TLS handshake failed / OpenVPN with NetworkManager



  • hello,

    i am trying to get a VPN setup between my pfsense-1.2.3 boxes and a debian lenny client using NetworkManager.

    i followed this guide to create the CA, server, and client certificates and keys:

    http://thegoldenear.org/toolbox/unices/pfsense-1.2-openvpn-certificates-keys.html#client-certs

    my VPN settings in pfsense:

    
    protocol: UDP
    local port: something random
    address pool: new /24 subnet
    local network: my LAN subnet
    cryptography: AES-128-CBC
    authentication method: PKI
    custom options: engine cryptodev
    

    i pasted in the CA Cert, Server cert, Server key, and DH params. i am using a netgate firewall with dual alix.2d3 boards (with CARP) so that is why i added 'engine cryptodev'

    i added a UDP firewall rule, allow any to single host (CARP shared WAN address), dest port range matches VPN port.

    when i try to initiate the connection from my debian client using NetworkManager, i can see in the pfsense firewall log that the connection was allowed.  but, in the openvpn logs i see "TLS handshake failed".  in NetworkManager / VPN properties, i made sure to match the cipher (AES-128-CBC).

    i think that's about it… what else can i check?  thanks



  • ah cool… i figured it out!

    i think i just had to add the option 'local <wan carp="" ip="">' to the VPN's custom options in addition to the 'engine cryptodev'

    i also added an AON rule before trying this, which didn't help, but maybe it was needed too?  i made the rule for source <new 24="" subnet="">:* to : with NAT address<wan carp="" ip=""></wan></new></wan>


Log in to reply