Hi Martin,

> > > : PIN %smartcard:70ee000003ef %prompt
> > > [...]
> > > pkcs11_public_key_connect later on fails.
> >
> > Does your token contain a public key object that is readable without login?

[[GR]] Yes

> Does this public key have the same CKA_ID keyid as the associated private
> key?

[[GR]] Not sure. pkcs11-tool -O only shows the certificate ID, not the ID of the public key. Which tool can I use to view the public key ID? At least the private key ID is the same as the certificate ID:

    pkcs11-tool --module /usr/lib/libetpkcs11.so -O -l --private
    Please enter User PIN:
    Private Key Object; RSA
      label:      eTCAPI private key
      ID:         39453945373335312d333545442d343031612d384637302d3238463636393036363042303a30
      Usage:      decrypt, sign, unwrap
    Private Key Object; RSA
      label:      eTCAPI private key
      ID:         39453945373335312d333545442d343031612d384637302d3238463636393036363042303a31
      Usage:      decrypt, sign, unwrap
    Certificate Object, type = X.509 cert
      label:      (eTCAPI) richter3's ID
      ID:         39453945373335312d333545442d343031612d384637302d3238463636393036363042303a30
    Certificate Object, type = X.509 cert
      label:      (eTCAPI) richter3's ID
      ID:         39453945373335312d333545442d343031612d384637302d3238463636393036363042303a31

> > This is required to find the correct module and slot before login. If it
> > isn't the case, you might try to specify module and slot explicitly (man
> > ipsec.secrets for syntax details). This way the login is enforced without
> > checking for a public key, so make sure to select the right module and token.

[[GR]] http://wiki.strongswan.org/projects/strongswan/wiki/PinSecret says:

"The IKEv2 daemon supports multiple modules (configured in strongswan.conf) with the format %smartcard[<slotnr>[@<module>]]:<keyid>, but always requires a keyid to uniquely select the correct key."

And as expected, if I try

    : PIN %smartcard1@etoken-module %prompt

I get

    charon: 15[CFG] line 22: the given %smartcard specifier is invalid

There was a second question in my original mail. With my second card "ipsec secrets" works and the private key is loaded correctly, but when it comes to authentication, no private RSA key is found.

Is there another way to specify the private key in addition to giving the subject as leftid?

Thanks & Regards
Gerald

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
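Added example (not part of the mail thread and not strongSwan or OpenSC code): a small POSIX shell script that answers the CKA_ID question from the thread by reading the plain `pkcs11-tool -O` listing and reporting every private key whose ID has no public key object with the same ID. It assumes the listing format shown in the mail (an object header such as "Private Key Object; RSA" followed by indented "ID:" lines), uses the module path from the mail only as a default, and runs offline against a constructed sample listing so nothing here is captured from a real token.

```shell
#!/bin/sh
# Added example: pair private key CKA_IDs with public key CKA_IDs from
# pkcs11-tool -O output. Sample data below is constructed, not real.

# Module path taken from the mail; override with PKCS11_MODULE=/path/to/module.so
MODULE="${PKCS11_MODULE:-/usr/lib/libetpkcs11.so}"

# extract_ids CLASS: read a pkcs11-tool -O listing on stdin and print the ID of
# every object whose header line starts with CLASS, one ID per line.
# Headers look like "Public Key Object; RSA 2048 bits" or
# "Certificate Object, type = X.509 cert"; attribute lines are indented.
extract_ids() {
    awk -v class="$1" '
        /^[A-Za-z ]+ Object[;,]/ { inobj = (index($0, class) == 1); next }
        inobj && $1 == "ID:"     { print $2 }
    '
}

# find_unmatched: read a listing on stdin and print each private key ID that
# has no public key object carrying the same ID. Prints nothing when every
# private key is paired, which is the state the daemon needs before login.
find_unmatched() {
    listing=$(cat)
    pub_ids=$(printf '%s\n' "$listing" | extract_ids "Public Key Object")
    priv_ids=$(printf '%s\n' "$listing" | extract_ids "Private Key Object")
    pub_list=" $(echo $pub_ids) "      # space-separated with sentinel spaces
    for id in $priv_ids; do
        case "$pub_list" in
            *" $id "*) ;;              # paired: public key with same CKA_ID
            *) echo "$id" ;;           # unpaired: only a cert (or nothing)
        esac
    done
}

# Constructed sample listing: key aa00 has a public key object, key aa01
# shares its ID only with a certificate, which is the situation the thread
# is trying to diagnose.
SAMPLE='Public Key Object; RSA 2048 bits
  label:      eTCAPI public key
  ID:         aa00
  Usage:      encrypt, verify, wrap
Private Key Object; RSA
  label:      eTCAPI private key
  ID:         aa00
  Usage:      decrypt, sign, unwrap
Private Key Object; RSA
  label:      eTCAPI private key
  ID:         aa01
  Usage:      decrypt, sign, unwrap
Certificate Object, type = X.509 cert
  label:      sample cert
  ID:         aa01'

# check_sample: run the comparison over the constructed listing.
check_sample() {
    printf '%s\n' "$SAMPLE" | find_unmatched
}

# live_check: same comparison against the real token. Private key objects are
# only listed after login (-l); the PIN prompt goes to the terminal and the
# object listing to find_unmatched.
live_check() {
    pkcs11-tool --module "$MODULE" -O -l | find_unmatched
}

if [ "${1:-}" = "--live" ]; then
    live_check
else
    check_sample
fi
```

Run without arguments to see the sample result (it prints `aa01`); run with `--live` to check the token itself. Listing public keys without `-l` first (pkcs11-tool also accepts `--type pubkey` to narrow the listing) shows whether the public key object is readable before login, which is the other half of the question raised in the thread.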
