OpenVpn Site-Site not working



  • Hi,

    I've just moved to Pfsense. I've got two router that are both perfectly fine performing NAt for 2 lans

    My second goal was to have a site-site vpn using OpenVpn. I've done this before with other software and always worked perfectly however this time I can't seem to get it working:

    I always get the error:
    That the remote options are not the expected ones.

    For info the client logs using VERB 7 as an additional parameter to generate more logfiles.

    Server log:
    Apr 20 22:32:35 openvpn[23871]: MANAGEMENT: unix domain socket listening on /var/etc/openvpn/server1.sock
    Apr 20 22:32:35 openvpn[23871]: NOTE: the current –script-security setting may allow this configuration to call user-defined scripts
    Apr 20 22:32:35 openvpn[23871]: PID packet_id_init seq_backtrack=64 time_backtrack=15
    Apr 20 22:32:35 openvpn[23871]: ******* WARNING *******: null cipher specified, no encryption will be used
    Apr 20 22:32:35 openvpn[23871]: Static Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Apr 20 22:32:35 openvpn[23871]: Static Encrypt: HMAC KEY: 4441f40d 77e49aae e9979622 29a33a97 d286effe
    Apr 20 22:32:35 openvpn[23871]: Static Encrypt: HMAC size=20 block_size=64
    Apr 20 22:32:35 openvpn[23871]: Static Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Apr 20 22:32:35 openvpn[23871]: Static Decrypt: HMAC KEY: 4441f40d 77e49aae e9979622 29a33a97 d286effe
    Apr 20 22:32:35 openvpn[23871]: Static Decrypt: HMAC size=20 block_size=64
    Apr 20 22:32:35 openvpn[23871]: LZO compression initialized
    Apr 20 22:32:35 openvpn[23871]: MTU DYNAMIC mtu=1450, flags=2, 1529 -> 1450
    Apr 20 22:32:35 openvpn[23871]: Socket Buffers: R=[42080->65536] S=[57344->65536]
    Apr 20 22:32:35 openvpn[23871]: ROUTE default_gateway=SERVER_GATEWAY
    Apr 20 22:32:35 openvpn[23871]: TUN/TAP device /dev/tun1 opened
    Apr 20 22:32:35 openvpn[23871]: do_ifconfig, tt->ipv6=0
    Apr 20 22:32:35 openvpn[23871]: /sbin/ifconfig ovpns1 10.0.8.1 10.0.8.2 mtu 1500 netmask 255.255.255.255 up
    Apr 20 22:32:35 openvpn[23871]: /usr/local/sbin/ovpn-linkup ovpns1 1500 1529 10.0.8.1 10.0.8.2 init
    Apr 20 22:32:35 openvpn[23871]: /sbin/route add -net 192.168.2.0 10.0.8.2 255.255.255.0
    Apr 20 22:32:35 openvpn[23871]: Data Channel MTU parms [ L:1529 D:1450 EF:29 EB:135 ET:0 EL:0 AF:14/29 ]
    Apr 20 22:32:36 openvpn[23871]: Local Options String: 'V4,dev-type tun,link-mtu 1529,tun-mtu 1500,proto UDPv4,ifconfig 10.0.8.2 10.0.8.1,comp-lzo,cipher [null-cipher],auth SHA1,keysize 0,secret'
    Apr 20 22:32:36 openvpn[23871]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1529,tun-mtu 1500,proto UDPv4,ifconfig 10.0.8.1 10.0.8.2,comp-lzo,cipher [null-cipher],auth SHA1,keysize 0,secret'
    Apr 20 22:32:36 openvpn[23871]: Local Options hash (VER=V4): '98e351ba'
    Apr 20 22:32:36 openvpn[23871]: Expected Remote Options hash (VER=V4): '38c9ff18'
    Apr 20 22:32:36 openvpn[28194]: UDPv4 link local (bound): [AF_INET]SERVER IP:1194
    Apr 20 22:32:36 openvpn[28194]: UDPv4 link remote: [undef]
    Apr 20 22:32:36 openvpn[28194]: SENT PING
    Apr 20 22:32:41 openvpn[28194]: TUN READ [52]
    Apr 20 22:32:41 openvpn[28194]: MSS: 1460 -> 1381
    Apr 20 22:32:44 openvpn[28194]: TUN READ [52]
    Apr 20 22:32:44 openvpn[28194]: MSS: 1460 -> 1381
    Apr 20 22:32:46 openvpn[28194]: SENT PING
    Apr 20 22:32:50 openvpn[28194]: TUN READ [48]
    Apr 20 22:32:50 openvpn[28194]: MSS: 1460 -> 1381

