Comment 21 for bug 1322728

Francis (francisd) wrote :

Hi,

I imported my client configuration using the option "import from a file" (translation from "importer depuis un fichier"). My client configuration contains that line:

static-challenge "Code unique d'authentification" 1

When I look at my connection configuration in /etc/NetworkManager/system-connections, I don't see any reference to the static-challenge configuration. I suspect the problem comes from there.

So when I try to connect, NM asks me for the password, but never the challenge PIN. I tried to enter my PIN when NM requests my password again, but it doesn't work either.

In my client logs (first try I enter my password, the second try I enter my 2FA PIN):
oct 31 09:09:52 u1910 NetworkManager[491]: <info> [1572527392.4132] audit: op="connection-activate" uuid="0df2fac7-29f5-4808-b15a-f49f748a8963" name="vpn" pid=1317 uid=1000 result="success"
oct 31 09:09:52 u1910 NetworkManager[491]: <info> [1572527392.4475] vpn-connection[0x55d5bb61c310,0df2fac7-29f5-4808-b15a-f49f748a8963,"vpn",0]: Started the VPN service, PID 2254
oct 31 09:09:52 u1910 NetworkManager[491]: <info> [1572527392.4768] vpn-connection[0x55d5bb61c310,0df2fac7-29f5-4808-b15a-f49f748a8963,"vpn",0]: Saw the service appear; activating connection
oct 31 09:10:02 u1910 NetworkManager[491]: <info> [1572527402.8568] vpn-connection[0x55d5bb61c310,0df2fac7-29f5-4808-b15a-f49f748a8963,"vpn",0]: VPN plugin: state changed: starting (3)
oct 31 09:10:02 u1910 NetworkManager[491]: <info> [1572527402.8574] vpn-connection[0x55d5bb61c310,0df2fac7-29f5-4808-b15a-f49f748a8963,"vpn",0]: VPN connection: (ConnectInteractive) reply received
oct 31 09:10:02 u1910 nm-openvpn[2271]: OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Sep 5 2019
oct 31 09:10:02 u1910 nm-openvpn[2271]: library versions: OpenSSL 1.1.1c 28 May 2019, LZO 2.10
oct 31 09:10:03 u1910 nm-openvpn[2271]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
oct 31 09:10:03 u1910 nm-openvpn[2271]: TCP/UDP: Preserving recently used remote address: [AF_INET]4.3.2.1:1192
oct 31 09:10:03 u1910 nm-openvpn[2271]: UDP link local: (not bound)
oct 31 09:10:03 u1910 nm-openvpn[2271]: UDP link remote: [AF_INET]4.3.2.1:1192
oct 31 09:10:03 u1910 nm-openvpn[2271]: NOTE: chroot will be delayed because of --client, --pull, or --up-delay
oct 31 09:10:03 u1910 nm-openvpn[2271]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
oct 31 09:10:03 u1910 nm-openvpn[2271]: [server] Peer Connection Initiated with [AF_INET]4.3.2.1:1192
oct 31 09:10:04 u1910 nm-openvpn[2271]: AUTH: Received control message: AUTH_FAILED
oct 31 09:10:04 u1910 nm-openvpn[2271]: SIGUSR1[soft,auth-failure] received, process restarting
oct 31 09:10:09 u1910 NetworkManager[491]: <info> [1572527409.5104] vpn-connection[0x55d5bb61c310,0df2fac7-29f5-4808-b15a-f49f748a8963,"vpn",0]: VPN plugin: requested secrets; state connect (4)
oct 31 09:10:21 u1910 nm-openvpn[2271]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
oct 31 09:10:21 u1910 nm-openvpn[2271]: TCP/UDP: Preserving recently used remote address: [AF_INET]4.3.2.1:1192
oct 31 09:10:21 u1910 nm-openvpn[2271]: UDP link local: (not bound)
oct 31 09:10:21 u1910 nm-openvpn[2271]: UDP link remote: [AF_INET]4.3.2.1:1192
oct 31 09:10:21 u1910 PackageKit[910]: uid 1000 is trying to obtain org.freedesktop.packagekit.system-sources-refresh auth (only_trusted:0)
oct 31 09:10:21 u1910 PackageKit[910]: uid 1000 obtained auth for org.freedesktop.packagekit.system-sources-refresh
oct 31 09:10:21 u1910 nm-openvpn[2271]: [server] Peer Connection Initiated with [AF_INET]4.3.2.1:1192
oct 31 09:10:22 u1910 nm-openvpn[2271]: AUTH: Received control message: AUTH_FAILED
oct 31 09:10:22 u1910 nm-openvpn[2271]: SIGUSR1[soft,auth-failure] received, process restarting
oct 31 09:10:22 u1910 PackageKit[910]: refresh-cache transaction /20_aabcedec from uid 1000 finished with success after 1406ms
oct 31 09:10:27 u1910 NetworkManager[491]: <info> [1572527427.6045] vpn-connection[0x55d5bb61c310,0df2fac7-29f5-4808-b15a-f49f748a8963,"vpn",0]: VPN plugin: requested secrets; state connect (4)
oct 31 09:10:29 u1910 NetworkManager[491]: <error> [1572527429.8132] vpn-connection[0x55d5bb61c310,0df2fac7-29f5-4808-b15a-f49f748a8963,"vpn",0]: Failed to request VPN secrets #4: User canceled the secrets request.
oct 31 09:10:29 u1910 nm-openvpn[2271]: ERROR: could not read Auth username/password/ok/string from management interface
oct 31 09:10:29 u1910 nm-openvpn[2271]: Exiting due to fatal error

(last error is when I clicked the cancel button)

In my server logs:
Oct 31 09:10:03 srv ovpn-bureau-2fa[1409]: Error extracting challenge/response from password. Parse error = 'Incorrectly formatted cr string.'
Oct 31 09:10:03 srv ovpn-bureau-2fa[1409]: 1.2.3.4:51828 PLUGIN_CALL: POST /usr/local/lib/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Oct 31 09:10:03 srv ovpn-bureau-2fa[1409]: 1.2.3.4:51828 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/local/lib/openvpn-auth-ldap.so
Oct 31 09:10:03 srv ovpn-bureau-2fa[1409]: 1.2.3.4:51828 PLUGIN_CALL: POST /usr/local/lib/openvpn/openvpn-otp.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Oct 31 09:10:03 srv ovpn-bureau-2fa[1409]: 1.2.3.4:51828 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/local/lib/openvpn/openvpn-otp.so
Oct 31 09:10:03 srv ovpn-bureau-2fa[1409]: 1.2.3.4:51828 TLS Auth Error: Auth Username/Password verification failed for peer
Oct 31 09:10:21 srv ovpn-bureau-2fa[1409]: Error extracting challenge/response from password. Parse error = 'Incorrectly formatted cr string.'
Oct 31 09:10:21 srv ovpn-bureau-2fa[1409]: 1.2.3.4:58490 PLUGIN_CALL: POST /usr/local/lib/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Oct 31 09:10:21 srv ovpn-bureau-2fa[1409]: 1.2.3.4:58490 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/local/lib/openvpn-auth-ldap.so
Oct 31 09:10:21 srv ovpn-bureau-2fa[1409]: 1.2.3.4:58490 PLUGIN_CALL: POST /usr/local/lib/openvpn/openvpn-otp.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Oct 31 09:10:21 srv ovpn-bureau-2fa[1409]: 1.2.3.4:58490 PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/local/lib/openvpn/openvpn-otp.so
Oct 31 09:10:21 srv ovpn-bureau-2fa[1409]: 1.2.3.4:58490 TLS Auth Error: Auth Username/Password verification failed for peer

No problems with Tunnelblick on Mac or OpenVPN GUI on Windows.
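
Added example, not part of the original comment and not code from OpenVPN, NetworkManager or the server plugins: a Python model of the `SCRV1:<base64 password>:<base64 response>` password field that OpenVPN's management-interface notes describe for static-challenge responses, showing why both attempts in the logs above fail to parse. The function names and the sample password and PIN are constructed for illustration; the error text is copied from the server log.

```python
import base64
import binascii

SCRV1_PREFIX = "SCRV1"
PARSE_ERROR = "Incorrectly formatted cr string."  # text taken from the server log


def encode_scrv1(password: str, response: str) -> str:
    """Build the password field a client sends when static-challenge is honoured."""
    def b64(text: str) -> str:
        return base64.b64encode(text.encode("utf-8")).decode("ascii")
    return f"{SCRV1_PREFIX}:{b64(password)}:{b64(response)}"


def parse_scrv1(field: str) -> tuple:
    """Return (password, response); raise ValueError if the field is not SCRV1."""
    parts = field.split(":")
    if len(parts) != 3 or parts[0] != SCRV1_PREFIX:
        raise ValueError(PARSE_ERROR)
    try:
        password, response = (
            base64.b64decode(p, validate=True).decode("utf-8") for p in parts[1:]
        )
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError(PARSE_ERROR) from exc
    return password, response


def server_can_parse(field: str) -> bool:
    """True when a server-side challenge/response parser could split the field."""
    try:
        parse_scrv1(field)
        return True
    except ValueError:
        return False


def replay_attempts() -> dict:
    """Replay the cases from the report using constructed credentials."""
    password, pin = "hunter2", "123456"  # constructed sample values
    return {
        "password only (first try)": server_can_parse(password),
        "PIN only (second try)": server_can_parse(pin),
        "static-challenge honoured": server_can_parse(encode_scrv1(password, pin)),
    }


if __name__ == "__main__":
    for case, ok in replay_attempts().items():
        print(f"{case}: {'parsed' if ok else PARSE_ERROR}")
```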