Hi all! I'm testing smartcard and USB token support with IKEv2. After applying some patches from Martin, smartcard support in strongSwan (IKEv2) works great for me. Take a look at [1] to find the patches and some hints about the config in IKEv2.

I was able to successfully test the following devices:
- Feitian SmartCard
- Aladdin's eToken
- Feitian ePass PKI Token

Now, I'm trying to get smartcard support to work with the NetworkManager plugin. However, I can't establish a VPN tunnel. I think it's not a smartcard issue; something seems to be misconfigured. This configuration, however, is working with the normal certificate NetworkManager setup (without smartcard).

Thanks
Peter

[1] https://lists.strongswan.org/pipermail/users/2010-November/005560.html

Here are the config/logs:

client-log:
00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.0)
00[CFG] loaded PKCS#11 v2.20 library 'openSC' (/usr/lib/opensc-pkcs11.so)
00[CFG] OpenSC (www.opensc-project.org): Smart card PKCS#11 API v0.0
00[CFG] found token in slot 'openSC':1 (Feitian SCR301 00 00)
00[CFG] Peter (User PIN) (EnterSafe: PKCS#15)
00[CFG] loaded trusted cert 'Certificate'
00[CFG] loaded trusted cert 'Certificate'
..
NetworkManager[910]: <info> VPN service 'org.freedesktop.NetworkManager.strongswan' appeared, activating connections
00[DMN] loaded plugins: random x509 revocation pubkey pkcs1 pgp pem openssl agent pkcs11 xcbc hmac attr kernel-netlink resolve socket-default eap-md5 eap-gtc eap-mschapv2 nm
..
NetworkManager connection Mobile Pools Crypto Stick
10[CFG] using gateway certificate, identity 'C=DE, O=MoPo WLAN Test, CN=vpn-mopo.vpn.test.de'
NetworkManager[910]: <info> VPN plugin state changed: 3
10[CFG] found key on PKCS#11 token 'openSC':1
10[CFG] using smartcard certificate '[email protected]'
10[IKE] initiating IKE_SA Mobile Pools Crypto Stick[1] to 10.1.0.2
10[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
10[NET] sending packet: from 192.168.5.22[500] to 10.1.0.2[500]
NetworkManager[910]: <info> VPN connection 'Mobile Pools Crypto Stick' (Connect) reply received.
16[NET] received packet: from 10.1.0.2[500] to 192.168.5.22[500]
16[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
16[IKE] local host is behind NAT, sending keep alives
16[IKE] received cert request for "C=DE, O=MoPo WLAN Test, CN=MoPo Root-CA"
16[IKE] sending cert request for "C=DE, O=MoPo WLAN Test, CN=MoPo Root-CA"
16[IKE] authentication of 'wintererATinformatik.test.de' (myself) with RSA signature successful
16[IKE] sending end entity cert "C=DE, O=MoPo WLAN Test, CN=Peter"
16[IKE] establishing CHILD_SA Mobile Pools Crypto Stick
16[ENC] generating IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH CP(ADDR DNS DNS NBNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
..
01[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
01[IKE] received AUTHENTICATION_FAILED notify error

gateway-log:
...
13[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
13[NET] sending packet: from 10.1.0.2[500] to 10.206.3.148[500]
04[NET] received packet: from 10.206.3.148[4500] to 10.1.0.2[4500]
04[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH CP(ADDR DNS DNS NBNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N((16417)) ]
04[IKE] received cert request for "C=DE, O=MoPo WLAN Test, CN=MoPo Root-CA"
04[IKE] received end entity cert "C=DE, O=MoPo WLAN Test, CN=Peter Winterer"
04[CFG] looking for peer configs matching 10.1.0.2[C=DE, O=MoPo WLAN Test, CN=vpn-mopo.vpn.test.de]...10.206.3.148[wintererATinformatik.test.de]
15[CFG] no matching peer config found
...

gateway config (this config works with NetworkManager clients):
...
conn rw2-intern
    right=%any
    rightid="C=DE, O=MoPo WLAN Test, CN=*"
    left=10.1.0.2
    leftsubnet=0.0.0.0/0
    leftcert=cert.pem

I tried this config too, with no success:

conn mopo-sc-intern
    right=%any
    left=10.1.0.2
    leftsubnet=0.0.0.0/0
    leftcert=cert.pem
    rightid=ATinformatik.test.de
    auto=add
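An added example, not part of Peter's post and not strongSwan's own code: a small Python script that pulls IDr and IDi out of the gateway's "looking for peer configs matching" line and checks each candidate rightid from the two conn blocks against the IDi the client actually sent. The matching function is a deliberately simplified, hypothetical approximation of strongSwan's identity comparison (%any matches everything, non-DN identities compare as strings, DN identities compare per RDN with * as a wildcard); the identities are kept exactly as they appear in the logs above.

```python
import re

# Constructed sample: the relevant lines from the gateway log in the post above,
# identities kept exactly as they appear there (including the obfuscation).
GATEWAY_LOG = [
    '04[IKE] received end entity cert "C=DE, O=MoPo WLAN Test, CN=Peter Winterer"',
    "04[CFG] looking for peer configs matching 10.1.0.2[C=DE, O=MoPo WLAN Test, "
    "CN=vpn-mopo.vpn.test.de]...10.206.3.148[wintererATinformatik.test.de]",
    "15[CFG] no matching peer config found",
]

PEER_RE = re.compile(
    r"looking for peer configs matching \S+?\[(?P<idr>[^\]]*)\]\.\.\.\S+?\[(?P<idi>[^\]]*)\]"
)


def parse_ids(lines):
    """Return (IDr, IDi) from charon's 'looking for peer configs matching' line."""
    for line in lines:
        m = PEER_RE.search(line)
        if m:
            return m.group("idr"), m.group("idi")
    raise ValueError("no 'looking for peer configs matching' line found")


def parse_dn(dn):
    """Split 'C=DE, O=Org, CN=name' into [(attr, value), ...]."""
    return [tuple(s.strip() for s in rdn.strip().partition("=")[::2]) for rdn in dn.split(",")]


def identity_matches(rightid, peer_id):
    """Hypothetical simplification of strongSwan identity matching, not its code."""
    if rightid == "%any":
        return True
    want_dn, got_dn = "=" in rightid, "=" in peer_id
    if want_dn != got_dn:          # a DN rightid cannot match an FQDN/e-mail IDi
        return False
    if not want_dn:                # FQDN / e-mail: plain case-insensitive compare
        return rightid.lower() == peer_id.lower()
    want, got = parse_dn(rightid), parse_dn(peer_id)
    return len(want) == len(got) and all(
        wa.upper() == ga.upper() and (wv == "*" or wv == gv)
        for (wa, wv), (ga, gv) in zip(want, got))


def diagnose(log_lines, candidate_rightids):
    """Map each candidate rightid to whether it would match the IDi in the log."""
    _, idi = parse_ids(log_lines)
    return {rid: identity_matches(rid, idi) for rid in candidate_rightids}


if __name__ == "__main__":
    idr, idi = parse_ids(GATEWAY_LOG)
    print(f"IDr={idr!r}\nIDi={idi!r}")
    candidates = ["C=DE, O=MoPo WLAN Test, CN=*", "ATinformatik.test.de", "%any"]
    for rid, ok in diagnose(GATEWAY_LOG, candidates).items():
        print(f"{'match   ' if ok else 'no match'}  rightid={rid}")
```

The point the script makes visible is that the client authenticates as the non-DN identity from the smartcard certificate, so a DN-shaped rightid (even with a wildcard CN) and a different FQDN-shaped rightid both fail the peer-config lookup.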
