Netgate Discussion Forum

Errors with my OpenVPN

    DamienD
    last edited by Jun 9, 2012, 1:37 PM Jun 9, 2012, 1:35 PM

    Hello,

    I have had my OpenVPN set up for more than one year, and recently it started to give me errors like:

    Sat Jun 09 15:23:55 2012 OpenVPN 2.3-alpha1 Win32-MSVC++ [SSL (OpenSSL)] [LZO2] [PF_INET6] [IPv6 payload 20110522-1 (2.2.0)] built on Feb 21 2012
    Enter Management Password:
    Sat Jun 09 15:24:04 2012 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
    Sat Jun 09 15:24:04 2012 WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page).
    Sat Jun 09 15:24:04 2012 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Sat Jun 09 15:24:04 2012 Control Channel Authentication: using 'grenwall-udp-1194-tls.key' as a OpenVPN static key file
    Sat Jun 09 15:24:04 2012 UDPv4 link local (bound): [undef]
    Sat Jun 09 15:24:04 2012 UDPv4 link remote: [AF_INET]XXX.XXX.XXX.XXX:1194
    Sat Jun 09 15:24:05 2012 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Sat Jun 09 15:24:05 2012 Authenticate/Decrypt packet error: packet HMAC authentication failed
    Sat Jun 09 15:24:05 2012 TLS Error: incoming packet authentication failed from [AF_INET]XXX.XXX.XXX.XXX:1194
    Sat Jun 09 15:24:05 2012 Authenticate/Decrypt packet error: packet HMAC authentication failed
    Sat Jun 09 15:24:05 2012 TLS Error: incoming packet authentication failed from [AF_INET]XXX.XXX.XXX.XXX:1194
    Sat Jun 09 15:24:05 2012 Authenticate/Decrypt packet error: packet HMAC authentication failed
    Sat Jun 09 15:24:05 2012 TLS Error: incoming packet authentication failed from [AF_INET]XXX.XXX.XXX.XXX:1194
    Sat Jun 09 15:24:13 2012 Authenticate/Decrypt packet error: packet HMAC authentication failed
    Sat Jun 09 15:24:13 2012 TLS Error: incoming packet authentication failed from [AF_INET]XXX.XXX.XXX.XXX:1194
    Sat Jun 09 15:24:17 2012 TLS Error: unknown opcode received from [AF_INET]XXX.XXX.XXX.XXX:1194 op=12
    Sat Jun 09 15:24:23 2012 [Road Warrior Server Certificate] Peer Connection Initiated with [AF_INET]XXX.XXX.XXX.XXX:1194
    Sat Jun 09 15:24:25 2012 Authenticate/Decrypt packet error: packet HMAC authentication failed
    Sat Jun 09 15:24:25 2012 TLS Error: incoming packet authentication failed from [AF_INET]XXX.XXX.XXX.XXX:1194
    Sat Jun 09 15:24:28 2012 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Sat Jun 09 15:24:28 2012 open_tun, tt->ipv6=0
    Sat Jun 09 15:24:28 2012 TAP-WIN32 device [Connexion au réseau local 2] opened: \\.\Global\{6415A5F7-F1C9-480C-B99B-477592EC39AC}.tap
    Sat Jun 09 15:24:28 2012 Notified TAP-Win32 driver to set a DHCP IP/netmask of 192.168.200.6/255.255.255.252 on interface {6415A5F7-F1C9-480C-B99B-477592EC39AC} [DHCP-serv: 192.168.200.5, lease-time: 31536000]
    Sat Jun 09 15:24:28 2012 Successful ARP Flush on interface [15] {6415A5F7-F1C9-480C-B99B-477592EC39AC}
    Sat Jun 09 15:24:33 2012 Initialization Sequence Completed
    Sat Jun 09 15:24:40 2012 Authenticate/Decrypt packet error: packet HMAC authentication failed
    Sat Jun 09 15:25:04 2012 Authenticate/Decrypt packet error: packet HMAC authentication failed
    Sat Jun 09 15:25:04 2012 Authenticate/Decrypt packet error: packet HMAC authentication failed
    Sat Jun 09 15:25:04 2012 Authenticate/Decrypt packet error: packet HMAC authentication failed
    Sat Jun 09 15:25:07 2012 Authenticate/Decrypt packet error: packet HMAC authentication failed
    Sat Jun 09 15:25:09 2012 Authenticate/Decrypt packet error: packet HMAC authentication failed
    Sat Jun 09 15:25:13 2012 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #259 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
    Sat Jun 09 15:25:17 2012 Authenticate/Decrypt packet error: packet HMAC authentication failed
    

    pfSense 2.0.1-RELEASE (i386) on an ALIX
    Windows 7 client

    Any idea?

    Thank you for your time!

      Nachtfalke
      last edited by Jun 9, 2012, 3:37 PM

      Did you check the OpenVPN man page?

      http://openvpn.net/index.php/open-source/documentation/manuals/65-openvpn-20x-manpage.html
      Take a look at:
      --no-replay
      --replay-window n [t]

      They wrote to set OpenVPN verbose to 4 and check if the replay-window is OK.

        DamienD
        last edited by Jun 19, 2012, 11:49 AM

        Hello, thank you for your time. Apologies, I haven't been able to look at it yet.

        I'll come back to you as soon as I find time!

          jimp Rebel Alliance Developer Netgate
          last edited by Jun 24, 2012, 5:12 PM

          Those errors usually indicate a couple things:

          1. cipher mismatch between server and client
          2. clock is way off on one or the other

          It could also be some other general mismatch of settings, but to say for sure we'd need to see the server and client config both.

            DamienD
            last edited by Jun 24, 2012, 7:57 PM Jun 24, 2012, 7:55 PM

            Hello,

            1. It worked flawlessly for about one year so I don't understand what could be wrong
            2. It is not the case

            I also used the client export plugin…

            What files do you need to see?

              jimp Rebel Alliance Developer Netgate
              last edited by Jun 24, 2012, 7:59 PM

              The client config file, and /var/etc/openvpn/server(whatever).conf

              Could also be a TLS key mismatch, something would have to have changed for it to do this though. Unless it's something in between corrupting the traffic.

                DamienD
                last edited by Jun 24, 2012, 8:22 PM

                @/var/etc/openvpn/server2.conf:

                dev ovpns2
                dev-type tun
                dev-node /dev/tun2
                writepid /var/run/openvpn_server2.pid
                #user nobody
                #group nobody
                script-security 3
                daemon
                keepalive 10 60
                ping-timer-rem
                persist-tun
                persist-key
                proto udp
                cipher BF-CBC
                up /usr/local/sbin/ovpn-linkup
                down /usr/local/sbin/ovpn-linkdown
                local 178.198.100.136
                tls-server
                server 192.168.200.0 255.255.255.0
                client-config-dir /var/etc/openvpn-csc
                username-as-common-name
                auth-user-pass-verify /var/etc/openvpn/server2.php via-env
                tls-verify /var/etc/openvpn/server2.tls-verify.php
                lport 1194
                management /var/etc/openvpn/server2.sock unix
                max-clients 4
                push "route 192.168.1.0 255.255.255.0"
                client-to-client
                ca /var/etc/openvpn/server2.ca
                cert /var/etc/openvpn/server2.cert
                key /var/etc/openvpn/server2.key
                dh /etc/dh-parameters.1024
                tls-auth /var/etc/openvpn/server2.tls-auth 0
                comp-lzo
                persist-remote-ip
                float

                @openvpn.ovpn:

                dev tun
                persist-tun
                persist-key
                proto udp
                cipher BF-CBC
                tls-client
                client
                resolv-retry infinite
                remote MYADRESS 1194
                tls-remote Road Warrior Server Certificate
                auth-user-pass
                pkcs12 grenwall-udp-1194.p12
                tls-auth grenwall-udp-1194-tls.key 1
                comp-lzo

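The mismatch checks suggested earlier in the thread (cipher, other general settings, tls-auth setup) can be run mechanically over the two posted files. This is an added example, not code from the thread, pfSense or OpenVPN: the function names are hypothetical, the embedded configs are abridged from the two files posted above, and the comparison is a strict textual one over those directives only.

```python
# Added example: compare the directives that must agree on both OpenVPN peers.
# Sample configs are abridged from the server and client files posted in this thread.
SERVER_CONF = """\
dev ovpns2
dev-type tun
proto udp
cipher BF-CBC
tls-auth /var/etc/openvpn/server2.tls-auth 0
comp-lzo
"""
CLIENT_CONF = """\
dev tun
proto udp
cipher BF-CBC
tls-auth grenwall-udp-1194-tls.key 1
comp-lzo
"""

def parse(text):
    """Map each directive to its argument list, skipping comments and blanks."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line and not line.startswith(";"):
            name, *args = line.split()
            conf[name] = args
    return conf

def dev_type(conf):
    """Explicit dev-type wins; otherwise infer it from a dev name such as tun, tun0 or tap0."""
    if "dev-type" in conf:
        return conf["dev-type"][0]
    dev = conf.get("dev", [""])[0]
    return dev[:3] if dev[:3] in ("tun", "tap") else None

def compare(server_text, client_text):
    """Return a list of human-readable mismatches between the two peers."""
    s, c = parse(server_text), parse(client_text)
    problems = []
    for name in ("proto", "cipher", "auth", "comp-lzo"):
        if s.get(name) != c.get(name):
            problems.append(f"{name}: server={s.get(name)} client={c.get(name)}")
    if dev_type(s) != dev_type(c):
        problems.append(f"dev-type: server={dev_type(s)} client={dev_type(c)}")
    # tls-auth key directions must be complementary (0 and 1) or omitted on both sides.
    sd, cd = (x.get("tls-auth", [])[1:2] for x in (s, c))
    if ("tls-auth" in s) != ("tls-auth" in c) or sorted(sd + cd) not in ([], ["0", "1"]):
        problems.append(f"tls-auth direction: server={sd} client={cd}")
    return problems
```

An empty result only shows that the directives agree; it says nothing about whether the two tls-auth key files hold the same key material, which needs a comparison of the files themselves.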
                  DamienD
                  last edited by Jul 5, 2012, 9:46 AM

                  Did I put the wrong files??
