OpenVPN and Token USB ( long )


Hello,

I must do an OpenVPN connection with an eToken and I'm a newbie on eTokens...
In fact it's the first time I use this hardware.

I work on Centos 5.4
I use Aladdin eToken NG-FLASH and I have installed rpm for libraries and
utilities from Aladdin.

I have setup eToken with password protection and I have installed
OpenVPN 2.1.1 ( see below )

[root@centos ~]# openvpn --version
OpenVPN 2.1.1 i386-redhat-linux [SSL] [LZO2] [EPOLL] [PKCS11] built on Jan 11 2010
Originally developed by James Yonan
Copyright (C) 2002-2009 OpenVPN Technologies, Inc. <sales@openvpn.net>

When I try command "openvpn --show-pkcs11-ids /usr/lib/libeTPkcs11.so" I
have this message :

The following objects are available for use.
Each object shown below may be used as parameter to
--pkcs11-id option please remember to use single quote mark.

Certificate
       DN:             /C=FR/ST=Midi Pyrenees/L=Toulouse/O=CAPLASER/CN=client1/emailAddress=bidon@caplaser.fr
       Serial:         02
       Serialized id:  Aladdin\x20Ltd\x2E/eToken/003d2771/eToken3/43313733414334453844363944383436

So openvpn can list token certificates...

In my VPNclient.conf I have these lines :

ca ca.crt
# Works fine with files on openvpn directory
#cert client1.crt
#key client1.key

pkcs11-providers "/usr/lib/libeTPkcs11.so"
# First test
# pkcs11-id "/CN=client1/emailAddress=bidon@caplaser.fr"
pkcs11-id "Aladdin\\x20Ltd\\x2E/eToken/003d2771/eToken3/43313733414334453844363944383436"

When I try to start Openvpn connection I see these messages in logs.

[root@centos ~]# /etc/init.d/openvpn start
Démarrage de openvpn :                                    [  OK  ]
[root@centos ~]# tail /var/log/messages
Jan 12 13:16:53 centos openvpn[8040]: VERIFY OK: depth=1, /C=FR/ST=Midi_Pyrenees/L=Toulouse/O=CAPLASER/OU=Service_Informatique/CN=CAPLASER_CA/emailAddress=bidon@caplaser.fr
Jan 12 13:16:53 centos openvpn[8040]: VERIFY OK: nsCertType=SERVER
Jan 12 13:16:53 centos openvpn[8040]: VERIFY OK: depth=0, /C=FR/ST=Midi_Pyrenees/L=Toulouse/O=CAPLASER/CN=openvpn.caplaser.fr/emailAddress=bidon@caplaser.fr
Jan 12 13:16:53 centos openvpn[8040]: PKCS#11: Cannot perform signature 1:'CKR_CANCEL'
Jan 12 13:16:53 centos openvpn[8040]: TLS_ERROR: BIO read tls_read_plaintext error: error:14099004:SSL routines:SSL3_SEND_CLIENT_VERIFY:RSA lib
Jan 12 13:16:53 centos openvpn[8040]: TLS Error: TLS object -> incoming plaintext read error
Jan 12 13:16:53 centos openvpn[8040]: TLS Error: TLS handshake failed
Jan 12 13:16:53 centos openvpn[8040]: TCP/UDP: Closing socket
Jan 12 13:16:53 centos openvpn[8040]: SIGUSR1[soft,tls-error] received, process restarting
Jan 12 13:16:53 centos openvpn[8040]: Restart pause, 2 second(s)

I can't send the password to read the eToken, so that can be a reason, but I can't
understand how I can do that :-(

Please Help !! :-)

Regards

Laurent
0
Reply lrayssiguier 1/12/2010 11:20:13 AM

In article <MPG.25b67943896039f7989680@news.free.fr>, 
l.rayssiguier@free.fr says...
> [root@centos ~]# /etc/init.d/openvpn start
I have found that if I launch the command openvpn --config
/etc/openvpn/VPNclient.conf directly, the password is requested and the tunnel
comes up when I give the right password.

The problem is the script, which "daemonizes" the process, so the password can't
be asked for.

Do you have some hint for asking for it even if I use the openvpn script?
0
Reply lrayssiguier 1/12/2010 2:29:31 PM
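
An added example, not part of the original posts: a small triage script that scans syslog for the failure pattern quoted in this thread, a PKCS#11 signing error followed by a failed TLS handshake from the same openvpn PID. The sample log is constructed from the lines above, and treating `CKR_CANCEL` as a sign that the PIN prompt could not be shown is an assumption based on the poster's own observation, not OpenVPN documentation.

```python
import re

# Constructed sample input, modelled on the syslog lines quoted in the thread.
# PID 8112 is an invented control case: a handshake failure with no token error.
SAMPLE_LOG = """\
Jan 12 13:16:53 centos openvpn[8040]: VERIFY OK: nsCertType=SERVER
Jan 12 13:16:53 centos openvpn[8040]: PKCS#11: Cannot perform signature 1:'CKR_CANCEL'
Jan 12 13:16:53 centos openvpn[8040]: TLS Error: TLS handshake failed
Jan 12 13:16:53 centos openvpn[8040]: SIGUSR1[soft,tls-error] received, process restarting
Jan 12 13:17:10 centos openvpn[8112]: VERIFY OK: nsCertType=SERVER
Jan 12 13:17:11 centos openvpn[8112]: TLS Error: TLS handshake failed
"""

# Classic syslog prefix: "Mon DD HH:MM:SS host openvpn[pid]: message"
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\sopenvpn\[(?P<pid>\d+)\]:\s(?P<msg>.*)$"
)
# Matches e.g. "PKCS#11: Cannot perform signature 1:'CKR_CANCEL'"
SIGN_FAIL = re.compile(r"PKCS#11: Cannot perform signature \d+:'(?P<rv>CKR_\w+)'")


def find_token_sign_failures(log_text):
    """Return one finding per handshake that failed after a PKCS#11 signing error."""
    pending = {}    # pid -> (timestamp, CKR_* name) of the most recent signing error
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        sign = SIGN_FAIL.search(msg)
        if sign:
            pending[pid] = (m.group("ts"), sign.group("rv"))
        elif "TLS handshake failed" in msg and pid in pending:
            ts, rv = pending.pop(pid)
            findings.append({
                "pid": int(pid),
                "time": ts,
                "rv": rv,
                # Heuristic (assumption): CKR_CANCEL here means no PIN was supplied.
                "pin_prompt_suspected": rv == "CKR_CANCEL",
            })
    return findings


if __name__ == "__main__":
    for f in find_token_sign_failures(SAMPLE_LOG):
        print(f)
```
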

