public inbox for gentoo-user-ru@lists.gentoo.org
* [gentoo-user-ru] Cisco VPN Client does not see the certificate
@ 2009-02-11 14:23 Alex
  2009-02-12  7:07 ` [gentoo-user-ru] " Марьясин Семён
  0 siblings, 1 reply; 3+ messages in thread
From: Alex @ 2009-02-11 14:23 UTC
  To: Gentoo

[-- Attachment #1: Type: text/plain, Size: 1187 bytes --]

Hi everyone!

I need to access my organization's internal network over the internet via VPN.
The client used is Cisco VPN Client.
A smart card is used for authentication, and after the certificate on the card has been verified, a domain login and password also have to be entered.
From Windows machines everything works.
But from Linux it does not :(

pcscd sees the smart card in the USB card reader, and the output of pcsc_scan is in the attachment pcsc_scan.out

But Cisco VPN Client for Linux gives errors (see the attachment vpnlog.txt)

I took the Cisco VPN Client settings from a working client on Windows (see the attachment vpnc.pcf)

I understand that the client cannot find the certificate on my smart card, but I do not know how to correctly specify the path to the certificate in the VPN client config :(
I have searched the whole internet and found nothing :(
Please tell me how to explain to the VPN client where to look for my certificate, or post a link where I can read about how paths to certificates on smart cards are specified in Linux

When I view the information about my certificate on the card in Windows, the Certification Path looks like this:
Root Organization
|_Enterprise Organization
  |_Login

Thanks!





[-- Attachment #2: vpnc.pcf --]
[-- Type: text/plain, Size: 566 bytes --]

[main]
Description=
Host=gate-server.ru
AuthType=3
GroupName=
GroupPwd=
enc_GroupPwd=
EnableISPConnect=0
ISPConnectType=0
ISPConnect=
ISPPhonebook=
ISPCommand=
Username=domain\login
SaveUserPassword=0
UserPassword=
enc_UserPassword=
NTDomain=
EnableBackup=1
BackupServer=backup-server-1,backup-server-2
EnableMSLogon=1
MSLogonType=0
EnableNat=1
TunnelingMode=0
TcpTunnelingPort=10000
CertStore=2
CertName=Login
CertPath=
CertSubjectName=e=Login@post-server.ru,cn=Login,ou=Workers,dc=organization,dc=ru
CertSerialHash=
SendCertChain=0
PeerTimeout=90
EnableLocalLAN=0

[-- Attachment #3: vpnlog.txt --]
[-- Type: text/plain, Size: 6752 bytes --]

Cisco Systems VPN Client Version 4.8.02 (0030)
Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Linux
Running on: Linux 2.6.24-23-generic #1 SMP Mon Jan 26 00:13:11 UTC 2009 i686
Config file directory: /etc/opt/cisco-vpnclient

1      16:13:42.472  02/11/2009  Sev=Warning/3	CLI/0x83900004
Unable to purge old log files. Function returned -1.

2      16:13:42.494  02/11/2009  Sev=Info/4	CVPND/0x4340001F
Privilege Separation: restoring MTU on primary interface.

3      16:13:42.494  02/11/2009  Sev=Info/4	CVPND/0x4340000F
Started cvpnd:
Cisco Systems VPN Client Version 4.8.02 (0030)
Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Linux
Running on: Linux 2.6.24-23-generic #1 SMP Mon Jan 26 00:13:11 UTC 2009 i686

4      16:13:43.474  02/11/2009  Sev=Info/4	CLI/0x43900002
Started vpnclient:
Cisco Systems VPN Client Version 4.8.02 (0030)
Copyright (C) 1998-2007 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Linux
Running on: Linux 2.6.24-23-generic #1 SMP Mon Jan 26 00:13:11 UTC 2009 i686

5      16:13:48.149  02/11/2009  Sev=Info/4	CM/0x43100002
Begin connection process

6      16:13:48.150  02/11/2009  Sev=Info/4	CM/0x43100004
Establish secure connection

7      16:13:48.150  02/11/2009  Sev=Info/4	CM/0x43100024
Attempt connection with server "gate-server.ru"

8      16:13:49.019  02/11/2009  Sev=Info/4	CVPND/0x43400019
Privilege Separation: binding to port: (0).

9      16:13:49.019  02/11/2009  Sev=Info/4	CVPND/0x43400019
Privilege Separation: binding to port: (0).

10     16:13:49.019  02/11/2009  Sev=Info/6	IKE/0x4300003B
Attempting to establish a connection with backup-server-1.

11     16:13:49.020  02/11/2009  Sev=Warning/2	CERT/0x83600009
Could not load certificate e=Login@post-server.ru,cn=Login,ou=Workers,dc=organization,dc=ru from store Microsoft User Certificate. Reason: store empty

12     16:13:49.020  02/11/2009  Sev=Warning/2	CERT/0x83600004
If you are using a smartcard or token containing a certificate, verify that it is plugged in and try again.

13     16:13:49.020  02/11/2009  Sev=Warning/2	IKE/0xC3000008
Unable to open certificate (e=Login@post-server.ru,cn=Login,ou=Workers,dc=organization,dc=ru).
If you are using a smartcard or token containing a certificate, verify the correct one is plugged in and try again.

14     16:13:49.020  02/11/2009  Sev=Warning/2	IKE/0xC300009B
Failed to open my certificate (Connection:240)

15     16:13:49.020  02/11/2009  Sev=Warning/2	IKE/0xC300009A
Failed to set up connection data

16     16:13:49.020  02/11/2009  Sev=Info/4	CM/0x4310001C
Unable to contact server "gate-server.ru"

17     16:13:49.020  02/11/2009  Sev=Info/4	CM/0x43100024
Attempt connection with server "backup-server-2"

18     16:13:49.020  02/11/2009  Sev=Info/4	CVPND/0x43400019
Privilege Separation: binding to port: (0).

19     16:13:49.021  02/11/2009  Sev=Info/4	CVPND/0x43400019
Privilege Separation: binding to port: (0).

20     16:13:49.021  02/11/2009  Sev=Info/6	IKE/0x4300003B
Attempting to establish a connection with backup-server-2.

21     16:13:49.021  02/11/2009  Sev=Warning/2	CERT/0x83600009
Could not load certificate e=Login@post-server.ru,cn=Login,ou=Workers,dc=organization,dc=ru from store Microsoft User Certificate. Reason: store empty

22     16:13:49.021  02/11/2009  Sev=Warning/2	CERT/0x83600004
If you are using a smartcard or token containing a certificate, verify that it is plugged in and try again.

23     16:13:49.021  02/11/2009  Sev=Warning/2	IKE/0xC3000008
Unable to open certificate (e=Login@post-server.ru,cn=Login,ou=Workers,dc=organization,dc=ru).
If you are using a smartcard or token containing a certificate, verify the correct one is plugged in and try again.

24     16:13:49.021  02/11/2009  Sev=Warning/2	IKE/0xC300009B
Failed to open my certificate (Connection:240)

25     16:13:49.021  02/11/2009  Sev=Warning/2	IKE/0xC300009A
Failed to set up connection data

26     16:13:49.021  02/11/2009  Sev=Info/4	CM/0x4310001C
Unable to contact server "backup-server-2"

27     16:13:49.021  02/11/2009  Sev=Info/4	CM/0x43100024
Attempt connection with server "backup-server-1"

28     16:13:49.021  02/11/2009  Sev=Info/4	CVPND/0x43400019
Privilege Separation: binding to port: (0).

29     16:13:49.022  02/11/2009  Sev=Info/4	CVPND/0x43400019
Privilege Separation: binding to port: (0).

30     16:13:49.022  02/11/2009  Sev=Info/6	IKE/0x4300003B
Attempting to establish a connection with backup-server-1.

31     16:13:49.022  02/11/2009  Sev=Warning/2	CERT/0x83600009
Could not load certificate e=Login@post-server.ru,cn=Login,ou=Workers,dc=organization,dc=ru from store Microsoft User Certificate. Reason: store empty

32     16:13:49.022  02/11/2009  Sev=Warning/2	CERT/0x83600004
If you are using a smartcard or token containing a certificate, verify that it is plugged in and try again.

33     16:13:49.022  02/11/2009  Sev=Warning/2	IKE/0xC3000008
Unable to open certificate (e=Login@post-server.ru,cn=Login,ou=Workers,dc=organization,dc=ru).
If you are using a smartcard or token containing a certificate, verify the correct one is plugged in and try again.

34     16:13:49.022  02/11/2009  Sev=Warning/2	IKE/0xC300009B
Failed to open my certificate (Connection:240)

35     16:13:49.022  02/11/2009  Sev=Warning/2	IKE/0xC300009A
Failed to set up connection data

36     16:13:49.022  02/11/2009  Sev=Info/4	CM/0x4310001C
Unable to contact server "backup-server-1"

37     16:13:49.022  02/11/2009  Sev=Info/4	CM/0x4310000C
All connection attempts with backup server failed

38     16:13:49.022  02/11/2009  Sev=Info/5	CM/0x43100025
Initializing CVPNDrv

39     16:13:49.022  02/11/2009  Sev=Info/4	CVPND/0x4340001F
Privilege Separation: restoring MTU on primary interface.

40     16:13:49.022  02/11/2009  Sev=Info/4	IKE/0x43000001
IKE received signal to terminate VPN connection

41     16:13:49.023  02/11/2009  Sev=Info/4	IPSEC/0x43700008
IPSec driver successfully started

42     16:13:49.023  02/11/2009  Sev=Info/4	IPSEC/0x43700014
Deleted all keys

43     16:13:49.023  02/11/2009  Sev=Info/4	IPSEC/0x43700014
Deleted all keys

44     16:13:49.023  02/11/2009  Sev=Info/4	IPSEC/0x43700014
Deleted all keys

45     16:13:49.023  02/11/2009  Sev=Info/4	IPSEC/0x43700014
Deleted all keys

46     16:13:49.023  02/11/2009  Sev=Info/4	IPSEC/0x4370000A
IPSec driver successfully stopped

47     16:13:52.021  02/11/2009  Sev=Info/4	CVPND/0x4340000C
Stopped service:

48     16:13:52.022  02/11/2009  Sev=Info/4	CVPND/0x4340001F
Privilege Separation: restoring MTU on primary interface.


[-- Attachment #4: pcsc_scan.out --]
[-- Type: text/plain, Size: 1473 bytes --]

PC/SC device scanner
V 1.4.11 (c) 2001-2007, Ludovic Rousseau <ludovic.rousseau@free.fr>
Compiled with PC/SC lite version: 1.4.4
Scanning present readers
0: AseIIIeUSB 00 00

Wed Feb 11 16:01:02 2009
 Reader 0: AseIIIeUSB 00 00
  Card state: Card inserted, 
  ATR: 3B D6 18 00 81 B1 80 7D 1F 03 80 51 00 61 10 30 8F

ATR: 3B D6 18 00 81 B1 80 7D 1F 03 80 51 00 61 10 30 8F
+ TS = 3B --> Direct Convention
+ T0 = D6, Y(1): 1101, K: 6 (historical bytes)
  TA(1) = 18 --> Fi=372, Di=12, 31 cycles/ETU (115200 bits/s at 3.57 MHz)
  TC(1) = 00 --> Extra guard time: 0
  TD(1) = 81 --> Y(i+1) = 1000, Protocol T = 1 
-----
  TD(2) = B1 --> Y(i+1) = 1011, Protocol T = 1 
-----
  TA(3) = 80 --> IFSC: 128
  TB(3) = 7D --> Block Waiting Integer: 7 - Character Waiting Integer: 13
  TD(3) = 1F --> Y(i+1) = 0001, Protocol T = 15 - Global interface bytes following 
-----
  TA(4) = 03 --> Clock stop: not supported - Class accepted by the card: (3G) A 5V B 3V 
+ Historical bytes: 80 51 00 61 10 30
  Category indicator byte: 80 (compact TLV data object)
    Tag: 5, len: 1 (card issuer's data)
      Card issuer data: 00
    Tag: 6, len: 1 (pre-issuing data)
      Data: 10
    Tag: 3, len: 0 (card service data byte)
      Error in the ATR: expecting 1 byte and got 0
+ TCK = 8F (correct checksum)

Possibly identified card (using /usr/share/pcsc/smartcard_list.txt):
3B D6 18 00 81 B1 80 7D 1F 03 80 51 00 61 10 30 8F
	ASECard Crypto, http://www.athena-scs.com/product.asp?pid=8



* [gentoo-user-ru] Re: [gentoo-user-ru] Cisco VPN Client does not see the certificate
  2009-02-11 14:23 [gentoo-user-ru] Cisco VPN Client does not see the certificate Alex
@ 2009-02-12  7:07 ` Марьясин Семён
  2009-02-12  8:49   ` Alex
  0 siblings, 1 reply; 3+ messages in thread
From: Марьясин Семён @ 2009-02-12  7:07 UTC
  To: gentoo-user-ru

Maybe try tinkering with the CertStore parameter?
Because it is trying to look for the certificate in Microsoft User Certificate, which is unlikely to exist under Linux...


* Re: [gentoo-user-ru] Cisco VPN Client does not see the certificate
  2009-02-12  7:07 ` [gentoo-user-ru] " Марьясин Семён
@ 2009-02-12  8:49   ` Alex
  0 siblings, 0 replies; 3+ messages in thread
From: Alex @ 2009-02-12  8:49 UTC
  To: gentoo-user-ru

I set the parameter CertStore=1, i.e. the Cisco store, and it complains like this:

34     11:20:44.388  02/12/2009  Sev=Warning/2  CERT/0x83600009
Could not load certificate e=Login@post-server.ru,cn=Login,ou=Workers,dc=organization,dc=ru from store Cisco User Certificate. Reason: store empty

35     11:20:44.388  02/12/2009  Sev=Warning/2  IKE/0xC3000008
Unable to open certificate (e=Login@post-server.ru,cn=Login,ou=Workers,dc=organization,dc=ru).
If you are using a smartcard or token containing a certificate, verify the correct one is plugged in and try again.

I set the parameter CertStore=0, i.e. the default store, and it complains like this:

11     11:38:14.418  02/12/2009  Sev=Warning/2  IKE/0xC3000008
Unable to open certificate (e=Login@post-server.ru,cn=Login,ou=Workers,dc=organization,dc=ru).
If you are using a smartcard or token containing a certificate, verify the correct one is plugged in and try again.

12     11:38:14.418  02/12/2009  Sev=Warning/2  IKE/0xC300009B
Failed to open my certificate (Connection:240)

pcsc_scan sees the card


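A triage helper for the log format posted in this thread, added here as an example (it is not part of any message and not Cisco's code): it groups the vpnclient log into entries, collapses the per-server retries into one certificate finding, and checks whether the store named in the log is the one `CertStore` selects in the .pcf. The function names and the `STORE_SEEN_IN_THREAD` mapping are assumptions, built only from the values and store names that appear in the posted logs.

```python
import configparser
import re

# Entry header as it appears in the thread's vpnlog.txt, e.g.
#   "11     16:13:49.020  02/11/2009  Sev=Warning/2<TAB>CERT/0x83600009"
HEADER = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>[\d:.]+)\s+(?P<date>[\d/]+)\s+"
    r"Sev=(?P<sev>\w+)/(?P<level>\d+)\s+(?P<module>\w+)/(?P<code>0x[0-9A-Fa-f]+)\s*$")
LOAD_FAIL = re.compile(
    r"Could not load certificate (?P<subject>.+) from store (?P<store>.+?)\. "
    r"Reason: (?P<reason>.+)$")
ATTEMPT = re.compile(r'Attempt connection with server "(?P<server>[^"]+)"')

# Assumption: store names the client printed for the CertStore values tried in
# the thread. Only values whose store name appears in the posted logs are listed.
STORE_SEEN_IN_THREAD = {"1": "Cisco User Certificate", "2": "Microsoft User Certificate"}


def parse_entries(text):
    """Group each header line with the message lines that follow it."""
    entries, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = dict(m.groupdict(), lines=[])
            entries.append(current)
        elif current is not None and line.strip():
            current["lines"].append(line.strip())
    return entries


def cert_findings(entries):
    """Collapse per-server retries into one finding per (store, reason, subject)."""
    findings, server = {}, None
    for e in entries:
        msg = " ".join(e["lines"])
        m = ATTEMPT.search(msg)
        if m:
            server = m.group("server")
        m = LOAD_FAIL.search(msg) if e["module"] == "CERT" else None
        if m:
            key = (m.group("store"), m.group("reason"), m.group("subject"))
            f = findings.setdefault(key, dict(m.groupdict(), servers=[], code=e["code"]))
            if server not in f["servers"]:
                f["servers"].append(server)
    return list(findings.values())


def store_matches_profile(pcf_text, finding):
    """True when the store named in the log is the one the .pcf selects."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(pcf_text)
    return STORE_SEEN_IN_THREAD.get(cp["main"]["CertStore"]) == finding["store"]


# Constructed sample: a shortened excerpt assembled from lines posted in the thread.
SUBJECT = "e=Login@post-server.ru,cn=Login,ou=Workers,dc=organization,dc=ru"
SAMPLE_LOG = "\n".join([
    "Cisco Systems VPN Client Version 4.8.02 (0030)",
    "7      16:13:48.150  02/11/2009  Sev=Info/4\tCM/0x43100024",
    'Attempt connection with server "gate-server.ru"',
    "11     16:13:49.020  02/11/2009  Sev=Warning/2\tCERT/0x83600009",
    f"Could not load certificate {SUBJECT} from store Microsoft User Certificate. Reason: store empty",
    "17     16:13:49.020  02/11/2009  Sev=Info/4\tCM/0x43100024",
    'Attempt connection with server "backup-server-2"',
    "21     16:13:49.021  02/11/2009  Sev=Warning/2\tCERT/0x83600009",
    f"Could not load certificate {SUBJECT} from store Microsoft User Certificate. Reason: store empty",
])
SAMPLE_PCF = "[main]\nHost=gate-server.ru\nCertStore=2\nCertName=Login\n"

if __name__ == "__main__":
    for f in cert_findings(parse_entries(SAMPLE_LOG)):
        print(f["code"], f["store"], "->", f["reason"], "| servers:", f["servers"],
              "| matches profile:", store_matches_profile(SAMPLE_PCF, f))
```

A finding whose store matches the profile and whose reason is `store empty` for every server points at the local certificate store rather than at the gateway or the network path.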
