[strongSwan] Need help reviewing a tutorial on smartcards
François Pérou
francois.perou at free.fr
Fri Apr 9 13:19:14 CEST 2010
On Fri, 2010-04-09 at 11:35 +0100, Dimitrios Siganos wrote:
> It sounds right. But obviously that depends on default directory
> settings and ipsec.conf configuration. You can also use absolute
> pathnames. I do that sometimes to simplify things when I get confused.
>
> Without some debug logs I can't help anymore. Also, upgrade to the
> latest strongswan. If you are using emails in the DN (it is very
> common), it won't work unless you upgrade to 4.3.5 at least.
I followed your information on Carol road warrior and updated:

http://www.gooze.eu/howto/using-strongswan-with-smart-cards/configuring-road-warrior-carol

ipsec secrets
002 forgetting secrets
002 loading secrets from "/etc/ipsec.secrets"
040 need PIN for #1 (slot: 5, id: 7645d913d5b4e0************2324c23a7ebf4, label: 'CAcert WoT User's Root CA ID')
Enter:
004 valid PIN
002 valid pin for #1 (slot: 5, id: 7645d913d5b4e0************2324c23a7ebf4)

acer:/home/jmpoure# ipsec up home
002 "home" #1: initiating Main Mode
002 "home" #1: ike alg: unable to locate my private key
002 "home" #1: ike alg: unable to locate my private key
003 "home" #1: empty ISAKMP SA proposal to send (no algorithms for ike selection?)

config setup
	crlcheckinterval=180
	strictcrlpolicy=no
	charonstart=no
	plutostart=yes
	pkcs11module = /usr/lib/opensc-pkcs11.so
	pkcs11keepstate=yes
	plutodebug = all # During testing you will need full-debug
	plutostderrlog = /var/log/pluto.log

conn %default
	ikelifetime=60m
	keylife=20m
	rekeymargin=3m
	keyingtries=1
	keyexchange=ikev1

conn home
	left=%defaultroute
	leftcert=%smartcard
	leftfirewall=yes
	right=192.168.0.1
	rightid=@moon.strongswan.org
	rightsubnet=10.1.0.0/16
	auto=add

