Netgate Discussion Forum

    S-S OVPN issue

    Category: Plus 22.05 Development Snapshots (Retired)
    14 Posts, 2 Posters, 1.5k Views
      swixo (last edited by swixo)

      During the Snapshot testing I upgraded one side of an S-S OpenVPN to DEVREL and worked through the DCO issues.

      Everything was going great until I upgraded the other side this AM. I cannot get the tunnel to come up anymore - it connects on one side - but the other side shows down.

      Logs are full of: AEAD Decrypt error: cipher final failed (repeated over and over)

      No settings changed other than the upgrade - and since then I have been unable to get it back up.

      Any ideas?

      (I'll keep it like this for as long as I can for testing, but probably have to do a reinstall soon - I need to get it going again!)

        swixo @swixo (last edited by swixo)

        @swixo FWIW - I had to reinstall and go backward; I had to get the tunnel back up. After doing so - all is good. One side 22.01, other 22.05rc+DCO. LMK if you would like a retest.

          stephenw10 (Netgate Administrator)

          @swixo said in S-S OVPN issue:

          AEAD Decrypt error: cipher final failed

          Is that actually a Site-to-Site tunnel? Like a /30 topology?

          That is no longer valid for use with DCO in 22.05-RC. The input validation should prevent you setting it.

          Steve

            swixo @stephenw10

            @stephenw10 It is a site-site /24 TLS tunnel.

              stephenw10 (Netgate Administrator)

              Which side shows the failure? Any errors shown on the other side?

                  swixo @stephenw10

                  @stephenw10 I'm not 100% sure which side was which now - but one showed UP and the other DOWN. Traffic didn't flow for either.

                  The Decrypt errors were on the client side.

                  LMK if you need me to retest.

                    stephenw10 (Netgate Administrator, last edited by stephenw10)

                    And client side was 22.05 with DCO enabled?

                      swixo @stephenw10

                      @stephenw10 Client Side was 22.05RC with or without DCO. It never worked after the Upgrade.

                      Just gives log errors: AEAD Decrypt error: cipher final failed

                        stephenw10 (Netgate Administrator) @swixo (last edited by stephenw10)

                        Hmm,
                        OK, and the server was 22.05 with DCO already?

                        We did see some errors like that during development when connecting a 22.05 client with DCO enabled to a 22.01 server. The client showed:

                        May 5 12:53:36 openvpn 66844 AEAD Decrypt error: cipher final failed

                        But that was fixed that day. Builds from May 6th did not see that.

                        Can you show us how they are/were configured?

                          swixo @stephenw10 (last edited by swixo)
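The log line quoted in this reply follows the pfSense OpenVPN log layout (month, day, time, process, pid, message). The following triage script is an added example, not code from the thread or from Netgate: it parses lines in that layout and flags an OpenVPN instance (by pid) that logs a sustained burst of "AEAD Decrypt error" messages, which is the "repeated over and over" pattern described in this thread rather than a single stray packet. The sample log is constructed for illustration; only the AEAD error text comes from the thread, and the threshold and window are assumed defaults.

```python
import re
from datetime import datetime

# Constructed sample in the pfSense OpenVPN log layout. The "AEAD Decrypt error"
# message is the one quoted in the thread; every other line and value is made up.
SAMPLE_LOG = """\
May 5 12:53:30 openvpn 66844 TLS: Initial packet from [AF_INET]203.0.113.10:1194
May 5 12:53:36\topenvpn\t66844\tAEAD Decrypt error: cipher final failed
May 5 12:53:37 openvpn 66844 AEAD Decrypt error: cipher final failed
May 5 12:53:38 openvpn 66844 AEAD Decrypt error: cipher final failed
May 5 12:53:39 openvpn 66844 AEAD Decrypt error: cipher final failed
May 5 12:53:40 openvpn 66844 AEAD Decrypt error: cipher final failed
May 5 12:53:41 openvpn 66844 AEAD Decrypt error: cipher final failed
May 5 12:55:02 openvpn 71203 Initialization Sequence Completed
"""

# Fields may be separated by spaces or tabs (the forum paste used tabs).
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<proc>\S+)\s+(?P<pid>\d+)\s+(?P<msg>.*)$"
)


def parse_line(line):
    """Parse one log line; returns None for lines that do not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # Syslog lines carry no year; strptime defaults to 1900, which is fine for deltas.
    ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']}", "%b %d %H:%M:%S")
    return {"ts": ts, "proc": m["proc"], "pid": int(m["pid"]), "msg": m["msg"]}


def aead_error_bursts(log_text, threshold=5, window_seconds=60):
    """Return {pid: total_errors} for openvpn instances that logged at least
    `threshold` AEAD decrypt errors inside any `window_seconds` span."""
    per_pid = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["proc"] == "openvpn" and rec["msg"].startswith("AEAD Decrypt error"):
            per_pid.setdefault(rec["pid"], []).append(rec["ts"])
    bursts = {}
    for pid, stamps in per_pid.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):  # sliding window over sorted timestamps
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                bursts[pid] = len(stamps)
                break
    return bursts


if __name__ == "__main__":
    print(aead_error_bursts(SAMPLE_LOG))  # → {66844: 6}
```

A non-empty result points at a persistent cipher or configuration mismatch on that instance (the kind of version/DCO mismatch discussed in this thread), whereas an empty result with a few scattered errors is more consistent with occasional packet corruption.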

                          @stephenw10
                          In my fail case both client and server were on 22.05RC 1919.

                          Reverting JUST THE Client to 22.01 "fixes" it - and is where it is right now, connected.

                            stephenw10 (Netgate Administrator)

                            Hmm, curious. I have test setups running exactly that here that work as expected and have done for weeks.
                            Are you able to share any additional details of the server/client config?

                              swixo @stephenw10

                              @stephenw10 I will apply the update again over the weekend when I can tolerate some down time and see if I can get any more data. Possibly the update was incomplete and it will just work a second time?

                                stephenw10 (Netgate Administrator)

                                That is possible. We have seen that a few times internally. Always because of internal build testing though. That should never happen against the public pkg repos.

                                Steve
