[strongSwan] ikev2 smartcard support

Peter Winterer winterer at informatik.uni-freiburg.de
Wed Dec 22 14:59:00 CET 2010

with a lot of help from Martin, I managed to setup smartcard support in
strongSwan 4.5.0 ikev2 (NM). To do so, I had to apply some patches
to the strongSwan sourcecode [1].
>From these patches, I created one patch against the current stable
version of strongSwan 4.5.0, which includes all patches that I got from
Martin. I have attached the patch to this email. With this patched
strongSwan Version smartcard support is working fine for me.

However, I found the following, when I use the current snapshot of
strongSwan. For some reason, the private key on the smartcard is no
longer found and finally the connection fails, see the logs below.

The same Crypto-Stick is working with the patched Version of strongswan
4.5.0. The only difference I see is, that one certificate is untrusted
in the logs of the snapshot version.



00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.0-185-g6aa144d)
00[CFG] loaded PKCS#11 v2.20 library 'openSC' (/usr/lib/opensc-pkcs11.so)
00[CFG]   OpenSC (www.opensc-project.org): Smart card PKCS#11 API v0.0
00[CFG]   found token in slot 'openSC':5 (Feitian SCR301 01 00)
00[CFG]     MoPo SC (User PIN) (EnterSafe: PKCS#15)
00[CFG]     loaded untrusted cert 'Certificate'
00[CFG]     loaded trusted cert 'Certificate'
00[DMN] loaded plugins: random x509 revocation pubkey pkcs1 pgp pem
openssl agent pkcs11 xcbc hmac attr kernel-netlink resolve
socket-default eap-md5 eap-gtc eap-mschapv2 nm
00[JOB] spawning 16 worker threads
06[CFG] received initiate for NetworkManager connection Crypto Stick
06[CFG] using gateway certificate, identity 'C=DE, O=Uni, CN=vpn.de'
06[CFG] found key on PKCS#11 token 'openSC':5
06[CFG] using smartcard certificate 'winterer at vpn.de'
06[IKE] initiating IKE_SA Mobile Pools Crypto Stick[1] to
06[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
06[NET] sending packet: from[500] to[500]
11[NET] received packet: from[500] to[500]
11[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP)
11[IKE] received cert request for "C=DE, O=Uni, CN=CA"
11[IKE] sending cert request for "C=DE, O=Uni, CN=CA"
11[IKE] no private key found for 'winterer at vpn.de'
NetworkManager[927]: <warn> VPN plugin failed: 0

pkcs15-tool --list-pins --list-keys --list-certificates

X.509 Certificate [Certificate]
        Flags    : 2
        Authority: no
        Path     : 3f0050153100
        ID       : c43dab133732791b034c327598877219cddaf116
        Encoded serial: 02 02 190E

X.509 Certificate [Certificate]
        Flags    : 2
        Authority: yes
        Path     : 3f0050153101
        ID       : 366549997716cc5bdd87a7db215b1142808fbbcc
        Encoded serial: 02 01 00

Private RSA Key [Private Key]
        Com. Flags  : 3
        Usage       : [0x4], sign
        Access Flags: [0x0]
        ModLength   : 1024
        Key ref     : 1
        Native      : yes
        Path        : 3f005015
        Auth ID     : 01
        ID          : 8f1f90a190e89feb7b144c5a900c36336b8f024e

PIN [User PIN]
        Com. Flags: 0x3
        ID        : 01
        Flags     : [0x32], local, initialized, needs-padding
        Length    : min_len:4, max_len:16, stored_len:16
        Pad char  : 0x00
        Reference : 1
        Type      : ascii-numeric
        Path      : 3f005015

-------------- next part --------------
A non-text attachment was scrubbed...
Name: strongswan-4.5.0_pkcs11.patch
Type: text/x-diff
Size: 10699 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20101222/d2a0c09b/attachment.patch>

More information about the Users mailing list