OpenVPN Connection Problem (Resolved)



  • As of Current Release, 18th August 2011, 2.0 RC3

    The issues I have been experiencing with OpenVPN have been resolved.

    Thanks very much to the Dev Team!

    Hi Guys.

    I have updated both routers to current version PF2.0. I am using OpenVPN for site-to-site, with one router as Server and the other as client.

    I have noticed when I restart the OpenVPN Server router, the client is unable to re-establish connection, unless I change the encryption algorithm.

    When this is done, the client is able to re-establish connection and I am able to ping both LAN sides.

    Is there a workaround for this behaviour? Is this issue currently being worked on?

    Thanks, jits

    Aug 10 20:42:15 openvpn[58883]: Initialization Sequence Completed
    Aug 10 20:42:14 openvpn[58883]: Peer Connection Initiated with [AF_INET]x.x.160.186:16147
    Aug 10 20:42:09 openvpn[58883]: UDPv4 link remote: [undef]
    Aug 10 20:42:09 openvpn[58883]: UDPv4 link local (bound): [AF_INET]x.x.244.210:1195
    Aug 10 20:42:09 openvpn[57801]: /usr/local/sbin/ovpn-linkup ovpns2 1500 1545 10.11.11.1 10.11.11.2 init
    Aug 10 20:42:09 openvpn[57801]: /sbin/ifconfig ovpns2 10.11.11.1 10.11.11.2 mtu 1500 netmask 255.255.255.255 up
    Aug 10 20:42:09 openvpn[57801]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Aug 10 20:42:09 openvpn[57801]: TUN/TAP device /dev/tun2 opened
    Aug 10 20:42:09 openvpn[57801]: LZO compression initialized
    Aug 10 20:42:09 openvpn[57801]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Aug 10 20:42:08 openvpn[57801]: OpenVPN 2.2.0 i386-portbld-freebsd8.1 [SSL] [LZO2] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Aug 8 2011
    Aug 10 20:41:38 openvpn[15332]: Exiting
    Aug 10 20:41:38 openvpn[15332]: Cipher 'BF-CFB' uses a mode not supported by OpenVPN in your current configuration. CBC mode is always supported, while CFB and OFB modes are supported only when using SSL/TLS authentication and key exchange mode, and when OpenVPN has been built with ALLOW_NON_CBC_CIPHERS.
    Aug 10 20:41:38 openvpn[15332]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Aug 10 20:41:38 openvpn[15332]: OpenVPN 2.2.0 i386-portbld-freebsd8.1 [SSL] [LZO2] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Aug 8 2011
    Aug 10 20:41:38 openvpn[31775]: SIGTERM[hard,] received, process exiting
    Aug 10 20:41:38 openvpn[31775]: /usr/local/sbin/ovpn-linkdown ovpns2 1500 1545 10.11.11.1 10.11.11.2 init
    Aug 10 20:41:38 openvpn[31775]: event_wait : Interrupted system call (code=4)
    Aug 10 20:37:53 openvpn[31775]: Initialization Sequence Completed
    Aug 10 20:37:52 openvpn[31775]: Peer Connection Initiated with [AF_INET]x.x.160.186:16147
    Aug 10 20:37:41 openvpn[43402]: Initialization Sequence Completed
    Aug 10 20:37:41 openvpn[43402]: UDPv4 link remote: [undef]
    Aug 10 20:37:41 openvpn[43402]: UDPv4 link local (bound): [AF_INET]x.x.244.210:1194
    Aug 10 20:37:40 openvpn[25098]: /usr/local/sbin/ovpn-linkup ovpns1 1500 1542 10.11.12.1 10.11.12.2 init
    Aug 10 20:37:40 openvpn[25098]: /sbin/ifconfig ovpns1 10.11.12.1 10.11.12.2 mtu 1500 netmask 255.255.255.255 up
    Aug 10 20:37:40 openvpn[25098]: do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Aug 10 20:37:40 openvpn[25098]: TUN/TAP device /dev/tun1 opened
    Aug 10 20:37:40 openvpn[25098]: Control Channel Authentication: using '/var/etc/openvpn/server1.tls-auth' as a OpenVPN static key file
    Aug 10 20:37:40 openvpn[31775]: UDPv4 link remote: [undef]
    Aug 10 20:37:40 openvpn[31775]: UDPv4 link local (bound): [AF_INET]x.x.244.210:1195



  • Hi Guys,

    Just updated again to most recent RC3 update and no change in behavior for OpenVPN site-to-site connection.

    FYI

    I have two WAN connections. They are configured as VLANs on the WAN interface re0. The WAN interface assigned to re0 is NOT enabled. The VLANs assigned to WAN interface re0 are ENABLED.

    Prior to this, IPsec was configured for all sites. Those configurations have all been deleted and turned off.

    The only way to get client to talk to server is to change the Encryption Algorithm, and then change it back again. Restarting Router will not work.

    Any ideas?

    Thanks, Jits.


  • Rebel Alliance Developer Netgate

    What encryption do you have chosen on both ends? Read the log, it doesn't like what you have:

    Aug 10 20:41:38 openvpn[15332]: Cipher 'BF-CFB' uses a mode not supported by OpenVPN in your current configuration. CBC mode is always supported, while CFB and OFB modes are supported only when using SSL/TLS authentication and key exchange mode, and when OpenVPN has been built with ALLOW_NON_CBC_CIPHERS.
    
    
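    The rule in that log line (CBC always works; CFB/OFB only in SSL/TLS mode and only on a build with ALLOW_NON_CBC_CIPHERS) can be checked before a restart rather than discovered after one. The following is an added example, not code from this thread, pfSense or OpenVPN; it assumes the OpenSSL cipher-name convention for the mode suffix, treats the listed directive names as the markers of SSL/TLS mode and 'secret' as the marker of static-key mode, and uses a constructed sample config with a placeholder hostname.

```python
import re

# Constructed sample (not from the thread): a static-key peer using BF-CFB,
# the cipher/mode combination the thread's log rejects.
STATIC_KEY_CFB_CONFIG = """\
remote vpn.example.net 1195   # placeholder peer
secret /var/etc/openvpn/client2.secret
cipher BF-CFB
"""

# OpenSSL cipher names end in the block mode, e.g. BF-CFB, AES-256-CBC.
_MODE_RE = re.compile(r"-(CBC|CFB|CFB1|CFB8|OFB)$", re.IGNORECASE)
# Assumption: any of these directives means SSL/TLS mode; 'secret' means static-key mode.
_TLS_DIRECTIVES = {"tls-server", "tls-client", "server", "client", "ca", "cert"}
# The message OpenVPN 2.2 logged in the thread.
_LOG_RE = re.compile(r"Cipher '([^']+)' uses a mode not supported")

def parse_directives(config_text):
    """Map directive name -> argument list; '#' and ';' start comments."""
    directives = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            name, *args = line.split()
            directives[name.lower()] = args
    return directives

def check_cipher_mode(config_text, allow_non_cbc=False):
    """Rule from the log message: CBC always works; CFB/OFB need SSL/TLS
    mode AND a build with ALLOW_NON_CBC_CIPHERS. Returns a list of findings."""
    d = parse_directives(config_text)
    if not d.get("cipher"):
        return []  # no explicit cipher directive: nothing to check here
    cipher = d["cipher"][0]
    m = _MODE_RE.search(cipher)
    mode = m.group(1).upper() if m else None
    tls_mode = "secret" not in d and bool(_TLS_DIRECTIVES.intersection(d))
    findings = []
    if mode is None:
        findings.append(f"{cipher}: unrecognised mode suffix")
    elif mode != "CBC":
        if not tls_mode:
            findings.append(f"{cipher}: {mode} needs SSL/TLS mode; this config is static-key or has no TLS directives")
        if not allow_non_cbc:
            findings.append(f"{cipher}: {mode} needs a build with ALLOW_NON_CBC_CIPHERS")
    return findings

def unsupported_ciphers_in_log(log_lines):
    """Cipher names OpenVPN refused, pulled from log lines like the thread's."""
    return [m.group(1) for m in map(_LOG_RE.search, log_lines) if m]
```

    Switching the cipher to any CBC variant on both peers clears both findings without depending on how the OpenVPN binary was built.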


  • Hi Jimp,

    That's what I was saying… in order to get OpenVPN site-to-site to work, I have to change the Encryption Algorithm to one that will not work. After this, I change back to the Encryption Algorithm that WILL work, and then success! Site-to-site works, and I can ping both sides of the network.

    Thus far, I have employed this method to each and every update of 2.0 RC3.

    Jits.



  • Thank You Very Much!  :) :) :)

    It works!!

