packet HMAC authentication failed on peer-to-peer (shared key)



  • I'm trying to join my network and a remote network together but for some reason it just does not want to go through. The status of the connection says it is "up" but status logs only give out "Authenticate/Decrypt packet error: packet HMAC authentication failed" on the server.
    All the configs match, and rules were added on both sides to let anything pass through the port (1195).

    The client is also behind two gateways (double NAT), but forwarding is done and everything seems to pass as it should (this cannot be changed):

    remoteip (goes to first gateway) > 192.168.2.190 (pfsense wan) > 192.168.3.1 (pfsense lan)
    

    Server OpenVPN status:

    Firewall UDP4:1195	up	Wed Jul 18 10:42:06 2018	10.10.10.1	clientip	7 KiB / 10 KiB
    

    Server/client WAN rule:

    	1 /30.86 MiB     IPv4 UDP	*	*	WAN address	1195	*	none	 	   
    

    Server/client OpenVPN rule:

    	8 /22.77 GiB     IPv4 *	*	*	*	*	*	none	 	   
    

    Server NAT outbound:

    WAN	10.10.10.0/28 	*	*	*	WAN address	*		
    

    Server logs:

    Jul 18 10:42:26	openvpn	9130	Authenticate/Decrypt packet error: packet HMAC authentication failed
    Jul 18 10:42:10	openvpn	9130	Authenticate/Decrypt packet error: packet HMAC authentication failed
    Jul 18 10:42:09	openvpn	9130	WARNING: 'tun-ipv6' is present in remote config but missing in local config, remote='tun-ipv6'
    Jul 18 10:42:06	openvpn	9130	Initialization Sequence Completed
    Jul 18 10:42:06	openvpn	9130	WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Jul 18 10:42:06	openvpn	9130	Peer Connection Initiated with [AF_INET]clientip:5399
    Jul 18 10:42:01	openvpn	9130	Authenticate/Decrypt packet error: packet HMAC authentication failed
    Jul 18 10:41:59	openvpn	9130	UDPv4 link remote: [AF_UNSPEC]
    Jul 18 10:41:59	openvpn	9130	UDPv4 link local (bound): [AF_INET]serverip:1195
    Jul 18 10:41:59	openvpn	9130	/usr/local/sbin/ovpn-linkup ovpns3 1500 1560 10.10.10.1 10.10.10.2 init
    Jul 18 10:41:59	openvpn	9130	/sbin/ifconfig ovpns3 10.10.10.1 10.10.10.2 mtu 1500 netmask 255.255.255.255 up
    Jul 18 10:41:59	openvpn	9130	do_ifconfig, tt->did_ifconfig_ipv6_setup=0
    Jul 18 10:41:59	openvpn	9130	TUN/TAP device /dev/tun3 opened
    Jul 18 10:41:59	openvpn	9130	TUN/TAP device ovpns3 exists previously, keep at program end
    Jul 18 10:41:59	openvpn	9130	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Jul 18 10:41:59	openvpn	9096	library versions: OpenSSL 1.0.2m-freebsd 2 Nov 2017, LZO 2.10
    Jul 18 10:41:59	openvpn	9096	OpenVPN 2.4.4 amd64-portbld-freebsd11.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Mar 16 2018
    Jul 18 10:41:59	openvpn	9096	disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
    Jul 18 10:41:59	openvpn	12190	SIGTERM[hard,] received, process exiting
    Jul 18 10:41:59	openvpn	12190	/usr/local/sbin/ovpn-linkdown ovpns3 1500 1560 10.10.10.1 10.10.10.2 init
    Jul 18 10:41:59	openvpn	12190	event_wait : Interrupted system call (code=4)
    

    Client logs:

    Jul 18 08:01:11 openvpn 64579 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Jul 18 08:01:11 openvpn 64579 Re-using pre-shared static key
    Jul 18 08:01:11 openvpn 64579 Preserving previous TUN/TAP instance: ovpnc1
    Jul 18 08:01:11 openvpn 64579 UDPv4 link local (bound): [AF_INET]192.168.2.190
    Jul 18 08:01:11 openvpn 64579 UDPv4 link remote: [AF_INET]serverip:1195
    Jul 18 08:01:16 openvpn 64579 Peer Connection Initiated with [AF_INET]serverip:1195
    Jul 18 08:01:16 openvpn 64579 Initialization Sequence Completed
    Jul 18 08:01:21 openvpn 64579 WARNING: 'tun-ipv6' is present in local config but missing in remote config, local='tun-ipv6'
    

    Server conf file:

    dev ovpns3
    verb 1
    dev-type tun
    dev-node /dev/tun3
    writepid /var/run/openvpn_server3.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp4
    cipher AES-256-CBC
    auth SHA1
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local serverip
    ifconfig 10.10.10.1 10.10.10.2
    lport 1195
    management /var/etc/openvpn/server3.sock unix
    max-clients 1
    route 192.168.3.0 255.255.255.0
    route 192.168.2.0 255.255.255.0
    secret /var/etc/openvpn/server3.secret 
    

    Client conf file:

    dev ovpnc1
    verb 1
    dev-type tun
    tun-ipv6
    dev-node /dev/tun1
    writepid /var/run/openvpn_client1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    cipher AES-256-CBC
    auth SHA1
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local 192.168.2.190
    lport 0
    management /var/etc/openvpn/client1.sock unix
    remote serverip 1195
    ifconfig 10.10.10.2 10.10.10.1
    route 172.16.0.0 255.255.254.0
    secret /var/etc/openvpn/client1.secret
    resolv-retry infinite
    

    EDIT: Both shared keys are identical (checked 2017-07-18 1:56PM)
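To make the failing check concrete, here is an added example (not code from the post, from pfSense, or from OpenVPN itself) that models how a static-key (`secret`) peer authenticates a data packet. The configs above use `secret <file>` with no key direction, so both sides use the same key slot for sending and receiving. The model assumes the layout as I understand OpenVPN 2.x's CBC data channel: the 2048-bit key file holds four 64-byte slots (cipher0, hmac0, cipher1, hmac1), the HMAC key is the first digest-size bytes of the hmac slot, and a packet is `HMAC || IV || ciphertext` with the HMAC computed over `IV || ciphertext`. Treat those as this example's assumptions rather than a spec quote. The key files, the `exchange()` helper and the opaque stand-in for the ciphertext are constructed for the demo; no real key material is used.

```python
"""Model of OpenVPN static-key (--secret) data-channel authentication.

Added example, not OpenVPN's own code. Layout assumptions (as understood
from OpenVPN 2.x, CBC cipher + --auth): key file = 4 x 64-byte slots
(cipher0, hmac0, cipher1, hmac1); no key direction -> both peers use slot
pair 0 both ways; HMAC key = first digest-size bytes of the hmac slot;
packet = HMAC || IV || ciphertext, HMAC over IV || ciphertext.
"""
import hashlib
import hmac
import os
import re

BEGIN = "-----BEGIN OpenVPN Static key V1-----"
END = "-----END OpenVPN Static key V1-----"
SLOT = 64  # bytes per slot; 4 slots = 256 bytes = "2048 bit" static key


def parse_static_key(text: str) -> bytes:
    """Return the 256 raw key bytes from an OpenVPN static key file body."""
    lines = [l.strip() for l in text.splitlines()]
    lines = [l for l in lines if l and not l.startswith("#")]  # skip comments
    if not lines or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("missing OpenVPN Static key V1 header/footer")
    hexbody = "".join(lines[1:-1])
    if not re.fullmatch(r"[0-9a-fA-F]{512}", hexbody):
        raise ValueError("key body is not 512 hex digits (256 bytes)")
    return bytes.fromhex(hexbody)


def fingerprint(text: str) -> str:
    """SHA-256 of the raw key bytes; compare this value across both peers."""
    return hashlib.sha256(parse_static_key(text)).hexdigest()


def hmac_keys(raw: bytes, auth: str, direction=None):
    """(send_key, recv_key) for a peer. direction None = bidirectional
    (slot pair 0 both ways, i.e. 'secret file'); 0 = send with pair 0 and
    receive with pair 1 ('secret file 0'); 1 = the reverse ('secret file 1')."""
    n = hashlib.new(auth).digest_size
    h0 = raw[1 * SLOT:2 * SLOT][:n]  # hmac slot of key pair 0
    h1 = raw[3 * SLOT:4 * SLOT][:n]  # hmac slot of key pair 1
    if direction is None:
        return h0, h0
    if direction == 0:
        return h0, h1
    if direction == 1:
        return h1, h0
    raise ValueError("direction must be None, 0 or 1")


def seal(payload: bytes, send_key: bytes, auth: str) -> bytes:
    """Build HMAC || IV || body. The body is an opaque stand-in for the
    ciphertext (constructed; encryption is outside this example's scope)."""
    iv = os.urandom(16)
    body = iv + payload
    return hmac.new(send_key, body, auth).digest() + body


def verify(packet: bytes, recv_key: bytes, auth: str) -> bool:
    """The receiver-side check whose failure OpenVPN logs as
    'Authenticate/Decrypt packet error: packet HMAC authentication failed'."""
    n = hashlib.new(auth).digest_size
    tag, body = packet[:n], packet[n:]
    return hmac.compare_digest(tag, hmac.new(recv_key, body, auth).digest())


def exchange(client, server):
    """Send one packet each way. client/server = (key_text, auth, direction).
    Returns (client_to_server_ok, server_to_client_ok)."""
    ck, ca, cd = client
    sk, sa, sd = server
    c_send, c_recv = hmac_keys(parse_static_key(ck), ca, cd)
    s_send, s_recv = hmac_keys(parse_static_key(sk), sa, sd)
    c2s = verify(seal(b"ping", c_send, ca), s_recv, sa)
    s2c = verify(seal(b"ping", s_send, sa), c_recv, ca)
    return c2s, s2c


def constructed_key_text(seed: str) -> str:
    """Constructed demo key in OpenVPN's file layout (NOT a real deployed key)."""
    raw = b"".join(hashlib.sha256(f"{seed}:{i}".encode()).digest() for i in range(8))
    hexs = raw.hex()
    body = "\n".join(hexs[i:i + 32] for i in range(0, 512, 32))
    return f"#\n# Constructed 2048 bit OpenVPN static key (demo)\n#\n{BEGIN}\n{body}\n{END}\n"


KEY_A = constructed_key_text("site-A")  # constructed, stands in for a shared key
KEY_B = constructed_key_text("site-B")  # constructed, a different key

if __name__ == "__main__":
    print("fingerprint A:", fingerprint(KEY_A))
    print("same key, no direction      :", exchange((KEY_A, "sha1", None), (KEY_A, "sha1", None)))
    print("different keys              :", exchange((KEY_A, "sha1", None), (KEY_B, "sha1", None)))
    print("dir 1 vs dir 0 (correct pair):", exchange((KEY_A, "sha1", 1), (KEY_A, "sha1", 0)))
    print("dir 0 vs no direction       :", exchange((KEY_A, "sha1", 0), (KEY_A, "sha1", None)))
    print("auth sha256 vs sha1         :", exchange((KEY_A, "sha256", None), (KEY_A, "sha1", None)))
```

Running `fingerprint()` over the two files named in the configs (`/var/etc/openvpn/server3.secret` and `/var/etc/openvpn/client1.secret`) gives a single value to compare instead of eyeballing 512 hex digits. The `exchange()` table also shows what each kind of mismatch looks like: a different key or a different `auth` digest fails in both directions, while a key-direction mismatch (`secret file 0` on one side, no direction on the other) can fail in one direction only, so only one peer logs the HMAC error.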


  • Rebel Alliance Developer Netgate

    Are you certain both systems are using the exact same shared key? That's the easiest way to get that error.



  • @jimp said in packet HMAC authentication failed on peer-to-peer (shared key):

    Are you certain both systems are using the exact same shared key? That's the easiest way to get that error.

    I'm waiting to get the file from the client, but last time I checked (2 weeks ago when we first brought it online) they were the same.

    EDIT: Checked and both are identical.