TLS key negotiation failed to occur within 60 seconds

[makintach]

i installed openvpn 2.0.9 according to this site

http://www.howtoforge.com/openvpn-server-on-centos-5.2


i always get this error:

MULTI: multi_create_instance called
Re-using SSL/TLS context
LZO compression initialized
Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Local Options hash (VER=V4): 'c0103fa8'
Expected Remote Options hash (VER=V4): '69109d17'
TCP connection established with 79.127.10.178:2011
TCPv4_SERVER link local: [undef]
TCPv4_SERVER link remote: 79.127.10.178:2011
79.127.10.178:2011 TLS: Initial packet from 79.127.10.178:2011, sid=775f4680 914c7d85
79.127.10.178:2011 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
79.127.10.178:2011 TLS Error: TLS handshake failed
79.127.10.178:2011 Fatal TLS error (check_tls_errors_co), restarting
79.127.10.178:2011 SIGUSR1[soft,tls-error] received, client-instance restarting
TCP/UDP: Closing socket

this is my iptable config:

# Generated by iptables-save v1.3.5 on Fri Nov 26 16:19:11 2010
*nat
: PREROUTING ACCEPT [2982:186567]
: POSTROUTING ACCEPT [524:34711]
:OUTPUT ACCEPT [551:62404]
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Fri Nov 26 16:19:11 2010
# Generated by iptables-save v1.3.5 on Fri Nov 26 16:19:11 2010
*mangle
: PREROUTING ACCEPT [53258:11490087]
:INPUT ACCEPT [53141:11476050]
:FORWARD ACCEPT [100:9349]
:OUTPUT ACCEPT [62269:60021798]
: POSTROUTING ACCEPT [62146:59990437]
COMMIT
# Completed on Fri Nov 26 16:19:11 2010
# Generated by iptables-save v1.3.5 on Fri Nov 26 16:19:11 2010
*filter
:INPUT DROP [1:554]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j REJECT --reject-with tcp-reset
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8880 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s 79.127.100.72 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j DROP
-A INPUT -s 79.127.100.72 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP
-A INPUT -p tcp -m tcp --dport 587 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 465 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 995 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 106 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5432 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9008 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9080 -j ACCEPT
-A INPUT -p udp -m udp --dport 137 -j ACCEPT
-A INPUT -p udp -m udp --dport 138 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 139 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 445 -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -s 79.127.100.72 -p icmp -m icmp --icmp-type 8/0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8/0 -j DROP
-A INPUT -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 1723 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 1723 -j ACCEPT
-A INPUT -i eth0 -p gre -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 1723 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 1723 -j ACCEPT
-A INPUT -i eth0 -p gre -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j REJECT --reject-with tcp-reset
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -i lo -o lo -j ACCEPT
-A FORWARD -j DROP
-A FORWARD -i ppp+ -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o ppp+ -j ACCEPT
-A FORWARD -i ppp+ -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o ppp+ -j ACCEPT


-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j REJECT --reject-with tcp-reset
-A OUTPUT -m state --state INVALID -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j ACCEPT
COMMIT
# Completed on Fri Nov 26 16:19:11 2010


################## OPEN VPN #####################
# External Interface for VPN
# VPN Interface
VPNIF="tun0"
VPNNET="172.16.0.0/24"
VPNIP="172.16.0.1"
### OpenVPN
$IPTABLES -A INPUT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP --destination-port 1723 -j ACCEPT # OpenVPN
$IPTABLES -A INPUT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP --destination-port 1723 -j ACCEPT # OpenVPN
# Allow TUN interface connections to OpenVPN server
$IPTABLES -A OUTPUT -o $INTIF -s $EXTIP -d $VPNNET -j ACCEPT
$IPTABLES -A OUTPUT -o $VPNIF -s $EXTIP -d $VPNNET -j ACCEPT
# OpenVPN
$IPTABLES -A FORWARD -i $EXTIF -o $VPNIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -o $INTIF -s $EXTIP -d $VPNNET -j ACCEPT
$IPTABLES -A FORWARD -o $VPNIF -s $EXTIP -d $VPNIP -j ACCEPT
$IPTABLES -A FORWARD -o $EXTIF -s $EXTIP -d $VPNNET -j ACCEPT
$IPTABLES -A FORWARD -o $VPNIF -s $INTNET -d $VPNNET -j ACCEPT

[maikcat]

hi there,

2 questions for start...

1)selinux is enabled?
2)did you try with iptables disabled?

cheers,

michael.

