PFSENSE TLS Error: TLS key negotiation failed to occur within 60 seconds

alirazafaisal

Hi Experts,

i am trying to connect my office Pfsense network remotely but getting the subjected error whose logs are as below:

Sat Oct 03 20:45:15 2015 OpenVPN 2.3.8 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Aug  4 2015
Sat Oct 03 20:45:15 2015 library versions: OpenSSL 1.0.1p 9 Jul 2015, LZO 2.08
Enter Management Password:
Sat Oct 03 20:45:26 2015 Control Channel Authentication: using 'Nestle-udp-1194-vpnuser1-tls.key' as a OpenVPN static key file
Sat Oct 03 20:45:26 2015 UDPv4 link local (bound): [undef]
Sat Oct 03 20:45:26 2015 UDPv4 link remote: [AF_INET]221.120.215.34:1194
Sat Oct 03 20:46:27 2015 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Oct 03 20:46:27 2015 TLS Error: TLS handshake failed
Sat Oct 03 20:46:27 2015 SIGUSR1[soft,tls-error] received, process restarting
Sat Oct 03 20:46:29 2015 UDPv4 link local (bound): [undef]
Sat Oct 03 20:46:29 2015 UDPv4 link remote: [AF_INET]221.120.215.34:1194
Sat Oct 03 20:47:29 2015 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Oct 03 20:47:29 2015 TLS Error: TLS handshake failed
Sat Oct 03 20:47:29 2015 SIGUSR1[soft,tls-error] received, process restarting
Sat Oct 03 20:47:31 2015 UDPv4 link local (bound): [undef]
Sat Oct 03 20:47:31 2015 UDPv4 link remote: [AF_INET]221.120.215.34:1194
Sat Oct 03 20:48:31 2015 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sat Oct 03 20:48:31 2015 TLS Error: TLS handshake failed
Sat Oct 03 20:48:31 2015 SIGUSR1[soft,tls-error] received, process restarting
Sat Oct 03 20:48:33 2015 UDPv4 link local (bound): [undef]
Sat Oct 03 20:48:33 2015 UDPv4 link remote: [AF_INET]221.120.215.34:1194
Sat Oct 03 20:49:10 2015 SIGTERM[hard,] received, process exiting

please help me out ASAP so that i may connect.

Thanks.

jolejo10

I have the same problem that this guys, i'll post a little bit information about my system,

I've install pfsense 2.2.4 last week, everthing work fine but i'm trying to configure an remote access server. And i can't figure out to make it work. I've follow the documentation on the official page.

Here are the client log  file  with Windows 10, (i'll try linux client and windows 7 this weekend) :

Mon Oct 05 22:08:34 2015 UDPv4 link remote: [AF_INET]XX.XX.XXX.XX:1194
Mon Oct 05 22:09:34 2015 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Oct 05 22:09:34 2015 TLS Error: TLS handshake failed
Mon Oct 05 22:09:34 2015 SIGUSR1[soft,tls-error] received, process restarting
Mon Oct 05 22:09:36 2015 UDPv4 link local (bound): [undef]
Mon Oct 05 22:09:36 2015 UDPv4 link remote: [AF_INET]XX.XX.XXX.XX:1194
Mon Oct 05 22:10:36 2015 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Oct 05 22:10:36 2015 TLS Error: TLS handshake failed
Mon Oct 05 22:10:36 2015 SIGUSR1[soft,tls-error] received, process restarting
Mon Oct 05 22:10:38 2015 UDPv4 link local (bound): [undef]
Mon Oct 05 22:10:38 2015 UDPv4 link remote: [AF_INET]XX.XX.XXX.XX:1194
Mon Oct 05 22:11:39 2015 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Oct 05 22:11:39 2015 TLS Error: TLS handshake failed
Mon Oct 05 22:11:39 2015 SIGUSR1[soft,tls-error] received, process restarting
Mon Oct 05 22:11:41 2015 UDPv4 link local (bound): [undef]
Mon Oct 05 22:11:41 2015 UDPv4 link remote: [AF_INET]XX.XX.XXX.XX:1194
Mon Oct 05 22:11:55 2015 SIGTERM[hard,] received, process exiting

