public inbox for gentoo-user-ru@lists.gentoo.org
From: Alex <kav1979@mail.ru>
To: Gentoo <gentoo-user-ru@lists.gentoo.org>
Subject: [gentoo-user-ru] Cisco VPN Client does not see the certificate
Date: Wed, 11 Feb 2009 17:23:58 +0300	[thread overview]
Message-ID: <E1LXG0M-000Oya-00.kav1979-mail-ru@f224.mail.ru> (raw)

[-- Attachment #1: Type: text/plain, Size: 1187 bytes --]

Hi all!

I need to access my organization's internal network over the Internet via VPN.
The client being used is Cisco VPN Client.
Authentication is done with a smart card, and after the certificate on the card has been verified you also have to enter a domain login and password.
From Windows-type machines everything works.
But from Linux it does not work :(

pcscd sees the smart card in the USB card reader; the output of pcsc_scan is in the attachment pcsc_scan.out.

But Cisco VPN Client for Linux reports errors (see attachment vpnlog.txt).

I took the Cisco VPN Client settings from a working client on Windows (see attachment vpnc.pcf).

I understand that the client cannot find the certificate on my smart card, but I do not know how to correctly specify the path to the certificate in the VPN client config :(
I have searched the whole Internet and found nothing :(
Please advise how to tell the VPN client where to look for my certificate, or give me a link where I can read about how paths to certificates on smart cards are specified in Linux.

When I view the information about my certificate on the card in Windows, the certification path looks like this:
Root Organization
|_Enterprise Organization
  |_Login

Thanks!

[-- Attachment #2: vpnc.pcf --]
[-- Type: text/plain, Size: 566 bytes --]

[main]
Description=
Host=gate-server.ru
AuthType=3
GroupName=
GroupPwd=
enc_GroupPwd=
EnableISPConnect=0
ISPConnectType=0
ISPConnect=
ISPPhonebook=
ISPCommand=
Username=domain\login
SaveUserPassword=0
UserPassword=
enc_UserPassword=
NTDomain=
EnableBackup=1
BackupServer=backup-server-1,backup-server-2
EnableMSLogon=1
MSLogonType=0
EnableNat=1
TunnelingMode=0
TcpTunnelingPort=10000
CertStore=2
CertName=Login
CertPath=
CertSubjectName=e=Login@post-server.ru,cn=Login,ou=Workers,dc=organization,dc=ru
CertSerialHash=
SendCertChain=0
PeerTimeout=90
EnableLocalLAN=0

[-- Attachment #3: vpnlog.txt --]
[-- Type: text/plain, Size: 6752 bytes --]

Cisco Systems VPN Client Version 4.8.02 (0030)
Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Linux
Running on: Linux 2.6.24-23-generic #1 SMP Mon Jan 26 00:13:11 UTC 2009 i686
Config file directory: /etc/opt/cisco-vpnclient

1      16:13:42.472  02/11/2009  Sev=Warning/3	CLI/0x83900004
Unable to purge old log files. Function returned -1.

2      16:13:42.494  02/11/2009  Sev=Info/4	CVPND/0x4340001F
Privilege Separation: restoring MTU on primary interface.

3      16:13:42.494  02/11/2009  Sev=Info/4	CVPND/0x4340000F
Started cvpnd:
Cisco Systems VPN Client Version 4.8.02 (0030)
Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Linux
Running on: Linux 2.6.24-23-generic #1 SMP Mon Jan 26 00:13:11 UTC 2009 i686

4      16:13:43.474  02/11/2009  Sev=Info/4	CLI/0x43900002
Started vpnclient:
Cisco Systems VPN Client Version 4.8.02 (0030)
Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Linux
Running on: Linux 2.6.24-23-generic #1 SMP Mon Jan 26 00:13:11 UTC 2009 i686

5      16:13:48.149  02/11/2009  Sev=Info/4	CM/0x43100002
Begin connection process

6      16:13:48.150  02/11/2009  Sev=Info/4	CM/0x43100004
Establish secure connection

7      16:13:48.150  02/11/2009  Sev=Info/4	CM/0x43100024
Attempt connection with server "gate-server.ru"

8      16:13:49.019  02/11/2009  Sev=Info/4	CVPND/0x43400019
Privilege Separation: binding to port: (0).

9      16:13:49.019  02/11/2009  Sev=Info/4	CVPND/0x43400019
Privilege Separation: binding to port: (0).

10     16:13:49.019  02/11/2009  Sev=Info/6	IKE/0x4300003B
Attempting to establish a connection with backup-server-1.

11     16:13:49.020  02/11/2009  Sev=Warning/2	CERT/0x83600009
Could not load certificate e=Login@post-server.ru,cn=Login,ou=Workers,dc=organization,dc=ru from store Microsoft User Certificate. Reason: store empty

12     16:13:49.020  02/11/2009  Sev=Warning/2	CERT/0x83600004
If you are using a smartcard or token containing a certificate, verify that it is plugged in and try again.

13     16:13:49.020  02/11/2009  Sev=Warning/2	IKE/0xC3000008
Unable to open certificate (e=Login@post-server.ru,cn=Login,ou=Workers,dc=organization,dc=ru).
If you are using a smartcard or token containing a certificate, verify the correct one is plugged in and try again.

14     16:13:49.020  02/11/2009  Sev=Warning/2	IKE/0xC300009B
Failed to open my certificate (Connection:240)

15     16:13:49.020  02/11/2009  Sev=Warning/2	IKE/0xC300009A
Failed to set up connection data

16     16:13:49.020  02/11/2009  Sev=Info/4	CM/0x4310001C
Unable to contact server "gate-server.ru"

17     16:13:49.020  02/11/2009  Sev=Info/4	CM/0x43100024
Attempt connection with server "backup-server-2"

18     16:13:49.020  02/11/2009  Sev=Info/4	CVPND/0x43400019
Privilege Separation: binding to port: (0).

19     16:13:49.021  02/11/2009  Sev=Info/4	CVPND/0x43400019
Privilege Separation: binding to port: (0).

20     16:13:49.021  02/11/2009  Sev=Info/6	IKE/0x4300003B
Attempting to establish a connection with backup-server-2.

21     16:13:49.021  02/11/2009  Sev=Warning/2	CERT/0x83600009
Could not load certificate e=Login@post-server.ru,cn=Login,ou=Workers,dc=organization,dc=ru from store Microsoft User Certificate. Reason: store empty

22     16:13:49.021  02/11/2009  Sev=Warning/2	CERT/0x83600004
If you are using a smartcard or token containing a certificate, verify that it is plugged in and try again.

23     16:13:49.021  02/11/2009  Sev=Warning/2	IKE/0xC3000008
Unable to open certificate (e=Login@post-server.ru,cn=Login,ou=Workers,dc=organization,dc=ru).
If you are using a smartcard or token containing a certificate, verify the correct one is plugged in and try again.

24     16:13:49.021  02/11/2009  Sev=Warning/2	IKE/0xC300009B
Failed to open my certificate (Connection:240)

25     16:13:49.021  02/11/2009  Sev=Warning/2	IKE/0xC300009A
Failed to set up connection data

26     16:13:49.021  02/11/2009  Sev=Info/4	CM/0x4310001C
Unable to contact server "backup-server-2"

27     16:13:49.021  02/11/2009  Sev=Info/4	CM/0x43100024
Attempt connection with server "backup-server-1"

28     16:13:49.021  02/11/2009  Sev=Info/4	CVPND/0x43400019
Privilege Separation: binding to port: (0).

29     16:13:49.022  02/11/2009  Sev=Info/4	CVPND/0x43400019
Privilege Separation: binding to port: (0).

30     16:13:49.022  02/11/2009  Sev=Info/6	IKE/0x4300003B
Attempting to establish a connection with backup-server-1.

31     16:13:49.022  02/11/2009  Sev=Warning/2	CERT/0x83600009
Could not load certificate e=Login@post-server.ru,cn=Login,ou=Workers,dc=organization,dc=ru from store Microsoft User Certificate. Reason: store empty

32     16:13:49.022  02/11/2009  Sev=Warning/2	CERT/0x83600004
If you are using a smartcard or token containing a certificate, verify that it is plugged in and try again.

33     16:13:49.022  02/11/2009  Sev=Warning/2	IKE/0xC3000008
Unable to open certificate (e=Login@post-server.ru,cn=Login,ou=Workers,dc=organization,dc=ru).
If you are using a smartcard or token containing a certificate, verify the correct one is plugged in and try again.

34     16:13:49.022  02/11/2009  Sev=Warning/2	IKE/0xC300009B
Failed to open my certificate (Connection:240)

35     16:13:49.022  02/11/2009  Sev=Warning/2	IKE/0xC300009A
Failed to set up connection data

36     16:13:49.022  02/11/2009  Sev=Info/4	CM/0x4310001C
Unable to contact server "backup-server-1"

37     16:13:49.022  02/11/2009  Sev=Info/4	CM/0x4310000C
All connection attempts with backup server failed

38     16:13:49.022  02/11/2009  Sev=Info/5	CM/0x43100025
Initializing CVPNDrv

39     16:13:49.022  02/11/2009  Sev=Info/4	CVPND/0x4340001F
Privilege Separation: restoring MTU on primary interface.

40     16:13:49.022  02/11/2009  Sev=Info/4	IKE/0x43000001
IKE received signal to terminate VPN connection

41     16:13:49.023  02/11/2009  Sev=Info/4	IPSEC/0x43700008
IPSec driver successfully started

42     16:13:49.023  02/11/2009  Sev=Info/4	IPSEC/0x43700014
Deleted all keys

43     16:13:49.023  02/11/2009  Sev=Info/4	IPSEC/0x43700014
Deleted all keys

44     16:13:49.023  02/11/2009  Sev=Info/4	IPSEC/0x43700014
Deleted all keys

45     16:13:49.023  02/11/2009  Sev=Info/4	IPSEC/0x43700014
Deleted all keys

46     16:13:49.023  02/11/2009  Sev=Info/4	IPSEC/0x4370000A
IPSec driver successfully stopped

47     16:13:52.021  02/11/2009  Sev=Info/4	CVPND/0x4340000C
Stopped service:

48     16:13:52.022  02/11/2009  Sev=Info/4	CVPND/0x4340001F
Privilege Separation: restoring MTU on primary interface.


[-- Attachment #4: pcsc_scan.out --]
[-- Type: text/plain, Size: 1473 bytes --]

PC/SC device scanner
V 1.4.11 (c) 2001-2007, Ludovic Rousseau <ludovic.rousseau@free.fr>
Compiled with PC/SC lite version: 1.4.4
Scanning present readers
0: AseIIIeUSB 00 00

Wed Feb 11 16:01:02 2009
 Reader 0: AseIIIeUSB 00 00
  Card state: Card inserted, 
  ATR: 3B D6 18 00 81 B1 80 7D 1F 03 80 51 00 61 10 30 8F

ATR: 3B D6 18 00 81 B1 80 7D 1F 03 80 51 00 61 10 30 8F
+ TS = 3B --> Direct Convention
+ T0 = D6, Y(1): 1101, K: 6 (historical bytes)
  TA(1) = 18 --> Fi=372, Di=12, 31 cycles/ETU (115200 bits/s at 3.57 MHz)
  TC(1) = 00 --> Extra guard time: 0
  TD(1) = 81 --> Y(i+1) = 1000, Protocol T = 1 
-----
  TD(2) = B1 --> Y(i+1) = 1011, Protocol T = 1 
-----
  TA(3) = 80 --> IFSC: 128
  TB(3) = 7D --> Block Waiting Integer: 7 - Character Waiting Integer: 13
  TD(3) = 1F --> Y(i+1) = 0001, Protocol T = 15 - Global interface bytes following 
-----
  TA(4) = 03 --> Clock stop: not supported - Class accepted by the card: (3G) A 5V B 3V 
+ Historical bytes: 80 51 00 61 10 30
  Category indicator byte: 80 (compact TLV data object)
    Tag: 5, len: 1 (card issuer's data)
      Card issuer data: 00
    Tag: 6, len: 1 (pre-issuing data)
      Data: 10
    Tag: 3, len: 0 (card service data byte)
      Error in the ATR: expecting 1 byte and got 0
+ TCK = 8F (correct checksum)

Possibly identified card (using /usr/share/pcsc/smartcard_list.txt):
3B D6 18 00 81 B1 80 7D 1F 03 80 51 00 61 10 30 8F
	ASECard Crypto, http://www.athena-scs.com/product.asp?pid=8
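As an added example (not part of the original post or of the Cisco client), a small Python triage script that parses the vpnclient log format and the .pcf profile shown in the attachments above and reports, for each certificate-load failure, which store the client actually consulted and whether the DN in the log matches the profile's CertSubjectName. The profile fragment and log lines below are constructed from the attachments, not read from disk.

```python
import re
from configparser import ConfigParser

# Constructed sample input: a .pcf fragment and two log records in the shapes seen above.
PCF = """[main]
Host=gate-server.ru
AuthType=3
CertStore=2
CertName=Login
CertSubjectName=e=Login@post-server.ru,cn=Login,ou=Workers,dc=organization,dc=ru
"""
LOG = """11     16:13:49.020  02/11/2009  Sev=Warning/2\tCERT/0x83600009
Could not load certificate e=Login@post-server.ru,cn=Login,ou=Workers,dc=organization,dc=ru from store Microsoft User Certificate. Reason: store empty

12     16:13:49.020  02/11/2009  Sev=Warning/2\tCERT/0x83600004
If you are using a smartcard or token containing a certificate, verify that it is plugged in and try again.
"""

# Record header: "<seq> <time> <date> Sev=<name>/<level> <component>/<hexcode>"
HEADER = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+Sev=(\w+)/(\d)\s+(\w+)/(0x[0-9A-Fa-f]+)$")
CERT_FAIL = re.compile(r"Could not load certificate (.+?) from store (.+?)\. Reason: (.+)$")

def parse_log(text):
    """Split vpnclient log text into records: a header line followed by message lines."""
    records, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = {"seq": int(m.group(1)), "time": m.group(2), "sev": m.group(4),
                       "level": int(m.group(5)), "component": m.group(6),
                       "code": m.group(7), "lines": []}
            records.append(current)
        elif current is not None and line.strip():
            current["lines"].append(line.strip())
    for r in records:
        r["message"] = "\n".join(r.pop("lines"))
    return records

def cert_failures(records):
    """Return (dn, store, reason) for every CERT record that reports a load failure."""
    hits = [CERT_FAIL.search(r["message"]) for r in records if r["component"] == "CERT"]
    return [m.groups() for m in hits if m]

def check_profile(pcf_text, records):
    """Cross-check each failure against the profile's CertStore and CertSubjectName."""
    cp = ConfigParser(interpolation=None)   # values contain '=' and '\', so no interpolation
    cp.read_string(pcf_text)
    main, findings = cp["main"], []
    for dn, store, reason in cert_failures(records):
        if dn != main.get("CertSubjectName", ""):
            findings.append(f"log DN '{dn}' differs from profile CertSubjectName")
        findings.append(f"CertStore={main.get('CertStore')} -> client consulted '{store}' ({reason})")
    return findings
```

Run against the real vpnlog.txt and vpnc.pcf by reading the two files into LOG and PCF; the finding line shows directly which store the profile's CertStore value made the client search.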

