OpenVPN 2.3.8 and pfSense 2.2.4 not working
-
Dear Forum Members,
I'm busy configuring a client-to-server OpenVPN connection on pfSense 2.2.4.
Fri Sep 04 11:04:26 2015 UDPv4 link remote: [AF_INET]xx.xx.xx.xx:1194
Fri Sep 04 11:04:26 2015 VERIFY ERROR: depth=0, error=unsupported certificate purpose: C=xx, ST=xx, L=xxx, O=xxx, emailAddress=xxxxx, CN=xx
Fri Sep 04 11:04:26 2015 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Fri Sep 04 11:04:26 2015 TLS Error: TLS object -> incoming plaintext read error
Fri Sep 04 11:04:26 2015 TLS Error: TLS handshake failed
Fri Sep 04 11:04:26 2015 SIGUSR1[soft,tls-error] received, process restarting
Fri Sep 04 11:04:31 2015 UDPv4 link local (bound): [undef]
Fri Sep 04 11:04:31 2015 UDPv4 link remote: [AF_INET]xx.xx.xx.xxx:1194
Fri Sep 04 11:04:31 2015 TLS Error: TLS object -> incoming plaintext read error
Fri Sep 04 11:04:31 2015 TLS Error: TLS handshake failed
Fri Sep 04 11:04:31 2015 SIGUSR1[soft,tls-error] received, process restarting
Fri Sep 04 11:04:37 2015 SIGTERM[hard,init_instance] received, process exiting
-
"error=unsupported certificate purpose"
What part is confusing about this to you?? Did you run through the openvpn wizard and let it create the CA and server cert for you..
Look on your cert
-
How can I fix this, please?
-
Create Server cert, or just use the openvpn wizard tab that walks you through setting up openvpn…
-
Thanks, but I have another problem.
Fri Sep 04 13:43:35 2015 Control Channel Authentication: using 'pfSense-TCP-1194-khairy-tls.key' as a OpenVPN static key file
Fri Sep 04 13:43:35 2015 Attempting to establish TCP connection with [AF_INET]XX.XX.XX.XX1194 [nonblock]
Fri Sep 04 13:43:36 2015 TCP connection established with [AF_INET]XX.XX.XX.XX:1194
Fri Sep 04 13:43:36 2015 TCPv4_CLIENT link local (bound): [undef]
Fri Sep 04 13:43:36 2015 TCPv4_CLIENT link remote: [AF_INET]xx.xx.xx.xx:1194
Fri Sep 04 13:43:36 2015 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Fri Sep 04 13:43:37 2015 [gopalace] Peer Connection Initiated with [AF_INET]xxx.xx.xx.xx:1194
Fri Sep 04 13:43:40 2015 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Fri Sep 04 13:43:40 2015 open_tun, tt->ipv6=0
Fri Sep 04 13:43:40 2015 TAP-WIN32 device [Local Area Connection 2] opened: \\.\Global\{79DB1C6E-1FA2-4F9B-B115-69A730E2D70A}.tap
Fri Sep 04 13:43:40 2015 Notified TAP-Windows driver to set a DHCP IP/netmask of 192.168.2.6/255.255.255.252 on interface {79DB1C6E-1FA2-4F9B-B115-69A730E2D70A} [DHCP-serv: 192.168.2.5, lease-time: 31536000]
Fri Sep 04 13:43:40 2015 Successful ARP Flush on interface [23] {79DB1C6E-1FA2-4F9B-B115-69A730E2D70A}
Fri Sep 04 13:43:45 2015 Warning: address 172.16.20.0 is not a network address in relation to netmask 255.255.0.0
Fri Sep 04 13:43:45 2015 ROUTE: route addition failed using CreateIpForwardEntry: The parameter is incorrect. [status=87 if_index=23]
Fri Sep 04 13:43:45 2015 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Fri Sep 04 13:43:45 2015 Initialization Sequence Completed
I cannot connect from 192.168.2.6 to 172.16.20.1.
-
172.16.20.0 is not a network address in relation to netmask 255.255.0.0
Again, what's unclear there? And – why are you using /16 in the first place?!?
-
Thanks, I made a mistake.
CIDR 172.16.0.0/16
-
Yeah, that error again is pretty clear.. 172.16.20.0/16 is not a valid network. 172.16.0.0/16 would be a valid network. 172.20.0.0/16 would be a valid network.
172.16.20.0 would be a HOST address with a /16 mask.
What is with using such large networks? Really you have 65k some devices?
-
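The network-address check the replies above describe, as an added Python example that is not from this thread or from the OpenVPN or pfSense projects. It uses only the standard-library ipaddress module. The config lines it scans are constructed for the example (the first route reproduces the one from the log above), and the function names are my own. It also goes one step beyond the thread: for an address that fails the check it reports both the network OpenVPN would get after clearing the host bits and the shortest prefix length at which the original address is itself a valid network.

```python
import ipaddress
import re

# Constructed sample of the relevant lines from a pfSense-generated OpenVPN
# client config (not the poster's real config). The first route carries the
# mistake from the log above; the other two are corrected forms.
SAMPLE_CONFIG = """\
client
dev tap
remote vpn.example.invalid 1194 tcp
route 172.16.20.0 255.255.0.0
route 172.16.0.0 255.255.0.0
route 172.16.20.0 255.255.252.0
"""


def trailing_zero_bits(n: int) -> int:
    """Number of low-order zero bits in a positive integer."""
    return (n & -n).bit_length() - 1


def shortest_prefix(address: str) -> int:
    """Smallest prefix length for which `address` has no host bits set,
    i.e. the widest network that can legitimately start at this address.
    A prefix is valid exactly when its host-bit count does not exceed the
    number of trailing zero bits in the address."""
    n = int(ipaddress.IPv4Address(address))
    if n == 0:
        return 0  # 0.0.0.0 is a network address for every mask
    return 32 - trailing_zero_bits(n)


def route_check(address: str, netmask: str) -> dict:
    """Mirror OpenVPN's sanity check on a `route <network> <netmask>` pair.

    strict=False lets ipaddress clear the host bits for us; comparing the
    resulting network address with the address given is the same test that
    produces OpenVPN's "is not a network address in relation to netmask"
    warning when it fails.
    """
    addr = ipaddress.IPv4Address(address)
    net = ipaddress.IPv4Network(f"{address}/{netmask}", strict=False)
    return {
        "valid": net.network_address == addr,
        "network": str(net),            # what the mask really selects
        "netmask": str(net.netmask),
        "shortest_prefix": shortest_prefix(address),
    }


def audit_routes(config_text: str) -> list:
    """Scan `route` directives and produce the same warning OpenVPN logs,
    plus the two ways of repairing each bad one."""
    findings = []
    for line in config_text.splitlines():
        m = re.match(r"^\s*route\s+(\S+)\s+(\S+)", line)
        if not m:
            continue
        address, netmask = m.groups()
        result = route_check(address, netmask)
        if result["valid"]:
            findings.append(f"ok: route {address} {netmask} -> {result['network']}")
        else:
            findings.append(
                f"Warning: address {address} is not a network address in relation "
                f"to netmask {netmask}; OpenVPN will not install this route. Either "
                f"use {result['network']} for this mask, or keep {address} with a "
                f"prefix of /{result['shortest_prefix']} or longer."
            )
    return findings


if __name__ == "__main__":
    for finding in audit_routes(SAMPLE_CONFIG):
        print(finding)
```

Whatever network is entered as the local network on the pfSense OpenVPN server page ends up as a route line like these on the client, so it has to be a true network address: 172.16.0.0/16, as the thread settles on, or 172.16.20.0 with a /22 or longer mask if only that slice of the range exists. The log above also shows why the poster could not reach 172.16.20.1: the refused route was simply never added, and "Initialization Sequence Completed" says nothing about whether the routes went in, so that line is the one to check after any change to the local network setting.
-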
ip subnetting is like measuring certain body parts …. bigger must always be better :p
-
Well then he should be using 10/8 ;)