From: "Марьясин Семён" <MarSoft@ya.ru>
To: gentoo-user-ru@lists.gentoo.org
Subject: [gentoo-user-ru] Re: [gentoo-user-ru] Cisco VPN Client does not see the certificate
Date: Thu, 12 Feb 2009 10:07:19 +0300
Message-ID: <124861234422439@webmail89.yandex.ru>
In-Reply-To: <E1LXG0M-000Oya-00.kav1979-mail-ru@f224.mail.ru>
Maybe poke at the CertStore parameter?
Because it is trying to look for the certificate in Microsoft User Certificate, which hardly exists under Linux...
>
> Hi all!
>
> I need to access my organization's internal network over the internet via VPN.
> The client used is Cisco VPN Client.
> Authentication uses a smart card, and after the certificate on the card has been verified you still have to enter a domain login and password.
> From Windows-like machines everything works.
> But from Linux it doesn't :(
>
> pcscd sees the smart card in the USB card reader, and what pcsc_scan prints is in the attachment pcsc_scan.out.
>
> But Cisco VPN Client for Linux produces errors (see attachment vpnlog.txt).
>
> I took the Cisco VPN Client settings from a working client on Windows (see attachment vpnc.pcf).
>
> I understand that the client cannot find the certificate on my smart card, but I don't know how to correctly specify the path to the certificate in the VPN client config :(
> I've searched the whole internet and found nothing :(
> Please tell me how to explain to the VPN client where to look for my certificate, or throw me a link where I can read about how paths to certificates on smart cards are specified in Linux.
>
> When I view the info on my certificate on the card in Windows, the certification path looks like this:
> Root Organization
> |_Enterprise Organization
> |_Login
>
> Thanks!
>
> [main]
> Description=
> Host=gate-server.ru
> AuthType=3
> GroupName=
> GroupPwd=
> enc_GroupPwd=
> EnableISPConnect=0
> ISPConnectType=0
> ISPConnect=
> ISPPhonebook=
> ISPCommand=
> Username=domain\login
> SaveUserPassword=0
> UserPassword=
> enc_UserPassword=
> NTDomain=
> EnableBackup=1
> BackupServer=backup-server-1,backup-server-2
> EnableMSLogon=1
> MSLogonType=0
> EnableNat=1
> TunnelingMode=0
> TcpTunnelingPort=10000
> CertStore=2
> CertName=Login
> CertPath=
> CertSubjectName=e=Login@post-server.ru,cn=Login,ou=Workers,dc=organization,dc=ru
> CertSerialHash=
> SendCertChain=0
> PeerTimeout=90
> EnableLocalLAN=0
>
> Cisco Systems VPN Client Version 4.8.02 (0030)
> Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
> Client Type(s): Linux
> Running on: Linux 2.6.24-23-generic #1 SMP Mon Jan 26 00:13:11 UTC 2009 i686
> Config file directory: /etc/opt/cisco-vpnclient
>
> 1 16:13:42.472 02/11/2009 Sev=Warning/3 CLI/0x83900004
> Unable to purge old log files. Function returned -1.
>
> 2 16:13:42.494 02/11/2009 Sev=Info/4 CVPND/0x4340001F
> Privilege Separation: restoring MTU on primary interface.
>
> 3 16:13:42.494 02/11/2009 Sev=Info/4 CVPND/0x4340000F
> Started cvpnd:
> Cisco Systems VPN Client Version 4.8.02 (0030)
> Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
> Client Type(s): Linux
> Running on: Linux 2.6.24-23-generic #1 SMP Mon Jan 26 00:13:11 UTC 2009 i686
>
> 4 16:13:43.474 02/11/2009 Sev=Info/4 CLI/0x43900002
> Started vpnclient:
> Cisco Systems VPN Client Version 4.8.02 (0030)
> Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
> Client Type(s): Linux
> Running on: Linux 2.6.24-23-generic #1 SMP Mon Jan 26 00:13:11 UTC 2009 i686
>
> 5 16:13:48.149 02/11/2009 Sev=Info/4 CM/0x43100002
> Begin connection process
>
> 6 16:13:48.150 02/11/2009 Sev=Info/4 CM/0x43100004
> Establish secure connection
>
> 7 16:13:48.150 02/11/2009 Sev=Info/4 CM/0x43100024
> Attempt connection with server "gate-server.ru"
>
> 8 16:13:49.019 02/11/2009 Sev=Info/4 CVPND/0x43400019
> Privilege Separation: binding to port: (0).
>
> 9 16:13:49.019 02/11/2009 Sev=Info/4 CVPND/0x43400019
> Privilege Separation: binding to port: (0).
>
> 10 16:13:49.019 02/11/2009 Sev=Info/6 IKE/0x4300003B
> Attempting to establish a connection with backup-server-1.
>
> 11 16:13:49.020 02/11/2009 Sev=Warning/2 CERT/0x83600009
> Could not load certificate e=Login@post-server.ru,cn=Login,ou=Workers,dc=organization,dc=ru from store Microsoft User Certificate. Reason: store empty
>
> 12 16:13:49.020 02/11/2009 Sev=Warning/2 CERT/0x83600004
> If you are using a smartcard or token containing a certificate, verify that it is plugged in and try again.
>
> 13 16:13:49.020 02/11/2009 Sev=Warning/2 IKE/0xC3000008
> Unable to open certificate (e=Login@post-server.ru,cn=Login,ou=Workers,dc=organization,dc=ru).
> If you are using a smartcard or token containing a certificate, verify the correct one is plugged in and try again.
>
> 14 16:13:49.020 02/11/2009 Sev=Warning/2 IKE/0xC300009B
> Failed to open my certificate (Connection:240)
>
> 15 16:13:49.020 02/11/2009 Sev=Warning/2 IKE/0xC300009A
> Failed to set up connection data
>
> 16 16:13:49.020 02/11/2009 Sev=Info/4 CM/0x4310001C
> Unable to contact server "gate-server.ru"
>
> 17 16:13:49.020 02/11/2009 Sev=Info/4 CM/0x43100024
> Attempt connection with server "backup-server-2"
>
> 18 16:13:49.020 02/11/2009 Sev=Info/4 CVPND/0x43400019
> Privilege Separation: binding to port: (0).
>
> 19 16:13:49.021 02/11/2009 Sev=Info/4 CVPND/0x43400019
> Privilege Separation: binding to port: (0).
>
> 20 16:13:49.021 02/11/2009 Sev=Info/6 IKE/0x4300003B
> Attempting to establish a connection with backup-server-2.
>
> 21 16:13:49.021 02/11/2009 Sev=Warning/2 CERT/0x83600009
> Could not load certificate e=Login@post-server.ru,cn=Login,ou=Workers,dc=organization,dc=ru from store Microsoft User Certificate. Reason: store empty
>
> 22 16:13:49.021 02/11/2009 Sev=Warning/2 CERT/0x83600004
> If you are using a smartcard or token containing a certificate, verify that it is plugged in and try again.
>
> 23 16:13:49.021 02/11/2009 Sev=Warning/2 IKE/0xC3000008
> Unable to open certificate (e=Login@post-server.ru,cn=Login,ou=Workers,dc=organization,dc=ru).
> If you are using a smartcard or token containing a certificate, verify the correct one is plugged in and try again.
>
> 24 16:13:49.021 02/11/2009 Sev=Warning/2 IKE/0xC300009B
> Failed to open my certificate (Connection:240)
>
> 25 16:13:49.021 02/11/2009 Sev=Warning/2 IKE/0xC300009A
> Failed to set up connection data
>
> 26 16:13:49.021 02/11/2009 Sev=Info/4 CM/0x4310001C
> Unable to contact server "backup-server-2"
>
> 27 16:13:49.021 02/11/2009 Sev=Info/4 CM/0x43100024
> Attempt connection with server "backup-server-1"
>
> 28 16:13:49.021 02/11/2009 Sev=Info/4 CVPND/0x43400019
> Privilege Separation: binding to port: (0).
>
> 29 16:13:49.022 02/11/2009 Sev=Info/4 CVPND/0x43400019
> Privilege Separation: binding to port: (0).
>
> 30 16:13:49.022 02/11/2009 Sev=Info/6 IKE/0x4300003B
> Attempting to establish a connection with backup-server-1.
>
> 31 16:13:49.022 02/11/2009 Sev=Warning/2 CERT/0x83600009
> Could not load certificate e=Login@post-server.ru,cn=Login,ou=Workers,dc=organization,dc=ru from store Microsoft User Certificate. Reason: store empty
>
> 32 16:13:49.022 02/11/2009 Sev=Warning/2 CERT/0x83600004
> If you are using a smartcard or token containing a certificate, verify that it is plugged in and try again.
>
> 33 16:13:49.022 02/11/2009 Sev=Warning/2 IKE/0xC3000008
> Unable to open certificate (e=Login@post-server.ru,cn=Login,ou=Workers,dc=organization,dc=ru).
> If you are using a smartcard or token containing a certificate, verify the correct one is plugged in and try again.
>
> 34 16:13:49.022 02/11/2009 Sev=Warning/2 IKE/0xC300009B
> Failed to open my certificate (Connection:240)
>
> 35 16:13:49.022 02/11/2009 Sev=Warning/2 IKE/0xC300009A
> Failed to set up connection data
>
> 36 16:13:49.022 02/11/2009 Sev=Info/4 CM/0x4310001C
> Unable to contact server "backup-server-1"
>
> 37 16:13:49.022 02/11/2009 Sev=Info/4 CM/0x4310000C
> All connection attempts with backup server failed
>
> 38 16:13:49.022 02/11/2009 Sev=Info/5 CM/0x43100025
> Initializing CVPNDrv
>
> 39 16:13:49.022 02/11/2009 Sev=Info/4 CVPND/0x4340001F
> Privilege Separation: restoring MTU on primary interface.
>
> 40 16:13:49.022 02/11/2009 Sev=Info/4 IKE/0x43000001
> IKE received signal to terminate VPN connection
>
> 41 16:13:49.023 02/11/2009 Sev=Info/4 IPSEC/0x43700008
> IPSec driver successfully started
>
> 42 16:13:49.023 02/11/2009 Sev=Info/4 IPSEC/0x43700014
> Deleted all keys
>
> 43 16:13:49.023 02/11/2009 Sev=Info/4 IPSEC/0x43700014
> Deleted all keys
>
> 44 16:13:49.023 02/11/2009 Sev=Info/4 IPSEC/0x43700014
> Deleted all keys
>
> 45 16:13:49.023 02/11/2009 Sev=Info/4 IPSEC/0x43700014
> Deleted all keys
>
> 46 16:13:49.023 02/11/2009 Sev=Info/4 IPSEC/0x4370000A
> IPSec driver successfully stopped
>
> 47 16:13:52.021 02/11/2009 Sev=Info/4 CVPND/0x4340000C
> Stopped service:
>
> 48 16:13:52.022 02/11/2009 Sev=Info/4 CVPND/0x4340001F
> Privilege Separation: restoring MTU on primary interface.
>
> PC/SC device scanner
> V 1.4.11 (c) 2001-2007, Ludovic Rousseau <ludovic.rousseau@free.fr>
> Compiled with PC/SC lite version: 1.4.4
> Scanning present readers
> 0: AseIIIeUSB 00 00
>
> Wed Feb 11 16:01:02 2009
> Reader 0: AseIIIeUSB 00 00
> Card state: Card inserted,
> ATR: 3B D6 18 00 81 B1 80 7D 1F 03 80 51 00 61 10 30 8F
>
> ATR: 3B D6 18 00 81 B1 80 7D 1F 03 80 51 00 61 10 30 8F
> + TS = 3B --> Direct Convention
> + T0 = D6, Y(1): 1101, K: 6 (historical bytes)
> TA(1) = 18 --> Fi=372, Di=12, 31 cycles/ETU (115200 bits/s at 3.57 MHz)
> TC(1) = 00 --> Extra guard time: 0
> TD(1) = 81 --> Y(i+1) = 1000, Protocol T = 1
> -----
> TD(2) = B1 --> Y(i+1) = 1011, Protocol T = 1
> -----
> TA(3) = 80 --> IFSC: 128
> TB(3) = 7D --> Block Waiting Integer: 7 - Character Waiting Integer: 13
> TD(3) = 1F --> Y(i+1) = 0001, Protocol T = 15 - Global interface bytes following
> -----
> TA(4) = 03 --> Clock stop: not supported - Class accepted by the card: (3G) A 5V B 3V
> + Historical bytes: 80 51 00 61 10 30
> Category indicator byte: 80 (compact TLV data object)
> Tag: 5, len: 1 (card issuer's data)
> Card issuer data: 00
> Tag: 6, len: 1 (pre-issuing data)
> Data: 10
> Tag: 3, len: 0 (card service data byte)
> Error in the ATR: expecting 1 byte and got 0
> + TCK = 8F (correct checksum)
>
> Possibly identified card (using /usr/share/pcsc/smartcard_list.txt):
> 3B D6 18 00 81 B1 80 7D 1F 03 80 51 00 61 10 30 8F
> ASECard Crypto, http://www.athena-scs.com/product.asp?pid=8
>
>
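The reply's diagnosis (CertStore=2 sends the client to a Windows-only certificate store, so the "store empty" errors in vpnlog.txt are expected on Linux) can be checked mechanically. The script below is an added example written for this thread, not Cisco's code and not anything the posters ran: it parses the vpnclient log into numbered entries, extracts the store name and reason from each CERT/0x83600009 entry, and compares them with the profile's CertStore value. The CertStore numbering (0 = no certificate, 1 = Cisco store, 2 = Microsoft store) is assumed from the VPN Client administrator guide; the profile and log fragments embedded below are constructed from the ones quoted above.

```python
"""Cross-check a Cisco VPN Client .pcf profile against its vpnclient log.

Added example for this thread (not Cisco's code): parses the log into
entries, pulls store name and reason out of CERT/0x83600009 entries and
compares them with the profile's CertStore. The CertStore numbering
(0 = none, 1 = Cisco store, 2 = Microsoft store) is an assumption taken
from the VPN Client administrator guide.
"""
import configparser
import re
from dataclasses import dataclass

CERT_STORE_NAMES = {0: "none", 1: "Cisco", 2: "Microsoft"}  # assumed mapping

# Entry header: "<seq> <hh:mm:ss.mmm> <mm/dd/yyyy> Sev=<Level>/<n> <FACILITY>/<0xCODE>"
ENTRY_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>\d{2}:\d{2}:\d{2}\.\d{3})\s+(?P<date>\d{2}/\d{2}/\d{4})"
    r"\s+Sev=(?P<sev>\w+)/\d\s+(?P<facility>\w+)/(?P<code>0x[0-9A-Fa-f]{8})$"
)
STORE_RE = re.compile(r"from store (?P<store>.+?)\. Reason: (?P<reason>.+)$")

# Constructed profile fragment carrying the thread's certificate settings.
SAMPLE_PCF = """[main]
Host=gate-server.ru
AuthType=3
CertStore=2
CertName=Login
CertPath=
CertSubjectName=e=Login@post-server.ru,cn=Login,ou=Workers,dc=organization,dc=ru
"""

# Constructed log fragment: entries 10-13 of the thread's vpnlog.txt, whitespace normalised.
SAMPLE_LOG = """
10 16:13:49.019 02/11/2009 Sev=Info/6 IKE/0x4300003B
Attempting to establish a connection with backup-server-1.

11 16:13:49.020 02/11/2009 Sev=Warning/2 CERT/0x83600009
Could not load certificate e=Login@post-server.ru,cn=Login,ou=Workers,dc=organization,dc=ru from store Microsoft User Certificate. Reason: store empty

12 16:13:49.020 02/11/2009 Sev=Warning/2 CERT/0x83600004
If you are using a smartcard or token containing a certificate, verify that it is plugged in and try again.

13 16:13:49.020 02/11/2009 Sev=Warning/2 IKE/0xC3000008
Unable to open certificate (e=Login@post-server.ru,cn=Login,ou=Workers,dc=organization,dc=ru).
If you are using a smartcard or token containing a certificate, verify the correct one is plugged in and try again.
"""


@dataclass
class Entry:
    seq: int
    severity: str
    facility: str
    code: str
    message: str = ""


def parse_vpnclient_log(text):
    """One Entry per header line; the non-blank lines that follow are its message."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if m:
            code = "0x" + m["code"][2:].upper()
            entries.append(Entry(int(m["seq"]), m["sev"], m["facility"], code))
        elif line and entries:
            entries[-1].message = (entries[-1].message + " " + line).strip()
    return entries


def load_profile(text):
    """The .pcf is INI-style; interpolation is off so backslashes and '%' survive."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return parser["main"]


def store_failures(entries):
    """(seq, store, reason) for every CERT/0x83600009 'Could not load certificate' entry."""
    out = []
    for e in entries:
        if e.facility == "CERT" and e.code == "0x83600009":
            m = STORE_RE.search(e.message)
            if m:
                out.append((e.seq, m["store"], m["reason"]))
    return out


def diagnose(profile_text, log_text):
    """Findings as strings: configured store, each store failure, and the mismatch if any."""
    main = load_profile(profile_text)
    store_id = int(main.get("CertStore", "0"))
    findings = [f"profile CertStore={store_id} ({CERT_STORE_NAMES.get(store_id, 'unknown')})"]
    failures = store_failures(parse_vpnclient_log(log_text))
    findings += [f"entry {seq}: store '{store}' rejected: {reason}" for seq, store, reason in failures]
    if store_id == 2 and any(store.startswith("Microsoft") for _, store, _ in failures):
        findings.append("CertStore=2 selects the Microsoft store, which only exists on Windows; "
                        "the client looks there and never reaches the smart card")
    return findings


if __name__ == "__main__":
    for line in diagnose(SAMPLE_PCF, SAMPLE_LOG):
        print(line)
```

Run it against the real vpnc.pcf and vpnlog.txt by reading the two files into `diagnose()`; a profile with CertStore=1 produces only the store line and the raw failures, with no mismatch note.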
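The pcsc_scan.out attachment shows that the card itself answers correctly; the decoding it prints follows directly from the ATR bytes. The parser below is an added example written for this thread, not pcsc_scan's code: it walks the interface bytes TA/TB/TC/TD by the Y(i) presence bits of T0 and each TD, separates the historical bytes, splits them as compact TLV when the category indicator is 0x80, verifies the TCK checksum and decodes TA1 with the ISO 7816-3 Fi/Di tables. SAMPLE_ATR is the ATR quoted above; the function and table names are this example's own.

```python
"""Decode an ISO 7816-3 Answer To Reset (ATR) the way pcsc_scan does.

Added example for this thread, not pcsc_scan's code. SAMPLE_ATR is the
ATR quoted in the thread's pcsc_scan output.
"""
# ISO 7816-3 clock-rate (Fi) and baud-rate (Di) conversion tables, indexed by TA1 nibbles.
FI_TABLE = [372, 372, 558, 744, 1116, 1488, 1860, None, None,
            512, 768, 1024, 1536, 2048, None, None]
DI_TABLE = [None, 1, 2, 4, 8, 16, 32, 64, 12, 20, None, None, None, None, None, None]

SAMPLE_ATR = "3B D6 18 00 81 B1 80 7D 1F 03 80 51 00 61 10 30 8F"


def parse_compact_tlv(hist):
    """Historical bytes with category indicator 0x80 hold compact TLVs:
    tag = high nibble, length = low nibble, then `length` data bytes.
    A zero-length object (tag 3 here) is returned with empty data, which is
    what pcsc_scan reports as 'expecting 1 byte and got 0'."""
    objs, pos = [], 1
    while pos < len(hist):
        tag, length = hist[pos] >> 4, hist[pos] & 0x0F
        objs.append((tag, hist[pos + 1:pos + 1 + length]))
        pos += 1 + length
    return objs


def parse_atr(hexstr):
    atr = bytes.fromhex(hexstr)
    if len(atr) < 2 or atr[0] not in (0x3B, 0x3F):
        raise ValueError("not an ISO 7816-3 ATR: bad TS byte")
    info = {"convention": "direct" if atr[0] == 0x3B else "inverse",
            "interface_bytes": [], "protocols": set()}
    k = atr[1] & 0x0F          # T0 low nibble: number of historical bytes
    y = atr[1] >> 4            # T0 high nibble: which of TA1..TD1 are present
    pos, i = 2, 1
    while True:
        next_y = 0
        for bit, name in ((1, "TA"), (2, "TB"), (4, "TC"), (8, "TD")):
            if not y & bit:
                continue
            if pos >= len(atr):
                raise ValueError(f"ATR truncated before {name}{i}")
            info["interface_bytes"].append((f"{name}{i}", atr[pos]))
            if name == "TD":   # TD(i): high nibble = Y(i+1), low nibble = protocol T
                info["protocols"].add(atr[pos] & 0x0F)
                next_y = atr[pos] >> 4
            pos += 1
        if not next_y:         # no TD, or TD announced no further interface bytes
            break
        y, i = next_y, i + 1
    hist = atr[pos:pos + k]
    if len(hist) != k:
        raise ValueError(f"T0 announced {k} historical bytes, only {len(hist)} present")
    pos += k
    info["historical_bytes"] = hist.hex(" ").upper()
    info["compact_tlv"] = parse_compact_tlv(hist) if hist[:1] == b"\x80" else None
    # TCK is present unless only T=0 was offered; XOR of T0..TCK must be zero.
    if any(p != 0 for p in info["protocols"]):
        if pos != len(atr) - 1:
            raise ValueError("TCK missing or trailing bytes after TCK")
        xor = 0
        for b in atr[1:]:
            xor ^= b
        info["tck"], info["tck_valid"] = atr[pos], xor == 0
    else:
        if pos != len(atr):
            raise ValueError("unexpected bytes after historical bytes")
        info["tck"], info["tck_valid"] = None, None
    ta1 = dict(info["interface_bytes"]).get("TA1", 0x11)  # default: Fi=372, Di=1
    info["fi"], info["di"] = FI_TABLE[ta1 >> 4], DI_TABLE[ta1 & 0x0F]
    info["cycles_per_etu"] = (info["fi"] // info["di"]
                              if info["fi"] and info["di"] else None)
    info["protocols"] = sorted(info["protocols"])
    return info


if __name__ == "__main__":
    for key, value in parse_atr(SAMPLE_ATR).items():
        print(f"{key}: {value}")
```

For the thread's ATR this yields TA1/TC1/TD1, TD2, TA3/TB3/TD3, TA4 (T=1 twice, then T=15 announcing global interface bytes), six historical bytes and a valid TCK of 0x8F, matching the pcsc_scan output line by line; a corrupted or truncated ATR raises instead of being silently accepted.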
Thread overview: 3+ messages
2009-02-11 14:23 [gentoo-user-ru] Cisco VPN Client does not see the certificate Alex
2009-02-12 7:07 ` Марьясин Семён [this message]
2009-02-12 8:49 ` Alex