
Configure VPN (PPTP) on Ubuntu 17.10 with JaCarta Smart Card Authorization
In the Windows family of operating systems, setting up VPN access with a smart card is a simple and routine matter, although Microsoft evidently broke this feature in Windows 10 version 1709 (build 16299.15): when you try to connect to a PPTP VPN server with a smart card, Windows simply closes the window without any error, without even asking for the smart card PIN.
“Should have installed Linux!!!”, many will say, and maybe they are right.
In this article we look at how to configure a VPN connection to a remote server with JaCarta smart card authentication. Keep in mind that PPTP itself is a legacy protocol (its MPPE encryption is RC4-based); the smart card strengthens only the authentication step, so this is a recipe for an existing PPTP server, not a recommendation of the protocol.
Ubuntu 17.04 x64 Desktop was chosen as the operating system. Unfortunately, I did not manage to get hold of Debian 9 quickly, but that is a reason to write the next article for Debian.
$ uname -a
Linux VPN-PPTP 4.13.0-16-generic #19-Ubuntu SMP Wed Oct 11 18:35:14 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
1. Install the packages we need:
$ sudo apt update
$ sudo apt install opensc libpcsclite1 pcsc-tools pcscd libengine-pkcs11-openssl ppp pptp-linux
* pptp version 1.9.0 (the pptp-linux package at the time of writing)
In addition to the packages from the standard repository, we need the drivers and libraries for our smart card.
Download the JaCarta PKI package for Linux:
$ mkdir ~/tmp
$ cd ~/tmp
$ wget https://www.aladdin-rd.ru/support/downloads/279f1310-d83d-4858-ba13-ecdbe0d37530/get
Unpack the archive and go to the directory with the .deb packages:
$ unzip get
$ cd JaCarta_PKI_Linux/IDProtect\ Client\ 6.37.03/DEB/
$ ls
idprotectclient_637.03-0_amd64.deb
idprotectclient_637.03-0_i386.deb
idprotectclientlib_637.03-0_amd64.deb
Install the necessary drivers and libraries.
For 64-bit systems:
$ sudo dpkg -i idprotectclient_637.03-0_amd64.deb
$ sudo dpkg -i idprotectclientlib_637.03-0_amd64.deb
For 32-bit systems:
$ sudo dpkg -i idprotectclient_637.03-0_i386.deb
2. The preparatory steps are done; now the VPN setup itself.
2.1. First we check whether the system sees the smart card. Insert the JaCarta token into a USB port of the computer and run
$ pkcs11-tool --module /lib64/libASEP11.so -L
Something like the following should appear:
Available slots:
Slot 0 (0x0): Aladdin R.D. JaCarta [SCR Interface] (000000000000) 00 00
token label : ISadykov
token manufacturer : Aladdin R.D.
token model : JaCarta Laser
token flags : login required, rng, token initialized, PIN initialized
hardware version : 1.0
firmware version : 1.0
serial num : 4E46001220483933
pin min/max : 4/16

2.2. To create the configuration file we need the IDs of the key and the certificate on the token. Run
$ pkcs11-tool --module /lib64/libASEP11.so -l -O
and, after entering the PIN, note the values of the ID fields (elided here with x's); the certificate and its private key normally carry the same ID:
Using slot 0 with a present token (0x0)
Logging in to "ISadykov".
Please enter User PIN:
Certificate Object; type = X.509 cert
label: le-AladdinJacartaUser-1e321881-0e-59035
ID: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Private Key Object; RSA
label: le-AladdinJacartaUser-1e321881-0e-59035
ID: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Usage: decrypt, sign

2.3. Convert the organisation's root certificate from a DER-encoded .cer file to PEM format:
$ openssl x509 -inform der -in ./root_certificate.cer -out ./root_certificate.pem
2.4. Create the file /etc/ppp/openssl.cnf with the following contents (dynamic_path is the engine location for Ubuntu's OpenSSL 1.0.2 build; adjust it if libengine-pkcs11-openssl installs the engine elsewhere on your system):
$ sudo nano /etc/ppp/openssl.cnf
openssl_conf = openssl_def
[ openssl_def ]
engines = engine_section
[ engine_section ]
pkcs11 = pkcs11_section
[ pkcs11_section ]
engine_id = pkcs11
dynamic_path = /usr/lib/x86_64-linux-gnu/openssl-1.0.2/engines/pkcs11.so
MODULE_PATH = /lib64/libASEP11.so
init = 0
2.5. Enable EAP-TLS authentication by commenting out the refuse-eap line in /etc/ppp/options.pptp:
$ sudo nano /etc/ppp/options.pptp
# refuse-eap
2.6. Create the connection-parameters file /etc/ppp/peers/any-peer-name. Put your domain login in the name parameter, the path to the converted root certificate (PEM) in the ca parameter, and in cert and key the certificate and key IDs recorded in step 2.2, prefixed with pkcs11:
pty "pptp ***.aladdin-rd.ru --nolaunchpppd"
name isadykov # user name (may be DOMAIN\\username)
remotename ***.aladdin-rd.ru # name of the VPN server
require-mppe-128 # require 128-bit MPPE (RC4-based; the strongest PPTP offers)
file /etc/ppp/options.pptp
ipparam any-peer-name
need-peer-eap
updetach
usepeerdns
defaultroute
replacedefaultroute
ca /path/to/root_certificate.pem # path to root.pem
cert pkcs11:xxxxxxxxxxxxxxxxxxxxxxxxxx # certificate ID
key pkcs11:xxxxxxxxxxxxxxxxxxxxxxxxxx # key ID
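As an added example (this is not code from the original article), the following POSIX shell script automates steps 2.2 and 2.6: it parses the object listing that pkcs11-tool -O prints, checks that the certificate and the private key carry the same ID before they are put into the peer file, and renders the peer file from them. The module path is the one used in the article; the server name vpn.example.org, the CA path, the function names and the sample listing are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original article: extract the certificate and
# private-key IDs from a `pkcs11-tool -O` listing, check that they refer to
# the same key pair, and render the /etc/ppp/peers file from them.
# Server name, CA path and the sample listing below are placeholders.

MODULE=/lib64/libASEP11.so   # JaCarta PKCS#11 module, as in the article

# Live listing of the token (prompts for the user PIN).
token_listing() {
    pkcs11-tool --module "$MODULE" -l -O
}

# Print the ID of the first object whose header line starts with $1
# ("Certificate Object" or "Private Key Object"). Listing comes on stdin.
# Caveat: with several key pairs on the token, select by label instead.
pkcs11_object_id() {
    awk -v class="$1" '
        index($0, class) == 1 { in_obj = 1; next }   # header of the wanted object
        /Object;/             { in_obj = 0 }         # header of another object
        in_obj && /^ *ID:/    { print $2; exit }     # first ID line inside it
    '
}

# Render pppd peer options to stdout.
# Arguments: listing, VPN server, user name, path to the CA certificate (PEM).
# Refuses to render when the IDs differ: pppd would then present one
# certificate and sign with a key that does not belong to it.
render_peer_file() {
    listing=$1
    server=$2
    user=$3
    ca=$4
    cert_id=$(printf '%s\n' "$listing" | pkcs11_object_id "Certificate Object")
    key_id=$(printf '%s\n' "$listing" | pkcs11_object_id "Private Key Object")
    if [ -z "$cert_id" ] || [ -z "$key_id" ]; then
        echo "no certificate / private key object found in the listing" >&2
        return 1
    fi
    if [ "$cert_id" != "$key_id" ]; then
        echo "certificate ID $cert_id does not match key ID $key_id" >&2
        return 1
    fi
    cat <<EOF
pty "pptp $server --nolaunchpppd"
name $user
remotename $server
require-mppe-128
file /etc/ppp/options.pptp
ipparam any-peer-name
need-peer-eap
updetach
usepeerdns
defaultroute
replacedefaultroute
ca $ca
cert pkcs11:$cert_id
key pkcs11:$key_id
EOF
}

# Constructed sample in the format pkcs11-tool -O prints (not real token data).
SAMPLE_LISTING='Using slot 0 with a present token (0x0)
Certificate Object; type = X.509 cert
  label:      vpn-user
  ID:         a1b2c3d4e5
Private Key Object; RSA
  label:      vpn-user
  ID:         a1b2c3d4e5
  Usage:      decrypt, sign'

# Demo on the sample listing. For the real token use:
#   render_peer_file "$(token_listing)" vpn.example.org isadykov \
#       /etc/ppp/root_certificate.pem | sudo tee /etc/ppp/peers/any-peer-name
render_peer_file "$SAMPLE_LISTING" vpn.example.org isadykov /etc/ppp/root_certificate.pem
```

Before the first pon, it is also worth checking that the OpenSSL side of step 2.4 works independently of pppd: OPENSSL_CONF=/etc/ppp/openssl.cnf openssl engine -t pkcs11 should report the engine as [ available ]; if it does not, fix dynamic_path or MODULE_PATH before suspecting the token or the peer file.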
3. Bring the connection up:
$ sudo pon any-peer-name
Tear the connection down:
$ sudo poff any-peer-name
To enable debug output while bringing the connection up:
$ sudo pon any-peer-name debug dump logfd 2
APPENDIX: This instruction is based on the document .