Errors with my OpenVPN



  • Hello,

I have had my OpenVPN set up for more than one year, and recently it started to give me errors like:

    Sat Jun 09 15:23:55 2012 OpenVPN 2.3-alpha1 Win32-MSVC++ [SSL (OpenSSL)] [LZO2] [PF_INET6] [IPv6 payload 20110522-1 (2.2.0)] built on Feb 21 2012
    Enter Management Password:
    Sat Jun 09 15:24:04 2012 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
    Sat Jun 09 15:24:04 2012 WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page).
    Sat Jun 09 15:24:04 2012 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Sat Jun 09 15:24:04 2012 Control Channel Authentication: using 'grenwall-udp-1194-tls.key' as a OpenVPN static key file
    Sat Jun 09 15:24:04 2012 UDPv4 link local (bound): [undef]
    Sat Jun 09 15:24:04 2012 UDPv4 link remote: [AF_INET]XXX.XXX.XXX.XXX:1194
    Sat Jun 09 15:24:05 2012 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Sat Jun 09 15:24:05 2012 Authenticate/Decrypt packet error: packet HMAC authentication failed
    Sat Jun 09 15:24:05 2012 TLS Error: incoming packet authentication failed from [AF_INET]XXX.XXX.XXX.XXX:1194
    Sat Jun 09 15:24:05 2012 Authenticate/Decrypt packet error: packet HMAC authentication failed
    Sat Jun 09 15:24:05 2012 TLS Error: incoming packet authentication failed from [AF_INET]XXX.XXX.XXX.XXX:1194
    Sat Jun 09 15:24:05 2012 Authenticate/Decrypt packet error: packet HMAC authentication failed
    Sat Jun 09 15:24:05 2012 TLS Error: incoming packet authentication failed from [AF_INET]XXX.XXX.XXX.XXX:1194
    Sat Jun 09 15:24:13 2012 Authenticate/Decrypt packet error: packet HMAC authentication failed
    Sat Jun 09 15:24:13 2012 TLS Error: incoming packet authentication failed from [AF_INET]XXX.XXX.XXX.XXX:1194
    Sat Jun 09 15:24:17 2012 TLS Error: unknown opcode received from [AF_INET]XXX.XXX.XXX.XXX:1194 op=12
    Sat Jun 09 15:24:23 2012 [Road Warrior Server Certificate] Peer Connection Initiated with [AF_INET]XXX.XXX.XXX.XXX:1194
    Sat Jun 09 15:24:25 2012 Authenticate/Decrypt packet error: packet HMAC authentication failed
    Sat Jun 09 15:24:25 2012 TLS Error: incoming packet authentication failed from [AF_INET]XXX.XXX.XXX.XXX:1194
    Sat Jun 09 15:24:28 2012 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Sat Jun 09 15:24:28 2012 open_tun, tt->ipv6=0
    Sat Jun 09 15:24:28 2012 TAP-WIN32 device [Connexion au réseau local 2] opened: \\.\Global\{6415A5F7-F1C9-480C-B99B-477592EC39AC}.tap
    Sat Jun 09 15:24:28 2012 Notified TAP-Win32 driver to set a DHCP IP/netmask of 192.168.200.6/255.255.255.252 on interface {6415A5F7-F1C9-480C-B99B-477592EC39AC} [DHCP-serv: 192.168.200.5, lease-time: 31536000]
    Sat Jun 09 15:24:28 2012 Successful ARP Flush on interface [15] {6415A5F7-F1C9-480C-B99B-477592EC39AC}
    Sat Jun 09 15:24:33 2012 Initialization Sequence Completed
    Sat Jun 09 15:24:40 2012 Authenticate/Decrypt packet error: packet HMAC authentication failed
    Sat Jun 09 15:25:04 2012 Authenticate/Decrypt packet error: packet HMAC authentication failed
    Sat Jun 09 15:25:04 2012 Authenticate/Decrypt packet error: packet HMAC authentication failed
    Sat Jun 09 15:25:04 2012 Authenticate/Decrypt packet error: packet HMAC authentication failed
    Sat Jun 09 15:25:07 2012 Authenticate/Decrypt packet error: packet HMAC authentication failed
    Sat Jun 09 15:25:09 2012 Authenticate/Decrypt packet error: packet HMAC authentication failed
    Sat Jun 09 15:25:13 2012 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #259 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
    Sat Jun 09 15:25:17 2012 Authenticate/Decrypt packet error: packet HMAC authentication failed
    

pfSense 2.0.1-RELEASE (i386) on an ALIX
    Windows 7 client

    any idea?

    Thank you for your time!
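The log above mixes control-channel errors (TLS), data-channel errors (HMAC, replay) and normal progress messages. A small triage script helps to see whether the authentication failures stop once the tunnel is up or keep going afterwards, which is the question the later replies in this thread turn on. This is an added example, not part of any post; the sample lines are a constructed subset of the log posted above, and the category names are my own.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: a subset of the OpenVPN client log posted above, plus the
# timestamp-less "Enter Management Password:" line to show that it is skipped.
SAMPLE_LOG = """\
Enter Management Password:
Sat Jun 09 15:24:05 2012 Authenticate/Decrypt packet error: packet HMAC authentication failed
Sat Jun 09 15:24:05 2012 TLS Error: incoming packet authentication failed from [AF_INET]XXX.XXX.XXX.XXX:1194
Sat Jun 09 15:24:17 2012 TLS Error: unknown opcode received from [AF_INET]XXX.XXX.XXX.XXX:1194 op=12
Sat Jun 09 15:24:23 2012 [Road Warrior Server Certificate] Peer Connection Initiated with [AF_INET]XXX.XXX.XXX.XXX:1194
Sat Jun 09 15:24:33 2012 Initialization Sequence Completed
Sat Jun 09 15:24:40 2012 Authenticate/Decrypt packet error: packet HMAC authentication failed
Sat Jun 09 15:25:13 2012 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #259 ] -- see the man page entry for --no-replay and --replay-window for more info
Sat Jun 09 15:25:17 2012 Authenticate/Decrypt packet error: packet HMAC authentication failed
"""

# OpenVPN 2.x log line: "<Day> <Mon> <dd> <HH:MM:SS> <yyyy> <message>"
LINE_RE = re.compile(r"^(\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}) (.*)$")
TIME_FMT = "%a %b %d %H:%M:%S %Y"

# Substring -> category (my own labels), checked in order; the first hit wins.
PATTERNS = [
    ("packet HMAC authentication failed", "hmac_fail"),
    ("bad packet ID (may be a replay)", "replay"),
    ("TLS Error: incoming packet authentication failed", "tls_auth_fail"),
    ("TLS Error: unknown opcode", "unknown_opcode"),
    ("Peer Connection Initiated", "peer_init"),
    ("Initialization Sequence Completed", "init_done"),
]
# Categories that mean a packet failed authentication (control or data channel).
AUTH_FAILURES = {"hmac_fail", "replay", "tls_auth_fail"}


def classify(message):
    """Map one log message to a category, 'other' if nothing matches."""
    for needle, category in PATTERNS:
        if needle in message:
            return category
    return "other"


def parse_log(text):
    """Return a list of (timestamp, category, message); lines without a timestamp are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), TIME_FMT)
        events.append((ts, classify(m.group(2)), m.group(2)))
    return events


def summarize(events):
    """Count categories and split authentication failures around 'Initialization Sequence Completed'."""
    counts = Counter(category for _, category, _ in events)
    init_times = [ts for ts, category, _ in events if category == "init_done"]
    init_at = min(init_times) if init_times else None
    before = sum(1 for ts, c, _ in events
                 if c in AUTH_FAILURES and (init_at is None or ts <= init_at))
    after = sum(1 for ts, c, _ in events
                if c in AUTH_FAILURES and init_at is not None and ts > init_at)
    return {
        "counts": dict(counts),
        "init_at": init_at,
        "failures_before_init": before,
        "failures_after_init": after,
    }


if __name__ == "__main__":
    summary = summarize(parse_log(SAMPLE_LOG))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Failures that continue after "Initialization Sequence Completed" are data-channel packets being rejected on an otherwise established tunnel, so the handshake itself is not the whole story; failures only before it would point at the control channel instead. Run the script with `-v 4` logs as the second reply suggests to get enough detail to tell the two apart.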



  • Did you check the OpenVPN man page ?

    http://openvpn.net/index.php/open-source/documentation/manuals/65-openvpn-20x-manpage.html
    Take a look at:
--no-replay
    --replay-window n [t]

They wrote to set OpenVPN verbosity to 4 and check whether the replay-window is OK.



Hello, thank you for your time. Apologies, I haven't been able to look at it yet.

    I'll come back to you as soon as I find time!


  • Rebel Alliance Developer Netgate

    Those errors usually indicate a couple things:

    1. cipher mismatch between server and client
    2. clock is way off on one or the other

It could also be some other general mismatch of settings, but to say for sure we'd need to see both the server and client configs.



  • Hello,

    1. It worked flawlessly for about one year so I don't understand what could be wrong
    2. It is not the case

    I also used the client export plugin…

    What files do you need to see?


  • Rebel Alliance Developer Netgate

    The client config file, and /var/etc/openvpn/server(whatever).conf

    Could also be a TLS key mismatch, something would have to have changed for it to do this though. Unless it's something in between corrupting the traffic.



  • @/var/etc/openvpn/server2.conf:

    dev ovpns2
    dev-type tun
    dev-node /dev/tun2
    writepid /var/run/openvpn_server2.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    cipher BF-CBC
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local 178.198.100.136
    tls-server
    server 192.168.200.0 255.255.255.0
    client-config-dir /var/etc/openvpn-csc
    username-as-common-name
    auth-user-pass-verify /var/etc/openvpn/server2.php via-env
    tls-verify /var/etc/openvpn/server2.tls-verify.php
    lport 1194
    management /var/etc/openvpn/server2.sock unix
    max-clients 4
    push "route 192.168.1.0 255.255.255.0"
    client-to-client
    ca /var/etc/openvpn/server2.ca
    cert /var/etc/openvpn/server2.cert
    key /var/etc/openvpn/server2.key
    dh /etc/dh-parameters.1024
    tls-auth /var/etc/openvpn/server2.tls-auth 0
    comp-lzo
    persist-remote-ip
    float

    @openvpn.ovpn:

    dev tun
    persist-tun
    persist-key
    proto udp
    cipher BF-CBC
    tls-client
    client
    resolv-retry infinite
    remote MYADRESS 1194
    tls-remote Road Warrior Server Certificate
    auth-user-pass
    pkcs12 grenwall-udp-1194.p12
    tls-auth grenwall-udp-1194-tls.key 1
    comp-lzo
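The diagnosis in this thread comes down to comparing the two configs for directives that must agree on both ends (cipher, auth digest, proto, comp-lzo, and the tls-auth key direction, which has to be 0 on the server and 1 on the client or omitted on both). The following checker is an added example, not part of any post and not pfSense or OpenVPN code; the embedded configs are excerpts of the two files posted above, and the defaults (`BF-CBC`, `SHA1`, `udp`) are the ones OpenVPN 2.x applies when a directive is absent.

```python
# Constructed sample: the directives relevant to packet authentication, copied
# from the server2.conf and openvpn.ovpn excerpts posted in this thread.
SERVER_CONF = """\
proto udp
cipher BF-CBC
tls-server
server 192.168.200.0 255.255.255.0
tls-auth /var/etc/openvpn/server2.tls-auth 0
comp-lzo
"""

CLIENT_CONF = """\
dev tun
proto udp
cipher BF-CBC
tls-client
client
remote MYADRESS 1194
tls-auth grenwall-udp-1194-tls.key 1
comp-lzo
"""

# Values OpenVPN 2.x uses when the directive is not given at all.
DEFAULTS = {"cipher": "BF-CBC", "auth": "SHA1", "proto": "udp"}


def parse_config(text):
    """Return {directive: [args]}; comment and blank lines are ignored, first occurrence wins."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split()
        conf.setdefault(parts[0], parts[1:])
    return conf


def tls_auth_direction(conf):
    """Key direction: an explicit key-direction wins, else the optional 2nd tls-auth arg, else None (bidirectional)."""
    if "key-direction" in conf:
        return conf["key-direction"][0]
    args = conf.get("tls-auth", [])
    return args[1] if len(args) > 1 else None


def compare_configs(server, client):
    """Return a list of human-readable findings; an empty list means the static check passed."""
    findings = []
    for key in ("cipher", "auth", "proto"):
        s = (server.get(key) or [DEFAULTS[key]])[0]
        c = (client.get(key) or [DEFAULTS[key]])[0]
        if s.lower() != c.lower():
            findings.append(f"{key} mismatch: server={s} client={c}")
    if ("comp-lzo" in server) != ("comp-lzo" in client):
        findings.append("comp-lzo present on only one side")
    if ("tls-auth" in server) != ("tls-auth" in client):
        findings.append("tls-auth present on only one side")
    elif "tls-auth" in server:
        sd, cd = tls_auth_direction(server), tls_auth_direction(client)
        # Valid pairings: server 0 / client 1, or no direction on either side.
        if (sd, cd) not in {("0", "1"), (None, None)}:
            findings.append(f"tls-auth key direction mismatch: server={sd} client={cd}")
    return findings


if __name__ == "__main__":
    result = compare_configs(parse_config(SERVER_CONF), parse_config(CLIENT_CONF))
    print(result or "no directive mismatch found in the posted configs")
```

On the posted excerpts the check returns no findings: cipher, proto, comp-lzo and the tls-auth directions (0 on the server, 1 on the client) all line up. That is consistent with the thread stalling here, and it leaves the two things a directive comparison cannot see, the contents of the tls-auth key files on each side and corruption of the traffic in between, which are exactly the remaining suspects named in the previous reply. Note that the checker compares directives only; it does not verify that the key file referenced on the client is the same key the server uses.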



Did I put the wrong files??