[gladiatr72]

Yeah. I'm not seeing port 2011 anywhere in your iptables dump.

-S

[makintach]

thanks for your answers

hi there,

2 questions for start...

1)selinux is enabled?
2)did you try with iptables disabled?

cheers,

michael.

i disables firewall
again that problem

selinux: i don know what exactly is

OpenVPN 2.0.9 i386-redhat-linux-gnu [SSL] [LZO] [EPOLL] built on Aug 28 2007
Diffie-Hellman initialized with 1024 bit key
TLS-Auth MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
TUN/TAP device tun0 opened
/sbin/ifconfig tun0 172.16.0.1 pointopoint 172.16.0.2 mtu 1500
/sbin/route add -net 172.16.0.0 netmask 255.255.255.0 gw 172.16.0.2
Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
GID set to users
UID set to nobody
Listening for incoming TCP connection on [undef]:1723
TCPv4_SERVER link local (bound): [undef]:1723
TCPv4_SERVER link remote: [undef]
MULTI: multi_init called, r=256 v=256
IFCONFIG POOL: base=172.16.0.4 size=62
IFCONFIG POOL LIST
MULTI: TCP INIT maxclients=1024 maxevents=1028
Initialization Sequence Completed
MULTI: multi_create_instance called
Re-using SSL/TLS context
LZO compression initialized
Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Local Options hash (VER=V4): 'c0103fa8'
Expected Remote Options hash (VER=V4): '69109d17'
TCP connection established with 79.127.11.218:2292
TCPv4_SERVER link local: [undef]
TCPv4_SERVER link remote: 79.127.11.218:2292
79.127.11.218:2292 TLS: Initial packet from 79.127.11.218:2292, sid=f1bd0200 eb2f42fd
79.127.11.218:2292 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your networ k connectivity)
79.127.11.218:2292 TLS Error: TLS handshake failed
79.127.11.218:2292 Fatal TLS error (check_tls_errors_co), restarting
79.127.11.218:2292 SIGUSR1[soft,tls-error] received, client-instance restarting
TCP/UDP: Closing socket

Yeah. I'm not seeing port 2011 anywhere in your iptables dump.

-S

sorry
how can i add what you say




.

[maikcat]

hi there,

login in to your centos and type

sestatus

you will get something like

SELinux status: disabled (or permissive,or enforced)

cheers,

michael

[makintach]

hi there,

login in to your centos and type

sestatus

you will get something like

SELinux status: disabled (or permissive,or enforced)

cheers,

michael

thank you

this is what my site says:


SELinux status: disabled


.

[maikcat]

hi there,

can you try to switch your config to udp protocol..

michael.

[makintach]

thank you maikcat

hi there,

can you try to switch your config to udp protocol..

michael.

i changed
i got these errors

server side error:

79.127.11.218:3336 Re-using SSL/TLS context
79.127.11.218:3336 LZO compression initialized
79.127.11.218:3336 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
79.127.11.218:3336 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
79.127.11.218:3336 Local Options hash (VER=V4): '530fdded'
79.127.11.218:3336 Expected Remote Options hash (VER=V4): '41690919'
79.127.11.218:3336 TLS: Initial packet from 79.127.11.218:3336, sid=2de6212f 3b305fb5
read UDPv4 [ECONNREFUSED]: Connection refused (code=111)

START: smtp pid=12860 from=127.0.0.1
EXIT: smtp status=0 pid=12860 duration=0(sec)
read UDPv4 [ECONNREFUSED]: Connection refused (code=111)


9.127.11.218:3336 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
79.127.11.218:3336 TLS Error: TLS handshake failed
79.127.11.218:3336 SIGUSR1[soft,tls-error] received, client-instance restarting

client side error:

Re-using SSL/TLS context
Thu Feb 03 16:16:57 2011 LZO compression initialized
Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Local Options hash (VER=V4): '41690919'
Expected Remote Options hash (VER=V4): '530fdded'
UDPv4 link local: [undef]
UDPv4 link remote: 174.142.141.78:1723
TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
TLS Error: TLS handshake failed
TCP/UDP: Closing socket
SIGUSR1[soft,tls-error] received, process restarting
Restart pause, 2 second(s)
OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Re-using SSL/TLS context

[maikcat]

can you please post both configs used..?

michael.

ps: also,what model/brand router you use? (server side)

[makintach]

can you please post both configs used..?

michael.

