[strongSwan] strongSwan with eToken

Peter Winterer winterer at informatik.uni-freiburg.de
Wed Nov 10 14:54:41 CET 2010

Hi Martin,
Thank you very much! Your comments make things clearer.

Since our gateway supports only IKEv2, I built strongSwan with
"--enable-pkcs11" and without --enable-smartcard.

I have modified the configs accordingly. (see below)

However, it doesn't work. It seems to me that our certificates are not
suitable enough? I set the following extensions for our client:
 X509v3 extensions:
   X509v3 Subject Alternative Name:

Do I need to set the "Extended Key Usage"?
X509v3 Extended Key Usage:
      TLS Web Client Authentication

Here are the logs:
ipsec start:

00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.0)
00[CFG] loaded PKCS#11 v2.1 library 'eToken-module'
00[CFG]   Aladdin Ltd.: eToken PKCS#11 v5.0
00[CFG]   found token in slot 'eToken-module':1 (AKS ifdh 00 00)
00[CFG]     eToken (Aladdin Knowledge Systems Ltd.: eToken)
00[CFG] C_FindObjectsInit() failed: ATTRIBUTE_TYPE_INVALID
00[CFG] C_FindObjectsInit() failed: ATTRIBUTE_TYPE_INVALID
00[KNL] listening on interfaces:
00[KNL]   eth0
00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
00[CFG]   loaded ca certificate "C=DE, O=MoPo WLAN Uni Freiburg, CN=MoPo
Root-CA" from '/etc/ipsec.d/cacerts/root.pem'
00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
00[CFG] loading crls from '/etc/ipsec.d/crls'
00[CFG] loading secrets from '/etc/ipsec.secrets'
00[CFG]   loaded private key from
%smartcard1@eToken:33423544384442423444303736374239
00[DMN] loaded plugins: aes des sha1 sha2 md5 random x509 revocation
pubkey pkcs1 pgp pem fips-prf gmp pkcs11 xcbc hmac attr kernel-netlink
resolve socket-raw stroke updown

ipsec up mopo:
13[CFG] received stroke: initiate 'mopo'
14[IKE] initiating IKE_SA mopo[1] to ip-gw
14[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
14[NET] sending packet: from ip-client 500] to ip-gw[500]
15[NET] received packet: from ip-gw[500] to ip-client[500]
15[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP)
15[IKE] received cert request for "C=DE, O=MoPo WLAN Uni Freiburg,
CN=MoPo Root-CA"
15[IKE] sending cert request for "C=DE, O=MoPo WLAN Uni Freiburg,
CN=MoPo Root-CA"
Nov 10 14:27:03 lralap05 charon: 15[IKE] no private key found for
'winterer@vpn'

ipsec.secrets:
 : PIN %smartcard1@eToken:33423544384442423444303736374239 XXXX

ipsec.conf:
conn mopo
      leftid=winterer@vpn
      rightid=root@vpn

strongswan.conf:
libstrongswan {
  # set to no, the DH exponent size is optimized
  # dh_exponent_ansi_x9_42 = no
  # ...
  plugins {
    pkcs11 {
      modules {
        eToken {
          path = /usr/lib/libeTPkcs11.so
        }
      }
    }
  }
}


On 10.11.2010 10:39, Martin Willi wrote:
> Hi Peter,
>> I build strongSwan Version 4.5.0 with "--enable-smartcard" and
>> "--enable-pkcs11"
> The --enable-smartcard option enables PKCS#11 support for pluto, the new
> --enable-pkcs11 module is more generic and used by charon (and the pki
> tool).
> At some point we probably will switch to the new smartcard interface in
> pluto.
>> config setup
>>         plutostart=no
>>         pkcs11module=/usr/lib/libeTPkcs11.so
> If you do not use pluto, the new PKCS#11 backend is required only. It
> supports multiple PKCS#11 libraries. These are not configured in
> ipsec.conf anymore, but in strongswan.conf.
> A complete HOWTO is currently missing, but you can find the
> configuration syntax for modules at [1] (only the syntax of
> strongswan.conf applies, the rest is NetworkManager specific).
>>       leftcert=%smartcard
>> opening '/etc/ipsec.d/certs/%smartcard' failed: No such file or directory
> The new backend does not require explicit loading of smartcard
> certificates. It automatically loads all certificates found on any token
> during startup. Just make sure you have a leftid that matches to the
> gateway certificate.
>> ipsec.secrets
>>  : PIN %smartcard1 %prompt
> man ipsec.secrets has a little more details about the syntax:
>> IKEv1 uses the format 
>>   %smartcard[<slot nr>[:<key id>]]
>> The IKEv2 daemon supports multiple modules with the format
>>   %smartcard[<slot nr>[@<module>]]:<keyid>
> The keyid is always required (33423544384442423444303736374239 in your
> case). We might change this requirement, but I don't like to end up
> using the PIN on the wrong token.
> %prompt should work with IKEv2 if you enter it using "ipsec secrets".
> Regards
> Martin
> [1] http://wiki.strongswan.org/projects/strongswan/wiki/NetworkManager#Smartcard-requirements
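The keyid requirement Martin describes, as an added example that is not part of the original thread and not strongSwan's own code: a small Python checker that parses the two ipsec.secrets PIN lines from this thread against the IKEv2 grammar `%smartcard[<slot nr>[@<module>]]:<keyid>` and reports the missing keyid. It assumes (as the strongSwan pkcs11 backend documents) that the keyid is the hex-encoded CKA_ID of the private key object on the token.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Hypothetical helper, not strongSwan code: validates the %smartcard reference
# of an ipsec.secrets PIN line against the IKEv2 (charon) grammar quoted in the
# thread:  %smartcard[<slot nr>[@<module>]]:<keyid>
# Assumption: <keyid> is the hex-encoded CKA_ID of the key object on the token.
SMARTCARD_RE = re.compile(
    r"^%smartcard(?P<slot>\d+)?(?:@(?P<module>[A-Za-z0-9_.-]+))?(?::(?P<keyid>[0-9A-Fa-f]*))?$"
)


@dataclass
class SmartcardRef:
    slot: Optional[int]
    module: Optional[str]
    keyid: Optional[str]
    pin: str  # literal PIN or "%prompt"

    def cka_id(self) -> bytes:
        """Raw CKA_ID bytes that charon would look up on the token."""
        return bytes.fromhex(self.keyid or "")


def parse_pin_line(line: str) -> SmartcardRef:
    """Parse ' : PIN %smartcard1@eToken:<keyid> <pin|%prompt>' into its parts."""
    fields = line.strip().split()
    if len(fields) != 4 or fields[0] != ":" or fields[1] != "PIN":
        raise ValueError(f"not a PIN secret line: {line!r}")
    m = SMARTCARD_RE.match(fields[2])
    if m is None:
        raise ValueError(f"malformed %smartcard reference: {fields[2]!r}")
    slot = int(m.group("slot")) if m.group("slot") else None
    return SmartcardRef(slot, m.group("module"), m.group("keyid"), fields[3])


def check_ikev2_ref(ref: SmartcardRef) -> list:
    """Return the reasons charon would not accept this reference as-is."""
    problems = []
    if not ref.keyid:
        # This is the defect in the original ' : PIN %smartcard1 %prompt' line.
        problems.append("keyid missing: charon needs %smartcard[<slot>[@<module>]]:<keyid>")
    elif len(ref.keyid) % 2:
        problems.append("keyid must be an even number of hex digits (whole CKA_ID bytes)")
    return problems


if __name__ == "__main__":
    for raw in (" : PIN %smartcard1 %prompt",
                " : PIN %smartcard1@eToken:33423544384442423444303736374239 XXXX"):
        r = parse_pin_line(raw)
        print(raw.strip(), "->", check_ikev2_ref(r) or "ok", r.cka_id())
```

Run against the thread's two lines, the first reports the missing keyid and the second passes; the decoded CKA_ID of the working line is the ASCII text `3B5D8DBB4D0767B9`, which is what to compare with the key object's ID as listed by a PKCS#11 object browser.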
