[strongSwan] Smartcard and Arm

Claude Vittoria claude.vittoria at gmail.com
Thu Dec 15 09:06:55 CET 2011


Hi,

I am attempting to establish a connection between a Debian squeeze x86 machine and an
ARM board running busybox.

First I checked my configuration between two Debian x86 machines, one PC with a
smartcard for authentication and the other with the "server"
certificates. This works fine; I verified with Wireshark that the
network packets are encrypted.

I use the latest version of OpenSC and pcscd without trouble. I compiled
them for x86 and ARM.
I can read the smartcard public key with pkcs15-tool and pkcs11-tool.

I cross-compiled strongswan with

./configure --host=armel-unknown-linux-gnueabi --prefix=/usr --sysconfdir=/etc \
  --localstatedir=/var --libexecdir=/usr/lib --enable-smartcard \
  --with-default-pkcs11=/usr/lib/opensc-pkcs11.so --enable-openssl \
  --enable-test-vectors host_alias=armel-unknown-linux-gnueabi --no-create \
  --no-recursion --enable-eap-radius --enable-eap-identity --enable-eap-md5 \
  --enable-eap-gtc --enable-eap-aka --enable-eap-mschapv2

It's close to Debian's rules.

But I can't bring up the connection from ARM.
I get:

# ipsec up home
002 "home" #2: initiating Main Mode
002 "home" #2: ike alg: unable to retrieve my private key
002 "home" #2: ike alg: unable to retrieve my private key
003 "home" #2: empty ISAKMP SA proposal to send (no algorithms for ike
selection?)

# ipsec listpubkeys
shows nothing. But on the PC, I see the public certificate of the
smartcard. I don't understand why.

I copied the server certificates and CRL to the board to use them with openssl; I
can display them, so it is not a libcrypto issue.

In the Linux kernel, I enabled all crypto algorithms and I have verified the
kernel modules against
http://wiki.strongswan.org/projects/strongswan/wiki/KernelModules.

I thought that the config would be the same on the two architectures, but no...

Advice and help are welcome :o)
Claude

log parts
.....................................
found cert in slot: 1 with id: ab876dfe0c6c3xxxxxxxxxxxxxxxxxxxxx
| L0 - x509:
................................
| *received whack message
listening for IKE messages
| found lo with address 127.0.0.1
| found eth0 with address 192.168.0.2
adding interface eth0/eth0 192.168.0.2:500
adding interface lo/lo 127.0.0.1:500
| found lo with address 0000:0000:0000:0000:0000:0000:0000:0001
adding interface lo/lo ::1:500
| certs and keys locked by 'free_preshared_secrets'
| certs and keys unlocked by 'free_preshard_secrets'
loading secrets from "/etc/ipsec.secrets"
|   smartcard #1 added
| pkcs11 session #805032 for searching slot 1
| found token with id ab876dfe0c6c3xxxxxxxxxxxxxxxxxxxxx in slot 1
| pkcs11 session #805032 opened
| PIN code correct
| pkcs11 session #805032 login successful
  valid PIN for #1 (slot: 1, id: ab876dfe0c6c3xxxxxxxxxxxxxxxxxxxxx)
| certs and keys locked by 'process_secret'
| certs and keys unlocked by 'process_secrets'
.............................................
"home" #1: initiating Main Mode
| **emit ISAKMP Message:
|    initiator cookie:
|   3c f0 53 5f  84 dc c7 6d
|    responder cookie:
|   00 00 00 00  00 00 00 00
|    next payload type: ISAKMP_NEXT_SA
|    ISAKMP version: ISAKMP Version 1.0
|    exchange type: ISAKMP_XCHG_IDPROT
|    flags: none
|    message ID:  00 00 00 00
| ***emit ISAKMP Security Association Payload:
|    next payload type: ISAKMP_NEXT_VID
|    DOI: ISAKMP_DOI_IPSEC
| ****emit IPsec DOI SIT:
|    IPsec DOI SIT: SIT_IDENTITY_ONLY
| ike proposal: AES_CBC_128/HMAC_SHA1/MODP_2048, 3DES_CBC/HMAC_SHA1/MODP_1536,
"home" #1: ike alg: unable to retrieve my private key
"home" #1: ike alg: unable to retrieve my private key
"home" #1: empty ISAKMP SA proposal to send (no algorithms for ike selection?)
............................................
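The log above shows pluto finding the certificate in slot 1 and logging in with a valid PIN, yet failing with "unable to retrieve my private key". One check a practitioner would run on the board at that point is whether the token, once logged in, actually exposes a private key object whose ID matches the certificate's ID, since `pkcs11-tool --list-objects` only shows private keys after `--login`. The script below is an added example and not part of the original post or of strongSwan/OpenSC; it parses a `pkcs11-tool --list-objects --login` listing and pairs every certificate ID with a private key ID. The two listings embedded in it are constructed samples shaped like pkcs11-tool's output (the object ID `a1b2c3d4` is made up), and the module path in the usage comment is taken from the configure line in the post.

```shell
#!/bin/sh
# Added diagnostic example (not from the original post or strongSwan):
# check that every certificate on the token has a private key with the same ID.

# Constructed sample: certificate, public key and private key share one ID.
SAMPLE_WITH_KEY='Using slot 1 with a present token (0x1)
Certificate Object, type = X.509 cert
  label:      Certificate
  ID:         a1b2c3d4
Public Key Object; RSA 2048 bits
  label:      Public Key
  ID:         a1b2c3d4
  Usage:      encrypt, verify, wrap
Private Key Object; RSA
  label:      Private Key
  ID:         a1b2c3d4
  Usage:      decrypt, sign, unwrap'

# Constructed sample: certificate and public key are visible, no private key
# (what a listing looks like when not logged in, or when the key object is absent).
SAMPLE_NO_KEY='Using slot 1 with a present token (0x1)
Certificate Object, type = X.509 cert
  label:      Certificate
  ID:         a1b2c3d4
Public Key Object; RSA 2048 bits
  label:      Public Key
  ID:         a1b2c3d4
  Usage:      encrypt, verify, wrap'

# Reads a pkcs11-tool object listing on stdin and prints one line per
# certificate: "<id> key-present" or "<id> KEY-MISSING".
# Exit status is 0 if every certificate has a matching private key, 1 otherwise.
pair_certs_with_keys() {
    awk '
        # Object headers start at column 0; the attribute lines under them are indented.
        /^Certificate Object/ { kind = "cert"; next }
        /^Private Key Object/ { kind = "priv"; next }
        /^Public Key Object/  { kind = "pub";  next }
        /^ *ID:/ {
            if (kind == "cert") certs[$2] = 1
            else if (kind == "priv") privs[$2] = 1
            next
        }
        END {
            missing = 0
            for (id in certs) {
                if (id in privs) print id, "key-present"
                else { print id, "KEY-MISSING"; missing = 1 }
            }
            exit missing
        }'
}

# Helpers that feed the constructed samples through the check.
check_sample_with_key() { printf '%s\n' "$SAMPLE_WITH_KEY" | pair_certs_with_keys; }
check_sample_no_key()   { printf '%s\n' "$SAMPLE_NO_KEY"   | pair_certs_with_keys; }

# On the board itself (module path assumed from the configure line in the post):
#   pkcs11-tool --module /usr/lib/opensc-pkcs11.so --list-objects --login | pair_certs_with_keys

check_sample_with_key
check_sample_no_key || echo "at least one certificate has no private key with the same ID"
```

If the listing on the ARM board shows the certificate but no private key object even after `--login`, the problem lies below strongSwan, in how the cross-built OpenSC module sees the token; if the key is listed with the matching ID, attention moves to the strongSwan side (the `%smartcard` reference in ipsec.conf and ipsec.secrets, and whether the pkcs11 module path compiled in matches the one on the board).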