Ubuntu 14.04 64bit – OpenVPN and SafeNet iKey 3000 token

My company allows remote connection to some computers over OpenVPN, but you have to use a SafeNet iKey 3000 token. Since Ubuntu 9.04 64bit the iKey 3000 doesn't work properly, so here is a small workaround describing how to install and configure OpenVPN and the iKey 3000 token, and how to modify Windows *.ovpn files into a Linux-compatible version.


Required software installation

  1. Open a terminal and run the command
    sudo apt-get install openvpn openct opensc

SafeNet iKey 3000 validation

  1. Open a terminal and restart the openct daemon with the command
    sudo /etc/init.d/openct restart
  2. Insert the iKey 3000 into a USB port
  3. Check that you can read information from the iKey token
    sudo pkcs15-tool -c
  4. You should see output similar to this
    Using reader with a card: Rainbow iKey 3000 00 00
    X.509 Certificate [Vladislav Korecky GVPN's Gordic VPN CA ID]
            Object Flags   : [0x2], modifiable
            Authority      : no
            Path           : 3f0050154300
            ID             : 36353262333363342d306561362d343833612d393937302d343061356565316539613933
            GUID           : {c62e1e6e-55d4-7629-91af-273fdbfdf455}
            Encoded serial : 02 0A 2B72D02F0001000002F5


OpenVPN configuration

  1. I received these files for OpenVPN from my company:
    • VPN.ovpn – configuration file for Windows OpenVPN
    • gvpn_ca.cer – CA certificate
    • ta.key – key file

    You should have similar files.

  2. Copy these files to the "/etc/openvpn" folder
  3. In a terminal run the command
    sudo openvpn --show-pkcs11-ids /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so

    You should see output like this:

    the following objects are available for use.
    Each object shown below may be used as parameter to
    --pkcs11-id option please remember to use single quote mark.
    
    Certificate
           DN:             C=CZ, L=Jihlava, O=GORDIC spol. s r. o., OU=Centrala, CN=Vladislav Korecky GVPN
           Serial:         2B72D02F0001000002F5
           Serialized id:  A\x2EE\x2ET\x2E\x20Europe\x20B\x2EV\x2E/PKCS\x2315/9790623500140921/Vladislav\x20Korecky/36353262333363342D306561362D343833612D393937302D343061356565316539613933

    We will use the "Serialized id" attribute in our VPN.ovpn file.

  4. Open /etc/openvpn/VPN.ovpn in an editor, e.g. with the command
     sudo nano /etc/openvpn/VPN.ovpn
  5. My original VPN.ovpn file looked like this:
    client
    dev tun
    proto udp
    remote 111.111.111.1 1111
    resolv-retry infinite
    persist-key
    persist-tun
    redirect-gateway
    tls-remote ovpn.server.com
    redirect-gateway
    ca "C:\\Program Files\\OpenVPN\\config\\gvpn_ca.cer"
    cryptoapicert "SUBJ:John Smith GVPN"
    tls-auth ta.key 1
    comp-lzo
    verb 4
  6. You should modify the file to this (I changed only the ca, cryptoapicert and tls-auth lines: the first two are replaced by pkcs11-providers and pkcs11-id, and tls-auth gets an absolute path)
    client
    dev tun
    proto udp
    remote 111.111.111.1 1111
    resolv-retry infinite
    persist-key
    persist-tun
    redirect-gateway
    tls-remote ovpn.server.com
    redirect-gateway
    pkcs11-providers /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
    pkcs11-id 'A\x2EE\x2ET\x2E\x20Europe\x20B\x2EV\x2E/PKCS\x2315/9790623500140921/Vladislav\x20Korecky/36353262333363342D306561362D343833612D393937302D343061356565316539613933'
    tls-auth /etc/openvpn/ta.key 1
    comp-lzo
    verb 4
    
    "pkcs11-id" is the "Serialized id" attribute from the command "sudo openvpn --show-pkcs11-ids /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so".
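The conversion described in this section, as an added example that is not part of the original post: a small POSIX shell script that pulls the "Serialized id" out of saved `--show-pkcs11-ids` output and rewrites the Windows .ovpn into the PKCS#11 form shown above. The token id, names and config values in the sample files are constructed; the provider path is the Ubuntu 14.04 one used on this page.

```sh
#!/bin/sh
# Added example, not from the original post: turn a Windows OpenVPN client
# config that selects its certificate with "cryptoapicert" into the
# Linux/OpenSC PKCS#11 form used above. Sample inputs below are constructed.
PROVIDER=/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so

# Print the "Serialized id" value from saved `openvpn --show-pkcs11-ids` output.
serialized_id() {
    sed -n 's/^[[:space:]]*Serialized id:[[:space:]]*//p' "$1" | head -n 1
}

# Rewrite a Windows .ovpn for Linux: ca -> pkcs11-providers,
# cryptoapicert -> pkcs11-id, relative tls-auth key -> /etc/openvpn path.
# The id is passed through ENVIRON so its backslash escapes stay untouched
# (sed/awk -v would reinterpret sequences such as \x2E).
convert_ovpn() {
    PKCS11_ID="$2" PROVIDER="$PROVIDER" awk '
        $1 == "ca"            { print "pkcs11-providers " ENVIRON["PROVIDER"]; next }
        $1 == "cryptoapicert" { print "pkcs11-id \047" ENVIRON["PKCS11_ID"] "\047"; next }
        $1 == "tls-auth" && $2 !~ /^\//  { $2 = "/etc/openvpn/" $2 }
        { print }
    ' "$1"
}

# Constructed sample files (not a real token or company config).
demo_dir=$(mktemp -d)
cat > "$demo_dir/ids.txt" <<'EOF'
Certificate
       DN:             C=CZ, L=Jihlava, O=Example, CN=Jane Doe GVPN
       Serial:         2B72D02F0001000002F5
       Serialized id:  A\x2EE\x2ET\x2E\x20Europe\x20B\x2EV\x2E/PKCS\x2315/9790623500140921/Jane\x20Doe/3635
EOF
cat > "$demo_dir/VPN.ovpn" <<'EOF'
client
dev tun
proto udp
remote 111.111.111.1 1111
ca "C:\\Program Files\\OpenVPN\\config\\gvpn_ca.cer"
cryptoapicert "SUBJ:Jane Doe GVPN"
tls-auth ta.key 1
comp-lzo
EOF

id=$(serialized_id "$demo_dir/ids.txt")
convert_ovpn "$demo_dir/VPN.ovpn" "$id"
```

Because the Windows "ca" line is dropped rather than rewritten, the CA certificate is still passed with --ca on the command line when connecting, exactly as in the connection step.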

Connection to OpenVPN network

  1. In a terminal run the command
     sudo openvpn --config /etc/openvpn/VPN.ovpn --ca /etc/openvpn/gvpn_ca.cer
  2. When you see lines similar to these
    Wed Apr 23 09:39:40 2014 us=105713 VERIFY X509NAME OK: /C=CZ/L=Jihlava/O=GORDIC_spol._s_r._o./OU=centrala/CN=ovpn-ji.gordic.cz
    Wed Apr 23 09:39:40 2014 us=105725 VERIFY OK: depth=0, /C=CZ/L=Jihlava/O=GORDIC_spol._s_r._o./OU=centrala/CN=ovpn-ji.gordic.cz
    Enter Vladislav Korecky token Password:
    

    type the token PIN and press ENTER

  3. When you see these lines
    Wed Apr 23 09:40:23 2014 us=121821 /sbin/ip route add 172.17.0.0/18 via 10.20.10.174
    Wed Apr 23 09:40:30 2014 us=511121 /sbin/ip route add 10.20.8.1/32 via 10.20.10.174
    Wed Apr 23 09:40:37 2014 us=934387 Initialization Sequence Completed

    you are successfully connected.
