From: lrayssiguier on
Hello,

I must make an OpenVPN connection with an eToken and I'm a newbie on eTokens...
In fact, it's the first time I've used this hardware.

I work on Centos 5.4
I use Aladdin eToken NG-FLASH and I have installed rpm for libraries and
utilities from Aladdin.

I have set up the eToken with password protection and I have installed
OpenVPN 2.1.1 (see below)

[root(a)centos ~]# openvpn --version
OpenVPN 2.1.1 i386-redhat-linux [SSL] [LZO2] [EPOLL] [PKCS11] built on
Jan 11 2010
Originally developed by James Yonan
Copyright (C) 2002-2009 OpenVPN Technologies, Inc. <sales(a)openvpn.net>

When I try the command "openvpn --show-pkcs11-ids /usr/lib/libeTPkcs11.so" I
get this message:

The following objects are available for use.
Each object shown below may be used as parameter to
--pkcs11-id option please remember to use single quote mark.

Certificate
DN: /C=FR/ST=Midi Pyrenees/L=Toulouse/O=CAPLASER/CN=client1/emailAddress=bidon(a)caplaser.fr
Serial: 02
Serialized id: Aladdin\x20Ltd\x2E/eToken/003d2771/eToken3/43313733414334453844363944383436

So openvpn can list token certificates...

In my VPNclient.conf I have these lines:

ca ca.crt
# Works fine with files on openvpn directory
#cert client1.crt
#key client1.key

pkcs11-providers "/usr/lib/libeTPkcs11.so"
# First test
# pkcs11-id "/CN=client1/emailAddress=bidon(a)caplaser.fr"
pkcs11-id "Aladdin\\x20Ltd\\x2E/eToken/003d2771/eToken3/43313733414334453844363944383436"

When I try to start the OpenVPN connection I see these messages in the logs.

[root(a)centos ~]# /etc/init.d/openvpn start
Démarrage de openvpn : [ OK ]
[root(a)centos ~]# tail /var/log/messages
Jan 12 13:16:53 centos openvpn[8040]: VERIFY OK: depth=1, /C=FR/ST=Midi_Pyrenees/L=Toulouse/O=CAPLASER/OU=Service_Informatique/CN=CAPLASER_CA/emailAddress=bidon(a)caplaser.fr
Jan 12 13:16:53 centos openvpn[8040]: VERIFY OK: nsCertType=SERVER
Jan 12 13:16:53 centos openvpn[8040]: VERIFY OK: depth=0, /C=FR/ST=Midi_Pyrenees/L=Toulouse/O=CAPLASER/CN=openvpn.caplaser.fr/emailAddress=bidon(a)caplaser.fr
Jan 12 13:16:53 centos openvpn[8040]: PKCS#11: Cannot perform signature 1:'CKR_CANCEL'
Jan 12 13:16:53 centos openvpn[8040]: TLS_ERROR: BIO read tls_read_plaintext error: error:14099004:SSL routines:SSL3_SEND_CLIENT_VERIFY:RSA lib
Jan 12 13:16:53 centos openvpn[8040]: TLS Error: TLS object -> incoming plaintext read error
Jan 12 13:16:53 centos openvpn[8040]: TLS Error: TLS handshake failed
Jan 12 13:16:53 centos openvpn[8040]: TCP/UDP: Closing socket
Jan 12 13:16:53 centos openvpn[8040]: SIGUSR1[soft,tls-error] received, process restarting
Jan 12 13:16:53 centos openvpn[8040]: Restart pause, 2 second(s)

I can't send the password to read the eToken, so that can be a reason, but I
can't understand how I can do that :-(

Please help!! :-)

Regards

Laurent
From: lrayssiguier on
In article <MPG.25b67943896039f7989680(a)news.free.fr>,
l.rayssiguier(a)free.fr says...
> [root(a)centos ~]# /etc/init.d/openvpn start
I have found that if I launch the command openvpn --config
/etc/openvpn/VPNclient.conf directly, the password is required and the
tunnel comes up when I give the right password.

The problem is the script which "daemonizes" the process, so the password
can't be asked for.

Do you have any hint on how to ask for it even if I use the openvpn script?
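An added example, not part of the thread: a Python helper that parses the --show-pkcs11-ids listing quoted in the first post into a correctly quoted pkcs11-id directive (inside single quotes an OpenVPN config file does no escaping, inside double quotes every backslash must be doubled, as in Laurent's config), decodes the \xHH escapes in the serialized id, and flags the 'CKR_CANCEL' log line that the second post traces to the PIN prompt being impossible under the daemonising init script. The listing and log lines are constructed from the output quoted in the posts; the function names are my own.

```python
import re

# Constructed sample: the listing printed by "openvpn --show-pkcs11-ids <provider>"
# in the format quoted in the first post (the mail client had wrapped the long lines).
SAMPLE_LISTING = """\
The following objects are available for use.
Each object shown below may be used as parameter to
--pkcs11-id option please remember to use single quote mark.

Certificate
DN: /C=FR/ST=Midi Pyrenees/L=Toulouse/O=CAPLASER/CN=client1/emailAddress=bidon@caplaser.fr
Serial: 02
Serialized id: Aladdin\\x20Ltd\\x2E/eToken/003d2771/eToken3/43313733414334453844363944383436
"""

def parse_pkcs11_ids(listing):
    """Split the listing into one dict per 'Certificate' block (keys: dn, serial, serialized_id)."""
    entries, current = [], None
    for raw in listing.splitlines():
        line = raw.strip()
        if line == "Certificate":
            current = {}
            entries.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            current[key.strip().lower().replace(" ", "_")] = value.strip()
    return entries

def decode_serialized_id(serialized_id):
    """Undo the backslash-xHH escaping the serializer applies to spaces, dots and similar."""
    return re.sub(r"\\x([0-9A-Fa-f]{2})",
                  lambda m: chr(int(m.group(1), 16)), serialized_id)

def pkcs11_id_config_line(serialized_id, double_quotes=False):
    """Render the pkcs11-id directive for a config file: no escaping inside single
    quotes; inside double quotes a backslash is an escape, so each one is doubled."""
    if double_quotes:
        return 'pkcs11-id "%s"' % serialized_id.replace("\\", "\\\\")
    return "pkcs11-id '%s'" % serialized_id

# The log line from the first post: the signature with the token key was cancelled,
# which is what the second post observes when no terminal is there to ask for the PIN.
PIN_CANCELLED = re.compile(r"PKCS#11: Cannot perform signature .*'CKR_CANCEL'")

def pin_prompt_cancelled(log_lines):
    """Return the first log line showing the PKCS#11 signature was cancelled, or None."""
    for line in log_lines:
        if PIN_CANCELLED.search(line):
            return line
    return None
```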