[strongSwan] strongSwan with eToken
martin at strongswan.org
Wed Nov 10 10:39:57 CET 2010
> I build strongSwan Version 4.5.0 with "--enable-smartcard" and
The --enable-smartcard option enables PKCS#11 support for pluto; the new
--enable-pkcs11 module is more generic and used by charon (and the pki
At some point we probably will switch to the new smartcard interface in
> config setup
If you do not use pluto, only the new PKCS#11 backend is required. It
supports multiple PKCS#11 libraries. These are no longer configured in
ipsec.conf, but in strongswan.conf.
A complete HOWTO is currently missing, but you can find the
configuration syntax for modules at  (only the syntax of
strongswan.conf applies, the rest is NetworkManager specific).
> opening '/etc/ipsec.d/certs/%smartcard' failed: No such file or directory
The new backend does not require explicit loading of smartcard
certificates. It automatically loads all certificates found on any token
during startup. Just make sure you have a leftid that matches the
> : PIN %smartcard1 %prompt
man ipsec.secrets has a few more details about the syntax:
> IKEv1 uses the format
> %smartcard[<slot nr>[:<key id>]]
> The IKEv2 daemon supports multiple modules with the format
> %smartcard[<slot nr>[@<module>]]:<keyid>
The keyid is always required (33423544384442423444303736374239 in your
case). We might change this requirement, but I don't like to end up
using the PIN on the wrong token.
%prompt should work with IKEv2 if you enter it using "ipsec secrets".
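As an added example (not part of this thread or of the strongSwan documentation), this is how the two files discussed above could look for the IKEv2 backend, using the key id from the thread; the module name etoken, slot number 0, the file paths and the vendor library path are assumptions:

```conf
# /etc/strongswan.conf (assumed path): register the eToken's PKCS#11
# library under a module name of your choice. The library path depends
# on the vendor's installation and is only an assumption here.
libstrongswan {
  plugins {
    pkcs11 {
      modules {
        etoken {
          path = /usr/lib/libeTPkcs11.so
        }
      }
    }
  }
}

# /etc/ipsec.secrets: IKEv2 form %smartcard[<slot nr>[@<module>]]:<keyid>
# with the key id from the thread. Slot 0 is an assumption; the module
# name refers to the entry above. %prompt keeps the PIN out of the file
# and has it entered interactively via "ipsec secrets".
: PIN %smartcard0@etoken:33423544384442423444303736374239 %prompt
```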