[Openswan Users] Asking or verifying pin for smart card without ipsec secrets?

Kimmo Koivisto kimmo.koivisto at surfeu.fi
Wed Jan 11 23:23:52 CET 2006


I have openswan openswan-2.4.4 in my Fedora Core 5t1 box, smart card support 
compiled into it. Opensc is 0.10.

Connections and smart card works fine and I use bash script for opening 
tunnels. All tunnels have %smartcard as cert and auto=add.

My script does the following:
1. it tests that card is inserted (opensc -n) , if not I use kdialog to ask 
for card
2. it uses "ipsec secrets" which asks for the pin, I insert my pin to the 
console window
3. script opens all tunnels with ipsec auto --up connection-name, looping 
through all tunnels

I would like to improve my script so that I could ask pin with "kdialog 
--password" add feed the pin to the card, with "ipsec secrets" or with some 
other method
Q: Any ideas how to do this, I did not find any --stdin or similar options for 
"ipsec secrets" and I don't know how to "verify" pin with opensc.

Q: How to list configured connection names, so that those can be used with 
ipsec auto --up. Currently I have done it so that all connections have prefix 
tunneli and postfix number (example tunneli1, tunneli2, tunneli3) and I use
TUNNELS=`ipsec auto --status | grep tunneli | cut -f 2 -d "\"" | sort | uniq | 
wc -l`
while there are tunnels left $TUNNELS do
ipsec auto --up tunneli$TUNNEL
and this is quite ugly. 

Q: Is there any way to just start all tunnels without starting every one 
separately. Using auto=start is not what I want, because pin code and card 
might not be available until user decides to use connections.

Kimmo Koivisto 

More information about the Users mailing list