public inbox for gentoo-user-ru@lists.gentoo.org
From: "Марьясин Семён" <MarSoft@ya.ru>
To: gentoo-user-ru@lists.gentoo.org
Subject: [gentoo-user-ru] Re: [gentoo-user-ru] Cisco VPN Client does not see the certificate
Date: Thu, 12 Feb 2009 10:07:19 +0300
Message-ID: <124861234422439@webmail89.yandex.ru>
In-Reply-To: <E1LXG0M-000Oya-00.kav1979-mail-ru@f224.mail.ru>

Maybe poke around with the CertStore parameter?
After all, it is trying to look for the certificate in "Microsoft User Certificate", which is unlikely to exist under Linux...

> 
> Hi all!
> 
> I need to access my organization's internal network over the Internet via VPN.
> Cisco VPN Client is used as the client.
> A smartcard is used for authentication, and after the certificate on the card has been verified you also have to enter a domain login and password.
> From Windows machines everything works.
> But from Linux it does not work :(
> 
> pcscd sees the smartcard in the USB card reader; the output of pcsc_scan is in the attachment pcsc_scan.out.
> 
> But Cisco VPN Client for Linux produces errors (see attachment vpnlog.txt).
> 
> I took the Cisco VPN Client settings from a working client on Windows (see attachment vpnc.pcf).
> 
> I understand that the client cannot find the certificate on my smartcard, but I do not know how to correctly specify the path to the certificate in the VPN client config :(
> I have searched the whole Internet - found nothing :(
> Please advise how to tell the VPN client where to look for my certificate, or give me a link where I can read about how paths to certificates on smartcards are specified in Linux.
> 
> When I look at the info on my certificate on the card in Windows, the certification path looks like this:
> Root Organization
> |_Enterprise Organization
>   |_Login
> 
> Thanks!
> 
> [main]
> Description=
> Host=gate-server.ru
> AuthType=3
> GroupName=
> GroupPwd=
> enc_GroupPwd=
> EnableISPConnect=0
> ISPConnectType=0
> ISPConnect=
> ISPPhonebook=
> ISPCommand=
> Username=domain\login
> SaveUserPassword=0
> UserPassword=
> enc_UserPassword=
> NTDomain=
> EnableBackup=1
> BackupServer=backup-server-1,backup-server-2
> EnableMSLogon=1
> MSLogonType=0
> EnableNat=1
> TunnelingMode=0
> TcpTunnelingPort=10000
> CertStore=2
> CertName=Login
> CertPath=
> CertSubjectName=e=Login@post-server.ru,cn=Login,ou=Workers,dc=organization,dc=ru
> CertSerialHash=
> SendCertChain=0
> PeerTimeout=90
> EnableLocalLAN=0
> 
> Cisco Systems VPN Client Version 4.8.02 (0030)
> 
> Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
> 
> Client Type(s): Linux
> 
> Running on: Linux 2.6.24-23-generic #1 SMP Mon Jan 26 00:13:11 UTC 2009 i686
> 
> Config file directory: /etc/opt/cisco-vpnclient
> 
> 
> 1      16:13:42.472  02/11/2009  Sev=Warning/3	CLI/0x83900004
> 
> Unable to purge old log files. Function returned -1.
> 
> 
> 2      16:13:42.494  02/11/2009  Sev=Info/4	CVPND/0x4340001F
> 
> Privilege Separation: restoring MTU on primary interface.
> 
> 
> 3      16:13:42.494  02/11/2009  Sev=Info/4	CVPND/0x4340000F
> 
> Started cvpnd:
> 
> Cisco Systems VPN Client Version 4.8.02 (0030)
> 
> Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
> 
> Client Type(s): Linux
> 
> Running on: Linux 2.6.24-23-generic #1 SMP Mon Jan 26 00:13:11 UTC 2009 i686
> 
> 
> 4      16:13:43.474  02/11/2009  Sev=Info/4	CLI/0x43900002
> 
> Started vpnclient:
> 
> Cisco Systems VPN Client Version 4.8.02 (0030)
> 
> Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
> 
> Client Type(s): Linux
> 
> Running on: Linux 2.6.24-23-generic #1 SMP Mon Jan 26 00:13:11 UTC 2009 i686
> 
> 
> 5      16:13:48.149  02/11/2009  Sev=Info/4	CM/0x43100002
> 
> Begin connection process
> 
> 
> 6      16:13:48.150  02/11/2009  Sev=Info/4	CM/0x43100004
> 
> Establish secure connection
> 
> 
> 7      16:13:48.150  02/11/2009  Sev=Info/4	CM/0x43100024
> 
> Attempt connection with server "gate-server.ru"
> 
> 
> 8      16:13:49.019  02/11/2009  Sev=Info/4	CVPND/0x43400019
> 
> Privilege Separation: binding to port: (0).
> 
> 
> 9      16:13:49.019  02/11/2009  Sev=Info/4	CVPND/0x43400019
> 
> Privilege Separation: binding to port: (0).
> 
> 
> 10     16:13:49.019  02/11/2009  Sev=Info/6	IKE/0x4300003B
> 
> Attempting to establish a connection with backup-server-1.
> 
> 
> 11     16:13:49.020  02/11/2009  Sev=Warning/2	CERT/0x83600009
> 
> Could not load certificate e=Login@post-server.ru,cn=Login,ou=Workers,dc=organization,dc=ru from store Microsoft User Certificate. Reason: store empty
> 
> 
> 12     16:13:49.020  02/11/2009  Sev=Warning/2	CERT/0x83600004
> 
> If you are using a smartcard or token containing a certificate, verify that it is plugged in and try again.
> 
> 
> 13     16:13:49.020  02/11/2009  Sev=Warning/2	IKE/0xC3000008
> 
> Unable to open certificate (e=Login@post-server.ru,cn=Login,ou=Workers,dc=organization,dc=ru).
> 
> If you are using a smartcard or token containing a certificate, verify the correct one is plugged in and try again.
> 
> 
> 14     16:13:49.020  02/11/2009  Sev=Warning/2	IKE/0xC300009B
> 
> Failed to open my certificate (Connection:240)
> 
> 
> 15     16:13:49.020  02/11/2009  Sev=Warning/2	IKE/0xC300009A
> 
> Failed to set up connection data
> 
> 
> 16     16:13:49.020  02/11/2009  Sev=Info/4	CM/0x4310001C
> 
> Unable to contact server "gate-server.ru"
> 
> 
> 17     16:13:49.020  02/11/2009  Sev=Info/4	CM/0x43100024
> 
> Attempt connection with server "backup-server-2"
> 
> 
> 18     16:13:49.020  02/11/2009  Sev=Info/4	CVPND/0x43400019
> 
> Privilege Separation: binding to port: (0).
> 
> 
> 19     16:13:49.021  02/11/2009  Sev=Info/4	CVPND/0x43400019
> 
> Privilege Separation: binding to port: (0).
> 
> 
> 20     16:13:49.021  02/11/2009  Sev=Info/6	IKE/0x4300003B
> 
> Attempting to establish a connection with backup-server-2.
> 
> 
> 21     16:13:49.021  02/11/2009  Sev=Warning/2	CERT/0x83600009
> 
> Could not load certificate e=Login@post-server.ru,cn=Login,ou=Workers,dc=organization,dc=ru from store Microsoft User Certificate. Reason: store empty
> 
> 
> 22     16:13:49.021  02/11/2009  Sev=Warning/2	CERT/0x83600004
> 
> If you are using a smartcard or token containing a certificate, verify that it is plugged in and try again.
> 
> 
> 23     16:13:49.021  02/11/2009  Sev=Warning/2	IKE/0xC3000008
> 
> Unable to open certificate (e=Login@post-server.ru,cn=Login,ou=Workers,dc=organization,dc=ru).
> 
> If you are using a smartcard or token containing a certificate, verify the correct one is plugged in and try again.
> 
> 
> 24     16:13:49.021  02/11/2009  Sev=Warning/2	IKE/0xC300009B
> 
> Failed to open my certificate (Connection:240)
> 
> 
> 25     16:13:49.021  02/11/2009  Sev=Warning/2	IKE/0xC300009A
> 
> Failed to set up connection data
> 
> 
> 26     16:13:49.021  02/11/2009  Sev=Info/4	CM/0x4310001C
> 
> Unable to contact server "backup-server-2"
> 
> 
> 27     16:13:49.021  02/11/2009  Sev=Info/4	CM/0x43100024
> 
> Attempt connection with server "backup-server-1"
> 
> 
> 28     16:13:49.021  02/11/2009  Sev=Info/4	CVPND/0x43400019
> 
> Privilege Separation: binding to port: (0).
> 
> 
> 29     16:13:49.022  02/11/2009  Sev=Info/4	CVPND/0x43400019
> 
> Privilege Separation: binding to port: (0).
> 
> 
> 30     16:13:49.022  02/11/2009  Sev=Info/6	IKE/0x4300003B
> 
> Attempting to establish a connection with backup-server-1.
> 
> 
> 31     16:13:49.022  02/11/2009  Sev=Warning/2	CERT/0x83600009
> 
> Could not load certificate e=Login@post-server.ru,cn=Login,ou=Workers,dc=organization,dc=ru from store Microsoft User Certificate. Reason: store empty
> 
> 
> 32     16:13:49.022  02/11/2009  Sev=Warning/2	CERT/0x83600004
> 
> If you are using a smartcard or token containing a certificate, verify that it is plugged in and try again.
> 
> 
> 33     16:13:49.022  02/11/2009  Sev=Warning/2	IKE/0xC3000008
> 
> Unable to open certificate (e=Login@post-server.ru,cn=Login,ou=Workers,dc=organization,dc=ru).
> 
> If you are using a smartcard or token containing a certificate, verify the correct one is plugged in and try again.
> 
> 
> 34     16:13:49.022  02/11/2009  Sev=Warning/2	IKE/0xC300009B
> 
> Failed to open my certificate (Connection:240)
> 
> 
> 35     16:13:49.022  02/11/2009  Sev=Warning/2	IKE/0xC300009A
> 
> Failed to set up connection data
> 
> 
> 36     16:13:49.022  02/11/2009  Sev=Info/4	CM/0x4310001C
> 
> Unable to contact server "backup-server-1"
> 
> 
> 37     16:13:49.022  02/11/2009  Sev=Info/4	CM/0x4310000C
> 
> All connection attempts with backup server failed
> 
> 
> 38     16:13:49.022  02/11/2009  Sev=Info/5	CM/0x43100025
> 
> Initializing CVPNDrv
> 
> 
> 39     16:13:49.022  02/11/2009  Sev=Info/4	CVPND/0x4340001F
> 
> Privilege Separation: restoring MTU on primary interface.
> 
> 
> 40     16:13:49.022  02/11/2009  Sev=Info/4	IKE/0x43000001
> 
> IKE received signal to terminate VPN connection
> 
> 
> 41     16:13:49.023  02/11/2009  Sev=Info/4	IPSEC/0x43700008
> 
> IPSec driver successfully started
> 
> 
> 42     16:13:49.023  02/11/2009  Sev=Info/4	IPSEC/0x43700014
> 
> Deleted all keys
> 
> 
> 43     16:13:49.023  02/11/2009  Sev=Info/4	IPSEC/0x43700014
> 
> Deleted all keys
> 
> 
> 44     16:13:49.023  02/11/2009  Sev=Info/4	IPSEC/0x43700014
> 
> Deleted all keys
> 
> 
> 45     16:13:49.023  02/11/2009  Sev=Info/4	IPSEC/0x43700014
> 
> Deleted all keys
> 
> 
> 46     16:13:49.023  02/11/2009  Sev=Info/4	IPSEC/0x4370000A
> 
> IPSec driver successfully stopped
> 
> 
> 47     16:13:52.021  02/11/2009  Sev=Info/4	CVPND/0x4340000C
> 
> Stopped service:
> 
> 
> 48     16:13:52.022  02/11/2009  Sev=Info/4	CVPND/0x4340001F
> 
> Privilege Separation: restoring MTU on primary interface.
> 
> PC/SC device scanner
> V 1.4.11 (c) 2001-2007, Ludovic Rousseau <ludovic.rousseau@free.fr>
> Compiled with PC/SC lite version: 1.4.4
> Scanning present readers
> 0: AseIIIeUSB 00 00
> 
> Wed Feb 11 16:01:02 2009
>  Reader 0: AseIIIeUSB 00 00
>   Card state: Card inserted, 
>   ATR: 3B D6 18 00 81 B1 80 7D 1F 03 80 51 00 61 10 30 8F
> 
> ATR: 3B D6 18 00 81 B1 80 7D 1F 03 80 51 00 61 10 30 8F
> + TS = 3B --> Direct Convention
> + T0 = D6, Y(1): 1101, K: 6 (historical bytes)
>   TA(1) = 18 --> Fi=372, Di=12, 31 cycles/ETU (115200 bits/s at 3.57 MHz)
>   TC(1) = 00 --> Extra guard time: 0
>   TD(1) = 81 --> Y(i+1) = 1000, Protocol T = 1 
> -----
>   TD(2) = B1 --> Y(i+1) = 1011, Protocol T = 1 
> -----
>   TA(3) = 80 --> IFSC: 128
>   TB(3) = 7D --> Block Waiting Integer: 7 - Character Waiting Integer: 13
>   TD(3) = 1F --> Y(i+1) = 0001, Protocol T = 15 - Global interface bytes following 
> -----
>   TA(4) = 03 --> Clock stop: not supported - Class accepted by the card: (3G) A 5V B 3V 
> + Historical bytes: 80 51 00 61 10 30
>   Category indicator byte: 80 (compact TLV data object)
>     Tag: 5, len: 1 (card issuer's data)
>       Card issuer data: 00
>     Tag: 6, len: 1 (pre-issuing data)
>       Data: 10
>     Tag: 3, len: 0 (card service data byte)
>       Error in the ATR: expecting 1 byte and got 0
> + TCK = 8F (correct checksum)
> 
> Possibly identified card (using /usr/share/pcsc/smartcard_list.txt):
> 3B D6 18 00 81 B1 80 7D 1F 03 80 51 00 61 10 30 8F
> 	ASECard Crypto, http://www.athena-scs.com/product.asp?pid=8
> 
> 

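As an added example (not from this thread, and not Cisco's code), here is a Python triage script that parses Cisco VPN Client log entries in the format quoted above, extracts the CERT store-lookup warnings, and cross-checks the subject and store they name against the [main] section of the .pcf. The sample log and .pcf are constructed from the quoted attachments; no meaning is assumed for individual CertStore values, the script only reports which store the client searched for which subject.

```python
import configparser
import re
# Constructed sample input, abridged from the vpnlog.txt and vpnc.pcf quoted in this thread.
SAMPLE_LOG = """\
11     16:13:49.020  02/11/2009  Sev=Warning/2\tCERT/0x83600009

Could not load certificate e=Login@post-server.ru,cn=Login,ou=Workers,dc=organization,dc=ru from store Microsoft User Certificate. Reason: store empty
13     16:13:49.020  02/11/2009  Sev=Warning/2\tIKE/0xC3000008

Unable to open certificate (e=Login@post-server.ru,cn=Login,ou=Workers,dc=organization,dc=ru).
"""
SAMPLE_PCF = """\
[main]
CertStore=2
CertSubjectName=e=Login@post-server.ru,cn=Login,ou=Workers,dc=organization,dc=ru
"""
# Entry header: seq, time, date, Sev=<severity>/<level>, <module>/<hex code>; message lines follow.
ENTRY_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+Sev=(\w+)/(\d)\s+(\w+)/(0x[0-9A-Fa-f]+)\s*$")
STORE_RE = re.compile(r"Could not load certificate (?P<subject>.+?) from store (?P<store>.+?)\. Reason: (?P<reason>.+)$")

def parse_log(text):
    """Split a client log into entries: a header line followed by one or more message lines."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"severity": m[4], "module": m[6], "code": m[7], "message": ""})
        elif line.strip() and entries:  # blank lines after a header are skipped
            entries[-1]["message"] = (entries[-1]["message"] + " " + line.strip()).strip()
    return entries

def cert_store_failures(entries):
    """(subject, store, reason) for every CERT warning about a failed store lookup."""
    hits = [STORE_RE.search(e["message"]) for e in entries
            if e["module"] == "CERT" and e["severity"] == "Warning"]
    return [(m["subject"], m["store"], m["reason"]) for m in hits if m]

def diagnose(log_text, pcf_text):
    """Cross-check the store named in the log against the [main] section of the .pcf."""
    cp = configparser.ConfigParser(interpolation=None)  # .pcf values are literal, no '%' expansion
    cp.read_string(pcf_text)
    main = cp["main"]
    findings = []
    for subject, store, reason in cert_store_failures(parse_log(log_text)):
        if subject != main.get("CertSubjectName", ""):
            findings.append(f"log subject {subject!r} differs from CertSubjectName in the .pcf")
        else:  # the subject is right; the store selected by CertStore just does not hold it
            findings.append(f"store '{store}' (CertStore={main.get('CertStore')}) has no certificate for the configured subject: {reason}")
    return findings
```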
Thread overview: 3+ messages
2009-02-11 14:23 [gentoo-user-ru] Cisco VPN Client does not see the certificate Alex
2009-02-12  7:07 ` Марьясин Семён [this message]
2009-02-12  8:49   ` Alex