PFSENSE TLS Error: TLS key negotiation failed to occur within 60 seconds
-
Hi Experts,
I am trying to connect to my office pfSense network remotely but I am getting the error in the subject line; the logs are below:
Sat Oct 03 20:45:15 2015 OpenVPN 2.3.8 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Aug 4 2015
Sat Oct 03 20:45:15 2015 library versions: OpenSSL 1.0.1p 9 Jul 2015, LZO 2.08
Enter Management Password:
Sat Oct 03 20:45:26 2015 Control Channel Authentication: using 'Nestle-udp-1194-vpnuser1-tls.key' as a OpenVPN static key file
Sat Oct 03 20:45:26 2015 UDPv4 link local (bound): [undef]
Sat Oct 03 20:45:26 2015 UDPv4 link remote: [AF_INET]221.120.215.34:1194
Sat Oct 03 20:46:27 2015 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Oct 03 20:46:27 2015 TLS Error: TLS handshake failed
Sat Oct 03 20:46:27 2015 SIGUSR1[soft,tls-error] received, process restarting
Sat Oct 03 20:46:29 2015 UDPv4 link local (bound): [undef]
Sat Oct 03 20:46:29 2015 UDPv4 link remote: [AF_INET]221.120.215.34:1194
Sat Oct 03 20:47:29 2015 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Oct 03 20:47:29 2015 TLS Error: TLS handshake failed
Sat Oct 03 20:47:29 2015 SIGUSR1[soft,tls-error] received, process restarting
Sat Oct 03 20:47:31 2015 UDPv4 link local (bound): [undef]
Sat Oct 03 20:47:31 2015 UDPv4 link remote: [AF_INET]221.120.215.34:1194
Sat Oct 03 20:48:31 2015 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Oct 03 20:48:31 2015 TLS Error: TLS handshake failed
Sat Oct 03 20:48:31 2015 SIGUSR1[soft,tls-error] received, process restarting
Sat Oct 03 20:48:33 2015 UDPv4 link local (bound): [undef]
Sat Oct 03 20:48:33 2015 UDPv4 link remote: [AF_INET]221.120.215.34:1194
Sat Oct 03 20:49:10 2015 SIGTERM[hard,] received, process exiting
Please help me out ASAP so that I may connect.
Thanks.
-
I have the same problem as this guy. I'll post a little information about my system.
I installed pfSense 2.2.4 last week and everything works fine, but I'm trying to configure a remote access server and I can't figure out how to make it work. I followed the documentation on the official page.
Here is the client log file from Windows 10 (I'll try a Linux client and Windows 7 this weekend):
Mon Oct 05 22:08:34 2015 UDPv4 link remote: [AF_INET]XX.XX.XXX.XX:1194
Mon Oct 05 22:09:34 2015 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Oct 05 22:09:34 2015 TLS Error: TLS handshake failed
Mon Oct 05 22:09:34 2015 SIGUSR1[soft,tls-error] received, process restarting
Mon Oct 05 22:09:36 2015 UDPv4 link local (bound): [undef]
Mon Oct 05 22:09:36 2015 UDPv4 link remote: [AF_INET]XX.XX.XXX.XX:1194
Mon Oct 05 22:10:36 2015 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Oct 05 22:10:36 2015 TLS Error: TLS handshake failed
Mon Oct 05 22:10:36 2015 SIGUSR1[soft,tls-error] received, process restarting
Mon Oct 05 22:10:38 2015 UDPv4 link local (bound): [undef]
Mon Oct 05 22:10:38 2015 UDPv4 link remote: [AF_INET]XX.XX.XXX.XX:1194
Mon Oct 05 22:11:39 2015 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Oct 05 22:11:39 2015 TLS Error: TLS handshake failed
Mon Oct 05 22:11:39 2015 SIGUSR1[soft,tls-error] received, process restarting
Mon Oct 05 22:11:41 2015 UDPv4 link local (bound): [undef]
Mon Oct 05 22:11:41 2015 UDPv4 link remote: [AF_INET]XX.XX.XXX.XX:1194
Mon Oct 05 22:11:55 2015 SIGTERM[hard,] received, process exiting
Here is the server log file:
Oct 5 20:51:02 pfSense openvpn[17080]: OpenVPN 2.3.7 amd64-portbld-freebsd10.1 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Jun 19 2015
Oct 5 20:51:02 pfSense openvpn[17080]: library versions: OpenSSL 1.0.1l-freebsd 15 Jan 2015, LZO 2.09
Oct 5 20:51:02 pfSense openvpn[18097]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Oct 5 20:51:02 pfSense openvpn[18097]: Control Channel Authentication: using '/var/etc/openvpn/server1.tls-auth' as a OpenVPN static key file
Oct 5 20:51:02 pfSense openvpn[18097]: TUN/TAP device ovpns1 exists previously, keep at program end
Oct 5 20:51:02 pfSense openvpn[18097]: TUN/TAP device /dev/tun1 opened
Oct 5 20:51:02 pfSense openvpn[18097]: ioctl(TUNSIFMODE): Device busy: Device busy (errno=16)
Oct 5 20:51:02 pfSense openvpn[18097]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
Oct 5 20:51:02 pfSense openvpn[18097]: /sbin/ifconfig ovpns1 10.0.10.1 10.0.10.2 mtu 1500 netmask 255.255.255.255 up
Oct 5 20:51:02 pfSense openvpn[18097]: /usr/local/sbin/ovpn-linkup ovpns1 1500 1557 10.0.10.1 10.0.10.2 init
Oct 5 20:51:03 pfSense openvpn[18097]: UDPv4 link local (bound): [AF_INET]XX.XX.XX.XX:1194
Oct 5 20:51:03 pfSense openvpn[18097]: UDPv4 link remote: [undef]
Oct 5 20:51:03 pfSense openvpn[18097]: Initialization Sequence Completed
Oct 5 21:34:18 pfSense openvpn[55483]: OpenVPN 2.3.7 amd64-portbld-freebsd10.1 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Jun 19 2015
Oct 5 21:34:18 pfSense openvpn[55483]: library versions: OpenSSL 1.0.1l-freebsd 15 Jan 2015, LZO 2.09
Oct 5 21:34:18 pfSense openvpn[55625]: WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want
Oct 5 21:34:18 pfSense openvpn[55625]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Oct 5 21:34:18 pfSense openvpn[55625]: Control Channel Authentication: using '/var/etc/openvpn/server2.tls-auth' as a OpenVPN static key file
Oct 5 21:34:18 pfSense openvpn[55625]: TUN/TAP device ovpns2 exists previously, keep at program end
Oct 5 21:34:18 pfSense openvpn[55625]: TUN/TAP device /dev/tun2 opened
Oct 5 21:34:18 pfSense openvpn[55625]: ioctl(TUNSIFMODE): Device busy: Device busy (errno=16)
Oct 5 21:34:18 pfSense openvpn[55625]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
Oct 5 21:34:18 pfSense openvpn[55625]: /sbin/ifconfig ovpns2 10.0.15.1 10.0.15.2 mtu 1500 netmask 255.255.255.255 up
Oct 5 21:34:18 pfSense openvpn[55625]: /usr/local/sbin/ovpn-linkup ovpns2 1500 1557 10.0.15.1 10.0.15.2 init
Oct 5 21:34:18 pfSense openvpn[55625]: UDPv4 link local (bound): [AF_INET]XX.XX.XX.XX:1195
Oct 5 21:34:18 pfSense openvpn[55625]: UDPv4 link remote: [undef]
Oct 5 21:34:18 pfSense openvpn[55625]: Initialization Sequence Completed
Oct 5 21:48:12 pfSense openvpn[18097]: /usr/local/sbin/ovpn-linkdown ovpns1 1500 1557 10.0.10.1 10.0.10.2 init
Oct 5 21:48:12 pfSense openvpn[18097]: SIGTERM[hard,] received, process exiting
Oct 5 21:48:13 pfSense openvpn[99344]: Options error: --server directive network/netmask combination is invalid
Oct 5 21:48:13 pfSense openvpn[99344]: Use --help for more information.
Oct 5 21:49:34 pfSense openvpn[55625]: event_wait : Interrupted system call (code=4)
Oct 5 21:49:34 pfSense openvpn[55625]: /usr/local/sbin/ovpn-linkdown ovpns2 1500 1557 10.0.15.1 10.0.15.2 init
Oct 5 21:49:34 pfSense openvpn[55625]: SIGTERM[hard,] received, process exiting
Here is my .ovpn config:
dev tun
persist-tun
persist-key
cipher AES-256-CBC
auth SHA1
tls-client
client
resolv-retry infinite
remote XX.XX.XXX.XX 1194 udp
lport 0
verify-x509-name "myuservpn" name
auth-user-pass
pkcs12 pfSense-udp-1194-myuservpn.p12
tls-auth pfSense-udp-1194-myuservpn-tls.key 1
I only need a clue on the path that is not working, thanks.
-
Ensure that the server is reachable from the client's site at UDP 1194.
WAN rules okay?
-
Yes, the port is open|filtered; I'll check the WAN rules tonight.
https://pentest-tools.com/network-vulnerability-scanning/udp-port-scanner-online-nmap
-
Can anyone please help me with how to check the server logs and config.vpn file so that I may also share them here to resolve my issue?
Thanks
-
As I am new and you all are experts, kindly help me with a step-by-step procedure. I will be grateful for this.
-
Can anyone please help me with how to check the server logs and config.vpn file so that I may also share them here to resolve my issue?
Thanks
Go to Diagnostics > Command Prompt
In the field beside "File to download" enter "/var/log/openvpn.log" and press Download.
Then do the same with /var/etc/openvpn/server1.conf. If you have more than one server also download /var/etc/openvpn/server2.conf and so on.
However, please respond to my question above.
-
Here's a look
-
Your WAN rule is okay to allow OpenVPN connections. The server should be reachable.
So try to establish a connection from the client and take a look in the server log (/var/log/openvpn.log) to see if the connection attempt is being logged.
If in doubt, run Packet Capture from the Diagnostics menu on the WAN interface to see if your packets arrive. Maybe they don't.
-
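Added example (not part of any post in this thread): the server-log check suggested above, as a Python sketch that reads pfSense OpenVPN syslog lines and reports whether an instance is still listening on the expected UDP port and whether any client packet was logged. The sample log, PIDs, addresses and the `parse`/`diagnose` names are constructed for illustration.

```python
import re

# Constructed sample in the pfSense syslog format quoted in the thread
# (documentation-range IPs, made-up PIDs); not the posters' real log.
SAMPLE_LOG = """\
Oct 5 20:51:03 pfSense openvpn[100]: UDPv4 link local (bound): [AF_INET]192.0.2.10:1194
Oct 5 20:51:03 pfSense openvpn[100]: Initialization Sequence Completed
Oct 5 21:34:18 pfSense openvpn[300]: UDPv4 link local (bound): [AF_INET]192.0.2.10:1195
Oct 5 21:34:18 pfSense openvpn[300]: Initialization Sequence Completed
Oct 5 21:48:12 pfSense openvpn[100]: SIGTERM[hard,] received, process exiting
Oct 5 21:48:13 pfSense openvpn[200]: Options error: --server directive network/netmask combination is invalid
Oct 5 22:08:40 pfSense openvpn[300]: 198.51.100.7:51820 TLS: Initial packet from [AF_INET]198.51.100.7:51820, sid=0a1b2c3d 4e5f6a7b
"""

LINE = re.compile(r"openvpn\[(\d+)\]: (.*)$")
BOUND = re.compile(r"link local \(bound\): \[AF_INET6?\]\S*:(\d+)$")
INITIAL = re.compile(r"TLS: Initial packet from \[AF_INET6?\]([^\s,]+)")

def parse(log_text):
    """Track per-PID state: bound port, startup finished, exited, config error, peers seen."""
    procs = {}
    for line in log_text.splitlines():
        m = LINE.search(line.strip())
        if not m:
            continue
        pid, msg = m.groups()
        p = procs.setdefault(pid, {"port": None, "ready": False, "exited": False,
                                   "error": None, "peers": []})
        if (b := BOUND.search(msg)):
            p["port"] = int(b.group(1))
        elif "Initialization Sequence Completed" in msg:
            p["ready"] = True
        elif "process exiting" in msg:
            p["exited"] = True
        elif msg.startswith("Options error:"):
            p["error"] = msg
        elif (i := INITIAL.search(msg)):
            p["peers"].append(i.group(1))
    return procs

def diagnose(log_text, port):
    """Return (verdict, details) for the OpenVPN instance expected on UDP `port`."""
    procs = parse(log_text).values()
    live = [p for p in procs if p["port"] == port and p["ready"] and not p["exited"]]
    if not live:   # nothing listening: report any startup errors that were logged
        return "NO_LISTENER", [p["error"] for p in procs if p["error"]]
    peers = [peer for p in live for peer in p["peers"]]
    if not peers:  # daemon is up but never logged the client: firewall/NAT/path
        return "NO_CLIENT_PACKETS", []
    return "CLIENT_SEEN", peers  # packets arrive; the fault is past the network path

if __name__ == "__main__":
    for port in (1194, 1195):
        print(port, *diagnose(SAMPLE_LOG, port))
```

Run it against a downloaded /var/log/openvpn.log by passing the file's text to `diagnose` with the port from the client's `remote` line.
-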
I had the very same problem here … because my client-router only likes SHA1 and pfSense creates CA/CERTS with SHA256 by default...
-
If anyone is still interested, here are the steps I took to finally make it work:
1. I factory reset the pfSense.
2. I did the same steps as before but did something more in OpenVPN -> Client Export.
3. I checked these options and set a password:
Certificate Export Options
X Use Microsoft Certificate Storage instead of local files.
X Use a password to protect the pkcs12 file contents or key in Viscosity bundle.
4. I downloaded the Windows Installers (2.3.8-Ix01):…
5. On my other computer on another network I uninstalled OpenVPN and installed it again with the new installer that contains the Microsoft cert....
And it WORKS :)
This time I did not change the network IP of my internal LAN, but I don't think that was why it didn't work....
I changed it back after the VPN was right.
-
Can you please let me know which procedure you followed to get OpenVPN to work? Please share the link so that I may get help.
-
If you check online, they basically all follow the same procedure on YouTube or on websites, but you can follow this video:
PfSense Open VPN Tutorial (with Narrator) from DlStreamnet
https://www.youtube.com/watch?v=VdAHVSTl1ys
The only extra step I did was the one I wrote in the comment below:
Certificate Export Options
X Use Microsoft Certificate Storage instead of local files.
X Use a password to protect the pkcs12 file contents or key in Viscosity bundle.
Make sure you check those before downloading the OpenVPN file….