TLS key negotiation failed on asymmetric routing
Posted: Tue Mar 15, 2011 9:33 am
Hello!
I have an OpenVPN server (OpenVPN 2.1.4 x86_64-redhat-linux-gnu [SSL] [LZO2] [EPOLL] built on Dec 2 2010) on CentOS 5.5. This server is acting as router with multiple external and internal interfaces (vlans).
Problem is when client is trying to connect to this OpenVPN server's IP address with asymmetric routing, for example:
If client specifies server's IP address with the same backwards route - everything's fine.
Client is Tunnelblick 3.1.6 (build 2190.2392) on Mac OS X 10.6 (haven't tested with Windows or Linux, though).
Server's config:
Client's config:
When I connect to the server with asymmetric routing following is being logged on server:
Both server and client have their firewalls disabled for testing purposes.
Any help with the issue will be MUCH appreciated, thank you in advance.
I have an OpenVPN server (OpenVPN 2.1.4 x86_64-redhat-linux-gnu [SSL] [LZO2] [EPOLL] built on Dec 2 2010) on CentOS 5.5. This server is acting as router with multiple external and internal interfaces (vlans).
Problem is when client is trying to connect to this OpenVPN server's IP address with asymmetric routing, for example:
Code: Select all
Route TO server FROM client:
CLIENT - CLIENTS-ISP - ISP1 - ISP2 - SERVER
Route FROM server TO client:
SERVER - ISP3 - ISP1 - CLIENTS-ISP - CLIENT
Client is Tunnelblick 3.1.6 (build 2190.2392) on Mac OS X 10.6 (haven't tested with Windows or Linux, though).
Server's config:
Code: Select all
port 1194
proto udp
dev tun
ca keys/ca.crt
cert keys/intranet.crt
key keys/intranet.key
dh keys/dh1024.pem
server 10.8.21.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 10.1.1.0 255.255.255.0"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DOMAIN domain.com"
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
Code: Select all
client
dev tun
proto udp
remote SERVER_IP 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
comp-lzo
verb 3
Code: Select all
Mar 15 11:02:59 gw01 openvpn[13759]: CLIENT_IP:53549 Re-using SSL/TLS context
Mar 15 11:02:59 gw01 openvpn[13759]: CLIENT_IP:53549 LZO compression initialized
Mar 15 11:02:59 gw01 openvpn[13759]: CLIENT_IP:53549 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Mar 15 11:02:59 gw01 openvpn[13759]: CLIENT_IP:53549 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Mar 15 11:02:59 gw01 openvpn[13759]: CLIENT_IP:53549 Local Options hash (VER=V4): '530fdded'
Mar 15 11:02:59 gw01 openvpn[13759]: CLIENT_IP:53549 Expected Remote Options hash (VER=V4): '41690919'
Mar 15 11:02:59 gw01 openvpn[13759]: CLIENT_IP:53549 TLS: Initial packet from CLIENT_IP:53549, sid=f57438df d995c11e
Mar 15 11:03:59 gw01 openvpn[13759]: CLIENT_IP:53549 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mar 15 11:03:59 gw01 openvpn[13759]: CLIENT_IP:53549 TLS Error: TLS handshake failed
Mar 15 11:03:59 gw01 openvpn[13759]: CLIENT_IP:53549 SIGUSR1[soft,tls-error] received, client-instance restarting
Any help with the issue will be MUCH appreciated, thank you in advance.