Hi,
I have been using smartcards with pluto for a long time, but now trying to
switch to strongswan 5 and I can't get it working anymore.
I have two smartcards. An eToken with Siemens Card OS and a mIdentity with a
TCOS 3.0 card.
I added the pkcs11 libs to strongswan.conf and "ipsec listcerts" shows me the
certificates on the smartcards ("ipsec listcards" does not show anything).
Trouble starts when I use "ipsec secrets". /etc/ipsec.secrets looks like:
: PIN
%smartcard:39453945373335312D333545442D343031612D384637302D3238463636393036363042303A31
%prompt
: PIN %smartcard:70ee000003ef %prompt
The long id is for the eToken. I had to enlarge the line length in stroke_cred.c,
but it does not find its private key. When I change
CK_OBJECT_CLASS class = CKO_PUBLIC_KEY;
to
CK_OBJECT_CLASS class = CKO_CERTIFICATE;
in file Pkcs11_private_key.c in function find_lib_by_keyid (like pluto has
done), the public key is found, but pkcs11_public_key_connect later on fails. I
don't know which id to use to find the correct public key.
The TCOS private key is loaded correctly (during ipsec secrets), but when I
start the connection, I get the message "no private key found" for that id.
I have given the subject of the certificate as leftid in ipsec.conf. Is this
correct? Note that on the smartcard there are two certificates with the same subject.
Is there any other way to specify which key to use? From the code it looks like
it is possible to use the fingerprint, but how could it be specified?
Any help appreciated
Thanks & Regards
Gerald
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
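The two %smartcard entries quoted in the mail are a useful check in themselves. The following is an added example, not code from the post or from strongSwan: it parses entries of the form ": PIN %smartcard:<hex-keyid> %prompt" (including the one wrapped over several lines), decodes the hex key id and reports whether the id is printable ASCII. On this sample it shows that the eToken's 38-byte id is the ASCII string of a GUID-style label, while the TCOS id is six raw bytes. Treating any line that does not start with ":" as a continuation of the previous entry is an assumption made for this sample, not strongSwan's parser.

```python
import re
import string

# Constructed sample reproducing the /etc/ipsec.secrets entries from the mail
# (the first entry is wrapped over three lines, as in the post).
SAMPLE_SECRETS = """\
: PIN
%smartcard:39453945373335312D333545442D343031612D384637302D3238463636393036363042303A31
%prompt
: PIN %smartcard:70ee000003ef %prompt
"""

SMARTCARD_RE = re.compile(r"%smartcard:([0-9A-Fa-f]+)")


def join_entries(text):
    """Re-join wrapped entries. Assumption: an entry starts with ':' and any
    following line that does not start with ':' belongs to the same entry."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith(":") or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries


def check_smartcard_keyids(text):
    """Return one record per %smartcard entry: the hex id as written, the
    decoded bytes, their length and whether they form printable ASCII."""
    printable = set(string.printable) - set("\t\n\r\x0b\x0c")
    results = []
    for entry in join_entries(text):
        for hexid in SMARTCARD_RE.findall(entry):
            if len(hexid) % 2:  # odd-length hex cannot be a byte string
                results.append({"hex": hexid, "error": "odd number of hex digits"})
                continue
            raw = bytes.fromhex(hexid)
            is_text = all(chr(b) in printable for b in raw)
            results.append({
                "hex": hexid,
                "bytes": raw,
                "length": len(raw),
                "ascii": raw.decode("ascii") if is_text else None,
            })
    return results


if __name__ == "__main__":
    for rec in check_smartcard_keyids(SAMPLE_SECRETS):
        print(rec)
```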