Using an Aladdin eToken as Certificate Store
This document tries to describe how to use a certificate and key stored on an Aladdin eToken to set up a Strongswan tunnel. I have successfully run this setup on Ubuntu Jaunty.
Parts of this document are based on the Smartcard Howto.
Hardware
This setup has been tested with the following hardware:
root:~# lsusb
..
Bus 001 Device 005: ID 0529:0600 Aladdin Knowledge Systems eToken Pro 64k (4.2)
..
Preparation
Aladdin PKI Client
Install the required packages for the Aladdin PKI client and Strongswan:
aptitude install libqt4-core libqt4-gui pcscd opensc strongswan
To access the token with the help of pkcs11-tool you need the Aladdin PKCS#11 library, which is installed with the PKI client:
cd /tmp/
wget http://www.aladdin.ru/upload/iblock/55b/etokenpkiclientlinux50sp1_2009-08-18.zip
mkdir pkiclient
cd pkiclient
unzip ../etokenpkiclientlinux50sp1_2009-08-18.zip
dpkg -i Ubuntu/Deb\ installation/pkiclient-5.00.59-0_i386.deb
Afterwards you should find an eToken menu in Applications. Running eToken Properties, you should now be able to access the token.
pkcs11-tool
Running:
pkcs11-tool --module /usr/lib/libeTPkcs11.so --slot 0 --login --list-objects
might ask you for the token password and should show at least one Private Key and one Certificate object.
Strongswan Configuration
The most important steps for the Strongswan Configuration:
- add the parameter
pkcs11module=/usr/lib/libeTPkcs11.so
to your config section so that Strongswan uses the Aladdin library to access the token.
- add the parameter
leftcert=%smartcard
to your connection section so that Strongswan uses the cert stored on the token.
- after these changes, reload Strongswan and run
ipsec listcards
which should show at least one Smartcard Object.
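Put together, the two files look like this (an added example in strongSwan 4.x ipsec.conf syntax, not taken from the original page; the connection name, the peer address vpn.example.com and the subnet are placeholders, and the PIN entry in ipsec.secrets is the usual way of supplying the token password to Strongswan):

```ini
# /etc/ipsec.conf
config setup
        # Aladdin PKCS#11 library from the PKI client; Strongswan loads it to reach the token
        pkcs11module=/usr/lib/libeTPkcs11.so

conn etoken-vpn
        left=%defaultroute
        # use the certificate (and matching private key) stored on the eToken
        leftcert=%smartcard
        right=vpn.example.com          # placeholder: the gateway address
        rightsubnet=10.0.0.0/16        # placeholder: network behind the gateway
        rightid="C=CH, O=Example, CN=vpn.example.com"   # placeholder: gateway cert DN
        auto=add

# /etc/ipsec.secrets
# PIN for the token; %prompt asks for it interactively instead of storing it on disk
: PIN %smartcard %prompt
```

With the PIN stored as a literal string instead of %prompt, keep ipsec.secrets readable by root only, since it then unlocks the private key on the token.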
More details about the smartcard configuration in general can be found in the Smartcard Howto.