Cipher problem when connecting from Android
-
OpenVPN for Android (client) is trying to connect to pfsense (OpenVPN server).
I have pfsense 2.4.5-release-p1 and in System -> Advanced -> Miscellaneous, Cryptographic Hardware is "None".
Connecting gives an error on Android client:"ERROR: failed to negotiate cipher with server. Add the server's cipher ('AES-128-CBC') to --data-ciphers (currently 'AES-128-GCM') if you want to connect to this server"
OpenVPN for Android is 0.7.21 and have ciphers in following order:
AES-256-GCM
AES-128-GCM
AES-128-CBCAs I understand I already have AES-128-CBC in the client.
What should be changed to get a connection?
Not an expert on OpenVPN ... just a user ... -
On the server side, make sure NCP is enabled and make sure you have those three ciphers added to the NCP list, not just picked as the encryption algorithm.
OpenVPN 2.5.0 changed a bit about how those ciphers are negotiated, but usually it's more forgiving than that. I made a bunch of changes for pfSense 2.5.0 and OpenVPN 2.5.0 to make that better.
-
As you can see I have NCP enabled and the three ciphers added (attached pfsense.jpg) 
Still I dont't get connection to work ... error messages from logfile in OpenVPN for Android:ERROR: Failed to apply push options
OPTIONS ERROR: failed to negotiate cipher with server. Add the server's cipher ('AES-128-CBC') to --data-ciphers (currently 'AES-128-GCM') if you want to connect to this server. -
This post is deleted! -
Problem solved.
After I enabled NCP and added ncp-ciphers AES-256-GCM:AES-128-GCM:AES-128-CBC I forgot to create a new client certificate ... my mistake.
Creating a new client certificate got me connected.
