Can't get setup to work - TLS handshake failed.

internee
OpenVpn Newbie
Posts: 2
Joined: Thu May 18, 2017 7:59 am

Can't get setup to work - TLS handshake failed.

Post by internee » Thu May 18, 2017 9:09 am

Hello everyone

As my nickname suggests, I'm currently an intern for a well-known company in my area.
They need a VPN server to manage installations at other companies, and it's my task to realise this.
Currently working with Access Server because it requires a site-to-site setup to control the environment system our mechanics have placed at customers.

I first tried it with the free version. After some tweaking I managed to run it on Ubuntu 16.04, but a bit later we realised that it wasn't fit for how we had intended it (we needed site-to-site :!: ).

Installed AS on a VHD and walked through the init file, keeping the original settings from the Cisco ASA.
Set up the following on the AS web GUI:
Web Interface Settings
10.200.0.0/16 Dynamic IP Address Network
10.100.0.0/19 Static IP Address Network
Hostname or IP address: xxx.xxx.xxx.xxx
Interface: 10.10.1.23 (Port: 943 for admin / client)
Port: 1194
Proto: UDP
OSI layer for VPN tunneling: Layer 3 (Routing/NAT)
User Pietje
VPN Static IP Address: 10.100.0.2
VPN Gateway: 192.168.2.1/24
Allow Access From: all server-side private subnets (yes)
Should client Internet traffic be routed through the VPN?: Yes
Should clients be allowed to access network services on the VPN gateway IP address?: Yes
Allow Auto Login: Yes
Use NAT: Yes
Example:

Virtual AS > cisco asa 5510 > Internet > ASUS 4G-AC55U with Openvpn client > Environment system
I currently made a test setup with a laptop in place of the system so I can monitor traffic and logs.

Now, after a good number of hours, I still can't get it to work and would like to get some fresh insight from the forum over here.
Client Config
# Automatically generated OpenVPN client config file
# Generated on Wed May 17 23:38:20 2017 by openvpnas2
# Note: this config file contains inline private keys
# and therefore should be kept confidential!
# Note: this configuration is user-locked to the username below
# OVPN_ACCESS_SERVER_USERNAME=pietje
# Define the profile name of this particular configuration file
# OVPN_ACCESS_SERVER_PROFILE=pietje@xxx.xxx.xxx.xxx/AUTOLOGIN
# OVPN_ACCESS_SERVER_AUTOLOGIN=1
# OVPN_ACCESS_SERVER_CLI_PREF_ALLOW_WEB_IMPORT=True
# OVPN_ACCESS_SERVER_CLI_PREF_BASIC_CLIENT=False
# OVPN_ACCESS_SERVER_CLI_PREF_ENABLE_CONNECT=True
# OVPN_ACCESS_SERVER_CLI_PREF_ENABLE_XD_PROXY=True
# OVPN_ACCESS_SERVER_WSHOST=xxx.xxx.xxx.xxx:943
# OVPN_ACCESS_SERVER_WEB_CA_BUNDLE_START
# -----BEGIN CERTIFICATE-----
# MIIDBjCCAe6gAwIBAgIEWRqp/DANBgkqhkiG9w0BAQsFADA8MTowOAYDVQQDDDFP
# cGVuVlBOIFdlYiBDQSAyMDE3LjA1LjE2IDAwOjI3OjU2IFBEVCBvcGVudnBuYXMy
# -----END CERTIFICATE-----
# OVPN_ACCESS_SERVER_WEB_CA_BUNDLE_STOP
# OVPN_ACCESS_SERVER_IS_OPENVPN_WEB_CA=1
# OVPN_ACCESS_SERVER_ORGANIZATION=Pranger-Rosier installaties
setenv FORWARD_COMPATIBLE 1
client
proto udp
nobind
remote xxx.xxx.xxx.xxx 1194
port 1194
dev tun
dev-type tun
ns-cert-type server
setenv opt tls-version-min 1.0 or-highest
reneg-sec 604800
sndbuf 100000
rcvbuf 100000
# NOTE: LZO commands are pushed by the Access Server at connect time.
# NOTE: The below line doesn't disable LZO.
comp-lzo no
verb 6
setenv PUSH_PEER_INFO

<ca>
-----BEGIN CERTIFICATE-----
MIICuDCCAaCgAwIBAgIEWRqp9jANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQDDApP
cGVuVlBOIENBMB4XDTE3MDUwOTA3Mjc1MFoXDTI3MDUxNDA3Mjc1MFowFTETMBEG
-----END CERTIFICATE-----
</ca>

<cert>
-----BEGIN CERTIFICATE-----
MIICyTCCAbGgAwIBAgIBAzANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQDDApPcGVu
VlBOIENBMB4XDTE3MDUwOTExMjA1NloXDTI3MDUxNDExMjA1NlowGTEXMBUGA1UE
-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN PRIVATE KEY-----
MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDJdX5bfF7Txtzu
8dE9gMhelsC0ypnZd0D4mcF/U//u9DNrRD2LviDz9ebYO1VySEmfSrZsJSkqgPot
-----END PRIVATE KEY-----
</key>

key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key (Server Agent)
#
-----BEGIN OpenVPN Static key V1-----
172d8c743193012adf0d3552060dab52
0e8cf0f9fd924242c5cce67ba5bbdc85
-----END OpenVPN Static key V1-----
</tls-auth>

## -----BEGIN RSA SIGNATURE-----
## DIGEST:sha256
## uZASfEW1AacN7SIHtJP2OmiK8hbpfX7IT1kDPw9y+bXfwiL2H6
## NdiD/XlRdG2P0NnX++D/MIF6ZtTLqNG6fxvRw2lA3YBgfPjP5g
## -----END RSA SIGNATURE-----
## -----BEGIN CERTIFICATE-----
## MIIC7zCCAdegAwIBAgIEWRqp/TANBgkqhkiG9w0BAQsFADA8MTowOAYDVQQDDDFP
## cGVuVlBOIFdlYiBDQSAyMDE3LjA1LjE2IDAwOjI3OjU2IFBEVCBvcGVudnBuYXMy
## -----END CERTIFICATE-----
## -----BEGIN CERTIFICATE-----
## MIIDBjCCAe6gAwIBAgIEWRqp/DANBgkqhkiG9w0BAQsFADA8MTowOAYDVQQDDDFP
## cGVuVlBOIFdlYiBDQSAyMDE3LjA1LjE2IDAwOjI3OjU2IFBEVCBvcGVudnBuYXMy
## -----END CERTIFICATE-----

ASUS 4G-AC55U log
May 18 10:33:19 openvpn[2751]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
May 18 10:33:19 openvpn[2751]: TLS Error: TLS handshake failed
May 18 10:33:19 openvpn[2751]: TCP/UDP: Closing socket
May 18 10:33:19 openvpn[2751]: SIGUSR1[soft,tls-error] received, process restarting
May 18 10:33:19 openvpn[2751]: Restart pause, 2 second(s)
May 18 10:33:21 openvpn[2751]: Re-using SSL/TLS context
May 18 10:33:21 openvpn[2751]: LZO compression initialized
May 18 10:33:21 openvpn[2751]: Control Channel MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
May 18 10:33:21 openvpn[2751]: Socket Buffers: R=[163840->200000] S=[163840->200000]
May 18 10:33:21 openvpn[2751]: Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
May 18 10:33:21 openvpn[2751]: Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
May 18 10:33:21 openvpn[2751]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
May 18 10:33:21 openvpn[2751]: Local Options hash (VER=V4): '504e774e'
May 18 10:33:21 openvpn[2751]: Expected Remote Options hash (VER=V4): '14168603'
May 18 10:33:21 openvpn[2751]: UDPv4 link local: [undef]
May 18 10:33:21 openvpn[2751]: UDPv4 link remote: [AF_INET]xxx.xxx.xxx.xxx:1194
May 18 10:33:21 openvpn[2751]: UDPv4 WRITE [42] to [AF_INET]xxx.xxx.xxx.xxx:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #1 ] [ ] pid=0 DATA len=0
May 18 10:33:23 openvpn[2751]: UDPv4 WRITE [42] to [AF_INET]xxx.xxx.xxx.xxx:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #2 ] [ ] pid=0 DATA len=0
May 18 10:33:27 openvpn[2751]: UDPv4 WRITE [42] to [AF_INET]xxx.xxx.xxx.xxx:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #3 ] [ ] pid=0 DATA len=0
May 18 10:33:35 openvpn[2751]: UDPv4 WRITE [42] to [AF_INET]xxx.xxx.xxx.xxx:1194: P_CONTROL_HAR
I hope I have provided you guys with enough information to help me diagnose this problem.
I know it has something to do with the TLS handshake but can't quite put my finger on it.

Things I have tried already
  • Made a new user with certificate.
  • Went from TCP to UDP (also changed the ASA rules).
  • Tried entering certificates manually in the ASUS router.
And yes, I know my security is weak at the moment, but first I would like to get it to work. :cry:

Regards
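The router log above has the two signs worth reading before touching certificates: the client writes P_CONTROL_HARD_RESET_CLIENT_V2 three times, never logs a single UDPv4 READ, and then reports the 60-second TLS key negotiation timeout, while its "Local Options String" and "Expected Remote Options String" differ only in the fields that are supposed to differ (keydir, tls-client/tls-server). The script below is an added example, not code from the post or from OpenVPN Access Server: it classifies such a log (no reply at all versus a stalled handshake) and compares option strings while ignoring the legitimately asymmetric fields. The sample log is a constructed subset of the lines quoted in the post, and the server options string with a different cipher is a hypothetical value that exists only to show a real mismatch being flagged.

```python
"""Classify an OpenVPN client's TLS-handshake failure from a verbose (verb 6) log.

Added example; not from the forum post or from OpenVPN Access Server.
"""
import re

# Constructed sample: a subset of the ASUS router log lines from the post,
# with the server address masked as in the original.
SAMPLE_LOG = """\
May 18 10:33:19 openvpn[2751]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
May 18 10:33:19 openvpn[2751]: TLS Error: TLS handshake failed
May 18 10:33:21 openvpn[2751]: Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
May 18 10:33:21 openvpn[2751]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
May 18 10:33:21 openvpn[2751]: UDPv4 WRITE [42] to [AF_INET]xxx.xxx.xxx.xxx:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #1 ] [ ] pid=0 DATA len=0
May 18 10:33:23 openvpn[2751]: UDPv4 WRITE [42] to [AF_INET]xxx.xxx.xxx.xxx:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #2 ] [ ] pid=0 DATA len=0
May 18 10:33:27 openvpn[2751]: UDPv4 WRITE [42] to [AF_INET]xxx.xxx.xxx.xxx:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #3 ] [ ] pid=0 DATA len=0
"""

# Hypothetical server-side "Local Options String" with a different data-channel
# cipher; constructed only to show the comparison flagging a real mismatch.
MISMATCHED_SERVER_OPTIONS = (
    "V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,"
    "cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-server"
)

OPTIONS_RE = re.compile(r"(Local|Expected Remote) Options String: '([^']*)'")
WRITE_RESET_RE = re.compile(r"UDPv4 WRITE .* P_CONTROL_HARD_RESET_CLIENT_V2")
READ_RE = re.compile(r"UDPv4 READ ")
TLS_TIMEOUT_RE = re.compile(r"TLS key negotiation failed to occur within (\d+) seconds")

# Fields that are supposed to differ between the two ends of one tunnel:
# tls-auth key direction is complementary, and one side is client, one server.
ASYMMETRIC_KEYS = {"keydir", "tls-client", "tls-server"}


def parse_options(options: str) -> dict:
    """'dev-type tun,link-mtu 1542,comp-lzo' -> {'dev-type': 'tun', 'link-mtu': '1542', 'comp-lzo': ''}"""
    parsed = {}
    for token in options.split(","):
        key, _, value = token.strip().partition(" ")
        parsed[key] = value
    return parsed


def options_mismatch(local: str, remote: str) -> list:
    """Keys whose values differ between two options strings, ignoring the
    legitimately asymmetric ones. Meant for comparing the client's 'Local
    Options String' with the server's own 'Local Options String' taken from
    the server log; an empty list means the two configs are compatible."""
    a, b = parse_options(local), parse_options(remote)
    keys = (set(a) | set(b)) - ASYMMETRIC_KEYS
    return sorted(k for k in keys if a.get(k) != b.get(k))


def analyse(log_text: str) -> dict:
    """Summarise a client log into packet counts, option strings and a verdict."""
    writes = reads = 0
    timeout = None
    options = {}
    for line in log_text.splitlines():
        if WRITE_RESET_RE.search(line):
            writes += 1
        elif READ_RE.search(line):
            reads += 1
        m = TLS_TIMEOUT_RE.search(line)
        if m:
            timeout = int(m.group(1))
        m = OPTIONS_RE.search(line)
        if m:
            options[m.group(1)] = m.group(2)

    if timeout is None:
        verdict = "OK"
    elif writes == 0 and reads == 0:
        # Timed out but no packet trace at all: log verbosity is below 6.
        verdict = "TIMEOUT_NO_PACKET_TRACE"
    elif reads == 0:
        # Client kept sending its opening packet and never read a reply.
        # Either UDP/1194 never reaches the server (NAT rule, ACL, wrong
        # listening interface), the reply never comes back, or the server
        # silently discarded the packets because the tls-auth HMAC failed
        # (wrong static key or key-direction).
        verdict = "NO_SERVER_REPLY"
    else:
        # Packets flowed both ways but the handshake did not finish within the
        # timeout: look at MTU/fragmentation and the server-side log.
        verdict = "HANDSHAKE_STALLED"
    return {"hard_resets_sent": writes, "packets_read": reads,
            "tls_timeout": timeout, "options": options, "verdict": verdict}


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    print(result["verdict"], result["hard_resets_sent"], result["packets_read"])
    local = result["options"]["Local"]
    print("vs expected remote:", options_mismatch(local, result["options"]["Expected Remote"]))
    print("vs mismatched server:", options_mismatch(local, MISMATCHED_SERVER_OPTIONS))
```

On the log in the post this returns NO_SERVER_REPLY with three hard resets sent and nothing read, and no option mismatch, which is why the fix ended up on the network path (ASA rules and a keepalive) rather than in the certificates. Note that the client derives "Expected Remote Options String" from its own config, so those two lines can only disagree when the client config is internally inconsistent; the comparison that matters is against the server's own "Local Options String" from the server log.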

internee
OpenVpn Newbie
Posts: 2
Joined: Thu May 18, 2017 7:59 am

Re: Can't get setup to work - TLS handshake failed.

Post by internee » Tue May 23, 2017 8:07 am

Took a clean VDI for the 3rd time.
This time reworked the ASA again.

In the server and client directory settings I put

--ping 15 to force the package and this worked.

Topic can be locked.
