[strongSwan] How to use Strongswan 5.0.1 & Smartcard correctly?

[Martin Willi]

> You can't tell me that (Aladdin/Safenet) eTokens are exotic...

It's not about the token itself, but how the keys and certificates are
deployed on it.

> What might make the difference is, that the certificates are written
> with Windows CAPI and not using pkcs#11, but this is also not very
> exotic.

That's probably the problem. If you generate keys with PKCS#11 on the
token, you always get a keypair. This might be different with CAPI, or
at least with your software.

> If you give me a few hints where to start I might be able to provide a
> patch.

I'll have a look at it next week, shouldn't be too hard to implement
this fallback.

> I have two certificates with the same subject (different usage (sign,
> encrypt). So is there a way to tell strongswan which certificate to use
> (I can't change the smartcard)?

No, currently not. 

> And why is the private key found during "ipsec secrets", but not when I
> start the connection:

The loaded private key is later looked up using the computed
fingerprint. Either the pkcs11 backend can't fingerprint the associated
public key, or the fingerprints don't match.

Regards
Martin