Cipher problem when connecting from Android
-
OpenVPN for Android (client) is trying to connect to pfsense (OpenVPN server).
I have pfsense 2.4.5-release-p1 and in System -> Advanced -> Miscellaneous, Cryptographic Hardware is "None".
Connecting gives an error on the Android client: "ERROR: failed to negotiate cipher with server. Add the server's cipher ('AES-128-CBC') to --data-ciphers (currently 'AES-128-GCM') if you want to connect to this server"
OpenVPN for Android is 0.7.21 and has the ciphers in the following order:
AES-256-GCM
AES-128-GCM
AES-128-CBC
As I understand it, I already have AES-128-CBC in the client.
What should be changed to get a connection?
Not an expert on OpenVPN ... just a user ...
-
On the server side, make sure NCP is enabled and make sure you have those three ciphers added to the NCP list, not just picked as the encryption algorithm.
OpenVPN 2.5.0 changed a bit about how those ciphers are negotiated, but usually it's more forgiving than that. I made a bunch of changes for pfSense 2.5.0 and OpenVPN 2.5.0 to make that better.
-
As you can see, I have NCP enabled and the three ciphers added (attached pfsense.jpg).
Still I don't get the connection to work ... error messages from the logfile in OpenVPN for Android:
ERROR: Failed to apply push options
OPTIONS ERROR: failed to negotiate cipher with server. Add the server's cipher ('AES-128-CBC') to --data-ciphers (currently 'AES-128-GCM') if you want to connect to this server.
-
Problem solved.
After I enabled NCP and added ncp-ciphers AES-256-GCM:AES-128-GCM:AES-128-CBC I forgot to create a new client certificate ... my mistake.
Creating a new client certificate got me connected.
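
Added example, not part of the thread and not code from OpenVPN or pfSense: a small check that reads the error quoted above, extracts the server's cipher and the `--data-ciphers` list the client actually ran with, and compares that with the list the user expects to be active. The function names and the `INTENDED` list are assumptions for illustration; the log line is copied from the post.

```python
import re

# Matches the OpenVPN client error quoted in the thread.
ERR = re.compile(
    r"Add the server's cipher \('(?P<server>[^']+)'\) to --data-ciphers "
    r"\(currently '(?P<current>[^']*)'\)"
)

def parse_cipher_error(log_text):
    """Return (server_cipher, effective_client_list), or None if the error is absent."""
    m = ERR.search(log_text)
    if m is None:
        return None
    current = [c.upper() for c in m.group("current").split(":") if c]
    return m.group("server").upper(), current

def diagnose(log_text, intended):
    """Compare the list the client really used with the list the user expects.

    intended: ciphers the user believes are configured (assumption: read from
    the client UI or the exported profile).
    """
    parsed = parse_cipher_error(log_text)
    if parsed is None:
        return None
    server, current = parsed
    not_applied = [c for c in (x.upper() for x in intended) if c not in current]
    # Keep the current order and append the server's cipher, as the message asks.
    suggested = current + ([server] if server not in current else [])
    return {
        "server_cipher": server,
        "effective": current,
        "not_applied": not_applied,
        "effective_differs_from_intended": bool(not_applied),
        "suggested_data_ciphers": ":".join(suggested),
    }

# Log line copied from the thread; INTENDED is the order the poster listed.
SAMPLE_LOG = ("OPTIONS ERROR: failed to negotiate cipher with server. Add the "
              "server's cipher ('AES-128-CBC') to --data-ciphers (currently "
              "'AES-128-GCM') if you want to connect to this server.")
INTENDED = ["AES-256-GCM", "AES-128-GCM", "AES-128-CBC"]

if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_LOG, INTENDED).items():
        print(f"{key}: {value}")
```

When `effective_differs_from_intended` is true, the profile the client loaded does not carry the cipher list shown in the UI or on the server, so the place to look is the client profile itself.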