Here is my conf for both server and client:

<client>
remote xxx.xx.xxx.xxx
port 1194
dev tap
tls-client
ifconfig xxx.xxx.xxx 255.255.255.0
ifconfig-nowarn
ca file.crt
cert file.crt
key file.key
ping 15
ping-restart 45
ping-timer-rem
persist-tun
persist-key
comp-lzo
verb 3
auth-user-pass
pull
reneg-sec 0
</client>

<server>
dev tap0
tls-server
dh dh.pem
ca file.crt
cert file.crt
key file.key
port 1194
user nobody
group nobody
comp-lzo
plugin /etc/openvpn/openvpn-auth-pam.so openvpn
reneg-sec 0
ping 15
ping-restart 45
ping-timer-rem
persist-tun
persist-key
# Verbosity level.
# 0 -- quiet except for fatal errors.
# 1 -- mostly quiet, but display non-fatal network errors.
# 3 -- medium output, good for normal operation.
# 9 -- verbose, good for troubleshooting
verb 3
</server>

The file /etc/pam.d/openvpn has this line:

auth required pam_securid.so debug

This works with SecurID correctly, but when auth fails, it kills the server process.

Sunil, do you have reneg-sec set to 0 also? I have this set, it disables time-based negotiation, keeping the same session key during the entire session. Lowers security, but I haven't found a way around it. This keeps the VPN from having to re-auth every hour, and in my case, also prevents the server from dying every hour. Client caches user/pass, tries to re-auth in an hour, fails, and then the server dies.

I could set auth-nocache, which would keep it from caching, but does not help the fact that somewhere down the road a user is going to type a password wrong, and wreak havoc in my case.

Thanks again,
Caleb

______________________
OpenVPN mailing lists
https://lists.sourceforge.net/lists/listinfo/openvpn-users
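The interaction between reneg-sec, auth-user-pass and auth-nocache described in the message above can be checked mechanically. The following is an added example, not part of the original message or of OpenVPN: the function names, finding codes and the one_time_passcode flag are hypothetical, and CLIENT_CONF is a subset of the posted client directives.

```python
# Added example (not from the original message): audit an OpenVPN client
# config for the renegotiation / cached-credential interaction.
DEFAULT_RENEG_SEC = 3600  # OpenVPN default when reneg-sec is absent

# Subset of the client directives posted above (placeholders kept as posted).
CLIENT_CONF = """\
remote xxx.xx.xxx.xxx
port 1194
dev tap
tls-client
auth-user-pass
pull
reneg-sec 0
"""

def parse_directives(text):
    """Map directive name -> argument list, ignoring '#' and ';' comments."""
    found = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line[0] in ";<":
            continue
        name, *args = line.split()
        found[name] = args
    return found

def audit(text, one_time_passcode=True):
    """Return (code, detail) findings. one_time_passcode is an assumption
    about the server's auth backend (SecurID in the message above)."""
    conf = parse_directives(text)
    reneg = int(conf.get("reneg-sec", [DEFAULT_RENEG_SEC])[0])
    findings = []
    if reneg == 0:
        findings.append(("RENEG_DISABLED",
            "time-based renegotiation is off; keys are never rotated on a timer"))
    elif "auth-user-pass" in conf and one_time_passcode:
        if "auth-nocache" in conf:
            findings.append(("REPROMPT",
                f"user is prompted for a fresh passcode every {reneg}s"))
        else:
            findings.append(("CACHED_OTP_REPLAY",
                f"cached passcode is resent after {reneg}s and will be rejected"))
    return findings

if __name__ == "__main__":
    for code, detail in audit(CLIENT_CONF):
        print(code, "-", detail)
```
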