From: lrayssiguier on 12 Jan 2010 06:20

Hello,

I must do an OpenVPN connection with an eToken and I'm a newbie on eTokens... In fact it's the first time I use this hardware.

I work on CentOS 5.4. I use an Aladdin eToken NG-FLASH and I have installed the rpm for libraries and utilities from Aladdin. I have set up the eToken with password protection and I have installed OpenVPN 2.1.1 (see below):

    [root(a)centos ~]# openvpn --version
    OpenVPN 2.1.1 i386-redhat-linux [SSL] [LZO2] [EPOLL] [PKCS11] built on Jan 11 2010
    Originally developed by James Yonan
    Copyright (C) 2002-2009 OpenVPN Technologies, Inc. <sales(a)openvpn.net>

When I try the command "openvpn --show-pkcs11-ids /usr/lib/libeTPkcs11.so" I have this message:

    The following objects are available for use.
    Each object shown below may be used as parameter to
    --pkcs11-id option please remember to use single quote mark.

    Certificate
           DN:             /C=FR/ST=Midi Pyrenees/L=Toulouse/O=CAPLASER/CN=client1/emailAddress=bidon(a)caplaser.fr
           Serial:         02
           Serialized id:  Aladdin\x20Ltd \x2E/eToken/003d2771/eToken3/43313733414334453844363944383436

So openvpn can list the token certificates...

In my VPNclient.conf I have these lines:

    ca ca.crt
    # Works fine with files on openvpn directory
    #cert client1.crt
    #key client1.key
    pkcs11-providers "/usr/lib/libeTPkcs11.so"
    # First test
    # pkcs11-id "/CN=client1/emailAddress=bidon(a)caplaser.fr"
    pkcs11-id "Aladdin\\x20Ltd \\x2E/eToken/003d2771/eToken3/43313733414334453844363944383436"

When I try to start the OpenVPN connection I see these messages in the logs:

    [root(a)centos ~]# /etc/init.d/openvpn start
    Démarrage de openvpn :                                     [  OK  ]
    [root(a)centos ~]# tail /var/log/messages
    Jan 12 13:16:53 centos openvpn[8040]: VERIFY OK: depth=1, /C=FR/ST=Midi_Pyrenees/L=Toulouse/O=CAPLASER/OU=Service_Informatique/CN=CAPLASER_CA/emailAddress=bidon(a)caplaser.fr
    Jan 12 13:16:53 centos openvpn[8040]: VERIFY OK: nsCertType=SERVER
    Jan 12 13:16:53 centos openvpn[8040]: VERIFY OK: depth=0, /C=FR/ST=Midi_Pyrenees/L=Toulouse/O=CAPLASER/CN=openvpn.caplaser.fr/emailAddress=bidon(a)caplaser.fr
    Jan 12 13:16:53 centos openvpn[8040]: PKCS#11: Cannot perform signature 1:'CKR_CANCEL'
    Jan 12 13:16:53 centos openvpn[8040]: TLS_ERROR: BIO read tls_read_plaintext error: error:14099004:SSL routines:SSL3_SEND_CLIENT_VERIFY:RSA lib
    Jan 12 13:16:53 centos openvpn[8040]: TLS Error: TLS object -> incoming plaintext read error
    Jan 12 13:16:53 centos openvpn[8040]: TLS Error: TLS handshake failed
    Jan 12 13:16:53 centos openvpn[8040]: TCP/UDP: Closing socket
    Jan 12 13:16:53 centos openvpn[8040]: SIGUSR1[soft,tls-error] received, process restarting
    Jan 12 13:16:53 centos openvpn[8040]: Restart pause, 2 second(s)

I can't send the password to read the eToken, so it can be a reason, but I can't understand how I can do that :-(

Please help!! :-)

Regards
Laurent
From: lrayssiguier on 12 Jan 2010 09:29
In article <MPG.25b67943896039f7989680(a)news.free.fr>, l.rayssiguier(a)free.fr says...

> [root(a)centos ~]# /etc/init.d/openvpn start

I have found that if I launch the command openvpn --config /etc/openvpn/VPNclient.conf directly, the password is required and the tunnel comes up when I give the right password. The problem is the script which "daemonizes" the process, and the password can't be asked. Have you some hint to ask it even if I use the openvpn script?
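The failure described in this thread is a daemonized OpenVPN with no terminal to prompt on: the PKCS#11 provider never receives the token PIN, the signature call is cancelled (CKR_CANCEL) and the TLS client verify fails. One way to keep the PIN out of the daemon's config file and still supply it to a background process is OpenVPN's management interface: start the daemon with `management 127.0.0.1 7505` and `management-query-passwords`, and have a separate, root-only helper answer the `>PASSWORD:Need '...' password` query on the loopback socket. The helper below is an added example written for this thread, not code from the original poster or from the OpenVPN project. It assumes the management interface is bound to loopback on port 7505 and that the PIN is read from a root-only file (`/etc/openvpn/token.pin` is a placeholder); the credential name OpenVPN uses when asking for a token PIN is deliberately not hard-coded, the helper echoes back whatever name appears in the prompt. The constructed sample lines in the comments follow the `>PASSWORD:` format documented in OpenVPN's management-notes.

```python
"""Answer OpenVPN management-interface password queries for a daemonized client.

Assumed client config (added for this example):
    management 127.0.0.1 7505
    management-query-passwords
Then start the daemon (e.g. from the init script) and run this helper as root.
"""
import re
import socket

# Constructed samples of the lines the management interface emits when it
# needs a credential; the name inside the quotes is chosen by OpenVPN:
#   >PASSWORD:Need 'Private Key' password
#   >PASSWORD:Need 'Auth' username/password
#   >PASSWORD:Verification Failed: 'Private Key'
_NEED_RE = re.compile(r"^>PASSWORD:Need '([^']+)' (password|username/password)$")
_FAIL_RE = re.compile(r"^>PASSWORD:Verification Failed: '([^']+)'$")

PIN_FILE = "/etc/openvpn/token.pin"   # placeholder path, root-only (mode 0600)


def parse_password_request(line):
    """Return (credential_name, needs_username) for a Need line, else None."""
    m = _NEED_RE.match(line.strip())
    if not m:
        return None
    return m.group(1), m.group(2) == "username/password"


def parse_verification_failure(line):
    """Return the credential name from a Verification Failed line, else None."""
    m = _FAIL_RE.match(line.strip())
    return m.group(1) if m else None


def quote_management(value):
    """Quote a value for the management protocol: backslash and double quote
    are escaped with a backslash, and the whole value is double-quoted."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def password_reply(cred_name, secret):
    """Build the reply line:  password "<name>" "<secret>" """
    return "password %s %s" % (quote_management(cred_name), quote_management(secret))


def read_pin(path=PIN_FILE):
    """Read the PIN from a root-only file; one line, trailing newline stripped."""
    with open(path) as f:
        return f.readline().rstrip("\r\n")


def answer_password_queries(host, port, secret_for, timeout=60):
    """Connect to the management socket and answer every password query with
    secret_for(credential_name). Stops on a verification failure so a wrong PIN
    is never retried blindly (tokens lock after a few bad attempts).
    Returns the list of credential names that were answered."""
    answered = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rw", encoding="utf-8", newline="\n")
        for line in f:
            if parse_verification_failure(line):
                break
            req = parse_password_request(line)
            if req is None:
                continue           # >INFO, >STATE, >HOLD etc. are ignored here
            cred_name, _needs_user = req
            f.write(password_reply(cred_name, secret_for(cred_name)) + "\n")
            f.flush()
            answered.append(cred_name)
            break                  # one PIN per run; re-run on reconnect
    return answered


if __name__ == "__main__":
    # Never log the secret itself; only which credential was supplied.
    print("answered:", answer_password_queries("127.0.0.1", 7505, lambda _n: read_pin()))
```

Binding the management port to 127.0.0.1 keeps the PIN off the wire, but any local process that can reach the port can talk to the daemon, so treat the socket as privileged; the helper refuses to retry after a `Verification Failed` line because most hardware tokens lock themselves after a small number of wrong PINs.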