ps: also,what model/brand router you use? (server side)

server config:

port 1723 # (1194 is the default but on some APN networks this is blocked)
proto tcp
#proto udp
dev tun
#dev tap
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 172.16.0.0 255.255.255.0
push "dhcp-option DNS 192.168.168.1"
push "dhcp-option DNS 168.210.2.2"
#push "dhcp-option WINS 192.168.1.2"
push "route 192.168.168.0 255.255.255.0"
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
user nobody
group users
persist-key
persist-tun
status openvpn-status.log
verb 3
client-to-client
#duplicate-cn # (this means several users can use the same key)

client config

##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server. #
# #
# This configuration can be used by multiple #
# clients, however each client should have #
# its own cert and key files. #
# #
# On Windows, you might want to rename this #
# file so it has a .ovpn extension #
##############################################

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one. On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap

# Are we connecting to a TCP or
# UDP server? Use the same setting as
# on the server.
proto tcp
;proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.

remote ***.***.***.*** 1723


# Choose a random host from the remote
# list for load-balancing. Otherwise
# try hosts in the order specified.
;remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody

# Try to preserve some state across restarts.
persist-key
persist-tun

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here. See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets. Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
ca ca.crt
cert mohopa.crt
key mohopa.key

# Verify server certificate by checking
# that the certicate has the nsCertType
# field set to "server". This is an
# important precaution to protect against
# a potential attack discussed here:
# http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server". The build-key-server
# script in the easy-rsa folder will do this.
;ns-cert-type server

# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
;cipher x

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
comp-lzo

# Set log file verbosity.
verb 3

# Silence repeating messages
;mute 20

[maikcat]

to see easily if centos is the problem try the following:

set up the client into one pc inside your network,
change the remote line to your clients setup pointing to openvpn server lan ip. (yes not the public ip but the private (192.168.168.x)
comment from the servers config the push "route 192.168.168.0 255.255.255.0" line

you can connect and you can ping the 172.16.0.1 from the client..
if this works check your router config..

michael.

[makintach]

maybe these can help:


also when i restart iptables
i got this error

service iptables restart
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: filter mangle nat [ OK ]
Unloading iptables modules: [ OK ]
Applying iptables firewall rules: iptables-restore: line 87 failed [FAILED]

this is line 87:

84: ################## OPEN VPN #####################
85: # External Interface for VPN
86: # VPN Interface
87: VPNIF="tun0"
88: VPNNET="172.16.0.0/24"
89: VPNIP="172.16.0.1"
90: ### OpenVPN

and my server route

Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
172.16.0.2 * 255.255.255.255 UH 0 0 0 tun0
174.142.141.72 * 255.255.255.248 U 0 0 0 eth0
67.205.111.96 * 255.255.255.224 U 0 0 0 eth0
172.16.0.0 172.16.0.2 255.255.255.0 UG 0 0 0 tun0
169.254.0.0 * 255.255.0.0 U 0 0 0 eth0
default ip-***-***-***-*** 0.0.0.0 UG 0 0 0 eth0

[maikcat]

i think for testing purposes you should have disabled iptables until it works...

please disable them and if it works without firewall ,we try to configure it later.

cheers,

michael

ps:i assume that even with firewall off it *doesnt* work,right?

[makintach]

i think for testing purposes you should have disabled iptables until it works...

please disable them and if it works without firewall ,we try to configure it later.

cheers,

michael

ps:i assume that even with firewall off it *doesnt* work,right?

yes, does not work



.

[maikcat]

can you try to connect from another pc inside your lan..?
using the changes i mentioned.

michael.

[makintach]

can you try to connect from another pc inside your lan..?
using the changes i mentioned.

michael.

no thats not possible
our server is another another country

and we are trying to install on that server




.

[maikcat]

then you simply cannot be sure if its centos problem or something else...

last question

your client what router has?
did he configure right nat+firewall? (on his router)

michael.

[makintach]

then you simply cannot be sure if its centos problem or something else...

last question

your client what router has?
did he configure right nat+firewall? (on his router)

michael.

my modem is asus am602
and have kaspersky internet security 7

i disables kaspeskey
nothings happend


.

[maikcat]

the asus is located on server side? (not yours but your clients)

who configure the nat rules on the router? you or someone else?

did you try to restart the router on servers side?

michael.

[makintach]

the asus is located on server side? (not yours but your clients)

who configure the nat rules on the router? you or someone else?

did you try to restart the router on servers side?

michael.

i am a client not server

my router configuration is default

how can i restart the router on the server: ( in other country )
i can do it remoutly with ssh or plesk pannel


.