And the log:
Using Linux 2.6 IPsec interface code
| finish_pfkey_msg: SADB_REGISTER message 1 for AH
| 02 07 00 02 02 00 00 00 01 00 00 00 92 1b 00 00
| pfkey_get: SADB_REGISTER message 1
| AH registered with kernel.
| finish_pfkey_msg: SADB_REGISTER message 2 for ESP
| 02 07 00 03 02 00 00 00 02 00 00 00 92 1b 00 00
| pfkey_get: SADB_REGISTER message 2
| alg_init(): memset(0x7f4777352f60, 0, 2016) memset(0x7f4777353740, 0,
2032)
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: sadb_msg_len=20
sadb_supported_len=56
| kernel_alg_add(): satype=3, exttype=14, alg_id=251
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[0], exttype=14,
satype=3, alg_id=251, alg_ivlen=0, alg_minbits=0, alg_maxbits=0, res=0,
ret=1
| kernel_alg_add(): satype=3, exttype=14, alg_id=2
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[1], exttype=14,
satype=3, alg_id=2, alg_ivlen=0, alg_minbits=128, alg_maxbits=128,
res=0, ret=1
| kernel_alg_add(): satype=3, exttype=14, alg_id=3
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[2], exttype=14,
satype=3, alg_id=3, alg_ivlen=0, alg_minbits=160, alg_maxbits=160,
res=0, ret=1
| kernel_alg_add(): satype=3, exttype=14, alg_id=5
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[3], exttype=14,
satype=3, alg_id=5, alg_ivlen=0, alg_minbits=256, alg_maxbits=256,
res=0, ret=1
| kernel_alg_add(): satype=3, exttype=14, alg_id=8
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[4], exttype=14,
satype=3, alg_id=8, alg_ivlen=0, alg_minbits=160, alg_maxbits=160,
res=0, ret=1
| kernel_alg_add(): satype=3, exttype=14, alg_id=9
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[5], exttype=14,
satype=3, alg_id=9, alg_ivlen=0, alg_minbits=128, alg_maxbits=128,
res=0, ret=1
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: sadb_msg_len=20
sadb_supported_len=88
| kernel_alg_add(): satype=3, exttype=15, alg_id=11
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[6], exttype=15,
satype=3, alg_id=11, alg_ivlen=0, alg_minbits=0, alg_maxbits=0, res=0,
ret=1
| kernel_alg_add(): satype=3, exttype=15, alg_id=2
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[7], exttype=15,
satype=3, alg_id=2, alg_ivlen=8, alg_minbits=64, alg_maxbits=64, res=0,
ret=1
| kernel_alg_add(): satype=3, exttype=15, alg_id=3
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[8], exttype=15,
satype=3, alg_id=3, alg_ivlen=8, alg_minbits=192, alg_maxbits=192,
res=0, ret=1
| kernel_alg_add(): satype=3, exttype=15, alg_id=6
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[9], exttype=15,
satype=3, alg_id=6, alg_ivlen=8, alg_minbits=40, alg_maxbits=128, res=0,
ret=1
| kernel_alg_add(): satype=3, exttype=15, alg_id=7
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[10], exttype=15,
satype=3, alg_id=7, alg_ivlen=8, alg_minbits=40, alg_maxbits=448, res=0,
ret=1
| kernel_alg_add(): satype=3, exttype=15, alg_id=12
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[11], exttype=15,
satype=3, alg_id=12, alg_ivlen=8, alg_minbits=128, alg_maxbits=256,
res=0, ret=1
| kernel_alg_add(): satype=3, exttype=15, alg_id=252
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[12], exttype=15,
satype=3, alg_id=252, alg_ivlen=8, alg_minbits=128, alg_maxbits=256,
res=0, ret=1
| kernel_alg_add(): satype=3, exttype=15, alg_id=22
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[13], exttype=15,
satype=3, alg_id=22, alg_ivlen=8, alg_minbits=128, alg_maxbits=256,
res=0, ret=1
| kernel_alg_add(): satype=3, exttype=15, alg_id=253
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[14], exttype=15,
satype=3, alg_id=253, alg_ivlen=8, alg_minbits=128, alg_maxbits=256,
res=0, ret=1
| kernel_alg_add(): satype=3, exttype=15, alg_id=13
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[15], exttype=15,
satype=3, alg_id=13, alg_ivlen=8, alg_minbits=128, alg_maxbits=256,
res=0, ret=1
| ESP registered with kernel.
| finish_pfkey_msg: SADB_REGISTER message 3 for IPCOMP
| 02 07 00 09 02 00 00 00 03 00 00 00 92 1b 00 00
| pfkey_get: SADB_REGISTER message 3
| IPCOMP registered with kernel.
Changing to directory '/etc/ipsec.d/cacerts'
Changing to directory '/etc/ipsec.d/aacerts'
Changing to directory '/etc/ipsec.d/ocspcerts'
Changing to directory '/etc/ipsec.d/crls'
Changing to directory '/etc/ipsec.d/acerts'
| inserting event EVENT_LOG_DAILY, timeout in 39413 seconds
