Netgate Discussion Forum
    OpenVPN client cannot connect to OpenVPN Server on PFSense after 2.4.0 upgrade

    OpenVPN
      pbnet:

      Hello everybody,

      I've just upgraded from 2.3.4 to 2.4.0 and now I've noticed that my OpenVPN iOS 11 client cannot connect to the VPN anymore.
      Nothing was changed on the pfSense or iPhone side.

      Here's what I have in the pfSense OpenVPN status:

      Oct 14 07:10:54 openvpn 83939 109.166.133.171 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1507954240) Sat Oct 14 07:10:40 2017 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
      Oct 14 07:10:54 openvpn 83939 109.166.133.171 TLS Error: incoming packet authentication failed from [AF_INET6]::ffff:109.166.133.171:9163 (via ::ffff:188.26.94.94%pppoe1)
      [the same two lines repeat eight more times]
      Oct 14 07:10:54 openvpn 83939 109.166.133.171 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1507954250) Sat Oct 14 07:10:50 2017 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
      Oct 14 07:10:54 openvpn 83939 109.166.133.171 TLS Error: incoming packet authentication failed from [AF_INET6]::ffff:109.166.133.171:14458 (via ::ffff:188.26.94.94%pppoe1)
      [the same two lines repeat two more times]
      Oct 14 07:10:54 openvpn 83939 109.166.133.171 peer info: IV_GUI_VER=net.openvpn.connect.ios_1.1.1-212
      Oct 14 07:10:54 openvpn 83939 109.166.133.171 peer info: IV_VER=3.1.2
      Oct 14 07:10:54 openvpn 83939 109.166.133.171 peer info: IV_PLAT=ios
      Oct 14 07:10:54 openvpn 83939 109.166.133.171 peer info: IV_NCP=2
      Oct 14 07:10:54 openvpn 83939 109.166.133.171 peer info: IV_TCPNL=1
      Oct 14 07:10:54 openvpn 83939 109.166.133.171 peer info: IV_PROTO=2
      Oct 14 07:11:12 openvpn 81622 WARNING: POTENTIALLY DANGEROUS OPTION --verify-client-cert none|optional (or --client-cert-not-required) may accept clients which do not present a certificate
      Oct 14 07:11:12 openvpn 81622 OpenVPN 2.4.4 amd64-portbld-freebsd11.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Oct 8 2017
      Oct 14 07:11:12 openvpn 81622 library versions: OpenSSL 1.0.2k-freebsd 26 Jan 2017, LZO 2.10
      Oct 14 07:11:12 openvpn 81721 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
      Oct 14 07:11:12 openvpn 81721 TUN/TAP device ovpns1 exists previously, keep at program end
      Oct 14 07:11:12 openvpn 81721 TUN/TAP device /dev/tun1 opened
      Oct 14 07:11:12 openvpn 81721 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
      Oct 14 07:11:12 openvpn 81721 /sbin/ifconfig ovpns1 172.16.0.1 172.16.0.2 mtu 1500 netmask 255.255.255.0 up
      Oct 14 07:11:12 openvpn 81721 /usr/local/sbin/ovpn-linkup ovpns1 1500 1621 172.16.0.1 255.255.255.0 init
      Oct 14 07:11:12 openvpn 81721 Could not determine IPv4/IPv6 protocol. Using AF_INET6
      Oct 14 07:11:12 openvpn 81721 setsockopt(IPV6_V6ONLY=0)
      Oct 14 07:11:12 openvpn 81721 UDPv6 link local (bound): [AF_INET6][undef]:34447
      Oct 14 07:11:12 openvpn 81721 UDPv6 link remote: [AF_UNSPEC]
      Oct 14 07:11:12 openvpn 81721 Initialization Sequence Completed
      Oct 14 07:11:52 openvpn 81721 109.166.133.171 peer info: IV_GUI_VER=net.openvpn.connect.ios_1.1.1-212
      Oct 14 07:11:52 openvpn 81721 109.166.133.171 peer info: IV_VER=3.1.2
      Oct 14 07:11:52 openvpn 81721 109.166.133.171 peer info: IV_PLAT=ios
      Oct 14 07:11:52 openvpn 81721 109.166.133.171 peer info: IV_NCP=2
      Oct 14 07:11:52 openvpn 81721 109.166.133.171 peer info: IV_TCPNL=1
      Oct 14 07:11:52 openvpn 81721 109.166.133.171 peer info: IV_PROTO=2

      Could anybody give me a hint on what I should do?

      Thanks a lot,
      Andy

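Added example, not code from the post above, from pfSense or from OpenVPN: a small Python script that reads server log lines like the ones pasted above and sorts them by the failure string OpenVPN 2.4 prints. The sample input is copied from the log above. The findings it prints describe what each message means in OpenVPN's control-channel processing (tls-auth HMAC check first, then the packet-id replay check, then the TLS handshake); they are general checks, not a diagnosis of this particular case.

```python
"""Triage of OpenVPN 2.4 server log lines such as those pasted above.

Added example; it is not code from the thread, pfSense or OpenVPN. Each line is
matched against the message strings OpenVPN 2.4 prints, grouped by remote peer
IP and turned into findings. The findings describe what each signature means in
OpenVPN's control-channel processing; they are general checks, not a diagnosis
of the poster's particular case.
"""
import re
from collections import Counter

# Sample lines copied from the log in the thread (pfSense 2.4.0, OpenVPN 2.4.4).
# pfSense prefixes each line with "<timestamp> openvpn <pid> [<peer-ip>[:port]]".
SAMPLE_LOG = """\
Oct 14 07:10:54 openvpn 83939 109.166.133.171 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1507954240) Sat Oct 14 07:10:40 2017 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Oct 14 07:10:54 openvpn 83939 109.166.133.171 TLS Error: incoming packet authentication failed from [AF_INET6]::ffff:109.166.133.171:9163 (via ::ffff:188.26.94.94%pppoe1)
Oct 14 07:10:54 openvpn 83939 109.166.133.171 peer info: IV_GUI_VER=net.openvpn.connect.ios_1.1.1-212
Oct 14 07:10:54 openvpn 83939 109.166.133.171 peer info: IV_VER=3.1.2
Oct 14 07:10:54 openvpn 83939 109.166.133.171 peer info: IV_NCP=2
Oct 14 07:11:12 openvpn 81622 WARNING: POTENTIALLY DANGEROUS OPTION --verify-client-cert none|optional (or --client-cert-not-required) may accept clients which do not present a certificate
Oct 14 07:11:12 openvpn 81721 Initialization Sequence Completed
Oct 14 08:54:12 openvpn 50484 109.166.133.171:7611 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Oct 14 08:54:12 openvpn 50484 109.166.133.171:7611 TLS Error: TLS handshake failed
"""

PREFIX_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) openvpn (?P<pid>\d+) "
    r"(?:(?P<peer>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<port>\d+))? )?(?P<msg>.*)$")

# Message strings from OpenVPN 2.4, in the order a control packet meets them:
# the tls-auth HMAC check, then the packet-id replay check, then the TLS handshake.
SIGNATURES = [
    ("hmac_failed", re.compile(r"packet HMAC authentication failed")),
    ("replay_id", re.compile(r"bad packet ID \(may be a replay\)")),
    ("ctrl_auth_failed", re.compile(r"incoming packet authentication failed")),
    ("tls_timeout", re.compile(r"TLS key negotiation failed to occur within \d+ seconds")),
    ("tls_failed", re.compile(r"TLS handshake failed")),
    ("peer_info", re.compile(r"peer info: (?P<key>IV_\w+)=(?P<val>\S+)")),
    ("weak_option", re.compile(r"POTENTIALLY DANGEROUS OPTION (?P<opt>\S+)")),
    ("init_done", re.compile(r"Initialization Sequence Completed")),
]


def classify(msg):
    """First matching signature name and its match object, or ("other", None)."""
    for name, rx in SIGNATURES:
        m = rx.search(msg)
        if m:
            return name, m
    return "other", None


def triage(log_text):
    """Parse the log; return {peer_ip_or_None: record}. Server-level lines go under None."""
    records = {}
    for line in log_text.splitlines():
        m = PREFIX_RE.match(line)
        if not m:
            continue
        rec = records.setdefault(m["peer"], {"events": Counter(), "peer_info": {},
                                             "ports": set(), "warnings": []})
        name, sm = classify(m["msg"])
        rec["events"][name] += 1
        if m["port"]:
            rec["ports"].add(int(m["port"]))
        if name == "peer_info":
            rec["peer_info"][sm["key"]] = sm["val"]
        elif name == "weak_option":
            rec["warnings"].append(sm["opt"])
    return records


def diagnose(rec):
    """Findings for one peer record, in plain language."""
    ev, out = rec["events"], []
    if ev["hmac_failed"]:
        out.append("control-channel HMAC failed: the tls-auth/tls-crypt key or key-direction "
                   "in the client profile does not match the server")
    elif ev["ctrl_auth_failed"] and ev["replay_id"]:
        out.append("control-channel HMAC verified (otherwise 'packet HMAC authentication failed' "
                   "would be logged) but the packet-id/timestamp replay check rejected the packet: "
                   "compare clocks on both ends and look for duplicated or reordered packets")
    if ev["tls_timeout"]:
        out.append("%d TLS handshake attempt(s) timed out before completing" % ev["tls_timeout"])
    if rec["peer_info"]:
        out.append("peer info received (it is sent inside the TLS channel), so at least one TLS "
                   "handshake with this peer completed; client is %s"
                   % rec["peer_info"].get("IV_GUI_VER", rec["peer_info"].get("IV_VER", "?")))
    if rec["warnings"]:
        out.append("server started with weak option(s): %s" % ", ".join(rec["warnings"]))
    return out


if __name__ == "__main__":
    for peer, rec in triage(SAMPLE_LOG).items():
        print("==", peer or "server")
        for f in diagnose(rec):
            print("  -", f)
```

Two things the script makes visible in the log above: the server logs "bad packet ID (may be a replay)" rather than "packet HMAC authentication failed", so the tls-auth key did verify and it is the replay check that rejected the packet; and the "peer info: IV_*" lines are only sent inside the TLS channel, so at least some handshakes with that iOS client did complete.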
        pbnet:

        I've tried both UDP and TCP and still cannot connect.
        Any hint would be greatly appreciated.

        Oct 14 08:54:12 openvpn 50484 109.166.133.171:8485 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1 / time = (1507960384) Sat Oct 14 08:53:04 2017 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
        Oct 14 08:54:12 openvpn 50484 109.166.133.171:8485 TLS Error: incoming packet authentication failed from [AF_INET]109.166.133.171:8485
        [the same two lines repeat once more]
        Oct 14 08:54:12 openvpn 50484 109.166.133.171:7611 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
        Oct 14 08:54:12 openvpn 50484 109.166.133.171:7611 TLS Error: TLS handshake failed
        Oct 14 08:54:12 openvpn 50484 109.166.133.171:9591 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
        Oct 14 08:54:12 openvpn 50484 109.166.133.171:9591 TLS Error: TLS handshake failed
        Oct 14 08:54:12 openvpn 50484 109.166.133.171:9813 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
        Oct 14 08:54:12 openvpn 50484 109.166.133.171:9813 TLS Error: TLS handshake failed
        Oct 14 08:54:12 openvpn 50484 109.166.133.171:5875 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
        Oct 14 08:54:12 openvpn 50484 109.166.133.171:5875 TLS Error: TLS handshake failed
        Oct 14 08:54:12 openvpn 50484 109.166.133.171:12744 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
        Oct 14 08:54:12 openvpn 50484 109.166.133.171:12744 TLS Error: TLS handshake failed
        Oct 14 08:54:12 openvpn 50484 109.166.133.171:10425 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
        Oct 14 08:54:12 openvpn 50484 109.166.133.171:10425 TLS Error: TLS handshake failed
        Oct 14 08:55:12 openvpn 50484 109.166.133.171:14690 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
        Oct 14 08:55:12 openvpn 50484 109.166.133.171:14690 TLS Error: TLS handshake failed
        Oct 14 08:55:12 openvpn 50484 109.166.133.171:8485 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
        Oct 14 08:55:12 openvpn 50484 109.166.133.171:8485 TLS Error: TLS handshake failed
        Oct 14 08:55:23 openvpn 50484 event_wait : Interrupted system call (code=4)
        Oct 14 08:55:23 openvpn 50484 /usr/local/sbin/ovpn-linkdown ovpns1 1500 1621 172.16.0.1 255.255.255.0 init
        Oct 14 08:55:23 openvpn 50484 SIGTERM[hard,] received, process exiting
        Oct 14 08:55:23 openvpn 67417 OpenVPN 2.4.4 amd64-portbld-freebsd11.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Oct 8 2017
        Oct 14 08:55:23 openvpn 67417 library versions: OpenSSL 1.0.2k-freebsd 26 Jan 2017, LZO 2.10
        Oct 14 08:55:23 openvpn 67487 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
        Oct 14 08:55:23 openvpn 67487 TUN/TAP device ovpns1 exists previously, keep at program end
        Oct 14 08:55:23 openvpn 67487 TUN/TAP device /dev/tun1 opened
        Oct 14 08:55:23 openvpn 67487 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
        Oct 14 08:55:23 openvpn 67487 /sbin/ifconfig ovpns1 172.16.0.1 172.16.0.2 mtu 1500 netmask 255.255.255.0 up
        Oct 14 08:55:23 openvpn 67487 /usr/local/sbin/ovpn-linkup ovpns1 1500 1623 172.16.0.1 255.255.255.0 init
        Oct 14 08:55:23 openvpn 67487 Listening for incoming TCP connection on [AF_INET]188.26.94.94:34447
        Oct 14 08:55:23 openvpn 67487 TCPv4_SERVER link local (bound): [AF_INET]188.26.94.94:34447
        Oct 14 08:55:23 openvpn 67487 TCPv4_SERVER link remote: [AF_UNSPEC]
        Oct 14 08:55:23 openvpn 67487 Initialization Sequence Completed
        Oct 14 08:58:01 openvpn 67487 TCP connection established with [AF_INET]109.166.133.171:10795
        Oct 14 08:58:02 openvpn 67487 109.166.133.171:10795 peer info: IV_GUI_VER=net.openvpn.connect.ios_1.1.1-212
        Oct 14 08:58:02 openvpn 67487 109.166.133.171:10795 peer info: IV_VER=3.1.2
        Oct 14 08:58:02 openvpn 67487 109.166.133.171:10795 peer info: IV_PLAT=ios
        Oct 14 08:58:02 openvpn 67487 109.166.133.171:10795 peer info: IV_NCP=2
        Oct 14 08:58:02 openvpn 67487 109.166.133.171:10795 peer info: IV_TCPNL=1
        Oct 14 08:58:02 openvpn 67487 109.166.133.171:10795 peer info: IV_PROTO=2

          Derelict (Netgate):

          There have been no reports that I can remember in testing about that. The same SSL/TLS + User Auth server, backed by RADIUS, is working here with no modifications or problems.

          You might try simply making sure the OpenVPN client export package is current and re-exporting the config for that device and testing again.

          Chattanooga, Tennessee, USA
          The pfSense Book is free of charge!
          DO NOT set a source port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

            pbnet:

            Already tried that and the issue remains.
            Weirdly enough, it happened just after the upgrade from the previous PFSense version.

            Still trying to figure out what happened.
            I've even deleted the OpenVPN server config and done everything from scratch. Still no go.
            The only thing that remains is changing the certificates and issuing new ones.

              pbnet:

              OK, fixed.
              For some reason the certificates issued by the OpenVPN CA were no longer recognized.
              I've issued a new CA, then a new server and user certificate.
              Everything works fine now.

              Thanks to everybody.

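Added example, not code from the thread, from pfSense or from the OpenVPN Client Export package. The fix above re-issues the CA and the server and user certificates, which means every client profile exported before that still embeds the old CA and will fail TLS verification until it is re-exported. The script below checks a profile against what the server currently uses: it compares the inline `<ca>` block by SHA-256 fingerprint of its DER (the value `openssl x509 -fingerprint -sha256` prints), compares the `<tls-auth>` static key byte for byte, and checks that `key-direction` is the client-side value for the direction the server uses. The PEM bodies, the static key and the hostname vpn.example.net are constructed placeholders, not real certificates or keys.

```python
"""Check an exported client .ovpn profile against the server's current CA and tls-auth key.

Added example; not code from the thread, pfSense or the OpenVPN Client Export
package. Once the CA and certificates have been re-issued, every profile
exported earlier still embeds the old CA. This script pulls the inline <ca>,
<cert>, <key> and <tls-auth> blocks out of a profile, compares the CA (SHA-256
of its DER) and the static key with the server's current ones, and checks
key-direction. All PEM bodies and the static key below are constructed
placeholders, not real certificates or keys; vpn.example.net is a placeholder.
"""
import base64
import hashlib
import re

INLINE_RE = re.compile(r"<(?P<tag>[a-z-]+)>\n(?P<body>.*?)\n</(?P=tag)>", re.S)


def pem_to_der(pem):
    """Strip the PEM armour and base64-decode the body."""
    body = "".join(l.strip() for l in pem.splitlines()
                   if l.strip() and not l.startswith("-----"))
    return base64.b64decode(body)


def cert_fingerprint(pem):
    """SHA-256 over the DER encoding, the same value openssl x509 -fingerprint -sha256 shows."""
    return hashlib.sha256(pem_to_der(pem)).hexdigest()


def static_key_bytes(text):
    """Decode the hex lines of an 'OpenVPN Static key V1' file; comments and armour are ignored."""
    hex_lines = [l.strip() for l in text.splitlines()
                 if re.fullmatch(r"[0-9a-fA-F]+", l.strip())]
    return bytes.fromhex("".join(hex_lines))


def parse_profile(text):
    """Return (inline blocks by tag, directives by name). Inline blocks are cut out before
    directive parsing so PEM or key lines are never mistaken for options."""
    blocks = {m["tag"]: m["body"] for m in INLINE_RE.finditer(text)}
    opts = {}
    for line in INLINE_RE.sub("", text).splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        name, _, value = line.partition(" ")
        opts[name] = value.strip()
    return blocks, opts


def check_profile(profile, server_ca_pem, server_ta_key=None, server_key_direction=0):
    """List what would stop this profile from authenticating to the server; [] if nothing."""
    blocks, opts = parse_profile(profile)
    problems = []
    if "ca" not in blocks:
        problems.append("no inline <ca> block")
    elif cert_fingerprint(blocks["ca"]) != cert_fingerprint(server_ca_pem):
        problems.append("embedded CA does not match the server's current CA: re-export the profile")
    if "cert" not in blocks or "key" not in blocks:
        problems.append("inline <cert>/<key> pair missing")
    if server_ta_key is not None:
        if "tls-auth" not in blocks:
            problems.append("server uses tls-auth but the profile has no <tls-auth> block")
        else:
            if static_key_bytes(blocks["tls-auth"]) != static_key_bytes(server_ta_key):
                problems.append("tls-auth static key differs from the server's")
            want = str(1 - server_key_direction)   # server 0 <-> client 1
            if opts.get("key-direction") != want:
                problems.append("key-direction must be %s when the server uses %d"
                                % (want, server_key_direction))
    if "remote" not in opts:
        problems.append("no remote directive")
    return problems


# ---- constructed sample data (placeholders, not real X.509 or key material) ----
def _pem(label, raw):
    b64 = base64.b64encode(raw).decode()
    return "-----BEGIN %s-----\n%s\n-----END %s-----" % (
        label, "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64)), label)


def _static_key(seed):
    raw = bytes((seed + 37 * i) % 256 for i in range(256))   # 2048-bit key, constructed
    h = raw.hex()
    return ("#\n# 2048 bit OpenVPN static key (constructed)\n#\n"
            "-----BEGIN OpenVPN Static key V1-----\n"
            + "\n".join(h[i:i + 32] for i in range(0, len(h), 32))
            + "\n-----END OpenVPN Static key V1-----")


OLD_CA = _pem("CERTIFICATE", b"placeholder DER: CA from before the re-issue")
NEW_CA = _pem("CERTIFICATE", b"placeholder DER: CA re-issued after the upgrade")
USER_CERT = _pem("CERTIFICATE", b"placeholder DER: user certificate")
USER_KEY = _pem("PRIVATE KEY", b"placeholder: user private key")
TA_KEY = _static_key(11)


def build_profile(ca_pem, key_direction=1, ta_key=TA_KEY):
    """A profile laid out like an inline export (constructed, vpn.example.net is a placeholder)."""
    return ("client\ndev tun\nproto udp\nremote vpn.example.net 1194\n"
            "tls-client\nremote-cert-tls server\nkey-direction %d\n"
            "<ca>\n%s\n</ca>\n<cert>\n%s\n</cert>\n<key>\n%s\n</key>\n<tls-auth>\n%s\n</tls-auth>\n"
            % (key_direction, ca_pem, USER_CERT, USER_KEY, ta_key))


if __name__ == "__main__":
    for label, prof in (("old export", build_profile(OLD_CA)), ("re-export", build_profile(NEW_CA))):
        print(label, check_profile(prof, NEW_CA, TA_KEY) or "OK")
```

The script does not validate the user certificate's signature chain (that needs an X.509 parser, e.g. `openssl verify -CAfile ca.crt user.crt`); a CA fingerprint mismatch is already enough to tell an old export from a current one, which is the question after a CA rotation.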
                kejianshi:

                Here is an oddity I ran into that seems very strange….

                So, upgraded to 2.4 on pfsense.  That was its own little nightmare but is all good now.

                I have a laptop that I run openvpn on.  So I uninstalled the TAP interface and the openvpn package.

                Then I downloaded the new one with client export and installed it with a known working profile.

                I selected Enable NCP in the openvpn instance and the settings do show up in the exported client...  But it doesn't work.

                Now, not to ask a dumb question but is the client export package exporting 2.3.18 or something like that? and not 2.4.x?

                EDIT:

                So I uninstalled the TAP again and Openvpn again...

                Downloaded the newest latest and greatest Openvpn 2.4.4 and installed it.  The exported Pfsense openvpn configs now work.

                I'm not sure why openvpn 2.4 isn't being exported with the configs from client export.  I know that pfsense itself has 2.4.

                Maybe just an oversight?  Causes problems.  That's for sure.

                Another minor thought.  Since NCP is enabled in my case, giving clients a choice of 4 cipher suites to choose from, wouldn't it be nice if the logs, or system status or something somewhere displayed which cipher was selected and in use?

                That's probably more of an openvpn question but I suppose it might be possible for the openvpn status on pfsense to display that?

                Another openvpn glitch...  In the new 2.4.4, when you click "edit config", it doesn't pull up anything to edit.  It activates the vpn in a windows command console.

                Solved that problem by going into the directory where the configs are stored and right clicking a config and changing default program type to a note editor.

                I also noticed that all of your NCP choices get exported with the config file.  However I did not add those NCP choices to my android phone config.  It sees the choices anyway and selected the one at the top of the list.

                  Derelict (Netgate):

                  If you are having strange issues with the OpenVPN Client Export package, uninstall it and reinstall it.

                  The version numbers for pfSense, OpenVPN, and the OpenVPN Client Exporter are all similar by coincidence. They are unrelated to each other.


                    kejianshi:

                    I did that - The version being installed from the client export package for windows was definitely not 2.4.x

                      Derelict (Netgate):

                      You did see there are two areas of choice on export, right?

                      ![Screen Shot 2017-10-22 at 10.36.04 AM.png](/public/imported_attachments/1/Screen Shot 2017-10-22 at 10.36.04 AM.png)


                        kejianshi:

                        There you go...  That's what I was doing wrong.

                        When my eyes glanced over the word "vista", I immediately thought "legacy system" and went on to press the button that is usually the most current version.

                        Silly me.  Thanks.  That will be very helpful in the future.

                          kejianshi:

                          I guess they could make the button colors red for xp, yellow for win6 and green for Vista or later…  For us slow non-readers!  haha
