First, you need to tell strongSwan to use the smartcard reader.
strongSwan supports smartcards only through the pluto backend; the charon backend does not support smartcards.
Edit /etc/ipsec.conf:
config setup
    crlcheckinterval=180
    strictcrlpolicy=no
    charonstart=no
    plutostart=yes
    pkcs11module=/usr/lib/opensc-pkcs11.so
    pkcs11keepstate=yes
    plutodebug=all               # during testing you will need full debug output
    plutostderrlog=/var/log/pluto.log

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev1

conn home
    left=%defaultroute
    leftcert=%smartcard
    leftfirewall=yes
    right=192.168.0.1
    rightid=@moon.strongswan.org
    rightsubnet=10.1.0.0/16
    auto=add
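The settings above interact: leftcert=%smartcard only works when pluto is the running daemon and pkcs11module points at the PKCS#11 library, and plutodebug=all is a testing setting that writes verbose output to the log file. The following script, an added example that is not part of the original page or of strongSwan, parses a pluto-era ipsec.conf and reports those three conditions. The configuration text it reads is constructed from the settings shown above; the function names are the example's own.

```python
"""Check a pluto-era ipsec.conf for the smartcard prerequisites described above.

Added example, not strongSwan code. SAMPLE_IPSEC_CONF is constructed from
the settings shown on the page.
"""
import re

SAMPLE_IPSEC_CONF = """\
config setup
    crlcheckinterval=180
    strictcrlpolicy=no
    charonstart=no
    plutostart=yes
    pkcs11module=/usr/lib/opensc-pkcs11.so
    pkcs11keepstate=yes
    plutodebug=all               # during testing you will need full debug output
    plutostderrlog=/var/log/pluto.log

conn %default
    ikelifetime=60m
    keyexchange=ikev1

conn home
    left=%defaultroute
    leftcert=%smartcard
    right=192.168.0.1
    auto=add
"""


def parse_ipsec_conf(text):
    """Return {section: {key: value}} for 'config setup' and 'conn ...' sections.

    Only a '#' preceded by whitespace starts a comment, so a value such as
    %smartcard#1 (the page's "nth object" selector) is not truncated.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = re.split(r"\s+#", raw, maxsplit=1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():            # unindented line opens a section
            current = line.strip()
            sections[current] = {}
        elif current is not None:
            key, _, value = line.strip().partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


def check_smartcard_setup(sections):
    """Return a list of findings (empty when the smartcard setup is consistent)."""
    findings = []
    setup = sections.get("config setup", {})
    uses_smartcard = any(
        value.startswith("%smartcard")
        for name, opts in sections.items() if name.startswith("conn ")
        for key, value in opts.items() if key in ("leftcert", "rightcert")
    )
    if uses_smartcard and setup.get("plutostart") == "no":
        findings.append("%smartcard requires plutostart=yes; charon does not support smartcards")
    if uses_smartcard and not setup.get("pkcs11module"):
        findings.append("pkcs11module is not set; pluto cannot load the PKCS#11 library")
    if setup.get("plutodebug") == "all":
        findings.append("plutodebug=all is for testing; reduce it before production use")
    return findings


if __name__ == "__main__":
    for finding in check_smartcard_setup(parse_ipsec_conf(SAMPLE_IPSEC_CONF)):
        print("finding:", finding)
```

Run against the sample it reports only the plutodebug=all finding, which is the expected state while testing; the same check flags a configuration that has been switched back to plutostart=no without removing leftcert=%smartcard.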
In most cases there is a single smartcard reader or cryptotoken and only one RSA private key safely stored on the crypto device.
The entry
    leftcert=%smartcard
stands for the full notation:
This is sufficient where the first certificate/private key object enumerated by the PKCS#11 module is used. If several certificate/private key objects are present, the nth object can be selected using
The ipsec listcards command gives an overview of all certificate objects made available by the PKCS#11 module. CA certificates are automatically available as trust anchors without the need to copy them into the /etc/ipsec.d/cacerts/ directory first:
000
000 List of Smartcard Objects:
000
000 Apr 09 08:52:05 2010, #1, count: 3
000 slot: 5, session closed, logged out, has valid pin
000 id: 7645d913d5b4****************324c23a7ebf4
000 label: 'CAcert WoT User's Root CA ID'
000 subject: 'CN=CAcert WoT User, E=****************, E=*****************'
000 Apr 09 08:52:05 2010, #2, count: 1
000 slot: 5, session closed, logged out, has no pin
000 id: 6d0534d04a8b***************2e33571deec58
000 label: 'StartCom Free Certificate Member's StartCom Ltd. ID'
000 subject: 'D=1767**************6l5, O=Persona Not Validated, CN=StartCom Free Certificate Member, E=**************'
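The listing above is what an administrator reads to decide which object to reference from ipsec.conf; the "has valid pin" / "has no pin" field is also the place to notice a key that is usable without PIN protection. The following parser, an added example that is not part of the original page or of strongSwan, turns ipsec listcards output into records and reports the objects that have no PIN. The sample listing is constructed in the format shown above, with the same masked IDs and addresses; the record and function names are the example's own.

```python
"""Parse ``ipsec listcards`` output (pluto's whack listing of PKCS#11 objects).

Added example, not strongSwan code. SAMPLE_LISTCARDS is constructed in the
format shown on the page; IDs and e-mail addresses are masked as there.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

SAMPLE_LISTCARDS = """\
000
000 List of Smartcard Objects:
000
000 Apr 09 08:52:05 2010, #1, count: 3
000        slot: 5, session closed, logged out, has valid pin
000        id: 7645d913d5b4****************324c23a7ebf4
000        label: 'CAcert WoT User's Root CA ID'
000        subject: 'CN=CAcert WoT User, E=****************'
000 Apr 09 08:52:05 2010, #2, count: 1
000        slot: 5, session closed, logged out, has no pin
000        id: 6d0534d04a8b***************2e33571deec58
000        label: 'StartCom Free Certificate Member's StartCom Ltd. ID'
000        subject: 'O=Persona Not Validated, CN=StartCom Free Certificate Member'
"""


@dataclass
class CardObject:
    index: int                      # the "#n" position in pluto's enumeration
    slot: Optional[int] = None      # PKCS#11 slot number
    has_pin: Optional[bool] = None  # False when the listing says "has no pin"
    obj_id: str = ""                # PKCS#11 object ID (hex)
    label: str = ""
    subject: str = ""


# One regex per line type; the "000 " prefix is whack's status-line marker.
HEADER_RE = re.compile(r"^000 .*?, #(\d+), count: \d+$")
SLOT_RE = re.compile(r"^000\s+slot: (\d+),.*?has (valid|no) pin$")
FIELD_RE = re.compile(r"^000\s+(id|label|subject): (.*)$")


def parse_listcards(text: str) -> List[CardObject]:
    """Return one CardObject per '#n' entry, in listing order."""
    objects: List[CardObject] = []
    current: Optional[CardObject] = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = CardObject(index=int(m.group(1)))
            objects.append(current)
            continue
        if current is None:
            continue                      # banner lines before the first entry
        m = SLOT_RE.match(line)
        if m:
            current.slot = int(m.group(1))
            current.has_pin = m.group(2) == "valid"
            continue
        m = FIELD_RE.match(line)
        if m:
            key, value = m.groups()
            value = value.strip("'")      # outer quotes only; inner apostrophes stay
            setattr(current, "obj_id" if key == "id" else key, value)
    return objects


def objects_without_pin(objects: List[CardObject]) -> List[CardObject]:
    """Objects whose listing reports 'has no pin', i.e. no PIN guards the key."""
    return [o for o in objects if o.has_pin is False]


if __name__ == "__main__":
    for obj in parse_listcards(SAMPLE_LISTCARDS):
        print(f"#{obj.index} slot {obj.slot} pin={obj.has_pin} label={obj.label!r}")
    for obj in objects_without_pin(parse_listcards(SAMPLE_LISTCARDS)):
        print(f"no PIN on object #{obj.index} ({obj.label})")
```

The index field is the position the page refers to when it speaks of selecting the nth object, and slot plus ID are the two values its slot/ID notation takes, so the parsed record carries everything needed to write the leftcert entry without copying it by hand from the log.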
As an alternative, the certificate ID and/or the slot number defined by the PKCS#11 standard can be specified using the notation
Thus
will look in all available slots for ID 0x50, starting with the first slot (usually slot 0), whereas
will directly check slot 4 (which is usually the first slot on the second reader/token when using the OpenSC library) for a key with ID 0x50.