S-S OVPN issue
-
During the Snapshot testing I upgraded one side of a S-S OpenVPN to DEVREL and worked through the DCO issues.
Everything was going great until I upgraded the other side this AM. I cannot get the tunnel to come up anymore - it connects on one side - but the other side shows down.
Logs full with: AEAD Decrypt error: cipher final failed (repeated over and over)
No settings changed other than the upgrade - and since then I have been unable to get it back up.
Any ideas?
(I'll keep it like this for as long as I can for testing, but probably have to do a reinstall soon - I need to get it going again!)
-
@swixo fwiw - I had to reinstall and go backward, I had to get the tunnel back up. After doing so - all is good. One side 22.01 other 22.05rc+DCO. LMK if you would like a retest.
-
@swixo said in S-S OVPN issue:
AEAD Decrypt error: cipher final failed
Is that actually a Site-to-Site tunnel? Like a /30 topology?
That is no longer valid for use with DCO in 22.05-RC. The input validation should prevent you setting it.
Steve
-
@stephenw10 It is a site-site /24 TLS tunnel.
-
Which side shows the failure? Any errors shown on the other side?
-
@stephenw10 I'm not 100% sure which side was which now - but one showed UP and the other DOWN. Traffic didn't flow for either.
The Decrypt errors were on the client side.
LMK if you need me to retest.
-
And client side was 22.05 with DCO enabled?
-
@stephenw10 Client Side was 22.05RC with or without DCO. It never worked after the Upgrade.
Just gives log errors: AEAD Decrypt error: cipher final failed
-
Hmm,
OK and the server was 22.05 with DCO already?
We did see some errors like that during development when connecting a 22.05 client with DCO enabled to a 22.01 server. The client showed:
May 5 12:53:36 openvpn 66844 AEAD Decrypt error: cipher final failed
But that was fixed that day. Builds from May 6th did not see that.
Can you show us how they are/were configured?
-
@stephenw10
In my fail case both client and server were on 22.05RC 1919. Reverting JUST THE Client to 22.01 "fixes" it - and is where it is right now, connected.
-
Hmm, curious. I have test setups running exactly that here that work as expected and have done for weeks.
Are you able to share any additional details of the server/client config?
-
@stephenw10 I will apply the update again over the weekend when I can tolerate some down time and see if I can get any more data. Possibly the update was incomplete and it will just work a second time?
-
That is possible. We have seen that a few times internally. Always because of internal build testing though. That should never happen against the public pkg repos.
Steve