?)
> | next event EVENT_SO_DISCARD in 0 seconds for #1
> | 
> | *time to handle event
> | event after this is EVENT_REINIT_SECRET in 3594 seconds
> | ICOOKIE:  72 6d a8 fe  26 a7 c5 62
> | RCOOKIE:  00 00 00 00  00 00 00 00
> | peer:  58 a0 a8 21
> | state hash entry 24
> | next event EVENT_REINIT_SECRET in 3594 seconds
> |  
> | *time to check crls and the ocsp cache
> | ocsp cache locked by 'check_ocsp'
> | ocsp cache unlocked by 'check_ocsp'
> | crl list locked by 'check_crls'
> | crl list unlocked by 'check_crls'
> | ocsp fetch request list locked by 'fetch_ocsp'
> | ocsp fetch request list unlocked by 'fetch_ocsp'
> | crl fetch request list locked by 'fetch_crls'
> | crl fetch request list unlocked by 'fetch_crls'
> | next regular crl check in 180 seconds
>
> It seems that this configuration is not able to fetch RSA public key. Am
> I right? Should I specify leftid?
>
> Kind regards
>   
I am totally out of my depth here, I have never used pluto nor 
smartcards before.

But the logs are saying that it can't find your private kays. The logs 
also suggest that it loads at least one certificate from the smartcard. 
I would suspect your ipsec.secrets file here. But I don't know how you 
are supposed to tell strongswan which private key to use from the 
smartcard (there could many). It makes sense that it needs to be told 
but how do we do that?

We need someone who has smartcard experience here.

Dimitrios Siganos

More information about the Users mailing list