[strongSwan] Smartcard and Arm
Claude Vittoria
claude.vittoria at gmail.com
Thu Dec 15 09:06:55 CET 2011
Hi,
I attempt to etablish a connection between a debian squeeze x86 and a
arm board with busybox.
In first I check my configuration between two debian x86, one PC with
smardcard for authentification and the other with "server"
certificats. This works fine, I verified with wireshark that the
network packets are encrypted.
I use the last version of OpenSC and pcscd without trouble. I compiled
them for x86 and arm.
I can read the smartcard pubkey with pkcs15-tool and pkcs11-tool.
I cross compiled strongswan with
./configure --host=armel-unknown-linux-gnueabi --prefix=/usr --sysconfdir=/e
tc --localstatedir=/var --libexecdir=/usr/lib --enable-smartcard --with-default-
pkcs11=/usr/lib/opensc-pkcs11.so --enable-openssl --enable-test-vectors host_ali
as=armel-unknown-linux-gnueabi --no-create --no-recursion --enable-eap-radius --
enable-eap-identity --enable-eap-md5 --enable-eap-gtc --enable-eap-aka --enable-
eap-mschapv2
It's near of the debian's rules.
But I can't up the connection from ARM.
I get :
# ipsec up home
002 "home" #2: initiating Main Mode
002 "home" #2: ike alg: unable to retrieve my private key
002 "home" #2: ike alg: unable to retrieve my private key
003 "home" #2: empty ISAKMP SA proposal to send (no algorithms for ike
selection?)
#ipsec listpukeys
shows nothing. But on PC, I see the public certificat of the
smartcard. I don't understand why.
I copied the server certificats and crl on the board to use openssl, I
can display them, so is not a libcrypto issue.
In the linux kernel, I set all crypto algorithms and I have verified
kernel modules.
http://wiki.strongswan.org/projects/strongswan/wiki/KernelModules.
I thought that the conf will be the same on the 2 architectures, but no...
Advices and help are welcome :o)
Claude
log parts
.....................................
found cert in slot: 1 with id: ab876dfe0c6c3xxxxxxxxxxxxxxxxxxxxx
| L0 - x509:
................................
| *received whack message
listening for IKE messages
| found lo with address 127.0.0.1
| found eth0 with address 192.168.0.2
adding interface eth0/eth0 192.168.0.2:500
adding interface lo/lo 127.0.0.1:500
| found lo with address 0000:0000:0000:0000:0000:0000:0000:0001
adding interface lo/lo ::1:500
| certs and keys locked by 'free_preshared_secrets'
| certs and keys unlocked by 'free_preshard_secrets'
loading secrets from "/etc/ipsec.secrets"
| smartcard #1 added
| pkcs11 session #805032 for searching slot 1
| found token with id ab876dfe0c6c3xxxxxxxxxxxxxxxxxxxxx in slot 1
| pkcs11 session #805032 opened
| PIN code correct
| pkcs11 session #805032 login successful
valid PIN for #1 (slot: 1, id: ab876dfe0c6c3xxxxxxxxxxxxxxxxxxxxx)
| certs and keys locked by 'process_secret'
| certs and keys unlocked by 'process_secrets'
.............................................
"home" #1: initiating Main Mode
| **emit ISAKMP Message:
| initiator cookie:
| 3c f0 53 5f 84 dc c7 6d
| responder cookie:
| 00 00 00 00 00 00 00 00
| next payload type: ISAKMP_NEXT_SA
| ISAKMP version: ISAKMP Version 1.0
| exchange type: ISAKMP_XCHG_IDPROT
| flags: none
| message ID: 00 00 00 00
| ***emit ISAKMP Security Association Payload:
| next payload type: ISAKMP_NEXT_VID
| DOI: ISAKMP_DOI_IPSEC
| ****emit IPsec DOI SIT:
| IPsec DOI SIT: SIT_IDENTITY_ONLY
| ike proposal: AES_CBC_128/HMAC_SHA1/MODP_2048, 3DES_CBC/HMAC_SHA1/MODP_1536,
"home" #1: ike alg: unable to retrieve my private key
"home" #1: ike alg: unable to retrieve my private key
"home" #1: empty ISAKMP SA proposal to send (no algorithms for ike selection?)
............................................
More information about the Users
mailing list