[strongSwan] strongSwan with eToken
Peter Winterer
winterer at informatik.uni-freiburg.de
Wed Nov 10 09:55:42 CET 2010
Hi all,
I am trying to set up strongSwan to work with an eToken. However, it does
not work for me.
I built strongSwan version 4.5.0 with "--enable-smartcard" and
"--enable-pkcs11".
With the following command, I verified that the certificate is on the token:
pkcs11-tool --module /usr/lib/libeTPkcs11.so --slot 1 --login --list-objects
Please enter User PIN:
Private Key Object; RSA
label: 726B6D14FAFB125D
ID: 33423544384442423444303736374239
Usage: decrypt, sign, unwrap
Certificate Object, type = X.509 cert
label: 726B6D14FAFB125D
ID: 33423544384442423444303736374239
Certificate Object, type = X.509 cert
label: (eTCAPI) MoPo Root-CA's MoPo WLAN Uni Freiburg ID
ID:
39453945373335312d333545442d343031612d384637302d3238463636393036363042303a323535
The strongswan config looks like this:
config setup
# plutodebug=all
# crlcheckinterval=600
strictcrlpolicy=no
# cachecrls=yes
nat_traversal=yes
charonstart=yes
plutostart=no
pkcs11module=/usr/lib/libeTPkcs11.so
conn mopo
left=%defaultroute
keyexchange=ike
leftsourceip=%config
leftcert=%smartcard
leftid=user at email.de
leftfirewall=no
right=10.1.0.2
rightsubnet=0.0.0.0/0
rightid=root at vpn-gateway.de
auto=add
.....
ipsec.secrets
: PIN %smartcard1 %prompt
However when I start ipsec, I am getting the following error in the log:
.....
00[DMN] loaded plugins: aes des sha1 sha2 md5 random x509 revocation
pubkey pkcs1 pgp pem fips-prf gmp pkcs11 xcbc hmac attr kernel-netlink
resolve socket-raw stroke updown
00[JOB] spawning 16 worker threads
06[CFG] received stroke: add connection 'mopo'
06[LIB] opening '/etc/ipsec.d/certs/%smartcard' failed: No such file
or directory
Nov 9 22:44:34 lralap05 charon: 06[LIB] building CRED_CERTIFICATE - ANY
failed, tried 1 builders
Nov 9 22:44:34 lralap05 charon: 06[CFG] loading certificate from
'%smartcard' failed
Nov 9 22:44:34 lralap05 charon: 06[CFG] added configuration 'mopo'
..
The command "ipsec listcards" shows nothing.
Since the eToken is in "Slot 1", I changed the keyword "%smartcard" to
"%smartcard1"; however, I get the same message in the log files.
It seems to me that the keyword "%smartcard" is not recognized as the
keyword for smartcard access.
Thanks for help!
peter
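A check worth running before debugging the IPsec side is whether the token objects are actually paired the way a PKCS#11 client expects: the private key and the end-entity certificate must share the same CKA_ID, and a CA certificate that happens to be on the token shows up as a certificate with no matching key. The script below is an added example, not part of the original post or of strongSwan; it parses the exact `pkcs11-tool --list-objects` output format quoted above (the sample input is copied from the post and embedded here as constructed input), groups objects by ID, classifies each ID, and decodes the hex CKA_IDs, which on this token are hex-encoded ASCII strings.

```python
"""Parse `pkcs11-tool --list-objects` output and check key/certificate pairing.

Added example; not part of the original post or of strongSwan. SAMPLE is the
listing quoted in the post, embedded here as constructed input.
"""
import re
from collections import defaultdict

SAMPLE = """\
Please enter User PIN:
Private Key Object; RSA
label: 726B6D14FAFB125D
ID: 33423544384442423444303736374239
Usage: decrypt, sign, unwrap
Certificate Object, type = X.509 cert
label: 726B6D14FAFB125D
ID: 33423544384442423444303736374239
Certificate Object, type = X.509 cert
label: (eTCAPI) MoPo Root-CA's MoPo WLAN Uni Freiburg ID
ID:
39453945373335312d333545442d343031612d384637302d3238463636393036363042303a323535
"""

# Each token object starts with one of these headers. pkcs11-tool indents the
# attribute lines in real output; the post lost that indentation, so leading
# whitespace is ignored throughout.
OBJECT_HEADER = re.compile(
    r"^(Private Key|Public Key|Certificate|Data|Secret Key) [Oo]bject")
ATTRIBUTE = re.compile(r"^([A-Za-z ]+):\s*(.*)$")
HEX_ONLY = re.compile(r"^[0-9A-Fa-f]+$")


def parse_objects(text):
    """Return one dict per token object: its 'type' header plus attributes."""
    objects = []
    current = None
    last_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if OBJECT_HEADER.match(line):
            current = {"type": line}
            objects.append(current)
            last_key = None
            continue
        if current is None:
            continue  # PIN prompt or other preamble before the first object
        m = ATTRIBUTE.match(line)
        if m:
            last_key = m.group(1).strip().lower()
            current[last_key] = m.group(2).strip()
        elif last_key == "id" and not current.get("id") and HEX_ONLY.match(line):
            # A long ID is printed on the line after "ID:"; join it back.
            current["id"] = line
    return objects


def decode_ckaid(hex_id):
    """Decode a CKA_ID: many middlewares store printable ASCII, hex-encoded.

    Falls back to the raw hex when the bytes are not printable ASCII."""
    raw = bytes.fromhex(hex_id)
    if all(32 <= b < 127 for b in raw):
        return raw.decode("ascii")
    return raw.hex()


def pair_by_id(objects):
    """Group objects by CKA_ID and classify each ID for a PKCS#11 client."""
    by_id = defaultdict(list)
    for obj in objects:
        by_id[obj.get("id", "")].append(obj["type"])
    report = {}
    for cka_id, types in by_id.items():
        has_key = any(t.startswith("Private Key") for t in types)
        has_cert = any(t.startswith("Certificate") for t in types)
        if has_key and has_cert:
            report[cka_id] = "identity"   # end-entity key + certificate pair
        elif has_cert:
            report[cka_id] = "cert-only"  # e.g. a CA certificate on the token
        elif has_key:
            report[cka_id] = "key-only"   # private key with no certificate
        else:
            report[cka_id] = "other"
    return report


if __name__ == "__main__":
    objs = parse_objects(SAMPLE)
    for cka_id, status in pair_by_id(objs).items():
        print(f"{status:9s} id={cka_id} ({decode_ckaid(cka_id)})")
```

Run against the listing from the post, the user key and user certificate share one ID and are reported as an identity, while the root CA certificate is cert-only under its own ID; the decoded IDs are the plain strings the middleware stored, which is the form some tools expect when a key is referenced by ID rather than by label.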