Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    PFSENSE TLS Error: TLS key negotiation failed to occur within 60 seconds

    Scheduled Pinned Locked Moved OpenVPN
    13 Posts 4 Posters 37.8k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • J
      jolejo10
      last edited by

      I have the same problem that this guys, i'll post a little bit information about my system,

      I've install pfsense 2.2.4 last week, everthing work fine but i'm trying to configure an remote access server. And i can't figure out to make it work. I've follow the documentation on the official page.

      Here are the client log  file  with Windows 10, (i'll try linux client and windows 7 this weekend) :

      Mon Oct 05 22:08:34 2015 UDPv4 link remote: [AF_INET]XX.XX.XXX.XX:1194
      Mon Oct 05 22:09:34 2015 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
      Mon Oct 05 22:09:34 2015 TLS Error: TLS handshake failed
      Mon Oct 05 22:09:34 2015 SIGUSR1[soft,tls-error] received, process restarting
      Mon Oct 05 22:09:36 2015 UDPv4 link local (bound): [undef]
      Mon Oct 05 22:09:36 2015 UDPv4 link remote: [AF_INET]XX.XX.XXX.XX:1194
      Mon Oct 05 22:10:36 2015 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
      Mon Oct 05 22:10:36 2015 TLS Error: TLS handshake failed
      Mon Oct 05 22:10:36 2015 SIGUSR1[soft,tls-error] received, process restarting
      Mon Oct 05 22:10:38 2015 UDPv4 link local (bound): [undef]
      Mon Oct 05 22:10:38 2015 UDPv4 link remote: [AF_INET]XX.XX.XXX.XX:1194
      Mon Oct 05 22:11:39 2015 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
      Mon Oct 05 22:11:39 2015 TLS Error: TLS handshake failed
      Mon Oct 05 22:11:39 2015 SIGUSR1[soft,tls-error] received, process restarting
      Mon Oct 05 22:11:41 2015 UDPv4 link local (bound): [undef]
      Mon Oct 05 22:11:41 2015 UDPv4 link remote: [AF_INET]XX.XX.XXX.XX:1194
      Mon Oct 05 22:11:55 2015 SIGTERM[hard,] received, process exiting

      Here are the server log  file :

      Oct  5 20:51:02 pfSense openvpn[17080]: OpenVPN 2.3.7 amd64-portbld-freebsd10.1 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Jun 19 2015
      Oct  5 20:51:02 pfSense openvpn[17080]: library versions: OpenSSL 1.0.1l-freebsd 15 Jan 2015, LZO 2.09
      Oct  5 20:51:02 pfSense openvpn[18097]: NOTE: the current –script-security setting may allow this configuration to call user-defined scripts
      Oct  5 20:51:02 pfSense openvpn[18097]: Control Channel Authentication: using '/var/etc/openvpn/server1.tls-auth' as a OpenVPN static key file
      Oct  5 20:51:02 pfSense openvpn[18097]: TUN/TAP device ovpns1 exists previously, keep at program end
      Oct  5 20:51:02 pfSense openvpn[18097]: TUN/TAP device /dev/tun1 opened
      Oct  5 20:51:02 pfSense openvpn[18097]: ioctl(TUNSIFMODE): Device busy: Device busy (errno=16)
      Oct  5 20:51:02 pfSense openvpn[18097]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
      Oct  5 20:51:02 pfSense openvpn[18097]: /sbin/ifconfig ovpns1 10.0.10.1 10.0.10.2 mtu 1500 netmask 255.255.255.255 up
      Oct  5 20:51:02 pfSense openvpn[18097]: /usr/local/sbin/ovpn-linkup ovpns1 1500 1557 10.0.10.1 10.0.10.2 init
      Oct  5 20:51:03 pfSense openvpn[18097]: UDPv4 link local (bound): [AF_INET]XX.XX.XX.XX:1194
      Oct  5 20:51:03 pfSense openvpn[18097]: UDPv4 link remote: [undef]
      Oct  5 20:51:03 pfSense openvpn[18097]: Initialization Sequence Completed
      Oct  5 21:34:18 pfSense openvpn[55483]: OpenVPN 2.3.7 amd64-portbld-freebsd10.1 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Jun 19 2015
      Oct  5 21:34:18 pfSense openvpn[55483]: library versions: OpenSSL 1.0.1l-freebsd 15 Jan 2015, LZO 2.09
      Oct  5 21:34:18 pfSense openvpn[55625]: WARNING: using –duplicate-cn and --client-config-dir together is probably not what you want
      Oct  5 21:34:18 pfSense openvpn[55625]: NOTE: the current –script-security setting may allow this configuration to call user-defined scripts
      Oct  5 21:34:18 pfSense openvpn[55625]: Control Channel Authentication: using '/var/etc/openvpn/server2.tls-auth' as a OpenVPN static key file
      Oct  5 21:34:18 pfSense openvpn[55625]: TUN/TAP device ovpns2 exists previously, keep at program end
      Oct  5 21:34:18 pfSense openvpn[55625]: TUN/TAP device /dev/tun2 opened
      Oct  5 21:34:18 pfSense openvpn[55625]: ioctl(TUNSIFMODE): Device busy: Device busy (errno=16)
      Oct  5 21:34:18 pfSense openvpn[55625]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
      Oct  5 21:34:18 pfSense openvpn[55625]: /sbin/ifconfig ovpns2 10.0.15.1 10.0.15.2 mtu 1500 netmask 255.255.255.255 up
      Oct  5 21:34:18 pfSense openvpn[55625]: /usr/local/sbin/ovpn-linkup ovpns2 1500 1557 10.0.15.1 10.0.15.2 init
      Oct  5 21:34:18 pfSense openvpn[55625]: UDPv4 link local (bound): [AF_INET]XX.XX.XX.XX:1195
      Oct  5 21:34:18 pfSense openvpn[55625]: UDPv4 link remote: [undef]
      Oct  5 21:34:18 pfSense openvpn[55625]: Initialization Sequence Completed
      Oct  5 21:48:12 pfSense openvpn[18097]: /usr/local/sbin/ovpn-linkdown ovpns1 1500 1557 10.0.10.1 10.0.10.2 init
      Oct  5 21:48:12 pfSense openvpn[18097]: SIGTERM[hard,] received, process exiting
      Oct  5 21:48:13 pfSense openvpn[99344]: Options error: –server directive network/netmask combination is invalid
      Oct  5 21:48:13 pfSense openvpn[99344]: Use –help for more information.
      Oct  5 21:49:34 pfSense openvpn[55625]: event_wait : Interrupted system call (code=4)
      Oct  5 21:49:34 pfSense openvpn[55625]: /usr/local/sbin/ovpn-linkdown ovpns2 1500 1557 10.0.15.1 10.0.15.2 init
      Oct  5 21:49:34 pfSense openvpn[55625]: SIGTERM[hard,] received, process exiting

