PFSENSE TLS Error: TLS key negotiation failed to occur within 60 seconds



  • Hi Experts,

    I am trying to connect to my office pfSense network remotely but am getting the error in the subject line; the logs are below:

    Sat Oct 03 20:45:15 2015 OpenVPN 2.3.8 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Aug  4 2015
    Sat Oct 03 20:45:15 2015 library versions: OpenSSL 1.0.1p 9 Jul 2015, LZO 2.08
    Enter Management Password:
    Sat Oct 03 20:45:26 2015 Control Channel Authentication: using 'Nestle-udp-1194-vpnuser1-tls.key' as a OpenVPN static key file
    Sat Oct 03 20:45:26 2015 UDPv4 link local (bound): [undef]
    Sat Oct 03 20:45:26 2015 UDPv4 link remote: [AF_INET]221.120.215.34:1194
    Sat Oct 03 20:46:27 2015 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Sat Oct 03 20:46:27 2015 TLS Error: TLS handshake failed
    Sat Oct 03 20:46:27 2015 SIGUSR1[soft,tls-error] received, process restarting
    Sat Oct 03 20:46:29 2015 UDPv4 link local (bound): [undef]
    Sat Oct 03 20:46:29 2015 UDPv4 link remote: [AF_INET]221.120.215.34:1194
    Sat Oct 03 20:47:29 2015 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Sat Oct 03 20:47:29 2015 TLS Error: TLS handshake failed
    Sat Oct 03 20:47:29 2015 SIGUSR1[soft,tls-error] received, process restarting
    Sat Oct 03 20:47:31 2015 UDPv4 link local (bound): [undef]
    Sat Oct 03 20:47:31 2015 UDPv4 link remote: [AF_INET]221.120.215.34:1194
    Sat Oct 03 20:48:31 2015 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Sat Oct 03 20:48:31 2015 TLS Error: TLS handshake failed
    Sat Oct 03 20:48:31 2015 SIGUSR1[soft,tls-error] received, process restarting
    Sat Oct 03 20:48:33 2015 UDPv4 link local (bound): [undef]
    Sat Oct 03 20:48:33 2015 UDPv4 link remote: [AF_INET]221.120.215.34:1194
    Sat Oct 03 20:49:10 2015 SIGTERM[hard,] received, process exiting

    Please help me out ASAP so that I may connect.

    Thanks.



  • I have the same problem as this guy. I'll post a little bit of information about my system.

    I installed pfSense 2.2.4 last week. Everything works fine, but I'm trying to configure a remote access server and I can't figure out how to make it work. I've followed the documentation on the official page.

    Here is the client log file from Windows 10 (I'll try a Linux client and Windows 7 this weekend):

    Mon Oct 05 22:08:34 2015 UDPv4 link remote: [AF_INET]XX.XX.XXX.XX:1194
    Mon Oct 05 22:09:34 2015 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Mon Oct 05 22:09:34 2015 TLS Error: TLS handshake failed
    Mon Oct 05 22:09:34 2015 SIGUSR1[soft,tls-error] received, process restarting
    Mon Oct 05 22:09:36 2015 UDPv4 link local (bound): [undef]
    Mon Oct 05 22:09:36 2015 UDPv4 link remote: [AF_INET]XX.XX.XXX.XX:1194
    Mon Oct 05 22:10:36 2015 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Mon Oct 05 22:10:36 2015 TLS Error: TLS handshake failed
    Mon Oct 05 22:10:36 2015 SIGUSR1[soft,tls-error] received, process restarting
    Mon Oct 05 22:10:38 2015 UDPv4 link local (bound): [undef]
    Mon Oct 05 22:10:38 2015 UDPv4 link remote: [AF_INET]XX.XX.XXX.XX:1194
    Mon Oct 05 22:11:39 2015 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Mon Oct 05 22:11:39 2015 TLS Error: TLS handshake failed
    Mon Oct 05 22:11:39 2015 SIGUSR1[soft,tls-error] received, process restarting
    Mon Oct 05 22:11:41 2015 UDPv4 link local (bound): [undef]
    Mon Oct 05 22:11:41 2015 UDPv4 link remote: [AF_INET]XX.XX.XXX.XX:1194
    Mon Oct 05 22:11:55 2015 SIGTERM[hard,] received, process exiting

    Here is the server log file:

    Oct  5 20:51:02 pfSense openvpn[17080]: OpenVPN 2.3.7 amd64-portbld-freebsd10.1 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Jun 19 2015
    Oct  5 20:51:02 pfSense openvpn[17080]: library versions: OpenSSL 1.0.1l-freebsd 15 Jan 2015, LZO 2.09
    Oct  5 20:51:02 pfSense openvpn[18097]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Oct  5 20:51:02 pfSense openvpn[18097]: Control Channel Authentication: using '/var/etc/openvpn/server1.tls-auth' as a OpenVPN static key file
    Oct  5 20:51:02 pfSense openvpn[18097]: TUN/TAP device ovpns1 exists previously, keep at program end
    Oct  5 20:51:02 pfSense openvpn[18097]: TUN/TAP device /dev/tun1 opened
    Oct  5 20:51:02 pfSense openvpn[18097]: ioctl(TUNSIFMODE): Device busy: Device busy (errno=16)
    Oct  5 20:51:02 pfSense openvpn[18097]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
    Oct  5 20:51:02 pfSense openvpn[18097]: /sbin/ifconfig ovpns1 10.0.10.1 10.0.10.2 mtu 1500 netmask 255.255.255.255 up
    Oct  5 20:51:02 pfSense openvpn[18097]: /usr/local/sbin/ovpn-linkup ovpns1 1500 1557 10.0.10.1 10.0.10.2 init
    Oct  5 20:51:03 pfSense openvpn[18097]: UDPv4 link local (bound): [AF_INET]XX.XX.XX.XX:1194
    Oct  5 20:51:03 pfSense openvpn[18097]: UDPv4 link remote: [undef]
    Oct  5 20:51:03 pfSense openvpn[18097]: Initialization Sequence Completed
    Oct  5 21:34:18 pfSense openvpn[55483]: OpenVPN 2.3.7 amd64-portbld-freebsd10.1 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Jun 19 2015
    Oct  5 21:34:18 pfSense openvpn[55483]: library versions: OpenSSL 1.0.1l-freebsd 15 Jan 2015, LZO 2.09
    Oct  5 21:34:18 pfSense openvpn[55625]: WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want
    Oct  5 21:34:18 pfSense openvpn[55625]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Oct  5 21:34:18 pfSense openvpn[55625]: Control Channel Authentication: using '/var/etc/openvpn/server2.tls-auth' as a OpenVPN static key file
    Oct  5 21:34:18 pfSense openvpn[55625]: TUN/TAP device ovpns2 exists previously, keep at program end
    Oct  5 21:34:18 pfSense openvpn[55625]: TUN/TAP device /dev/tun2 opened
    Oct  5 21:34:18 pfSense openvpn[55625]: ioctl(TUNSIFMODE): Device busy: Device busy (errno=16)
    Oct  5 21:34:18 pfSense openvpn[55625]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
    Oct  5 21:34:18 pfSense openvpn[55625]: /sbin/ifconfig ovpns2 10.0.15.1 10.0.15.2 mtu 1500 netmask 255.255.255.255 up
    Oct  5 21:34:18 pfSense openvpn[55625]: /usr/local/sbin/ovpn-linkup ovpns2 1500 1557 10.0.15.1 10.0.15.2 init
    Oct  5 21:34:18 pfSense openvpn[55625]: UDPv4 link local (bound): [AF_INET]XX.XX.XX.XX:1195
    Oct  5 21:34:18 pfSense openvpn[55625]: UDPv4 link remote: [undef]
    Oct  5 21:34:18 pfSense openvpn[55625]: Initialization Sequence Completed
    Oct  5 21:48:12 pfSense openvpn[18097]: /usr/local/sbin/ovpn-linkdown ovpns1 1500 1557 10.0.10.1 10.0.10.2 init
    Oct  5 21:48:12 pfSense openvpn[18097]: SIGTERM[hard,] received, process exiting
    Oct  5 21:48:13 pfSense openvpn[99344]: Options error: --server directive network/netmask combination is invalid
    Oct  5 21:48:13 pfSense openvpn[99344]: Use --help for more information.
    Oct  5 21:49:34 pfSense openvpn[55625]: event_wait : Interrupted system call (code=4)
    Oct  5 21:49:34 pfSense openvpn[55625]: /usr/local/sbin/ovpn-linkdown ovpns2 1500 1557 10.0.15.1 10.0.15.2 init
    Oct  5 21:49:34 pfSense openvpn[55625]: SIGTERM[hard,] received, process exiting

    Here is my .ovpn config:

    dev tun
    persist-tun
    persist-key
    cipher AES-256-CBC
    auth SHA1
    tls-client
    client
    resolv-retry infinite
    remote XX.XX.XXX.XX 1194 udp
    lport 0
    verify-x509-name "myuservpn" name
    auth-user-pass
    pkcs12 pfSense-udp-1194-myuservpn.p12
    tls-auth pfSense-udp-1194-myuservpn-tls.key 1

    I only need a clue on the path that is not working, thanks.



  • Ensure that the server is reachable from the client's site at UDP 1194.

    WAN rules okay?



  • Yes, the port is open|filtered. I'll check the WAN rules tonight.

    https://pentest-tools.com/network-vulnerability-scanning/udp-port-scanner-online-nmap



  • Can anyone please show me how to check the server logs and the config.vpn file so that I may also share them here to resolve my issue?
    Thanks



  • As I am new and you are all experts, kindly help me with a step-by-step procedure. I will be grateful for this.



  • @alirazafaisal:

    Can anyone please show me how to check the server logs and the config.vpn file so that I may also share them here to resolve my issue?
    Thanks

    Go to Diagnostics > Command Prompt
    In the field beside "File to download" enter "/var/log/openvpn.log" and press Download.
    Then do the same with /var/etc/openvpn/server1.conf. If you have more than one server also download /var/etc/openvpn/server2.conf and so on.

    However, please respond to my question above.



  • Here's a look




  • Your WAN rule is okay to allow OpenVPN connections. The server should be reachable.

    So try to establish a connection from the client and look in the server log (/var/log/openvpn.log) to see whether the connection attempt has been logged.
    If in doubt, run Packet Capture from the Diagnostics menu on the WAN interface to see if your packets arrive. Maybe they don't.
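
    An added example, not part of any post in this thread: a small Python triage of a pfSense /var/log/openvpn.log excerpt that decides whether an OpenVPN instance was still listening on the client's port and, if so, whether the client's packets showed up in the log. The sample lines are constructed after the server log quoted earlier in the thread; the `triage` name and its verdict labels are assumptions of this example.

```python
import re

# Constructed sample, modelled on the server log quoted in this thread
# (documentation-range IP; "--server" written with a plain double hyphen).
SAMPLE_SERVER_LOG = """\
Oct  5 20:51:03 pfSense openvpn[18097]: UDPv4 link local (bound): [AF_INET]192.0.2.10:1194
Oct  5 20:51:03 pfSense openvpn[18097]: Initialization Sequence Completed
Oct  5 21:48:12 pfSense openvpn[18097]: SIGTERM[hard,] received, process exiting
Oct  5 21:48:13 pfSense openvpn[99344]: Options error: --server directive network/netmask combination is invalid
"""

LINE = re.compile(r"openvpn\[(\d+)\]: (.*)$")
BOUND = re.compile(r"link local \(bound\): \[AF_INET6?\]\S*:(\d+)$")


def triage(log_text, port):
    """Explain a client-side 60 s TLS timeout from the server log (verdicts are hypothetical labels)."""
    inst = {}             # pid -> state of that openvpn process
    start_failed = False  # a process died on "Options error:" before binding
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        pid, msg = m.groups()
        s = inst.setdefault(pid, {"port": None, "up": False, "initial": 0, "hmac": 0})
        bound = BOUND.search(msg)
        if bound:
            s["port"] = int(bound.group(1))
        elif "Initialization Sequence Completed" in msg:
            s["up"] = True
        elif "process exiting" in msg:
            s["up"] = False
        elif msg.startswith("Options error:"):
            start_failed = True
        elif "TLS: Initial packet from" in msg:
            s["initial"] += 1   # server received a client's first handshake packet
        elif "HMAC" in msg:
            s["hmac"] += 1      # tls-auth key or direction does not match
    live = [s for s in inst.values() if s["up"] and s["port"] == port]
    if not live:
        return "not-listening:options-error" if start_failed else "not-listening"
    if any(s["hmac"] for s in live):
        return "tls-auth-mismatch"
    if any(s["initial"] for s in live):
        return "server-saw-client"   # check the reply path and later TLS errors
    return "no-packets-arrived"      # next step: Packet Capture on WAN

if __name__ == "__main__":
    print(triage(SAMPLE_SERVER_LOG, 1194))
```
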



  • I had the very same problem here … because my client router only likes SHA1 and pfSense creates CA/certs with SHA256 by default...



  • If anyone is still interested, here are the steps I took to finally make it work:

    1. I factory reset the pfSense.
    2. I did the same steps as before, but did something more in OpenVPN -> Client Export.
    3. I checked these options and set a password:

    Certificate Export Options
    X Use Microsoft Certificate Storage instead of local files.
    X Use a password to protect the pkcs12 file contents or key in Viscosity bundle.

    4. I downloaded the Windows Installers (2.3.8-Ix01):…

    5. On my other computer, on another network, I uninstalled OpenVPN and installed it again with the new installer that contains the Microsoft cert....

    And it WORKS :)
    This time I did not change the network IP of my internal LAN, but I don't think that was why it didn't work....
    I changed it back after the VPN was working.



  • Can you please let me know which procedure you followed to get OpenVPN to work? Please share the link so that I may get help.



  • If you check online, they basically all follow the same procedure on YouTube or on websites, but you can follow this video:
    PfSense Open VPN Tutorial (with Narrator) from DlStreamnet (YouTube video)

    The only extra step I did was the step that I wrote in the comment below:

    Certificate Export Options   
          X Use Microsoft Certificate Storage instead of local files.
          X Use a password to protect the pkcs12 file contents or key in Viscosity bundle.

    Make sure you check those before downloading the OpenVPN file….

