Opened 11 years ago
Closed 4 years ago
#342 closed Bug / Defect (fixed)
Cannot connect to VPN from Linux by using ikey3000 token
Reported by: | vkorecky | Owned by: | |
---|---|---|---|
Priority: | major | Milestone: | release 2.5 |
Component: | Generic / unclassified | Version: | OpenVPN 2.3.2 (Community Ed) |
Severity: | Not set (select this one, unless you're an OpenVPN developer) | Keywords: | ikey3000, opensc volunteer |
Cc: |
Description
How to reproduce this bug:
- Any Linux distribution (I use Linuxmint 15)
- Install openvpn, openct, opensc (sudo apt-get install opensc openct openvpn)
- Insert token ikey3000
- Try to connect to the VPN
The connection last worked in Ubuntu 9.04.
These were the versions:
- Openvpn 2.1 RC11
- Opensc 0.11
- Openct 0.6
Since 2009 the connection hasn't worked on any Linux distribution I tested: OpenSUSE, Fedora, Ubuntu, etc.
Attached is:
- my ovpn file (modified IPs for company security rules)
- output from command sudo openvpn --show-pkcs11-ids /usr/lib/opensc-pkcs11.so
- full log from openvpn and opensc (debug/verbose is set to 9)
Attachments (4)
Change History (14)
Changed 11 years ago by
Attachment: | Certificates on ikey3000 token.txt added |
---|
Changed 11 years ago by
Attachment: | debug.txt.zip added |
---|
Debug output from command sudo openvpn --config /etc/openvpn/Jihlava.ovpn --ca /etc/openvpn/gvpn_ca2.cer
comment:1 Changed 11 years ago by
I tried compiling the latest openvpn version, 2.3.2, with pkcs11 support (command "./configure --enable-pkcs11"), and the result is the same as in version 2.2.1, which is distributed by Ubuntu (Linuxmint).
comment:2 Changed 11 years ago by
Logs at --verb 4 would be much more useful. These are pretty much unreadable with all the extra noise in the logs.
Level 5 prints characters for each packet sent/received (primarily for identifying firewall issues) and levels above 5 are debug levels you should use only when requested (or are doing personal debugging of openvpn and know you need them.)
Changed 11 years ago by
Attachment: | openvpn-verb4.txt added |
---|
Openvpn log with verb 4. Opensc debug is disabled.
comment:4 Changed 11 years ago by
That log looks quite good to me, tbh. Connection succeeds, authentication succeeds, push info is received from server, interface is initialized.
So what do you mean by "connection doesn't work"?
comment:5 Changed 11 years ago by
OpenVPN login operation should finish with line:
... Initialization Sequence Completed
But in my case, OpenVPN froze on the line:
/sbin/ifconfig tun0 10.20.10.173 pointopoint 10.20.10.174 mtu 1500
and I cannot access VPN network.
If you look at the debug log with verb=9, you can see that after the line:
.../sbin/ifconfig tun0 10.20.10.173 pointopoint 10.20.10.174 mtu 1500
opensc continues with some actions:
...
[opensc-pkcs11] card.c:258:sc_disconnect_card: returning with: 0 (Success)
[opensc-pkcs11] ctx.c:737:sc_release_context: called
[opensc-pkcs11] reader-pcsc.c:736:pcsc_finish: called
But OpenVPN doesn't continue. It looks like OpenVPN doesn't know that opensc successfully finished.
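The symptom described in this comment (tun interface configured, but no "Initialization Sequence Completed") can be checked mechanically in a saved log. The script below is an added example, not part of the ticket or of OpenVPN; the function names and sample logs are constructed for illustration from the log lines quoted above.

```shell
#!/bin/sh
# Verdicts: completed | stalled-after-ifconfig | no-tunnel-setup
classify_openvpn_log() {
    # $1 = path to a saved OpenVPN client log
    awk '
        # Each ifconfig line starts a new tunnel setup (also after a restart),
        # so an earlier "Completed" no longer counts.
        /\/sbin\/ifconfig tun[0-9]+ /       { ifc = 1; ok = 0 }
        /Initialization Sequence Completed/ { ok = 1 }
        END {
            if (ok)       print "completed"
            else if (ifc) print "stalled-after-ifconfig"
            else          print "no-tunnel-setup"
        }' "$1"
}

# Print everything logged after the last ifconfig line: the part of the
# log that shows what ran while OpenVPN stopped making progress.
lines_after_ifconfig() {
    awk '
        /\/sbin\/ifconfig tun[0-9]+ / { n = 0; seen = 1; next }
        seen { buf[++n] = $0 }
        END { for (i = 1; i <= n; i++) print buf[i] }' "$1"
}

# Constructed sample logs, built from the lines quoted in the ticket.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/hung.log" <<'EOF'
/sbin/ifconfig tun0 10.20.10.173 pointopoint 10.20.10.174 mtu 1500
[opensc-pkcs11] card.c:258:sc_disconnect_card: returning with: 0 (Success)
[opensc-pkcs11] ctx.c:737:sc_release_context: called
[opensc-pkcs11] reader-pcsc.c:736:pcsc_finish: called
EOF
cat > "$SAMPLE_DIR/ok.log" <<'EOF'
/sbin/ifconfig tun0 10.20.10.173 pointopoint 10.20.10.174 mtu 1500
Initialization Sequence Completed
EOF
# Restart case: the first setup completed, the second one did not.
cat > "$SAMPLE_DIR/restart.log" <<'EOF'
/sbin/ifconfig tun0 10.20.10.173 pointopoint 10.20.10.174 mtu 1500
Initialization Sequence Completed
/sbin/ifconfig tun0 10.20.10.173 pointopoint 10.20.10.174 mtu 1500
EOF

for f in "$SAMPLE_DIR"/*.log; do
    printf '%s: %s\n' "${f##*/}" "$(classify_openvpn_log "$f")"
done
```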
comment:6 Changed 11 years ago by
Version: | 2.2.1 → 2.3.2 |
---|
comment:8 Changed 11 years ago by
No progress, because I think none of the developers have an OpenSC smartcard system, so we can't reproduce that.
It's clear that OpenVPN is hanging (that it just stops doing anything is highly unusual), but it's not clear where. It might be a bug in newer versions of opensc or pkcs11-helper (which is why it's not working for you on any linux distribution).
What you could do is try two things to narrow it down:
- try compiling openVPN 2.1 on the same system, see if it happens there as well (if yes, it's opensc or pkcs11-helper and needs to be fixed there)
- if it works for 2.1 but fails on 2.2/2.3, we broke something. In that case, please run
strace -f openvpn <normal openvpn options>
and paste the last 200 lines from there into the ticket - it should give us an indication what is happening in which component, and why it's not proceeding.
- try raising this topic in the openvpn forum or on the openvpn-users mailing list - I'm hoping that someone else will speak up and say "it's working perfectly well for me with a XYZ smartcard" or "I have the same issue with an ABC smartcard"
comment:9 Changed 9 years ago by
Keywords: | volunteer added |
---|---|
Milestone: | → release 2.5 |
We could use a volunteer/volunteers here to gauge who exactly is affected by this, and to test the fix.
comment:10 Changed 4 years ago by
Resolution: | → fixed |
---|---|
Status: | new → closed |
So. Nothing has happened for the last 5 years. My suggestions to try different OpenVPN versions have not been answered, and 2.2/2.3 are end of support.
We have improved our pkcs11 handling in various places (like, commit 5fd3d1d5, "do not set pkcs11-helper safe fork mode"), which might have fixed this. That particular commit went into v2.4.8, but there is more stuff in the 2.4 train.
So - any issues with smartcards should be retried with 2.4.9 or with 2.5.0 (as soon as it is released). If still reproducible, please open a new ticket.
Output of command "sudo openvpn --show-pkcs11-ids /usr/lib/opensc-pkcs11.so"