OpenVPN client cannot connect to OpenVPN Server on pfSense after 2.4.0 upgrade



  • Hello everybody,

    I've just upgraded from 2.3.4 to 2.4.0 and now I've noticed that my OpenVPN iOS 11 client cannot connect to the VPN anymore.
    Nothing was changed on the pfSense or iPhone part.

    Here's what I have in the pfSense OpenVPN status:

    ```
    Oct 14 07:10:54 openvpn 83939 109.166.133.171 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1507954240) Sat Oct 14 07:10:40 2017 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
    Oct 14 07:10:54 openvpn 83939 109.166.133.171 TLS Error: incoming packet authentication failed from [AF_INET6]::ffff:109.166.133.171:9163 (via ::ffff:188.26.94.94%pppoe1)
    Oct 14 07:10:54 openvpn 83939 109.166.133.171 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1507954240) Sat Oct 14 07:10:40 2017 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
    Oct 14 07:10:54 openvpn 83939 109.166.133.171 TLS Error: incoming packet authentication failed from [AF_INET6]::ffff:109.166.133.171:9163 (via ::ffff:188.26.94.94%pppoe1)
    Oct 14 07:10:54 openvpn 83939 109.166.133.171 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1507954240) Sat Oct 14 07:10:40 2017 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
    Oct 14 07:10:54 openvpn 83939 109.166.133.171 TLS Error: incoming packet authentication failed from [AF_INET6]::ffff:109.166.133.171:9163 (via ::ffff:188.26.94.94%pppoe1)
    Oct 14 07:10:54 openvpn 83939 109.166.133.171 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1507954240) Sat Oct 14 07:10:40 2017 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
    Oct 14 07:10:54 openvpn 83939 109.166.133.171 TLS Error: incoming packet authentication failed from [AF_INET6]::ffff:109.166.133.171:9163 (via ::ffff:188.26.94.94%pppoe1)
    Oct 14 07:10:54 openvpn 83939 109.166.133.171 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1507954240) Sat Oct 14 07:10:40 2017 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
    Oct 14 07:10:54 openvpn 83939 109.166.133.171 TLS Error: incoming packet authentication failed from [AF_INET6]::ffff:109.166.133.171:9163 (via ::ffff:188.26.94.94%pppoe1)
    Oct 14 07:10:54 openvpn 83939 109.166.133.171 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1507954240) Sat Oct 14 07:10:40 2017 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
    Oct 14 07:10:54 openvpn 83939 109.166.133.171 TLS Error: incoming packet authentication failed from [AF_INET6]::ffff:109.166.133.171:9163 (via ::ffff:188.26.94.94%pppoe1)
    Oct 14 07:10:54 openvpn 83939 109.166.133.171 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1507954240) Sat Oct 14 07:10:40 2017 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
    Oct 14 07:10:54 openvpn 83939 109.166.133.171 TLS Error: incoming packet authentication failed from [AF_INET6]::ffff:109.166.133.171:9163 (via ::ffff:188.26.94.94%pppoe1)
    Oct 14 07:10:54 openvpn 83939 109.166.133.171 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1507954240) Sat Oct 14 07:10:40 2017 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
    Oct 14 07:10:54 openvpn 83939 109.166.133.171 TLS Error: incoming packet authentication failed from [AF_INET6]::ffff:109.166.133.171:9163 (via ::ffff:188.26.94.94%pppoe1)
    Oct 14 07:10:54 openvpn 83939 109.166.133.171 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1507954240) Sat Oct 14 07:10:40 2017 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
    Oct 14 07:10:54 openvpn 83939 109.166.133.171 TLS Error: incoming packet authentication failed from [AF_INET6]::ffff:109.166.133.171:9163 (via ::ffff:188.26.94.94%pppoe1)
    Oct 14 07:10:54 openvpn 83939 109.166.133.171 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1507954250) Sat Oct 14 07:10:50 2017 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
    Oct 14 07:10:54 openvpn 83939 109.166.133.171 TLS Error: incoming packet authentication failed from [AF_INET6]::ffff:109.166.133.171:14458 (via ::ffff:188.26.94.94%pppoe1)
    Oct 14 07:10:54 openvpn 83939 109.166.133.171 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1507954250) Sat Oct 14 07:10:50 2017 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
    Oct 14 07:10:54 openvpn 83939 109.166.133.171 TLS Error: incoming packet authentication failed from [AF_INET6]::ffff:109.166.133.171:14458 (via ::ffff:188.26.94.94%pppoe1)
    Oct 14 07:10:54 openvpn 83939 109.166.133.171 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1507954250) Sat Oct 14 07:10:50 2017 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
    Oct 14 07:10:54 openvpn 83939 109.166.133.171 TLS Error: incoming packet authentication failed from [AF_INET6]::ffff:109.166.133.171:14458 (via ::ffff:188.26.94.94%pppoe1)
    Oct 14 07:10:54 openvpn 83939 109.166.133.171 peer info: IV_GUI_VER=net.openvpn.connect.ios_1.1.1-212
    Oct 14 07:10:54 openvpn 83939 109.166.133.171 peer info: IV_VER=3.1.2
    Oct 14 07:10:54 openvpn 83939 109.166.133.171 peer info: IV_PLAT=ios
    Oct 14 07:10:54 openvpn 83939 109.166.133.171 peer info: IV_NCP=2
    Oct 14 07:10:54 openvpn 83939 109.166.133.171 peer info: IV_TCPNL=1
    Oct 14 07:10:54 openvpn 83939 109.166.133.171 peer info: IV_PROTO=2
    Oct 14 07:11:12 openvpn 81622 WARNING: POTENTIALLY DANGEROUS OPTION --verify-client-cert none|optional (or --client-cert-not-required) may accept clients which do not present a certificate
    Oct 14 07:11:12 openvpn 81622 OpenVPN 2.4.4 amd64-portbld-freebsd11.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Oct 8 2017
    Oct 14 07:11:12 openvpn 81622 library versions: OpenSSL 1.0.2k-freebsd 26 Jan 2017, LZO 2.10
    Oct 14 07:11:12 openvpn 81721 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Oct 14 07:11:12 openvpn 81721 TUN/TAP device ovpns1 exists previously, keep at program end
    Oct 14 07:11:12 openvpn 81721 TUN/TAP device /dev/tun1 opened
    Oct 14 07:11:12 openvpn 81721 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
    Oct 14 07:11:12 openvpn 81721 /sbin/ifconfig ovpns1 172.16.0.1 172.16.0.2 mtu 1500 netmask 255.255.255.0 up
    Oct 14 07:11:12 openvpn 81721 /usr/local/sbin/ovpn-linkup ovpns1 1500 1621 172.16.0.1 255.255.255.0 init
    Oct 14 07:11:12 openvpn 81721 Could not determine IPv4/IPv6 protocol. Using AF_INET6
    Oct 14 07:11:12 openvpn 81721 setsockopt(IPV6_V6ONLY=0)
    Oct 14 07:11:12 openvpn 81721 UDPv6 link local (bound): [AF_INET6][undef]:34447
    Oct 14 07:11:12 openvpn 81721 UDPv6 link remote: [AF_UNSPEC]
    Oct 14 07:11:12 openvpn 81721 Initialization Sequence Completed
    Oct 14 07:11:52 openvpn 81721 109.166.133.171 peer info: IV_GUI_VER=net.openvpn.connect.ios_1.1.1-212
    Oct 14 07:11:52 openvpn 81721 109.166.133.171 peer info: IV_VER=3.1.2
    Oct 14 07:11:52 openvpn 81721 109.166.133.171 peer info: IV_PLAT=ios
    Oct 14 07:11:52 openvpn 81721 109.166.133.171 peer info: IV_NCP=2
    Oct 14 07:11:52 openvpn 81721 109.166.133.171 peer info: IV_TCPNL=1
    Oct 14 07:11:52 openvpn 81721 109.166.133.171 peer info: IV_PROTO=2
    ```

    Could anybody give me a hint on what I should do?

    Thanks a lot,
    Andy



  • I've tried both UDP and TCP and still cannot connect.
    Any hint would be greatly appreciated.

    ```
    Oct 14 08:54:12 openvpn 50484 109.166.133.171:8485 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1507960384) Sat Oct 14 08:53:04 2017 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
    Oct 14 08:54:12 openvpn 50484 109.166.133.171:8485 TLS Error: incoming packet authentication failed from [AF_INET]109.166.133.171:8485
    Oct 14 08:54:12 openvpn 50484 109.166.133.171:8485 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1507960384) Sat Oct 14 08:53:04 2017 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
    Oct 14 08:54:12 openvpn 50484 109.166.133.171:8485 TLS Error: incoming packet authentication failed from [AF_INET]109.166.133.171:8485
    Oct 14 08:54:12 openvpn 50484 109.166.133.171:7611 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Oct 14 08:54:12 openvpn 50484 109.166.133.171:7611 TLS Error: TLS handshake failed
    Oct 14 08:54:12 openvpn 50484 109.166.133.171:9591 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Oct 14 08:54:12 openvpn 50484 109.166.133.171:9591 TLS Error: TLS handshake failed
    Oct 14 08:54:12 openvpn 50484 109.166.133.171:9813 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Oct 14 08:54:12 openvpn 50484 109.166.133.171:9813 TLS Error: TLS handshake failed
    Oct 14 08:54:12 openvpn 50484 109.166.133.171:5875 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Oct 14 08:54:12 openvpn 50484 109.166.133.171:5875 TLS Error: TLS handshake failed
    Oct 14 08:54:12 openvpn 50484 109.166.133.171:12744 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Oct 14 08:54:12 openvpn 50484 109.166.133.171:12744 TLS Error: TLS handshake failed
    Oct 14 08:54:12 openvpn 50484 109.166.133.171:10425 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Oct 14 08:54:12 openvpn 50484 109.166.133.171:10425 TLS Error: TLS handshake failed
    Oct 14 08:55:12 openvpn 50484 109.166.133.171:14690 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Oct 14 08:55:12 openvpn 50484 109.166.133.171:14690 TLS Error: TLS handshake failed
    Oct 14 08:55:12 openvpn 50484 109.166.133.171:8485 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Oct 14 08:55:12 openvpn 50484 109.166.133.171:8485 TLS Error: TLS handshake failed
    Oct 14 08:55:23 openvpn 50484 event_wait : Interrupted system call (code=4)
    Oct 14 08:55:23 openvpn 50484 /usr/local/sbin/ovpn-linkdown ovpns1 1500 1621 172.16.0.1 255.255.255.0 init
    Oct 14 08:55:23 openvpn 50484 SIGTERM[hard,] received, process exiting
    Oct 14 08:55:23 openvpn 67417 OpenVPN 2.4.4 amd64-portbld-freebsd11.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Oct 8 2017
    Oct 14 08:55:23 openvpn 67417 library versions: OpenSSL 1.0.2k-freebsd 26 Jan 2017, LZO 2.10
    Oct 14 08:55:23 openvpn 67487 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Oct 14 08:55:23 openvpn 67487 TUN/TAP device ovpns1 exists previously, keep at program end
    Oct 14 08:55:23 openvpn 67487 TUN/TAP device /dev/tun1 opened
    Oct 14 08:55:23 openvpn 67487 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
    Oct 14 08:55:23 openvpn 67487 /sbin/ifconfig ovpns1 172.16.0.1 172.16.0.2 mtu 1500 netmask 255.255.255.0 up
    Oct 14 08:55:23 openvpn 67487 /usr/local/sbin/ovpn-linkup ovpns1 1500 1623 172.16.0.1 255.255.255.0 init
    Oct 14 08:55:23 openvpn 67487 Listening for incoming TCP connection on [AF_INET]188.26.94.94:34447
    Oct 14 08:55:23 openvpn 67487 TCPv4_SERVER link local (bound): [AF_INET]188.26.94.94:34447
    Oct 14 08:55:23 openvpn 67487 TCPv4_SERVER link remote: [AF_UNSPEC]
    Oct 14 08:55:23 openvpn 67487 Initialization Sequence Completed
    Oct 14 08:58:01 openvpn 67487 TCP connection established with [AF_INET]109.166.133.171:10795
    Oct 14 08:58:02 openvpn 67487 109.166.133.171:10795 peer info: IV_GUI_VER=net.openvpn.connect.ios_1.1.1-212
    Oct 14 08:58:02 openvpn 67487 109.166.133.171:10795 peer info: IV_VER=3.1.2
    Oct 14 08:58:02 openvpn 67487 109.166.133.171:10795 peer info: IV_PLAT=ios
    Oct 14 08:58:02 openvpn 67487 109.166.133.171:10795 peer info: IV_NCP=2
    Oct 14 08:58:02 openvpn 67487 109.166.133.171:10795 peer info: IV_TCPNL=1
    Oct 14 08:58:02 openvpn 67487 109.166.133.171:10795 peer info: IV_PROTO=2
    ```
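The two log excerpts above (UDP, then TCP) show the same failure shape: every control-channel packet from the client is rejected with "bad packet ID (may be a replay)" followed by "incoming packet authentication failed", and on TCP the client keeps retrying from new source ports until the 60-second key-negotiation timer expires. The script below is an added example, not part of the thread and not pfSense or OpenVPN code: it parses the pfSense OpenVPN status-log format quoted above, counts those signatures per client address, and prints the checks an administrator makes first. The embedded log lines are copied from the posts above, except the `10.0.0.5` line, which is constructed to show a second peer.

```python
"""Triage pfSense OpenVPN status-log lines for control-channel failures.

Added example; the log format is the one quoted in the forum posts
("<Mon> <day> <time> openvpn <pid> [<peer>[:port]] <message>").
"""
import re
from collections import defaultdict

# Timestamp, daemon name, pid, optional "ip" or "ip:port" peer prefix, message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) openvpn (?P<pid>\d+) "
    r"(?:(?P<peer>\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?) )?(?P<msg>.*)$"
)

# Message signatures from OpenVPN 2.4 that indicate a handshake never completed.
SIGNATURES = {
    "replay_or_hmac": re.compile(r"bad packet ID \(may be a replay\)"),
    "packet_auth": re.compile(r"TLS Error: incoming packet authentication failed"),
    "handshake_timeout": re.compile(r"TLS key negotiation failed to occur within \d+ seconds"),
    "handshake_failed": re.compile(r"TLS Error: TLS handshake failed"),
}
PEER_INFO_RE = re.compile(r"peer info: (?P<key>IV_\w+)=(?P<val>\S+)")

# Lines taken from the posts above; the last one (10.0.0.5) is constructed.
SAMPLE_LOG = """\
Oct 14 07:10:54 openvpn 83939 109.166.133.171 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1507954240) Sat Oct 14 07:10:40 2017 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Oct 14 07:10:54 openvpn 83939 109.166.133.171 TLS Error: incoming packet authentication failed from [AF_INET6]::ffff:109.166.133.171:9163 (via ::ffff:188.26.94.94%pppoe1)
Oct 14 07:10:54 openvpn 83939 109.166.133.171 peer info: IV_GUI_VER=net.openvpn.connect.ios_1.1.1-212
Oct 14 07:10:54 openvpn 83939 109.166.133.171 peer info: IV_VER=3.1.2
Oct 14 07:11:12 openvpn 81721 Initialization Sequence Completed
Oct 14 08:54:12 openvpn 50484 109.166.133.171:8485 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1507960384) Sat Oct 14 08:53:04 2017 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Oct 14 08:54:12 openvpn 50484 109.166.133.171:8485 TLS Error: incoming packet authentication failed from [AF_INET]109.166.133.171:8485
Oct 14 08:54:12 openvpn 50484 109.166.133.171:7611 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Oct 14 08:54:12 openvpn 50484 109.166.133.171:7611 TLS Error: TLS handshake failed
Oct 14 08:55:12 openvpn 50484 109.166.133.171:14690 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Oct 14 08:55:12 openvpn 50484 109.166.133.171:14690 TLS Error: TLS handshake failed
Oct 14 09:00:00 openvpn 50484 10.0.0.5:4123 TLS Error: TLS handshake failed
""".splitlines()


def parse_line(line):
    """Split one log line into fields; return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # Aggregate per host: the client changes source port on every retry.
    rec["host"] = rec["peer"].split(":")[0] if rec["peer"] else None
    return rec


def triage(lines):
    """Count failure signatures, retry ports and IV_* peer info per client host."""
    peers = defaultdict(lambda: {"failures": defaultdict(int), "ports": set(), "peer_info": {}})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["host"] is None:
            continue  # daemon-level message, not tied to a client
        p = peers[rec["host"]]
        if ":" in rec["peer"]:
            p["ports"].add(rec["peer"].split(":")[1])
        for name, rx in SIGNATURES.items():
            if rx.search(rec["msg"]):
                p["failures"][name] += 1
        info = PEER_INFO_RE.search(rec["msg"])
        if info:
            p["peer_info"][info["key"]] = info["val"]
    return peers


def diagnose(peers):
    """Turn the per-host counts into the checks an administrator makes first."""
    findings = []
    for host, p in sorted(peers.items()):
        f = p["failures"]
        if f["packet_auth"] or f["replay_or_hmac"]:
            findings.append(
                f"{host}: {f['packet_auth']} control-channel packet(s) failed authentication "
                f"({f['replay_or_hmac']} flagged as bad packet ID); the server dropped the "
                "client's TLS packets before any handshake. Check that both sides use the same "
                "tls-auth/tls-crypt key and key-direction, then re-export the client profile "
                "and confirm the certificates chain to the CA the server is configured with."
            )
        if f["handshake_timeout"] or f["handshake_failed"]:
            findings.append(
                f"{host}: {f['handshake_failed']} failed handshake(s) across "
                f"{len(p['ports'])} client source port(s), i.e. the client kept retrying."
            )
        if p["peer_info"]:
            ident = ", ".join(f"{k}={v}" for k, v in sorted(p["peer_info"].items()))
            findings.append(f"{host}: client identified itself as {ident}")
    return findings


if __name__ == "__main__":
    for finding in diagnose(triage(SAMPLE_LOG)):
        print(finding)
```

Run it against the full status log (`triage(open(path))`) to see at a glance whether a client ever got past packet authentication; in this thread it never did, which is why the later "TLS key negotiation failed to occur within 60 seconds" lines are a consequence rather than a separate problem.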


  • LAYER 8 Netgate

    There have been no reports that I can remember in testing about that. The same SSL/TLS + User Auth server, backed by RADIUS, is working here with no modifications or problems.

    You might try simply making sure the OpenVPN client export package is current and re-exporting the config for that device and testing again.



  • Already tried that and the issue remains.
    Weirdly enough, it happened just after the upgrade from the previous pfSense version.

    Still trying to figure out what happened.
    I've even deleted the OpenVPN server config and done everything from scratch. Still no go.
    The only thing that remains is changing the certificates and issuing new ones.



  • OK, fixed.
    For some reason the certificates issued by the OpenVPN CA were no longer recognized.
    I've issued a new CA, then a new server and user certificate.
    Everything works fine now.

    Thanks to everybody.



    Here is an oddity I ran into that seems very strange...

    So, upgraded to 2.4 on pfSense. That was its own little nightmare but is all good now.

    I have a laptop that I run OpenVPN on. So I uninstalled the TAP interface and the OpenVPN package.

    Then I downloaded the new one with client export and installed it with a known working profile.

    I selected Enable NCP in the OpenVPN instance and the settings do show up in the exported client... But it doesn't work.

    Now, not to ask a dumb question, but is the client export package exporting 2.3.18 or something like that, and not 2.4.x?

    EDIT:

    So I uninstalled the TAP again and OpenVPN again...

    Downloaded the newest, latest and greatest OpenVPN 2.4.4 and installed it. The exported pfSense OpenVPN configs now work.

    I'm not sure why OpenVPN 2.4 isn't being exported with the configs from client export. I know that pfSense itself has 2.4.

    Maybe just an oversight? Causes problems. That's for sure.

    Another minor thought. Since NCP is enabled in my case, giving clients a choice of 4 cipher suites to choose from, wouldn't it be nice if the logs, or system status, or something somewhere displayed which cipher was selected and in use?

    That's probably more of an OpenVPN question, but I suppose it might be possible for the OpenVPN status on pfSense to display that?

    Another OpenVPN glitch... In the new 2.4.4, when you click "edit config", it doesn't pull up anything to edit. It activates the VPN in a Windows command console.

    Solved that problem by going into the directory where the configs are stored, right-clicking a config and changing the default program to a note editor.

    I also noticed that all of your NCP choices get exported with the config file. However, I did not add those NCP choices to my Android phone config. It sees the choices anyway and selected the one at the top of the list.


  • LAYER 8 Netgate

    If you are having strange issues with the OpenVPN Client Export package, uninstall it and reinstall it.

    The version numbers for pfSense, OpenVPN, and the OpenVPN Client Exporter are all similar by coincidence. They are unrelated to each other.



  • I did that. The version being installed from the client export package for Windows was definitely not 2.4.x.


  • LAYER 8 Netgate

    You did see there are two areas of choice on export, right?

    ![Screen Shot 2017-10-22 at 10.36.04 AM.png](/public/imported_attachments/1/Screen Shot 2017-10-22 at 10.36.04 AM.png)



  • There you go... That's what I was doing wrong.

    When my eyes glanced over the word "vista", I immediately thought "legacy system" and went on to press the button that is usually the most current version.

    Silly me. Thanks. That will be very helpful in the future.



  • I guess they could make the button colors red for XP, yellow for win6 and green for Vista or later... For us slow non-readers! haha

