 Post subject: Ethernet-Tunnel – VERIFY ERROR: depth=0, error=unsupported..
Posted: 30.12.2014 08:00
Ethernet-Tunnel – VERIFY ERROR: depth=0, error=unsupported certificate purpose: C=...

Hello!

I want to set up an Ethernet tunnel between mobile computers (notebooks) and the local network. The whole thing is to be secured with certificates and run on Windows 8.1 64-bit.

  • On the OpenVPN server, a bridge was created between the TAP adapter and the Ethernet adapter. It has been assigned a fixed IP address, a default gateway and a DNS server. The OpenVPN server is reachable in the LAN under that address and can also reach the Internet.
  • The router in the LAN (Fritz!Box 7490) has a port forwarding to the OpenVPN server for both UDP and TCP.
  • The firewalls (on the OpenVPN server and on the test client) were disabled as a precaution for the tests. On both machines this is the Windows Firewall.
  • easy-rsa is installed and configured. The certificates were created with it:
    • One line of the file openssl-1.0.0.cnf was changed for security reasons:
      Code:
      From
      default_md = md5
      to
      default_md = sha512
    • vars.bat was adjusted (among other things "set KEY_SIZE=2048").
    • Opened a command prompt.
    • Ran vars.bat.
    • Ran clean-all.bat.
    • Created the root certificate with build-ca.bat.
    • Created the Diffie-Hellman parameters for the key exchange with build-dh.bat.
    • Created the server certificate with build-key-server.bat.
    • Created the client certificate with build-key.bat.
    • Bundled the certificates with build-key-pkcs12.bat.
    • All certificates have different CNs.
    • Distributed the certificates: the server certificate on the OpenVPN server and the client certificate on a notebook.
  • Created the configuration files:
    Server:
    Code:
    #
    # All Ethernet traffic is to flow through the tunnel.

    # OpenVPN should change into the configuration directory.
    cd "C:/Program Files/OpenVPN/config/"

    # Device for the tunnel
    dev tap0

    # Port and protocol
    port 1194
    proto udp

    # Packet sizes
    tun-mtu 1500
    fragment 1300
    mssfix

    # Server
    # 192.168.70.180 to 192.168.70.199 are excluded from DHCP.
    mode server
    server-bridge 192.168.70.205 255.255.255.0 192.168.70.180 192.168.70.199

    # Participants of a virtual network should see each other.
    client-to-client

    connect-freq 1 sec
    keepalive 10 120
    persist-key
    persist-tun

    # Assign the client a new route and a new gateway.
    push "route 192.168.70.0 255.255.255.0"
    push "redirect-gateway def1 local"

    # Remember IPs.
    ifconfig-pool-persist ipp.txt

    # Auth server
    tls-server
    crl-verify crls/crl.pem

    # Certificate
    pkcs12 certs/server.p12

    # Diffie-Hellman parameters
    dh dh2048.pem

    # Enable compression.
    comp-lzo yes

    # Debug level
    verb 5


    Client:
    Code:
    #
    # All Ethernet traffic is to flow through the tunnel.
    #

    # OpenVPN should change into the configuration directory.
    cd "C:/Program Files/OpenVPN/config/"

    # IP of the gateway (OpenVPN server)
    # remote aaa.bbb.ccc.ddd
    remote sub.example.tld    # Resolves correctly to aaa.bbb.ccc.ddd.

    # Device for the tunnel
    dev tap0

    # Port and protocol
    port 1194
    proto udp

    # Packet sizes
    tun-mtu 1500
    fragment 1300
    mssfix

    # Auth client
    tls-client
    pull

    # Certificate
    # ca ca.crt
    # cert client1.crt
    # key client1.key
    pkcs12 certs/client1.p12

    # Enable compression.
    comp-lzo yes

    # Debug level
    verb 3
The server starts without problems and happily waits for a connection. Now I start the test client: the server notices that, but then an error occurs on the client side. Here are the logs (addresses obscured, since some of them are static and I don't know whether I'm allowed to publish them):

Server (www.xxx.yyy.zzz is the public address at the client's router):
Code:
Tue Dec 30 08:25:42 2014 us=198766 Current Parameter Settings:
Tue Dec 30 08:25:42 2014 us=198766   config = 'ethernet.ovpn'
Tue Dec 30 08:25:42 2014 us=198766   mode = 1
Tue Dec 30 08:25:42 2014 us=198766   show_ciphers = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   show_digests = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   show_engines = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   genkey = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   key_pass_file = '[UNDEF]'
Tue Dec 30 08:25:42 2014 us=198766   show_tls_ciphers = DISABLED
Tue Dec 30 08:25:42 2014 us=198766 Connection profiles [default]:
Tue Dec 30 08:25:42 2014 us=198766   proto = udp
Tue Dec 30 08:25:42 2014 us=198766   local = '[UNDEF]'
Tue Dec 30 08:25:42 2014 us=198766   local_port = 1194
Tue Dec 30 08:25:42 2014 us=198766   remote = '[UNDEF]'
Tue Dec 30 08:25:42 2014 us=198766   remote_port = 1194
Tue Dec 30 08:25:42 2014 us=198766   remote_float = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   bind_defined = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   bind_local = ENABLED
Tue Dec 30 08:25:42 2014 us=198766   connect_retry_seconds = 5
Tue Dec 30 08:25:42 2014 us=198766   connect_timeout = 10
Tue Dec 30 08:25:42 2014 us=198766   connect_retry_max = 0
Tue Dec 30 08:25:42 2014 us=198766   socks_proxy_server = '[UNDEF]'
Tue Dec 30 08:25:42 2014 us=198766   socks_proxy_port = 0
Tue Dec 30 08:25:42 2014 us=198766   socks_proxy_retry = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   tun_mtu = 1500
Tue Dec 30 08:25:42 2014 us=198766   tun_mtu_defined = ENABLED
Tue Dec 30 08:25:42 2014 us=198766   link_mtu = 1500
Tue Dec 30 08:25:42 2014 us=198766   link_mtu_defined = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   tun_mtu_extra = 32
Tue Dec 30 08:25:42 2014 us=198766   tun_mtu_extra_defined = ENABLED
Tue Dec 30 08:25:42 2014 us=198766   mtu_discover_type = -1
Tue Dec 30 08:25:42 2014 us=198766   fragment = 1300
Tue Dec 30 08:25:42 2014 us=198766   mssfix = 1300
Tue Dec 30 08:25:42 2014 us=198766   explicit_exit_notification = 0
Tue Dec 30 08:25:42 2014 us=198766 Connection profiles END
Tue Dec 30 08:25:42 2014 us=198766   remote_random = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   ipchange = '[UNDEF]'
Tue Dec 30 08:25:42 2014 us=198766   dev = 'tap0'
Tue Dec 30 08:25:42 2014 us=198766   dev_type = '[UNDEF]'
Tue Dec 30 08:25:42 2014 us=198766   dev_node = '[UNDEF]'
Tue Dec 30 08:25:42 2014 us=198766   lladdr = '[UNDEF]'
Tue Dec 30 08:25:42 2014 us=198766   topology = 1
Tue Dec 30 08:25:42 2014 us=198766   tun_ipv6 = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   ifconfig_local = '[UNDEF]'
Tue Dec 30 08:25:42 2014 us=198766   ifconfig_remote_netmask = '[UNDEF]'
Tue Dec 30 08:25:42 2014 us=198766   ifconfig_noexec = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   ifconfig_nowarn = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   ifconfig_ipv6_local = '[UNDEF]'
Tue Dec 30 08:25:42 2014 us=198766   ifconfig_ipv6_netbits = 0
Tue Dec 30 08:25:42 2014 us=198766   ifconfig_ipv6_remote = '[UNDEF]'
Tue Dec 30 08:25:42 2014 us=198766   shaper = 0
Tue Dec 30 08:25:42 2014 us=198766   mtu_test = 0
Tue Dec 30 08:25:42 2014 us=198766   mlock = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   keepalive_ping = 10
Tue Dec 30 08:25:42 2014 us=198766   keepalive_timeout = 120
Tue Dec 30 08:25:42 2014 us=198766   inactivity_timeout = 0
Tue Dec 30 08:25:42 2014 us=198766   ping_send_timeout = 10
Tue Dec 30 08:25:42 2014 us=198766   ping_rec_timeout = 240
Tue Dec 30 08:25:42 2014 us=198766   ping_rec_timeout_action = 2
Tue Dec 30 08:25:42 2014 us=198766   ping_timer_remote = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   remap_sigusr1 = 0
Tue Dec 30 08:25:42 2014 us=198766   persist_tun = ENABLED
Tue Dec 30 08:25:42 2014 us=198766   persist_local_ip = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   persist_remote_ip = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   persist_key = ENABLED
Tue Dec 30 08:25:42 2014 us=198766   passtos = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   resolve_retry_seconds = 1000000000
Tue Dec 30 08:25:42 2014 us=198766   username = '[UNDEF]'
Tue Dec 30 08:25:42 2014 us=198766   groupname = '[UNDEF]'
Tue Dec 30 08:25:42 2014 us=198766   chroot_dir = '[UNDEF]'
Tue Dec 30 08:25:42 2014 us=198766   cd_dir = 'C:/Program Files/OpenVPN/config/'
Tue Dec 30 08:25:42 2014 us=198766   writepid = '[UNDEF]'
Tue Dec 30 08:25:42 2014 us=198766   up_script = '[UNDEF]'
Tue Dec 30 08:25:42 2014 us=198766   down_script = '[UNDEF]'
Tue Dec 30 08:25:42 2014 us=198766   down_pre = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   up_restart = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   up_delay = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   daemon = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   inetd = 0
Tue Dec 30 08:25:42 2014 us=198766   log = ENABLED
Tue Dec 30 08:25:42 2014 us=198766   suppress_timestamps = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   nice = 0
Tue Dec 30 08:25:42 2014 us=198766   verbosity = 5
Tue Dec 30 08:25:42 2014 us=198766   mute = 0
Tue Dec 30 08:25:42 2014 us=198766   status_file = '[UNDEF]'
Tue Dec 30 08:25:42 2014 us=198766   status_file_version = 1
Tue Dec 30 08:25:42 2014 us=198766   status_file_update_freq = 60
Tue Dec 30 08:25:42 2014 us=198766   occ = ENABLED
Tue Dec 30 08:25:42 2014 us=198766   rcvbuf = 0
Tue Dec 30 08:25:42 2014 us=198766   sndbuf = 0
Tue Dec 30 08:25:42 2014 us=198766   sockflags = 0
Tue Dec 30 08:25:42 2014 us=198766   fast_io = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   lzo = 3
Tue Dec 30 08:25:42 2014 us=198766   route_script = '[UNDEF]'
Tue Dec 30 08:25:42 2014 us=198766   route_default_gateway = '[UNDEF]'
Tue Dec 30 08:25:42 2014 us=198766   route_default_metric = 0
Tue Dec 30 08:25:42 2014 us=198766   route_noexec = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   route_delay = 0
Tue Dec 30 08:25:42 2014 us=198766   route_delay_window = 30
Tue Dec 30 08:25:42 2014 us=198766   route_delay_defined = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   route_nopull = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   route_gateway_via_dhcp = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   max_routes = 100
Tue Dec 30 08:25:42 2014 us=198766   allow_pull_fqdn = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   management_addr = '127.0.0.1'
Tue Dec 30 08:25:42 2014 us=198766   management_port = 25340
Tue Dec 30 08:25:42 2014 us=198766   management_user_pass = 'stdin'
Tue Dec 30 08:25:42 2014 us=198766   management_log_history_cache = 250
Tue Dec 30 08:25:42 2014 us=198766   management_echo_buffer_size = 100
Tue Dec 30 08:25:42 2014 us=198766   management_write_peer_info_file = '[UNDEF]'
Tue Dec 30 08:25:42 2014 us=198766   management_client_user = '[UNDEF]'
Tue Dec 30 08:25:42 2014 us=198766   management_client_group = '[UNDEF]'
Tue Dec 30 08:25:42 2014 us=198766   management_flags = 6
Tue Dec 30 08:25:42 2014 us=198766   shared_secret_file = '[UNDEF]'
Tue Dec 30 08:25:42 2014 us=198766   key_direction = 0
Tue Dec 30 08:25:42 2014 us=198766   ciphername_defined = ENABLED
Tue Dec 30 08:25:42 2014 us=198766   ciphername = 'BF-CBC'
Tue Dec 30 08:25:42 2014 us=198766   authname_defined = ENABLED
Tue Dec 30 08:25:42 2014 us=198766   authname = 'SHA1'
Tue Dec 30 08:25:42 2014 us=198766   prng_hash = 'SHA1'
Tue Dec 30 08:25:42 2014 us=198766   prng_nonce_secret_len = 16
Tue Dec 30 08:25:42 2014 us=198766   keysize = 0
Tue Dec 30 08:25:42 2014 us=198766   engine = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   replay = ENABLED
Tue Dec 30 08:25:42 2014 us=198766   mute_replay_warnings = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   replay_window = 64
Tue Dec 30 08:25:42 2014 us=198766   replay_time = 15
Tue Dec 30 08:25:42 2014 us=198766   packet_id_file = '[UNDEF]'
Tue Dec 30 08:25:42 2014 us=198766   use_iv = ENABLED
Tue Dec 30 08:25:42 2014 us=198766   test_crypto = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   tls_server = ENABLED
Tue Dec 30 08:25:42 2014 us=198766   tls_client = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   key_method = 2
Tue Dec 30 08:25:42 2014 us=198766   ca_file = '[UNDEF]'
Tue Dec 30 08:25:42 2014 us=198766   ca_path = '[UNDEF]'
Tue Dec 30 08:25:42 2014 us=198766   dh_file = 'dh2048.pem'
Tue Dec 30 08:25:42 2014 us=198766   cert_file = '[UNDEF]'
Tue Dec 30 08:25:42 2014 us=198766   priv_key_file = '[UNDEF]'
Tue Dec 30 08:25:42 2014 us=198766   pkcs12_file = 'certs/server.p12'
Tue Dec 30 08:25:42 2014 us=198766   cryptoapi_cert = '[UNDEF]'
Tue Dec 30 08:25:42 2014 us=198766   cipher_list = '[UNDEF]'
Tue Dec 30 08:25:42 2014 us=198766   tls_verify = '[UNDEF]'
Tue Dec 30 08:25:42 2014 us=198766   tls_export_cert = '[UNDEF]'
Tue Dec 30 08:25:42 2014 us=198766   verify_x509_type = 0
Tue Dec 30 08:25:42 2014 us=198766   verify_x509_name = '[UNDEF]'
Tue Dec 30 08:25:42 2014 us=198766   crl_file = 'crls/crl.pem'
Tue Dec 30 08:25:42 2014 us=198766   ns_cert_type = 0
Tue Dec 30 08:25:42 2014 us=198766   remote_cert_ku[i] = 0
Tue Dec 30 08:25:42 2014 us=198766   remote_cert_ku[i] = 0
Tue Dec 30 08:25:42 2014 us=198766   remote_cert_ku[i] = 0
Tue Dec 30 08:25:42 2014 us=198766   remote_cert_ku[i] = 0
Tue Dec 30 08:25:42 2014 us=198766   remote_cert_ku[i] = 0
Tue Dec 30 08:25:42 2014 us=198766   remote_cert_ku[i] = 0
Tue Dec 30 08:25:42 2014 us=198766   remote_cert_ku[i] = 0
Tue Dec 30 08:25:42 2014 us=198766   remote_cert_ku[i] = 0
Tue Dec 30 08:25:42 2014 us=198766   remote_cert_ku[i] = 0
Tue Dec 30 08:25:42 2014 us=198766   remote_cert_ku[i] = 0
Tue Dec 30 08:25:42 2014 us=198766   remote_cert_ku[i] = 0
Tue Dec 30 08:25:42 2014 us=198766   remote_cert_ku[i] = 0
Tue Dec 30 08:25:42 2014 us=198766   remote_cert_ku[i] = 0
Tue Dec 30 08:25:42 2014 us=198766   remote_cert_ku[i] = 0
Tue Dec 30 08:25:42 2014 us=198766   remote_cert_ku[i] = 0
Tue Dec 30 08:25:42 2014 us=198766   remote_cert_ku[i] = 0
Tue Dec 30 08:25:42 2014 us=198766   remote_cert_eku = '[UNDEF]'
Tue Dec 30 08:25:42 2014 us=198766   ssl_flags = 0
Tue Dec 30 08:25:42 2014 us=198766   tls_timeout = 2
Tue Dec 30 08:25:42 2014 us=198766   renegotiate_bytes = 0
Tue Dec 30 08:25:42 2014 us=198766   renegotiate_packets = 0
Tue Dec 30 08:25:42 2014 us=198766   renegotiate_seconds = 3600
Tue Dec 30 08:25:42 2014 us=198766   handshake_window = 60
Tue Dec 30 08:25:42 2014 us=198766   transition_window = 3600
Tue Dec 30 08:25:42 2014 us=198766   single_session = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   push_peer_info = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   tls_exit = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   tls_auth_file = '[UNDEF]'
Tue Dec 30 08:25:42 2014 us=198766   pkcs11_protected_authentication = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   pkcs11_protected_authentication = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   pkcs11_protected_authentication = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   pkcs11_protected_authentication = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   pkcs11_protected_authentication = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   pkcs11_protected_authentication = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   pkcs11_protected_authentication = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   pkcs11_protected_authentication = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   pkcs11_protected_authentication = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   pkcs11_protected_authentication = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   pkcs11_protected_authentication = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   pkcs11_protected_authentication = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   pkcs11_protected_authentication = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   pkcs11_protected_authentication = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   pkcs11_protected_authentication = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   pkcs11_protected_authentication = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   pkcs11_private_mode = 00000000
Tue Dec 30 08:25:42 2014 us=198766   pkcs11_private_mode = 00000000
Tue Dec 30 08:25:42 2014 us=198766   pkcs11_private_mode = 00000000
Tue Dec 30 08:25:42 2014 us=198766   pkcs11_private_mode = 00000000
Tue Dec 30 08:25:42 2014 us=198766   pkcs11_private_mode = 00000000
Tue Dec 30 08:25:42 2014 us=198766   pkcs11_private_mode = 00000000
Tue Dec 30 08:25:42 2014 us=198766   pkcs11_private_mode = 00000000
Tue Dec 30 08:25:42 2014 us=198766   pkcs11_private_mode = 00000000
Tue Dec 30 08:25:42 2014 us=198766   pkcs11_private_mode = 00000000
Tue Dec 30 08:25:42 2014 us=198766   pkcs11_private_mode = 00000000
Tue Dec 30 08:25:42 2014 us=198766   pkcs11_private_mode = 00000000
Tue Dec 30 08:25:42 2014 us=198766   pkcs11_private_mode = 00000000
Tue Dec 30 08:25:42 2014 us=198766   pkcs11_private_mode = 00000000
Tue Dec 30 08:25:42 2014 us=198766   pkcs11_private_mode = 00000000
Tue Dec 30 08:25:42 2014 us=198766   pkcs11_private_mode = 00000000
Tue Dec 30 08:25:42 2014 us=198766   pkcs11_private_mode = 00000000
Tue Dec 30 08:25:42 2014 us=198766   pkcs11_cert_private = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   pkcs11_cert_private = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   pkcs11_cert_private = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   pkcs11_cert_private = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   pkcs11_cert_private = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   pkcs11_cert_private = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   pkcs11_cert_private = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   pkcs11_cert_private = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   pkcs11_cert_private = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   pkcs11_cert_private = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   pkcs11_cert_private = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   pkcs11_cert_private = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   pkcs11_cert_private = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   pkcs11_cert_private = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   pkcs11_cert_private = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   pkcs11_cert_private = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   pkcs11_pin_cache_period = -1
Tue Dec 30 08:25:42 2014 us=198766   pkcs11_id = '[UNDEF]'
Tue Dec 30 08:25:42 2014 us=198766   pkcs11_id_management = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   server_network = 0.0.0.0
Tue Dec 30 08:25:42 2014 us=198766   server_netmask = 0.0.0.0
Tue Dec 30 08:25:42 2014 us=198766   server_network_ipv6 = ::
Tue Dec 30 08:25:42 2014 us=198766   server_netbits_ipv6 = 0
Tue Dec 30 08:25:42 2014 us=198766   server_bridge_ip = 192.168.70.205
Tue Dec 30 08:25:42 2014 us=198766   server_bridge_netmask = 255.255.255.0
Tue Dec 30 08:25:42 2014 us=198766   server_bridge_pool_start = 192.168.70.180
Tue Dec 30 08:25:42 2014 us=198766   server_bridge_pool_end = 192.168.70.199
Tue Dec 30 08:25:42 2014 us=198766   push_entry = 'route 192.168.70.0 255.255.255.0'
Tue Dec 30 08:25:42 2014 us=198766   push_entry = 'redirect-gateway def1 local'
Tue Dec 30 08:25:42 2014 us=198766   push_entry = 'route-gateway 192.168.70.205'
Tue Dec 30 08:25:42 2014 us=198766   push_entry = 'ping 10'
Tue Dec 30 08:25:42 2014 us=198766   push_entry = 'ping-restart 120'
Tue Dec 30 08:25:42 2014 us=198766   ifconfig_pool_defined = ENABLED
Tue Dec 30 08:25:42 2014 us=198766   ifconfig_pool_start = 192.168.70.180
Tue Dec 30 08:25:42 2014 us=198766   ifconfig_pool_end = 192.168.70.199
Tue Dec 30 08:25:42 2014 us=198766   ifconfig_pool_netmask = 255.255.255.0
Tue Dec 30 08:25:42 2014 us=198766   ifconfig_pool_persist_filename = 'ipp.txt'
Tue Dec 30 08:25:42 2014 us=198766   ifconfig_pool_persist_refresh_freq = 600
Tue Dec 30 08:25:42 2014 us=198766   ifconfig_ipv6_pool_defined = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   ifconfig_ipv6_pool_base = ::
Tue Dec 30 08:25:42 2014 us=198766   ifconfig_ipv6_pool_netbits = 0
Tue Dec 30 08:25:42 2014 us=198766   n_bcast_buf = 256
Tue Dec 30 08:25:42 2014 us=198766   tcp_queue_limit = 64
Tue Dec 30 08:25:42 2014 us=198766   real_hash_size = 256
Tue Dec 30 08:25:42 2014 us=198766   virtual_hash_size = 256
Tue Dec 30 08:25:42 2014 us=198766   client_connect_script = '[UNDEF]'
Tue Dec 30 08:25:42 2014 us=198766   learn_address_script = '[UNDEF]'
Tue Dec 30 08:25:42 2014 us=198766   client_disconnect_script = '[UNDEF]'
Tue Dec 30 08:25:42 2014 us=198766   client_config_dir = '[UNDEF]'
Tue Dec 30 08:25:42 2014 us=198766   ccd_exclusive = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   tmp_dir = 'C:\Users\ADMINI~1\AppData\Local\Temp\'
Tue Dec 30 08:25:42 2014 us=198766   push_ifconfig_defined = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   push_ifconfig_local = 0.0.0.0
Tue Dec 30 08:25:42 2014 us=198766   push_ifconfig_remote_netmask = 0.0.0.0
Tue Dec 30 08:25:42 2014 us=198766   push_ifconfig_ipv6_defined = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   push_ifconfig_ipv6_local = ::/0
Tue Dec 30 08:25:42 2014 us=198766   push_ifconfig_ipv6_remote = ::
Tue Dec 30 08:25:42 2014 us=198766   enable_c2c = ENABLED
Tue Dec 30 08:25:42 2014 us=198766   duplicate_cn = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   cf_max = 1
Tue Dec 30 08:25:42 2014 us=198766   cf_per = 0
Tue Dec 30 08:25:42 2014 us=198766   max_clients = 1024
Tue Dec 30 08:25:42 2014 us=198766   max_routes_per_client = 256
Tue Dec 30 08:25:42 2014 us=198766   auth_user_pass_verify_script = '[UNDEF]'
Tue Dec 30 08:25:42 2014 us=198766   auth_user_pass_verify_script_via_file = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   client = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   pull = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   auth_user_pass_file = '[UNDEF]'
Tue Dec 30 08:25:42 2014 us=198766   show_net_up = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   route_method = 0
Tue Dec 30 08:25:42 2014 us=198766   ip_win32_defined = DISABLED
Tue Dec 30 08:25:42 2014 us=198766   ip_win32_type = 3
Tue Dec 30 08:25:42 2014 us=198766   dhcp_masq_offset = 0
Tue Dec 30 08:25:42 2014 us=198766   dhcp_lease_time = 31536000
Tue Dec 30 08:25:42 2014 us=198766   tap_sleep = 10
Tue Dec 30 08:25:42 2014 us=214392   dhcp_options = DISABLED
Tue Dec 30 08:25:42 2014 us=214392   dhcp_renew = DISABLED
Tue Dec 30 08:25:42 2014 us=214392   dhcp_pre_release = DISABLED
Tue Dec 30 08:25:42 2014 us=214392   dhcp_release = DISABLED
Tue Dec 30 08:25:42 2014 us=214392   domain = '[UNDEF]'
Tue Dec 30 08:25:42 2014 us=214392   netbios_scope = '[UNDEF]'
Tue Dec 30 08:25:42 2014 us=214392   netbios_node_type = 0
Tue Dec 30 08:25:42 2014 us=214392   disable_nbt = DISABLED
Tue Dec 30 08:25:42 2014 us=214392 OpenVPN 2.3.4 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Aug  7 2014
Tue Dec 30 08:25:42 2014 us=214392 library versions: OpenSSL 1.0.1i 6 Aug 2014, LZO 2.05
Enter Management Password:
Tue Dec 30 08:25:42 2014 us=214392 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Tue Dec 30 08:25:42 2014 us=214392 Need hold release from management interface, waiting...
Tue Dec 30 08:25:42 2014 us=230016 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Tue Dec 30 08:25:42 2014 us=355033 MANAGEMENT: CMD 'state on'
Tue Dec 30 08:25:42 2014 us=355033 MANAGEMENT: CMD 'log all on'
Tue Dec 30 08:25:42 2014 us=651896 MANAGEMENT: CMD 'hold off'
Tue Dec 30 08:25:42 2014 us=667521 MANAGEMENT: CMD 'hold release'
Tue Dec 30 08:25:42 2014 us=667521 NOTE: when bridging your LAN adapter with the TAP adapter, note that the new bridge adapter will often take on its own IP address that is different from what the LAN adapter was previously set to
Tue Dec 30 08:25:42 2014 us=855021 Diffie-Hellman initialized with 2048 bit key
Tue Dec 30 08:25:42 2014 us=870648 TLS-Auth MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Tue Dec 30 08:25:42 2014 us=870648 Socket Buffers: R=[65536->65536] S=[65536->65536]
Tue Dec 30 08:25:42 2014 us=886272 open_tun, tt->ipv6=0
Tue Dec 30 08:25:42 2014 us=886272 TAP-WIN32 device [OpenVPN-Netzwerkadapter (TAP)] opened: \\.\Global\{B74C9838-2755-4FB1-850D-2DA4C461EF2B}.tap
Tue Dec 30 08:25:42 2014 us=886272 TAP-Windows Driver Version 9.21
Tue Dec 30 08:25:42 2014 us=886272 TAP-Windows MTU=1500
Tue Dec 30 08:25:42 2014 us=901899 Sleeping for 10 seconds...
Tue Dec 30 08:25:52 2014 us=978343 NOTE: FlushIpNetTable failed on interface [9] {B74C9838-2755-4FB1-850D-2DA4C461EF2B} (status=1168) : Element nicht gefunden. 
Tue Dec 30 08:25:52 2014 us=978343 Data Channel MTU parms [ L:1574 D:1300 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Tue Dec 30 08:25:52 2014 us=978343 UDPv4 link local (bound): [undef]
Tue Dec 30 08:25:52 2014 us=993952 UDPv4 link remote: [undef]
Tue Dec 30 08:25:52 2014 us=993952 MULTI: multi_init called, r=256 v=256
Tue Dec 30 08:25:52 2014 us=993952 IFCONFIG POOL: base=192.168.70.180 size=20, ipv6=0
Tue Dec 30 08:25:52 2014 us=993952 IFCONFIG POOL LIST
Tue Dec 30 08:25:52 2014 us=993952 Initialization Sequence Completed
Tue Dec 30 08:25:52 2014 us=993952 MANAGEMENT: >STATE:1419924352,CONNECTED,SUCCESS,,
Tue Dec 30 08:26:56 2014 us=947772 MULTI: multi_create_instance called
Tue Dec 30 08:26:56 2014 us=947772 www.xxx.yyy.zzz:1194 Re-using SSL/TLS context
Tue Dec 30 08:26:56 2014 us=947772 www.xxx.yyy.zzz:1194 LZO compression initialized
Tue Dec 30 08:26:56 2014 us=947772 www.xxx.yyy.zzz:1194 Control Channel MTU parms [ L:1578 D:138 EF:38 EB:0 ET:0 EL:0 ]
Tue Dec 30 08:26:56 2014 us=947772 www.xxx.yyy.zzz:1194 Data Channel MTU parms [ L:1578 D:1300 EF:46 EB:135 ET:32 EL:0 AF:3/1 ]
Tue Dec 30 08:26:56 2014 us=947772 www.xxx.yyy.zzz:1194 Fragmentation MTU parms [ L:1578 D:1300 EF:45 EB:135 ET:33 EL:0 AF:3/1 ]
Tue Dec 30 08:26:56 2014 us=947772 www.xxx.yyy.zzz:1194 Local Options String: 'V4,dev-type tap,link-mtu 1578,tun-mtu 1532,proto UDPv4,comp-lzo,mtu-dynamic,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Tue Dec 30 08:26:56 2014 us=947772 www.xxx.yyy.zzz:1194 Expected Remote Options String: 'V4,dev-type tap,link-mtu 1578,tun-mtu 1532,proto UDPv4,comp-lzo,mtu-dynamic,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Tue Dec 30 08:26:56 2014 us=947772 www.xxx.yyy.zzz:1194 Local Options hash (VER=V4): 'e2a912d8'
Tue Dec 30 08:26:56 2014 us=947772 www.xxx.yyy.zzz:1194 Expected Remote Options hash (VER=V4): '9a22532e'
Tue Dec 30 08:26:56 2014 us=947772 www.xxx.yyy.zzz:1194 TLS: Initial packet from [AF_INET]www.xxx.yyy.zzz:1194, sid=04b565aa c4d2edc7
Tue Dec 30 08:26:57 2014 us=259317 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Tue Dec 30 08:26:59 2014 us=195110 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Tue Dec 30 08:26:59 2014 us=278196 www.xxx.yyy.zzz:1194 TLS: new session incoming connection from [AF_INET]www.xxx.yyy.zzz:1194
Tue Dec 30 08:27:00 2014 us=603141 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Tue Dec 30 08:27:01 2014 us=589768 www.xxx.yyy.zzz:1194 TLS: new session incoming connection from [AF_INET]www.xxx.yyy.zzz:1194
Tue Dec 30 08:27:04 2014 us=45768 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Tue Dec 30 08:27:05 2014 us=988190 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Tue Dec 30 08:27:07 2014 us=753290 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Tue Dec 30 08:27:11 2014 us=210858 read UDPv4: Connection reset by peer (WSAECONNRESET) (code=10054)
Tue Dec 30 08:27:13 2014 us=766473 TCP/UDP: Closing socket
Tue Dec 30 08:27:13 2014 us=766473 Closing TUN/TAP interface
Tue Dec 30 08:27:13 2014 us=766473 SIGTERM[hard,] received, process exiting
Tue Dec 30 08:27:13 2014 us=766473 MANAGEMENT: >STATE:1419924433,EXITING,SIGTERM,,
RWRRWRWRWWWWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWWRWRRWRWRWWWWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWWWWRWWWWWRWWWWWWWWWWW


Client (aaa.bbb.ccc.ddd is the public address at the LAN router):

Code:
Tue Dec 30 08:26:48 2014 OpenVPN 2.3.4 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Aug  7 2014
Tue Dec 30 08:26:48 2014 library versions: OpenSSL 1.0.1i 6 Aug 2014, LZO 2.05
Enter Management Password:
Tue Dec 30 08:26:48 2014 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Tue Dec 30 08:26:48 2014 Need hold release from management interface, waiting...
Tue Dec 30 08:26:49 2014 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Tue Dec 30 08:26:49 2014 MANAGEMENT: CMD 'state on'
Tue Dec 30 08:26:49 2014 MANAGEMENT: CMD 'log all on'
Tue Dec 30 08:26:49 2014 MANAGEMENT: CMD 'hold off'
Tue Dec 30 08:26:49 2014 MANAGEMENT: CMD 'hold release'
Tue Dec 30 08:26:49 2014 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Tue Dec 30 08:26:56 2014 MANAGEMENT: CMD 'password [...]'
Tue Dec 30 08:26:56 2014 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Tue Dec 30 08:26:56 2014 Socket Buffers: R=[65536->65536] S=[65536->65536]
Tue Dec 30 08:26:56 2014 MANAGEMENT: >STATE:1419924416,RESOLVE,,,
Tue Dec 30 08:26:56 2014 UDPv4 link local (bound): [undef]
Tue Dec 30 08:26:56 2014 UDPv4 link remote: [AF_INET]aaa.bbb.ccc.ddd:1194
Tue Dec 30 08:26:56 2014 MANAGEMENT: >STATE:1419924416,WAIT,,,
Tue Dec 30 08:26:57 2014 MANAGEMENT: >STATE:1419924417,AUTH,,,
Tue Dec 30 08:26:57 2014 TLS: Initial packet from [AF_INET]aaa.bbb.ccc.ddd:1194, sid=2bfd9772 de0ecbcd
Tue Dec 30 08:26:57 2014 VERIFY ERROR: depth=0, error=unsupported certificate purpose: C=DE, ST=BUNDESLAND, L="MeineStadt", O="MeineFirma", OU=Netzwerk, CN=server, name=server, emailAddress=name@example.tld
Tue Dec 30 08:26:57 2014 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Tue Dec 30 08:26:57 2014 TLS Error: TLS object -> incoming plaintext read error
Tue Dec 30 08:26:57 2014 TLS Error: TLS handshake failed
Tue Dec 30 08:26:57 2014 SIGUSR1[soft,tls-error] received, process restarting
Tue Dec 30 08:26:57 2014 MANAGEMENT: >STATE:1419924417,RECONNECTING,tls-error,,
Tue Dec 30 08:26:57 2014 Restart pause, 2 second(s)
Tue Dec 30 08:26:59 2014 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Tue Dec 30 08:26:59 2014 Socket Buffers: R=[65536->65536] S=[65536->65536]
Tue Dec 30 08:26:59 2014 MANAGEMENT: >STATE:1419924419,RESOLVE,,,
Tue Dec 30 08:26:59 2014 UDPv4 link local (bound): [undef]
Tue Dec 30 08:26:59 2014 UDPv4 link remote: [AF_INET]aaa.bbb.ccc.ddd:1194
Tue Dec 30 08:26:59 2014 MANAGEMENT: >STATE:1419924419,WAIT,,,
Tue Dec 30 08:26:59 2014 MANAGEMENT: >STATE:1419924419,AUTH,,,
Tue Dec 30 08:26:59 2014 TLS: Initial packet from [AF_INET]aaa.bbb.ccc.ddd:1194, sid=62aa52c3 88548315
Tue Dec 30 08:26:59 2014 VERIFY ERROR: depth=0, error=unsupported certificate purpose: C=DE, ST=BUNDESLAND, L="MeineStadt", O="MeineFirma", OU=Netzwerk, CN=server, name=server, emailAddress=name@example.tld
Tue Dec 30 08:26:59 2014 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Tue Dec 30 08:26:59 2014 TLS Error: TLS object -> incoming plaintext read error
Tue Dec 30 08:26:59 2014 TLS Error: TLS handshake failed
Tue Dec 30 08:26:59 2014 SIGUSR1[soft,tls-error] received, process restarting
Tue Dec 30 08:26:59 2014 MANAGEMENT: >STATE:1419924419,RECONNECTING,tls-error,,
Tue Dec 30 08:26:59 2014 Restart pause, 2 second(s)
Tue Dec 30 08:27:01 2014 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Tue Dec 30 08:27:01 2014 Socket Buffers: R=[65536->65536] S=[65536->65536]
Tue Dec 30 08:27:01 2014 MANAGEMENT: >STATE:1419924421,RESOLVE,,,
Tue Dec 30 08:27:01 2014 UDPv4 link local (bound): [undef]
Tue Dec 30 08:27:01 2014 UDPv4 link remote: [AF_INET]aaa.bbb.ccc.ddd:1194
Tue Dec 30 08:27:01 2014 MANAGEMENT: >STATE:1419924421,WAIT,,,
Tue Dec 30 08:27:01 2014 TLS Error: Unroutable control packet received from [AF_INET]aaa.bbb.ccc.ddd:1194 (si=3 op=P_CONTROL_V1)
Tue Dec 30 08:27:01 2014 TLS Error: Unroutable control packet received from [AF_INET]aaa.bbb.ccc.ddd:1194 (si=3 op=P_CONTROL_V1)
Tue Dec 30 08:27:01 2014 TLS Error: Unroutable control packet received from [AF_INET]aaa.bbb.ccc.ddd:1194 (si=3 op=P_ACK_V1)
Tue Dec 30 08:27:02 2014 TLS Error: Unroutable control packet received from [AF_INET]aaa.bbb.ccc.ddd:1194 (si=3 op=P_CONTROL_V1)
Tue Dec 30 08:27:02 2014 TLS Error: Unroutable control packet received from [AF_INET]aaa.bbb.ccc.ddd:1194 (si=3 op=P_CONTROL_V1)
Tue Dec 30 08:27:03 2014 TLS Error: Unroutable control packet received from [AF_INET]aaa.bbb.ccc.ddd:1194 (si=3 op=P_CONTROL_V1)
Tue Dec 30 08:27:03 2014 TLS Error: Unroutable control packet received from [AF_INET]aaa.bbb.ccc.ddd:1194 (si=3 op=P_CONTROL_V1)
Tue Dec 30 08:27:03 2014 TLS Error: Unroutable control packet received from [AF_INET]aaa.bbb.ccc.ddd:1194 (si=3 op=P_ACK_V1)
Tue Dec 30 08:27:03 2014 SIGTERM[hard,] received, process exiting
Tue Dec 30 08:27:03 2014 MANAGEMENT: >STATE:1419924423,EXITING,SIGTERM,,


Now, in the client log one sees the following error pattern:

Code:
Tue Dec 30 08:26:57 2014 TLS: Initial packet from [AF_INET]aaa.bbb.ccc.ddd:1194, sid=2bfd9772 de0ecbcd
Tue Dec 30 08:26:57 2014 VERIFY ERROR: depth=0, error=unsupported certificate purpose: C=DE, ST=BUNDESLAND, L="MeineStadt", O="MeineFirma", OU=Netzwerk, CN=server, name=server, emailAddress=name@example.tld
Tue Dec 30 08:26:57 2014 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Tue Dec 30 08:26:57 2014 TLS Error: TLS object -> incoming plaintext read error
Tue Dec 30 08:26:57 2014 TLS Error: TLS handshake failed
Tue Dec 30 08:26:57 2014 SIGUSR1[soft,tls-error] received, process restarting
Tue Dec 30 08:26:57 2014 MANAGEMENT: >STATE:1419924417,RECONNECTING,tls-error,,
Tue Dec 30 08:26:57 2014 Restart pause, 2 second(s)
Tue Dec 30 08:26:59 2014 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Tue Dec 30 08:26:59 2014 Socket Buffers: R=[65536->65536] S=[65536->65536]
Tue Dec 30 08:26:59 2014 MANAGEMENT: >STATE:1419924419,RESOLVE,,,
Tue Dec 30 08:26:59 2014 UDPv4 link local (bound): [undef]
Tue Dec 30 08:26:59 2014 UDPv4 link remote: [AF_INET]aaa.bbb.ccc.ddd:1194


This repeats and no proper connection is ever established. I have already created the certificates several times, but I keep getting the same error and unfortunately can't get any further.

I would be endlessly grateful if you could help me out.

Regards

temuco
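An added example, not part of the original post and not easy-rsa's or OpenVPN's own code: it reproduces offline the check that an OpenSSL-based TLS client applies to the server's certificate at depth 0 (OpenSSL's `sslserver` purpose, whose failure OpenSSL reports as "unsupported certificate purpose"), using a constructed throw-away CA. The certificate named `server-bad` carries client-type extensions (extendedKeyUsage clientAuth, nsCertType client) as an assumed stand-in for a server certificate issued with the wrong extension set; `server-ok` carries the server-type ones. Requires the `openssl` command-line tool.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce the server-certificate
# purpose check an OpenSSL-based TLS client performs, with a constructed test PKI.

WORK="${WORK:-$(mktemp -d)}"
trap 'rm -rf "$WORK"' EXIT

# Issue a leaf certificate from the test CA with the given extension values.
# $1 = name (also used as CN), $2 = extendedKeyUsage, $3 = nsCertType
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    printf 'keyUsage = digitalSignature, keyEncipherment\nextendedKeyUsage = %s\nnsCertType = %s\n' \
        "$2" "$3" > "$WORK/$1.ext"
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 2 -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
}

# Build the constructed PKI: one self-signed CA and two certificates for "the server".
build_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Constructed Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
    # Correctly issued server certificate: server-type extensions.
    issue_cert server-ok serverAuth server
    # Assumed mis-issued certificate: client-type extensions on the server's certificate.
    issue_cert server-bad clientAuth client
}

# Verdict for one certificate under OpenSSL's sslserver purpose, i.e. what a TLS
# client checks when it receives the server's certificate at depth 0.
# Prints "OK" or the OpenSSL error text; exit status is 0 only when OK.
server_purpose_verdict() {
    out=$(openssl verify -purpose sslserver -CAfile "$WORK/ca.crt" "$1" 2>&1) || true
    case "$out" in
        *": OK"*) echo OK; return 0 ;;
        *"unsupported certificate purpose"*) echo "unsupported certificate purpose"; return 1 ;;
        *) echo "$out"; return 1 ;;
    esac
}

# Show the two extensions that decide the purpose check, for manual inspection
# of a certificate that fails the way the post's client log shows.
show_purpose_extensions() {
    openssl x509 -in "$1" -noout -text | grep -A1 -E 'Extended Key Usage|Netscape Cert Type'
}

build_test_pki
for name in server-ok server-bad; do
    echo "== $name"
    show_purpose_extensions "$WORK/$name.crt"
    echo "sslserver purpose: $(server_purpose_verdict "$WORK/$name.crt")"
done
```

To apply the same inspection to a real deployment, run `show_purpose_extensions` on the server certificate extracted from its .p12 and `openssl verify -purpose sslserver` against the CA that issued it.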

