[Openswan Users]

Paul Wouters paul at xelerance.com
Thu Jan 12 02:27:30 CET 2006

On Wed, 11 Jan 2006, Kimmo Koivisto wrote:

> I have openswan openswan-2.4.4 in my Fedora Core 5t1 box, smart card support
> compiled into it. Opensc is 0.10.
> Connections and smart card works fine and I use bash script for opening
> tunnels. All tunnels have %smartcard as cert and auto=add.

It would be great if you could write up a quick README.smartcards file for
inclusion in the openswan-2/docs directory.

> My script does the following:
> 1. it tests that card is inserted (opensc -n) , if not I use kdialog to ask
> for card
> 2. it uses "ipsec secrets" which asks for the pin, I insert my pin to the
> console window
> 3. script opens all tunnels with ipsec auto --up connection-name, looping
> through all tunnels


> I would like to improve my script so that I could ask pin with "kdialog
> --password" add feed the pin to the card, with "ipsec secrets" or with some
> other method
> Q: Any ideas how to do this, I did not find any --stdin or similar options for
> "ipsec secrets" and I don't know how to "verify" pin with opensc.

There is not. The whole point is that the pin is never stored. You could work
around it using /usr/bin/expect.

> Q: How to list configured connection names, so that those can be used with
> ipsec auto --up. Currently I have done it so that all connections have prefix
> tunneli and postfix number (example tunneli1, tunneli2, tunneli3) and I use
> <script>

Unfortunately, you will have to go through 'ipsec auto --status'. Showing the
active connections in a much more readable and parable way is on our todo list.

> TUNNELS=`ipsec auto --status | grep tunneli | cut -f 2 -d "\"" | sort | uniq |
> wc -l`
> while there are tunnels left $TUNNELS do
> ipsec auto --up tunneli$TUNNEL
> done
> </script>
> and this is quite ugly.

My apologies for that :)

> Q: Is there any way to just start all tunnels without starting every one
> separately. Using auto=start is not what I want, because pin code and card
> might not be available until user decides to use connections.

No there isn't at this point.


More information about the Users mailing list