    PFSENSE TLS Error: TLS key negotiation failed to occur within 60 seconds

    • A
      alirazafaisal

      Hi Experts,

      I am trying to connect to my office pfSense network remotely but am getting the subject error; the logs are below:

      Sat Oct 03 20:45:15 2015 OpenVPN 2.3.8 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Aug  4 2015
      Sat Oct 03 20:45:15 2015 library versions: OpenSSL 1.0.1p 9 Jul 2015, LZO 2.08
      Enter Management Password:
      Sat Oct 03 20:45:26 2015 Control Channel Authentication: using 'Nestle-udp-1194-vpnuser1-tls.key' as a OpenVPN static key file
      Sat Oct 03 20:45:26 2015 UDPv4 link local (bound): [undef]
      Sat Oct 03 20:45:26 2015 UDPv4 link remote: [AF_INET]221.120.215.34:1194
      Sat Oct 03 20:46:27 2015 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
      Sat Oct 03 20:46:27 2015 TLS Error: TLS handshake failed
      Sat Oct 03 20:46:27 2015 SIGUSR1[soft,tls-error] received, process restarting
      Sat Oct 03 20:46:29 2015 UDPv4 link local (bound): [undef]
      Sat Oct 03 20:46:29 2015 UDPv4 link remote: [AF_INET]221.120.215.34:1194
      Sat Oct 03 20:47:29 2015 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
      Sat Oct 03 20:47:29 2015 TLS Error: TLS handshake failed
      Sat Oct 03 20:47:29 2015 SIGUSR1[soft,tls-error] received, process restarting
      Sat Oct 03 20:47:31 2015 UDPv4 link local (bound): [undef]
      Sat Oct 03 20:47:31 2015 UDPv4 link remote: [AF_INET]221.120.215.34:1194
      Sat Oct 03 20:48:31 2015 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
      Sat Oct 03 20:48:31 2015 TLS Error: TLS handshake failed
      Sat Oct 03 20:48:31 2015 SIGUSR1[soft,tls-error] received, process restarting
      Sat Oct 03 20:48:33 2015 UDPv4 link local (bound): [undef]
      Sat Oct 03 20:48:33 2015 UDPv4 link remote: [AF_INET]221.120.215.34:1194
      Sat Oct 03 20:49:10 2015 SIGTERM[hard,] received, process exiting

      Please help me out ASAP so that I may connect.

      Thanks.

      • J
        jolejo10

        I have the same problem as this guy; I'll post a little bit of information about my system.

        I installed pfSense 2.2.4 last week and everything works fine, but I'm trying to configure a remote access server and I can't figure out how to make it work. I followed the documentation on the official page.

        Here is the client log file with Windows 10 (I'll try a Linux client and Windows 7 this weekend):

        Mon Oct 05 22:08:34 2015 UDPv4 link remote: [AF_INET]XX.XX.XXX.XX:1194
        Mon Oct 05 22:09:34 2015 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
        Mon Oct 05 22:09:34 2015 TLS Error: TLS handshake failed
        Mon Oct 05 22:09:34 2015 SIGUSR1[soft,tls-error] received, process restarting
        Mon Oct 05 22:09:36 2015 UDPv4 link local (bound): [undef]
        Mon Oct 05 22:09:36 2015 UDPv4 link remote: [AF_INET]XX.XX.XXX.XX:1194
        Mon Oct 05 22:10:36 2015 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
        Mon Oct 05 22:10:36 2015 TLS Error: TLS handshake failed
        Mon Oct 05 22:10:36 2015 SIGUSR1[soft,tls-error] received, process restarting
        Mon Oct 05 22:10:38 2015 UDPv4 link local (bound): [undef]
        Mon Oct 05 22:10:38 2015 UDPv4 link remote: [AF_INET]XX.XX.XXX.XX:1194
        Mon Oct 05 22:11:39 2015 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
        Mon Oct 05 22:11:39 2015 TLS Error: TLS handshake failed
        Mon Oct 05 22:11:39 2015 SIGUSR1[soft,tls-error] received, process restarting
        Mon Oct 05 22:11:41 2015 UDPv4 link local (bound): [undef]
        Mon Oct 05 22:11:41 2015 UDPv4 link remote: [AF_INET]XX.XX.XXX.XX:1194
        Mon Oct 05 22:11:55 2015 SIGTERM[hard,] received, process exiting

        Here is the server log file:

        Oct  5 20:51:02 pfSense openvpn[17080]: OpenVPN 2.3.7 amd64-portbld-freebsd10.1 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Jun 19 2015
        Oct  5 20:51:02 pfSense openvpn[17080]: library versions: OpenSSL 1.0.1l-freebsd 15 Jan 2015, LZO 2.09
        Oct  5 20:51:02 pfSense openvpn[18097]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
        Oct  5 20:51:02 pfSense openvpn[18097]: Control Channel Authentication: using '/var/etc/openvpn/server1.tls-auth' as a OpenVPN static key file
        Oct  5 20:51:02 pfSense openvpn[18097]: TUN/TAP device ovpns1 exists previously, keep at program end
        Oct  5 20:51:02 pfSense openvpn[18097]: TUN/TAP device /dev/tun1 opened
        Oct  5 20:51:02 pfSense openvpn[18097]: ioctl(TUNSIFMODE): Device busy: Device busy (errno=16)
        Oct  5 20:51:02 pfSense openvpn[18097]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
        Oct  5 20:51:02 pfSense openvpn[18097]: /sbin/ifconfig ovpns1 10.0.10.1 10.0.10.2 mtu 1500 netmask 255.255.255.255 up
        Oct  5 20:51:02 pfSense openvpn[18097]: /usr/local/sbin/ovpn-linkup ovpns1 1500 1557 10.0.10.1 10.0.10.2 init
        Oct  5 20:51:03 pfSense openvpn[18097]: UDPv4 link local (bound): [AF_INET]XX.XX.XX.XX:1194
        Oct  5 20:51:03 pfSense openvpn[18097]: UDPv4 link remote: [undef]
        Oct  5 20:51:03 pfSense openvpn[18097]: Initialization Sequence Completed
        Oct  5 21:34:18 pfSense openvpn[55483]: OpenVPN 2.3.7 amd64-portbld-freebsd10.1 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Jun 19 2015
        Oct  5 21:34:18 pfSense openvpn[55483]: library versions: OpenSSL 1.0.1l-freebsd 15 Jan 2015, LZO 2.09
        Oct  5 21:34:18 pfSense openvpn[55625]: WARNING: using --duplicate-cn and --client-config-dir together is probably not what you want
        Oct  5 21:34:18 pfSense openvpn[55625]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
        Oct  5 21:34:18 pfSense openvpn[55625]: Control Channel Authentication: using '/var/etc/openvpn/server2.tls-auth' as a OpenVPN static key file
        Oct  5 21:34:18 pfSense openvpn[55625]: TUN/TAP device ovpns2 exists previously, keep at program end
        Oct  5 21:34:18 pfSense openvpn[55625]: TUN/TAP device /dev/tun2 opened
        Oct  5 21:34:18 pfSense openvpn[55625]: ioctl(TUNSIFMODE): Device busy: Device busy (errno=16)
        Oct  5 21:34:18 pfSense openvpn[55625]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
        Oct  5 21:34:18 pfSense openvpn[55625]: /sbin/ifconfig ovpns2 10.0.15.1 10.0.15.2 mtu 1500 netmask 255.255.255.255 up
        Oct  5 21:34:18 pfSense openvpn[55625]: /usr/local/sbin/ovpn-linkup ovpns2 1500 1557 10.0.15.1 10.0.15.2 init
        Oct  5 21:34:18 pfSense openvpn[55625]: UDPv4 link local (bound): [AF_INET]XX.XX.XX.XX:1195
        Oct  5 21:34:18 pfSense openvpn[55625]: UDPv4 link remote: [undef]
        Oct  5 21:34:18 pfSense openvpn[55625]: Initialization Sequence Completed
        Oct  5 21:48:12 pfSense openvpn[18097]: /usr/local/sbin/ovpn-linkdown ovpns1 1500 1557 10.0.10.1 10.0.10.2 init
        Oct  5 21:48:12 pfSense openvpn[18097]: SIGTERM[hard,] received, process exiting
        Oct  5 21:48:13 pfSense openvpn[99344]: Options error: --server directive network/netmask combination is invalid
        Oct  5 21:48:13 pfSense openvpn[99344]: Use --help for more information.
        Oct  5 21:49:34 pfSense openvpn[55625]: event_wait : Interrupted system call (code=4)
        Oct  5 21:49:34 pfSense openvpn[55625]: /usr/local/sbin/ovpn-linkdown ovpns2 1500 1557 10.0.15.1 10.0.15.2 init
        Oct  5 21:49:34 pfSense openvpn[55625]: SIGTERM[hard,] received, process exiting

        Here is my config .ovpn:

        dev tun
        persist-tun
        persist-key
        cipher AES-256-CBC
        auth SHA1
        tls-client
        client
        resolv-retry infinite
        remote XX.XX.XXX.XX 1194 udp
        lport 0
        verify-x509-name "myuservpn" name
        auth-user-pass
        pkcs12 pfSense-udp-1194-myuservpn.p12
        tls-auth pfSense-udp-1194-myuservpn-tls.key 1

        I only need a clue on the path that is not working, thanks.

        • V
          viragomann

          Ensure that the server is reachable from the client's site at UDP 1194.

          WAN rules okay?

          • J
            jolejo10

            Yes, the port is open|filtered; I'll check the WAN rules tonight.

            https://pentest-tools.com/network-vulnerability-scanning/udp-port-scanner-online-nmap

            • A
              alirazafaisal

              Can anyone please help me with how to check the server logs and config.vpn file so that I may also share them here to resolve my issue?
              Thanks

              • A
                alirazafaisal

                As I am new and you all are experts, kindly help me with a step-by-step procedure. I will be grateful for this.

                • V
                  viragomann

                  @alirazafaisal:

                  Can anyone please help me with how to check the server logs and config.vpn file so that I may also share them here to resolve my issue?
                  Thanks

                  Go to Diagnostics > Command Prompt
                  In the field beside "File to download" enter "/var/log/openvpn.log" and press Download.
                  Then do the same with /var/etc/openvpn/server1.conf. If you have more than one server also download /var/etc/openvpn/server2.conf and so on.

                  However, please respond to my question above.

                  • J
                    jolejo10

                    Here's a look


                    • V
                      viragomann

                      Your WAN rule is okay to allow OpenVPN connections. The server should be reachable.

                      So try to establish a connection from the client and take a look in the server log (/var/log/openvpn.log) to see if the connection attempt has been logged.
                      If in doubt, run Packet Capture from the Diagnostics menu on the WAN interface to see if your packets arrive. Maybe they don't.

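The check suggested in the reply above (was the connection attempt logged on the server?) can be done mechanically. This is an added example, not part of the original thread or of pfSense: it replays the server log to see whether any OpenVPN instance was bound to the port when the client timed out, and whether any `TLS: Initial packet from` line was logged in the 60-second window. It assumes client and server clocks agree and that the server's verbosity is high enough to log that line; `triage` and its return labels are hypothetical names.

```python
import re
from datetime import datetime, timedelta

# Excerpt of the server log posted in this thread (addresses masked as posted).
SERVER_LOG = """\
Oct  5 20:51:03 pfSense openvpn[18097]: UDPv4 link local (bound): [AF_INET]XX.XX.XX.XX:1194
Oct  5 20:51:03 pfSense openvpn[18097]: Initialization Sequence Completed
Oct  5 21:34:18 pfSense openvpn[55625]: UDPv4 link local (bound): [AF_INET]XX.XX.XX.XX:1195
Oct  5 21:34:18 pfSense openvpn[55625]: Initialization Sequence Completed
Oct  5 21:48:12 pfSense openvpn[18097]: SIGTERM[hard,] received, process exiting
Oct  5 21:48:13 pfSense openvpn[99344]: Options error: --server directive network/netmask combination is invalid
Oct  5 21:49:34 pfSense openvpn[55625]: SIGTERM[hard,] received, process exiting
"""
# One timeout line from the client log posted in this thread.
CLIENT_FAIL = ("Mon Oct 05 22:09:34 2015 TLS Error: TLS key negotiation failed "
               "to occur within 60 seconds (check your network connectivity)")

LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ openvpn\[(\d+)\]: (.*)$")
BOUND = re.compile(r"link local \(bound\): .*:(\d+)$")

def parse_server(log, year):
    """Yield (time, pid, message); syslog omits the year, so the caller supplies it."""
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, int(m.group(2)), m.group(3)

def triage(server_log, client_line, port):
    """Classify one client handshake timeout against the server's own log."""
    fail = datetime.strptime(client_line[:24], "%a %b %d %H:%M:%S %Y")
    start = fail - timedelta(seconds=60)          # the 60 s negotiation window
    bound, up, seen = {}, set(), 0
    for ts, pid, msg in parse_server(server_log, fail.year):
        if ts > fail:
            continue                              # ignore anything after the timeout
        m = BOUND.search(msg)
        if m:
            bound[pid] = int(m.group(1))          # which port this instance serves
        elif "Initialization Sequence Completed" in msg:
            up.add(pid)
        elif "process exiting" in msg:
            up.discard(pid)
        elif "TLS: Initial packet from" in msg and ts >= start and bound.get(pid) == port:
            seen += 1
    if not any(bound.get(pid) == port for pid in up):
        return "no-listener"           # no running instance was serving this port
    if seen == 0:
        return "no-packets-logged"     # check WAN rule / NAT, then packet capture
    return "handshake-reached-server"  # look at tls-auth key, certificates, digest

if __name__ == "__main__":
    print(triage(SERVER_LOG, CLIENT_FAIL, 1194))
```

On the excerpt this returns `no-listener`: the instance bound to 1194 logged its exit at 21:48:12 and the next start ended in an options error, both before the 22:09 client attempt.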
                      • B
                        bitboy0

                        I had the very same problem here … because my client router only likes SHA1 and pfSense creates CA/certs with SHA256 by default...

                        • J
                          jolejo10

                          If anyone is still interested, here are the steps I took to finally make it work:

                          1. I factory reset the pfSense.
                          2. I did the same steps as before but did something more in OpenVPN -> Client Export.
                          3. I checked these options and set a password:

                          Certificate Export Options
                          X Use Microsoft Certificate Storage instead of local files.
                          X Use a password to protect the pkcs12 file contents or key in Viscosity bundle.

                          4. I downloaded the Windows Installers (2.3.8-Ix01):…

                          5. On my other computer on another network I uninstalled OpenVPN and installed it again with the new installer that contains the Microsoft cert....

                          And it WORKS :)
                          This time I did not change the network IP of my internal LAN, but I don't think that was why it didn't work....
                          I changed it back after the VPN was right

                          • A
                            alirazafaisal

                            Can you please let me know which procedure you adopted for OpenVPN to work? Please share the link so that I may get help.

                            • J
                              jolejo10

                              If you check online, they basically all do the same procedure on YouTube or on websites, but you can follow this video:
                              PfSense Open VPN Tutorial (with Narrator) from DlStreamnet
                              https://www.youtube.com/watch?v=VdAHVSTl1ys

                              The only extra step that I did was the step that I wrote in the comment below

                              Certificate Export Options
                                    X Use Microsoft Certificate Storage instead of local files.
                                    X Use a password to protect the pkcs12 file contents or key in Viscosity bundle.

                              Make sure you check those before downloading the OpenVPN file….
