Title: Anyone get Two-Factor working in 2.3?
Post by: fackler on Friday 19 February 2010, 01:56:19 am

I am trying to get two-factor authentication going on a 2.3 install. We currently have two-factor auth working on a release 2 (c) EFW. Now I am trying to set up a new machine with EFW release 2.3-0 (Deployset #0) and get the two-factor auth working there. I can VPN to the new 2.3 EFW with PSK but not with the X.509 or X.509 & PSK options. I have used the same files that are currently working on the 2(c) EFW, transferring them to the new EFW by running:

    /usr/bin/openssl pkcs12 -export -inkey hostkey.pem -in hostcert.pem -certfile cacert.pem -out pkcs12.p12 -nodes

and then copying pkcs12.p12, cacert.pem and dh1024.pem to the new EFW /var/efw/openvpn. But this hasn't worked. I have even created a whole new CA, server cert/key and client certs/keys, packaged into pkcs12 and imported to the new EFW, but that hasn't worked. So the question is: has ANYONE actually gotten two-factor authentication working on 2.3? http://docs.endian.com/vpn.html#advanced leaves out a few details.

Title: Re: Anyone get Two-Factor working in 2.3?
Post by: mnicolazzo on Friday 19 February 2010, 04:02:47 am

Yes, it worked for me.

I created my CA and certificates, installed dh1024.pem and the certificates on the server, BUT I also needed to modify the /etc/openvpn/openvpn.conf.tmpl template file. I commented out the following line:

    ns-cert-type client

by adding a '#' at the beginning of the line. I think that the self-generated certificate for the client does not have the 'client' flag set and thus is refused by the server with the default configuration. After modifying the template file, save your current configuration from the web GUI to propagate the change made in the template to the live openvpn.conf file, and try to connect again.

Title: Re: Anyone get Two-Factor working in 2.3?
Post by: fackler on Friday 19 February 2010, 04:51:05 am

mnicolazzo, you rock. That worked. So I guess the root of the problem is that I was trying to use client certs that didn't have the client flag set.
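Added example (not code from either poster): instead of disabling the server's ns-cert-type check, the client certificates can be issued with the Netscape "client" type that the check looks for, and any existing certificate can be inspected for that flag before it is handed out. The script assumes the openssl CLI is available; the CA and certificates it creates are constructed throwaway demo material, and the extension file is my approximation of what a typical easy-rsa "client" section sets.

```shell
#!/bin/sh
# Issue a client cert carrying nsCertType=client (what "ns-cert-type client"
# on the OpenVPN server expects) and check a cert for that flag.
set -e

# has_client_flag CERT : exit 0 if CERT carries the Netscape "SSL Client" type
has_client_flag() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Netscape Cert Type' \
        | grep -q 'SSL Client'
}

# make_demo_certs DIR : constructed demo CA plus two client certs signed by it,
# one issued with the client extensions and one without (throwaway keys)
make_demo_certs() {
    dir="$1"; mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj '/CN=DemoCA' \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # extensions assumed to match an easy-rsa style "client" section
    printf 'nsCertType = client\nextendedKeyUsage = clientAuth\nkeyUsage = digitalSignature\n' \
        > "$dir/client.ext"
    for name in flagged plain; do
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
            -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
    done
    # "flagged" gets the client extensions; "plain" is signed with none
    openssl x509 -req -in "$dir/flagged.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 30 -extfile "$dir/client.ext" -out "$dir/flagged.crt" 2>/dev/null
    openssl x509 -req -in "$dir/plain.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 30 -out "$dir/plain.crt" 2>/dev/null
}
```

Run has_client_flag against the client certificate before importing it: a certificate like "plain" above is the one the default template rejects.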