From: Alex <kav1979@mail.ru>
To: Gentoo <gentoo-user-ru@lists.gentoo.org>
Subject: [gentoo-user-ru] Cisco VPN Client does not see the certificate
Date: Wed, 11 Feb 2009 17:23:58 +0300
Message-ID: <E1LXG0M-000Oya-00.kav1979-mail-ru@f224.mail.ru>
[-- Attachment #1: Type: text/plain, Size: 1187 bytes --]
Hi all!
I need access to my organization's internal network over the Internet via VPN.
Cisco VPN Client is used as the client.
A smartcard is used for authentication, and after the certificate on the card has been verified you also have to enter a domain login and password.
From Windows-like machines everything works.
But from Linux it does not work :(
pcscd sees the smartcard in the USB card reader; the output of pcsc_scan is in the attachment pcsc_scan.out.
But Cisco VPN Client for Linux produces errors (see attachment vpnlog.txt).
I took the Cisco VPN Client settings from a working client on Windows (see attachment vpnc.pcf).
I understand that the client cannot find the certificate on my smartcard, but I don't know how to correctly specify the path to the certificate in the VPN client config :(
I have searched the whole Internet and found nothing :(
Please tell me how to explain to the VPN client where to look for my certificate, or give me a link where I can read about how paths to certificates on smartcards are specified in Linux.
When I view the info about my certificate on the card in Windows, the Certification Path looks like this:
Root Organization
|_Enterprise Organization
|_Login
Thanks!
[-- Attachment #2: vpnc.pcf --]
[-- Type: text/plain, Size: 566 bytes --]
[main]
Description=
Host=gate-server.ru
AuthType=3
GroupName=
GroupPwd=
enc_GroupPwd=
EnableISPConnect=0
ISPConnectType=0
ISPConnect=
ISPPhonebook=
ISPCommand=
Username=domain\login
SaveUserPassword=0
UserPassword=
enc_UserPassword=
NTDomain=
EnableBackup=1
BackupServer=backup-server-1,backup-server-2
EnableMSLogon=1
MSLogonType=0
EnableNat=1
TunnelingMode=0
TcpTunnelingPort=10000
CertStore=2
CertName=Login
CertPath=
CertSubjectName=e=Login@post-server.ru,cn=Login,ou=Workers,dc=organization,dc=ru
CertSerialHash=
SendCertChain=0
PeerTimeout=90
EnableLocalLAN=0
[-- Attachment #3: vpnlog.txt --]
[-- Type: text/plain, Size: 6752 bytes --]
Cisco Systems VPN Client Version 4.8.02 (0030)
Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Linux
Running on: Linux 2.6.24-23-generic #1 SMP Mon Jan 26 00:13:11 UTC 2009 i686
Config file directory: /etc/opt/cisco-vpnclient
1 16:13:42.472 02/11/2009 Sev=Warning/3 CLI/0x83900004
Unable to purge old log files. Function returned -1.
2 16:13:42.494 02/11/2009 Sev=Info/4 CVPND/0x4340001F
Privilege Separation: restoring MTU on primary interface.
3 16:13:42.494 02/11/2009 Sev=Info/4 CVPND/0x4340000F
Started cvpnd:
Cisco Systems VPN Client Version 4.8.02 (0030)
Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Linux
Running on: Linux 2.6.24-23-generic #1 SMP Mon Jan 26 00:13:11 UTC 2009 i686
4 16:13:43.474 02/11/2009 Sev=Info/4 CLI/0x43900002
Started vpnclient:
Cisco Systems VPN Client Version 4.8.02 (0030)
Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Linux
Running on: Linux 2.6.24-23-generic #1 SMP Mon Jan 26 00:13:11 UTC 2009 i686
5 16:13:48.149 02/11/2009 Sev=Info/4 CM/0x43100002
Begin connection process
6 16:13:48.150 02/11/2009 Sev=Info/4 CM/0x43100004
Establish secure connection
7 16:13:48.150 02/11/2009 Sev=Info/4 CM/0x43100024
Attempt connection with server "gate-server.ru"
8 16:13:49.019 02/11/2009 Sev=Info/4 CVPND/0x43400019
Privilege Separation: binding to port: (0).
9 16:13:49.019 02/11/2009 Sev=Info/4 CVPND/0x43400019
Privilege Separation: binding to port: (0).
10 16:13:49.019 02/11/2009 Sev=Info/6 IKE/0x4300003B
Attempting to establish a connection with backup-server-1.
11 16:13:49.020 02/11/2009 Sev=Warning/2 CERT/0x83600009
Could not load certificate e=Login@post-server.ru,cn=Login,ou=Workers,dc=organization,dc=ru from store Microsoft User Certificate. Reason: store empty
12 16:13:49.020 02/11/2009 Sev=Warning/2 CERT/0x83600004
If you are using a smartcard or token containing a certificate, verify that it is plugged in and try again.
13 16:13:49.020 02/11/2009 Sev=Warning/2 IKE/0xC3000008
Unable to open certificate (e=Login@post-server.ru,cn=Login,ou=Workers,dc=organization,dc=ru).
If you are using a smartcard or token containing a certificate, verify the correct one is plugged in and try again.
14 16:13:49.020 02/11/2009 Sev=Warning/2 IKE/0xC300009B
Failed to open my certificate (Connection:240)
15 16:13:49.020 02/11/2009 Sev=Warning/2 IKE/0xC300009A
Failed to set up connection data
16 16:13:49.020 02/11/2009 Sev=Info/4 CM/0x4310001C
Unable to contact server "gate-server.ru"
17 16:13:49.020 02/11/2009 Sev=Info/4 CM/0x43100024
Attempt connection with server "backup-server-2"
18 16:13:49.020 02/11/2009 Sev=Info/4 CVPND/0x43400019
Privilege Separation: binding to port: (0).
19 16:13:49.021 02/11/2009 Sev=Info/4 CVPND/0x43400019
Privilege Separation: binding to port: (0).
20 16:13:49.021 02/11/2009 Sev=Info/6 IKE/0x4300003B
Attempting to establish a connection with backup-server-2.
21 16:13:49.021 02/11/2009 Sev=Warning/2 CERT/0x83600009
Could not load certificate e=Login@post-server.ru,cn=Login,ou=Workers,dc=organization,dc=ru from store Microsoft User Certificate. Reason: store empty
22 16:13:49.021 02/11/2009 Sev=Warning/2 CERT/0x83600004
If you are using a smartcard or token containing a certificate, verify that it is plugged in and try again.
23 16:13:49.021 02/11/2009 Sev=Warning/2 IKE/0xC3000008
Unable to open certificate (e=Login@post-server.ru,cn=Login,ou=Workers,dc=organization,dc=ru).
If you are using a smartcard or token containing a certificate, verify the correct one is plugged in and try again.
24 16:13:49.021 02/11/2009 Sev=Warning/2 IKE/0xC300009B
Failed to open my certificate (Connection:240)
25 16:13:49.021 02/11/2009 Sev=Warning/2 IKE/0xC300009A
Failed to set up connection data
26 16:13:49.021 02/11/2009 Sev=Info/4 CM/0x4310001C
Unable to contact server "backup-server-2"
27 16:13:49.021 02/11/2009 Sev=Info/4 CM/0x43100024
Attempt connection with server "backup-server-1"
28 16:13:49.021 02/11/2009 Sev=Info/4 CVPND/0x43400019
Privilege Separation: binding to port: (0).
29 16:13:49.022 02/11/2009 Sev=Info/4 CVPND/0x43400019
Privilege Separation: binding to port: (0).
30 16:13:49.022 02/11/2009 Sev=Info/6 IKE/0x4300003B
Attempting to establish a connection with backup-server-1.
31 16:13:49.022 02/11/2009 Sev=Warning/2 CERT/0x83600009
Could not load certificate e=Login@post-server.ru,cn=Login,ou=Workers,dc=organization,dc=ru from store Microsoft User Certificate. Reason: store empty
32 16:13:49.022 02/11/2009 Sev=Warning/2 CERT/0x83600004
If you are using a smartcard or token containing a certificate, verify that it is plugged in and try again.
33 16:13:49.022 02/11/2009 Sev=Warning/2 IKE/0xC3000008
Unable to open certificate (e=Login@post-server.ru,cn=Login,ou=Workers,dc=organization,dc=ru).
If you are using a smartcard or token containing a certificate, verify the correct one is plugged in and try again.
34 16:13:49.022 02/11/2009 Sev=Warning/2 IKE/0xC300009B
Failed to open my certificate (Connection:240)
35 16:13:49.022 02/11/2009 Sev=Warning/2 IKE/0xC300009A
Failed to set up connection data
36 16:13:49.022 02/11/2009 Sev=Info/4 CM/0x4310001C
Unable to contact server "backup-server-1"
37 16:13:49.022 02/11/2009 Sev=Info/4 CM/0x4310000C
All connection attempts with backup server failed
38 16:13:49.022 02/11/2009 Sev=Info/5 CM/0x43100025
Initializing CVPNDrv
39 16:13:49.022 02/11/2009 Sev=Info/4 CVPND/0x4340001F
Privilege Separation: restoring MTU on primary interface.
40 16:13:49.022 02/11/2009 Sev=Info/4 IKE/0x43000001
IKE received signal to terminate VPN connection
41 16:13:49.023 02/11/2009 Sev=Info/4 IPSEC/0x43700008
IPSec driver successfully started
42 16:13:49.023 02/11/2009 Sev=Info/4 IPSEC/0x43700014
Deleted all keys
43 16:13:49.023 02/11/2009 Sev=Info/4 IPSEC/0x43700014
Deleted all keys
44 16:13:49.023 02/11/2009 Sev=Info/4 IPSEC/0x43700014
Deleted all keys
45 16:13:49.023 02/11/2009 Sev=Info/4 IPSEC/0x43700014
Deleted all keys
46 16:13:49.023 02/11/2009 Sev=Info/4 IPSEC/0x4370000A
IPSec driver successfully stopped
47 16:13:52.021 02/11/2009 Sev=Info/4 CVPND/0x4340000C
Stopped service:
48 16:13:52.022 02/11/2009 Sev=Info/4 CVPND/0x4340001F
Privilege Separation: restoring MTU on primary interface.
[-- Attachment #4: pcsc_scan.out --]
[-- Type: text/plain, Size: 1473 bytes --]
PC/SC device scanner
V 1.4.11 (c) 2001-2007, Ludovic Rousseau <ludovic.rousseau@free.fr>
Compiled with PC/SC lite version: 1.4.4
Scanning present readers
0: AseIIIeUSB 00 00
Wed Feb 11 16:01:02 2009
Reader 0: AseIIIeUSB 00 00
Card state: Card inserted,
ATR: 3B D6 18 00 81 B1 80 7D 1F 03 80 51 00 61 10 30 8F
ATR: 3B D6 18 00 81 B1 80 7D 1F 03 80 51 00 61 10 30 8F
+ TS = 3B --> Direct Convention
+ T0 = D6, Y(1): 1101, K: 6 (historical bytes)
TA(1) = 18 --> Fi=372, Di=12, 31 cycles/ETU (115200 bits/s at 3.57 MHz)
TC(1) = 00 --> Extra guard time: 0
TD(1) = 81 --> Y(i+1) = 1000, Protocol T = 1
-----
TD(2) = B1 --> Y(i+1) = 1011, Protocol T = 1
-----
TA(3) = 80 --> IFSC: 128
TB(3) = 7D --> Block Waiting Integer: 7 - Character Waiting Integer: 13
TD(3) = 1F --> Y(i+1) = 0001, Protocol T = 15 - Global interface bytes following
-----
TA(4) = 03 --> Clock stop: not supported - Class accepted by the card: (3G) A 5V B 3V
+ Historical bytes: 80 51 00 61 10 30
Category indicator byte: 80 (compact TLV data object)
Tag: 5, len: 1 (card issuer's data)
Card issuer data: 00
Tag: 6, len: 1 (pre-issuing data)
Data: 10
Tag: 3, len: 0 (card service data byte)
Error in the ATR: expecting 1 byte and got 0
+ TCK = 8F (correct checksum)
Possibly identified card (using /usr/share/pcsc/smartcard_list.txt):
3B D6 18 00 81 B1 80 7D 1F 03 80 51 00 61 10 30 8F
ASECard Crypto, http://www.athena-scs.com/product.asp?pid=8
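The vpnlog.txt attached above has a two-level layout: a header line (sequence number, time, date, Sev=Level/N, Module/0xCode) followed by one or more message lines. The following parser is an added example, not code from the post or from Cisco; it splits the log into records and pulls out the certificate-store failures (subject DN, store name, reason) so the root cause can be read off without scanning the repeated backup-server attempts. The sample log is a constructed excerpt of the attachment.

```python
import re
from collections import Counter

# Constructed excerpt of the vpnlog.txt attachment, same layout as the real file.
SAMPLE_LOG = """\
Cisco Systems VPN Client Version 4.8.02 (0030)
Config file directory: /etc/opt/cisco-vpnclient
10 16:13:49.019 02/11/2009 Sev=Info/6 IKE/0x4300003B
Attempting to establish a connection with backup-server-1.
11 16:13:49.020 02/11/2009 Sev=Warning/2 CERT/0x83600009
Could not load certificate e=Login@post-server.ru,cn=Login,ou=Workers,dc=organization,dc=ru from store Microsoft User Certificate. Reason: store empty
12 16:13:49.020 02/11/2009 Sev=Warning/2 CERT/0x83600004
If you are using a smartcard or token containing a certificate, verify that it is plugged in and try again.
13 16:13:49.020 02/11/2009 Sev=Warning/2 IKE/0xC3000008
Unable to open certificate (e=Login@post-server.ru,cn=Login,ou=Workers,dc=organization,dc=ru).
If you are using a smartcard or token containing a certificate, verify the correct one is plugged in and try again.
14 16:13:49.020 02/11/2009 Sev=Warning/2 IKE/0xC300009B
Failed to open my certificate (Connection:240)
"""

# Header line: "<seq> <hh:mm:ss.ms> <mm/dd/yyyy> Sev=<Sev>/<n> <MODULE>/<0xCODE>"
HEADER = re.compile(
    r"^(\d+) (\d\d:\d\d:\d\d\.\d+) (\d\d/\d\d/\d{4}) Sev=(\w+)/(\d) (\w+)/(0x[0-9A-Fa-f]{8})$")
# CERT/0x83600009 message as it appears in the attachment.
CERT_FAIL = re.compile(
    r"Could not load certificate (?P<subject>.+?) from store (?P<store>.+?)\. Reason: (?P<reason>.+)$")


def parse_log(text):
    """Return a list of records; message lines are joined to the preceding header.
    Preamble lines before the first header (banner, config dir) are skipped."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            seq, time, date, sev, level, module, code = m.groups()
            records.append({"seq": int(seq), "time": time, "date": date, "sev": sev,
                            "level": int(level), "module": module, "code": code, "msg": []})
        elif records:
            records[-1]["msg"].append(line)
    for r in records:
        r["msg"] = " ".join(r["msg"])
    return records


def cert_store_failures(records):
    """(subject, store, reason) for every CERT record that failed to load a certificate."""
    out = []
    for r in records:
        m = CERT_FAIL.search(r["msg"]) if r["module"] == "CERT" else None
        if m:
            out.append((m["subject"], m["store"], m["reason"]))
    return out


def warning_counts(records):
    """How often each (module, code) pair was logged at Warning severity."""
    return Counter((r["module"], r["code"]) for r in records if r["sev"] == "Warning")
```

Run against the full attachment, `cert_store_failures` returns the same (subject, "Microsoft User Certificate", "store empty") triple for each of the three server attempts, which is the single fact the whole log reduces to.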