Re: [strongSwan] Need help reviewing a tutorial on smartcards

2010-04-09 Thread François Pérou
On Fri, 2010-04-09 at 15:59 +0100, Dimitrios Siganos wrote:
> 
> But the logs are saying that it can't find your private keys. The
> logs also suggest that it loads at least one certificate from the
> smartcard.

Sorry, I forgot to publish the ipsec.secrets file:
: PIN %smartcard %prompt

Then I run ipsec secrets to enter PIN.

> I would suspect your ipsec.secrets file here. But I don't know how you
> are supposed to tell strongswan which private key to use from the
> smartcard (there could be many). It makes sense that it needs to be told
> but how do we do that?
> 

I am trying with a new card with only one certificate.

In smartcards, the private key never leaves the card. So I doubt that
strongSwan can ever access the card.

On the converse, strongSwan needs to be able to make crypto operations
from the smartcard using OpenSSL.

Kind regards


___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users


Re: [strongSwan] Need help reviewing a tutorial on smartcards

2010-04-09 Thread Dimitrios Siganos

Re: [strongSwan] Need help reviewing a tutorial on smartcards

2010-04-09 Thread François Pérou
On Fri, 2010-04-09 at 11:35 +0100, Dimitrios Siganos wrote:
> It sounds right. But obviously that depends on default directory 
> settings and ipsec.conf configuration. You can also use absolute 
> pathnames. I do that sometimes to simplify things when I get confused.
> 
> Without some debug logs I can't help anymore. Also, upgrade to the 
> latest strongswan. If you are using emails in the DN (it is very 
> common), it won't work unless you upgrade to 4.3.5 at least. 

I followed your information on Carol road warrior and updated:
http://www.gooze.eu/howto/using-strongswan-with-smart-cards/configuring-road-warrior-carol

ipsec secrets
002 forgetting secrets
002 loading secrets from "/etc/ipsec.secrets"
040 need PIN for #1 (slot: 5, id: 7645d913d5b4e02324c23a7ebf4, label: 'CAcert WoT User's Root CA ID')
Enter: 
004 valid PIN
002   valid pin for #1 (slot: 5, id: 7645d913d5b4e02324c23a7ebf4)
acer:/home/jmpoure# ipsec up home
002 "home" #1: initiating Main Mode
002 "home" #1: ike alg: unable to locate my private key
002 "home" #1: ike alg: unable to locate my private key
003 "home" #1: empty ISAKMP SA proposal to send (no algorithms for ike selection?)


config setup
    crlcheckinterval=180
    strictcrlpolicy=no
    charonstart=no
    plutostart=yes
    pkcs11module=/usr/lib/opensc-pkcs11.so
    pkcs11keepstate=yes
    plutodebug=all # During testing you will need full-debug
    plutostderrlog=/var/log/pluto.log

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev1

conn home
    left=%defaultroute
    leftcert=%smartcard
    leftfirewall=yes
    right=192.168.0.1
    right...@moon.strongswan.org
    rightsubnet=10.1.0.0/16
    auto=add

And the log:


Re: [strongSwan] Need help reviewing a tutorial on smartcards

2010-04-09 Thread Dimitrios Siganos
François Pérou wrote:
> On Fri, 2010-04-09 at 07:58 +0200, François Pérou wrote:
>   
> Dear Dimitrios,
>
> I modified to have pluto running in debug mode on Carol:
> http://www.gooze.eu/howto/using-strongswan-with-smart-cards/configuring-road-warrior-carol
>
> This seems to work fine on Carol side with pluto. 
> PIN and credentials are cached. 
> I can run ipsec listcards.
>
> Many thanks.
>
> Now I have some problem on the most simple part: Moon.
>
> 1) Should I also run pluto on Moon? I guess no, charon should work also?
>   
Yes, pluto must be running on both sides. I would also disable charon on 
both sides to simplify the setup.

> 2) Should I use keyexchange=ikev2 or keyexchange=ikev1?
>   
keyexchange=ikev1 on both sides


> 3) I installed carol PEM cert in /etc/ipsec.d/certs/carolCert.pem. Is
> this the right location?
>   
It sounds right. But obviously that depends on default directory 
settings and ipsec.conf configuration. You can also use absolute 
pathnames. I do that sometimes to simplify things when I get confused.

Without some debug logs I can't help anymore. Also, upgrade to the 
latest strongswan. If you are using emails in the DN (it is very 
common), it won't work unless you upgrade to 4.3.5 at least.

Thank you for your reply to my question, and I would be interested in 
buying a USB dongle. But it would be better to reply separately to my 
question (for future reference), because our questions, although 
related, are not on the same topic.

Regards,
Dimitrios Siganos


Re: [strongSwan] Need help reviewing a tutorial on smartcards

2010-04-09 Thread François Pérou
On Fri, 2010-04-09 at 07:58 +0200, François Pérou wrote:
> >
>  

Dear Dimitrios,

I modified to have pluto running in debug mode on Carol:
http://www.gooze.eu/howto/using-strongswan-with-smart-cards/configuring-road-warrior-carol

This seems to work fine on Carol side with pluto. 
PIN and credentials are cached. 
I can run ipsec listcards.

Many thanks.

Now I have some problem on the most simple part: Moon.

1) Should I also run pluto on Moon? I guess no, charon should work also?
2) Should I use keyexchange=ikev2 or keyexchange=ikev1?
3) I installed carol PEM cert in /etc/ipsec.d/certs/carolCert.pem. Is
this the right location?

Then I try to establish connection and nothing happens.
Any idea?

Kind regards



Re: [strongSwan] Need help reviewing a tutorial on smartcards

2010-04-08 Thread François Pérou
On Fri, 2010-04-09 at 00:51 +0100, Dimitrios Siganos wrote:
> "charon IKEv2 usb smartcard dongle integration"
>  

To answer part of your question, you will need:

* OpenSC, pcsc-lite and OpenCT. I don't recommend using OpenCT, as it is
targeted at non-standard readers. For a long-term project, I would not
choose non-standard readers.

* Use a PCSC CCID reader, either in full format or mini-sim (stick). I
will soon offer mini-sim sticks if you are interested. The advantage of
CCID compliant readers is that they are fully supported by OpenSC and
any system (Win32, MacOSX, GNU/Linux) without an additional driver.

* Java cards are not well supported by OpenSC. Use a traditional pkcs15
crypto card, like the one we sell, with support for each system (Win32,
MacOSX, GNU/Linux). It is cheaper and compliant. If Java cards worked,
I would sell some of them. If I don't, it is because you get into too
many problems: initialization, erase, etc. Everything becomes a
nightmare.

* I recommend starting with our tutorials, which will give you a picture
of what can be done: http://www.gooze.eu/tutorials

Kind regards.




Re: [strongSwan] Need help reviewing a tutorial on smartcards

2010-04-08 Thread Dimitrios Siganos
Charon (the IKEv2 daemon) does not support the %smartcard configuration 
specifier. Only pluto (IKEv1) does. Either use IKEv1 or hope for an 
answer to this question, which I recently posted myself :-)

"charon IKEv2 usb smartcard dongle integration"


Dimitrios Siganos




[strongSwan] Need help reviewing a tutorial on smartcards

2010-04-08 Thread François Pérou
Dear friends,

I am writing a tutorial on smartcards for strongSwan:
http://www.gooze.eu/howto/using-strongswan-with-smart-cards

I cannot configure roadwarrior Carol with smartcards:
http://www.gooze.eu/howto/using-strongswan-with-smart-cards/configuring-road-warrior-carol

%smartcard is not recognized:

01[DMN] Starting IKEv2 charon daemon (strongSwan 4.3.2)
01[LIB] loading plugin 'sha1'
failed: /usr/lib/ipsec/plugins/libstrongswan-sha1.so: cannot open shared
object file: No such file or directory
01[LIB] loading plugin 'fips-prf'
failed: /usr/lib/ipsec/plugins/libstrongswan-fips-prf.so: cannot open
shared object file: No such file or directory
01[KNL] listening on interfaces:
01[KNL]   eth0
01[KNL]   wlan0
01[KNL] 192.168.0.7
01[KNL] fe80::21c:26ff:feca:223b
01[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
01[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
01[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
01[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
01[CFG] loading crls from '/etc/ipsec.d/crls'
01[CFG] loading secrets from '/etc/ipsec.secrets'
01[CFG] line 11: the given %smartcard specifier is not supported or
invalid
01[LIB] loading plugin 'sql'
failed: /usr/lib/ipsec/plugins/libstrongswan-sql.so: cannot open shared
object file: No such file or directory
01[LIB] loading plugin 'attr'
failed: /usr/lib/ipsec/plugins/libstrongswan-attr.so: cannot open shared
object file: No such file or directory
01[CFG] no RADUIS secret defined
01[CFG] RADIUS plugin initialization failed
01[LIB] loading plugin 'eapradius' failed: plugin_create() returned NULL
01[CFG] mediation database URI not defined, skipped
01[LIB] loading plugin 'medsrv' failed: plugin_create() returned NULL
01[CFG] mediation client database URI not defined, skipped
01[LIB] loading plugin 'medcli' failed: plugin_create() returned NULL
01[LIB] loading plugin 'nm'
failed: /usr/lib/ipsec/plugins/libstrongswan-nm.so: cannot open shared
object file: No such file or directory
01[LIB] loading plugin 'resolv-conf'
failed: /usr/lib/ipsec/plugins/libstrongswan-resolv-conf.so: cannot open
shared object file: No such file or directory
01[DMN] loaded plugins: curl ldap random x509 pubkey openssl xcbc hmac
agent gmp kernel-netlink stroke updown eapidentity eapmd5 eapgtc eapaka
eapmschapv2
01[JOB] spawning 16 worker threads
05[CFG] received stroke: add connection 'home'
05[CFG] left nor right host is our side, assuming left=local
05[LIB]   reading file '/etc/ipsec.d/certs/%smartcard' failed
05[LIB] failed to create a builder for credential type CRED_CERTIFICATE,
subtype (1)
05[CFG] added configuration 'home'
01[DMN] signal of type SIGINT received. Shutting down

pkcs11-tool -L
Available slots:
Slot 4294967295  Virtual hotplug slot
  (empty)
Slot 1   Feitian SCR301 01 00
  token label:   Jean-Michel Pouré (User PIN)
  token manuf:   EnterSafe
  token model:   PKCS#15
  token flags:   rng, login required, PIN initialized, token initialized
  serial num  :  2998511513171109
Slot 2   Feitian SCR301 01 00
  (empty)
Slot 3   Feitian SCR301 01 00
  (empty)
Slot 4   Feitian SCR301 01 00
  (empty)

pkcs11-tool --slot 1 --list-objects
Public Key Object; RSA 2048 bits
  label:  Public Key
  ID: 7645d913d5b4e02324c23a7ebf4
  Usage:  none
Certificate Object, type = X.509 cert
  label:  CAcert WoT User's Root CA ID
  ID: 7645d913d5b402324c23a7ebf4
Public Key Object; RSA 2048 bits
  label:  Public Key
  ID: 6d0534d04axx571deec58
  Usage:  none
Certificate Object, type = X.509 cert
  label:  StartCom Free Certificate Member's StartCom Ltd. ID
  ID: 6d0534d04ax7a2e33571deec58

Could you help and review these settings?
What debug information can I provide?

Kind regards,
François


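As an added example (not code from this thread or from strongSwan), a small Python checker for the `pkcs11-tool --list-objects` format shown in the original post: it reports, per certificate, whether a private key object with the same ID is visible, which is the condition pluto's "unable to locate my private key" is complaining about, and it covers both passages (the "which private key?" question and the object listing). The sample listings and their IDs are constructed, and the `%smartcard<slot>:<id>` string it builds follows the strongSwan 4.x pluto ipsec.conf syntax as an assumption, with the slot number taken as the one pkcs11-tool printed.

```python
import re

# Constructed samples in the format of `pkcs11-tool --slot 1 --list-objects`
# (IDs are made up). The first mirrors a listing taken WITHOUT --login: no
# Private Key Object appears, and the certificate ID differs from the
# public key ID. The second is the same token listed after --login.
SAMPLE_NO_LOGIN = """\
Public Key Object; RSA 2048 bits
  label:  Public Key
  ID:     7645d913d5b4e02324c23a7ebf4
Certificate Object, type = X.509 cert
  label:  CAcert WoT User's Root CA ID
  ID:     7645d913d5b402324c23a7ebf4
"""
SAMPLE_LOGIN = """\
Private Key Object; RSA
  label:  Private Key
  ID:     7645d913d5b4e02324c23a7ebf4
  Usage:  decrypt, sign
Public Key Object; RSA 2048 bits
  label:  Public Key
  ID:     7645d913d5b4e02324c23a7ebf4
Certificate Object, type = X.509 cert
  label:  CAcert WoT User's Root CA ID
  ID:     7645d913d5b4e02324c23a7ebf4
"""

_HEADER = re.compile(r"^(Private Key|Public Key|Certificate) Object")


def parse_objects(listing: str) -> list:
    """Return (kind, attributes) per object; indented 'key: value' lines
    belong to the most recent object header."""
    objects = []
    for line in listing.splitlines():
        m = _HEADER.match(line)
        if m:
            objects.append((m.group(1), {}))
        elif line.startswith("  ") and ":" in line and objects:
            key, _, value = line.strip().partition(":")
            objects[-1][1][key.strip()] = value.strip()
    return objects


def check_certificates(listing: str, slot: int) -> list:
    """One entry per certificate: is a private key with the same ID visible?
    leftcert uses the `%smartcard<slot>:<id>` form of strongSwan 4.x pluto
    (assumed syntax; slot is whatever pkcs11-tool printed)."""
    objs = parse_objects(listing)
    privkeys = {a.get("ID") for k, a in objs if k == "Private Key"}
    pubkeys = {a.get("ID") for k, a in objs if k == "Public Key"}
    report = []
    for kind, attrs in objs:
        if kind != "Certificate":
            continue
        cid = attrs.get("ID", "")
        if cid in privkeys:
            status = "ok"
        elif not privkeys:
            status = "no-private-keys-visible"   # nothing usable: not logged in?
        else:
            status = "private-key-id-mismatch"   # keys exist, none for this cert
        report.append({"label": attrs.get("label", ""), "id": cid,
                       "pubkey_match": cid in pubkeys, "status": status,
                       "leftcert": f"%smartcard{slot}:{cid}"})
    return report
```

Run it on the real `pkcs11-tool --slot N --list-objects --login` output of the card: a certificate whose status is not "ok" is one pluto cannot sign with, whatever ipsec.secrets says.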