[Openswan Users] ISO help w/ X.509 Smartcard support problem

Vemcontact vemcontact at earthlink.net
Fri Oct 29 11:16:56 CEST 2004


I have attempted to set up X.509 Smartcard support in both Openswan 2.2
and 2.3dr2 with no success -- any help would be appreciated.  Smartcard
hardware is an Omnikey Cardman 4040 PCMCIA reader, card is a
Schlumberger Cryptoflex 32k smartcard prepared with the standard pkcs15-
init utilities and loaded with two 2048-bit private keys and
corresponding .pem format X.509 certificates.  OS is Fedora Core Linux
2/3, card software is opensc-0.9.2 (have also tried 0.8.1 stable), and
pcsc-lite 1.2.0.  This hardware/software setup works in other contexts
(e.g., opensc-pam, card-based encryption).

My connection has been set up in accordance with the instructions in the
X.509 documentation:

ipsec.conf [snip]:

>	left=%defaultroute               # Picks up our dynamic IP
>	authby=rsasig                    # use RSA based authentication with certificates
>	leftid=test at testing.com          # Local information
>	leftcert=%smartcard0:46          # [Have also tried %smartcard, %smartcard0:45]
>	right=70.10.10.10                # Remote information
>	rightsubnet=192.168.1.0/24
>	rightid=vpn at testing.com          # Remote information
>	auto=add                         # authorizes but doesn't start this
>	                                 # connection at startup
ipsec.secrets [snip]:

>	: PIN %smartcard0:46 %prompt     # [Have also tried %smartcard, %smartcard0:45, both with and without %prompt]

After attempting the connection, ipsec barf produces [snip]:

>Oct 28 16:51:13 localhost ipsec__plutorun: Starting Pluto subsystem...
>Oct 28 16:51:14 localhost pluto[17594]: Starting Pluto (Openswan Version 2.3.0dr2 X.509-1.5.4 PLUTO_USES_KEYRR)
>Oct 28 16:51:14 localhost pluto[17594]:   including NAT-Traversal patch (Version 0.6c) [disabled]
>Oct 28 16:51:14 localhost pluto[17594]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
>Oct 28 16:51:14 localhost pluto[17594]: Using Linux 2.6 IPsec interface code
>Oct 28 16:51:14 localhost pluto[17594]: Changing to directory '/etc/ipsec.d/cacerts'
>Oct 28 16:51:14 localhost pluto[17594]:   loaded CA cert file 'CERT_testca_CA.pem' (1448 bytes)
>Oct 28 16:51:14 localhost pluto[17594]: Could not change to directory '/etc/ipsec.d/aacerts'
>Oct 28 16:51:14 localhost pluto[17594]: Changing to directory '/etc/ipsec.d/ocspcerts'
>Oct 28 16:51:15 localhost pluto[17594]: Changing to directory '/etc/ipsec.d/crls'
>Oct 28 16:51:15 localhost pluto[17594]:   Warning: empty directory
>Oct 28 16:51:15 localhost pluto[17594]:   could not open host cert file '/etc/ipsec.d/certs/%smartcard0:46'
>Oct 28 16:51:15 localhost pluto[17594]: added connection description "roadwarrior"
>Oct 28 16:51:15 localhost pluto[17594]: listening for IKE messages
>Oct 28 16:51:15 localhost pluto[17594]: adding interface eth0/eth0 192.168.1.1
>Oct 28 16:51:15 localhost pluto[17594]: adding interface lo/lo 127.0.0.1
>Oct 28 16:51:15 localhost pluto[17594]: adding interface lo/lo ::1
>Oct 28 16:51:15 localhost pluto[17594]: loading secrets from "/etc/ipsec.secrets"
>Oct 28 16:51:15 localhost pluto[17594]: "/etc/ipsec.secrets" line 8: Smartcard not supported
>+ _________________________ date

I thought that the problem might stem from the fact that smartcard
support is turned off in the default configuration, and tried the
fedora-rawhide, openswan.org, atrpms, and other binary packages without
success.

I also tried building from source after editing the Makefile to enable
smartcard=true, and tried running rpmbuild on the .spec file, all to no
avail.  Any suggestions?  Any howto for building smartcard-enabled RPM
packages?

Best,
Paul Raus 
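As an added illustration (not part of the post above and not Openswan code), the following script correlates the two tell-tale lines in the quoted pluto log with the `%smartcard` references in the quoted configuration: pluto first tries to open `'/etc/ipsec.d/certs/%smartcard0:46'` as an ordinary file, and then rejects the secrets line with "Smartcard not supported", which together mean the `%smartcard` token was never recognised, i.e. the running pluto was built without smartcard support. The `%smartcard[<slot>[:<keyid>]]` shape of the token is assumed from the forms tried in the post; the sample configuration and log lines are copied from the post and trimmed, and the function names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assumed token shape, covering every form tried in the post:
# %smartcard, %smartcard0:45, %smartcard0:46 (key id is hex).
SMARTCARD_RE = re.compile(r"^%smartcard(?P<slot>\d+)?(?::(?P<keyid>[0-9a-fA-F]+))?$")


@dataclass
class SmartcardRef:
    slot: Optional[int]    # reader slot number, None = pluto's default
    keyid: Optional[int]   # PKCS#15 key id on the card, None = pluto's default


def parse_smartcard_ref(token: str) -> Optional[SmartcardRef]:
    """Parse a %smartcard reference; return None for a plain file name."""
    m = SMARTCARD_RE.match(token.strip())
    if not m:
        return None
    slot = int(m.group("slot")) if m.group("slot") is not None else None
    keyid = int(m.group("keyid"), 16) if m.group("keyid") is not None else None
    return SmartcardRef(slot, keyid)


def leftcert_from_conf(conf: str) -> Optional[str]:
    """Return the leftcert= value of an ipsec.conf fragment, comments stripped."""
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("leftcert="):
            return line[len("leftcert="):].strip()
    return None


def pin_ref_from_secrets(secrets: str) -> Optional[str]:
    """Return the smartcard reference of a ': PIN <ref> <pin|%prompt>' line."""
    for line in secrets.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 3 and parts[0] == ":" and parts[1] == "PIN":
            return parts[2]
    return None


def diagnose(conf: str, secrets: str, pluto_log: str) -> dict:
    """Correlate %smartcard references with pluto's startup log."""
    cert = leftcert_from_conf(conf)
    pin_ref = pin_ref_from_secrets(secrets)
    refs = [r for r in (cert, pin_ref) if r and parse_smartcard_ref(r)]
    lines = pluto_log.splitlines()
    # pluto treating the token as a path means it never parsed %smartcard
    treated_as_file = any("could not open host cert file" in l and "%smartcard" in l
                          for l in lines)
    secrets_rejected = any("Smartcard not supported" in l for l in lines)
    return {
        "leftcert": cert,
        "pin_ref": pin_ref,
        "token_treated_as_filename": treated_as_file,
        "secrets_rejected": secrets_rejected,
        # both symptoms point at a pluto binary built without smartcard support
        "build_lacks_smartcard": bool(refs) and (treated_as_file or secrets_rejected),
    }


# Sample input taken from the post above (trimmed).
SAMPLE_CONF = """\
\tauthby=rsasig                    # use RSA based authentication with certificates
\tleftcert=%smartcard0:46          # [Have also tried %smartcard, %smartcard0:45]
\tright=70.10.10.10                # Remote information
"""
SAMPLE_SECRETS = ": PIN %smartcard0:46 %prompt\n"
SAMPLE_LOG = """\
Oct 28 16:51:15 localhost pluto[17594]:   could not open host cert file '/etc/ipsec.d/certs/%smartcard0:46'
Oct 28 16:51:15 localhost pluto[17594]: added connection description "roadwarrior"
Oct 28 16:51:15 localhost pluto[17594]: "/etc/ipsec.secrets" line 8: Smartcard not supported
"""

if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_CONF, SAMPLE_SECRETS, SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the quoted log the result reports `build_lacks_smartcard: True`; a pluto with smartcard support compiled in would never log the `%smartcard` token as a file path, so a `False` here would point at the reader, the card or the key id rather than the build.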