Cannot Authenticate OpenVPN with Active Directory/RADIUS
-
We have properly configured the Active Directory/RADIUS to authenticate OpenVPN users (on Windows 7 64-bit) with, but each time we try to connect (regardless if we run the program as admin or not) we are receiving the error message:
TLS Error: incoming packet authentication failed from [AF_INET]
Our configuration previously worked, and the only thing that has changed with pfSense is that the sync went haywire when I changed the admin password some time ago. The sync issues have all been resolved, but still the VPN connection fails every time.
Here's a brief copy of what the logs look like:
openvpn[96169]: Authenticate/Decrypt packet error: packet HMAC authentication failed
Sep 26 10:13:00 openvpn[96169]: TLS Error: incoming packet authentication failed from [AF_INET]192.168.0.16:1194
Sep 26 10:13:15 openvpn[96169]: Authenticate/Decrypt packet error: packet HMAC authentication failed
Sep 26 10:13:15 openvpn[96169]: TLS Error: incoming packet authentication failed from [AF_INET]192.168.0.16:1194
Sep 26 10:13:48 openvpn[96169]: Authenticate/Decrypt packet error: packet HMAC authentication failed
Sep 26 10:13:48 openvpn[96169]: TLS Error: incoming packet authentication failed from [AF_INET]192.168.0.16:1194
Sep 26 10:13:50 openvpn[96169]: Authenticate/Decrypt packet error: packet HMAC authentication failed
Sep 26 10:13:50 openvpn[96169]: TLS Error: incoming packet authentication failed from [AF_INET]192.168.0.16:1194When I go to test the authentication via pfSense and RADIUS (Diagnostics > Authentication > RADIUS server and AD credentials, it comes back successful. But still, no luck with the connection.
All certificates have been created according to the cookbooks for using AD/RADIUS and pfSense for OpenVPN, so I don't believe it's the actual certificates that are failing.
If it helps, the OpenVPN client works on non-domain accounts using our other OpenVPN server (we have two on the same box, one for non-domain accounts, the other for AD accounts). So I don't think it's a pfSense issue.
Any suggestions? If you need anymore information please let me know.
-
Those are not AD/RADIUS auth errors, those are packet-level authentication errors.
The top suspects there are:
1. Inaccurate Clocks
2. A mismatched TLS key
3. You are connecting to your own WAN IP from inside your LAN or other internal segment, rather than connecting from the outside/disconnected network. -
Hi jimp,
I have tried this VPN connection on both internal and external networks and receive the same error message. We have multiple WAN lines, each with a different WAN IP address, as well as some hotspots that are completely unrelated to our infrastructure.
1. I changed the clocks on my boxes to reflect accurate times.
2. How do I verify that I have a mismatched key or not? I'm almost positive I created the keys properly through the cert manager and downloading the corresponding Client Export.
3. See first part of my response.Thanks for your assistance.
