[strongSwan] Need help reviewing a tutorial on smartcards
dimitris at siganos.org
Fri Apr 9 12:35:21 CEST 2010
François Pérou wrote:
> On Fri, 2010-04-09 at 07:58 +0200, François Pérou wrote:
> Dear Dimitrios,
> I modified to have pluto running in debug mode on Carol:
> This seems to work fine on Carol side with pluto.
> PIN and credentials are cached.
> I can run ipsec listcards.
> Many thanks.
> Now I have some problem on the most simple part: Moon.
> 1) Should I also run pluto on Moon? I guess no, charon should work also?
Yes, pluto must be running on both sides. I would also disable charon on
both sides to simplify the setup.
> 2) Should I use keyexchange=ikev2 or keyexchange=ikev1?
keyexchange=ikev1 on both sides
> 3) I installed carol PEM cert in /etc/ipsec.d/certs/carolCert.pem. Is
> this the right location?
It sounds right. But obviously that depends on default directory
settings and ipsec.conf configuration. You can also use absolute
pathnames. I do that sometimes to simplify things when I get confused.
Without some debug logs I can't help anymore. Also, upgrade to the
latest strongswan. If you are using emails in the DN (it is very
common), it won't work unless you upgrade to 4.3.5 at least.
Thank you for your reply to my question and i would be interested in
buying a usb dongle. But it would be better to reply separately to my
question (for future reference), because our questions, although
related, are not on the same topic.
More information about the Users