[Solved]TLS : new session incoming connection from error !

Samples of working configurations.

Moderators: TinCanTech

FarAway
OpenVpn Newbie
Posts: 5
Joined: Sun Mar 29, 2015 1:34 pm

[Solved]TLS : new session incoming connection from error !

Post by FarAway » Sun Mar 29, 2015 1:51 pm

Hello everybody,

I am using OpenVPN to make a connection between a server and a client (which is a device, not another computer). My problem is about the CERTIFICATE: I created all I needed, "ca, server, and client". The problem is that every time I get a "tls error" and a "handshake failure" error, see the picture attached. I don't have any firewall problem; actually I did the test with an old certificate, and it works perfectly, but when I create new certificates I get the error messages. I really don't know where the problem can be from. I repeat, my configuration is OKAY when using my old certificate. I did the comparison between the both; any thing looked to me weird, the common name is okay, the name, etc.

Please help me on that if you have met this kind of problem. Thank you, and happy day.

msg error is : TLS : new session incoming connection from [AF_NET]
TLS Error : Tls key negociation failed to occur within 60 seconds....etc

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: TLS : new session incoming connection from [AF_NET] err

Post by maikcat » Mon Mar 30, 2015 6:29 am

please post your complete logs and configs.

Michael.

FarAway
OpenVpn Newbie
Posts: 5
Joined: Sun Mar 29, 2015 1:34 pm

Re: TLS : new session incoming connection from [AF_NET] err

Post by FarAway » Mon Mar 30, 2015 7:54 am

This is the log file

Mon Mar 30 08:31:22 2015 OpenVPN 2.3.2 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [eurephia] [IPv6] built on Aug 22 2013
Enter Management Password:
Mon Mar 30 08:31:22 2015 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Mon Mar 30 08:31:22 2015 Need hold release from management interface, waiting...
Mon Mar 30 08:31:22 2015 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Mon Mar 30 08:31:22 2015 MANAGEMENT: CMD 'state on'
Mon Mar 30 08:31:22 2015 MANAGEMENT: CMD 'log all on'
Mon Mar 30 08:31:22 2015 MANAGEMENT: CMD 'hold off'
Mon Mar 30 08:31:22 2015 MANAGEMENT: CMD 'hold release'
Mon Mar 30 08:31:22 2015 NOTE: your local LAN uses the extremely common subnet address xxx.xxx.xxx.xxx or xxx.xxx.xxx.xxx. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Mon Mar 30 08:31:22 2015 Diffie-Hellman initialized with 1024 bit key
Mon Mar 30 08:31:22 2015 Socket Buffers: R=[8192->8192] S=[8192->8192]
Mon Mar 30 08:31:22 2015 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Mon Mar 30 08:31:22 2015 MANAGEMENT: >STATE:1427700682,ASSIGN_IP,,10.9.0.1,
Mon Mar 30 08:31:22 2015 open_tun, tt->ipv6=0
Mon Mar 30 08:31:22 2015 TAP-WIN32 device [Connexion au réseau local 2] opened: \\.\Global\{06CC012F-5BFD-4BF1-81E0-F8798B790E22}.tap
Mon Mar 30 08:31:22 2015 TAP-Windows Driver Version 9.9
Mon Mar 30 08:31:22 2015 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.9.x.x/255.255.255.252 on interface {06CC012F-5BFD-4BF1-81E0-F8798B790E22} [DHCP-serv: 10.9.x.x, lease-time: 31536000]
Mon Mar 30 08:31:22 2015 Sleeping for 10 seconds...
Mon Mar 30 08:31:32 2015 Successful ARP Flush on interface [24] {06CC012F-5BFD-4BF1-81E0-F8798B790E22}
Mon Mar 30 08:31:32 2015 MANAGEMENT: >STATE:1427700692,ADD_ROUTES,,,
Mon Mar 30 08:31:32 2015 C:\Windows\system32\route.exe ADD xxx.xxx.x.x MASK 255.255.255.0 10.9.x.x
Mon Mar 30 08:31:32 2015 Warning: route gateway is not reachable on any active network adapters: 10.9.x.x
Mon Mar 30 08:31:32 2015 Route addition via IPAPI failed [adaptive]
Mon Mar 30 08:31:32 2015 Route addition fallback to route.exe
Mon Mar 30 08:31:32 2015 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Mon Mar 30 08:31:33 2015 C:\Windows\system32\route.exe ADD 10.9.x.x MASK 255.255.255.0 10.9.x.x
Mon Mar 30 08:31:33 2015 Warning: route gateway is not reachable on any active network adapters: 10.9.x.x
Mon Mar 30 08:31:33 2015 Route addition via IPAPI failed [adaptive]
Mon Mar 30 08:31:33 2015 Route addition fallback to route.exe
Mon Mar 30 08:31:33 2015 env_block: add PATH=C:\Windows\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
Mon Mar 30 08:31:33 2015 UDPv4 link local (bound): [undef]
Mon Mar 30 08:31:33 2015 UDPv4 link remote: [undef]
Mon Mar 30 08:31:33 2015 MULTI: multi_init called, r=256 v=256
Mon Mar 30 08:31:33 2015 IFCONFIG POOL: base=10.9.x.x size=62, ipv6=0
Mon Mar 30 08:31:33 2015 IFCONFIG POOL LIST
Mon Mar 30 08:31:33 2015 Initialization Sequence Completed
Mon Mar 30 08:31:33 2015 MANAGEMENT: >STATE:1427700693,CONNECTED,SUCCESS,10.9.x.x,

Mon Mar 30 08:31:33 2015 154.121.251.182:56491 TLS: Initial packet from [AF_INET]xxx.xxx.xxx.xxx:56491, sid=5ea6ca0b 1d0485a3
Mon Mar 30 08:31:36 2015 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Mon Mar 30 08:31:38 2015 154.121.251.182:56491 TLS: new session incoming connection from [AF_INET]xxx.xxx.xxx.xxx:56491
Mon Mar 30 08:31:40 2015 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Mon Mar 30 08:31:42 2015 154.121.251.182:56491 TLS: new session incoming connection from [AF_INET]xxx.xxx.xxx.xxx:56491
Mon Mar 30 08:32:33 2015 154.121.251.182:56491 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Mar 30 08:32:33 2015 154.121.251.182:56491 TLS Error: TLS handshake failed
Mon Mar 30 08:32:33 2015 154.121.251.182:56491 SIGUSR1[soft,tls-error] received, client-instance restarting
Mon Mar 30 08:32:44 2015 154.121.251.182:56491 TLS: Initial packet from [AF_INET]xxx.xxx.xxx.xxx:56491, sid=2ad08e61 c6b41a5c
Mon Mar 30 08:32:48 2015 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)



And this is the server file configuration


port 1194
proto udp
dev tun
ca ca.crt
cert certificat_xxxxx.crt
key certificat_xxxxx.key # This file should be kept secret
dh dh1024.pem
server 10.9.x.x 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route xxx.xxx.xxx.xxx 255.255.255.0"
client-config-dir zeralda
route xxx.xxx.xxx.xxx 255.255.255.0
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3



Hi, I'm pretty sure that the problem is about the certificate, coz my configuration works. I just don't understand what's wrong with the new certificates; I used the MSDos way to create them.

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: TLS : new session incoming connection from [AF_NET] err

Post by maikcat » Mon Mar 30, 2015 8:40 am

read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
these usually come from packet filtering...

client logs?

did you change the CA also?

Michael
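
A triage sketch for a server log like the one posted in this thread, added here as an example (it is not from the thread or from the OpenVPN project): it separates a handshake that timed out before any peer-certificate verification was logged from one where a certificate was rejected. The sample lines are constructed from the posted log with a documentation address, and the function and label names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample, modelled on the server log posted in this thread
# (peer address replaced with a documentation address).
SAMPLE_LOG = """\
Mon Mar 30 08:31:33 2015 192.0.2.10:56491 TLS: Initial packet from [AF_INET]192.0.2.10:56491, sid=5ea6ca0b 1d0485a3
Mon Mar 30 08:31:36 2015 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Mon Mar 30 08:31:38 2015 192.0.2.10:56491 TLS: new session incoming connection from [AF_INET]192.0.2.10:56491
Mon Mar 30 08:31:40 2015 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Mon Mar 30 08:32:33 2015 192.0.2.10:56491 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Mar 30 08:32:33 2015 192.0.2.10:56491 TLS Error: TLS handshake failed
"""

# Substrings OpenVPN writes for each event; VERIFY lines appear when a peer certificate is checked.
PATTERNS = {
    "restart": re.compile(r"TLS: new session incoming connection from"),
    "reset": re.compile(r"Connection reset by peer \(WSAECONNRESET\)"),
    "verify_ok": re.compile(r"VERIFY OK"),
    "verify_error": re.compile(r"VERIFY ERROR"),
    "timeout": re.compile(r"TLS key negotiation failed to occur"),
}

def count_events(log_text):
    """Count how often each handshake-related event appears in the log."""
    counts = Counter()
    for line in log_text.splitlines():
        for name, pat in PATTERNS.items():
            if pat.search(line):
                counts[name] += 1
    return counts

def triage(log_text):
    """Return a coarse label saying how far the TLS handshake got."""
    c = count_events(log_text)
    if c["verify_error"]:
        return "certificate-rejected"
    if c["timeout"] and not c["verify_ok"]:
        # No certificate check was ever logged, so the exchange stalled earlier.
        return "stalled-before-verify-with-resets" if c["reset"] else "stalled-before-verify"
    if c["timeout"]:
        return "stalled-after-verify"
    return "no-handshake-failure"

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A "stalled-before-verify" label means the server log alone cannot confirm or rule out a certificate problem, which is why the client-side log is the next thing to collect.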

FarAway
OpenVpn Newbie
Posts: 5
Joined: Sun Mar 29, 2015 1:34 pm

Re: TLS : new session incoming connection from [AF_NET] err

Post by FarAway » Mon Mar 30, 2015 9:06 am

Packet filtering?

I don't have a client log; my client just needs a pkcs12 certificate to be uploaded. So when I create my certificates, beginning from the CA and server, I use the command "build-key-pkcs12", but it worked on my old client certificate.

And yes, as said before, I have changed the CA certificate.

FarAway
OpenVpn Newbie
Posts: 5
Joined: Sun Mar 29, 2015 1:34 pm

Re: TLS : new session incoming connection from [AF_NET] err

Post by FarAway » Sun Apr 05, 2015 8:03 am

maikcat wrote:
read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
these usually come from packet filtering...

client logs?

did you change the CA also?

Michael

Hi, finally it worked with my new certificate. I'm not pretty sure about what I've done, coz I changed many parameters at the same time, but I guess: I changed the IP address, which is a very commonly used address, and I replaced my client (the device) with a computer, and I don't know, it just unlocked. Thank you for your support. Bye
