OpenVPN (SSL/TLS + UserAuth) + FreeRadius with OTP
-
I have a working setup of OpenVPN (SSL/TLS + UserAuth) and Radiusd with one-time passwords. Everything is working until OpenVPN tries to renegotiate the data channel keys. At least I think so. It happens exactly 1 hour, or 3600 seconds, after the initial login. This is also the default value for the --reneg-sec option.
May 6 18:53:11 192.168.254.1 openvpn[19797]: Re-using SSL/TLS context
May 6 18:53:11 192.168.254.1 openvpn[19797]: LZO compression initialized
May 6 18:53:11 192.168.254.1 openvpn[19797]: TCP connection established with [AF_INET]x.x.x.x:50119
May 6 18:53:11 192.168.254.1 openvpn[19797]: TCPv4_SERVER link local: [undef]
May 6 18:53:11 192.168.254.1 openvpn[19797]: TCPv4_SERVER link remote: [AF_INET]x.x.x.x:50119
May 6 18:53:13 192.168.254.1 radiusd[54942]: Login OK: [matjaz] (from client OpenVPNServer port 0)
May 6 18:53:13 192.168.254.1 openvpn[19797]: x.x.x.x:50119 [matjaz] Peer Connection Initiated with [AF_INET]x.x.x.x:50119
May 6 18:53:13 192.168.254.1 openvpn[19797]: matjaz/x.x.x.x:50119 MULTI_sva: pool returned IPv4=192.168.252.6, IPv6=14da:bfbf:a2:4b28:38d7:bfbf:391:608
May 6 18:53:15 192.168.254.1 openvpn[19797]: matjaz/x.x.x.x:50119 send_push_reply(): safe_cap=960
May 6 19:53:14 192.168.254.1 radiusd[54942]: Login incorrect: [matjaz] (from client OpenVPNServer port 0)
May 6 19:53:15 192.168.254.1 openvpn[19797]: matjaz/x.x.x.x:50119 WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 255
May 6 19:53:15 192.168.254.1 openvpn[19797]: matjaz/x.x.x.x:50119 TLS Auth Error: Auth Username/Password verification failed for peer
May 6 19:54:12 192.168.254.1 openvpn[19797]: matjaz/x.x.x.x:50119 TLS Error: local/remote TLS keys are out of sync: [AF_INET]x.x.x.x:50119 [1]
May 6 19:54:14 192.168.254.1 openvpn[19797]: matjaz/x.x.x.x:50119 TLS Error: local/remote TLS keys are out of sync: [AF_INET]x.x.x.x:50119 [1]
May 6 19:54:15 192.168.254.1 openvpn[19797]: matjaz/1x.x.x.x:50119 TLS Error: local/remote TLS keys are out of sync: [AF_INET]1x.x.x.x:50119 [1]
....
Is there any workaround for this if I'd like to keep the renegotiation of data channel keys?
-
There is a client-side command that will cache the credentials (I forget the name offhand though) that might help but I suspect the OT in OTP might be getting enforced there and not allowing it to renew since the token would have changed.
-
Yes, that's exactly what I think. I tried the "reneg-sec 0" option on the server side but no joy… Should I put this option on the client side as well?
-
If I read this correctly, then you must configure this parameter on both sides. If you do not, the lowest value takes effect.
But you can disable it on one side so that you can configure it individually on the other side (different clients with different times if it is disabled on the server side). http://openvpn.net/archive/openvpn-users/2006-12/msg00189.html
PS: Do you use the freeradius2 package with mOTP?
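Two things in this thread are worth checking mechanically: the claim that the lowest reneg-sec value between server and client wins (with 0 disabling that side's timer), and the diagnosis that the RADIUS "Login incorrect" lands exactly one reneg-sec interval after the "Login OK". The script below is an added example, not code from the thread or from OpenVPN/FreeRADIUS; it models the interval rule as the thread states it and scans a constructed log sample (trimmed from the question's excerpt) for rejects that coincide with the renegotiation timer.

```python
"""
Added example: reneg-sec interval rule as described in the thread, plus a
log check for OTP failures that coincide with TLS data-channel renegotiation.
The sample log is constructed from the question's excerpt, not a live capture.
"""
import re
from datetime import datetime

# Constructed sample: the two RADIUS lines and two OpenVPN lines from the question.
SAMPLE_LOG = """\
May 6 18:53:13 192.168.254.1 radiusd[54942]: Login OK: [matjaz] (from client OpenVPNServer port 0)
May 6 18:53:13 192.168.254.1 openvpn[19797]: x.x.x.x:50119 [matjaz] Peer Connection Initiated with [AF_INET]x.x.x.x:50119
May 6 19:53:14 192.168.254.1 radiusd[54942]: Login incorrect: [matjaz] (from client OpenVPNServer port 0)
May 6 19:53:15 192.168.254.1 openvpn[19797]: matjaz/x.x.x.x:50119 TLS Auth Error: Auth Username/Password verification failed for peer
"""

# Matches only radiusd accept/reject lines; OpenVPN lines are skipped.
RADIUS_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ radiusd\[\d+\]: Login (OK|incorrect): \[([^\]]+)\]"
)


def effective_reneg_sec(server_reneg_sec, client_reneg_sec):
    """Effective renegotiation interval under the rule given in the thread:
    each side fires on its own timer, so the lowest non-zero value wins;
    0 disables that side's timer, and 0 on both sides disables renegotiation."""
    active = [v for v in (server_reneg_sec, client_reneg_sec) if v > 0]
    return min(active) if active else 0


def parse_radius_events(log):
    """Yield (timestamp, user, accepted) for each radiusd Login line.
    Syslog timestamps carry no year; datetime defaults it to 1900, which is
    fine because only the difference between timestamps is used."""
    for line in log.splitlines():
        m = RADIUS_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")
        yield ts, m.group(3), m.group(2) == "OK"


def find_reneg_auth_failures(log, reneg_sec=3600, tolerance=60):
    """Return (user, seconds_since_login) for every RADIUS reject that follows
    the same user's last accept by roughly reneg_sec seconds: the signature of
    a TLS renegotiation re-submitting an OTP that has since expired."""
    last_ok = {}
    hits = []
    for ts, user, accepted in parse_radius_events(log):
        if accepted:
            last_ok[user] = ts
        elif user in last_ok:
            delta = (ts - last_ok[user]).total_seconds()
            if abs(delta - reneg_sec) <= tolerance:
                hits.append((user, delta))
    return hits


if __name__ == "__main__":
    # Server 0 / client 3600 still renegotiates hourly; both 0 disables it.
    for s, c in ((3600, 3600), (0, 3600), (0, 1800), (0, 0)):
        print(f"server reneg-sec {s}, client reneg-sec {c} -> effective {effective_reneg_sec(s, c)}")
    for user, delta in find_reneg_auth_failures(SAMPLE_LOG):
        print(f"{user}: RADIUS reject {delta:.0f}s after accept, lines up with reneg-sec 3600")
```

Run it against a real syslog extract by replacing SAMPLE_LOG with the file contents; a hit from find_reneg_auth_failures is a strong sign the failure is the renegotiation re-prompt rather than a bad token, and effective_reneg_sec shows why setting reneg-sec 0 on the server alone changes nothing while the client keeps its default of 3600.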