Hi, I am attempting to establish a connection between a Debian squeeze x86 and an ARM board with busybox.
First I checked my configuration between two Debian x86 machines, one PC with a smartcard for authentication and the other with "server" certificates. This works fine; I verified with wireshark that the network packets are encrypted.

I use the latest version of OpenSC and pcscd without trouble. I compiled them for x86 and arm. I can read the smartcard pubkey with pkcs15-tool and pkcs11-tool.

I cross compiled strongswan with

./configure --host=armel-unknown-linux-gnueabi --prefix=/usr --sysconfdir=/etc --localstatedir=/var --libexecdir=/usr/lib --enable-smartcard --with-default-pkcs11=/usr/lib/opensc-pkcs11.so --enable-openssl --enable-test-vectors host_alias=armel-unknown-linux-gnueabi --no-create --no-recursion --enable-eap-radius --enable-eap-identity --enable-eap-md5 --enable-eap-gtc --enable-eap-aka --enable-eap-mschapv2

It's close to the Debian rules. But I can't bring up the connection from ARM. I get:

# ipsec up home
002 "home" #2: initiating Main Mode
002 "home" #2: ike alg: unable to retrieve my private key
002 "home" #2: ike alg: unable to retrieve my private key
003 "home" #2: empty ISAKMP SA proposal to send (no algorithms for ike selection?)

#ipsec listpukeys shows nothing. But on the PC, I see the public certificate of the smartcard. I don't understand why.

I copied the server certificates and CRL onto the board to use openssl, and I can display them, so it is not a libcrypto issue. In the Linux kernel, I enabled all crypto algorithms and I have verified the kernel modules: http://wiki.strongswan.org/projects/strongswan/wiki/KernelModules

I thought that the conf would be the same on the 2 architectures, but no...

Advice and help are welcome :o)

Claude

log parts
.....................................
found cert in slot: 1 with id: ab876dfe0c6c3xxxxxxxxxxxxxxxxxxxxx
| L0 - x509:
................................
| *received whack message
listening for IKE messages
| found lo with address 127.0.0.1
| found eth0 with address 192.168.0.2
adding interface eth0/eth0 192.168.0.2:500
adding interface lo/lo 127.0.0.1:500
| found lo with address 0000:0000:0000:0000:0000:0000:0000:0001
adding interface lo/lo ::1:500
| certs and keys locked by 'free_preshared_secrets'
| certs and keys unlocked by 'free_preshard_secrets'
loading secrets from "/etc/ipsec.secrets"
| smartcard #1 added
| pkcs11 session #805032 for searching slot 1
| found token with id ab876dfe0c6c3xxxxxxxxxxxxxxxxxxxxx in slot 1
| pkcs11 session #805032 opened
| PIN code correct
| pkcs11 session #805032 login successful
valid PIN for #1 (slot: 1, id: ab876dfe0c6c3xxxxxxxxxxxxxxxxxxxxx)
| certs and keys locked by 'process_secret'
| certs and keys unlocked by 'process_secrets'
.............................................
"home" #1: initiating Main Mode
| **emit ISAKMP Message:
| initiator cookie:
| 3c f0 53 5f 84 dc c7 6d
| responder cookie:
| 00 00 00 00 00 00 00 00
| next payload type: ISAKMP_NEXT_SA
| ISAKMP version: ISAKMP Version 1.0
| exchange type: ISAKMP_XCHG_IDPROT
| flags: none
| message ID: 00 00 00 00
| ***emit ISAKMP Security Association Payload:
| next payload type: ISAKMP_NEXT_VID
| DOI: ISAKMP_DOI_IPSEC
| ****emit IPsec DOI SIT:
| IPsec DOI SIT: SIT_IDENTITY_ONLY
| ike proposal: AES_CBC_128/HMAC_SHA1/MODP_2048, 3DES_CBC/HMAC_SHA1/MODP_1536,
"home" #1: ike alg: unable to retrieve my private key
"home" #1: ike alg: unable to retrieve my private key
"home" #1: empty ISAKMP SA proposal to send (no algorithms for ike selection?)
............................................

_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users