I have an OpenVPN server (OpenVPN 2.1.4 x86_64-redhat-linux-gnu [SSL] [LZO2] [EPOLL] built on Dec 2 2010) on CentOS 5.5. This server acts as a router with multiple external and internal interfaces (VLANs).
The problem occurs when a client tries to connect to this OpenVPN server's IP address over an asymmetric route, for example:
Route TO server FROM client:
CLIENT - CLIENTS-ISP - ISP1 - ISP2 - SERVER
Route FROM server TO client:
SERVER - ISP3 - ISP1 - CLIENTS-ISP - CLIENT
The client is Tunnelblick 3.1.6 (build 2190.2392) on Mac OS X 10.6 (I haven't tested with Windows or Linux, though).
Server's config:
port 1194
proto udp
dev tun
ca keys/ca.crt
cert keys/intranet.crt
key keys/intranet.key
dh keys/dh1024.pem
server 10.8.21.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 10.1.1.0 255.255.255.0"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DOMAIN domain.com"
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
Client's config:
client
dev tun
proto udp
remote SERVER_IP 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
comp-lzo
verb 3
Server's log:
Mar 15 11:02:59 gw01 openvpn[13759]: CLIENT_IP:53549 Re-using SSL/TLS context
Mar 15 11:02:59 gw01 openvpn[13759]: CLIENT_IP:53549 LZO compression initialized
Mar 15 11:02:59 gw01 openvpn[13759]: CLIENT_IP:53549 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Mar 15 11:02:59 gw01 openvpn[13759]: CLIENT_IP:53549 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Mar 15 11:02:59 gw01 openvpn[13759]: CLIENT_IP:53549 Local Options hash (VER=V4): '530fdded'
Mar 15 11:02:59 gw01 openvpn[13759]: CLIENT_IP:53549 Expected Remote Options hash (VER=V4): '41690919'
Mar 15 11:02:59 gw01 openvpn[13759]: CLIENT_IP:53549 TLS: Initial packet from CLIENT_IP:53549, sid=f57438df d995c11e
Mar 15 11:03:59 gw01 openvpn[13759]: CLIENT_IP:53549 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mar 15 11:03:59 gw01 openvpn[13759]: CLIENT_IP:53549 TLS Error: TLS handshake failed
Mar 15 11:03:59 gw01 openvpn[13759]: CLIENT_IP:53549 SIGUSR1[soft,tls-error] received, client-instance restarting
Any help with the issue will be MUCH appreciated; thank you in advance.
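The log pattern above (the server sees the client's initial packet, but the TLS negotiation never completes) is what a multi-homed UDP server produces when its reply leaves with a different source address than the one the client sent to: an OpenVPN UDP client that is not running with --float discards datagrams from any other source, and OpenVPN's --multihome option exists precisely to make the server answer from the address a packet arrived on. The Python example below is added here and is not from the original post; it reproduces both behaviours with two loopback addresses (127.0.0.1 and 127.0.0.2, constructed stand-ins for the two uplinks) and the payload strings are labels only, not real OpenVPN packets.

```python
import socket

# Constructed stand-ins for the two uplinks of a multi-homed server (loopback aliases).
SERVER_ADVERTISED = ("127.0.0.1", 0)  # the address in the client's "remote" line
SERVER_OTHER = ("127.0.0.2", 0)       # the other uplink the return route may choose


def handshake(reply_from_receiving_address: bool, timeout: float = 0.5) -> bool:
    """Simulate the first UDP exchange and report whether the client saw the reply.

    reply_from_receiving_address=False models a multi-homed server without
    --multihome: the kernel routes the reply out another uplink, so it carries a
    different source address. True models --multihome (or a server bound to one
    address with --local): the reply leaves from the address the request hit.
    """
    srv_adv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv_adv.bind(SERVER_ADVERTISED)
    srv_adv.settimeout(timeout)
    srv_other = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv_other.bind(SERVER_OTHER)
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client.settimeout(timeout)
    try:
        # Like an OpenVPN client without --float: a connected UDP socket, so the
        # kernel silently drops datagrams whose source is not exactly the peer.
        client.connect(srv_adv.getsockname())
        client.send(b"CLIENT_HARD_RESET")  # stands in for the TLS initial packet

        data, peer = srv_adv.recvfrom(1500)  # server receives it on the advertised uplink
        reply_sock = srv_adv if reply_from_receiving_address else srv_other
        reply_sock.sendto(b"SERVER_HARD_RESET", peer)

        try:
            client.recv(1500)
            return True          # handshake can proceed
        except socket.timeout:
            return False         # mirrors "TLS key negotiation failed to occur"
    finally:
        for s in (srv_adv, srv_other, client):
            s.close()


if __name__ == "__main__":
    print("symmetric reply received:", handshake(True))
    print("asymmetric reply received:", handshake(False))
```

On a real server, compare the source address of outgoing replies (tcpdump on each uplink) with the address the client connects to; a mismatch is the condition this example reproduces.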