[strongSwan] How to use Strongswan 5.0.1 & Smartcard correctly?

richter at ecos.de
Thu Oct 11 16:29:00 CEST 2012


Hi,

I have been using smartcards with pluto for a long time, but now trying to switch to strongswan 5 and I can't get it working anymore.

I have two smartcards: an eToken with Siemens CardOS and a mIdentity with a TCOS 3.0 card.

I added the pkcs11 libs to strongswan.conf and "ipsec listcerts" shows me the certificates on the smartcards ("ipsec listcards" does not show anything).

Trouble starts when I use "ipsec secrets". /etc/ipsec.secrets looks like:

: PIN %smartcard:39453945373335312D333545442D343031612D384637302D3238463636393036363042303A31 %prompt
: PIN %smartcard:70ee000003ef %prompt

The long id is for the eToken. I had to enlarge the line length in stroke_cred.c, but it does not find its private key. When I change

    CK_OBJECT_CLASS class = CKO_PUBLIC_KEY;

to

    CK_OBJECT_CLASS class = CKO_CERTIFICATE;

in file Pkcs11_private_key.c in function find_lib_by_keyid (like pluto has done), the public key is found, but pkcs11_public_key_connect later on fails. I don't know which id to use to find the correct public key.

The TCOS private key is loaded correctly (during ipsec secrets), but when I start the connection, then I get the message no private key found for that id.

I have given the subject of the certificate as leftid in ipsec.conf. Is this correct? Note that on the smartcard there are two certificates with the same subject.

Is there any other way to specify which key to use? From the code it looks like it is possible to use the fingerprint, but how could it be specified?

Any help appreciated

Thanks & Regards

Gerald
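As an added illustration (not part of Gerald's post or of strongSwan's code): a small Python helper that parses the two %smartcard entries quoted above, decodes the hex keyid back to the token's CKA_ID bytes, and selects a private key by that id from a constructed object list that mimics two certificates sharing one subject. It assumes the selector form %smartcard[<slot>[@<module>]]:<keyid>; the token object list and the subject in it are constructed sample data.

```python
import re
import binascii
# Constructed ipsec.secrets excerpt; the two keyids are the ones quoted in the post.
SECRETS = """\
: PIN %smartcard:39453945373335312D333545442D343031612D384637302D3238463636393036363042303A31 %prompt
: PIN %smartcard:70ee000003ef %prompt
"""

# Assumed selector form: %smartcard[<slot>[@<module>]]:<keyid>, keyid = hex of the CKA_ID.
_SC_RE = re.compile(
    r"^:\s*PIN\s+%smartcard(?P<slot>\d+)?(?:@(?P<module>[^:\s]+))?"
    r":(?P<keyid>[0-9A-Fa-f]+)\s+(?P<pin>\S+)\s*$"
)

def parse_secrets(text):
    """Return one dict per %smartcard PIN line, with the CKA_ID as raw bytes."""
    entries = []
    for line in text.splitlines():
        m = _SC_RE.match(line)
        if not m:
            continue
        keyid_hex = m.group("keyid")
        if len(keyid_hex) % 2:
            raise ValueError("odd-length keyid in: %r" % line)
        entries.append({
            "slot": int(m.group("slot")) if m.group("slot") else None,
            "module": m.group("module"),
            "keyid": binascii.unhexlify(keyid_hex),
            "pin": m.group("pin"),
        })
    return entries

def describe_keyid(keyid):
    """Render a CKA_ID as text if it is printable ASCII (the eToken id is), else as hex."""
    if keyid and all(32 <= b < 127 for b in keyid):
        return keyid.decode("ascii")
    return keyid.hex()

# Constructed stand-in for what a PKCS#11 module enumerates: two cert/key pairs, same subject, different CKA_ID.
TOKEN_OBJECTS = [
    {"class": "CKO_CERTIFICATE", "subject": "CN=Example User", "id": b"9E9E7351-35ED-401a-8F70-28F6690660B0:1"},
    {"class": "CKO_PRIVATE_KEY", "subject": "CN=Example User", "id": b"9E9E7351-35ED-401a-8F70-28F6690660B0:1"},
    {"class": "CKO_CERTIFICATE", "subject": "CN=Example User", "id": b"9E9E7351-35ED-401a-8F70-28F6690660B0:2"},
    {"class": "CKO_PRIVATE_KEY", "subject": "CN=Example User", "id": b"9E9E7351-35ED-401a-8F70-28F6690660B0:2"},
]
def find_private_key(objects, keyid):
    """Select the private key by CKA_ID; matching on subject alone would be ambiguous."""
    hits = [o for o in objects if o["class"] == "CKO_PRIVATE_KEY" and o["id"] == keyid]
    return hits[0] if len(hits) == 1 else None
```

Running describe_keyid on the first entry shows why the eToken line is so long: that CKA_ID is itself a 38-character ASCII string, hex-encoded, while the TCOS id is six raw bytes.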