    Client log:
    Apr 20 20:37:04 openvpn[44803]: NOTE: the current –script-security setting may allow this configuration to call user-defined scripts
    Apr 20 20:37:04 openvpn[44803]: PID packet_id_init seq_backtrack=64 time_backtrack=15
    Apr 20 20:37:04 openvpn[44803]: Re-using pre-shared static key
    Apr 20 20:37:04 openvpn[44803]: LZO compression initialized
    Apr 20 20:37:04 openvpn[44803]: MTU DYNAMIC mtu=1450, flags=2, 1529 -> 1450
    Apr 20 20:37:04 openvpn[44803]: Socket Buffers: R=[42080->65536] S=[57344->65536]
    Apr 20 20:37:04 openvpn[44803]: RESOLVE_REMOTE flags=0x0501 phase=1 rrs=0 sig=-1 status=1
    Apr 20 20:37:04 openvpn[44803]: Preserving previous TUN/TAP instance: ovpnc1
    Apr 20 20:37:04 openvpn[44803]: Data Channel MTU parms [ L:1529 D:1450 EF:29 EB:135 ET:0 EL:0 AF:14/29 ]
    Apr 20 20:37:04 openvpn[44803]: Local Options String: 'V4,dev-type tun,link-mtu 1529,tun-mtu 1500,proto UDPv4,ifconfig 10.0.8.2 10.0.8.1,comp-lzo,cipher [null-cipher],auth SHA1,keysize 0,secret'
    Apr 20 20:37:04 openvpn[44803]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1529,tun-mtu 1500,proto UDPv4,ifconfig 10.0.8.1 10.0.8.2,comp-lzo,cipher [null-cipher],auth SHA1,keysize 0,secret'
    Apr 20 20:37:04 openvpn[44803]: Local Options hash (VER=V4): '98e351ba'
    Apr 20 20:37:04 openvpn[44803]: Expected Remote Options hash (VER=V4): '38c9ff18'
    Apr 20 20:37:04 openvpn[44803]: UDPv4 link local (bound): [AF_INET]217.19.22.209
    Apr 20 20:37:04 openvpn[44803]: UDPv4 link remote: [AF_INET]SERVER IP:1194
    Apr 20 20:37:04 openvpn[44803]: SENT PING
    Apr 20 20:37:04 openvpn[44803]: UDPv4 WRITE [45] to [AF_INET]SERVER IP:1194: DATA len=45
    Apr 20 20:37:10 openvpn[44803]: TUN READ [95]
    Apr 20 20:37:10 openvpn[44803]: UDPv4 WRITE [124] to [AF_INET]SERVER IP:1194: DATA len=124
    Apr 20 20:37:11 openvpn[44803]: TUN READ [95]
    Apr 20 20:37:11 openvpn[44803]: UDPv4 WRITE [124] to [AF_INET]SERVER IP:1194: DATA len=124
    Apr 20 20:37:12 openvpn[44803]: TUN READ [95]
    Apr 20 20:37:12 openvpn[44803]: UDPv4 WRITE [124] to [AF_INET]SERVER IP:1194: DATA len=124
    Apr 20 20:37:14 openvpn[44803]: TUN READ [95]
    Apr 20 20:37:14 openvpn[44803]: UDPv4 WRITE [124] to [AF_INET]SERVER IP:1194: DATA len=124
    Apr 20 20:37:14 openvpn[44803]: UDPv4 WRITE [46] to [AF_INET]SERVER IP:1194: DATA len=46
    Apr 20 20:37:18 openvpn[44803]: TUN READ [95]
    Apr 20 20:37:18 openvpn[44803]: UDPv4 WRITE [124] to [AF_INET]SERVER IP:1194: DATA len=

    I've tried with and without shared key, and on the client side as TUN or TAP but nothing works.

    Anybody any suggestions?


  • Rebel Alliance Developer Netgate

    We'd need to see exactly how you have the client and server configured to offer much in the way of help. Screenshots of the config pages would be nice, as well as the contents of /var/etc/openvpn/*.conf for the server/client.



  • Problem solved in a way.

    When I moved to SSL/TLS VPN with a certificate on both ends the tunnel worked perfectly, without making any other changes.


Locked