TLS Error : TLS key negotiation failed


Moderators: TinCanTech

sowmya
OpenVpn Newbie
Posts: 5
Joined: Wed Apr 19, 2017 4:13 am

TLS Error : TLS key negotiation failed

Post by sowmya » Wed Apr 19, 2017 4:57 am

Hello,

I am using an OpenVPN Linux server and Windows XP as the client. The firewall is disabled on both the client and the server. I don't understand why I am getting "TLS error: TLS handshake failed". I am using UDP port 1194 on both the server and the client. The TLS initial packet is sent from the server but the client could not respond to it. Could anyone please help me in resolving this problem? The TLS authentication key is a 2048-bit key and Diffie-Hellman is 1024 bit. I connected my server and client back to back (Ethernet interface) using a switch and there are no other intermediate interfaces. Please find the config and log files.

server Config

Code: Select all

port 1194
proto udp
dev tun
ca /etc/OpenVPN/openvpn-2.3.14/ca.crt
cert /etc/OpenVPN/openvpn-2.3.14/server.crt
key /etc/OpenVPN/openvpn-2.3.14/server.key  # This file should be kept secret
dh /etc/OpenVPN/openvpn-2.3.14/dh1024.pem
server 192.168.2.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
tls-auth /etc/OpenVPN/easy-rsa-old-master/easy-rsa/2.0/keys/ta.key 0
cipher AES-256-CFB
persist-key
persist-tun
status openvpn-status.log
verb 3

Client Config

Code: Select all

client
dev tun
proto udp
remote 192.168.2.66 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca  "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\ca.crt"
cert  "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\client1.crt"
key  "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\client1.key"
remote-cert-tls server
tls-auth "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\ta.key"  1
cipher AES-256-CFB
verb 3

Server Log

[root@localhost openvpn-2.3.14]# openvpn server.conf
Wed Apr 19 09:28:42 2017 OpenVPN 2.3.14 i686-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Apr 10 2017
Wed Apr 19 09:28:42 2017 library versions: OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008, LZO 2.09
Wed Apr 19 09:28:42 2017 Diffie-Hellman initialized with 1024 bit key
Wed Apr 19 09:28:42 2017 Control Channel Authentication: using '/etc/OpenVPN/easy-rsa-old-master/easy-rsa/2.0/keys/ta.key' as a OpenVPN static key file
Wed Apr 19 09:28:42 2017 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Apr 19 09:28:42 2017 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Apr 19 09:28:42 2017 Socket Buffers: R=[87380->87380] S=[16384->16384]
Wed Apr 19 09:28:42 2017 ROUTE_GATEWAY 192.168.2.27/255.255.255.0 IFACE=eth0 HWADDR=74:d4:35:e3:ff:5b
Wed Apr 19 09:28:42 2017 TUN/TAP device tun0 opened
Wed Apr 19 09:28:42 2017 TUN/TAP TX queue length set to 100
Wed Apr 19 09:28:42 2017 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Wed Apr 19 09:28:42 2017 /sbin/ifconfig tun0 192.168.2.1 pointopoint 192.168.2.2 mtu 1500
Wed Apr 19 09:28:42 2017 /sbin/route add -net 192.168.2.0 netmask 255.255.255.0 gw 192.168.2.2
Wed Apr 19 09:28:42 2017 Listening for incoming TCP connection on [undef]
Wed Apr 19 09:28:42 2017 TCPv4_SERVER link local (bound): [undef]
Wed Apr 19 09:28:42 2017 TCPv4_SERVER link remote: [undef]
Wed Apr 19 09:28:42 2017 MULTI: multi_init called, r=256 v=256
Wed Apr 19 09:28:42 2017 IFCONFIG POOL: base=192.168.2.4 size=62, ipv6=0
Wed Apr 19 09:28:42 2017 ifconfig_pool_read(), in='client1,192.168.2.4', TODO: IPv6
Wed Apr 19 09:28:42 2017 succeeded -> ifconfig_pool_set()
Wed Apr 19 09:28:42 2017 IFCONFIG POOL LIST
Wed Apr 19 09:28:42 2017 client1,192.168.2.4
Wed Apr 19 09:28:42 2017 MULTI: TCP INIT maxclients=1024 maxevents=1028
Wed Apr 19 09:28:42 2017 Initialization Sequence Completed
Wed Apr 19 09:29:12 2017 /sbin/route del -net 192.168.2.0 netmask 255.255.255.0
Wed Apr 19 09:29:12 2017 Closing TUN/TAP interface
Wed Apr 19 09:29:12 2017 /sbin/ifconfig tun0 0.0.0.0
Wed Apr 19 09:29:12 2017 SIGINT[hard,] received, process exiting
[root@localhost openvpn-2.3.14]#
[root@localhost openvpn-2.3.14]#
[root@localhost openvpn-2.3.14]# openvpn server.conf
Wed Apr 19 09:58:42 2017 OpenVPN 2.3.14 i686-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Apr 10 2017
Wed Apr 19 09:58:42 2017 library versions: OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008, LZO 2.09
Wed Apr 19 09:58:42 2017 Diffie-Hellman initialized with 1024 bit key
Wed Apr 19 09:58:42 2017 Control Channel Authentication: using '/etc/OpenVPN/easy-rsa-old-master/easy-rsa/2.0/keys/ta.key' as a OpenVPN static key file
Wed Apr 19 09:58:42 2017 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Apr 19 09:58:42 2017 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Apr 19 09:58:42 2017 Socket Buffers: R=[110592->110592] S=[110592->110592]
Wed Apr 19 09:58:42 2017 ROUTE_GATEWAY 192.168.2.27/255.255.255.0 IFACE=eth0 HWADDR=74:d4:35:e3:ff:5b
Wed Apr 19 09:58:42 2017 TUN/TAP device tun0 opened
Wed Apr 19 09:58:42 2017 TUN/TAP TX queue length set to 100
Wed Apr 19 09:58:42 2017 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Wed Apr 19 09:58:42 2017 /sbin/ifconfig tun0 192.168.2.1 pointopoint 192.168.2.2 mtu 1500
Wed Apr 19 09:58:42 2017 /sbin/route add -net 192.168.2.0 netmask 255.255.255.0 gw 192.168.2.2
Wed Apr 19 09:58:42 2017 UDPv4 link local (bound): [undef]
Wed Apr 19 09:58:42 2017 UDPv4 link remote: [undef]
Wed Apr 19 09:58:42 2017 MULTI: multi_init called, r=256 v=256
Wed Apr 19 09:58:42 2017 IFCONFIG POOL: base=192.168.2.4 size=62, ipv6=0
Wed Apr 19 09:58:42 2017 ifconfig_pool_read(), in='client1,192.168.2.4', TODO: IPv6
Wed Apr 19 09:58:42 2017 succeeded -> ifconfig_pool_set()
Wed Apr 19 09:58:42 2017 IFCONFIG POOL LIST
Wed Apr 19 09:58:42 2017 client1,192.168.2.4
Wed Apr 19 09:58:42 2017 Initialization Sequence Completed
Wed Apr 19 09:58:56 2017 192.168.2.27:1062 TLS: Initial packet from [AF_INET]192.168.2.27:1062, sid=8cf524e8 5e0c2e97
Wed Apr 19 09:59:56 2017 192.168.2.27:1062 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Apr 19 09:59:56 2017 192.168.2.27:1062 TLS Error: TLS handshake failed
Wed Apr 19 09:59:56 2017 192.168.2.27:1062 SIGUSR1[soft,tls-error] received, client-instance restarting
Wed Apr 19 09:59:59 2017 192.168.2.27:1065 TLS: Initial packet from [AF_INET]192.168.2.27:1065, sid=ef43d119 ab145c22
Wed Apr 19 10:00:59 2017 192.168.2.27:1065 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Apr 19 10:00:59 2017 192.168.2.27:1065 TLS Error: TLS handshake failed
Wed Apr 19 10:00:59 2017 192.168.2.27:1065 SIGUSR1[soft,tls-error] received, client-instance restarting
Wed Apr 19 10:01:02 2017 192.168.2.27:1070 TLS: Initial packet from [AF_INET]192.168.2.27:1070, sid=e36d1038 63e494ed
Wed Apr 19 10:02:02 2017 192.168.2.27:1070 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Apr 19 10:02:02 2017 192.168.2.27:1070 TLS Error: TLS handshake failed
Wed Apr 19 10:02:02 2017 192.168.2.27:1070 SIGUSR1[soft,tls-error] received, client-instance restarting
Wed Apr 19 10:02:05 2017 192.168.2.27:1073 TLS: Initial packet from [AF_INET]192.168.2.27:1073, sid=24a7e80e d71664b7
Wed Apr 19 10:03:05 2017 192.168.2.27:1073 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Apr 19 10:03:05 2017 192.168.2.27:1073 TLS Error: TLS handshake failed
Wed Apr 19 10:03:05 2017 192.168.2.27:1073 SIGUSR1[soft,tls-error] received, client-instance restarting
Wed Apr 19 10:03:07 2017 192.168.2.27:1076 TLS: Initial packet from [AF_INET]192.168.2.27:1076, sid=8acf37bc adbb9f35
Wed Apr 19 10:04:07 2017 192.168.2.27:1076 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Apr 19 10:04:07 2017 192.168.2.27:1076 TLS Error: TLS handshake failed
Wed Apr 19 10:04:07 2017 192.168.2.27:1076 SIGUSR1[soft,tls-error] received, client-instance restarting
Wed Apr 19 10:04:09 2017 192.168.2.27:1081 TLS: Initial packet from [AF_INET]192.168.2.27:1081, sid=2d82cfd4 a0c399a5
Wed Apr 19 10:05:09 2017 192.168.2.27:1081 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Apr 19 10:05:09 2017 192.168.2.27:1081 TLS Error: TLS handshake failed


client log
Tue Apr 18 10:46:54 2017 OpenVPN 2.3.14 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Feb 1 2017
Tue Apr 18 10:46:54 2017 Windows version 5.1 (Windows XP) 32bit
Tue Apr 18 10:46:54 2017 library versions: OpenSSL 1.0.2k 26 Jan 2017, LZO 2.09
Tue Apr 18 10:46:54 2017 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Tue Apr 18 10:46:54 2017 Need hold release from management interface, waiting...
Tue Apr 18 10:46:54 2017 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Tue Apr 18 10:46:54 2017 MANAGEMENT: CMD 'state on'
Tue Apr 18 10:46:54 2017 MANAGEMENT: CMD 'log all on'
Tue Apr 18 10:46:54 2017 MANAGEMENT: CMD 'hold off'
Tue Apr 18 10:46:54 2017 MANAGEMENT: CMD 'hold release'
Tue Apr 18 10:46:54 2017 Control Channel Authentication: using 'C:\Program Files\OpenVPN\easy-rsa\keys\ta.key' as a OpenVPN static key file
Tue Apr 18 10:46:54 2017 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Apr 18 10:46:54 2017 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Apr 18 10:46:54 2017 Socket Buffers: R=[8192->8192] S=[8192->8192]
Tue Apr 18 10:46:54 2017 UDPv4 link local: [undef]
Tue Apr 18 10:46:54 2017 UDPv4 link remote: [AF_INET]192.168.2.66:1194
Tue Apr 18 10:46:54 2017 MANAGEMENT: >STATE:1492492614,WAIT,,,
Tue Apr 18 10:49:23 2017 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Apr 18 10:49:23 2017 TLS Error: TLS handshake failed
Tue Apr 18 10:49:23 2017 SIGUSR1[soft,tls-error] received, process restarting
Tue Apr 18 10:49:23 2017 MANAGEMENT: >STATE:1492492763,RECONNECTING,tls-error,,
Tue Apr 18 10:49:23 2017 Restart pause, 2 second(s)
Tue Apr 18 10:49:25 2017 Socket Buffers: R=[8192->8192] S=[8192->8192]
Tue Apr 18 10:49:25 2017 UDPv4 link local: [undef]
Tue Apr 18 10:49:25 2017 UDPv4 link remote: [AF_INET]192.168.2.66:1194
Tue Apr 18 10:49:25 2017 MANAGEMENT: >STATE:1492492765,WAIT,,,

Please help me in solving this.... :|

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: TLS Error : TLS key negotiation failed

Post by TinCanTech » Wed Apr 19, 2017 8:03 am

sowmya wrote: server 192.168.2.0 255.255.255.0
Per the HOWTO:

Code: Select all

server 10.8.0.0 255.255.255.0
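
The reply above points at the `server` line: in the posted configs the tunnel network (`server 192.168.2.0 255.255.255.0`) is the same /24 that carries the UDP transport (`remote 192.168.2.66`, peer 192.168.2.27 in the server log), and the server log shows a route for that whole /24 being added via the tunnel gateway. The following check for that overlap is an added example, not part of the thread or of OpenVPN; the function names are hypothetical and the sample input is constructed from the lines posted above.

```python
import ipaddress
import re

# Constructed sample input: the relevant lines from the configs and server log posted above.
SERVER_CONF = """dev tun
server 192.168.2.0 255.255.255.0
"""
CLIENT_CONF = """client
remote 192.168.2.66 1194
"""
SERVER_LOG = """Wed Apr 19 09:58:56 2017 192.168.2.27:1062 TLS: Initial packet from [AF_INET]192.168.2.27:1062, sid=8cf524e8 5e0c2e97
"""

def directive(conf, name):
    """Arguments of the first `name` directive, ignoring '#' and ';' comments."""
    for line in conf.splitlines():
        parts = re.split(r"[#;]", line, maxsplit=1)[0].split()
        if parts and parts[0] == name:
            return parts[1:]
    return []

def tunnel_subnet(server_conf):
    """Network handed out by the `server <network> <netmask>` directive, or None."""
    args = directive(server_conf, "server")
    return ipaddress.ip_network("/".join(args[:2]), strict=False) if len(args) >= 2 else None

def transport_addresses(client_conf, server_log):
    """Addresses the UDP transport itself uses: client `remote` and peers seen in the log."""
    found = [("client remote", a) for a in directive(client_conf, "remote")[:1]]
    for peer in re.findall(r"Initial packet from \[AF_INET\]([\d.]+):\d+", server_log):
        found.append(("peer in server log", peer))
    return found

def overlap_findings(server_conf, client_conf, server_log=""):
    """Report every transport address that lies inside the tunnel subnet."""
    net = tunnel_subnet(server_conf)
    findings = []
    for role, addr in transport_addresses(client_conf, server_log):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue  # `remote` given as a hostname; nothing to compare offline
        if net is not None and ip in net:
            findings.append(f"{role} {ip} is inside tunnel subnet {net}")
    return findings

if __name__ == "__main__":
    for finding in overlap_findings(SERVER_CONF, CLIENT_CONF, SERVER_LOG):
        print("WARNING:", finding)
```

With the HOWTO's `server 10.8.0.0 255.255.255.0` in place of the posted line, the same check returns no findings.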

sowmya
OpenVpn Newbie
Posts: 5
Joined: Wed Apr 19, 2017 4:13 am

Re: TLS Error : TLS key negotiation failed

Post by sowmya » Fri Apr 21, 2017 5:48 am

My Linux PC is the server. Do I need to configure my server IP as 10.8.0.0? Why can't I configure it as 192.168.2.0? Is this the only problem in my configuration?

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: TLS Error : TLS key negotiation failed

Post by TinCanTech » Sat Apr 22, 2017 1:09 am

sowmya wrote: Why can't I configure it as 192.168.2.0?
Because .. !
sowmya wrote: Is this the only problem in my configuration?
No !

sowmya
OpenVpn Newbie
Posts: 5
Joined: Wed Apr 19, 2017 4:13 am

Re: TLS Error : TLS key negotiation failed

Post by sowmya » Mon Apr 24, 2017 6:20 am

Even if I configure my server IP as 10.8.0.0, my problem is not resolved. I don't find any mistakes in my configuration. Could you please help me resolve this issue?

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: TLS Error : TLS key negotiation failed

Post by TinCanTech » Mon Apr 24, 2017 11:57 am

Please post your new configs and logs.

sowmya
OpenVpn Newbie
Posts: 5
Joined: Wed Apr 19, 2017 4:13 am

Re: TLS Error : TLS key negotiation failed

Post by sowmya » Thu Apr 27, 2017 5:49 am

This problem got resolved, thank you for your response... :)

But I have another problem, could you please help me?

I am using an OpenVPN Linux CentOS server and client. My server and client have a peer-to-peer connection directly, without any intermediate device. A TAP interface is created between my server and client and UDP port 1194 is used. I am using AES-256-CBC. I don't understand how to exchange data between my server and client. How do I know whether the data is encrypted or not? I am able to establish a connection between my server and client, confirmed by the message "Initialization sequence completed" on my server and client.

But I don't understand how to send data through the data channel between server and client, how to encrypt this data, and how to know whether it is encrypted or not. Could anyone please help me understand these concepts?

sowmya
OpenVpn Newbie
Posts: 5
Joined: Wed Apr 19, 2017 4:13 am

Porting OpenVPN to LWIP Stack

Post by sowmya » Wed May 17, 2017 9:15 am

Hi,

I want to port OpenVPN to the lwIP stack. I don't know whether this question makes any sense or not. Can anyone tell me whether I can port OpenVPN to the lwIP stack? Will the lwIP stack support creation of a TUN/TAP interface, or do I need to look for some other alternative?


Thanks in advance and please help me....

natv
OpenVpn Newbie
Posts: 1
Joined: Mon Jun 05, 2017 4:36 pm

Re: TLS Error : TLS key negotiation failed

Post by natv » Mon Jun 05, 2017 4:38 pm

>> This problem got resolved thank you for your response...


sowmya, what was the solution? Please update this thread.

I don't know about your second question, but maybe someone else can help with that. Please post how you resolved the first error for those finding this post when searching for the same error.

Thanks

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: TLS Error : TLS key negotiation failed

Post by TinCanTech » Mon Jun 05, 2017 5:35 pm

natv wrote: what was the solution? Please update this thread.
There is no solution .. if you need help please see this.

sputnik87
OpenVpn Newbie
Posts: 1
Joined: Thu Aug 03, 2017 5:32 pm

Re: TLS Error : TLS key negotiation failed

Post by sputnik87 » Thu Aug 03, 2017 5:34 pm

TinCanTech wrote:
sowmya wrote: Why can't I configure it as 192.168.2.0?
Because .. !
sowmya wrote: Is this the only problem in my configuration?
No !
TinCanTech - Your responses are not useful to anyone. Please be more descriptive, or don't respond at all. Or commit suicide. Regardless of which option you choose, any of them would be more beneficial to society than what you had originally provided.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: TLS Error : TLS key negotiation failed

Post by TinCanTech » Thu Aug 03, 2017 5:49 pm

I have helped with thousands of problems here on this forum.

When people deliberately try to break openvpn they have to live with the consequences.
