Hi Martin, thank you very much! Your comments make things clearer. Since our gateway supports only IKEv2, I built strongSwan with "--enable-pkcs11" and without --enable-smartcard.

I have modified the configs accordingly (see below). However, it doesn't work. It seems to me that our certificates are not suitable enough? I set the following extensions for our client certificates:

    ..
    X509v3 extensions:
        X509v3 Subject Alternative Name:
            mail:[us...@vpn

Do I need to set the "Extended Key Usage"?

    X509v3 Extended Key Usage:
        TLS Web Client Authentication

Here are the logs:

ipsec start:

    00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.0)
    00[CFG] loaded PKCS#11 v2.1 library 'eToken-module' (/usr/lib/libeTPkcs11.so)
    00[CFG]   Aladdin Ltd.: eToken PKCS#11 v5.0
    00[CFG]   found token in slot 'eToken-module':1 (AKS ifdh 00 00)
    00[CFG]     eToken (Aladdin Knowledge Systems Ltd.: eToken)
    00[CFG] C_FindObjectsInit() failed: ATTRIBUTE_TYPE_INVALID
    00[CFG] C_FindObjectsInit() failed: ATTRIBUTE_TYPE_INVALID
    00[KNL] listening on interfaces:
    00[KNL]   eth0
    ...
    00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
    00[CFG]   loaded ca certificate "C=DE, O=MoPo WLAN Uni Freiburg, CN=MoPo Root-CA" from '/etc/ipsec.d/cacerts/root.pem'
    00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
    00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
    00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
    00[CFG] loading crls from '/etc/ipsec.d/crls'
    00[CFG] loading secrets from '/etc/ipsec.secrets'
    00[CFG]   loaded private key from %smartca...@etoken:33423544384442423444303736374239
    00[DMN] loaded plugins: aes des sha1 sha2 md5 random x509 revocation pubkey pkcs1 pgp pem fips-prf gmp pkcs11 xcbc hmac attr kernel-netlink resolve socket-raw stroke updown
    ....

ipsec up mopo:

    ...
    13[CFG] received stroke: initiate 'mopo'
    14[IKE] initiating IKE_SA mopo[1] to ip-gw
    14[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
    14[NET] sending packet: from ip-client[500] to ip-gw[500]
    15[NET] received packet: from ip-gw[500] to ip-client[500]
    15[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
    15[IKE] received cert request for "C=DE, O=MoPo WLAN Uni Freiburg, CN=MoPo Root-CA"
    15[IKE] sending cert request for "C=DE, O=MoPo WLAN Uni Freiburg, CN=MoPo Root-CA"
    Nov 10 14:27:03 lralap05 charon: 15[IKE] no private key found for 'winte...@vpn'
    ...

ipsec.secrets:

    : PIN %smartca...@etoken:33423544384442423444303736374239 XXXX

ipsec.conf:

    .....
    conn mopo
        left=%defaultroute
        keyexchange=ike
        leftsourceip=%config
        leftid=winte...@vpn
        leftfirewall=no
        right=ip-gw
        rightsubnet=0.0.0.0/0
        rightid=r...@vpn
        auto=add
    ...

strongswan.conf:

    ....
    libstrongswan {
        # set to no, the DH exponent size is optimized
        # dh_exponent_ansi_x9_42 = no
        # ...
        plugins {
            pkcs11 {
                modules {
                    eToken {
                        path = /usr/lib/libeTPkcs11.so
                    }
                }
            }
        }
    }
    ....

Regards
peter

On 10.11.2010 10:39, Martin Willi wrote:
> Hi Peter,
>
>> I build strongSwan Version 4.5.0 with "--enable-smartcard" and
>> "--enable-pkcs11"
>
> The --enable-smartcard option enables PKCS#11 support for pluto, the new
> --enable-pkcs11 module is more generic and used by charon (and the pki
> tool).
>
> At some point we probably will switch to the new smartcard interface in
> pluto.
>
>> config setup
>> plutostart=no
>> pkcs11module=/usr/lib/libeTPkcs11.so
>
> If you do not use pluto, the new PKCS#11 backend is required only. It
> supports multiple PKCS#11 libraries. These are not configured in
> ipsec.conf anymore, but in strongswan.conf.
>
> A complete HOWTO is currently missing, but you can find the
> configuration syntax for modules at [1] (only the syntax of
> strongswan.conf applies, the rest is NetworkManager specific).
>
>> leftcert=%smartcard
>
>> opening '/etc/ipsec.d/certs/%smartcard' failed: No such file or directory
>
> The new backend does not require explicit loading of smartcard
> certificates. It automatically loads all certificates found on any token
> during startup. Just make sure you have a leftid that matches to the
> gateway certificate.
>
>> ipsec.secrets
>> : PIN %smartcard1 %prompt
>
> man ipsec.secrets has a little more details about the syntax:
>
>> IKEv1 uses the format
>>
>> %smartcard[<slot nr>[:<key id>]]
>>
>> The IKEv2 daemon supports multiple modules with the format
>>
>> %smartcard[<slot nr>[@<module>]]:<keyid>
>
> The keyid is always required (33423544384442423444303736374239 in your
> case). We might change this requirement, but I don't like to end up
> using the PIN on the wrong token.
>
> %prompt should work with IKEv2 if you enter it using "ipsec secrets".
>
> Regards
> Martin
>
> [1]http://wiki.strongswan.org/projects/strongswan/wiki/NetworkManager#Smartcard-requirements
>

_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
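The %smartcard selector grammar Martin quotes from man ipsec.secrets, as a small checker added here (not strongSwan's code and not from the thread): it parses a selector in either the IKEv1 or the IKEv2 form, rejects an IKEv2 selector without the mandatory keyid (the defect in the earlier ": PIN %smartcard1 %prompt" line), and scans the PIN lines of a secrets file body. The sample secrets text is constructed, and the character set allowed for module names is my assumption.

```python
import re

# Selector grammar as quoted from "man ipsec.secrets" in the thread:
#   IKEv1 (pluto):  %smartcard[<slot nr>[:<key id>]]
#   IKEv2 (charon): %smartcard[<slot nr>[@<module>]]:<keyid>
# The module-name character class is an assumption, not from the man page.
_SELECTOR = re.compile(r"^%smartcard(?P<slot>\d+)?"
                       r"(?:@(?P<module>[A-Za-z0-9_.-]+))?"
                       r"(?::(?P<keyid>[0-9A-Fa-f]+))?$")

def parse_smartcard_selector(selector, ikev2=True):
    """Return {'slot', 'module', 'keyid'} for a %smartcard selector.
    ikev2=True enforces the charon rule that the keyid is mandatory;
    ikev2=False applies the pluto syntax, which has no '@<module>'."""
    m = _SELECTOR.match(selector.strip())
    if m is None:
        raise ValueError("not a %%smartcard selector: %r" % selector)
    slot, module, keyid = m.group("slot", "module", "keyid")
    if module is not None and (slot is None or not ikev2):
        raise ValueError("'@<module>' needs a slot nr and IKEv2: %r" % selector)
    if ikev2 and keyid is None:
        raise ValueError("IKEv2 syntax requires ':<keyid>' in %r" % selector)
    return {"slot": int(slot) if slot is not None else None,
            "module": module,
            "keyid": keyid.lower() if keyid is not None else None}

def check_pin_lines(secrets_text, ikev2=True):
    """Check every ': PIN <selector> <pin|%prompt>' line of an ipsec.secrets
    body; return [(line_no, problem)] for lines the daemon would not accept."""
    problems = []
    for no, line in enumerate(secrets_text.splitlines(), start=1):
        parts = line.split()
        if len(parts) < 2 or parts[0] != ":" or parts[1] != "PIN":
            continue  # comments, RSA/PSK entries, etc. are not checked here
        if len(parts) != 4:
            problems.append((no, "expected ': PIN <selector> <pin|%prompt>'"))
            continue
        try:
            parse_smartcard_selector(parts[2], ikev2)
        except ValueError as err:
            problems.append((no, str(err)))
    return problems

# Constructed sample (not a real secrets file): line 1 is the selector from
# Peter's first attempt, line 2 the form Martin asks for, line 3 is skipped.
SAMPLE_SECRETS = """\
: PIN %smartcard1 %prompt
: PIN %smartcard1@eToken:33423544384442423444303736374239 %prompt
: RSA /etc/ipsec.d/private/host.pem
"""
```

Running check_pin_lines(SAMPLE_SECRETS) flags only line 1, for the missing keyid; the same line passes with ikev2=False, which is exactly the IKEv1/IKEv2 difference Martin describes.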