[Solved] Problem with Open VPN

Posted: Tue Apr 28, 2015 8:19 am
by aigini82
I work in an office, where we have a team that uses OpenVPN to log on to certain servers.
There is a guy in that team that when he uses the OpenVPN it sort of causes a clash with my OpenVPN.
This means that when we both use the OpenVPN at the same time, we get intermittent connection, and get kicked out of the OpenVPN.

I tried changing the public key and the crt for my OpenVPN usage, and thought that this would resolve the issue, but it did not.
I cannot think of anything else that could cause the problem mentioned.

Please help.

Re: Problem with Open VPN

Posted: Tue Apr 28, 2015 11:40 am
by maikcat
are you using the same certificate?

Michael.

Re: Problem with Open VPN

Posted: Wed Apr 29, 2015 2:15 am
by aigini82
I have checked our certs (*.crt), and they appear to be different.

Re: Problem with Open VPN

Posted: Wed Apr 29, 2015 5:25 am
by maikcat
are you using ccd files?

Michael.

Re: Problem with Open VPN

Posted: Wed Apr 29, 2015 5:41 am
by aigini82
Sorry, I do not know what ccd files are.

Re: Problem with Open VPN

Posted: Wed Apr 29, 2015 7:05 am
by maikcat
do you have access to server configs/logs?

Michael.

Re: Problem with Open VPN

Posted: Thu Apr 30, 2015 10:08 am
by aigini82
Yes I do.
The conf file is located in /etc/openvpn. And the name of this file is server.conf.

The log file is located in /var/log/. The name of the log file here is openvpn.log.

But how would looking at these files help? What error do we search for in openvpn.log?

Re: Problem with Open VPN

Posted: Thu Apr 30, 2015 12:19 pm
by maikcat
can you post them here?

Michael.

Re: Problem with Open VPN

Posted: Fri May 01, 2015 6:56 am
by aigini82
server.conf :

port xxxx
proto udp
dev tun
ca /usr/share/openvpn/easy-rsa/2.0/keys/ca.crt
cert /usr/share/openvpn/easy-rsa/2.0/keys/abc.crt
key /usr/share/openvpn/easy-rsa/2.0/keys/abc.key  # This file should be kept secret
dh /usr/share/openvpn/easy-rsa/2.0/keys/dh1024.pem
server 10.x.x.x 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 10.x.x.x 255.255.0.0"
client-to-client
keepalive 10 120
cipher AES-256-CBC
comp-lzo
max-clients 30
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn-status.log
log-append  /var/log/openvpn.log
verb 3

openvpn.log :

Mon Apr 27 00:32:38 2015 121.121.117.19:57218 TLS: Initial packet from [AF_INET]121.121.117.19:57218, sid=787f0638 76057f13
Mon Apr 27 00:32:38 2015 121.121.117.19:57218 VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=changeme, CN=changeme, name=changeme, emailAddress=mail@host.domain
Mon Apr 27 00:32:38 2015 121.121.117.19:57218 VERIFY OK: depth=0, C=MY, ST=SGR, L=PJ, O=Tunelabs, OU=Technical, CN=spare5, name=spare5, emailAddress=mail@host.domain
Mon Apr 27 00:32:38 2015 121.121.117.19:57218 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Apr 27 00:32:38 2015 121.121.117.19:57218 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Apr 27 00:32:38 2015 121.121.117.19:57218 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Apr 27 00:32:38 2015 121.121.117.19:57218 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Apr 27 00:32:38 2015 121.121.117.19:57218 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Mon Apr 27 00:32:38 2015 121.121.117.19:57218 [spare5] Peer Connection Initiated with [AF_INET]121.121.117.19:57218
Mon Apr 27 00:32:38 2015 spare5/121.121.117.19:57218 MULTI_sva: pool returned IPv4=10.0.254.46, IPv6=(Not enabled)
Mon Apr 27 00:32:38 2015 spare5/121.121.117.19:57218 MULTI: Learn: 10.0.254.46 -> spare5/121.121.117.19:57218
Mon Apr 27 00:32:38 2015 spare5/121.121.117.19:57218 MULTI: primary virtual IP for spare5/121.121.117.19:57218: 10.0.254.46
Mon Apr 27 00:32:41 2015 spare5/121.121.117.19:57218 PUSH: Received control message: 'PUSH_REQUEST'
Mon Apr 27 00:32:41 2015 spare5/121.121.117.19:57218 send_push_reply(): safe_cap=940
Mon Apr 27 00:32:41 2015 spare5/121.121.117.19:57218 SENT CONTROL [spare5]: 'PUSH_REPLY,route 10.0.0.0 255.255.0.0,route 10.0.254.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.0.254.46 10.0.254.45' (status=1)
Mon Apr 27 00:54:05 2015 spare5/121.121.117.19:57218 [spare5] Inactivity timeout (--ping-restart), restarting
Mon Apr 27 00:54:05 2015 spare5/121.121.117.19:57218 SIGUSR1[soft,ping-restart] received, client-instance restarting
Mon Apr 27 01:02:56 2015 121.121.117.19:53910 TLS: Initial packet from [AF_INET]121.121.117.19:53910, sid=8cbc69b5 8843daa3
Mon Apr 27 01:02:56 2015 121.121.117.19:53910 VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=changeme, CN=changeme, name=changeme, emailAddress=mail@host.domain
Mon Apr 27 01:02:56 2015 121.121.117.19:53910 VERIFY OK: depth=0, C=MY, ST=SGR, L=PJ, O=Tunelabs, OU=Technical, CN=spare5, name=spare5, emailAddress=mail@host.domain
Mon Apr 27 01:02:56 2015 121.121.117.19:53910 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Apr 27 01:02:56 2015 121.121.117.19:53910 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Apr 27 01:02:56 2015 121.121.117.19:53910 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Apr 27 01:02:56 2015 121.121.117.19:53910 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Apr 27 01:02:56 2015 121.121.117.19:53910 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Mon Apr 27 01:02:56 2015 121.121.117.19:53910 [spare5] Peer Connection Initiated with [AF_INET]121.121.117.19:53910
Mon Apr 27 01:02:56 2015 spare5/121.121.117.19:53910 MULTI_sva: pool returned IPv4=10.0.254.46, IPv6=(Not enabled)
Mon Apr 27 01:02:56 2015 spare5/121.121.117.19:53910 MULTI: Learn: 10.0.254.46 -> spare5/121.121.117.19:53910
Mon Apr 27 01:02:56 2015 spare5/121.121.117.19:53910 MULTI: primary virtual IP for spare5/121.121.117.19:53910: 10.0.254.46
Mon Apr 27 01:02:59 2015 spare5/121.121.117.19:53910 PUSH: Received control message: 'PUSH_REQUEST'
Mon Apr 27 01:02:59 2015 spare5/121.121.117.19:53910 send_push_reply(): safe_cap=940
Mon Apr 27 01:02:59 2015 spare5/121.121.117.19:53910 SENT CONTROL [spare5]: 'PUSH_REPLY,route 10.0.0.0 255.255.0.0,route 10.0.254.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.0.254.46 10.0.254.45' (status=1)
Mon Apr 27 01:26:25 2015 spare5/121.121.117.19:53910 [spare5] Inactivity timeout (--ping-restart), restarting
Mon Apr 27 01:26:25 2015 spare5/121.121.117.19:53910 SIGUSR1[soft,ping-restart] received, client-instance restarting
Mon Apr 27 09:50:02 2015 103.14.28.2:3093 TLS: Initial packet from [AF_INET]103.14.28.2:3093, sid=529e12db d3b8477f
Mon Apr 27 09:50:02 2015 103.14.28.2:3093 VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=changeme, CN=changeme, name=changeme, emailAddress=mail@host.domain
Mon Apr 27 09:50:02 2015 103.14.28.2:3093 VERIFY OK: depth=0, C=MY, ST=SGR, L=PJ, O=Tunelabs, OU=Technical, CN=nazar, name=nazar, emailAddress=mail@host.domain
Mon Apr 27 09:50:02 2015 103.14.28.2:3093 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Apr 27 09:50:02 2015 103.14.28.2:3093 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Apr 27 09:50:02 2015 103.14.28.2:3093 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Apr 27 09:50:02 2015 103.14.28.2:3093 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Apr 27 09:50:02 2015 103.14.28.2:3093 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Mon Apr 27 09:50:02 2015 103.14.28.2:3093 [nazar] Peer Connection Initiated with [AF_INET]103.14.28.2:3093
Mon Apr 27 09:50:02 2015 nazar/103.14.28.2:3093 MULTI_sva: pool returned IPv4=10.0.254.14, IPv6=(Not enabled)
Mon Apr 27 09:50:02 2015 nazar/103.14.28.2:3093 MULTI: Learn: 10.0.254.14 -> nazar/103.14.28.2:3093
Mon Apr 27 09:50:02 2015 nazar/103.14.28.2:3093 MULTI: primary virtual IP for nazar/103.14.28.2:3093: 10.0.254.14
Mon Apr 27 09:50:04 2015 nazar/103.14.28.2:3093 PUSH: Received control message: 'PUSH_REQUEST'
Mon Apr 27 09:50:04 2015 nazar/103.14.28.2:3093 send_push_reply(): safe_cap=940
Mon Apr 27 09:50:04 2015 nazar/103.14.28.2:3093 SENT CONTROL [nazar]: 'PUSH_REPLY,route 10.0.0.0 255.255.0.0,route 10.0.254.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.0.254.14 10.0.254.13' (status=1)
Mon Apr 27 10:49:47 2015 103.14.28.2:41675 TLS: Initial packet from [AF_INET]103.14.28.2:41675, sid=1404b288 2efc94f5
Mon Apr 27 10:49:47 2015 103.14.28.2:41675 VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=changeme, CN=changeme, name=changeme, emailAddress=mail@host.domain
Mon Apr 27 10:49:47 2015 103.14.28.2:41675 VERIFY OK: depth=0, C=MY, ST=SGr, L=PJ, O=Tunelabs, OU=Technical, CN=alwin, name=alwin, emailAddress=admin@tunelabs.asia
Mon Apr 27 10:49:47 2015 103.14.28.2:41675 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Apr 27 10:49:47 2015 103.14.28.2:41675 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Apr 27 10:49:47 2015 103.14.28.2:41675 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Apr 27 10:49:47 2015 103.14.28.2:41675 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Apr 27 10:49:47 2015 103.14.28.2:41675 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Mon Apr 27 10:49:47 2015 103.14.28.2:41675 [alwin] Peer Connection Initiated with [AF_INET]103.14.28.2:41675
Mon Apr 27 10:49:47 2015 alwin/103.14.28.2:41675 MULTI_sva: pool returned IPv4=10.0.254.10, IPv6=(Not enabled)
Mon Apr 27 10:49:47 2015 alwin/103.14.28.2:41675 MULTI: Learn: 10.0.254.10 -> alwin/103.14.28.2:41675
Mon Apr 27 10:49:47 2015 alwin/103.14.28.2:41675 MULTI: primary virtual IP for alwin/103.14.28.2:41675: 10.0.254.10
Mon Apr 27 10:49:49 2015 alwin/103.14.28.2:41675 PUSH: Received control message: 'PUSH_REQUEST'
Mon Apr 27 10:49:49 2015 alwin/103.14.28.2:41675 send_push_reply(): safe_cap=940
Mon Apr 27 10:49:49 2015 alwin/103.14.28.2:41675 SENT CONTROL [alwin]: 'PUSH_REPLY,route 10.0.0.0 255.255.0.0,route 10.0.254.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.0.254.10 10.0.254.9' (status=1)
Mon Apr 27 10:50:02 2015 nazar/103.14.28.2:3093 VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=changeme, CN=changeme, name=changeme, emailAddress=mail@host.domain
Mon Apr 27 10:50:02 2015 nazar/103.14.28.2:3093 VERIFY OK: depth=0, C=MY, ST=SGR, L=PJ, O=Tunelabs, OU=Technical, CN=nazar, name=nazar, emailAddress=mail@host.domain
Mon Apr 27 10:50:02 2015 nazar/103.14.28.2:3093 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Apr 27 10:50:02 2015 nazar/103.14.28.2:3093 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Apr 27 10:50:02 2015 nazar/103.14.28.2:3093 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Apr 27 10:50:02 2015 nazar/103.14.28.2:3093 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Apr 27 10:50:02 2015 nazar/103.14.28.2:3093 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Mon Apr 27 11:02:36 2015 103.14.28.2:63935 TLS: Initial packet from [AF_INET]103.14.28.2:63935, sid=5b75e966 6cab8581
Mon Apr 27 11:02:37 2015 103.14.28.2:63935 VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=changeme, CN=changeme, name=changeme, emailAddress=mail@host.domain
Mon Apr 27 11:02:37 2015 103.14.28.2:63935 VERIFY OK: depth=0, C=MY, ST=SGR, L=PJ, O=Tunelabs, OU=Technical, CN=spare5, name=spare5, emailAddress=mail@host.domain
Mon Apr 27 11:02:42 2015 103.14.28.2:63935 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Apr 27 11:02:42 2015 103.14.28.2:63935 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Apr 27 11:02:42 2015 103.14.28.2:63935 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Apr 27 11:02:42 2015 103.14.28.2:63935 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Apr 27 11:02:42 2015 103.14.28.2:63935 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Mon Apr 27 11:02:42 2015 103.14.28.2:63935 [spare5] Peer Connection Initiated with [AF_INET]103.14.28.2:63935
Mon Apr 27 11:02:42 2015 spare5/103.14.28.2:63935 MULTI_sva: pool returned IPv4=10.0.254.46, IPv6=(Not enabled)
Mon Apr 27 11:02:42 2015 spare5/103.14.28.2:63935 MULTI: Learn: 10.0.254.46 -> spare5/103.14.28.2:63935
Mon Apr 27 11:02:42 2015 spare5/103.14.28.2:63935 MULTI: primary virtual IP for spare5/103.14.28.2:63935: 10.0.254.46
Mon Apr 27 11:02:46 2015 spare5/103.14.28.2:63935 PUSH: Received control message: 'PUSH_REQUEST'
Mon Apr 27 11:02:46 2015 spare5/103.14.28.2:63935 send_push_reply(): safe_cap=940
Mon Apr 27 11:02:46 2015 spare5/103.14.28.2:63935 SENT CONTROL [spare5]: 'PUSH_REPLY,route 10.0.0.0 255.255.0.0,route 10.0.254.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.0.254.46 10.0.254.45' (status=1)
Mon Apr 27 11:32:52 2015 alwin/103.14.28.2:41675 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #218152 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Mon Apr 27 11:32:52 2015 alwin/103.14.28.2:41675 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #218153 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Mon Apr 27 11:49:47 2015 alwin/103.14.28.2:41675 TLS: soft reset sec=0 bytes=581407423/0 pkts=720304/0
Mon Apr 27 11:49:47 2015 alwin/103.14.28.2:41675 VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=changeme, CN=changeme, name=changeme, emailAddress=mail@host.domain
Mon Apr 27 11:49:47 2015 alwin/103.14.28.2:41675 VERIFY OK: depth=0, C=MY, ST=SGr, L=PJ, O=Tunelabs, OU=Technical, CN=alwin, name=alwin, emailAddress=admin@tunelabs.asia
Mon Apr 27 11:49:47 2015 alwin/103.14.28.2:41675 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Apr 27 11:49:47 2015 alwin/103.14.28.2:41675 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Apr 27 11:49:47 2015 alwin/103.14.28.2:41675 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Apr 27 11:49:47 2015 alwin/103.14.28.2:41675 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Apr 27 11:49:47 2015 alwin/103.14.28.2:41675 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Mon Apr 27 11:50:01 2015 nazar/103.14.28.2:3093 TLS: tls_process: killed expiring key
Mon Apr 27 11:50:02 2015 nazar/103.14.28.2:3093 VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=changeme, CN=changeme, name=changeme, emailAddress=mail@host.domain
Mon Apr 27 11:50:02 2015 nazar/103.14.28.2:3093 VERIFY OK: depth=0, C=MY, ST=SGR, L=PJ, O=Tunelabs, OU=Technical, CN=nazar, name=nazar, emailAddress=mail@host.domain
Mon Apr 27 11:50:02 2015 nazar/103.14.28.2:3093 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Apr 27 11:50:02 2015 nazar/103.14.28.2:3093 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Apr 27 11:50:02 2015 nazar/103.14.28.2:3093 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Apr 27 11:50:02 2015 nazar/103.14.28.2:3093 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Apr 27 11:50:02 2015 nazar/103.14.28.2:3093 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Mon Apr 27 12:02:42 2015 spare5/103.14.28.2:63935 TLS: soft reset sec=0 bytes=218996507/0 pkts=325110/0
Mon Apr 27 12:02:42 2015 spare5/103.14.28.2:63935 VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=changeme, CN=changeme, name=changeme, emailAddress=mail@host.domain
Mon Apr 27 12:02:42 2015 spare5/103.14.28.2:63935 VERIFY OK: depth=0, C=MY, ST=SGR, L=PJ, O=Tunelabs, OU=Technical, CN=spare5, name=spare5, emailAddress=mail@host.domain
Mon Apr 27 12:02:42 2015 spare5/103.14.28.2:63935 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Apr 27 12:02:42 2015 spare5/103.14.28.2:63935 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Apr 27 12:02:42 2015 spare5/103.14.28.2:63935 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Apr 27 12:02:42 2015 spare5/103.14.28.2:63935 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Apr 27 12:02:42 2015 spare5/103.14.28.2:63935 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Mon Apr 27 12:30:58 2015 alwin/103.14.28.2:41675 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #927111 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Mon Apr 27 12:30:58 2015 alwin/103.14.28.2:41675 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #927112 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Mon Apr 27 12:39:19 2015 spare5/103.14.28.2:63935 [spare5] Inactivity timeout (--ping-restart), restarting
Mon Apr 27 12:39:19 2015 spare5/103.14.28.2:63935 SIGUSR1[soft,ping-restart] received, client-instance restarting
Mon Apr 27 12:49:47 2015 alwin/103.14.28.2:41675 TLS: soft reset sec=0 bytes=4402757682/0 pkts=4568570/0
Mon Apr 27 12:49:47 2015 alwin/103.14.28.2:41675 VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=changeme, CN=changeme, name=changeme, emailAddress=mail@host.domain
Mon Apr 27 12:49:47 2015 alwin/103.14.28.2:41675 VERIFY OK: depth=0, C=MY, ST=SGr, L=PJ, O=Tunelabs, OU=Technical, CN=alwin, name=alwin, emailAddress=admin@tunelabs.asia
Mon Apr 27 12:49:47 2015 alwin/103.14.28.2:41675 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Apr 27 12:49:47 2015 alwin/103.14.28.2:41675 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Apr 27 12:49:47 2015 alwin/103.14.28.2:41675 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Apr 27 12:49:47 2015 alwin/103.14.28.2:41675 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Apr 27 12:49:47 2015 alwin/103.14.28.2:41675 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Mon Apr 27 12:50:01 2015 nazar/103.14.28.2:3093 TLS: tls_process: killed expiring key
Mon Apr 27 12:50:02 2015 nazar/103.14.28.2:3093 VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=changeme, CN=changeme, name=changeme, emailAddress=mail@host.domain
Mon Apr 27 12:50:02 2015 nazar/103.14.28.2:3093 VERIFY OK: depth=0, C=MY, ST=SGR, L=PJ, O=Tunelabs, OU=Technical, CN=nazar, name=nazar, emailAddress=mail@host.domain
Mon Apr 27 12:50:02 2015 nazar/103.14.28.2:3093 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Apr 27 12:50:02 2015 nazar/103.14.28.2:3093 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Apr 27 12:50:02 2015 nazar/103.14.28.2:3093 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Apr 27 12:50:02 2015 nazar/103.14.28.2:3093 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Apr 27 12:50:02 2015 nazar/103.14.28.2:3093 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Mon Apr 27 13:49:47 2015 alwin/103.14.28.2:41675 TLS: soft reset sec=0 bytes=40828737/0 pkts=111277/0
Mon Apr 27 13:50:01 2015 nazar/103.14.28.2:3093 TLS: tls_process: killed expiring key
Mon Apr 27 13:50:02 2015 nazar/103.14.28.2:3093 TLS: soft reset sec=0 bytes=10189810/0 pkts=33311/0
Mon Apr 27 13:50:47 2015 alwin/103.14.28.2:41675 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Apr 27 13:50:47 2015 alwin/103.14.28.2:41675 TLS Error: TLS handshake failed
Mon Apr 27 13:50:47 2015 alwin/103.14.28.2:41675 TLS: move_session: dest=TM_LAME_DUCK src=TM_ACTIVE reinit_src=1
Mon Apr 27 13:51:02 2015 alwin/103.14.28.2:41675 TLS: Initial packet from [AF_INET]103.14.28.2:41675, sid=516127d0 581dab17
Mon Apr 27 13:51:02 2015 nazar/103.14.28.2:3093 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Apr 27 13:51:02 2015 nazar/103.14.28.2:3093 TLS Error: TLS handshake failed
Mon Apr 27 13:51:02 2015 nazar/103.14.28.2:3093 TLS: move_session: dest=TM_LAME_DUCK src=TM_ACTIVE reinit_src=1
Mon Apr 27 13:51:16 2015 nazar/103.14.28.2:3093 TLS: Initial packet from [AF_INET]103.14.28.2:3093, sid=021edf95 1a4531bd
Mon Apr 27 13:52:02 2015 alwin/103.14.28.2:41675 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Apr 27 13:52:02 2015 alwin/103.14.28.2:41675 TLS Error: TLS handshake failed
Mon Apr 27 13:52:16 2015 nazar/103.14.28.2:3093 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Apr 27 13:52:16 2015 nazar/103.14.28.2:3093 TLS Error: TLS handshake failed
Mon Apr 27 13:52:17 2015 alwin/103.14.28.2:41675 TLS: Initial packet from [AF_INET]103.14.28.2:41675, sid=05ade881 71861201
Mon Apr 27 13:52:31 2015 nazar/103.14.28.2:3093 TLS: Initial packet from [AF_INET]103.14.28.2:3093, sid=931f9e52 3130f58f
Mon Apr 27 13:53:17 2015 alwin/103.14.28.2:41675 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Apr 27 13:53:17 2015 alwin/103.14.28.2:41675 TLS Error: TLS handshake failed
Mon Apr 27 13:53:31 2015 nazar/103.14.28.2:3093 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Apr 27 13:53:31 2015 nazar/103.14.28.2:3093 TLS Error: TLS handshake failed
Mon Apr 27 13:53:32 2015 alwin/103.14.28.2:41675 TLS: Initial packet from [AF_INET]103.14.28.2:41675, sid=0ef9e298 e8185ae5
Mon Apr 27 13:53:45 2015 nazar/103.14.28.2:3093 TLS: Initial packet from [AF_INET]103.14.28.2:3093, sid=7342e271 14b0201f
Mon Apr 27 13:54:31 2015 nazar/103.14.28.2:3093 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Apr 27 13:54:31 2015 nazar/103.14.28.2:3093 TLS Error: TLS handshake failed
Mon Apr 27 13:54:32 2015 alwin/103.14.28.2:41675 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Apr 27 13:54:32 2015 alwin/103.14.28.2:41675 TLS Error: TLS handshake failed
Mon Apr 27 13:54:46 2015 nazar/103.14.28.2:3093 TLS: Initial packet from [AF_INET]103.14.28.2:3093, sid=ec8336f6 a46f8aa5
Mon Apr 27 13:54:46 2015 alwin/103.14.28.2:41675 TLS: Initial packet from [AF_INET]103.14.28.2:41675, sid=201ee779 77d0f12a
Mon Apr 27 13:55:46 2015 nazar/103.14.28.2:3093 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Apr 27 13:55:46 2015 nazar/103.14.28.2:3093 TLS Error: TLS handshake failed
Mon Apr 27 13:55:46 2015 alwin/103.14.28.2:41675 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Apr 27 13:55:46 2015 alwin/103.14.28.2:41675 TLS Error: TLS handshake failed
Mon Apr 27 13:56:00 2015 nazar/103.14.28.2:3093 TLS: Initial packet from [AF_INET]103.14.28.2:3093, sid=290410e0 b6ecc7a4
Mon Apr 27 13:56:01 2015 alwin/103.14.28.2:41675 TLS: Initial packet from [AF_INET]103.14.28.2:41675, sid=23ac61b9 cb1f9797
Mon Apr 27 13:57:00 2015 nazar/103.14.28.2:3093 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Apr 27 13:57:00 2015 nazar/103.14.28.2:3093 TLS Error: TLS handshake failed
Mon Apr 27 13:57:01 2015 alwin/103.14.28.2:41675 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Apr 27 13:57:01 2015 alwin/103.14.28.2:41675 TLS Error: TLS handshake failed
Mon Apr 27 13:57:45 2015 nazar/103.14.28.2:3093 TLS Error: Unroutable control packet received from [AF_INET]103.14.28.2:3093 (si=3 op=P_ACK_V1)
Mon Apr 27 13:57:46 2015 alwin/103.14.28.2:41675 TLS: Initial packet from [AF_INET]103.14.28.2:41675, sid=9ee2d142 548ed13a
Mon Apr 27 13:57:46 2015 alwin/103.14.28.2:41675 VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=changeme, CN=changeme, name=changeme, emailAddress=mail@host.domain
Mon Apr 27 13:57:46 2015 alwin/103.14.28.2:41675 VERIFY OK: depth=0, C=MY, ST=SGr, L=PJ, O=Tunelabs, OU=Technical, CN=alwin, name=alwin, emailAddress=admin@tunelabs.asia
Mon Apr 27 13:57:46 2015 alwin/103.14.28.2:41675 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Apr 27 13:57:46 2015 alwin/103.14.28.2:41675 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Apr 27 13:57:46 2015 alwin/103.14.28.2:41675 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Apr 27 13:57:46 2015 alwin/103.14.28.2:41675 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Apr 27 13:57:46 2015 alwin/103.14.28.2:41675 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Mon Apr 27 13:58:15 2015 nazar/103.14.28.2:3093 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Apr 27 13:58:15 2015 nazar/103.14.28.2:3093 TLS Error: TLS handshake failed
Mon Apr 27 13:58:30 2015 nazar/103.14.28.2:3093 TLS: Initial packet from [AF_INET]103.14.28.2:3093, sid=8524ea09 3b6c59df
Mon Apr 27 13:58:35 2015 nazar/103.14.28.2:3093 VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=changeme, CN=changeme, name=changeme, emailAddress=mail@host.domain
Mon Apr 27 13:58:35 2015 nazar/103.14.28.2:3093 VERIFY OK: depth=0, C=MY, ST=SGR, L=PJ, O=Tunelabs, OU=Technical, CN=nazar, name=nazar, emailAddress=mail@host.domain
Mon Apr 27 13:58:35 2015 nazar/103.14.28.2:3093 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Apr 27 13:58:35 2015 nazar/103.14.28.2:3093 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Apr 27 13:58:35 2015 nazar/103.14.28.2:3093 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Apr 27 13:58:35 2015 nazar/103.14.28.2:3093 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Apr 27 13:58:35 2015 nazar/103.14.28.2:3093 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Mon Apr 27 14:09:52 2015 103.14.28.2:5494 TLS: Initial packet from [AF_INET]103.14.28.2:5494, sid=c3f90af0 3bf3308f
Mon Apr 27 14:09:52 2015 103.14.28.2:5494 VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=changeme, CN=changeme, name=changeme, emailAddress=mail@host.domain
Mon Apr 27 14:09:52 2015 103.14.28.2:5494 VERIFY OK: depth=0, C=MY, ST=SGR, L=PJ, O=Tunelabs, OU=Technical, CN=spare5, name=spare5, emailAddress=mail@host.domain
Mon Apr 27 14:09:52 2015 103.14.28.2:5494 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Apr 27 14:09:52 2015 103.14.28.2:5494 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Apr 27 14:09:52 2015 103.14.28.2:5494 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Apr 27 14:09:52 2015 103.14.28.2:5494 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Apr 27 14:09:52 2015 103.14.28.2:5494 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Mon Apr 27 14:09:52 2015 103.14.28.2:5494 [spare5] Peer Connection Initiated with [AF_INET]103.14.28.2:5494
Mon Apr 27 14:09:52 2015 spare5/103.14.28.2:5494 MULTI_sva: pool returned IPv4=10.0.254.46, IPv6=(Not enabled)
Mon Apr 27 14:09:52 2015 spare5/103.14.28.2:5494 MULTI: Learn: 10.0.254.46 -> spare5/103.14.28.2:5494
Mon Apr 27 14:09:52 2015 spare5/103.14.28.2:5494 MULTI: primary virtual IP for spare5/103.14.28.2:5494: 10.0.254.46
Mon Apr 27 14:09:55 2015 spare5/103.14.28.2:5494 PUSH: Received control message: 'PUSH_REQUEST'
Mon Apr 27 14:09:55 2015 spare5/103.14.28.2:5494 send_push_reply(): safe_cap=940
Mon Apr 27 14:09:55 2015 spare5/103.14.28.2:5494 SENT CONTROL [spare5]: 'PUSH_REPLY,route 10.0.0.0 255.255.0.0,route 10.0.254.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.0.254.46 10.0.254.45' (status=1)
Mon Apr 27 14:17:04 2015 alwin/103.14.28.2:41675 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #477291 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Mon Apr 27 14:17:04 2015 alwin/103.14.28.2:41675 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #477292 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Mon Apr 27 14:17:04 2015 alwin/103.14.28.2:41675 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #477291 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Mon Apr 27 14:17:04 2015 alwin/103.14.28.2:41675 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #477292 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Mon Apr 27 14:22:50 2015 alwin/103.14.28.2:41675 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #885197 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Mon Apr 27 14:22:50 2015 alwin/103.14.28.2:41675 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #885198 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings
Mon Apr 27 14:49:47 2015 alwin/103.14.28.2:41675 TLS: tls_multi_process: killed expiring key
Mon Apr 27 14:50:02 2015 nazar/103.14.28.2:3093 TLS: tls_multi_process: killed expiring key
Mon Apr 27 14:57:46 2015 alwin/103.14.28.2:41675 TLS: soft reset sec=0 bytes=2433213169/0 pkts=2640294/0
Mon Apr 27 14:57:46 2015 alwin/103.14.28.2:41675 VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=changeme, CN=changeme, name=changeme, emailAddress=mail@host.domain
Mon Apr 27 14:57:46 2015 alwin/103.14.28.2:41675 VERIFY OK: depth=0, C=MY, ST=SGr, L=PJ, O=Tunelabs, OU=Technical, CN=alwin, name=alwin, emailAddress=admin@tunelabs.asia
Mon Apr 27 14:57:46 2015 alwin/103.14.28.2:41675 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Apr 27 14:57:46 2015 alwin/103.14.28.2:41675 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Apr 27 14:57:46 2015 alwin/103.14.28.2:41675 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Apr 27 14:57:46 2015 alwin/103.14.28.2:41675 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Apr 27 14:57:46 2015 alwin/103.14.28.2:41675 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Mon Apr 27 14:58:35 2015 nazar/103.14.28.2:3093 TLS: soft reset sec=0 bytes=216166488/0 pkts=257603/0
Mon Apr 27 14:58:35 2015 nazar/103.14.28.2:3093 VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=changeme, CN=changeme, name=changeme, emailAddress=mail@host.domain
Mon Apr 27 14:58:35 2015 nazar/103.14.28.2:3093 VERIFY OK: depth=0, C=MY, ST=SGR, L=PJ, O=Tunelabs, OU=Technical, CN=nazar, name=nazar, emailAddress=mail@host.domain
Mon Apr 27 14:58:35 2015 nazar/103.14.28.2:3093 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Apr 27 14:58:35 2015 nazar/103.14.28.2:3093 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Apr 27 14:58:35 2015 nazar/103.14.28.2:3093 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Apr 27 14:58:35 2015 nazar/103.14.28.2:3093 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Apr 27 14:58:35 2015 nazar/103.14.28.2:3093 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Mon Apr 27 15:09:52 2015 spare5/103.14.28.2:5494 TLS: soft reset sec=0 bytes=122991523/0 pkts=215815/0
Mon Apr 27 15:09:52 2015 spare5/103.14.28.2:5494 VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=changeme, CN=changeme, name=changeme, emailAddress=mail@host.domain
Mon Apr 27 15:09:52 2015 spare5/103.14.28.2:5494 VERIFY OK: depth=0, C=MY, ST=SGR, L=PJ, O=Tunelabs, OU=Technical, CN=spare5, name=spare5, emailAddress=mail@host.domain
:
Mon Apr 27 15:09:52 2015 spare5/103.14.28.2:5494 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Apr 27 15:09:52 2015 spare5/103.14.28.2:5494 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Apr 27 15:09:52 2015 spare5/103.14.28.2:5494 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Apr 27 15:09:52 2015 spare5/103.14.28.2:5494 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Apr 27 15:09:52 2015 spare5/103.14.28.2:5494 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Mon Apr 27 15:16:57 2015 103.14.28.2:21351 TLS: Initial packet from [AF_INET]103.14.28.2:21351, sid=4e110cb9 c3b834aa
Mon Apr 27 15:16:57 2015 103.14.28.2:21351 VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=changeme, CN=changeme, name=changeme, emailAddress=mail@host.domain
Mon Apr 27 15:16:57 2015 103.14.28.2:21351 VERIFY OK: depth=0, C=MY, ST=SGR, L=PJ, O=Tunelabs, OU=changeme, CN=spare1, name=changeme, emailAddress=mail@host.domain
Mon Apr 27 15:16:57 2015 103.14.28.2:21351 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Apr 27 15:16:57 2015 103.14.28.2:21351 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Apr 27 15:16:57 2015 103.14.28.2:21351 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Apr 27 15:16:57 2015 103.14.28.2:21351 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Apr 27 15:16:57 2015 103.14.28.2:21351 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Mon Apr 27 15:16:57 2015 103.14.28.2:21351 [spare1] Peer Connection Initiated with [AF_INET]103.14.28.2:21351
Mon Apr 27 15:16:57 2015 spare1/103.14.28.2:21351 MULTI_sva: pool returned IPv4=10.0.254.58, IPv6=(Not enabled)
Mon Apr 27 15:16:57 2015 spare1/103.14.28.2:21351 MULTI: Learn: 10.0.254.58 -> spare1/103.14.28.2:21351
Mon Apr 27 15:16:57 2015 spare1/103.14.28.2:21351 MULTI: primary virtual IP for spare1/103.14.28.2:21351: 10.0.254.58
Mon Apr 27 15:16:59 2015 spare1/103.14.28.2:21351 PUSH: Received control message: 'PUSH_REQUEST'
Mon Apr 27 15:16:59 2015 spare1/103.14.28.2:21351 send_push_reply(): safe_cap=940
Mon Apr 27 15:16:59 2015 spare1/103.14.28.2:21351 SENT CONTROL [spare1]: 'PUSH_REPLY,route 10.0.0.0 255.255.0.0,route 10.0.254.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.0.254.58 10.0.254.57' (status=1)
Mon Apr 27 15:30:14 2015 103.14.28.2:54131 TLS: Initial packet from [AF_INET]103.14.28.2:54131, sid=d1b64897 6be7711c
Mon Apr 27 15:30:58 2015 103.14.28.2:54131 VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=changeme, CN=changeme, name=changeme, emailAddress=mail@host.domain
Mon Apr 27 15:30:58 2015 103.14.28.2:54131 VERIFY OK: depth=0, C=MY, ST=SGR, L=PJ, O=Tunelabs, OU=changeme, CN=spare1, name=changeme, emailAddress=mail@host.domain
Mon Apr 27 15:30:58 2015 103.14.28.2:54131 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Apr 27 15:30:58 2015 103.14.28.2:54131 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Apr 27 15:30:58 2015 103.14.28.2:54131 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Mon Apr 27 15:30:58 2015 103.14.28.2:54131 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Apr 27 15:30:58 2015 103.14.28.2:54131 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Mon Apr 27 15:30:58 2015 103.14.28.2:54131 [spare1] Peer Connection Initiated with [AF_INET]103.14.28.2:54131
Mon Apr 27 15:30:58 2015 MULTI: new connection by client 'spare1' will cause previous active sessions by this client to be dropped.  Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
:

Re: Problem with Open VPN

Posted: Sat May 02, 2015 2:03 pm
by maikcat
please post the part of log with the 2 problematic connections,

or write which certs cause the problem.

also can you disable this directive from your server:

Code: Select all

ifconfig-pool-persist ipp.txt

Michael.

Re: Problem with Open VPN

Posted: Tue May 05, 2015 4:35 am
by aigini82
I am not sure how to spot the problematic connection from the logs.
Is it something like the highlighted line (bold) below :

Code: Select all

Tue May  5 12:29:25 2015 103.14.28.2:47729 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Tue May  5 12:29:25 2015 103.14.28.2:47729 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue May  5 12:29:25 2015 103.14.28.2:47729 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Tue May  5 12:29:25 2015 103.14.28.2:47729 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue May  5 12:29:25 2015 103.14.28.2:47729 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Tue May  5 12:29:25 2015 103.14.28.2:47729 [spare2] Peer Connection Initiated with [AF_INET]103.14.28.2:47729
[b]Tue May  5 12:29:25 2015 MULTI: new connection by client 'spare2' will cause previous active sessions by this client to be dropped.  Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.[/b]
Tue May  5 12:29:25 2015 MULTI_sva: pool returned IPv4=10.0.254.62, IPv6=(Not enabled)
Tue May  5 12:29:25 2015 MULTI: Learn: 10.0.254.62 -> spare2/103.14.28.2:47729
Tue May  5 12:29:25 2015 MULTI: primary virtual IP for spare2/103.14.28.2:47729: 10.0.254.62

I do not understand how the log shows spare2, when I do not find any key named spare2 in the location where all keys are stored, i.e.:

Code: Select all

/etc/openvpn/2.0/keys

Also, when you ask about the problematic certs, does this mean each of our certs, i.e my colleagues' and mine, or the general cert mentioned in the server.conf file?

I don't think I can disable the directive :

Code: Select all

ifconfig-pool-persist ipp.txt

because then the office management would question this.
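
One way to spot the problematic connections in openvpn.log, as an added example that is not part of the original post: the script below groups "Peer Connection Initiated" lines by certificate CN and lists every CN for which the server logged the "will cause previous active sessions ... to be dropped" message. The sample log is constructed in the format of the excerpts in this thread; the addresses and the name `alice` are made up.

```python
import re
from collections import defaultdict

TS = r"\w{3} \w{3} +\d+ [\d:]{8} \d{4}"   # e.g. "Tue May  5 12:29:25 2015"
# "<ts> <ip:port> [<CN>] Peer Connection Initiated with [AF_INET]<ip:port>"
INIT_RE = re.compile(
    rf"^({TS}) \S+ \[([^\]]+)\] Peer Connection Initiated with \[AF_INET\](\S+)")
# "<ts> MULTI: new connection by client '<CN>' will cause previous active sessions ..."
DROP_RE = re.compile(
    rf"^({TS}) (?:\S+ )?MULTI: new connection by client '([^']+)' will cause previous")

# Constructed sample lines (not taken from a real server).
SAMPLE_LOG = """\
Mon Apr 27 15:16:57 2015 203.0.113.7:21351 [spare1] Peer Connection Initiated with [AF_INET]203.0.113.7:21351
Mon Apr 27 15:20:01 2015 203.0.113.7:40022 [alice] Peer Connection Initiated with [AF_INET]203.0.113.7:40022
Mon Apr 27 15:30:58 2015 203.0.113.7:54131 [spare1] Peer Connection Initiated with [AF_INET]203.0.113.7:54131
Mon Apr 27 15:30:58 2015 MULTI: new connection by client 'spare1' will cause previous active sessions by this client to be dropped.
Mon Apr 27 15:41:12 2015 203.0.113.7:21399 [spare1] Peer Connection Initiated with [AF_INET]203.0.113.7:21399
Mon Apr 27 15:41:12 2015 MULTI: new connection by client 'spare1' will cause previous active sessions by this client to be dropped.
Tue May  5 12:29:25 2015 203.0.113.9:47729 [spare2] Peer Connection Initiated with [AF_INET]203.0.113.9:47729
Tue May  5 12:29:25 2015 MULTI: new connection by client 'spare2' will cause previous active sessions by this client to be dropped.
"""

def find_cn_collisions(log_text):
    """Return {cn: {"drops": [timestamps], "endpoints": [ip:port, ...]}}
    for every CN whose earlier session was dropped by a newer one."""
    endpoints = defaultdict(list)   # CN -> distinct client endpoints seen
    drops = defaultdict(list)       # CN -> timestamps of forced drops
    for line in log_text.splitlines():
        m = INIT_RE.match(line)
        if m:
            _, cn, ep = m.groups()
            if ep not in endpoints[cn]:
                endpoints[cn].append(ep)
            continue
        m = DROP_RE.match(line)
        if m:
            ts, cn = m.groups()
            drops[cn].append(ts)
    return {cn: {"drops": ts_list, "endpoints": endpoints[cn]}
            for cn, ts_list in drops.items()}

if __name__ == "__main__":
    for cn, info in find_cn_collisions(SAMPLE_LOG).items():
        print(f"CN {cn!r}: {len(info['drops'])} forced drop(s), "
              f"{len(info['endpoints'])} distinct client endpoint(s)")
        for ts in info["drops"]:
            print("  previous session dropped at", ts)
```

A single drop can simply be one client reconnecting before its old session timed out; repeated drops for the same CN from several endpoints are what two machines presenting the same certificate name look like.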

Re: Problem with Open VPN

Posted: Tue May 05, 2015 5:43 am
by maikcat
can you check BOTH certificates CN (common name) field and see if they are the same?

Michael.

Re: Problem with Open VPN

Posted: Tue May 05, 2015 8:03 am
by aigini82
Yeap, they are the same. However, even when I changed my cert's CN, this problem still persists.

Re: Problem with Open VPN

Posted: Tue May 05, 2015 10:20 am
by maikcat
curious though, how do you change certs CN field?

Michael.

Re: Problem with Open VPN

Posted: Wed May 06, 2015 2:49 am
by aigini82
vi the cert, and change the CN.

But now, I found the reason why changing the CN did not help. This is because, when we create the cert, a copy of it is created in a database (backend).
Therefore, when we use OpenVPN, I believe it calls the cert from the backend. Therefore, even if we only change the name of the CN in the cert itself, the name in the backend is still the same. This still causes conflict, and therefore we are still not able to use OpenVPN properly.

Thus to resolve this problem, I recreated a new cert with a completely different CN. Now, this issue does not persist.

Re: Problem with Open VPN

Posted: Wed May 06, 2015 4:07 am
by aigini82

Code: Select all

# ./build-key-server elmer
Generating a 2048 bit RSA private key
.....................++++++
.......................................................++++++
writing new private key to 'elmer.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [Acme Acres]:
Organization Name (eg, company) [Acme]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) [elmer]:
Name [Acme-CA]:
Email Address [roadrunner@acmecorp.org]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /root/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'CA'
localityName          :PRINTABLE:'Acme Acres'
organizationName      :PRINTABLE:'Acme'
commonName            :PRINTABLE:'elmer'
name                  :PRINTABLE:'Acme-CA'
emailAddress          :IA5STRING:'roadrunner@acmecorp.org'
Certificate is to be certified until Dec 27 19:11:59 2021 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

The code above shows the final lines that say "DB Updated" after the cert has been created. So where would the db be located?
And is it really true that the cert will be called from the db when we use Open VPN?

I can't think of any other reason than that because when I edited the CN in my existing cert, the issue was still not resolved.

Re: Problem with Open VPN

Posted: Wed May 06, 2015 5:43 am
by maikcat
you simply CAN'T edit a cert using vi...

if you could, then you could also change its validity etc etc

to test this out simply use

Code: Select all

openssl x509 -in yourcert.crt -noout -text

replace yourcert.crt with your cert's name to see their true fields ;)

Michael.

Re: Problem with Open VPN

Posted: Wed May 06, 2015 5:52 am
by aigini82
Is there any other way to edit the cert, so that OpenVPN works after editing it?

Re: Problem with Open VPN

Posted: Wed May 06, 2015 6:05 am
by maikcat
certs are not simple text files so you can't mess with them without breaking them.

also i noticed you used build-key-server script to create the new cert, why is that?

Michael.

Re: Problem with Open VPN

Posted: Wed May 06, 2015 6:34 am
by aigini82
I do not know...that is just part of the step to create the cert.