[strongSwan] Need help reviewing a tutorial on smartcards

Dimitrios Siganos dimitris at siganos.org
Fri Apr 9 12:35:21 CEST 2010

François Pérou wrote:
> On Fri, 2010-04-09 at 07:58 +0200, François Pérou wrote:
> Dear Dimitrios,
> I modified to have pluto running in debug mode on Carol:
> http://www.gooze.eu/howto/using-strongswan-with-smart-cards/configuring-road-warrior-carol
> This seems to work fine on Carol side with pluto. 
> PIN and credentials are cached. 
> I can run ipsec listcards.
> Many thanks.
> Now I have some problem on the most simple part: Moon.
> 1) Should I also run pluto on Moon? I guess no, charon should work also?
Yes, pluto must be running on both sides. I would also disable charon on 
both sides to simplify the setup.

> 2) Should I use keyexchange=ikev2 or keyexchange=ikev1?
keyexchange=ikev1 on both sides

> 3) I installed carol PEM cert in /etc/ipsec.d/certs/carolCert.pem. Is
> this the right location?
It sounds right. But obviously that depends on default directory 
settings and ipsec.conf configuration. You can also use absolute 
pathnames. I do that sometimes to simplify things when I get confused.

Without some debug logs I can't help anymore. Also, upgrade to the 
latest strongSwan. If you are using emails in the DN (it is very
common), it won't work unless you upgrade to 4.3.5 at least.

Thank you for your reply to my question and I would be interested in
buying a USB dongle. But it would be better to reply separately to my
question (for future reference), because our questions, although 
related, are not on the same topic.

Dimitrios Siganos

