[strongSwan] Question regarding smartcard configuration

Marian Thieme marian.thieme at gmail.com
Tue Dec 22 23:32:26 CET 2015

Hello Tobias !

On 12/22/15 08:45, Tobias Brunner wrote:
> Hi Marian,
>> Dec 21 23:17:46 13[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
>> Dec 21 23:17:46 13[LIB] engine 'opensc' is not available
> This message is logged by the openssl plugin, not the pkcs11 plugin.

Does it mean, that openssl is used to access card ? ... and that openssl
is required to be able to load engine_pkcs11 ? (as described here:

> You should check the beginning of the log, is the plugin loaded and the
> opensc module initialized properly?  The plugin should also load the
> certificates from the token, which you should see in `ipsec listcerts`.

I can see that the openssl module itself is loaded:

Dec 22 21:35:51 00[LIB] plugin 'openssl': loaded successfully

and a number of 'features'  as well:

Dec 22 21:35:51 00[LIB] loading feature CUSTOM:libcharon in plugin 'charon'
Dec 22 21:35:51 00[LIB]   loading feature NONCE_GEN in plugin 'nonce'
Dec 22 21:35:51 00[LIB]     loading feature RNG:RNG_WEAK in plugin 'openssl'

However, I cannot see that opensc module (as I named it in the
strongswan.conf) is initialized. I see simply nothing about the
initialization procedure.

Just a note: if I specify simply
: PIN %smartcard:1234 %prompt
It says:
Dec 22 21:37:33 01[LIB] engine 'pkcs11' is not available

What could this mean ? Does my openssl lib is missing something ?
Is it possible that the respective configuration
(libstrongswan.plugins.pkcs11.modules.<name>.path) is not read by
strongswan or my definition is defect ?

Without of suprise the command `ipsec listcerts` does not return anything.

More information about the Users mailing list