packet HMAC authentication failed on peer-to-peer (shared key)

carobell · Jul 18, 2018, 5:56 PM

I'm trying to join my network and a remote network together but for some reason it just does not want to go through. The status of the connection says it is "up" but status logs only give out "Authenticate/Decrypt packet error: packet HMAC authentication failed" on the server.
All the config match and rules were added on both side to let anything pass through the port (1195).

Client is also behind two gateways (double nat) but forwarding is done and everything seems to pass as it should (this cannot be changed) :

remoteip (goes to first gateway) > 192.168.2.190 (pfsense wan) > 192.168.3.1 (pfsense lan)

Server OpenVPN status :

Firewall UDP4:1195	up	Wed Jul 18 10:42:06 2018	10.10.10.1	clientip	7 KiB / 10 KiB

Server/client Wan rule :

	1 /30.86 MiB     IPv4 UDP	*	*	WAN address	1195	*	none

Server/client OpenVPN rule :

	8 /22.77 GiB     IPv4 *	*	*	*	*	*	none

Server NAT outbound

WAN	10.10.10.0/28 	*	*	*	WAN address	*

Sever logs :

Jul 18 10:42:26	openvpn	9130	Authenticate/Decrypt packet error: packet HMAC authentication failed
Jul 18 10:42:10	openvpn	9130	Authenticate/Decrypt packet error: packet HMAC authentication failed
Jul 18 10:42:09	openvpn	9130	WARNING: 'tun-ipv6' is present in remote config but missing in local config, remote='tun-ipv6'
Jul 18 10:42:06	openvpn	9130	Initialization Sequence Completed
Jul 18 10:42:06	openvpn	9130	WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Jul 18 10:42:06	openvpn	9130	Peer Connection Initiated with [AF_INET]clientip:5399
Jul 18 10:42:01	openvpn	9130	Authenticate/Decrypt packet error: packet HMAC authentication failed
Jul 18 10:41:59	openvpn	9130	UDPv4 link remote: [AF_UNSPEC]
Jul 18 10:41:59	openvpn	9130	UDPv4 link local (bound): [AF_INET]serverip:1195
Jul 18 10:41:59	openvpn	9130	/usr/local/sbin/ovpn-linkup ovpns3 1500 1560 10.10.10.1 10.10.10.2 init
Jul 18 10:41:59	openvpn	9130	/sbin/ifconfig ovpns3 10.10.10.1 10.10.10.2 mtu 1500 netmask 255.255.255.255 up
Jul 18 10:41:59	openvpn	9130	do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Jul 18 10:41:59	openvpn	9130	TUN/TAP device /dev/tun3 opened
Jul 18 10:41:59	openvpn	9130	TUN/TAP device ovpns3 exists previously, keep at program end
Jul 18 10:41:59	openvpn	9130	NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jul 18 10:41:59	openvpn	9096	library versions: OpenSSL 1.0.2m-freebsd 2 Nov 2017, LZO 2.10
Jul 18 10:41:59	openvpn	9096	OpenVPN 2.4.4 amd64-portbld-freebsd11.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Mar 16 2018
Jul 18 10:41:59	openvpn	9096	disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
Jul 18 10:41:59	openvpn	12190	SIGTERM[hard,] received, process exiting
Jul 18 10:41:59	openvpn	12190	/usr/local/sbin/ovpn-linkdown ovpns3 1500 1560 10.10.10.1 10.10.10.2 init
Jul 18 10:41:59	openvpn	12190	event_wait : Interrupted system call (code=4)

Client logs :

Jul 18 08:01:11 openvpn 64579 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jul 18 08:01:11 openvpn 64579 Re-using pre-shared static key
Jul 18 08:01:11 openvpn 64579 Preserving previous TUN/TAP instance: ovpnc1
Jul 18 08:01:11 openvpn 64579 UDPv4 link local (bound): [AF_INET]192.168.2.190
Jul 18 08:01:11 openvpn 64579 UDPv4 link remote: [AF_INET]serverip:1195
Jul 18 08:01:16 openvpn 64579 Peer Connection Initiated with [AF_INET]serverip:1195
Jul 18 08:01:16 openvpn 64579 Initialization Sequence Completed
Jul 18 08:01:21 openvpn 64579 WARNING: &#39;tun-ipv6&#39; is present in local config but missing in remote config, local=&#39;tun-ipv6&#39;

Server conf file :

dev ovpns3
verb 1
dev-type tun
dev-node /dev/tun3
writepid /var/run/openvpn_server3.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp4
cipher AES-256-CBC
auth SHA1
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local serverip
ifconfig 10.10.10.1 10.10.10.2
lport 1195
management /var/etc/openvpn/server3.sock unix
max-clients 1
route 192.168.3.0 255.255.255.0
route 192.168.2.0 255.255.255.0
secret /var/etc/openvpn/server3.secret

Client conf :

dev ovpnc1
verb 1
dev-type tun
tun-ipv6
dev-node /dev/tun1
writepid /var/run/openvpn_client1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-256-CBC
auth SHA1
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 192.168.2.190
lport 0
management /var/etc/openvpn/client1.sock unix
remote serverip 1195
ifconfig 10.10.10.2 10.10.10.1
route 172.16.0.0 255.255.254.0
secret /var/etc/openvpn/client1.secret
resolv-retry infinite

EDIT: Both shared keys are identical (checked 2017-07-18 1:56PM)

jimp · Jul 18, 2018, 4:05 PM

Are you certain both systems are using the exact same shared key? That's the easiest way to get that error.

carobell · Jul 18, 2018, 5:56 PM

@jimp said in packet HMAC authentication failed on peer-to-peer (shared key):

Are you certain both systems are using the exact same shared key? That's the easiest way to get that error.

I'm waiting to get the file from the client, but last time I checked (2 weeks ago when we first brought it online) they were the same.

EDIT: Checked and both are identical.