[strongSwan] strongSwan with eToken
Peter Winterer
winterer at informatik.uni-freiburg.de
Wed Nov 10 14:54:41 CET 2010
Hi Martin,

thank you very much! Your comments make things clearer.
Since our gateway supports only IKEv2, I built strongSwan with
"--enable-pkcs11" and without --enable-smartcard.
I have modified the configs accordingly (see below).
However, it doesn't work. It seems to me that our certificates are not
suitable enough? I set the following extensions for our client
certificates:
..
X509v3 extensions:
X509v3 Subject Alternative Name:
mail:[user]@vpn
Do I need to set the "Extended Key Usage"?
X509v3 Extended Key Usage:
TLS Web Client Authentication
Here are the logs:
ipsec start:
00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.0)
00[CFG] loaded PKCS#11 v2.1 library 'eToken-module'
(/usr/lib/libeTPkcs11.so)
00[CFG] Aladdin Ltd.: eToken PKCS#11 v5.0
00[CFG] found token in slot 'eToken-module':1 (AKS ifdh 00 00)
00[CFG] eToken (Aladdin Knowledge Systems Ltd.: eToken)
00[CFG] C_FindObjectsInit() failed: ATTRIBUTE_TYPE_INVALID
00[CFG] C_FindObjectsInit() failed: ATTRIBUTE_TYPE_INVALID
00[KNL] listening on interfaces:
00[KNL] eth0
...
00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
00[CFG] loaded ca certificate "C=DE, O=MoPo WLAN Uni Freiburg, CN=MoPo
Root-CA" from '/etc/ipsec.d/cacerts/root.pem'
00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
00[CFG] loading crls from '/etc/ipsec.d/crls'
00[CFG] loading secrets from '/etc/ipsec.secrets'
00[CFG] loaded private key from
%smartcard1@eToken:33423544384442423444303736374239
00[DMN] loaded plugins: aes des sha1 sha2 md5 random x509 revocation
pubkey pkcs1 pgp pem fips-prf gmp pkcs11 xcbc hmac attr kernel-netlink
resolve socket-raw stroke updown
....
ipsec up mopo:
...
13[CFG] received stroke: initiate 'mopo'
14[IKE] initiating IKE_SA mopo[1] to ip-gw
14[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
N(NATD_D_IP) ]
14[NET] sending packet: from ip-client 500] to ip-gw[500]
15[NET] received packet: from ip-gw[500] to ip-client[500]
15[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP)
N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
15[IKE] received cert request for "C=DE, O=MoPo WLAN Uni Freiburg,
CN=MoPo Root-CA"
15[IKE] sending cert request for "C=DE, O=MoPo WLAN Uni Freiburg,
CN=MoPo Root-CA"
Nov 10 14:27:03 lralap05 charon: 15[IKE] no private key found for
'winterer@vpn'
...
ipsec.secrets:
: PIN %smartcard1@eToken:33423544384442423444303736374239 XXXX
ipsec.conf:
.....
conn mopo
    left=%defaultroute
    keyexchange=ike
    leftsourceip=%config
    leftid=winterer@vpn
    leftfirewall=no
    right=ip-gw
    rightsubnet=0.0.0.0/0
    rightid=root@vpn
    auto=add
...
strongswan.conf:
....
libstrongswan {
    # set to no, the DH exponent size is optimized
    # dh_exponent_ansi_x9_42 = no
    # ...
    plugins {
        pkcs11 {
            modules {
                eToken {
                    path = /usr/lib/libeTPkcs11.so
                }
            }
        }
    }
}
....
Regards
peter
On 10.11.2010 10:39, Martin Willi wrote:
> Hi Peter,
>
>> I build strongSwan Version 4.5.0 with "--enable-smartcard" and
>> "--enable-pkcs11"
>
> The --enable-smartcard option enables PKCS#11 support for pluto, the new
> --enable-pkcs11 module is more generic and used by charon (and the pki
> tool).
>
> At some point we probably will switch to the new smartcard interface in
> pluto.
>
>> config setup
>> plutostart=no
>> pkcs11module=/usr/lib/libeTPkcs11.so
>
> If you do not use pluto, only the new PKCS#11 backend is required. It
> supports multiple PKCS#11 libraries. These are not configured in
> ipsec.conf anymore, but in strongswan.conf.
>
> A complete HOWTO is currently missing, but you can find the
> configuration syntax for modules at [1] (only the syntax of
> strongswan.conf applies, the rest is NetworkManager specific).
>
>> leftcert=%smartcard
>
>> opening '/etc/ipsec.d/certs/%smartcard' failed: No such file or directory
>
> The new backend does not require explicit loading of smartcard
> certificates. It automatically loads all certificates found on any token
> during startup. Just make sure you have a leftid that matches the
> gateway certificate.
>
>> ipsec.secrets
>> : PIN %smartcard1 %prompt
>
> man ipsec.secrets has a few more details about the syntax:
>
>> IKEv1 uses the format
>>
>> %smartcard[<slot nr>[:<key id>]]
>>
>> The IKEv2 daemon supports multiple modules with the format
>>
>> %smartcard[<slot nr>[@<module>]]:<keyid>
>
> The keyid is always required (33423544384442423444303736374239 in your
> case). We might change this requirement, but I don't like to end up
> using the PIN on the wrong token.
>
> %prompt should work with IKEv2 if you enter it using "ipsec secrets".
>
> Regards
> Martin
>
> [1]http://wiki.strongswan.org/projects/strongswan/wiki/NetworkManager#Smartcard-requirements
>
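The selector grammar Martin quotes from man ipsec.secrets, worked through as an added example (this is not strongSwan code and not something either poster wrote): a small Python parser for ipsec.secrets PIN entries that accepts both the IKEv1 and the IKEv2 form and reports entries the IKEv2 daemon would not accept because the key id is missing. The sample file and the PIN value are constructed; the module name eToken and the key id are the ones from the thread.

```python
"""Parse %smartcard selectors from ipsec.secrets PIN entries.

Added example (not strongSwan code and not from either poster). It implements
the two selector grammars quoted from man ipsec.secrets:

    IKEv1 (pluto):  %smartcard[<slot nr>[:<key id>]]
    IKEv2 (charon): %smartcard[<slot nr>[@<module>]]:<keyid>

and flags PIN entries that the IKEv2 daemon would not accept because the key
id is missing. The sample file below is constructed for the example.
"""
import re
import shlex
from dataclasses import dataclass
from typing import List, Optional

# '@<module>' exists only in the IKEv2 form; ':<keyid>' is optional for IKEv1
# and mandatory for IKEv2, so one pattern covers both and the caller decides.
_SELECTOR = re.compile(
    r"^%smartcard(?P<slot>\d+)?(?:@(?P<module>[A-Za-z0-9_.-]+))?"
    r"(?::(?P<keyid>[0-9A-Fa-f]+))?$"
)


@dataclass(frozen=True)
class Selector:
    slot: Optional[int]      # PKCS#11 slot number, None when omitted
    module: Optional[str]    # strongswan.conf module name, None when omitted
    keyid: Optional[str]     # hex key id as written, None when omitted


@dataclass(frozen=True)
class PinEntry:
    selector: Selector
    pin: Optional[str]       # None when the PIN is given as %prompt
    prompt: bool
    ikev2_usable: bool       # False when the key id is missing


def parse_selector(text: str) -> Selector:
    m = _SELECTOR.match(text.strip())
    if m is None:
        raise ValueError(f"not a %smartcard selector: {text!r}")
    slot = int(m.group("slot")) if m.group("slot") is not None else None
    return Selector(slot=slot, module=m.group("module"), keyid=m.group("keyid"))


def parse_pin_line(line: str) -> PinEntry:
    """Parse one ': PIN <selector> <pin>|%prompt' line (quotes on the PIN allowed)."""
    parts = shlex.split(line)
    if len(parts) != 4 or parts[0] != ":" or parts[1] != "PIN":
        raise ValueError(f"not a PIN entry: {line!r}")
    selector = parse_selector(parts[2])
    prompt = parts[3] == "%prompt"
    return PinEntry(
        selector=selector,
        pin=None if prompt else parts[3],
        prompt=prompt,
        ikev2_usable=selector.keyid is not None,
    )


def audit_secrets(text: str) -> List[str]:
    """Return one message per PIN entry that charon would reject (no key id)."""
    problems = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or " PIN " not in line:
            continue  # comments, blanks and RSA/PSK entries are not PIN entries
        entry = parse_pin_line(line)
        if not entry.ikev2_usable:
            problems.append(
                f"line {lineno}: selector lacks ':<keyid>', "
                "required by the IKEv2 daemon")
    return problems


# Constructed sample; the PIN is a placeholder, the key id is the thread's.
SAMPLE_SECRETS = """\
# constructed ipsec.secrets
: PIN %smartcard1@eToken:33423544384442423444303736374239 "1234"
: PIN %smartcard1 %prompt
: RSA /etc/ipsec.d/private/hostkey.pem
"""

if __name__ == "__main__":
    for msg in audit_secrets(SAMPLE_SECRETS):
        print(msg)
```

Run against the constructed file it reports only the `%smartcard1 %prompt` line: `%prompt` itself is fine for IKEv2 when the PIN is entered with "ipsec secrets", but without `:<keyid>` the selector does not name a key, which is the requirement Martin describes.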