[strongSwan] strongSwan with eToken

Martin Willi martin at strongswan.org
Wed Nov 10 10:39:57 CET 2010

Hi Peter,

> I build strongSwan Version 4.5.0 with "--enable-smartcard" and
> "--enable-pkcs11"

The --enable-smartcard option enables PKCS#11 support for pluto, the new
--enable-pkcs11 module is more generic and used by charon (and the pki

At some point we probably will switch to the new smartcard interface in

> config setup
>         plutostart=no
>         pkcs11module=/usr/lib/libeTPkcs11.so

If you do not use pluto, the new PKCS#11 backend is required only. It
supports multiple PKCS#11 libraries. These are not configured in
ipsec.conf anymore, but in strongswan.conf.

A complete HOWTO is currently missing, but you can find the
configuration syntax for modules at [1] (only the syntax of
strongswan.conf applies, the rest is NetworkManager specific).

>       leftcert=%smartcard

> opening '/etc/ipsec.d/certs/%smartcard' failed: No such file or directory

The new backend does not require explicit loading of smartcard
certificates. It automatically loads all certificates found on any token
during startup. Just make sure you have a leftid that matches to the
gateway certificate.

> ipsec.secrets
>  : PIN %smartcard1 %prompt

man ipsec.secrets has a little more details about the syntax:

> IKEv1 uses the format 
>   %smartcard[<slot nr>[:<key id>]]
> The IKEv2 daemon supports multiple modules with the format
>   %smartcard[<slot nr>[@<module>]]:<keyid>

The keyid is always required (33423544384442423444303736374239 in your
case). We might change this requirement, but I don't like to end up
using the PIN on the wrong token.

%prompt should work with IKEv2 if you enter it using "ipsec secrets".



More information about the Users mailing list