packet HMAC authentication failed on peer-to-peer (shared key)
-
I'm trying to join my network and a remote network together but for some reason it just does not want to go through. The status of the connection says it is "up" but status logs only give out "Authenticate/Decrypt packet error: packet HMAC authentication failed" on the server.
All the configs match and rules were added on both sides to let anything pass through the port (1195). The client is also behind two gateways (double NAT), but forwarding is done and everything seems to pass as it should (this cannot be changed):
remoteip (goes to first gateway) > 192.168.2.190 (pfsense wan) > 192.168.3.1 (pfsense lan)
Server OpenVPN status :
Firewall UDP4:1195 up Wed Jul 18 10:42:06 2018 10.10.10.1 clientip 7 KiB / 10 KiB
Server/client Wan rule :
1 /30.86 MiB IPv4 UDP * * WAN address 1195 * none
Server/client OpenVPN rule :
8 /22.77 GiB IPv4 * * * * * * none
Server NAT outbound
WAN 10.10.10.0/28 * * * WAN address *
Server logs:
Jul 18 10:42:26 openvpn 9130 Authenticate/Decrypt packet error: packet HMAC authentication failed
Jul 18 10:42:10 openvpn 9130 Authenticate/Decrypt packet error: packet HMAC authentication failed
Jul 18 10:42:09 openvpn 9130 WARNING: 'tun-ipv6' is present in remote config but missing in local config, remote='tun-ipv6'
Jul 18 10:42:06 openvpn 9130 Initialization Sequence Completed
Jul 18 10:42:06 openvpn 9130 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Jul 18 10:42:06 openvpn 9130 Peer Connection Initiated with [AF_INET]clientip:5399
Jul 18 10:42:01 openvpn 9130 Authenticate/Decrypt packet error: packet HMAC authentication failed
Jul 18 10:41:59 openvpn 9130 UDPv4 link remote: [AF_UNSPEC]
Jul 18 10:41:59 openvpn 9130 UDPv4 link local (bound): [AF_INET]serverip:1195
Jul 18 10:41:59 openvpn 9130 /usr/local/sbin/ovpn-linkup ovpns3 1500 1560 10.10.10.1 10.10.10.2 init
Jul 18 10:41:59 openvpn 9130 /sbin/ifconfig ovpns3 10.10.10.1 10.10.10.2 mtu 1500 netmask 255.255.255.255 up
Jul 18 10:41:59 openvpn 9130 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Jul 18 10:41:59 openvpn 9130 TUN/TAP device /dev/tun3 opened
Jul 18 10:41:59 openvpn 9130 TUN/TAP device ovpns3 exists previously, keep at program end
Jul 18 10:41:59 openvpn 9130 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jul 18 10:41:59 openvpn 9096 library versions: OpenSSL 1.0.2m-freebsd 2 Nov 2017, LZO 2.10
Jul 18 10:41:59 openvpn 9096 OpenVPN 2.4.4 amd64-portbld-freebsd11.1 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Mar 16 2018
Jul 18 10:41:59 openvpn 9096 disabling NCP mode (--ncp-disable) because not in P2MP client or server mode
Jul 18 10:41:59 openvpn 12190 SIGTERM[hard,] received, process exiting
Jul 18 10:41:59 openvpn 12190 /usr/local/sbin/ovpn-linkdown ovpns3 1500 1560 10.10.10.1 10.10.10.2 init
Jul 18 10:41:59 openvpn 12190 event_wait : Interrupted system call (code=4)
Client logs :
Jul 18 08:01:11 openvpn 64579 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jul 18 08:01:11 openvpn 64579 Re-using pre-shared static key
Jul 18 08:01:11 openvpn 64579 Preserving previous TUN/TAP instance: ovpnc1
Jul 18 08:01:11 openvpn 64579 UDPv4 link local (bound): [AF_INET]192.168.2.190
Jul 18 08:01:11 openvpn 64579 UDPv4 link remote: [AF_INET]serverip:1195
Jul 18 08:01:16 openvpn 64579 Peer Connection Initiated with [AF_INET]serverip:1195
Jul 18 08:01:16 openvpn 64579 Initialization Sequence Completed
Jul 18 08:01:21 openvpn 64579 WARNING: 'tun-ipv6' is present in local config but missing in remote config, local='tun-ipv6'
Server conf file :
dev ovpns3
verb 1
dev-type tun
dev-node /dev/tun3
writepid /var/run/openvpn_server3.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp4
cipher AES-256-CBC
auth SHA1
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local serverip
ifconfig 10.10.10.1 10.10.10.2
lport 1195
management /var/etc/openvpn/server3.sock unix
max-clients 1
route 192.168.3.0 255.255.255.0
route 192.168.2.0 255.255.255.0
secret /var/etc/openvpn/server3.secret
Client conf :
dev ovpnc1
verb 1
dev-type tun
tun-ipv6
dev-node /dev/tun1
writepid /var/run/openvpn_client1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-256-CBC
auth SHA1
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 192.168.2.190
lport 0
management /var/etc/openvpn/client1.sock unix
remote serverip 1195
ifconfig 10.10.10.2 10.10.10.1
route 172.16.0.0 255.255.254.0
secret /var/etc/openvpn/client1.secret
resolv-retry infinite
EDIT: Both shared keys are identical (checked 2017-07-18 1:56PM)
-
Are you certain both systems are using the exact same shared key? That's the easiest way to get that error.
-
@jimp said in packet HMAC authentication failed on peer-to-peer (shared key):
Are you certain both systems are using the exact same shared key? That's the easiest way to get that error.
I'm waiting to get the file from the client, but last time I checked (2 weeks ago when we first brought it online) they were the same.
EDIT: Checked and both are identical.
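
Added example, not part of any post in this thread: one way to answer the "exact same shared key" question without sending the key itself between sites is to compare a SHA-256 fingerprint of the decoded key bytes, so that comment lines, line endings and hex case cannot hide or fake a difference. It assumes the usual "OpenVPN Static key V1" file layout (2048-bit key as hex rows); the function names and the sample key are constructed for illustration.

```python
import hashlib
import hmac
import re
import sys

BEGIN = "-----BEGIN OpenVPN Static key V1-----"
END = "-----END OpenVPN Static key V1-----"
KEY_BYTES = 256  # assumption: standard 2048-bit static key

def parse_static_key(text):
    """Return the raw key bytes from the text of a static key file."""
    lines = [ln.strip() for ln in text.splitlines()]  # tolerates CRLF and padding
    try:
        start, end = lines.index(BEGIN), lines.index(END)
    except ValueError:
        raise ValueError("BEGIN/END markers not found")
    hex_body = "".join(lines[start + 1:end])
    if not re.fullmatch(r"[0-9a-fA-F]*", hex_body):
        raise ValueError("non-hex characters inside key body")
    key = bytes.fromhex(hex_body)
    if len(key) != KEY_BYTES:  # catches a row lost while copying the key
        raise ValueError(f"expected {KEY_BYTES} key bytes, got {len(key)}")
    return key

def fingerprint(text):
    """SHA-256 of the key bytes; safe to read out or send to the other site."""
    return hashlib.sha256(parse_static_key(text)).hexdigest()

def same_key(a_text, b_text):
    """Constant-time comparison of two key files held on the same host."""
    return hmac.compare_digest(parse_static_key(a_text), parse_static_key(b_text))

def wrap_key(hex_body, newline="\n"):
    """Build a key file from hex (used only for the constructed samples)."""
    rows = [hex_body[i:i + 32] for i in range(0, len(hex_body), 32)]
    head = ["#", "# 2048 bit OpenVPN static key", "#", BEGIN]
    return newline.join(head + rows + [END, ""])

# Constructed sample key, not a real secret.
SAMPLE_HEX = bytes(range(256)).hex()
SERVER_COPY = wrap_key(SAMPLE_HEX)
CLIENT_COPY = wrap_key(SAMPLE_HEX.upper(), "\r\n")  # same key, other formatting
TRUNCATED_COPY = SERVER_COPY.replace(SAMPLE_HEX[:32] + "\n", "", 1)  # row lost

if __name__ == "__main__":
    # Usage: run on each firewall against its own .secret file, compare output.
    for path in sys.argv[1:]:
        with open(path) as fh:
            print(fingerprint(fh.read()), path)
```

Run it on the server against /var/etc/openvpn/server3.secret and on the client against /var/etc/openvpn/client1.secret; matching fingerprints mean the key bytes are identical.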