[strongSwan] How to use Strongswan 5.0.1 & Smartcard correctly?

Martin Willi martin at strongswan.org
Fri Oct 12 11:05:33 CEST 2012


> You can't tell me that (Aladdin/Safenet) eTokens are exotic...

It's not about the token itself, but how the keys and certificates are
deployed on it.

> What might make the difference is, that the certificates are written
> with Windows CAPI and not using pkcs#11, but this is also not very
> exotic.

That's probably the problem. If you generate keys with PKCS#11 on the
token, you always get a keypair. This might be different with CAPI, or
at least with your software.

> If you give me a few hints where to start I might be able to provide a
> patch.

I'll have a look at it next week, shouldn't be too hard to implement
this fallback.

> I have two certificates with the same subject (different usage (sign,
> encrypt). So is there a way to tell strongswan which certificate to use
> (I can't change the smartcard)?

No, currently not.

> And why is the private key found during "ipsec secrets", but not when I
> start the connection:

The loaded private key is later looked up using the computed
fingerprint. Either the pkcs11 backend can't fingerprint the associated
public key, or the fingerprints don't match.

Regards
Martin
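The fingerprint-based lookup described above, as an added illustration that is not strongSwan's own code: a private key is stored under the SHA-1 hash of its DER-encoded SubjectPublicKeyInfo (the "keyid" that `ipsec listcerts` prints, assumed here to be the matching key used), and a lookup fails either when the backend cannot produce a public key to hash or when the hash does not match. The modulus and the slot handle are constructed sample values.

```python
import hashlib

# DER encoding of OID 1.2.840.113549.1.1.1 (rsaEncryption)
RSA_OID = bytes.fromhex("06092a864886f70d010101")

def der_len(n):
    """DER length octets (short or long form)."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def der_tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_int(v):
    """DER INTEGER; pad with 0x00 when the top bit is set."""
    b = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    if b[0] & 0x80:
        b = b"\x00" + b
    return der_tlv(0x02, b)

def spki_der(n, e):
    """SubjectPublicKeyInfo for an RSA key: SEQ { AlgId, BIT STRING { SEQ { n, e } } }."""
    alg_id = der_tlv(0x30, RSA_OID + b"\x05\x00")          # rsaEncryption, NULL params
    rsa_pub = der_tlv(0x30, der_int(n) + der_int(e))       # RSAPublicKey
    bit_str = der_tlv(0x03, b"\x00" + rsa_pub)             # 0 unused bits
    return der_tlv(0x30, alg_id + bit_str)

def keyid(n, e):
    """SHA-1 over the SPKI DER, the identifier the key store is keyed by (assumption)."""
    return hashlib.sha1(spki_der(n, e)).hexdigest()

class CredentialSet:
    """Minimal stand-in for a credential store: private keys indexed by keyid."""
    def __init__(self):
        self._private = {}

    def add_private_key(self, n, e, handle):
        self._private[keyid(n, e)] = handle

    def find_private_key(self, public):
        # public is (n, e) from the certificate, or None when the backend
        # could not fingerprint the associated public key at all.
        if public is None:
            return None
        return self._private.get(keyid(*public))

# Constructed sample values, not a real key or token slot.
SAMPLE_N = 0xC0FFEE0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF01
SAMPLE_E = 65537
```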