OpenVPN Client - Status UP but unable to ping the server



  • Good morning.
    I have a pfSense 2.2.5-RELEASE (amd64) box with two network interfaces (WAN and LAN) that acts as firewall/router at a secondary school.
    I want to set up a tunnel to an OpenVPN server running on a VPS. The thing is, the tunnel comes up, but something in my firewall rules (or elsewhere) is getting in the way, because I can't reach 10.8.1.1, which would be the VPN gateway.

    I looked at several links as guidance for setting up the tunnel:

    https://forum.pfsense.org/index.php?topic=29944.0
    http://www.bellera.cat/josep/pfsense/openvpn_cs.html
    http://pheriko.blogspot.com.ar/2011/07/pfsense-20.html
    https://forum.pfsense.org/index.php/topic,49136.0.html
    https://chubbable.com/setup-pfsense-as-openvpn-client
    https://www.privateinternetaccess.com/forum/discussion/18111/openvpn-step-by-step-setup-for-pfsense-firewall-router-with-video

    In Status > OpenVPN I have:

    Name             Status  Connected Since           Virtual Addr  Remote Host     Bytes Sent  Bytes Rcvd
    openvpn-vps UDP  up      Thu Dec 17 11:57:07 2015  10.8.1.18     ip_server_ovpn  22 KB       7 KB

    I have these OpenVPN logs on the pfSense:

    Dec 17 11:57:01 openvpn[73136]: OpenVPN 2.3.8 amd64-portbld-freebsd10.1 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Aug 21 2015
    Dec 17 11:57:01 openvpn[73136]: library versions: OpenSSL 1.0.1l-freebsd 15 Jan 2015, LZO 2.09
    Dec 17 11:57:01 openvpn[73147]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
    Dec 17 11:57:01 openvpn[73147]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Dec 17 11:57:01 openvpn[73147]: Control Channel Authentication: using '/var/etc/openvpn/client1.tls-auth' as a OpenVPN static key file
    Dec 17 11:57:01 openvpn[73147]: UDPv4 link local (bound): [AF_INET]192.168.1.4
    Dec 17 11:57:01 openvpn[73147]: UDPv4 link remote: [AF_INET]ip_server_ovpn:1194
    Dec 17 11:57:05 openvpn[73147]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1562', remote='link-mtu 1542'
    Dec 17 11:57:05 openvpn[73147]: WARNING: 'mtu-dynamic' is present in local config but missing in remote config, local='mtu-dynamic'
    Dec 17 11:57:05 openvpn[73147]: WARNING: 'cipher' is used inconsistently, local='cipher AES-128-CBC', remote='cipher BF-CBC'
    Dec 17 11:57:05 openvpn[73147]: [Diego H. Cancelo] Peer Connection Initiated with [AF_INET]ip_server_ovpn:1194
    Dec 17 11:57:07 openvpn[73147]: TUN/TAP device ovpnc1 exists previously, keep at program end
    Dec 17 11:57:07 openvpn[73147]: TUN/TAP device /dev/tun1 opened
    Dec 17 11:57:07 openvpn[73147]: do_ifconfig, tt->ipv6=1, tt->did_ifconfig_ipv6_setup=0
    Dec 17 11:57:07 openvpn[73147]: /sbin/ifconfig ovpnc1 10.8.1.18 10.8.1.17 mtu 1500 netmask 255.255.255.255 up
    Dec 17 11:57:07 openvpn[73147]: /usr/local/sbin/ovpn-linkup ovpnc1 1500 1562 10.8.1.18 10.8.1.17 init
    Dec 17 11:57:07 openvpn[73147]: Initialization Sequence Completed
    Dec 17 11:57:37 openvpn[73147]: Authenticate/Decrypt packet error: cipher final failed

    I have the OpenVPN1 interface created,

    and the gateway OPENVPN1_VPNV4 set to dynamic.

    In the firewall, on LAN, I have:

    ID  Proto   Source        Port  Destination  Port  Gateway  Queue
        IPv4 *  OPENVPN1 net  *     *            *     *        none

    In the firewall, on OPENVPN1, I have:

    ID  Proto   Source  Port  Destination  Port  Gateway  Queue
        IPv4 *  *       *     *            *     *        none

    In the firewall, on WAN, I also have:

    ID  Proto   Source        Port  Destination  Port  Gateway  Queue
        IPv4 *  OPENVPN1 net  *     *            *     *        none

    In the logs of my OpenVPN server on the VPS I have this:

    Thu Dec 17 14:56:54 2015 us=146554 MULTI: multi_create_instance called
    Thu Dec 17 14:56:54 2015 us=168425 200.61.16.66:29305 Re-using SSL/TLS context
    Thu Dec 17 14:56:54 2015 us=168493 200.61.16.66:29305 LZO compression initialized
    Thu Dec 17 14:56:54 2015 us=168601 200.61.16.66:29305 Control Channel MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
    Thu Dec 17 14:56:54 2015 us=168621 200.61.16.66:29305 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
    Thu Dec 17 14:56:54 2015 us=168658 200.61.16.66:29305 Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
    Thu Dec 17 14:56:54 2015 us=168672 200.61.16.66:29305 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
    Thu Dec 17 14:56:54 2015 us=168695 200.61.16.66:29305 Local Options hash (VER=V4): '14168603'
    Thu Dec 17 14:56:54 2015 us=168724 200.61.16.66:29305 Expected Remote Options hash (VER=V4): '504e774e'
    Thu Dec 17 14:56:54 2015 us=168767 200.61.16.66:29305 TLS: Initial packet from [AF_INET]200.61.16.66:29305, sid=e66ab87f 7ed53aad
    Thu Dec 17 14:56:57 2015 us=100773 200.61.16.66:29305 CRL CHECK OK: C=AR, ST=Neuquen, L=Las Ovejas, O=Boot Sector, OU=IServicios en TI, CN=, emailAddress=
    Thu Dec 17 14:56:57 2015 us=100834 200.61.16.66:29305 VERIFY OK: depth=1, C=AR, ST=Neuquen, L=Las Ovejas, O=Boot Sector, OU=IServicios en TI, CN=, emailAddress=
    Thu Dec 17 14:56:57 2015 us=101119 200.61.16.66:29305 CRL CHECK OK: C=AR, ST=Neuquen, O=Boot Sector, OU=Informatica, CN=pfsense.epea1.com.ar, emailAddress=
    Thu Dec 17 14:56:57 2015 us=101159 200.61.16.66:29305 VERIFY OK: depth=0, C=AR, ST=Neuquen, O=Boot Sector, OU=Informatica, CN=pfsense.epea1.com.ar, emailAddress=
    Thu Dec 17 14:56:57 2015 us=558199 200.61.16.66:29305 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1542', remote='link-mtu 1562'
    Thu Dec 17 14:56:57 2015 us=558254 200.61.16.66:29305 WARNING: 'cipher' is used inconsistently, local='cipher BF-CBC', remote='cipher AES-128-CBC'
    Thu Dec 17 14:56:57 2015 us=558309 200.61.16.66:29305 WARNING: 'mtu-dynamic' is present in remote config but missing in local config, remote='mtu-dynamic'
    Thu Dec 17 14:56:57 2015 us=558483 200.61.16.66:29305 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Thu Dec 17 14:56:57 2015 us=558500 200.61.16.66:29305 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Thu Dec 17 14:56:57 2015 us=558562 200.61.16.66:29305 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Thu Dec 17 14:56:57 2015 us=558576 200.61.16.66:29305 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Thu Dec 17 14:56:57 2015 us=771625 200.61.16.66:29305 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
    Thu Dec 17 14:56:57 2015 us=771683 200.61.16.66:29305 [pfsense.epea1.com.ar] Peer Connection Initiated with [AF_INET]200.61.16.66:29305
    Thu Dec 17 14:56:57 2015 us=780207 pfsense.epea1.com.ar/200.61.16.66:29305 MULTI_sva: pool returned IPv4=10.8.1.18, IPv6=(Not enabled)
    Thu Dec 17 14:56:57 2015 us=780274 pfsense.epea1.com.ar/200.61.16.66:29305 MULTI: Learn: 10.8.1.18 -> pfsense.epea1.com.ar/200.61.16.66:29305
    Thu Dec 17 14:56:57 2015 us=780290 pfsense.epea1.com.ar/200.61.16.66:29305 MULTI: primary virtual IP for pfsense.epea1.com.ar/200.61.16.66:29305: 10.8.1.18
    Thu Dec 17 14:57:00 2015 us=82093 pfsense.epea1.com.ar/200.61.16.66:29305 PUSH: Received control message: 'PUSH_REQUEST'
    Thu Dec 17 14:57:00 2015 us=82141 pfsense.epea1.com.ar/200.61.16.66:29305 send_push_reply(): safe_cap=940
    Thu Dec 17 14:57:00 2015 us=82178 pfsense.epea1.com.ar/200.61.16.66:29305 SENT CONTROL [pfsense.epea1.com.ar]: 'PUSH_REPLY,dhcp-option DNS 10.8.1.1,route 10.8.1.1,topology net30,ping 30,ping-restart 180,ifconfig 10.8.1.18 10.8.1.17' (status=1)
    Thu Dec 17 14:57:00 2015 us=669091 pfsense.epea1.com.ar/200.61.16.66:29305 Authenticate/Decrypt packet error: cipher final failed

    And then several more lines like the last one follow: 200.61.16.66:29305 Authenticate/Decrypt packet error: cipher final failed

    But when I ping from the VPS to 10.8.1.18, the address assigned to the pfSense, I can't reach it either.

    Can anyone think of what the problem might be?
    Thanks a lot for reading.



  • Hi,

    Look at these three lines:

    Dec 17 11:57:05   openvpn[73147]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1562', remote='link-mtu 1542'
    Dec 17 11:57:05   openvpn[73147]: WARNING: 'mtu-dynamic' is present in local config but missing in remote config, local='mtu-dynamic'
    Dec 17 11:57:05   openvpn[73147]: WARNING: 'cipher' is used inconsistently, local='cipher AES-128-CBC', remote='cipher BF-CBC'

    They tell you that the MTU size and the cipher type don't match. About the second one I'm not entirely sure (I'm a beginner too). You have to configure the same thing on both sides, so you need to configure the server to match what is shown under "local", or change the client configuration.

    If you want to change the client's, try adding or changing this in your client config file and let us know:

    cipher BF-CBC
    link-mtu 1542

    Regards!
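
The mismatch warnings the reply points at are regular enough to parse, and the "cipher final failed" errors on both ends follow directly from the cipher one: in OpenVPN 2.3 the data-channel cipher is not negotiated, so a packet encrypted with AES-128-CBC on the pfSense cannot be decrypted by a server expecting BF-CBC, which is why the tunnel shows UP while no ping crosses it. Below is an added example, not code from either poster, from pfSense or from OpenVPN: a small Python script that reads log lines in the format shown above, extracts every "'X' is used inconsistently" warning, derives the directives either peer would need so that the two configs match, and counts the decrypt errors. It also flags the "No server certificate verification method has been enabled" line from the client log, which the thread does not discuss: matching the cipher will make traffic flow, but until the client checks that the peer presents a server certificate (`remote-cert-tls server`), any holder of a certificate issued by the same CA could stand in for the VPS. Of the reply's two options, moving the server to the client's AES-128-CBC is the better one, since BF-CBC is Blowfish with a 64-bit block; the script says so when it sees it. The sample log lines are copied from the posts above; the names `Report`, `analyse`, `directives_for` and `diagnose` are this example's own.

```python
"""Derive the fix for OpenVPN option-mismatch warnings from a peer's log.

Added example for the thread above; not code from the posters, pfSense or
OpenVPN. Sample log lines are copied from the posts. The names Report,
analyse, directives_for and diagnose are this example's own.
"""
import re
from dataclasses import dataclass, field

MISMATCH_RE = re.compile(
    r"WARNING: '(?P<opt>[\w-]+)' is used inconsistently, "
    r"local='(?P<local>[^']*)', remote='(?P<remote>[^']*)'"
)
NO_VERIFY_RE = re.compile(r"No server certificate verification method has been enabled")
DECRYPT_ERR_RE = re.compile(r"Authenticate/Decrypt packet error: cipher final failed")
# Ciphers with a 64-bit block size (Blowfish, DES, CAST5): avoid on new tunnels.
SMALL_BLOCK_PREFIXES = ("BF-", "DES-", "CAST5-")

# Client-side lines, copied from the pfSense log in the first post.
CLIENT_LOG = """\
Dec 17 11:57:01 openvpn[73147]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Dec 17 11:57:05 openvpn[73147]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1562', remote='link-mtu 1542'
Dec 17 11:57:05 openvpn[73147]: WARNING: 'cipher' is used inconsistently, local='cipher AES-128-CBC', remote='cipher BF-CBC'
Dec 17 11:57:07 openvpn[73147]: Initialization Sequence Completed
Dec 17 11:57:37 openvpn[73147]: Authenticate/Decrypt packet error: cipher final failed
"""

# Server-side lines, copied from the VPS log in the first post (same mismatch, other end).
SERVER_LOG = """\
Thu Dec 17 14:56:57 2015 us=558199 200.61.16.66:29305 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1542', remote='link-mtu 1562'
Thu Dec 17 14:56:57 2015 us=558254 200.61.16.66:29305 WARNING: 'cipher' is used inconsistently, local='cipher BF-CBC', remote='cipher AES-128-CBC'
Thu Dec 17 14:57:00 2015 us=669091 pfsense.epea1.com.ar/200.61.16.66:29305 Authenticate/Decrypt packet error: cipher final failed
"""


@dataclass
class Report:
    # option name -> {"client": "cipher AES-128-CBC", "server": "cipher BF-CBC"}
    mismatches: dict = field(default_factory=dict)
    server_not_verified: bool = False
    decrypt_errors: int = 0


def analyse(log_text: str, local_role: str = "client") -> Report:
    """Collect mismatch warnings and decrypt errors from one peer's log.

    local_role names the peer that wrote the log, so the 'local'/'remote'
    values in the warnings are stored under 'client'/'server' consistently
    whichever end the log came from.
    """
    if local_role not in ("client", "server"):
        raise ValueError("local_role must be 'client' or 'server'")
    remote_role = "server" if local_role == "client" else "client"
    report = Report()
    for line in log_text.splitlines():
        m = MISMATCH_RE.search(line)
        if m:
            report.mismatches[m["opt"]] = {local_role: m["local"], remote_role: m["remote"]}
        elif NO_VERIFY_RE.search(line):
            report.server_not_verified = True
        elif DECRYPT_ERR_RE.search(line):
            report.decrypt_errors += 1
    return report


def directives_for(report: Report, side: str) -> list:
    """Config directives `side` ('client' or 'server') needs in order to match the other peer."""
    other = "server" if side == "client" else "client"
    return [vals[other] for _, vals in sorted(report.mismatches.items())]


def diagnose(report: Report) -> list:
    """Findings in plain words: connectivity first, then the security caveats."""
    findings = []
    if "cipher" in report.mismatches:
        client_c = report.mismatches["cipher"]["client"]
        server_c = report.mismatches["cipher"]["server"]
        msg = f"data-channel cipher mismatch ({client_c} vs {server_c})"
        if report.decrypt_errors:
            msg += (f"; accounts for {report.decrypt_errors} 'cipher final failed' error(s):"
                    " the tunnel is UP but no data packet decrypts")
        findings.append(msg)
        for c in (client_c, server_c):
            name = c.split()[-1].upper()
            if name.startswith(SMALL_BLOCK_PREFIXES):
                findings.append(f"{name} is a 64-bit-block cipher; prefer an AES option on both sides")
    if "link-mtu" in report.mismatches:
        findings.append("link-mtu mismatch: once the cipher matches, full-size packets may still be dropped")
    if report.server_not_verified:
        findings.append("client does not verify that the peer holds a server certificate;"
                        " add 'remote-cert-tls server' on the client")
    return findings


if __name__ == "__main__":
    for role, log in (("client", CLIENT_LOG), ("server", SERVER_LOG)):
        rep = analyse(log, local_role=role)
        print(f"== {role} log ==")
        for finding in diagnose(rep):
            print("  -", finding)
        print("  client directives to match server:", directives_for(rep, "client"))
        print("  server directives to match client:", directives_for(rep, "server"))
```

Run against the two logs it reports the same pair of mismatches from either end, `directives_for(rep, "client")` reproduces the two lines the reply suggests (`cipher BF-CBC`, `link-mtu 1542`), and `directives_for(rep, "server")` gives the alternative of raising the server to `cipher AES-128-CBC` and `link-mtu 1562`. The `mtu-dynamic` warning is deliberately left alone: it names an option only one side sets, not a value to copy across.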

