[strongSwan] Question regarding smartcard configuration

Tobias Brunner tobias at strongswan.org
Wed Dec 23 10:55:04 CET 2015


Hi Marian,

>>> Dec 21 23:17:46 13[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
>>> Dec 21 23:17:46 13[LIB] engine 'opensc' is not available
>>
>> This message is logged by the openssl plugin, not the pkcs11 plugin.
> 
> Does it mean, that openssl is used to access card ? ... and that openssl
> is required to be able to load engine_pkcs11 ?

No, it is not required.  But the openssl plugin optionally supports
fetching credentials from OpenSSL ENGINEs.

>> You should check the beginning of the log, is the plugin loaded and the
>> opensc module initialized properly?  The plugin should also load the
>> certificates from the token, which you should see in `ipsec listcerts`.
> ...
> However, I cannot see that opensc module (as I named it in the
> strongswan.conf) is initialized. I see simply nothing about the
> initialization procedure.

So try to fix that.  You should see at least a line like

> 00[LIB] plugin 'pkcs11': loaded successfully

Make sure the plugin is built and installed and that it is enabled (see
[1]), which should already be the case if it was enabled during the
original build.

> Just a note: if I specify simply
> : PIN %smartcard:1234 %prompt
> It says:
> Dec 22 21:37:33 01[LIB] engine 'pkcs11' is not available

Same message as before, pkcs11 is just the default ENGINE name we assume
in the openssl plugin.

Regards,
Tobias

[1] https://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad



More information about the Users mailing list