Netgate Discussion Forum
    OpenVPN with smartcard login

    Scheduled Pinned Locked Moved OpenVPN
    2 Posts 2 Posters 4.7k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    pbnet

      Hello,
      I'm trying to configure pfSense's OpenVPN in order to be able to log in using smartcards.

      Setup
      Hardware + Software
      pfSense 2.1 DEV (built on Fri Nov 25 14:30:42 EST 2011)
      OpenVPN 2.2 + OpenSC 0.12.2-win64 (on Windows 8.1 PRO)
      Smartcard reader: http://www.acs.com.hk/index.php?pid=product&prod_sections=0&id=ACR38
      PKI Smartcard: http://www.ftsafe.com/product/smartcard/pkicard

      Software Configuration
      OpenVPN on pfSense was set up using the following walkthrough: http://www.youtube.com/watch?v=VdAHVSTl1ys
      Then I exported the client configuration from "client export" and I got the following files:

      pbnet-udp-34447-pbnetvpn-tls.key
      pbnet-udp-34447-pbnetvpn.ovpn
      pbnet-udp-34447-pbnetvpn.p12

      I've initialized the smartcard using the PKCS#15 format as shown below:

      C:\Program Files\OpenSC Project\OpenSC\tools>pkcs15-init -E
      Using reader with a card: ACS CCID USB Reader 0

      C:\Program Files\OpenSC Project\OpenSC\tools>pkcs15-init -C --profile pkcs15+onepin --pin 1234 --puk 123456 --label "Andrei"
      Using reader with a card: ACS CCID USB Reader 0

      C:\Program Files\OpenSC Project\OpenSC\tools>pkcs15-init -S C:\cert\client.p12 -f PKCS12 -a 01
      Using reader with a card: ACS CCID USB Reader 0
      Importing 2 certificates:
        0: /C=RO/ST=Bucharest/L=Bucharest/O=PBNET/emailAddress=noc@xxxx/CN=pbnetvpn
        1: /C=RO/ST=Bucharest/L=Bucharest/O=PBNET/emailAddress=noc@xxxx/CN=OpenVPNCA
      User PIN [User PIN] required.
      Please enter User PIN [User PIN]:

      C:\Program Files\OpenSC Project\OpenSC\tools>pkcs15-tool.exe --list-certificates
      Using reader with a card: ACS CCID USB Reader 0
      X.509 Certificate [/C=RO/ST=Bucharest/L=Bucharest/O=PBNET/emailAddress=noc@xxxxx/CN=pbnetvpn]
              Object Flags  : [0x2], modifiable
              Authority      : no
              Path          : 3f0050153100
              ID            : 465e190a5f54b0a45afe3290e7e2dffc780e5d2f
              GUID          : {465e190a-5f54-b0a4-5afe-3290e7e2dffc}
              Encoded serial : 02 01 01

      X.509 Certificate [/C=RO/ST=Bucharest/L=Bucharest/O=PBNET/emailAddress=noc@xxxxx/CN=OpenVPNCA]
              Object Flags  : [0x2], modifiable
              Authority      : yes
              Path          : 3f0050153101
              ID            : 08b45a94208eb14d679d85c24ae027750663a420
              GUID          : {08b45a94-208e-b14d-679d-85c24ae02775}
              Encoded serial : 02 01 00

      C:\Program Files\OpenSC Project\OpenSC\tools>pkcs15-tool --list-keys
      Using reader with a card: ACS CCID USB Reader 0
      Private RSA Key [Private Key]
              Object Flags  : [0x3], private, modifiable
              Usage          : [0x10E], decrypt, sign, signRecover, derive
              Access Flags  : [0x0]
              ModLength      : 2048
              Key ref        : 1 (0x1)
              Native        : yes
              Path          : 3f005015
              Auth ID        : 01
              ID            : 465e190a5f54b0a45afe3290e7e2dffc780e5d2f
              GUID          : {465e190a-5f54-b0a4-5afe-3290e7e2dffc}

      Now comes the problem:

      When connecting to the OpenVPN server using username/password everything works fine by using the following OpenVPN config file:

      dev tun
      persist-tun
      persist-key
      cipher AES-128-CBC
      tls-client
      client
      resolv-retry infinite
      remote myserverip 34447 udp
      tls-remote pbnetvpn
      auth-user-pass
      pkcs12 pbnet-udp-34447-pbnetvpn.p12
      tls-auth pbnet-udp-34447-pbnetvpn-tls.key 1
      comp-lzo

      I've tried to build an OpenVPN config file (see below) in order to connect using a smartcard:

      dev tun
      persist-tun
      persist-key
      cipher AES-128-CBC
      tls-client
      client
      remote myserverip 34447 udp
      ca ca.crt
      tls-remote pbnetvpn
      pkcs11-providers c:\windows\system32\opensc-pkcs11.dll
      pkcs11-id 'EnterSafe/PKCS\x2315/0370293916270713/Andrei\x20\x28User\x20PIN\x29/465E190A5F54B0A45AFE3290E7E2DFFC780E5D2F'
      #pkcs12 pbnet-udp-34447-pbnetvpn.p12
      tls-auth pbnet-udp-34447-pbnetvpn-tls.key 1
      comp-lzo

      and I get the following results:

      C:\Program Files\OpenVPN\bin>openvpn.exe --config pbnet-SC-34447-pbnetvpn.ovpn
      Thu Sep 12 21:13:32 2013 DEPRECATED OPTION: --tls-remote, please update your configuration
      Thu Sep 12 21:13:32 2013 OpenVPN 2.3.2 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [eurephia] [IPv6] built on Aug 22 2013
      Thu Sep 12 21:13:32 2013 PKCS#11: Adding PKCS#11 provider 'c:\windows\system32\opensc-pkcs11.dll'
      Thu Sep 12 21:13:34 2013 Control Channel Authentication: using 'pbnet-udp-34447-pbnetvpn-tls.key' as a OpenVPN static key file
      Thu Sep 12 21:13:34 2013 UDPv4 link local (bound): [undef]
      Thu Sep 12 21:13:34 2013 UDPv4 link remote: [AF_INET]x.x.x.x:34447
      Enter Andrei (User PIN) token Password:
      Thu Sep 12 21:14:34 2013 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
      Thu Sep 12 21:14:34 2013 TLS Error: TLS handshake failed
      Thu Sep 12 21:14:34 2013 SIGUSR1[soft,tls-error] received, process restarting
      Thu Sep 12 21:14:36 2013 UDPv4 link local (bound): [undef]
      Thu Sep 12 21:14:36 2013 UDPv4 link remote: [AF_INET]x.x.x.x:34447

      Any help or suggestion would be greatly appreciated.

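As an added example (not from the post, and not OpenVPN's or OpenSC's own code), the script below cross-checks the pkcs11-id in the smartcard config against the pkcs15-tool listing quoted above. OpenVPN's --show-pkcs11-ids prints ids in the pkcs11-helper serialized form: five '/'-separated fields (token manufacturer, model, serial, token label, certificate ID in hex) with special characters inside a field escaped as \xNN, which is the form the id in the post already has. The script decodes that id, parses the card listing, and reports whether the card holds a non-CA certificate and a signing-capable private key under the same PKCS#15 ID. The listing is constructed from the output quoted in the post, trimmed to the fields the check needs; a mismatch of this kind is otherwise hard to tell apart from a network problem in the client log.

```python
import re

# Constructed for this example from the pkcs15-tool listings quoted in the
# post (trimmed to the fields the check needs; not captured live).
PKCS15_TOOL_OUTPUT = """\
X.509 Certificate [/C=RO/ST=Bucharest/L=Bucharest/O=PBNET/emailAddress=noc@xxxxx/CN=pbnetvpn]
        Object Flags  : [0x2], modifiable
        Authority      : no
        ID            : 465e190a5f54b0a45afe3290e7e2dffc780e5d2f

X.509 Certificate [/C=RO/ST=Bucharest/L=Bucharest/O=PBNET/emailAddress=noc@xxxxx/CN=OpenVPNCA]
        Object Flags  : [0x2], modifiable
        Authority      : yes
        ID            : 08b45a94208eb14d679d85c24ae027750663a420

Private RSA Key [Private Key]
        Object Flags  : [0x3], private, modifiable
        Usage          : [0x10E], decrypt, sign, signRecover, derive
        ID            : 465e190a5f54b0a45afe3290e7e2dffc780e5d2f
"""

# The pkcs11-id from the smartcard config in the post, in the serialized
# form that `openvpn --show-pkcs11-ids` prints (raw string: backslashes kept).
PKCS11_ID = (r"EnterSafe/PKCS\x2315/0370293916270713/"
             r"Andrei\x20\x28User\x20PIN\x29/"
             r"465E190A5F54B0A45AFE3290E7E2DFFC780E5D2F")


def unescape_pkcs11_field(field):
    """Undo the \\xNN escaping pkcs11-helper applies to special characters."""
    return re.sub(r"\\x([0-9A-Fa-f]{2})",
                  lambda m: chr(int(m.group(1), 16)), field)


def parse_pkcs11_id(serialized):
    """Split a serialized pkcs11-id into its five named fields.

    Format (pkcs11-helper): manufacturer/model/serial/label/id. A '/' inside
    a field is escaped as \\x2f, so splitting on the raw '/' is safe."""
    parts = serialized.split("/")
    if len(parts) != 5:
        raise ValueError("expected 5 '/'-separated fields, got %d" % len(parts))
    names = ("manufacturer", "model", "serial", "label", "id")
    return {n: unescape_pkcs11_field(p) for n, p in zip(names, parts)}


def parse_pkcs15_objects(listing):
    """Turn pkcs15-tool --list-certificates / --list-keys output into dicts."""
    objects, current = [], None
    for raw in listing.splitlines():
        line = raw.strip()
        header = re.match(r"^(X\.509 Certificate|Private RSA Key) \[(.*)\]$", line)
        if header:
            current = {"type": header.group(1), "name": header.group(2)}
            objects.append(current)
            continue
        attr = re.match(r"^([A-Za-z ]+?)\s*:\s*(.*)$", line)
        if attr and current is not None:
            current[attr.group(1)] = attr.group(2)
    return objects


def check_card_matches_pkcs11_id(serialized_id, listing):
    """Return (identity dict, list of problems) for a pkcs11-id vs. a card listing.

    An empty problem list means the id names a non-CA certificate on the card
    that has a signing-capable private key with the same PKCS#15 ID."""
    ident = parse_pkcs11_id(serialized_id)
    wanted = ident["id"].lower()          # pkcs15-tool prints IDs in lower case
    objects = parse_pkcs15_objects(listing)
    certs = [o for o in objects
             if o["type"] == "X.509 Certificate" and o.get("ID", "").lower() == wanted]
    keys = [o for o in objects
            if o["type"] == "Private RSA Key" and o.get("ID", "").lower() == wanted]
    problems = []
    if not certs:
        problems.append("no certificate on the card has ID " + wanted)
    if not keys:
        problems.append("no private key on the card has ID " + wanted)
    for cert in certs:
        if cert.get("Authority", "").lower() == "yes":
            problems.append("pkcs11-id points at a CA certificate: " + cert["name"])
    for key in keys:
        usage = [u.strip() for u in key.get("Usage", "").split(",")]
        if "sign" not in usage:
            problems.append("private key lacks the 'sign' usage needed for TLS client auth")
    return ident, problems


if __name__ == "__main__":
    identity, problems = check_card_matches_pkcs11_id(PKCS11_ID, PKCS15_TOOL_OUTPUT)
    for name, value in identity.items():
        print("%-12s %s" % (name, value))
    print("problems:", problems or "none")
```

Run it as-is and it decodes the label to "Andrei (User PIN)" and reports no problems for the id in the post; swap in the CA certificate's ID (08b45a94...) and it reports both that the id points at a CA certificate and that no private key carries that ID. To run it against a live card, paste the real `pkcs15-tool --list-certificates` and `--list-keys` output into PKCS15_TOOL_OUTPUT and the id from `openvpn --show-pkcs11-ids` into PKCS11_ID.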
      Guest

        I found this on the web, Nitrokey:

        User authentication on local computers (e.g. Windows, Linux) and networks (e.g. Firefox, OpenSSH,
        OpenVPN, IPSec, OpenID).


    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.