| next event EVENT_REINIT_SECRET in 3600 seconds
|
| *received whack message
listening for IKE messages
| found lo with address 127.0.0.1
| found eth0 with address 192.168.2.2
adding interface eth0/eth0 192.168.2.2:500
adding interface lo/lo 127.0.0.1:500
| found lo with address 0000:0000:0000:0000:0000:0000:0000:0001
adding interface lo/lo ::1:500
| certs and keys locked by 'free_preshared_secrets'
| certs and keys unlocked by 'free_preshard_secrets'
loading secrets from "/etc/ipsec.secrets"
pin entry via prompt for #1 (slot: 5, id:
7645d9***************************7ebf4)
| certs and keys locked by 'process_secret'
| certs and keys unlocked by 'process_secrets'
| next event EVENT_REINIT_SECRET in 3600 seconds
|
| *received whack message
| from whack: got --esp=aes128-sha1,3des-sha1
| esp alg added: AES_CBC_128/HMAC_SHA1, cnt=1
| esp alg added: 3DES_CBC_0/HMAC_SHA1, cnt=2
| esp proposal: AES_CBC_128/HMAC_SHA1, 3DES_CBC/HMAC_SHA1,
| from whack: got --ike=aes128-sha1-modp2048,3des-sha1-modp1536
| ikg alg added: AES_CBC_128/HMAC_SHA1/MODP_2048, cnt=1
| ikg alg added: 3DES_CBC_0/HMAC_SHA1/MODP_1536, cnt=2
| ike proposal: AES_CBC_128/HMAC_SHA1/MODP_2048,
3DES_CBC/HMAC_SHA1/MODP_1536,
using cached cert from smartcard #1 (slot: 5, id:
7645d913*********************3a7ebf4, label: 'CAcert WoT User's Root CA
ID')
added connection description "home"
| 192.168.2.2[CN=CAcert WoT User, E=jmp**********,
E=234af363446d11**************51cec7]---192.168.2.254...88.160.*.*[@**************]===192.168.0.0/16
| ike_life: 3600s; ipsec_life: 1200s; rekey_margin: 180s; rekey_fuzz:
100%; keyingtries: 1; policy: PUBKEY+ENCRYPT+TUNNEL+PFS
| next event EVENT_REINIT_SECRET in 3600 seconds
|
| *received whack message
| certs and keys locked by 'free_preshared_secrets'
forgetting secrets
| certs and keys unlocked by 'free_preshard_secrets'
loading secrets from "/etc/ipsec.secrets"
| fetch thread started
| next regular crl check in 180 seconds
| pkcs11 session #139944923392992 for searching slot 5
| found token with id 7645***************************c23a7ebf4 in slot 5
| pkcs11 session #139944923392992 opened
| PIN code correct
| pkcs11 session #139944923392992 login successful
| pkcs11 session #139944923392992 logout
| pkcs11 session #139944923392992 closed
valid pin for #1 (slot: 5, id: 7645d91********************ebf4)
| certs and keys locked by 'process_secret'
| certs and keys unlocked by 'process_secrets'
| next event EVENT_REINIT_SECRET in 3598 seconds
|
| *received whack message
| creating state object #1 at 0x7f4777726c40
| ICOOKIE: 72 6d a8 fe 26 a7 c5 62
| RCOOKIE: 00 00 00 00 00 00 00 00
| peer: 58 a0 a8 21
| state hash entry 24
| inserting event EVENT_SO_DISCARD, timeout in 0 seconds for #1
| Queuing pending Quick Mode with 88.160.168.33 "home"
"home" #1: initiating Main Mode
| **emit ISAKMP Message:
| initiator cookie:
| 72 6d a8 fe 26 a7 c5 62
| responder cookie:
| 00 00 00 00 00 00 00 00
| next payload type: ISAKMP_NEXT_SA
| ISAKMP version: ISAKMP Version 1.0
| exchange type: ISAKMP_XCHG_IDPROT
| flags: none
| message ID: 00 00 00 00
| ***emit ISAKMP Security Association Payload:
| next payload type: ISAKMP_NEXT_VID
| DOI: ISAKMP_DOI_IPSEC
| ****emit IPsec DOI SIT:
| IPsec DOI SIT: SIT_IDENTITY_ONLY
| ike proposal: AES_CBC_128/HMAC_SHA1/MODP_2048,
3DES_CBC/HMAC_SHA1/MODP_1536,
"home" #1: ike alg: unable to locate my private key
"home" #1: ike alg: unable to locate my private key
"home" #1: empty ISAKMP SA proposal to send (no algorithms for ike
selection?)
| next event EVENT_SO_DISCARD in 0 seconds for #1
|
| *time to handle event
| event after this is EVENT_REINIT_SECRET in 3594 seconds
| ICOOKIE: 72 6d a8 fe 26 a7 c5 62
| RCOOKIE: 00 00 00 00 00 00 00 00
| peer: 58 a0 a8 21
| state hash entry 24
| next event EVENT_REINIT_SECRET in 3594 seconds
|
| *time to check crls and the ocsp cache
| ocsp cache locked by 'check_ocsp'
| ocsp cache unlocked by 'check_ocsp'
| crl list locked by 'check_crls'
| crl list unlocked by 'check_crls'
| ocsp fetch request list locked by 'fetch_ocsp'
| ocsp fetch request list unlocked by 'fetch_ocsp'
| crl fetch request list locked by 'fetch_crls'
| crl fetch request list unlocked by 'fetch_crls'
| next regular crl check in 180 seconds

It seems that this configuration is not able to fetch the RSA public key. Am
I right? Should I specify leftid?

Kind regards