pfsense as client, linux as server

jjandrob
OpenVpn Newbie
Posts: 5
Joined: Sat Nov 19, 2011 7:24 pm

pfsense as client, linux as server

Post by jjandrob » Sun Jan 15, 2012 7:46 pm

Hey all,

I currently have my Windows 7 machine talking to my Linux OpenVPN server and everything is working as expected.

I'm attempting to move this configuration to the pfSense server, which will allow me to turn off my workstation when not in use.

The pfSense client will not connect. The logs on the pfSense server are showing the following:
TLS Error: cannot locate HMAC in incoming packet from [AF_INET]97.X.X.227:1194

The server is showing:
TLS Error: reading acknowledgement record from packet

Any suggestions on how I can fix this?


*server config*


management localhost 7505
client-config-dir /etc/openvpn
#route 10.1.1.0 255.255.255.0
route 192.168.1.0 255.255.255.0
local 97.X.X.227
port 1194
proto udp
dev tap0
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh1024.pem
#server 10.1.1.0 255.255.255.0
#server-bridge 10.0.1.25 255.255.255.0 10.0.1.26 10.0.1.27
server-bridge 192.168.1.1 255.255.255.0 192.168.1.2 192.168.1.3
ifconfig-pool-persist ipp.txt
client-to-client
duplicate-cn
keepalive 60 120
comp-lzo
max-clients 51
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log         openvpn.log
log-append  openvpn.log
#verb 4
verb 6
tls-server

*pfsense config*


server mode = Peer to peer (ssl/tls)
protocol = UDP
device mode = tap
interface = wan
server host = 97.XX.XX.227
server port = 1194
Enable authentication of tls packets = checked
advanced section = verb 6;tun-mtu 1532;fragment 1300;keysize 128;redirect-gateway def1;persist-key;
*pfsense server log*


Jan 15 19:32:40	openvpn[37125]: push_ifconfig_ipv6_defined = DISABLED
Jan 15 19:32:40	openvpn[37125]: push_ifconfig_ipv6_local = ::/0
Jan 15 19:32:40	openvpn[37125]: push_ifconfig_ipv6_remote = ::
Jan 15 19:32:40	openvpn[37125]: enable_c2c = DISABLED
Jan 15 19:32:40	openvpn[37125]: duplicate_cn = DISABLED
Jan 15 19:32:40	openvpn[37125]: cf_max = 0
Jan 15 19:32:40	openvpn[37125]: cf_per = 0
Jan 15 19:32:40	openvpn[37125]: max_clients = 1024
Jan 15 19:32:40	openvpn[37125]: max_routes_per_client = 256
Jan 15 19:32:40	openvpn[37125]: auth_user_pass_verify_script = '[UNDEF]'
Jan 15 19:32:40	openvpn[37125]: auth_user_pass_verify_script_via_file = DISABLED
Jan 15 19:32:40	openvpn[37125]: ssl_flags = 0
Jan 15 19:32:40	openvpn[37125]: port_share_host = '[UNDEF]'
Jan 15 19:32:40	openvpn[37125]: port_share_port = 0
Jan 15 19:32:40	openvpn[37125]: client = ENABLED
Jan 15 19:32:40	openvpn[37125]: pull = ENABLED
Jan 15 19:32:40	openvpn[37125]: auth_user_pass_file = '[UNDEF]'
Jan 15 19:32:40	openvpn[37125]: OpenVPN 2.2.0 amd64-portbld-freebsd8.1 [SSL] [LZO2] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Aug 11 2011
Jan 15 19:32:40	openvpn[37125]: MANAGEMENT: unix domain socket listening on /var/etc/openvpn/client1.sock
Jan 15 19:32:40	openvpn[37125]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Jan 15 19:32:40	openvpn[37125]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jan 15 19:32:40	openvpn[37125]: Control Channel Authentication: using '/var/etc/openvpn/client1.tls-auth' as a OpenVPN static key file
Jan 15 19:32:40	openvpn[37125]: Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Jan 15 19:32:40	openvpn[37125]: Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Jan 15 19:32:40	openvpn[37125]: WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1532)
Jan 15 19:32:40	openvpn[37125]: Control Channel MTU parms [ L:1609 D:166 EF:66 EB:0 ET:0 EL:0 ]
Jan 15 19:32:40	openvpn[37125]: Socket Buffers: R=[42080->65536] S=[57344->65536]
Jan 15 19:32:40	openvpn[37125]: Data Channel MTU parms [ L:1609 D:1450 EF:45 EB:4 ET:32 EL:0 ]
Jan 15 19:32:40	openvpn[37125]: Fragmentation MTU parms [ L:1609 D:1300 EF:45 EB:4 ET:32 EL:0 ]
Jan 15 19:32:40	openvpn[37125]: Local Options String: 'V4,dev-type tap,link-mtu 1609,tun-mtu 1564,proto UDPv4,mtu-dynamic,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Jan 15 19:32:40	openvpn[37125]: Expected Remote Options String: 'V4,dev-type tap,link-mtu 1609,tun-mtu 1564,proto UDPv4,mtu-dynamic,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Jan 15 19:32:40	openvpn[37125]: Local Options hash (VER=V4): '7dd889ee'
Jan 15 19:32:40	openvpn[37125]: Expected Remote Options hash (VER=V4): '4a37497a'
Jan 15 19:32:40	openvpn[37405]: UDPv4 link local (bound): [AF_INET]174.55.165.175
Jan 15 19:32:40	openvpn[37405]: UDPv4 link remote: [AF_INET]97.XX.XX.227:1194
Jan 15 19:32:40	openvpn[37405]: UDPv4 WRITE [42] to [AF_INET]97.XX.XX.227:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #1 ] [ ] pid=0 DATA len=0
Jan 15 19:32:40	openvpn[37405]: UDPv4 READ [14] from [AF_INET]97.XX.XX.227:1194: P_CONTROL_HARD_RESET_SERVER_V2 kid=0
Jan 15 19:32:40	openvpn[37405]: TLS: Initial packet from [AF_INET]97.XX.XX.227:1194, sid=f7281a91 08763866
Jan 15 19:32:40	openvpn[37405]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]97.XX.XX.227:1194
Jan 15 19:32:42	openvpn[37405]: UDPv4 READ [14] from [AF_INET]97.XX.XX.227:1194: P_CONTROL_HARD_RESET_SERVER_V2 kid=0
Jan 15 19:32:42	openvpn[37405]: TLS: Initial packet from [AF_INET]97.XX.XX.227:1194, sid=f7281a91 08763866
Jan 15 19:32:42	openvpn[37405]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]97.XX.XX.227:1194
Jan 15 19:32:42	openvpn[37405]: UDPv4 WRITE [42] to [AF_INET]97.XX.XX.227:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #2 ] [ ] pid=0 DATA len=0
Jan 15 19:32:46	openvpn[37405]: UDPv4 READ [14] from [AF_INET]97.XX.XX.227:1194: P_CONTROL_HARD_RESET_SERVER_V2 kid=0
Jan 15 19:32:46	openvpn[37405]: TLS: Initial packet from [AF_INET]97.XX.XX.227:1194, sid=f7281a91 08763866
Jan 15 19:32:46	openvpn[37405]: TLS Error: cannot locate HMAC in incoming packet from [AF_INET]97.XX.XX.227:1194
Jan 15 19:32:46	openvpn[37405]: UDPv4 WRITE [42] to [AF_INET]97.XX.XX.227:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #3 ] [ ] pid=0 DATA len=0
Jan 15 19:32:53	openvpn[37405]: event_wait : Interrupted system call (code=4)
Jan 15 19:32:53	openvpn[37405]: TCP/UDP: Closing socket
Jan 15 19:32:53	openvpn[37405]: SIGTERM[hard,] received, process exiting

*server log*


Sun Jan 15 14:32:40 2012 us=634258 MULTI: multi_create_instance called
Sun Jan 15 14:32:40 2012 us=634413 174.55.165.175:22254 Re-using SSL/TLS context
Sun Jan 15 14:32:40 2012 us=634462 174.55.165.175:22254 LZO compression initialized
Sun Jan 15 14:32:40 2012 us=634597 174.55.165.175:22254 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Sun Jan 15 14:32:40 2012 us=634651 174.55.165.175:22254 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Sun Jan 15 14:32:40 2012 us=634709 174.55.165.175:22254 Local Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Sun Jan 15 14:32:40 2012 us=634750 174.55.165.175:22254 Expected Remote Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Sun Jan 15 14:32:40 2012 us=634801 174.55.165.175:22254 Local Options hash (VER=V4): 'f7df56b8'
Sun Jan 15 14:32:40 2012 us=634864 174.55.165.175:22254 Expected Remote Options hash (VER=V4): 'd79ca330'
Sun Jan 15 14:32:40 2012 us=634939 174.55.165.175:22254 UDPv4 READ [42] from 174.55.165.175:22254: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ 2686740430 2781987738 3165323103 184896021 1515948288 335 321509376 0 ]
Sun Jan 15 14:32:40 2012 us=634991 174.55.165.175:22254 TLS: Initial packet from 174.55.165.175:22254, sid=ccfb2594 24403d2e
Sun Jan 15 14:32:40 2012 us=635029 174.55.165.175:22254 TLS Error: reading acknowledgement record from packet
Sun Jan 15 14:32:40 2012 us=635122 174.55.165.175:22254 UDPv4 WRITE [14] to 174.55.165.175:22254: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ ] pid=0 DATA len=0
Sun Jan 15 14:32:42 2012 us=667565 174.55.165.175:22254 UDPv4 WRITE [14] to 174.55.165.175:22254: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ ] pid=0 DATA len=0
Sun Jan 15 14:32:42 2012 us=715158 174.55.165.175:22254 UDPv4 READ [42] from 174.55.165.175:22254: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ 2731558911 1762745047 2144928505 2601345709 7396352 591 321509376 0 ]
Sun Jan 15 14:32:42 2012 us=715258 174.55.165.175:22254 TLS Error: reading acknowledgement record from packet
Sun Jan 15 14:32:46 2012 us=779802 174.55.165.175:22254 UDPv4 WRITE [14] to 174.55.165.175:22254: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ ] pid=0 DATA len=0
Sun Jan 15 14:32:46 2012 us=821673 174.55.165.175:22254 UDPv4 READ [42] from 174.55.165.175:22254: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ 2221179596 3293768963 1831464616 1204680356 167315712 847 321509376 0 ]
Sun Jan 15 14:32:46 2012 us=821751 174.55.165.175:22254 TLS Error: reading acknowledgement record from packet
Sun Jan 15 14:32:54 2012 us=234956 174.55.165.175:22254 UDPv4 WRITE [14] to 174.55.165.175:22254: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ ] pid=0 DATA len=0
Sun Jan 15 14:33:10 2012 us=149830 174.55.165.175:22254 UDPv4 WRITE [14] to 174.55.165.175:22254: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ ] pid=0 DATA len=0
Sun Jan 15 14:33:40 2012 us=60403 174.55.165.175:22254 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sun Jan 15 14:33:40 2012 us=60509 174.55.165.175:22254 TLS Error: TLS handshake failed
Sun Jan 15 14:33:40 2012 us=60632 174.55.165.175:22254 SIGUSR1[soft,tls-error] received, client-instance restarting
Last edited by jjandrob on Sun Jan 15, 2012 10:32 pm, edited 1 time in total.

jjandrob
OpenVpn Newbie
Posts: 5
Joined: Sat Nov 19, 2011 7:24 pm

Re: pfsense as client, linux as server

Post by jjandrob » Sun Jan 15, 2012 8:48 pm

I needed to add the following to the server config file:
tls-auth /etc/openvpn/ta.key 0

This has allowed pfSense to say the connection is up.

I, however, cannot ping between the hosts.

I have done an iptables --flush on the Linux box and did an allow any any in pfSense on the OpenVPN port.

Any suggestions on where to go from here?
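As an added example (not part of jjandrob's posts), a small Python check that diffs the "Local Options String" each side logged in the first post: it isolates the tls-auth asymmetry behind the handshake failure (client: "cannot locate HMAC", server: "reading acknowledgement record") and also flags the comp-lzo and --fragment (mtu-dynamic) asymmetries that remain after the second post's fix, as candidate causes for the tunnel coming up without passing pings. The log lines are copied from the thread; the symptom texts and the "both ends must match" rule for comp-lzo and --fragment come from OpenVPN's documented behaviour, not from the thread.

```python
import re

# "Local Options String" lines copied from this thread's logs (pfSense client, then Linux server).
# tls-client/tls-server and keydir differ by role; every other option must match on both ends.
CLIENT_LOG = ("Jan 15 19:32:40 openvpn[37125]: Local Options String: 'V4,dev-type tap,"
              "link-mtu 1609,tun-mtu 1564,proto UDPv4,mtu-dynamic,keydir 1,cipher BF-CBC,"
              "auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'")
SERVER_LOG = ("Sun Jan 15 14:32:40 2012 us=634709 174.55.165.175:22254 Local Options String: "
              "'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,cipher BF-CBC,"
              "auth SHA1,keysize 128,key-method 2,tls-server'")
ROLE_SPECIFIC = {"tls-client", "tls-server", "keydir"}

# What OpenVPN 2.x logs when one of these options is configured on only one side.
SYMPTOMS = {
    "tls-auth": "tls-auth on one side only: that side logs 'cannot locate HMAC', the other side "
                "'reading acknowledgement record'; set tls-auth on both ends (client keydir 1, server 0)",
    "comp-lzo": "comp-lzo on one side only: tunnel comes up but payloads are misparsed, ping fails",
    "mtu-dynamic": "--fragment (mtu-dynamic) on one side only: it must be set on both ends",
}

def extract_options_string(log_text):
    """Pull the quoted options string out of an OpenVPN 'Local Options String' log line."""
    m = re.search(r"Local Options String: '([^']*)'", log_text)
    return m.group(1) if m else None

def parse_options(s):
    """'V4,dev-type tap,tls-auth,...' -> {'dev-type': 'tap', 'tls-auth': None, ...}."""
    opts = {}
    for item in s.split(",")[1:]:          # skip the leading 'V4' format version
        name, _, value = item.partition(" ")
        opts[name] = value or None
    return opts

def compare(client_s, server_s):
    """One finding per option that is present on one side only or differs in value."""
    c, s = parse_options(client_s), parse_options(server_s)
    findings = []
    for name in sorted((set(c) | set(s)) - ROLE_SPECIFIC):
        if name not in c:
            findings.append(f"{name}: server only")
        elif name not in s:
            findings.append(f"{name}: client only")
        elif c[name] != s[name]:
            findings.append(f"{name}: client={c[name]} server={s[name]}")
    return findings

def diagnose(findings):
    """Explain the findings that have a known symptom; MTU differences are reported as-is."""
    return [SYMPTOMS[f.split(":", 1)[0]] for f in findings if f.split(":", 1)[0] in SYMPTOMS]
```

Run `compare(extract_options_string(CLIENT_LOG), extract_options_string(SERVER_LOG))` and pass the result to `diagnose` to get the three asymmetries plus the tun-mtu/link-mtu differences caused by the pfSense "tun-mtu 1532;fragment 1300" advanced options.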
