Netgate Discussion Forum
    AEAD Decrypt error: cipher final failed - after 2.6.0 to 2.7.2 Update

    Scheduled Pinned Locked Moved OpenVPN
    2 Posts 2 Posters 1.3k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
fholzer (last edited by fholzer):

      I had a "weird" problem today with OpenVPN / S2S (/30 separated).
      Maybe I ran into a bug...

      Updated the main pfSense from 2.6.0 to 2.7.2.
      4 sites also from 2.6.0 to 2.7.2.
      1 site was still running on 2.6.0.

      The 2.7.2 sites all had the error: "AEAD Decrypt error: cipher final failed" after the update.
      The 2.6.0 site was still up and running → no errors.

      So I checked the ciphers and the configuration ... in the past it was old ciphers or a "weird" combination/fallback.

      Adjusted a lot, tried a lot:

      • Different TLS Key Usage Mode, TLS Keydir directions, ...
      • Different Data Encryption Algorithms, None Fallback, other Fallback,
      • Different Auth digest algorithm from SHA-1 to SHA384, ...
      • Different Custom Options from setenv disable-dco 1, over mtu settings, mssfix, ...

      The interesting part → I changed these settings on the 2.7.2 server, the 2.7.2 client side, and on the 2.6.0 client side (just to make sure - since it should work on both, the old and new versions).

      The 2.6.0 client always worked with every cipher/combination I tried. (which should work in my brain)
      The 2.7.2 client never worked. Always the "AEAD Decrypt error: cipher final failed" error.

      A small log:

      Mar 3 16:39:21	openvpn	47146	Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bits RSA, signature: RSA-SHA256, peer temporary key: 253 bits X25519
      Mar 3 16:39:21	openvpn	47146	[vpn.xxxx.xx] Peer Connection Initiated with [AF_INET]xx.83.xx.206:1194
      Mar 3 16:39:21	openvpn	47146	TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
      Mar 3 16:39:21	openvpn	47146	TLS: tls_multi_process: initial untrusted session promoted to trusted
      Mar 3 16:39:22	openvpn	47146	Data Channel MTU parms [ mss_fix:1403 max_frag:0 tun_mtu:1500 tun_max_mtu:1600 headroom:136 payload:1768 tailroom:562 ET:0 ]
      Mar 3 16:39:22	openvpn	47146	Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
      Mar 3 16:39:22	openvpn	47146	Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
      Mar 3 16:39:22	openvpn	47146	Initialization Sequence Completed
      Mar 3 16:39:22	openvpn	47146	Data Channel: cipher 'AES-256-GCM'
      Mar 3 16:39:22	openvpn	47146	Timers: ping 10, ping-restart 60
      Mar 3 16:39:31	openvpn	47146	AEAD Decrypt error: cipher final failed

      the "solution":

      So in the end i added a pull in the "Custom options" Field (cause i thought ... why not ...) and the 2.7.2 client started to work again.
      No error in the logs, i can reach the remote site again.

      removing the pull -> error is back.

      ====

      If the openvpn is in client mode, shouldn't it use pull on its own?!

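A log check for the failure pattern described in this post, added here as an example and not part of the thread: it parses pfSense-style OpenVPN log lines (date, process, pid, message separated by tabs) and reports, per OpenVPN process, which sessions negotiated a data-channel cipher and completed initialization but then hit "AEAD Decrypt error". The sample lines are constructed after the log above; the second pid is made up to show a healthy session.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the log posted in the thread (pid 51230 is invented).
SAMPLE_LOG = """\
Mar 3 16:39:21\topenvpn\t47146\tControl Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bits RSA, signature: RSA-SHA256, peer temporary key: 253 bits X25519
Mar 3 16:39:22\topenvpn\t47146\tOutgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mar 3 16:39:22\topenvpn\t47146\tInitialization Sequence Completed
Mar 3 16:39:31\topenvpn\t47146\tAEAD Decrypt error: cipher final failed
Mar 3 16:39:41\topenvpn\t47146\tAEAD Decrypt error: cipher final failed
Mar 3 16:40:02\topenvpn\t51230\tOutgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Mar 3 16:40:02\topenvpn\t51230\tInitialization Sequence Completed
"""

# One pfSense log line: "<Mon d HH:MM:SS>\t<process>\t<pid>\t<message>"
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)\t(?P<proc>\S+)\t(?P<pid>\d+)\t(?P<msg>.*)$")
CIPHER_RE = re.compile(r"Data Channel: Cipher '(?P<cipher>[^']+)' initialized")


def analyse(log_text):
    """Return per-pid state: negotiated cipher, whether init completed,
    number of AEAD decrypt errors seen after init, and the first error time."""
    sessions = defaultdict(lambda: {"cipher": None, "initialized": False,
                                    "aead_errors_after_init": 0, "first_error": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["proc"] != "openvpn":
            continue  # skip malformed or non-OpenVPN lines
        s, msg = sessions[m["pid"]], m["msg"]
        c = CIPHER_RE.search(msg)
        if c:
            s["cipher"] = c["cipher"]
        elif msg == "Initialization Sequence Completed":
            s["initialized"] = True
        elif s["initialized"] and msg.startswith("AEAD Decrypt error"):
            # Tunnel came up, then the data channel could not authenticate packets:
            # the symptom in this thread (key-direction / pushed-options mismatch).
            s["aead_errors_after_init"] += 1
            s["first_error"] = s["first_error"] or m["ts"]
    return dict(sessions)


def suspect_sessions(log_text):
    """PIDs whose tunnel initialized but then failed AEAD decryption."""
    return [pid for pid, s in analyse(log_text).items()
            if s["initialized"] and s["aead_errors_after_init"] > 0]


if __name__ == "__main__":
    for pid, s in analyse(SAMPLE_LOG).items():
        print(pid, s["cipher"], "errors after init:", s["aead_errors_after_init"], s["first_error"])
```

Feeding the full OpenVPN log of each site through `suspect_sessions` separates "TLS never came up" cases from the post's pattern, where control channel and cipher negotiation succeed and only the data channel fails.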
      allxi @fholzer:

        @fholzer I have re-generated all certificates to the 2.7.0 version. There are still fixes: https://github.com/pfsense/pfsense/commit/48cf54f850c5bf4fe26a8e33deb449807e71c204.patch [PATCH] OpenVPN Enforce key usage option fix. Issue #13056, Fix OpenVPN forming invalid route statements for empty local networks (After applying, edit/save affected entries or reboot, Redmine #14919). Use IP/system_patches.php

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.