[2.0.RC2] Login and password not working with X.509


This topic contains 4 replies, has 0 voices, and was last updated by Shadok 5 years, 3 months ago.

    #43710

    Shadok
    Member

    Hi,

    I’m using Zeroshell 2.0.RC2.
    I have setup OpenVPN server to use X.509 certificate + password.

    I have the ovpn, user pem and CA.pem file.
    When I launch OpenVPN, I'm asked for the login and password, but I always get an AUTH_FAILED error in OpenVPN:

    Tue Aug 13 16:57:02 2013 AUTH: Received AUTH_FAILED control message
    Tue Aug 13 16:57:02 2013 TCP/UDP: Closing socket
    Tue Aug 13 16:57:02 2013 SIGTERM[soft,auth-failure] received, process exiting

    If I try with the "Only X.509 certificate" auth option (and auth-user-pass commented out), it works.

    I created another user to test with its credentials, but I got the same error.

    I'm using the OpenVPN file provided in the tutorial, and "auth-user-pass" is enabled.

    Any idea?

    Thanks.

    #52825

    Shadok
    Member

    The error still occurs with Zeroshell 2.0.2 RC3.

    #52826

    redfive
    Participant

    ZS and OpenVPN work perfectly together. From which OS are you trying to connect? This is one of my configuration files (host is Windows) and the OpenVPN client is OpenVPN 2.3.2:

    remote xx.xx.xx.xx 1194
    proto tcp
    auth-user-pass
    ca myCacert.pem
    cert myusercert.pem
    key myusercert.pem
    #verify-x509-name 'OU=Hosts, CN=cn_on_certificate'
    remote-cert-eku 'TLS Web Server Authentication'
    #cipher AES-128-CBC
    #auth RSA-SHA512
    comp-lzo
    verb 3
    mute 20
    resolv-retry infinite
    nobind
    client
    dev tap
    persist-key
    persist-tun
    auth-nocache
    script-security 3
    route-method exe
    route-delay 2

    greetings

    #52827

    Shadok
    Member

    It doesn't work with your config either:

    Mon Aug 26 21:19:22 2013 VERIFY OK: depth=1, /O=example/OU=zeroshell_afec/CN=ZeroShell
    Mon Aug 26 21:19:22 2013 VERIFY OK: depth=0, /OU=Hosts/CN=gateway.domain.com
    Mon Aug 26 21:19:25 2013 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Mon Aug 26 21:19:25 2013 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Mon Aug 26 21:19:25 2013 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Mon Aug 26 21:19:25 2013 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Mon Aug 26 21:19:25 2013 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
    Mon Aug 26 21:19:25 2013 [gateway.domain.com] Peer Connection Initiated with XXX.XXX.XXX.XXX:1194
    Mon Aug 26 21:19:27 2013 SENT CONTROL [gateway.domain.com]: 'PUSH_REQUEST' (status=1)
    Mon Aug 26 21:19:27 2013 AUTH: Received AUTH_FAILED control message
    Mon Aug 26 21:19:27 2013 TCP/UDP: Closing socket
    Mon Aug 26 21:19:27 2013 SIGTERM[soft,auth-failure] received, process exiting

    #52828

    redfive
    Participant

    Strange... are you sure that the user and password are correct? And the logs on ZS, what do they say when the VPN connection fails?

    #52829

    Shadok
    Member

    21:18:57 89.2.150.224:50264 [user@EXAMPLE.COM] Trying Kerberos 5 (Local KDC) authentication
    21:18:58 89.2.150.224:50264 [user@EXAMPLE.COM] Kerberos 5 authentication failed: host/gateway.domain.com@EXAMPLE.COM: Server not found in Kerberos database while getting credentials
    21:18:58 89.2.150.224:50264 WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 11
    21:18:58 89.2.150.224:50264 TLS Auth Error: Auth Username/Password verification failed for peer

    Well, user@example.com exists in the Kerberos database, but gateway.domain.com doesn't (gateway.localdomain.com exists; I didn't see the difference before).

    Adding it fixed my issue, thanks for pointing that out 🙂
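Added example, not code from Zeroshell or from anyone in this thread: a small Python parser for the Zeroshell OpenVPN server log lines quoted above. It pulls the Kerberos failure reason out of each "Kerberos 5 authentication failed" line and, for the "Server not found in Kerberos database" case, the service principal the KDC is missing, so the client-side AUTH_FAILED can be tied to its server-side cause. The field layout is assumed from the four lines Shadok posted, and the sample log below is constructed (documentation-range IPs, invented second user).

```python
import re

# Constructed sample modelled on the Zeroshell log lines in the thread (not a real capture).
SAMPLE_LOG = """\
21:18:57 198.51.100.7:50264 [user@EXAMPLE.COM] Trying Kerberos 5 (Local KDC) authentication
21:18:58 198.51.100.7:50264 [user@EXAMPLE.COM] Kerberos 5 authentication failed: host/gateway.domain.com@EXAMPLE.COM: Server not found in Kerberos database while getting credentials
21:18:58 198.51.100.7:50264 WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 11
21:18:58 198.51.100.7:50264 TLS Auth Error: Auth Username/Password verification failed for peer
21:25:03 198.51.100.9:41002 [bob@EXAMPLE.COM] Trying Kerberos 5 (Local KDC) authentication
21:25:03 198.51.100.9:41002 [bob@EXAMPLE.COM] Kerberos 5 authentication failed: Preauthentication failed while getting initial credentials
"""

# "HH:MM:SS client:port [user@REALM] Kerberos 5 authentication failed: <detail>" (layout assumed from the thread)
LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d)\s+(?P<client>\S+)\s+\[(?P<user>[^\]]+)\]\s+"
    r"Kerberos 5 authentication failed: (?P<detail>.+)$"
)
# When the KDC names a service principal, it precedes the reason as "svc/host@REALM: <reason>"
PRINCIPAL_RE = re.compile(r"^(?P<principal>[^\s:]+/[^\s:]+@[^\s:]+): (?P<reason>.+)$")


def parse_krb_failures(log_text):
    """Return one record per Kerberos failure line: who, from where, which service, and why."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # 'Trying ...', WARNING and TLS Auth Error lines carry no new detail
        rec = {"time": m["time"], "client": m["client"], "user": m["user"],
               "service": None, "reason": m["detail"]}
        p = PRINCIPAL_RE.match(m["detail"])
        if p:
            rec["service"] = p["principal"]
            rec["reason"] = p["reason"]
        records.append(rec)
    return records


def classify(rec):
    """Map the KDC's error text to a likely cause and the check an admin should run."""
    reason = rec["reason"]
    if "Server not found in Kerberos database" in reason:
        return ("missing-host-principal",
                f"KDC has no principal {rec['service']}; compare the gateway's hostname "
                "with the host/ principals in the KDC (the mismatch found in this thread)")
    if "Preauthentication failed" in reason or "Password incorrect" in reason:
        return ("bad-password", f"wrong password for {rec['user']}")
    if "Client not found in Kerberos database" in reason:
        return ("unknown-user", f"no principal {rec['user']} in the KDC")
    return ("other", reason)
```

Running parse_krb_failures over the server log right after a client reports AUTH_FAILED gives the cause without guessing at the password first, which is what redfive's question was driving at.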