Here are the server log  file :

Oct  5 20:51:02 pfSense openvpn[17080]: OpenVPN 2.3.7 amd64-portbld-freebsd10.1 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Jun 19 2015
Oct  5 20:51:02 pfSense openvpn[17080]: library versions: OpenSSL 1.0.1l-freebsd 15 Jan 2015, LZO 2.09
Oct  5 20:51:02 pfSense openvpn[18097]: NOTE: the current –script-security setting may allow this configuration to call user-defined scripts
Oct  5 20:51:02 pfSense openvpn[18097]: Control Channel Authentication: using '/var/etc/openvpn/server1.tls-auth' as a OpenVPN static key file
Oct  5 20:51:02 pfSense openvpn[18097]: TUN/TAP device ovpns1 exists previously, keep at program end
Oct  5 20:51:02 pfSense openvpn[18097]: TUN/TAP device /dev/tun1 opened
Oct  5 20:51:02 pfSense openvpn[18097]: ioctl(TUNSIFMODE): Device busy: Device busy (errno=16)
Oct  5 20:51:02 pfSense openvpn[18097]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
Oct  5 20:51:02 pfSense openvpn[18097]: /sbin/ifconfig ovpns1 10.0.10.1 10.0.10.2 mtu 1500 netmask 255.255.255.255 up
Oct  5 20:51:02 pfSense openvpn[18097]: /usr/local/sbin/ovpn-linkup ovpns1 1500 1557 10.0.10.1 10.0.10.2 init
Oct  5 20:51:03 pfSense openvpn[18097]: UDPv4 link local (bound): [AF_INET]XX.XX.XX.XX:1194
Oct  5 20:51:03 pfSense openvpn[18097]: UDPv4 link remote: [undef]
Oct  5 20:51:03 pfSense openvpn[18097]: Initialization Sequence Completed
Oct  5 21:34:18 pfSense openvpn[55483]: OpenVPN 2.3.7 amd64-portbld-freebsd10.1 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Jun 19 2015
Oct  5 21:34:18 pfSense openvpn[55483]: library versions: OpenSSL 1.0.1l-freebsd 15 Jan 2015, LZO 2.09
Oct  5 21:34:18 pfSense openvpn[55625]: WARNING: using –duplicate-cn and --client-config-dir together is probably not what you want
Oct  5 21:34:18 pfSense openvpn[55625]: NOTE: the current –script-security setting may allow this configuration to call user-defined scripts
Oct  5 21:34:18 pfSense openvpn[55625]: Control Channel Authentication: using '/var/etc/openvpn/server2.tls-auth' as a OpenVPN static key file
Oct  5 21:34:18 pfSense openvpn[55625]: TUN/TAP device ovpns2 exists previously, keep at program end
Oct  5 21:34:18 pfSense openvpn[55625]: TUN/TAP device /dev/tun2 opened
Oct  5 21:34:18 pfSense openvpn[55625]: ioctl(TUNSIFMODE): Device busy: Device busy (errno=16)
Oct  5 21:34:18 pfSense openvpn[55625]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
Oct  5 21:34:18 pfSense openvpn[55625]: /sbin/ifconfig ovpns2 10.0.15.1 10.0.15.2 mtu 1500 netmask 255.255.255.255 up
Oct  5 21:34:18 pfSense openvpn[55625]: /usr/local/sbin/ovpn-linkup ovpns2 1500 1557 10.0.15.1 10.0.15.2 init
Oct  5 21:34:18 pfSense openvpn[55625]: UDPv4 link local (bound): [AF_INET]XX.XX.XX.XX:1195
Oct  5 21:34:18 pfSense openvpn[55625]: UDPv4 link remote: [undef]
Oct  5 21:34:18 pfSense openvpn[55625]: Initialization Sequence Completed
Oct  5 21:48:12 pfSense openvpn[18097]: /usr/local/sbin/ovpn-linkdown ovpns1 1500 1557 10.0.10.1 10.0.10.2 init
Oct  5 21:48:12 pfSense openvpn[18097]: SIGTERM[hard,] received, process exiting
Oct  5 21:48:13 pfSense openvpn[99344]: Options error: –server directive network/netmask combination is invalid
Oct  5 21:48:13 pfSense openvpn[99344]: Use –help for more information.
Oct  5 21:49:34 pfSense openvpn[55625]: event_wait : Interrupted system call (code=4)
Oct  5 21:49:34 pfSense openvpn[55625]: /usr/local/sbin/ovpn-linkdown ovpns2 1500 1557 10.0.15.1 10.0.15.2 init
Oct  5 21:49:34 pfSense openvpn[55625]: SIGTERM[hard,] received, process exiting

