Netgate Discussion Forum
    TLS Error: local/remote TLS keys are out of sync

    Category: OpenVPN
    8 Posts 3 Posters 59.2k Views
    jaime.viyuela

      Hello everybody!

      I have set up a FreeIPA with a FreeRADIUS, and I use my OpenVPN with a password and a token: very secure! :D

      But the problem that I am having is that the users are suffering VPN problems every hour approx.
      I was checking logs and it seems to happen always at XX:42:XX.

      I was reading a lot of documentation about RADIUS and IPA and I have changed some config on them, but it is still failing, and the only info that I get from the logs in my pfSense is:

      Mar 17 14:36:06 openvpn 66107 XXX.XXX.XXX.XXX:56645 [xx-openvpn] Peer Connection Initiated with [AF_INET]XXX.XXX.XXX.XXX:56645
      Mar 17 14:36:06 openvpn 66107 XXX.XXX.XXX.XXX:56645 TLS Auth Error: Auth Username/Password verification failed for peer
      Mar 17 14:36:06 openvpn 66107 XXX.XXX.XXX.XXX:56645 WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 1
      Mar 17 14:36:06 openvpn user 'xx-openvpn' could not authenticate.
      Mar 17 14:35:04 openvpn 66107 xx-openvpn/XXX.XXX.XXX.XXX:52420 [xx-openvpn] Inactivity timeout (--ping-restart), restarting
      Mar 17 14:35:01 openvpn 66107 xx-openvpn/XXX.XXX.XXX.XXX:52420 TLS Error: local/remote TLS keys are out of sync: [AF_INET]XXX.XXX.XXX.XXX:52420 [1]
      Mar 17 14:34:58 openvpn 66107 xx-openvpn/XXX.XXX.XXX.XXX:52420 TLS Error: local/remote TLS keys are out of sync: [AF_INET]XXX.XXX.XXX.XXX:52420 [1]
      Mar 17 14:34:57 openvpn 66107 xx-openvpn/XXX.XXX.XXX.XXX:52420 TLS Error: local/remote TLS keys are out of sync: [AF_INET]XXX.XXX.XXX.XXX:52420 [1]

      I think that when I start to have the TLS error, it generates an inactivity timeout. The client tries to reconnect, but it needs a new token and then it fails.

      So I have all my users (100) suffering an unstable service every day.

      I also have a "normal" OpenVPN server in my pfSense and it doesn't happen there…

      PLEASE HELP ME  ;D ;D

      jimp (Rebel Alliance Developer, Netgate)

        What version of pfSense / OpenVPN is used on each side of this?

        Do you have any custom configuration settings anywhere that might be altering OpenVPN's renegotiation parameters?

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        jaime.viyuela

          I am going crazy because I was reading forums and documentation about it all weekend…:

          pfSense version: 2.3.3-RELEASE-p1 (amd64)
          OpenVPN: on pfSense, whichever version comes with it; on my laptop, for example: OpenVPN 2.3.10 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Feb  2 2016

          As this problem is composed of 3 parts (IPA + FreeRADIUS + OpenVPN), I have checked all the possibilities:

          In IPA, changing this data:

          Password Policy:
          Max lifetime (days): 90
          Min lifetime (hours): 3
          History size (number of passwords): 0
          Character classes: 0
          Min length: 8
          Max failures: 6
          Failure reset interval (seconds): 60
          Lockout duration (seconds): 600

          Kerberos Ticket Policy:
          Max renew (seconds): 604800
          Max life (seconds): 86400

          In FreeRADIUS, adding this config to the connection:

          vim /etc/raddb/dictionary
          ATTRIBUTE      Max-Daily-Session      36000  integer

          Even in my OpenVPN:

          Server
          vi /var/etc/openvpn/server1.conf
          reneg-sec 36000

          Client -> Local file  *.ovpn
          reneg-sec 0

          I have restarted the service and configured my VPN.
          I don't know if the paths where I did the config were right, but it seems so.

          Any idea?

          Thank you!!!

          jimp (Rebel Alliance Developer, Netgate)

            Is the OpenVPN server process restarting?

            Anything in the system log, gateway log, or other logs around the time the error starts showing up?

            Can you show the whole server configuration (minus any secret keys/names) from /var/etc/openvpn/?

            jaime.viyuela

              This is the info I have got:

              LOGS FROM SERVER

              Mar 20 20:54:23 openvpn 54240 xxx.xxx.xxx.xxx:52921 TLS Auth Error: Auth Username/Password verification failed for peer
              Mar 20 20:54:23 openvpn 54240 xxx.xxx.xxx.xxx:52921 WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 1
              Mar 20 20:54:23 openvpn user 'user-openvpn' could not authenticate.
              Mar 20 20:53:26 openvpn 54240 user-openvpn/xxx.xxx.xxx.xxx:46288 [user-openvpn] Inactivity timeout (--ping-restart), restarting
              Mar 20 20:53:26 openvpn 54240 user-openvpn/xxx.xxx.xxx.xxx:46288 TLS Error: local/remote TLS keys are out of sync: [AF_INET]xxx.xxx.xxx.xxx:46288 [1]
              Mar 20 20:53:25 openvpn 54240 user-openvpn/xxx.xxx.xxx.xxx:46288 TLS Error: local/remote TLS keys are out of sync: [AF_INET]xxx.xxx.xxx.xxx:46288 [1]
              Mar 20 20:53:25 openvpn 54240 user-openvpn/xxx.xxx.xxx.xxx:46288 TLS Error: local/remote TLS keys are out of sync: [AF_INET]xxx.xxx.xxx.xxx:46288 [1]
              Mar 20 20:53:24 openvpn 54240 user-openvpn/xxx.xxx.xxx.xxx:46288 TLS Error: local/remote TLS keys are out of sync: [AF_INET]xxx.xxx.xxx.xxx:46288 [1]
              Mar 20 20:53:23 openvpn 54240 user-openvpn/xxx.xxx.xxx.xxx:46288 TLS Error: local/remote TLS keys are out of sync: [AF_INET]xxx.xxx.xxx.xxx:46288 [1]
              Mar 20 20:53:22 openvpn 54240 user-openvpn/xxx.xxx.xxx.xxx:46288 TLS Error: local/remote TLS keys are out of sync: [AF_INET]xxx.xxx.xxx.xxx:46288 [1]
              Mar 20 20:53:19 openvpn 54240 user-openvpn/xxx.xxx.xxx.xxx:46288 TLS Error: local/remote TLS keys are out of sync: [AF_INET]xxx.xxx.xxx.xxx:46288 [1]
              Mar 20 20:53:17 openvpn 54240 user-openvpn/xxx.xxx.xxx.xxx:46288 TLS Error: local/remote TLS keys are out of sync: [AF_INET]xxx.xxx.xxx.xxx:46288 [1]
              Mar 20 20:53:15 openvpn 54240 user-openvpn/xxx.xxx.xxx.xxx:46288 TLS Error: local/remote TLS keys are out of sync: [AF_INET]xxx.xxx.xxx.xxx:46288 [1]

              LOGS FROM CLIENT

              Mon Mar 13 13:13:59 2017 [off-OpenVPN.domain.com] Inactivity timeout (--ping-restart), restarting
              Mon Mar 13 13:13:59 2017 SIGUSR1[soft,ping-restart] received, process restarting
              Mon Mar 13 13:14:01 2017 UDPv4 link local (bound): [undef]
              Mon Mar 13 13:14:01 2017 UDPv4 link remote: [AF_INET]62.14.247.61:1194
              Mon Mar 13 13:14:03 2017 [off-OpenVPN.domain.com] Peer Connection Initiated with [AF_INET]XXX.XXX.XXX.XXX:1194
              Mon Mar 13 13:14:06 2017 AUTH: Received control message: AUTH_FAILED
              Mon Mar 13 13:14:06 2017 /sbin/ip addr del dev tun0 192.168.52.11/24
              Mon Mar 13 13:14:06 2017 SIGTERM[soft,auth-failure] received, process exiting

              CONFIG FROM SERVER

              dev ovpns1
              verb 1
              dev-type tun
              tun-ipv6
              dev-node /dev/tun1
              writepid /var/run/openvpn_server1.pid
              #user nobody
              #group nobody
              script-security 3
              daemon
              reneg-sec 36000
              keepalive 10 6000
              ping-timer-rem
              persist-tun
              persist-key
              proto udp
              cipher AES-128-CBC
              auth SHA1
              up /usr/local/sbin/ovpn-linkup
              down /usr/local/sbin/ovpn-linkdown
              client-connect /usr/local/sbin/openvpn.attributes.sh
              client-disconnect /usr/local/sbin/openvpn.attributes.sh
              local XX.XX.XX.XX
              tls-server
              server 192.168.52.0 255.255.255.0
              client-config-dir /var/etc/openvpn-csc/server1
              username-as-common-name
              auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user SVBB true server1 1194" via-env
              tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'off-OpenVPN.domain.com' 1"
              lport 1194
              management /var/etc/openvpn/server1.sock unix
              push "route 192.168.0.0 255.255.255.0"
              push "route 192.168.50.0 255.255.255.0"
              push "route 192.168.250.0 255.255.255.0"
              push "route 10.10.1.0 255.255.255.0"
              push "route 10.10.3.0 255.255.255.0"
              push "route 172.30.1.0 255.255.255.0"
              push "route 172.30.2.0 255.255.255.0"
              push "route 172.30.3.0 255.255.255.0"
              push "route 172.30.4.0 255.255.255.0"
              push "route 172.30.31.0 255.255.255.0"
              push "route 172.30.35.0 255.255.255.0"
              push "route 172.30.39.0 255.255.255.0"
              push "route 172.29.0.0 255.255.224.0"
              push "route 10.210.0.0 255.255.0.0"
              push "route 10.57.31.0 255.255.255.0"
              push "route 10.57.34.0 255.255.255.0"
              push "route 192.168.100.0 255.255.255.0"
              push "route 93.90.19.0 255.255.255.0"
              push "route 109.70.39.0 255.255.255.0"
              push "route 89.187.117.238 255.255.255.255"
              push "route 77.240.112.0 255.255.240.0"
              push "route 172.30.5.0 255.255.255.0"
              push "route 93.90.20.0 255.255.255.0"
              push "route 192.168.2.0 255.255.255.0"
              push "dhcp-option DOMAIN mad01.domain.local"
              push "dhcp-option DNS 93.90.19.234"
              push "dhcp-option DNS 93.90.19.235"
              push "dhcp-option DNS 8.8.8.8"
              push "dhcp-option DNS 192.168.0.162"
              push "register-dns"
              push "dhcp-option NTP 192.168.0.162"
              push "dhcp-option NTP 192.168.0.163"
              ca /var/etc/openvpn/server1.ca
              cert /var/etc/openvpn/server1.cert
              key /var/etc/openvpn/server1.key
              dh /etc/dh-parameters.1024
              tls-auth /var/etc/openvpn/server1.tls-auth 0
              comp-lzo adaptive
              persist-remote-ip
              float
              topology subnet

              CONFIG FROM CLIENT

              dev tun
              persist-tun
              persist-key
              cipher AES-128-CBC
              auth SHA1
              tls-client
              client
              resolv-retry infinite
              reneg-sec 0
              remote off.domain.com 1194 udp
              lport 0
              verify-x509-name "off-OpenVPN.domain.com" name
              auth-user-pass
              pkcs12 vpns-udp-1194-user-openvpn.p12
              tls-auth vpns-udp-1194-user-openvpn-tls.key 1
              ns-cert-type server
              comp-lzo adaptive

              Thank you for the interest and the help!

              Regards

              jaime.viyuela

                FIXED!!

                https://forum.pfsense.org/index.php?topic=127601.0

                Once I put the attributes in the server and in the client, the connection stays stable for the time I decide!!!

                "reneg-sec 0" in server
                "reneg-sec 36000" in client

                THANK YOU VERY MUCH

                Derelict (LAYER 8, Netgate)

                  "reneg-sec 0" in server
                  "reneg-sec 36000" in client

                  FWIW I would do it like this:
                  "reneg-sec 0" in client
                  "reneg-sec 36000" in server

                  That way the server setting is controlling and one change changes the renegotiation policy.

                  Chattanooga, Tennessee, USA
                  A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                  DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                  Do Not Chat For Help! NO_WAN_EGRESS(TM)
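As an added example (not from any poster in this thread), the Python below models the rule the OpenVPN manual gives for reneg-sec: each peer runs its own timer, an unset value means the 3600 s default, 0 disables that side's timer, and the lower non-zero value triggers the renegotiation. It shows why raising reneg-sec on the server alone still yields hourly renegotiation, and why client 0 plus server 36000 leaves the server in control. The sample configs and function names are constructed for this example.

```python
import re
from typing import Optional

# OpenVPN default when reneg-sec is absent: 3600 s (hourly, as the poster saw).
DEFAULT_RENEG_SEC = 3600

def parse_reneg_sec(config_text: str) -> Optional[int]:
    """Return the reneg-sec value from an OpenVPN config, or None when unset.
    '#' and ';' start comments; only the first (max) argument is read."""
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        m = re.match(r"^reneg-sec\s+(\d+)", line)
        if m:
            return int(m.group(1))
    return None

def _timers(server_cfg: str, client_cfg: str):
    """Per-side timers with the default applied; 0 still means 'disabled'."""
    values = (parse_reneg_sec(server_cfg), parse_reneg_sec(client_cfg))
    return tuple(DEFAULT_RENEG_SEC if v is None else v for v in values)

def effective_reneg_sec(server_cfg: str, client_cfg: str) -> int:
    """Seconds until the first TLS renegotiation, or 0 if it never occurs.
    Each peer runs its own timer and whichever fires first renegotiates, so
    the smallest non-zero value on either side wins. At that moment the server
    re-runs auth-user-pass-verify, which an already-used one-time token fails."""
    active = [t for t in _timers(server_cfg, client_cfg) if t > 0]
    return min(active) if active else 0

def controlling_side(server_cfg: str, client_cfg: str) -> str:
    """Whose timer sets the interval: 'server', 'client', 'both' or 'none'."""
    server, client = _timers(server_cfg, client_cfg)
    eff = effective_reneg_sec(server_cfg, client_cfg)
    if eff == 0:
        return "none"
    if server == eff and client == eff:
        return "both"
    return "server" if server == eff else "client"

# Constructed minimal configs (hypothetical, not the thread's full files).
SERVER_DEFAULT = "proto udp\nkeepalive 10 6000\n"   # reneg-sec unset -> 3600
SERVER_36000 = SERVER_DEFAULT + "reneg-sec 36000\n"
CLIENT_DEFAULT = "client\nauth-user-pass\n"          # reneg-sec unset -> 3600
CLIENT_0 = CLIENT_DEFAULT + "reneg-sec 0\n"           # client timer disabled

if __name__ == "__main__":
    for name, s, c in (("both default", SERVER_DEFAULT, CLIENT_DEFAULT),
                       ("server only", SERVER_36000, CLIENT_DEFAULT),
                       ("server 36000 + client 0", SERVER_36000, CLIENT_0)):
        print(name, "->", effective_reneg_sec(s, c), "s, controlled by", controlling_side(s, c))
```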

                  jaime.viyuela

                    Done!

                    thanks

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.