<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 TRANSITIONAL//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=UTF-8">
<META NAME="GENERATOR" CONTENT="GtkHTML/3.3.2">
</HEAD>
<BODY>
I have attempted to setup X.509 Smartcard in both Openswan 2.2 and 2.3dr2 with no success -- any help would be appreciated. Smartcard hardware is an Omnikey Cardman 4040 PCMCIA reader, card is a Schlumberger Cryptoflex 32k smartcard prepared with the standard pkcs15-init utilities and loaded with two 2048-bit private keys and corresponding certificates. OS is Fedora Core 2/3, card software is opensc-0.9.2 (have also tried 0.8.1 stable), and pcsc-lite 1.2.0. This hardware/software setup works in other contexts (e.g., opensc-pam, card-based encryption).<BR>
<BR>
My connection has been set up in accordance with the instructions in the X.509 documentation:<BR>
<BR>
ipsec.conf [snip]:<BR>
<BR>
<PRE>
><FONT COLOR="#000000"> left=%defaultroute # Picks up our dynamic IP</FONT>
><FONT COLOR="#000000"> authby=rsasig # use RSA based authentication with certificates </FONT>
><FONT COLOR="#000000"> leftid=test@testing.com # Local information</FONT>
><FONT COLOR="#000000"> leftcert=%smartcard0:46</FONT> # [Have also tried %smartcard, %smartcard0:45]
><FONT COLOR="#000000"> right=70.10.10.10 # Remote information</FONT>
><FONT COLOR="#000000"> rightsubnet=192.168.1.0/24</FONT>
><FONT COLOR="#000000"> rightid=vpn@testing.com # Remote information</FONT>
><FONT COLOR="#000000"> auto=add # authorizes but doesn't start this</FONT>
><FONT COLOR="#000000"> # connection at startup</FONT>
</PRE>
<FONT COLOR="#000000">ipsec.secrets [snip]:</FONT><BR>
<BR>
> : PIN %smartcard0:46 %prompt [Have also tried %smartcard, %smartcard0:45]<BR>
<BR>
After attempting the connection, ipsec barf produces [snip]:
<PRE>
>Oct 28 16:51:13 localhost ipsec__plutorun: Starting Pluto subsystem...
>Oct 28 16:51:14 localhost pluto[17594]: Starting Pluto (Openswan Version 2.3.0dr2 X.509-1.5.4 PLUTO_USES_KEYRR)
>Oct 28 16:51:14 localhost pluto[17594]: including NAT-Traversal patch (Version 0.6c) [disabled]
>Oct 28 16:51:14 localhost pluto[17594]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
>Oct 28 16:51:14 localhost pluto[17594]: Using Linux 2.6 IPsec interface code
>Oct 28 16:51:14 localhost pluto[17594]: Changing to directory '/etc/ipsec.d/cacerts'
>Oct 28 16:51:14 localhost pluto[17594]: loaded CA cert file 'CERT_testca_CA.pem' (1448 bytes)
>Oct 28 16:51:14 localhost pluto[17594]: Could not change to directory '/etc/ipsec.d/aacerts'
>Oct 28 16:51:14 localhost pluto[17594]: Changing to directory '/etc/ipsec.d/ocspcerts'
>Oct 28 16:51:15 localhost pluto[17594]: Changing to directory '/etc/ipsec.d/crls '
>Oct 28 16:51:15 localhost pluto[17594]: Warning: empty directory
>Oct 28 16:51:15 localhost pluto[17594]: could not open host cert file '/etc/ipsec.d/certs/%smartcard0:46'
>Oct 28 16:51:15 localhost pluto[17594]: added connection description "roadwarrior"
>Oct 28 16:51:15 localhost pluto[17594]: listening for IKE messages
>Oct 28 16:51:15 localhost pluto[17594]: adding interface eth0/eth0 192.168.1.1
>Oct 28 16:51:15 localhost pluto[17594]: adding interface lo/lo 127.0.0.1
>Oct 28 16:51:15 localhost pluto[17594]: adding interface lo/lo ::1
>Oct 28 16:51:15 localhost pluto[17594]: loading secrets from "/etc/ipsec.secrets "
>Oct 28 16:51:15 localhost pluto[17594]: "/etc/ipsec.secrets" line 8: Smartcard not supported
>+ _________________________ date
</PRE>
I thought that the problem might stem from the fact that smartcard support is turned off in the default configuration, and tried the fedora-rawhide, openswan.org, atrpms, and other binary packages without success.<BR>
<BR>
I also tried building from source after editing the Makefile to enable smartcard=true, and tried running rpmbuild on the .specfile, all to no avail. Any suggestions? Any howto for building smartcard-enabled RPM packages?<BR>
<BR>
Best,<BR>
Paul Raus
</BODY>
</HTML>