TLS Error: local/remote TLS keys are out of sync



  • Hello everybody!

    I have set up a FreeIPA with a FreeRADIUS, and I use my OpenVPN with a password and a token: very secure! :D

    But the problem that I am having is that the users are suffering VPN problems roughly every hour.
    I was checking logs and it always seems to happen at XX:42:XX.

    I was reading a lot of documentation about RADIUS and IPA and I have changed some config on them, but it is still failing, and the only info that I get from the logs in my pfSense is:

    Mar 17 14:36:06 openvpn 66107 XXX.XXX.XXX.XXX:56645 [xx-openvpn] Peer Connection Initiated with [AF_INET]XXX.XXX.XXX.XXX:56645
    Mar 17 14:36:06 openvpn 66107 XXX.XXX.XXX.XXX:56645 TLS Auth Error: Auth Username/Password verification failed for peer
    Mar 17 14:36:06 openvpn 66107 XXX.XXX.XXX.XXX:56645 WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 1
    Mar 17 14:36:06 openvpn user 'xx-openvpn' could not authenticate.
    Mar 17 14:35:04 openvpn 66107 xx-openvpn/XXX.XXX.XXX.XXX:52420 [xx-openvpn] Inactivity timeout (--ping-restart), restarting
    Mar 17 14:35:01 openvpn 66107 xx-openvpn/XXX.XXX.XXX.XXX:52420 TLS Error: local/remote TLS keys are out of sync: [AF_INET]XXX.XXX.XXX.XXX:52420 [1]
    Mar 17 14:34:58 openvpn 66107 xx-openvpn/XXX.XXX.XXX.XXX:52420 TLS Error: local/remote TLS keys are out of sync: [AF_INET]XXX.XXX.XXX.XXX::52420 [1]
    Mar 17 14:34:57 openvpn 66107 xx-openvpn/XXX.XXX.XXX.XXX:52420 TLS Error: local/remote TLS keys are out of sync: [AF_INET]XXX.XXX.XXX.XXX::52420 [1]

    I think that when I start to get the TLS error, it generates an inactivity timeout. The client tries to reconnect, but it needs a new token and then it fails.

    So all my users (100) are suffering an unstable service every day.

    I also have a "normal" OpenVPN server on my pfSense and it doesn't happen there…

    PLEASE HELP ME ;D ;D


  • Rebel Alliance Developer Netgate

    What version of pfSense / OpenVPN is used on each side of this?

    Do you have any custom configuration settings anywhere that might be altering OpenVPN's renegotiation parameters?



    It is driving me crazy because I was reading forums and documentation about it all weekend…:

    pfSense version: 2.3.3-RELEASE-p1 (amd64)
    OpenVPN: on pfSense, whichever version ships with it; on my laptop, for example, OpenVPN 2.3.10 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Feb  2 2016

    As this problem involves 3 parts, IPA + FreeRADIUS + OpenVPN, I have checked all the possibilities:

    In IPA, changing this data:

    Password Policy
    Max lifetime (days): 90
    Min lifetime (hours): 3
    History size (number of passwords): 0
    Character classes: 0
    Min length: 8
    Max failures: 6
    Failure reset interval (seconds): 60
    Lockout duration (seconds): 600

    Kerberos Ticket Policy
    Max renew (seconds): 604800
    Max life (seconds): 86400

    In FreeRADIUS, adding this config to the connection:

    vim /etc/raddb/dictionary
    ATTRIBUTE      Max-Daily-Session      36000  integer

    Even in my OpenVPN:

    Server
    vi /var/etc/openvpn/server1.conf
    reneg-sec 36000

    Client -> Local file *.ovpn
    reneg-sec 0

    I have restarted the service and configured my VPN.
    I don't know if the paths where I made the config changes were right, but it seems so.

    Any ideas?

    Thank you!!!


  • Rebel Alliance Developer Netgate

    Is the OpenVPN server process restarting?

    Anything in the system log, gateway log, or other logs around the time the error starts showing up?

    Can you show the whole server configuration (minus any secret keys/names) from /var/etc/openvpn/ ?



  • This is the info I have got:

    LOGS FROM SERVER

    Mar 20 20:54:23 openvpn 54240 xxx.xxx.xxx.xxx:52921 TLS Auth Error: Auth Username/Password verification failed for peer
    Mar 20 20:54:23 openvpn 54240 xxx.xxx.xxx.xxx:52921 WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 1
    Mar 20 20:54:23 openvpn user 'user-openvpn' could not authenticate.
    Mar 20 20:53:26 openvpn 54240 user-openvpn/xxx.xxx.xxx.xxx:46288 [user-openvpn] Inactivity timeout (--ping-restart), restarting
    Mar 20 20:53:26 openvpn 54240 user-openvpn/xxx.xxx.xxx.xxx:46288 TLS Error: local/remote TLS keys are out of sync: [AF_INET]xxx.xxx.xxx.xxx:46288 [1]
    Mar 20 20:53:25 openvpn 54240 user-openvpn/xxx.xxx.xxx.xxx:46288 TLS Error: local/remote TLS keys are out of sync: [AF_INET]xxx.xxx.xxx.xxx:46288 [1]
    Mar 20 20:53:25 openvpn 54240 user-openvpn/xxx.xxx.xxx.xxx:46288 TLS Error: local/remote TLS keys are out of sync: [AF_INET]xxx.xxx.xxx.xxx:46288 [1]
    Mar 20 20:53:24 openvpn 54240 user-openvpn/xxx.xxx.xxx.xxx:46288 TLS Error: local/remote TLS keys are out of sync: [AF_INET]xxx.xxx.xxx.xxx:46288 [1]
    Mar 20 20:53:23 openvpn 54240 user-openvpn/xxx.xxx.xxx.xxx:46288 TLS Error: local/remote TLS keys are out of sync: [AF_INET]xxx.xxx.xxx.xxx:46288 [1]
    Mar 20 20:53:22 openvpn 54240 user-openvpn/xxx.xxx.xxx.xxx:46288 TLS Error: local/remote TLS keys are out of sync: [AF_INET]xxx.xxx.xxx.xxx:46288 [1]
    Mar 20 20:53:19 openvpn 54240 user-openvpn/xxx.xxx.xxx.xxx:46288 TLS Error: local/remote TLS keys are out of sync: [AF_INET]xxx.xxx.xxx.xxx:46288 [1]
    Mar 20 20:53:17 openvpn 54240 user-openvpn/xxx.xxx.xxx.xxx:46288 TLS Error: local/remote TLS keys are out of sync: [AF_INET]xxx.xxx.xxx.xxx:46288 [1]
    Mar 20 20:53:15 openvpn 54240 user-openvpn/xxx.xxx.xxx.xxx:46288 TLS Error: local/remote TLS keys are out of sync: [AF_INET]xxx.xxx.xxx.xxx:46288 [1]

    LOGS FROM CLIENT

    Mon Mar 13 13:13:59 2017 [off-OpenVPN.domain.com] Inactivity timeout (--ping-restart), restarting
    Mon Mar 13 13:13:59 2017 SIGUSR1[soft,ping-restart] received, process restarting
    Mon Mar 13 13:14:01 2017 UDPv4 link local (bound): [undef]
    Mon Mar 13 13:14:01 2017 UDPv4 link remote: [AF_INET]62.14.247.61:1194
    Mon Mar 13 13:14:03 2017 [off-OpenVPN.domain.com] Peer Connection Initiated with [AF_INET]XXX.XXX.XXX.XXX:1194
    Mon Mar 13 13:14:06 2017 AUTH: Received control message: AUTH_FAILED
    Mon Mar 13 13:14:06 2017 /sbin/ip addr del dev tun0 192.168.52.11/24
    Mon Mar 13 13:14:06 2017 SIGTERM[soft,auth-failure] received, process exiting

    CONFIG FROM SERVER

    dev ovpns1
    verb 1
    dev-type tun
    tun-ipv6
    dev-node /dev/tun1
    writepid /var/run/openvpn_server1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    reneg-sec 36000
    keepalive 10 6000
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    cipher AES-128-CBC
    auth SHA1
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    client-connect /usr/local/sbin/openvpn.attributes.sh
    client-disconnect /usr/local/sbin/openvpn.attributes.sh
    local XX.XX.XX.XX
    tls-server
    server 192.168.52.0 255.255.255.0
    client-config-dir /var/etc/openvpn-csc/server1
    username-as-common-name
    auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user SVBB true server1 1194" via-env
    tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'off-OpenVPN.domain.com' 1"
    lport 1194
    management /var/etc/openvpn/server1.sock unix
    push "route 192.168.0.0 255.255.255.0"
    push "route 192.168.50.0 255.255.255.0"
    push "route 192.168.250.0 255.255.255.0"
    push "route 10.10.1.0 255.255.255.0"
    push "route 10.10.3.0 255.255.255.0"
    push "route 172.30.1.0 255.255.255.0"
    push "route 172.30.2.0 255.255.255.0"
    push "route 172.30.3.0 255.255.255.0"
    push "route 172.30.4.0 255.255.255.0"
    push "route 172.30.31.0 255.255.255.0"
    push "route 172.30.35.0 255.255.255.0"
    push "route 172.30.39.0 255.255.255.0"
    push "route 172.29.0.0 255.255.224.0"
    push "route 10.210.0.0 255.255.0.0"
    push "route 10.57.31.0 255.255.255.0"
    push "route 10.57.34.0 255.255.255.0"
    push "route 192.168.100.0 255.255.255.0"
    push "route 93.90.19.0 255.255.255.0"
    push "route 109.70.39.0 255.255.255.0"
    push "route 89.187.117.238 255.255.255.255"
    push "route 77.240.112.0 255.255.240.0"
    push "route 172.30.5.0 255.255.255.0"
    push "route 93.90.20.0 255.255.255.0"
    push "route 192.168.2.0 255.255.255.0"
    push "dhcp-option DOMAIN mad01.domain.local"
    push "dhcp-option DNS 93.90.19.234"
    push "dhcp-option DNS 93.90.19.235"
    push "dhcp-option DNS 8.8.8.8"
    push "dhcp-option DNS 192.168.0.162"
    push "register-dns"
    push "dhcp-option NTP 192.168.0.162"
    push "dhcp-option NTP 192.168.0.163"
    ca /var/etc/openvpn/server1.ca
    cert /var/etc/openvpn/server1.cert
    key /var/etc/openvpn/server1.key
    dh /etc/dh-parameters.1024
    tls-auth /var/etc/openvpn/server1.tls-auth 0
    comp-lzo adaptive
    persist-remote-ip
    float
    topology subnet

    CONFIG FROM CLIENT

    dev tun
    persist-tun
    persist-key
    cipher AES-128-CBC
    auth SHA1
    tls-client
    client
    resolv-retry infinite
    reneg-sec 0
    remote off.domain.com 1194 udp
    lport 0
    verify-x509-name "off-OpenVPN.domain.com" name
    auth-user-pass
    pkcs12 vpns-udp-1194-user-openvpn.p12
    tls-auth vpns-udp-1194-user-openvpn-tls.key 1
    ns-cert-type server
    comp-lzo adaptive

    Thank you for the interest and the help!

    Regards



  • FIXED!!

    https://forum.pfsense.org/index.php?topic=127601.0

    Once I put the attributes in the server and in the client, the connection stays stable for the time I decide!!!

    "reneg-sec 0" in server
    "reneg-sec 36000" in client

    THANK YOU VERY MUCH


  • Netgate

    "reneg-sec 0" in server
    "reneg-sec 36000" in client

    FWIW I would do it like this:
    "reneg-sec 0" in client
    "reneg-sec 36000" in server

    That way the server setting is controlling and one change changes the renegotiation policy.
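An added example (mine, not code from the thread, pfSense or Netgate) covering the fix above and Netgate's note on it: OpenVPN's documented rule that whichever side has the lower reneg-sec triggers the renegotiation, which is why the default of 3600 on either side produces the hourly token prompt, plus a small detector that finds the "TLS keys are out of sync" burst followed by an auth failure from the same client in pfSense's OpenVPN log. The log lines are constructed in the thread's format with RFC 5737 addresses; the function names are my own.

```python
import re
from datetime import datetime

# Constructed sample in the pfSense OpenVPN syslog format seen in this thread
# (RFC 5737 addresses; this is not the poster's actual log).
SAMPLE_LOG = """\
Mar 20 20:53:15 openvpn 54240 user-openvpn/198.51.100.7:46288 TLS Error: local/remote TLS keys are out of sync: [AF_INET]198.51.100.7:46288 [1]
Mar 20 20:53:22 openvpn 54240 user-openvpn/198.51.100.7:46288 TLS Error: local/remote TLS keys are out of sync: [AF_INET]198.51.100.7:46288 [1]
Mar 20 20:53:26 openvpn 54240 user-openvpn/198.51.100.7:46288 [user-openvpn] Inactivity timeout (--ping-restart), restarting
Mar 20 20:54:23 openvpn 54240 198.51.100.7:52921 TLS Auth Error: Auth Username/Password verification failed for peer
Mar 20 20:54:23 openvpn user 'user-openvpn' could not authenticate.
Mar 20 21:10:02 openvpn 54240 198.51.100.9:40001 TLS Auth Error: Auth Username/Password verification failed for peer
"""

# timestamp, optional pid, optional "commonname/" prefix, client ip:port, message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) openvpn (?:\d+ )?(?:[\w.-]+/)?"
    r"(?P<ip>\d+\.\d+\.\d+\.\d+):\d+ (?P<msg>.*)$"
)

def effective_reneg_sec(server_reneg_sec, client_reneg_sec):
    """Seconds until the data-channel key is renegotiated: each side runs its own
    timer and either can trigger it, so the smaller non-zero value wins. 0 disables
    the timer on that side; 0 on both means no time-based renegotiation (None)."""
    active = [v for v in (server_reneg_sec, client_reneg_sec) if v > 0]
    return min(active) if active else None

def find_reneg_auth_failures(log_text, window_sec=120):
    """Correlate a burst of 'TLS keys are out of sync' with a later auth failure from
    the same client address: a renegotiation that re-prompted for a one-time token."""
    first_out_of_sync = {}
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # e.g. "user '...' could not authenticate" carries no address
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        ip, msg = m["ip"], m["msg"]
        if "TLS keys are out of sync" in msg:
            first_out_of_sync.setdefault(ip, ts)  # keep the start of the burst
        elif "Auth Username/Password verification failed" in msg:
            start = first_out_of_sync.pop(ip, None)
            if start is not None and (ts - start).total_seconds() <= window_sec:
                hits.append((ip, start.strftime("%H:%M:%S"), ts.strftime("%H:%M:%S")))
    return hits

if __name__ == "__main__":
    print("server 36000 + client 0 renegotiates after:", effective_reneg_sec(36000, 0))
    for ip, start, fail in find_reneg_auth_failures(SAMPLE_LOG):
        print(f"{ip}: out of sync from {start}, AUTH_FAILED at {fail}")
```

With the thread's original mix (server 36000, client left at the default 3600) the helper returns 3600, the hourly interval the poster observed.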



  • Done!

    Thanks