OpenSolaris authentication issues


Post by oshman » Sun Jan 03, 2010 7:04 am

I have installed OpenVPN based on the following guide:

http://blogs.reucon.com/srt/2008/12/17/ ... 08_11.html

Everything is set up correctly with the tun0 interface. I used the 2.1.1 source to build:

root@opensolaris:~# ifconfig tun0
tun0: flags=10008d0<POINTOPOINT,RUNNING,NOARP,MULTICAST,IPv4> mtu 1500 index 3
inet 0.0.0.0 --> 0.0.0.0 netmask 0
ether 2:0:0:0:0:0

root@opensolaris:/usr/local/src/openvpn-2.1.1# /usr/local/sbin/openvpn --version
OpenVPN 2.1.1 i386-pc-solaris2.11 [SSL] [LZO2] built on Jan 2 2010
Originally developed by James Yonan
Copyright (C) 2002-2009 OpenVPN Technologies, Inc. <sales@openvpn.net>

Authentication keeps failing with:

Jan 2 23:03:08 opensolaris openvpn[27952]: [ID 583609 daemon.notice] [vpn.mycompany.com] Peer Connection Initiated with xxx.xxx.xxx.xxx:1194
Jan 2 23:03:10 opensolaris openvpn[27952]: [ID 583609 daemon.notice] SENT CONTROL [vpn.mycompany.com]: 'PUSH_REQUEST' (status=1)
Jan 2 23:03:10 opensolaris openvpn[27952]: [ID 583609 daemon.notice] AUTH: Received AUTH_FAILED control message
Jan 2 23:03:10 opensolaris openvpn[27952]: [ID 583609 daemon.notice] TCP/UDP: Closing socket
Jan 2 23:03:10 opensolaris openvpn[27952]: [ID 583609 daemon.notice] SIGTERM[soft,auth-failure] received, process exiting

I am using a configuration file supplied by my company and it works fine with Win7/Linux. The Linux version I use successfully:

OpenVPN 2.1_rc18 x86_64-suse-linux [SSL] [LZO2] [EPOLL] [PKCS11] built on Oct 24 2009
Developed by James Yonan
Copyright (C) 2002-2009 OpenVPN Technologies, Inc. <sales@openvpn.net>

I have tried building 2.1_rc18 and get the same results. It seems that my OpenSolaris build lacks "[EPOLL] [PKCS11] " support. I've tried building with PKCS11 support but it doesn't seem to take. EPOLL shouldn't matter on Solaris and PKCS11 is included by default looking at the configure.ac file (I think).

When I start the daemon I get the same password prompt:

root@opensolaris:/usr/local/src/# /usr/local/sbin/openvpn --daemon --writepid /tmp/openvpn.pid --config /etc/openvpn/mycompany-vpn.conf --cd /etc/openvpn/
Enter Auth Username:username
Enter Auth Password:

I input the same password and it always fails with the above error. Is my problem server or client side here?

Any help is appreciated. Thx in advance!


Post by krzee » Tue Jan 05, 2010 3:16 am

Please also post the server log of the client trying to connect; maybe it will tell us something useful.


Post by oshman » Wed Jan 06, 2010 6:11 am

Here is everything from when a session is initiated with verb 9:

Jan  5 23:33:25 opensolaris openvpn[771]: [ID 583609 daemon.notice] OpenVPN 2.1.1 i386-pc-solaris2.11 [SSL] [LZO2] built on Jan  2 2010
Jan  5 23:33:32 opensolaris openvpn[771]: [ID 583609 daemon.warning] NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Jan  5 23:33:32 opensolaris openvpn[771]: [ID 583609 daemon.notice] Control Channel Authentication: using '/etc/openvpn/mycompany.com-keys/ta.key' as a OpenVPN static key file
Jan  5 23:33:32 opensolaris openvpn[771]: [ID 583609 daemon.notice] Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Jan  5 23:33:32 opensolaris openvpn[771]: [ID 583609 daemon.notice] Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Jan  5 23:33:32 opensolaris openvpn[771]: [ID 583609 daemon.notice] LZO compression initialized
Jan  5 23:33:32 opensolaris openvpn[771]: [ID 583609 daemon.notice] Control Channel MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
Jan  5 23:33:32 opensolaris openvpn[771]: [ID 583609 daemon.notice] Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Jan  5 23:33:32 opensolaris openvpn[771]: [ID 583609 daemon.notice] Local Options hash (VER=V4): '53f7fc82'
Jan  5 23:33:32 opensolaris openvpn[771]: [ID 583609 daemon.notice] Expected Remote Options hash (VER=V4): 'b5edb94e'
Jan  5 23:33:32 opensolaris openvpn[772]: [ID 583609 daemon.notice] NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Jan  5 23:33:32 opensolaris openvpn[772]: [ID 583609 daemon.notice] Socket Buffers: R=[57344->65536] S=[57344->65536]
Jan  5 23:33:32 opensolaris openvpn[772]: [ID 583609 daemon.notice] UDPv4 link local: [undef]
Jan  5 23:33:32 opensolaris openvpn[772]: [ID 583609 daemon.notice] UDPv4 link remote: xxx.xxx.xxx.xxx:1194
Jan  5 23:33:32 opensolaris openvpn[772]: [ID 583609 daemon.notice] TLS: Initial packet from xxx.xxx.xxx.xxx:1194, sid=06c869aa 43837031
Jan  5 23:33:32 opensolaris openvpn[772]: [ID 583609 daemon.warning] WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Jan  5 23:33:33 opensolaris openvpn[772]: [ID 583609 daemon.notice] VERIFY OK: depth=1, /C=EN/ST=USA/L=HOUSTON/O=mycompany.com_Server/CN=ca.vpn.mycompany.com/emailAddress=helpdesk@mycompany.com
Jan  5 23:33:33 opensolaris openvpn[772]: [ID 583609 daemon.notice] VERIFY OK: nsCertType=SERVER
Jan  5 23:33:33 opensolaris openvpn[772]: [ID 583609 daemon.notice] VERIFY OK: depth=0, /C=EN/ST=USA/O=mycompany.com_Server/CN=vpn.mycompany.com/emailAddress=helpdesk@mycompany.com
Jan  5 23:33:34 opensolaris openvpn[772]: [ID 583609 daemon.notice] Data Channel Encrypt: Cipher 'DES-EDE3-CBC' initialized with 192 bit key
Jan  5 23:33:34 opensolaris openvpn[772]: [ID 583609 daemon.notice] Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jan  5 23:33:34 opensolaris openvpn[772]: [ID 583609 daemon.notice] Data Channel Decrypt: Cipher 'DES-EDE3-CBC' initialized with 192 bit key
Jan  5 23:33:34 opensolaris openvpn[772]: [ID 583609 daemon.notice] Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jan  5 23:33:34 opensolaris openvpn[772]: [ID 583609 daemon.notice] Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Jan  5 23:33:34 opensolaris openvpn[772]: [ID 583609 daemon.notice] [vpn.mycompany.com] Peer Connection Initiated with xxx.xxx.xxx.xxx:1194
Jan  5 23:33:37 opensolaris openvpn[772]: [ID 583609 daemon.notice] SENT CONTROL [vpn.mycompany.com]: 'PUSH_REQUEST' (status=1)
Jan  5 23:33:37 opensolaris openvpn[772]: [ID 583609 daemon.notice] AUTH: Received AUTH_FAILED control message
Jan  5 23:33:37 opensolaris openvpn[772]: [ID 583609 daemon.notice] TCP/UDP: Closing socket
Jan  5 23:33:37 opensolaris openvpn[772]: [ID 583609 daemon.notice] SIGTERM[soft,auth-failure] received, process exiting

I'll have to ask our helpdesk for server logs, but do you really think it could be server side? I'm using the same exact config/keys. The only differences are that on Linux I used an init script and pre-compiled binaries.

On OSOL, I compiled openvpn with following:

./configure --with-lzo-lib=/usr/local/lib

And start with:

/usr/local/sbin/openvpn --daemon --writepid /tmp/openvpn.pid --cd /etc/openvpn/ --config /etc/openvpn/mycompany.com.conf

Thx for anyone's help


Post by oshman » Wed Jan 06, 2010 6:29 am

Here are the client logs at verb 9

Jan  5 23:33:25 opensolaris openvpn[771]: [ID 583609 daemon.notice] OpenVPN 2.1.1 i386-pc-solaris2.11 [SSL] [LZO2] built on Jan  2 2010
Jan  5 23:33:32 opensolaris openvpn[771]: [ID 583609 daemon.warning] NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Jan  5 23:33:32 opensolaris openvpn[771]: [ID 583609 daemon.notice] Control Channel Authentication: using '/etc/openvpn/mycompany.com-keys/ta.key' as a OpenVPN static key file
Jan  5 23:33:32 opensolaris openvpn[771]: [ID 583609 daemon.notice] Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Jan  5 23:33:32 opensolaris openvpn[771]: [ID 583609 daemon.notice] Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Jan  5 23:33:32 opensolaris openvpn[771]: [ID 583609 daemon.notice] LZO compression initialized
Jan  5 23:33:32 opensolaris openvpn[771]: [ID 583609 daemon.notice] Control Channel MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
Jan  5 23:33:32 opensolaris openvpn[771]: [ID 583609 daemon.notice] Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Jan  5 23:33:32 opensolaris openvpn[771]: [ID 583609 daemon.notice] Local Options hash (VER=V4): '53f7fc82'
Jan  5 23:33:32 opensolaris openvpn[771]: [ID 583609 daemon.notice] Expected Remote Options hash (VER=V4): 'b5edb94e'
Jan  5 23:33:32 opensolaris openvpn[772]: [ID 583609 daemon.notice] NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Jan  5 23:33:32 opensolaris openvpn[772]: [ID 583609 daemon.notice] Socket Buffers: R=[57344->65536] S=[57344->65536]
Jan  5 23:33:32 opensolaris openvpn[772]: [ID 583609 daemon.notice] UDPv4 link local: [undef]
Jan  5 23:33:32 opensolaris openvpn[772]: [ID 583609 daemon.notice] UDPv4 link remote: xxx.xxx.xxx.xxx:1194
Jan  5 23:33:32 opensolaris openvpn[772]: [ID 583609 daemon.notice] TLS: Initial packet from xxx.xxx.xxx.xxx:1194, sid=06c869aa 43837031
Jan  5 23:33:32 opensolaris openvpn[772]: [ID 583609 daemon.warning] WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Jan  5 23:33:33 opensolaris openvpn[772]: [ID 583609 daemon.notice] VERIFY OK: depth=1, /C=EN/ST=USA/L=HOUSTON/O=mycompany.com_Server/CN=ca.vpn.mycompany.com/emailAddress=helpdesk@mycompany.com
Jan  5 23:33:33 opensolaris openvpn[772]: [ID 583609 daemon.notice] VERIFY OK: nsCertType=SERVER
Jan  5 23:33:33 opensolaris openvpn[772]: [ID 583609 daemon.notice] VERIFY OK: depth=0, /C=EN/ST=USA/O=mycompany.com_Server/CN=vpn.mycompany.com/emailAddress=helpdesk@mycompany.com
Jan  5 23:33:34 opensolaris openvpn[772]: [ID 583609 daemon.notice] Data Channel Encrypt: Cipher 'DES-EDE3-CBC' initialized with 192 bit key
Jan  5 23:33:34 opensolaris openvpn[772]: [ID 583609 daemon.notice] Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jan  5 23:33:34 opensolaris openvpn[772]: [ID 583609 daemon.notice] Data Channel Decrypt: Cipher 'DES-EDE3-CBC' initialized with 192 bit key
Jan  5 23:33:34 opensolaris openvpn[772]: [ID 583609 daemon.notice] Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jan  5 23:33:34 opensolaris openvpn[772]: [ID 583609 daemon.notice] Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Jan  5 23:33:34 opensolaris openvpn[772]: [ID 583609 daemon.notice] [vpn.mycompany.com] Peer Connection Initiated with xxx.xxx.xxx.xxx:1194
Jan  5 23:33:37 opensolaris openvpn[772]: [ID 583609 daemon.notice] SENT CONTROL [vpn.mycompany.com]: 'PUSH_REQUEST' (status=1)
Jan  5 23:33:37 opensolaris openvpn[772]: [ID 583609 daemon.notice] AUTH: Received AUTH_FAILED control message
Jan  5 23:33:37 opensolaris openvpn[772]: [ID 583609 daemon.notice] TCP/UDP: Closing socket
Jan  5 23:33:37 opensolaris openvpn[772]: [ID 583609 daemon.notice] SIGTERM[soft,auth-failure] received, process exiting

Again, the config/keys work on Linux and the only difference there is that I use pre-compiled binaries and an init script.


Post by ecrist » Wed Jan 06, 2010 3:41 pm

The most helpful messages are going to be present in the server log files, unfortunately. Your client is simply getting the AUTH_FAIL control message. The reason for the AUTH_FAIL is going to be apparent in the server logs.
OpenVPN Community Administrator
IRC: #openvpn, #openvpn-devel Twitter: @ecrist
Co-Author of Mastering OpenVPN
Author of Troubleshooting OpenVPN
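
An added example, not part of the thread and not OpenVPN project code: a small triage script for client logs in the Solaris syslog format posted above. It shows how far the session got before AUTH_FAILED (which is why the reason has to come from the server log) and surfaces the security-relevant parameters the log reports. The function name `triage`, the stage names and the thresholds are assumptions made for this illustration.

```python
import re

# Constructed sample: lines abridged from the client log format posted in this thread.
SAMPLE_LOG = """\
Jan  5 23:33:32 opensolaris openvpn[772]: [ID 583609 daemon.warning] WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Jan  5 23:33:33 opensolaris openvpn[772]: [ID 583609 daemon.notice] VERIFY OK: depth=0, /C=EN/ST=USA/O=mycompany.com_Server/CN=vpn.mycompany.com
Jan  5 23:33:34 opensolaris openvpn[772]: [ID 583609 daemon.notice] Data Channel Encrypt: Cipher 'DES-EDE3-CBC' initialized with 192 bit key
Jan  5 23:33:34 opensolaris openvpn[772]: [ID 583609 daemon.notice] Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Jan  5 23:33:34 opensolaris openvpn[772]: [ID 583609 daemon.notice] [vpn.mycompany.com] Peer Connection Initiated with xxx.xxx.xxx.xxx:1194
Jan  5 23:33:37 opensolaris openvpn[772]: [ID 583609 daemon.notice] AUTH: Received AUTH_FAILED control message
"""

# Solaris syslog prefix: "<date> <host> openvpn[pid]: [ID n facility.level] <message>"
LINE_RE = re.compile(r"openvpn\[(\d+)\]: \[ID \d+ \w+\.(\w+)\] (.*)$")

# Ordered milestones of a client session (names are hypothetical labels).
STAGES = [
    ("tls_cert_verified", re.compile(r"^VERIFY OK: depth=0")),
    ("tls_established", re.compile(r"Peer Connection Initiated")),
    ("auth_rejected_by_server", re.compile(r"Received AUTH_FAILED")),
]

def triage(log_text):
    reached, findings = [], []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        _pid, level, msg = m.groups()
        for name, pat in STAGES:
            if pat.search(msg) and name not in reached:
                reached.append(name)
        if level == "warning":
            findings.append(msg)
        rsa = re.search(r"(\d+) bit RSA", msg)
        if rsa and int(rsa.group(1)) < 2048:
            findings.append(f"weak control-channel key: {rsa.group(1)} bit RSA")
        cipher = re.search(r"Cipher '([^']+)'", msg)
        if cipher and cipher.group(1).startswith("DES"):
            findings.append(f"legacy data-channel cipher: {cipher.group(1)}")
    # AUTH_FAILED after a completed TLS handshake: certificates and the TLS layer
    # were accepted, so the rejection was decided by the server's auth check.
    decided_by_server = reached == [name for name, _ in STAGES]
    return {"stages": reached, "server_side_auth_decision": decided_by_server, "findings": findings}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```
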
