Netgate Discussion Forum

TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)

29 Posts 4 Posters 7.8k Views 4 Watching
  • J Online
    johnpoz LAYER 8 Global Moderator
    last edited by Jul 6, 2018, 10:43 AM

    Where do you think he would need to forward anything? He has a test box connected to pfsense wan network 192.168.0.. So source of his traffic would be 192.168.0.254 so yeah you're blocking rfc1918 - it's not going to work.

    If you want to test your vpn connections using rfc1918, then you're going to have to turn off the block rfc1918 rule.

    An intelligent man is sometimes forced to be drunk to spend time with his fools
    If you get confused: Listen to the Music Play
    Please don't Chat/PM me for help, unless mod related
    SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

    • J Offline
      joedoe
      last edited by Jul 6, 2018, 10:43 AM

      @viragomann said in TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity):

      And ensure the OpenVPN access is forwarded correctly to pfSense WAN.

      How can I do it?

      • J Online
        johnpoz LAYER 8 Global Moderator
        last edited by Jul 6, 2018, 10:44 AM

        You don't need to..

        • J Offline
          joedoe
          last edited by Jul 6, 2018, 10:46 AM

          @johnpoz said in TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity):

          You don't need to..

          OK, I just disabled the restriction concerning rfc1918 and nothing changed.

          • J Online
            johnpoz LAYER 8 Global Moderator
            last edited by johnpoz Jul 6, 2018, 10:53 AM Jul 6, 2018, 10:48 AM

            Yes.. If you have some client on 192.168.0 and you want to connect to 192.168.0.50 to try and create a vpn connection to pfsense.. You're going to have to turn off that default block of rfc1918

            What is your lan network? What did you use for tunnel? You could still run into a problem with such a test if your lan behind pfsense is also 192.168.0? Or your tunnel network overlaps either your wan or lan network address space.

            BTW: Next time you want to draw some ascii art diagram

            https://textik.com/

            • V Offline
              viragomann @johnpoz
              last edited by Jul 6, 2018, 10:51 AM

              @johnpoz said in TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity):

              Where do you think he would need to forward anything?

              @viragomann said in TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity):

              Is your WAN IP a public static one?

              @joedoe said in TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity):

              And for your last question yes it's a static ip

              • J Offline
                joedoe
                last edited by Jul 6, 2018, 10:53 AM

                Ok

                My client (w10 x64) is connected to my cell phone with the IP address: 192.168.43.39/24

                And here is more information concerning the architecture:

                box : 192.168.0.254
                |
                |
                WAN1FREE : 192.168.0.50/24
                The tunnel network : 10.0.8.0/24
                LAN : 192.168.1.3/24
                |
                |
                ....

                • J Online
                  johnpoz LAYER 8 Global Moderator
                  last edited by Jul 6, 2018, 10:54 AM

                  And again what does his wan IP being static have to do with a forward? His test box is on 192.168.0 along with his pfsense wan?

                  • J Online
                    johnpoz LAYER 8 Global Moderator @joedoe
                    last edited by Jul 6, 2018, 10:56 AM

                    @joedoe said in TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity):

                    my cell phone with the IP address: 192.168.43.39/24

                    Huh??? Dude that is never going to work!!! How is some device out on the public internet?? Behind a Carrier grade nat going to get to a rfc1918 address? Your pfsense wan IP.. Is your cell phone on some wifi network that is routed to this 192.168.0 network??

                    Draw up where your cell phone is connecting and what this 192.168.0.254 box is???

                    • V Offline
                      viragomann @johnpoz
                      last edited by Jul 6, 2018, 10:59 AM

                      @johnpoz
                      If his pfSense is in a private network, but his WAN is a public address, there is obviously a router in front of it.
                      I didn't realize that's a test environment with private networks.

                      • J Offline
                        joedoe
                        last edited by Jul 6, 2018, 11:15 AM

                        @viragomann said in TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity):

                        @johnpoz
                        If his pfSense is in a private network, but his WAN is a public address, there is obviously a router in front of it.
                        I didn't realize that's a test environment with private networks.

                        Sorry, maybe I wasn't accurate enough.
                        I just want to create a vpn access to my network and I want to give access from the outside. (I'm pretty new in network configuration, I'm learning)
                        I just want to test and configure a vpn so I just link my computer

                        When I plug my computer to my box it works, I can go to my network now.
                        But I just tried to share my cell phone to my computer and it doesn't work.

                        0_1530875743400_3.PNG

                        • J Online
                          johnpoz LAYER 8 Global Moderator
                          last edited by Jul 6, 2018, 12:38 PM

                          Confused to what this box is? It's some router - where is its internet connection?

                          If you're on the internet you cannot connect to some rfc1918 address. You would have to connect to a public IP, which you could forward into pfsense sure.

                          • J Offline
                            joedoe
                            last edited by Jul 7, 2018, 6:11 AM

                            Yes it's a router, this box gives internet and has a public IP address.

                            • J Offline
                              joedoe
                              last edited by Jul 7, 2018, 7:24 AM

                              I just tried from my home and I can't connect to the vpn, I don't understand.

                              • J Online
                                johnpoz LAYER 8 Global Moderator
                                last edited by Jul 7, 2018, 10:16 AM

                                If you're on the internet how do you think you can connect to some rfc1918 address 192.168.x.x ??

                                When you create your export you need to put in your PUBLIC IP.. ie your ISP public IP, and the port you're using for openvpn would have to be forwarded to pfsense IP.

                                • V Offline
                                  viragomann @johnpoz
                                  last edited by Jul 7, 2018, 11:32 AM

                                  @johnpoz said in TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity):

                                  When you create your export you need to put in your PUBLIC IP.. ie your ISP public IP, and the port you're using for openvpn would have to be forwarded to pfsense IP.

                                  👏

                                  • J Online
                                    johnpoz LAYER 8 Global Moderator
                                    last edited by Jul 7, 2018, 1:11 PM

                                    BTW "box" is not a good term for your router ;)

                                    Normally box would refer to an end device, computer, iot, dvr, etc. Not a router doing nat ;)... Maybe if you would have called it your ISP box ;)

                                    • J Offline
                                      joedoe
                                      last edited by Jul 9, 2018, 6:37 AM

                                      @johnpoz said in TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity):

                                      When you create your export you need to put in your PUBLIC IP.. ie your ISP public IP, and the port you're using for openvpn would have to be forwarded to pfsense IP.

                                      Thank you for the reply: what is ISP public IP, is it the public IP?
                                      Could you tell me how to do that please?

                                      So sorry, in France we call the router that gives us internet: box.

                                      • G Offline
                                        Gertjan @joedoe
                                        last edited by Jul 9, 2018, 7:37 AM

                                        @joedoe said in TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity):

                                        in France we call the router that gives us internet: box.

                                        I'm using the same "box" (Livebox pro from Orange) as my up-stream "ISP router".
                                        I set its LAN IP to 192.168.10.1/24, handing over to pfSense an rfc1918 address like 192.168.10.9
                                        192.168.10.9 is my pfSense WAN IP - this means that "Block private networks and loopback addresses" shouldn't be checked on the pfSense WAN interface settings page.
                                        This is a typical router-after-router setup, quite common these days.

                                        To make the VPN work: you have to add a NAT rule in your "ISP BOX/router" for the VPN port, probably 1194, to the connected device called "pfSense", like:
                                        0_1531121703641_5323956d-11db-4fec-bbf2-28497141ffdc-image.png

                                        Your real WAN IP is https://whatismyipaddress.com/fr/mon-ip

                                        No "help me" PM's please. Use the forum, the community will thank you.
                                        Edit : and where are the logs ??

                                        • J Offline
                                          joedoe
                                          last edited by Jul 9, 2018, 8:23 AM

                                          Hello Gertjan,

                                          Thank you for the reply.

                                          I just added a NAT rule to my free box but nothing changed.
                                          And if I understand, I can connect to my local network because I don't use the good IP?
                                          In my configuration I've got: 192.168.0.50 1194 udp. Should I modify it and add my private IP?

                                          Here you can find the client configuration:
                                          dev tun
                                          persist-tun
                                          persist-key
                                          cipher AES-256-CBC
                                          ncp-ciphers AES-256-GCM:AES-128-GCM
                                          auth SHA1
                                          tls-client
                                          client
                                          resolv-retry infinite
                                          remote 192.168.0.50 1194 udp
                                          auth-user-pass
                                          ca pfSense-UDP4-1194-ca.crt
                                          tls-auth pfSense-UDP4-1194-tls.key 1
                                          remote-cert-tls server

                                          and my free nat

                                          0_1531124536449_Capture.PNG

                                          G 1 Reply Last reply Jul 9, 2018, 9:11 AM Reply Quote 0
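
A check for the two addressing problems raised in this thread (an RFC1918 `remote` in the exported client config, and tunnel/WAN/LAN networks that overlap), as an added example that is not from any poster. The function names are hypothetical, and the sample config and addresses are constructed from the values quoted in the posts above.

```python
import ipaddress

# Constructed sample: the client config and addressing quoted in the thread.
CLIENT_CONF = """dev tun
remote 192.168.0.50 1194 udp
auth-user-pass
remote-cert-tls server
"""
NETWORKS = {"wan": "192.168.0.50/24", "lan": "192.168.1.3/24",
            "tunnel": "10.0.8.0/24", "client": "192.168.43.39/24"}


def parse_remotes(conf):
    """Return (host, port, proto) for every 'remote' directive."""
    remotes = []
    for line in conf.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "remote":
            port = int(parts[2]) if len(parts) > 2 else 1194
            proto = parts[3] if len(parts) > 3 else "udp"
            remotes.append((parts[1], port, proto))
    return remotes


def unreachable_remotes(conf, client_cidr):
    """Private-address remotes that are not on the client's own subnet."""
    client_net = ipaddress.ip_interface(client_cidr).network
    bad = []
    for host, port, proto in parse_remotes(conf):
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            continue  # hostname: would need DNS, not checked here
        if addr.is_private and addr not in client_net:
            bad.append((host, port, proto))
    return bad


def overlapping(networks):
    """Pairs of named networks whose address ranges overlap."""
    nets = {n: ipaddress.ip_interface(c).network for n, c in networks.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


if __name__ == "__main__":
    print("unreachable:", unreachable_remotes(CLIENT_CONF, NETWORKS["client"]))
    print("overlaps:", overlapping(NETWORKS))
```

A client on the pfSense WAN subnet (the bench test with the RFC1918 block disabled) passes the first check, while the phone-tethered client at 192.168.43.39/24 does not.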