      Here my config .ovpn

      dev tun
      persist-tun
      persist-key
      cipher AES-256-CBC
      auth SHA1
      tls-client
      client
      resolv-retry infinite
      remote XX.XX.XXX.XX 1194 udp
      lport 0
      verify-x509-name "myuservpn" name
      auth-user-pass
      pkcs12 pfSense-udp-1194-myuservpn.p12
      tls-auth pfSense-udp-1194-myuservpn-tls.key 1

      I've only need a clue on the path that is not working, tks

      1 Reply Last reply Reply Quote 0
      • V
        viragomann
        last edited by

        Ensure that the server is reachable from the clients site at UDP 1194.

        WAN rules okay?

        1 Reply Last reply Reply Quote 0
        • J
          jolejo10
          last edited by

          Yes the port is open|filtered, i'll check the wan rules tonight

          https://pentest-tools.com/network-vulnerability-scanning/udp-port-scanner-online-nmap

          1 Reply Last reply Reply Quote 0
          • A
            alirazafaisal
            last edited by

            Can anyone please help me how to check server logs and config.vpn file so that i may also share it here to resolve my issue.
            Thanks

            1 Reply Last reply Reply Quote 0
            • A
              alirazafaisal
              last edited by

              As i am new and you all are experts, kindly help me for step by step procedure. I will be grateful for this.

              1 Reply Last reply Reply Quote 0
              • V
                viragomann
                last edited by

                @alirazafaisal:

                Can anyone please help me how to check server logs and config.vpn file so that i may also share it here to resolve my issue.
                Thanks

                Go to Diagnostics > Command Prompt
                In the field beside "File to download" enter "/var/log/openvpn.log" and press Download.
                Then do the same with /var/etc/openvpn/server1.conf. If you have more than one server also download /var/etc/openvpn/server2.conf and so on.

                However, please respond to my question above.

                1 Reply Last reply Reply Quote 0
                • J
                  jolejo10
                  last edited by

                  Here a look


                  1 Reply Last reply Reply Quote 0
                  • V
                    viragomann
                    last edited by

                    Your WAN rule is okay to allow OpenVPN connections. The server should be reachable.

                    So try to establish a connection from client and take a look in the server protocol (/var/log/openvpn.log) if the connection attempt is been logged.
                    In doubt run Packet Capture from Diagnostic menu at WAN interface to see if your packet arrive. Maybe they don't.

                    1 Reply Last reply Reply Quote 0
                    • B
                      bitboy0
                      last edited by

                      I had the very same Problem here … because my client-router only likes SHA1 and PfSense creates CA/CERTS with SHA256 per default...

                      1 Reply Last reply Reply Quote 0
                      • J
                        jolejo10
                        last edited by

                        If anyone is still interest, here the step i made to make it work fiinaly,

                        1. I factory reset the pfsense
                        2. I did the same step that before but did something more in the open vpn -> client export
                        3. I check this option and put a password

                        Certificate Export Options
                        X Use Microsoft Certificate Storage instead of local files.
                        X Use a password to protect the pkcs12 file contents or key in Viscosity bundle.

                        4. I download the  Windows Installers (2.3.8-Ix01):…

                        5. In my other computer on another network  i uninstall openvpn and install it back with the new installer that contain the microsoft cert....

                        And it WORK :)
                        This time i did not change the network ip of my internal lan but i don't think that was why it didn't work....
                        I change it back after the vpn was right

                        1 Reply Last reply Reply Quote 0
                        • A
                          alirazafaisal
                          last edited by

                          Can you please let me know which procedure you adopted for the OPENVPN to work. please share the link so that I may get help.

                          1 Reply Last reply Reply Quote 0
                          • J
                            jolejo10
                            last edited by

                            If you check  online, they basicly do all the same procedure on youtube or on website, but you can follow this video
                            PfSense Open VPN Tutorial (with Narrator)    from    DlStreamnet
                            https://www.youtube.com/watch?v=VdAHVSTl1ys

                            The only step that i did more was the step that i write in the commend below

                            Certificate Export Options   
                                  X Use Microsoft Certificate Storage instead of local files.
                                  X Use a password to protect the pkcs12 file contents or key in Viscosity bundle.

                            Make sur you check those before download the openvpn file….

                            1 Reply Last reply Reply Quote 0
                            • First post
                              Last post
                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.