Here my config .ovpn

dev tun
persist-tun
persist-key
cipher AES-256-CBC
auth SHA1
tls-client
client
resolv-retry infinite
remote XX.XX.XXX.XX 1194 udp
lport 0
verify-x509-name "myuservpn" name
auth-user-pass
pkcs12 pfSense-udp-1194-myuservpn.p12
tls-auth pfSense-udp-1194-myuservpn-tls.key 1

I've only need a clue on the path that is not working, tks

viragomann

Ensure that the server is reachable from the clients site at UDP 1194.

WAN rules okay?

jolejo10

Yes the port is open|filtered, i'll check the wan rules tonight

https://pentest-tools.com/network-vulnerability-scanning/udp-port-scanner-online-nmap

alirazafaisal

Can anyone please help me how to check server logs and config.vpn file so that i may also share it here to resolve my issue.
Thanks

alirazafaisal

As i am new and you all are experts, kindly help me for step by step procedure. I will be grateful for this.

viragomann

@alirazafaisal:

Can anyone please help me how to check server logs and config.vpn file so that i may also share it here to resolve my issue.
Thanks

Go to Diagnostics > Command Prompt
In the field beside "File to download" enter "/var/log/openvpn.log" and press Download.
Then do the same with /var/etc/openvpn/server1.conf. If you have more than one server also download /var/etc/openvpn/server2.conf and so on.

However, please respond to my question above.

jolejo10

Here a look

viragomann

Your WAN rule is okay to allow OpenVPN connections. The server should be reachable.

So try to establish a connection from client and take a look in the server protocol (/var/log/openvpn.log) if the connection attempt is been logged.
In doubt run Packet Capture from Diagnostic menu at WAN interface to see if your packet arrive. Maybe they don't.

bitboy0

I had the very same Problem here … because my client-router only likes SHA1 and PfSense creates CA/CERTS with SHA256 per default...

jolejo10

If anyone is still interest, here the step i made to make it work fiinaly,

1. I factory reset the pfsense
2. I did the same step that before but did something more in the open vpn -> client export
3. I check this option and put a password

Certificate Export Options
X Use Microsoft Certificate Storage instead of local files.
X Use a password to protect the pkcs12 file contents or key in Viscosity bundle.

4. I download the  Windows Installers (2.3.8-Ix01):…

5. In my other computer on another network  i uninstall openvpn and install it back with the new installer that contain the microsoft cert....

And it WORK :)
This time i did not change the network ip of my internal lan but i don't think that was why it didn't work....
I change it back after the vpn was right

alirazafaisal

Can you please let me know which procedure you adopted for the OPENVPN to work. please share the link so that I may get help.

jolejo10

If you check  online, they basicly do all the same procedure on youtube or on website, but you can follow this video
PfSense Open VPN Tutorial (with Narrator)    from    DlStreamnet
https://www.youtube.com/watch?v=VdAHVSTl1ys

The only step that i did more was the step that i write in the commend below

Certificate Export Options   
      X Use Microsoft Certificate Storage instead of local files.
      X Use a password to protect the pkcs12 file contents or key in Viscosity bundle.

Make sur you check those before download the openvpn file….