Netgate Discussion Forum

2.5 OpenVPN to 2.4.5 NCP Algorithms

2.5 Development Snapshots (Retired)
9 Posts, 3 Posters, 1.0k Views

chpalmer, Dec 2, 2020, 5:44 PM

I've got a 2.5 box in the lab here on its own WAN. I have my primary 2.4.5 box connected to the 2.5 box over an OpenVPN connection.

Using Shared Key.

Using NCP Algorithms = AES-256-CBC, the boxes will no longer connect to each other. (It's been a month or two. I have not worked with it since it stopped until now.)

Camellia-256-CBC does work, however. So I know it's not a config issue.

Triggering snowflakes one by one..
Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

jimp (Rebel Alliance Developer, Netgate), Dec 2, 2020, 7:51 PM

There isn't nearly enough information to go by here. It's highly unlikely to be a problem with just that one cipher.

Usually, though, in a case like that it turns out to be related to hardware crypto acceleration not working as expected with certain ciphers or certain key lengths.

So the first thing to look at is the hardware and what options you have enabled in that regard.

Also, use AES-128-GCM or AES-256-GCM if both sides support it (which, since both are pfSense, they do).

Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

Need help fast? Netgate Global Support!

Do not Chat/PM for help!

chpalmer, Dec 2, 2020, 11:10 PM (edited 11:12 PM)

Sure. Just set up a whole new tunnel.

Attachments: 2dot5testclient.jpg, 2dot4dot5serverside.jpg, Serverside2dot4dot5.jpg

Not working.

Dec 2 15:05:00 openvpn 49509 Bad compression stub (swap) decompression header byte: 40

Dec 2 15:05:00 openvpn 49509 Bad compression stub (swap) decompression header byte: 42

These two lines show up in the logs over and over.

Edit: I did go back and click the box on the client side, "Enable Negotiable Cryptographic Parameters".

I will do some more when I get back later. But as you can see, all my other tunnels work fine. This was working a couple of months ago. What else do you want to see?

jimp (Rebel Alliance Developer, Netgate), Dec 3, 2020, 1:37 PM

Those errors are from compression, not encryption. Make sure it's disabled on both.

chpalmer, Dec 3, 2020, 6:54 PM

Thanks Jimp! I'll get back to this over the weekend most likely.

Is there anything that would have changed on 2.5 that you know of that would have possibly defaulted to something other than what was set before? Updating from one snapshot to a later one caused me to lose the connection with no changes from me.

I would just like to know before I start updating to the 2.5 release when it happens. :)

jimp (Rebel Alliance Developer, Netgate), Dec 3, 2020, 6:55 PM

Not unless it was an older snapshot that didn't have OpenVPN 2.5.0 and now it does have OpenVPN 2.5.0 -- their defaults changed and behavior changed in various ways, especially with compression.

Rico (LAYER 8, Rebel Alliance), Dec 4, 2020, 2:29 PM

OpenVPN compression stuff has been a bit messy for some time. 😐

-Rico

jimp (Rebel Alliance Developer, Netgate) @Rico, Dec 4, 2020, 3:01 PM

@rico said in 2.5 OpenVPN to 2.4.5 NCP Algorithms:

    OpenVPN compression stuff has been a bit messy for some time. 😐

They have it pretty well straightened out in 2.5.0 from what I've seen.

Generally speaking, it should be off for everyone everywhere, since Compression+Encryption has been shown to be vulnerable to various attacks.

But on OpenVPN 2.5.0 they have a setting where it can accept compressed packets but it won't transmit them (so asymmetric), and it should interoperate with old clients while allowing them to transition to disabling encryption.

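Added here as an example (not code from the thread, pfSense or OpenVPN): a small Python triage for pfSense OpenVPN logs built around jimp's two points above, that the "Bad compression stub" lines are a compression framing mismatch rather than a cipher/NCP problem, and that the fix is to disable compression on both peers or have the 2.5 side accept but never send compressed packets (OpenVPN 2.5's "allow-compression asym", my identification of the setting he describes). The log format and the two compression lines are taken from the thread; the TLS line and its pid are constructed.

```python
import re
from collections import Counter, defaultdict

# pfSense OpenVPN log line, as quoted in the thread: "<Mon> <day> <HH:MM:SS> openvpn <pid> <message>"
LINE_RE = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d openvpn (?P<pid>\d+) (?P<msg>.*)$")

# First pattern: the message from the thread (OpenVPN's compression stub). Second: standard
# OpenVPN TLS/auth failure messages, so a key or cipher problem can be told apart from it.
CATEGORIES = (
    ("compression", re.compile(r"Bad compression stub .*header byte: (?P<byte>\d+)")),
    ("tls", re.compile(r"TLS Error|TLS key negotiation failed|AUTH_FAILED")),
)

def classify(msg):
    """Return (category, header_byte); header_byte is None unless it is a compression error."""
    for name, rx in CATEGORIES:
        m = rx.search(msg)
        if m:
            return name, (int(m.group("byte")) if name == "compression" else None)
    return "other", None

def summarize(lines):
    """Per OpenVPN instance (pid): category counts and the unexpected header bytes seen."""
    counts, header_bytes = defaultdict(Counter), defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an OpenVPN line in this format
        cat, byte = classify(m.group("msg"))
        counts[m.group("pid")][cat] += 1
        if byte is not None:
            header_bytes[m.group("pid")].add(byte)
    return counts, header_bytes

def diagnose(counts, header_bytes, pid):
    """Compression-stub errors mean the peers disagree on compression framing, not on ciphers."""
    c = counts.get(pid, Counter())
    if c["compression"] and not c["tls"]:
        return ("compression mismatch (header bytes %s): disable compression on both peers, or "
                "set allow-compression asym (accept, never send) on the OpenVPN 2.5 side"
                % sorted(header_bytes[pid]))
    if c["tls"]:
        return "TLS/auth failure: check keys, tls-auth and cipher/NCP settings"
    return "no known error pattern"

# Constructed sample: the two lines quoted in the thread plus a constructed TLS failure.
SAMPLE_LOG = [
    "Dec 2 15:05:00 openvpn 49509 Bad compression stub (swap) decompression header byte: 40",
    "Dec 2 15:05:00 openvpn 49509 Bad compression stub (swap) decompression header byte: 42",
    "Dec 2 15:06:10 openvpn 51220 TLS Error: TLS key negotiation failed to occur within 60 seconds",
]
```

Run summarize() over the lines of a pfSense OpenVPN log and diagnose() per pid; instance 49509 from the thread comes back as a compression mismatch, the constructed 51220 as a TLS failure.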
Rico (LAYER 8, Rebel Alliance), Dec 4, 2020, 3:21 PM

I never managed to disable compression with our type of traffic, tbh; still stuck with lz4-v2 and some sites comp-lzo.
The day I disabled it turned into a horror, with my phone ringing the whole day and people asking why the network is so terribly slow. 😖

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.