OpenVPN and Token USB ( long )

 
 
lrayssiguier

 
      01-12-2010, 10:20 AM
Hello,

I must set up an OpenVPN connection with an eToken and I'm a newbie with eTokens...
In fact it's the first time I use this hardware.

I work on Centos 5.4
I use Aladdin eToken NG-FLASH and I have installed rpm for libraries and
utilities from Aladdin.

I have setup eToken with password protection and I have installed
OpenVPN 2.1.1 ( see below )

[root@centos ~]# openvpn --version
OpenVPN 2.1.1 i386-redhat-linux [SSL] [LZO2] [EPOLL] [PKCS11] built on Jan 11 2010
Originally developed by James Yonan
Copyright (C) 2002-2009 OpenVPN Technologies, Inc. <(E-Mail Removed)>

When I try command "openvpn --show-pkcs11-ids /usr/lib/libeTPkcs11.so" I
have this message :

The following objects are available for use.
Each object shown below may be used as parameter to
--pkcs11-id option please remember to use single quote mark.

Certificate
DN: /C=FR/ST=Midi Pyrenees/L=Toulouse/O=CAPLASER/CN=client1/emailAddress=(E-Mail Removed)
Serial: 02
Serialized id: Aladdin\x20Ltd\x2E/eToken/003d2771/eToken3/43313733414334453844363944383436

So openvpn can list token certificates...

In my VPNclient.conf I have these lines :

ca ca.crt
# Works fine with files on openvpn directory
#cert client1.crt
#key client1.key

pkcs11-providers "/usr/lib/libeTPkcs11.so"
# First test
# pkcs11-id "/CN=client1/emailAddress=(E-Mail Removed)"
pkcs11-id "Aladdin\\x20Ltd\\x2E/eToken/003d2771/eToken3/43313733414334453844363944383436"

When I try to start Openvpn connection I see these messages in logs.

[root@centos ~]# /etc/init.d/openvpn start
Démarrage de openvpn : [ OK ]
[root@centos ~]# tail /var/log/messages
Jan 12 13:16:53 centos openvpn[8040]: VERIFY OK: depth=1, /C=FR/ST=Midi_Pyrenees/L=Toulouse/O=CAPLASER/OU=Service_Informatique/CN=CAPLASER_CA/emailAddress=(E-Mail Removed)
Jan 12 13:16:53 centos openvpn[8040]: VERIFY OK: nsCertType=SERVER
Jan 12 13:16:53 centos openvpn[8040]: VERIFY OK: depth=0, /C=FR/ST=Midi_Pyrenees/L=Toulouse/O=CAPLASER/CN=openvpn.caplaser.fr/emailAddress=(E-Mail Removed)
Jan 12 13:16:53 centos openvpn[8040]: PKCS#11: Cannot perform signature 1:'CKR_CANCEL'
Jan 12 13:16:53 centos openvpn[8040]: TLS_ERROR: BIO read tls_read_plaintext error: error:14099004:SSL routines:SSL3_SEND_CLIENT_VERIFY:RSA lib
Jan 12 13:16:53 centos openvpn[8040]: TLS Error: TLS object -> incoming plaintext read error
Jan 12 13:16:53 centos openvpn[8040]: TLS Error: TLS handshake failed
Jan 12 13:16:53 centos openvpn[8040]: TCP/UDP: Closing socket
Jan 12 13:16:53 centos openvpn[8040]: SIGUSR1[soft,tls-error] received, process restarting
Jan 12 13:16:53 centos openvpn[8040]: Restart pause, 2 second(s)

I can't send the password to read the eToken, so that may be the reason, but I
don't understand how I can do that :-(

Please Help !! :-)

Regards

Laurent
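
Added example, not part of the original post: a small Python parser for the "Serialized id" printed by --show-pkcs11-ids above. It rejoins the wrapped value, decodes the \xNN escapes, and emits the pkcs11-id line in both quoting styles. The field names, and the reading of the last field as the hex-encoded object id, are assumptions of this example.

```python
import re

# Field order as understood from pkcs11-helper's token serialization (an
# assumption of this example): manufacturer/model/serial/label/object-id.
FIELDS = ("manufacturer", "model", "serial", "label", "object_id")
_ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{2})")


def _unescape(part):
    """Turn \\xNN escapes back into the characters they stand for."""
    return _ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), part)


def parse_serialized_id(text):
    """Split a 'Serialized id' value into named fields.

    Line breaks introduced by mail or forum wrapping are removed first,
    because the real value is a single line.
    """
    joined = "".join(line.strip() for line in text.splitlines())
    parts = joined.split("/")
    if len(parts) != len(FIELDS):
        raise ValueError("expected %d '/'-separated fields, got %d"
                         % (len(FIELDS), len(parts)))
    fields = dict(zip(FIELDS, (_unescape(p) for p in parts[:-1])))
    fields["object_id"] = bytes.fromhex(parts[-1])  # hex-encoded object id
    return joined, fields


def config_lines(joined):
    """Return the two equivalent ways to write the id in a config file."""
    single = "pkcs11-id '%s'" % joined
    # Inside double quotes OpenVPN treats backslash as an escape character,
    # so each literal backslash has to be doubled.
    double = 'pkcs11-id "%s"' % joined.replace("\\", "\\\\")
    return single, double


# Value copied from the post, including the line wrap it arrived with.
WRAPPED = "Aladdin\\x20Ltd\n\\x2E/eToken/003d2771/eToken3/43313733414334453844363944383436"

if __name__ == "__main__":
    joined, fields = parse_serialized_id(WRAPPED)
    for name in FIELDS:
        print("%-12s %r" % (name, fields[name]))
    print(*config_lines(joined), sep="\n")
```

A pkcs11-id value split over two lines, as it appears after wrapping, is not the same string as the single-line id the token reports, so paste the joined form.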
 
 
 
 
 
lrayssiguier

 
      01-12-2010, 01:29 PM
In article <(E-Mail Removed)>,
(E-Mail Removed) says...
> [root@centos ~]# /etc/init.d/openvpn start

I have found that if I launch the command openvpn --config
/etc/openvpn/VPNclient.conf directly, the password is requested and the
tunnel comes up when I give the right password.

The problem is the script, which "daemonizes" the process, so the password
can't be asked for.

Do you have any hint on how to have it asked even if I use the openvpn script?
 
 
 
 
 