2.0.2 -> 2.0.3 migration, Authenticate/Decrypt packet error: cipher final failed

  • Hi,
    After upgrading two pfSense boxes from 2.0.2 to 2.0.3, the site-to-site OpenVPN tunnel was down.
    After multiple tries to restart/reload, the VPN went up again but with the following error message on the
    server: Authenticate/Decrypt packet error: cipher final failed
    The client has two WAN interfaces: ADSL (default gateway) and SDSL (used for the VPN).
    With the "verb 6" parameter, I saw that the client was not always using the SDSL interface (configured for this VPN).
    log extract on server side:
    openvpn[22062]: UDPv4READ [116] from %client_public_ip_SDSL%
    openvpn[22062]: TUN WRITE [52]
    openvpn[22062]: UDPv4READ [116] from %client_public_ip_ADSL%
    openvpn[22062]: Authenticate/Decrypt packet error: cipher final failed

    Any idea?

  • Rebel Alliance Developer Netgate

    Make sure you don't have a mismatch in the selected cipher, that's usually what that means (e.g. one side on BF-CBC or nothing set, other end on AES-128)

  • I've checked this, and it's OK.
    After some testing, this symptom appears even in 2.0.1 and 2.0.2.
    The OpenVPN client regularly tries to reach the server on the wrong interface, and this causes the error message to appear in the log.
    This is really strange. pfSense is configured with a double WAN interface.

    Any idea?
    Is this a misconfiguration or a bug?
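The two causes discussed in this thread look different in the server log: a cipher mismatch (the Netgate reply) produces decrypt errors on packets from the expected peer address, whereas the wrong-interface problem (the original post) produces them only after a UDPv4READ from the client's other WAN address. The script below is an added example, not code from the thread or from pfSense; it walks a "verb 6" style server log, attributes each decrypt error to the source address of the preceding read, and separates errors from the expected peer from errors from any other address. The log lines and addresses are constructed, and the expected-peer address is an assumed parameter.

```python
import re

# Constructed server-side log extract modelled on the thread's "verb 6" output.
# 198.51.100.10 stands in for the client's SDSL address (the one the tunnel is
# configured for), 203.0.113.20 for its ADSL address. Both are documentation
# ranges, not real hosts.
SAMPLE_LOG = """\
openvpn[22062]: UDPv4READ [116] from 198.51.100.10:1194
openvpn[22062]: TUN WRITE [52]
openvpn[22062]: UDPv4READ [116] from 203.0.113.20:1194
openvpn[22062]: Authenticate/Decrypt packet error: cipher final failed
openvpn[22062]: UDPv4READ [116] from 198.51.100.10:1194
openvpn[22062]: TUN WRITE [52]
"""

# Matches both "UDPv4READ [n] from a.b.c.d" as quoted in the thread and the
# "UDPv4 READ [n] from [AF_INET]a.b.c.d:port" form newer OpenVPN builds print.
READ_RE = re.compile(r"UDPv4 ?READ \[\d+\] from (?:\[AF_INET\])?(?P<ip>\d+\.\d+\.\d+\.\d+)")
ERROR_MARK = "Authenticate/Decrypt packet error"


def decrypt_errors_by_source(log_text):
    """Return {source_ip: count} of decrypt errors, each attributed to the
    source address of the most recent UDP read that preceded it."""
    last_src = None
    counts = {}
    for line in log_text.splitlines():
        m = READ_RE.search(line)
        if m:
            last_src = m.group("ip")
            continue
        if ERROR_MARK in line and last_src is not None:
            counts[last_src] = counts.get(last_src, 0) + 1
    return counts


def classify(log_text, expected_peer):
    """Split the attributed errors into those from the expected peer address
    (points at a cipher/config mismatch) and those from any other address
    (points at the client sending out of the wrong WAN interface)."""
    counts = decrypt_errors_by_source(log_text)
    from_peer = counts.get(expected_peer, 0)
    from_others = {ip: n for ip, n in counts.items() if ip != expected_peer}
    return from_peer, from_others


if __name__ == "__main__":
    print(classify(SAMPLE_LOG, "198.51.100.10"))
```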
