Date: Thu, 19 Feb 2009 19:54:34 -0800
From: PGNet <pgnet.trash+fbsdnet@gmail.com>
To: freebsd-net@freebsd.org
Subject: openvpn "HMAC auth" and TLS errors @ client connect?
Message-ID: <dbd51810902191954v1d2818efh5241dc5bb2e18b4b@mail.gmail.com>
i'm taking a stab at setup of,

  openvpn --version
    OpenVPN 2.0.6 i386-portbld-freebsd6.3 [SSL] [LZO] built on Jul 18 2008

on a client's (read: i don't want to fubar this box!) headless router/firewall (running fbsd pf) box,

  uname -r
    6.3-RELEASE-p3

i've setup,

  rc.conf
    openvpn_enable="YES"
    openvpn_configfile="/usr/local/etc/openvpn/openvpn.conf"
    openvpn_if="tun"

@ server, "/usr/local/etc/openvpn/openvpn.conf"
--------
server 172.30.7.0 255.255.255.0
dev tun1
proto udp
port 22222
dh /usr/local/etc/openvpn/dh2048.pem
ca /usr/local/etc/openvpn/mydomain.com.CA.cert.rsa.pem
cert /usr/local/etc/openvpn/server.cert.rsa.pem
key /usr/local/etc/openvpn/server.key.rsa.pem
tls-auth /usr/local/etc/openvpn/ta.key 0
client-config-dir /usr/local/etc/openvpn/ccd
ccd-exclusive
max-clients 2
max-routes-per-client 128
connect-freq 3 60
cipher AES-256-CBC
client-to-client
comp-lzo
keepalive 15 120
persist-key
persist-tun
status openvpn-status.log
verb 4
--------

@ client, ".../openvpn.conf"
--------
tls-client
tls-remote ho3.mydomain.com
remote 99.xx.xx.xx 22222
dev tun
proto udp
resolv-retry infinite
keepalive 15 120
nobind
persist-key
persist-tun
ca /usr/local/etc/openvpn/mydomain.com.CA.cert.rsa.pem
cert /usr/local/etc/openvpn/client.cert.rsa.pem
key /usr/local/etc/openvpn/client.key.rsa.pem
tls-auth /usr/local/etc/openvpn/ta.key 1
ns-cert-type server
cipher AES-256-CBC
comp-lzo
verb 4
pull
--------

@ server,

  /usr/local/etc/rc.d/openvpn start
    Starting openvpn.
    add net 172.30.7.0: gateway 172.30.7.2

@ client connect, client logs show,

...
Thu 02/19/09 07:28 PM: Control Channel Authentication: using '/usr/local/etc/openvpn/ta.key' as a OpenVPN static key file
Thu 02/19/09 07:28 PM: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu 02/19/09 07:28 PM: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu 02/19/09 07:28 PM: LZO compression initialized
Thu 02/19/09 07:28 PM: Control Channel MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
Thu 02/19/09 07:28 PM: Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Thu 02/19/09 07:28 PM: tls-client'
Thu 02/19/09 07:28 PM: tls-server'
Thu 02/19/09 07:28 PM: Local Options hash (VER=V4): '504e774e'
Thu 02/19/09 07:28 PM: Expected Remote Options hash (VER=V4): '14168603'
Thu 02/19/09 07:28 PM: Socket Buffers: R=[42080->65536] S=[9216->65536]
Thu 02/19/09 07:28 PM: UDPv4 link local: [undef]
Thu 02/19/09 07:28 PM: UDPv4 link remote: 99.xx.xx.xx:22222
Thu 02/19/09 07:28 PM:

@ server syslog,

Feb 19 19:28:21 server openvpn[3947]: Authenticate/Decrypt packet error: packet HMAC authentication failed
Feb 19 19:28:21 server openvpn[3947]: TLS Error: incoming packet authentication failed from 192.168.1.6:51365

i tried to follow what online help i could find, but have clearly missed something. any suggestions as to what to fix? not sure what info to provide; happy to provide what's needed. thanks.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?dbd51810902191954v1d2818efh5241dc5bb2e18b4b>
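Added example, not part of the original message or of the OpenVPN project. With tls-auth, every control-channel packet carries an HMAC keyed from ta.key, so the "packet HMAC authentication failed" / "incoming packet authentication failed" pair on the server is what you see when the two ends disagree on that key or on its direction before any TLS handshake happens. The script below checks exactly those two things offline against a pair of config files: both tls-auth key files must be byte-identical once comments and line wrapping are stripped, and the directions must be complementary (server 0 / client 1, or no direction on either side). It assumes OpenVPN 2.0-style config files with a "tls-auth <file> [direction]" line, absolute key paths, and keys in the "OpenVPN Static key V1" format that "openvpn --genkey --secret" writes; the fixtures it builds under a temp directory are constructed placeholders, not real key material.

```shell
#!/bin/sh
# Added example, not code from the original post or from the OpenVPN project.
# Offline sanity check for the "packet HMAC authentication failed" symptom:
# with --tls-auth, every control-channel packet carries an HMAC keyed from
# ta.key, so both ends must hold byte-identical key files and use opposite
# key directions (server 0 / client 1) or no direction on both sides.
# Assumptions: OpenVPN 2.0-style config files with a "tls-auth <file> [dir]"
# line, absolute key paths, and keys in "OpenVPN Static key V1" format.

# Print the tls-auth key path from a config file (empty if absent).
tls_auth_file() {
    awk '$1 == "tls-auth" { print $2; exit }' "$1"
}

# Print the tls-auth direction: 0, 1, or "none" (bidirectional key).
tls_auth_dir() {
    awk '$1 == "tls-auth" { print ($3 == "" ? "none" : $3); exit }' "$1"
}

# Reduce a static key file to its bare hex payload so two copies compare
# equal regardless of comments or line wrapping. Prints nothing unless the
# file is a well-formed 2048-bit V1 static key (16 lines x 32 hex chars).
key_hex() {
    [ -r "$1" ] || return 0
    awk '
        /^-----BEGIN OpenVPN Static key V1-----$/ { inkey = 1; next }
        /^-----END OpenVPN Static key V1-----$/   { inkey = 0; next }
        inkey && /^[0-9a-fA-F]+$/ { hex = hex $0 }
        END { if (length(hex) == 512) print tolower(hex) }
    ' "$1"
}

# Return 0 when server and client configs share the key and use matching
# directions; print the reason and return 1 otherwise.
check_tls_auth() {
    srv_conf=$1; cli_conf=$2
    srv_key=$(key_hex "$(tls_auth_file "$srv_conf")")
    cli_key=$(key_hex "$(tls_auth_file "$cli_conf")")
    [ -n "$srv_key" ] || { echo "server: missing or malformed ta.key"; return 1; }
    [ -n "$cli_key" ] || { echo "client: missing or malformed ta.key"; return 1; }
    if [ "$srv_key" != "$cli_key" ]; then
        echo "tls-auth keys differ: control-channel HMAC will fail"; return 1
    fi
    sdir=$(tls_auth_dir "$srv_conf"); cdir=$(tls_auth_dir "$cli_conf")
    case "$sdir/$cdir" in
        0/1|1/0|none/none) echo "tls-auth ok (direction $sdir/$cdir)"; return 0 ;;
        *) echo "tls-auth key-direction mismatch: server=$sdir client=$cdir"; return 1 ;;
    esac
}

# --- constructed fixtures for a stand-alone run (placeholder key material,
# not a real key; a real one comes from "openvpn --genkey --secret ta.key") ---
write_key() {   # $1 = path, $2 = hex digit used to fill 16 x 32-char lines
    {
        echo "#"; echo "# 2048 bit OpenVPN static key"; echo "#"
        echo "-----BEGIN OpenVPN Static key V1-----"
        i=0
        while [ "$i" -lt 16 ]; do
            printf '%032d\n' 0 | tr 0 "$2"
            i=$((i + 1))
        done
        echo "-----END OpenVPN Static key V1-----"
    } > "$1"
}

make_fixtures() {
    dir=$(mktemp -d)
    write_key "$dir/ta.key" a
    write_key "$dir/ta-other.key" b
    printf 'server 172.30.7.0 255.255.255.0\ntls-auth %s/ta.key 0\ncipher AES-256-CBC\n' "$dir" > "$dir/server.conf"
    printf 'client\ntls-auth %s/ta.key 1\ncipher AES-256-CBC\n' "$dir" > "$dir/client.conf"
    printf 'client\ntls-auth %s/ta-other.key 1\n' "$dir" > "$dir/client-badkey.conf"
    printf 'client\ntls-auth %s/ta.key 0\n' "$dir" > "$dir/client-baddir.conf"
    echo "$dir"
}

DEMO_DIR=$(make_fixtures)
for cli in client client-badkey client-baddir; do
    printf '%-15s' "$cli:"
    check_tls_auth "$DEMO_DIR/server.conf" "$DEMO_DIR/$cli.conf" || true
done
```

To use it on real hosts, copy the two config files (or just the two ta.key files) to one machine and call check_tls_auth on them, or run key_hex on each host and compare the printed hex by eye; a key that was re-generated on one side, truncated in transit, or saved with a different line ending will show up as either "keys differ" or "malformed". Nothing here touches the running daemon.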