S-S OVPN issue
-
@swixo said in S-S OVPN issue:
AEAD Decrypt error: cipher final failed
Is that actually a Site-to-Site tunnel? Like a /30 topology?
That is not longer valid for use with DCO in 22.05-RC. The input validation should prevent you setting it.
Steve
-
@stephenw10 It is a site-site /24 TLS tunnel.
-
Which side shows the failure? Any errors shown on the other side?
-
This post is deleted! -
@stephenw10 Im not 100% sure which side was which now - but one showed UP and the other DOWN. Traffic didn't flow for either.
The Decrypt errors were on the client side.
LMK if you need me to retest.
-
And client side was 22.05 with DCO enabled?
-
@stephenw10 Client Side was 22.05RC with or without DCO. It never worked after the Upgrade.
Just gives log errors: AEAD Decrypt error: cipher final failed
-
Hmm,
OK and the server was 22.05 with DCO already?We did see some errors like that during development when connecting an 22.05 client with DCO enabled to a 22.01 server. The client showed:
May 5 12:53:36 openvpn 66844 AEAD Decrypt error: cipher final failedBut that was fixed that day. Builds from May 6th did not see that.
Can you show us how they are/were configured?
-
@stephenw10
In my fail case both client and server were on 22.05RC 1919.Reverting JUST THE Client to 22.01 "fixes" it - and is where it is right now, connected.
-
Hmm, curious I have test setups running exactly that here that work as expected and have done for weeks.
Are you able to share any additional details of the server/client config? -
@stephenw10 I will apply the update again over the weekend when I can tolerate some down time and see if I can get any more data. Possibly the update was incomplete and it will just work a second time.?
-
That is possible. We have seen that a few times internally. Always because of internal build testing though. That should never happen against the public pkg repos.
Steve
