[strongSwan] Need help reviewing a tutorial on smartcards

Dimitrios Siganos dimitris at siganos.org
Fri Apr 9 01:51:03 CEST 2010


Charon (the IKEv2 daemon) does not support the %smartcard configuration 
specifier. Only pluto (IKEv1) does. Either use IKEv1 or hope for an 
answer to this question, which I recently posted myself :-)

"charon IKEv2 usb smartcard dongle integration"
<http://www.mail-archive.com/users@lists.strongswan.org/msg01798.html>

Dimitrios Siganos

François Pérou wrote:
> Dear friends,
>
> I am writing a tutorial on smartcards for strongSwan:
> http://www.gooze.eu/howto/using-strongswan-with-smart-cards
>
> I cannot configure roadwarrior Carol with smartcards:
> http://www.gooze.eu/howto/using-strongswan-with-smart-cards/configuring-road-warrior-carol
>
> %smartcard is not recognized:
>
> 01[DMN] Starting IKEv2 charon daemon (strongSwan 4.3.2)
> 01[LIB] loading plugin 'sha1'
> failed: /usr/lib/ipsec/plugins/libstrongswan-sha1.so: cannot open shared
> object file: No such file or directory
> 01[LIB] loading plugin 'fips-prf'
> failed: /usr/lib/ipsec/plugins/libstrongswan-fips-prf.so: cannot open
> shared object file: No such file or directory
> 01[KNL] listening on interfaces:
> 01[KNL]   eth0
> 01[KNL]   wlan0
> 01[KNL]     192.168.0.7
> 01[KNL]     fe80::21c:26ff:feca:223b
> 01[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
> 01[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
> 01[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
> 01[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
> 01[CFG] loading crls from '/etc/ipsec.d/crls'
> 01[CFG] loading secrets from '/etc/ipsec.secrets'
> 01[CFG] line 11: the given %smartcard specifier is not supported or
> invalid
> 01[LIB] loading plugin 'sql'
> failed: /usr/lib/ipsec/plugins/libstrongswan-sql.so: cannot open shared
> object file: No such file or directory
> 01[LIB] loading plugin 'attr'
> failed: /usr/lib/ipsec/plugins/libstrongswan-attr.so: cannot open shared
> object file: No such file or directory
> 01[CFG] no RADUIS secret defined
> 01[CFG] RADIUS plugin initialization failed
> 01[LIB] loading plugin 'eapradius' failed: plugin_create() returned NULL
> 01[CFG] mediation database URI not defined, skipped
> 01[LIB] loading plugin 'medsrv' failed: plugin_create() returned NULL
> 01[CFG] mediation client database URI not defined, skipped
> 01[LIB] loading plugin 'medcli' failed: plugin_create() returned NULL
> 01[LIB] loading plugin 'nm'
> failed: /usr/lib/ipsec/plugins/libstrongswan-nm.so: cannot open shared
> object file: No such file or directory
> 01[LIB] loading plugin 'resolv-conf'
> failed: /usr/lib/ipsec/plugins/libstrongswan-resolv-conf.so: cannot open
> shared object file: No such file or directory
> 01[DMN] loaded plugins: curl ldap random x509 pubkey openssl xcbc hmac
> agent gmp kernel-netlink stroke updown eapidentity eapmd5 eapgtc eapaka
> eapmschapv2
> 01[JOB] spawning 16 worker threads
> 05[CFG] received stroke: add connection 'home'
> 05[CFG] left nor right host is our side, assuming left=local
> 05[LIB]   reading file '/etc/ipsec.d/certs/%smartcard' failed
> 05[LIB] failed to create a builder for credential type CRED_CERTIFICATE,
> subtype (1)
> 05[CFG] added configuration 'home'
> 01[DMN] signal of type SIGINT received. Shutting down
>
> pkcs11-tool -L
> Available slots:
> Slot 4294967295          Virtual hotplug slot
>   (empty)
> Slot 1           Feitian SCR301 01 00
>   token label:   Jean-Michel Pouré (User PIN)
>   token manuf:   EnterSafe
>   token model:   PKCS#15
>   token flags:   rng, login required, PIN initialized, token initialized
>   serial num  :  2998511513171109
> Slot 2           Feitian SCR301 01 00
>   (empty)
> Slot 3           Feitian SCR301 01 00
>   (empty)
> Slot 4           Feitian SCR301 01 00
>   (empty)
>
> pkcs11-tool --slot 1 --list-objects
> Public Key Object; RSA 2048 bits
>   label:      Public Key
>   ID:         7645d913d5b4exxxxxxxxxxxxxxxx02324c23a7ebf4
>   Usage:      none
> Certificate Object, type = X.509 cert
>   label:      CAcert WoT User's Root CA ID
>   ID:         7645d913d5b4xxxxxxxxxxxxxxxx02324c23a7ebf4
> Public Key Object; RSA 2048 bits
>   label:      Public Key
>   ID:         6d0534d04axxxxxxxxxxxxxxxxxx571deec58
>   Usage:      none
> Certificate Object, type = X.509 cert
>   label:      StartCom Free Certificate Member's StartCom Ltd. ID
>   ID:         6d0534d04axxxxxxxxxxxxx7a2e33571deec58
>
> Could you help and review these settings?
> What debug information can I provide?
>
> Kind regards,
> François
>
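A small triage script for the kind of charon start-up log François posted, added here as an example; it is not code from the thread or from the strongSwan project. It assumes only the line format visible above (a two-digit thread id, a bracketed subsystem tag, then the message) and that a line without that prefix is a continuation of the previous one, which is what mail-client wrapping produced in the quoted output. The sample log is constructed from the lines in the post.

```python
"""Triage a strongSwan charon start-up log (added example, not strongSwan code).

Pulls out the three things worth checking before editing a smartcard setup:
plugins that failed to load, ipsec.secrets specifiers the daemon rejected, and
credential files it could not read.  The regexes are assumptions based on the
message format seen in the mailing-list post, not on strongSwan's source.
"""
import re

LINE_RE = re.compile(r"^(?P<tid>\d{2})\[(?P<sub>[A-Z]+)\]\s*(?P<msg>.*)$")
DAEMON_RE = re.compile(r"Starting (?P<daemon>\S+ \S+) daemon \(strongSwan (?P<version>[^)]+)\)")
PLUGIN_FAIL_RE = re.compile(r"loading plugin '(?P<name>[^']+)' failed: (?P<why>.*)")
SECRETS_RE = re.compile(r"line (?P<line>\d+): the given (?P<spec>%\w+) specifier is not supported or invalid")
LOADED_RE = re.compile(r"loaded plugins: (?P<names>.*)")
FILE_RE = re.compile(r"reading file '(?P<path>[^']+)' failed")

# Constructed sample, taken from the post and trimmed; note the wrapped lines.
SAMPLE_LOG = """\
01[DMN] Starting IKEv2 charon daemon (strongSwan 4.3.2)
01[LIB] loading plugin 'sha1'
failed: /usr/lib/ipsec/plugins/libstrongswan-sha1.so: cannot open shared
object file: No such file or directory
01[LIB] loading plugin 'fips-prf'
failed: /usr/lib/ipsec/plugins/libstrongswan-fips-prf.so: cannot open
shared object file: No such file or directory
01[CFG] loading secrets from '/etc/ipsec.secrets'
01[CFG] line 11: the given %smartcard specifier is not supported or
invalid
01[LIB] loading plugin 'sql'
failed: /usr/lib/ipsec/plugins/libstrongswan-sql.so: cannot open shared
object file: No such file or directory
01[LIB] loading plugin 'attr'
failed: /usr/lib/ipsec/plugins/libstrongswan-attr.so: cannot open shared
object file: No such file or directory
01[LIB] loading plugin 'eapradius' failed: plugin_create() returned NULL
01[LIB] loading plugin 'nm'
failed: /usr/lib/ipsec/plugins/libstrongswan-nm.so: cannot open shared
object file: No such file or directory
01[LIB] loading plugin 'resolv-conf'
failed: /usr/lib/ipsec/plugins/libstrongswan-resolv-conf.so: cannot open
shared object file: No such file or directory
01[DMN] loaded plugins: curl ldap random x509 pubkey openssl xcbc hmac
agent gmp kernel-netlink stroke updown eapidentity eapmd5 eapgtc eapaka
eapmschapv2
05[CFG] received stroke: add connection 'home'
05[LIB]   reading file '/etc/ipsec.d/certs/%smartcard' failed
05[CFG] added configuration 'home'
"""


def unwrap(text):
    """Re-join lines that a mail client wrapped: a line without the
    'NN[SUB]' prefix belongs to the previous log record."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if LINE_RE.match(line) or not records:
            records.append(line)
        else:
            records[-1] = records[-1] + " " + line
    return records


def triage(text):
    """Return a dict summarising daemon version, plugin failures, rejected
    secrets specifiers, loaded plugins and unreadable credential files."""
    report = {"daemon": None, "version": None, "plugin_failures": {},
              "unsupported_secrets": [], "loaded_plugins": [], "unreadable_files": []}
    for record in unwrap(text):
        msg = LINE_RE.match(record).group("msg")
        if (m := DAEMON_RE.search(msg)):
            report["daemon"], report["version"] = m["daemon"], m["version"]
        elif (m := PLUGIN_FAIL_RE.search(msg)):
            report["plugin_failures"][m["name"]] = m["why"]
        elif (m := SECRETS_RE.search(msg)):
            report["unsupported_secrets"].append((int(m["line"]), m["spec"]))
        elif (m := LOADED_RE.search(msg)):
            report["loaded_plugins"] = m["names"].split()
        elif (m := FILE_RE.search(msg)):
            report["unreadable_files"].append(m["path"])
    return report


def findings(report):
    """Turn the report into human-readable notes: a rejected specifier is a
    config/daemon mismatch; a missing .so is a packaging problem, not a
    configuration one."""
    notes = []
    for lineno, spec in report["unsupported_secrets"]:
        notes.append(f"ipsec.secrets line {lineno}: {spec} is rejected by "
                     f"{report['daemon']} {report['version']}")
    for name, why in report["plugin_failures"].items():
        if "No such file" in why:
            notes.append(f"plugin '{name}' is enabled but its shared object is not installed")
    return notes


if __name__ == "__main__":
    for note in findings(triage(SAMPLE_LOG)):
        print(note)
```

Running it on the sample separates the one real problem (line 11 of ipsec.secrets uses a specifier this charon build rejects) from the noise of plugins whose shared objects simply are not installed, and it also surfaces the `/etc/ipsec.d/certs/%smartcard` read failure that shows charon treated the specifier as a plain file name.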
