

All times are UTC




 Post subject: Tunnel from the Twilight Zone
PostPosted: 22.08.2008 14:42 
DES

Joined: 22.08.2008 13:54
Posts: 1
Hi.. I've been working on this issue and have been perplexed for weeks now. I'm trying to upgrade some boxes running OpenBSD with OpenVPN (OpenVPN 2.0.9 i386-unknown-openbsd4.3 [SSL] [LZO] built on Aug 21 2008). I'm using the exact same certs and configs as the boxes that are still in service. Things seem to pause after the server says to push routes out to the client. The client never brings up the tunnel interface (tun0) nor adds the routes. Here are the logs on the server:

Thu Aug 21 16:34:57 2008 us=593178 sensor2/client_ip:1194 UDPv4 WRITE [61] to client_ip:1194: P_DATA_V1 kid=0 DATA len=60
Thu Aug 21 16:34:58 2008 us=825103 sensor2/client_ip:1194 UDPv4 WRITE [16] to client_ip:1194: P_CONTROL_V1 kid=0 [ ] pid=35 DATA len=2
Thu Aug 21 16:35:01 2008 us=9314 sensor2/client_ip:1194 UDPv4 WRITE [16] to client_ip:1194: P_CONTROL_V1 kid=0 [ ] pid=35 DATA len=2
Thu Aug 21 16:35:01 2008 us=9705 sensor2/client_ip:1194 UDPv4 WRITE [541] to client_ip:1194: P_DATA_V1 kid=0 DATA len=540
Thu Aug 21 16:35:03 2008 us=251788 sensor2/client_ip:1194 UDPv4 WRITE [16] to client_ip:1194: P_CONTROL_V1 kid=0 [ ] pid=35 DATA len=2
Thu Aug 21 16:35:04 2008 us=483822 sensor2/client_ip:1194 UDPv4 WRITE [61] to client_ip:1194: P_DATA_V1 kid=0 DATA len=60
Thu Aug 21 16:35:05 2008 us=573166 sensor2/client_ip:1194 UDPv4 WRITE [16] to client_ip:1194: P_CONTROL_V1 kid=0 [ ] pid=35 DATA len=2
Thu Aug 21 16:35:07 2008 us=665242 sensor2/client_ip:1194 UDPv4 WRITE [16] to client_ip:1194: P_CONTROL_V1 kid=0 [ ] pid=35 DATA len=2
Thu Aug 21 16:35:07 2008 us=665665 sensor2/client_ip:1194 UDPv4 WRITE [541] to client_ip:1194: P_DATA_V1 kid=0 DATA len=540
Thu Aug 21 16:35:09 2008 us=757339 sensor2/client_ip:1194 UDPv4 WRITE [16] to client_ip:1194: P_CONTROL_V1 kid=0 [ ] pid=35 DATA len=2
Thu Aug 21 16:35:10 2008 us=849399 sensor2/client_ip:1194 NOTE: --mute triggered...
Thu Aug 21 16:35:57 2008 us=9603 sensor2/client_ip:1194 36 variation(s) on previous 10 message(s) suppressed by --mute
Thu Aug 21 16:35:57 2008 us=9678 sensor2/client_ip:1194 [sensor2] Inactivity timeout (--ping-restart), restarting
Thu Aug 21 16:35:57 2008 us=9696 sensor2/client_ip:1194 SIGUSR1[soft,ping-restart] received, client-instance restarting


Here are the logs on the client:

Thu Aug 21 16:34:55 2008 us=355255 OpenVPN 2.0.9 i386-unknown-openbsd4.3 [SSL] [LZO] built on Aug 21 2008
Thu Aug 21 16:34:55 2008 us=355724 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Thu Aug 21 16:34:55 2008 us=378760 LZO compression initialized
Thu Aug 21 16:34:55 2008 us=380133 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Thu Aug 21 16:34:55 2008 us=380743 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Thu Aug 21 16:34:55 2008 us=380981 Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher DES-CBC,auth SHA1,keysize 64,key-method 2,tls-client'
Thu Aug 21 16:34:55 2008 us=381120 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher DES-CBC,auth SHA1,keysize 64,key-method 2,tls-server'
Thu Aug 21 16:34:55 2008 us=381449 Local Options hash (VER=V4): '94012f71'
Thu Aug 21 16:34:55 2008 us=381597 Expected Remote Options hash (VER=V4): 'f2dba00b'
Thu Aug 21 16:34:55 2008 us=412784 NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Thu Aug 21 16:34:55 2008 us=413224 Socket Buffers: R=[41600->65536] S=[9216->65536]
Thu Aug 21 16:34:55 2008 us=413368 UDPv4 link local (bound): [undef]:1194
Thu Aug 21 16:34:55 2008 us=413436 UDPv4 link remote: server_ip:1194
Thu Aug 21 16:34:55 2008 us=439660 TLS: Initial packet from server_ip:1194, sid=6292b8a0 92ab4254
Thu Aug 21 16:34:55 2008 us=579274 VERIFY OK: depth=1, /C=US/ST=OH/L=Town/O=Company/CN=company/emailAddress=example@mcewenco.com
Thu Aug 21 16:34:55 2008 us=580147 VERIFY OK: depth=0, /C=US/ST=OH/O=Company/CN=vpnx/emailAddress=example@mcewenco.com
Thu Aug 21 16:34:55 2008 us=841993 Data Channel Encrypt: Cipher 'DES-CBC' initialized with 64 bit key
Thu Aug 21 16:34:55 2008 us=842107 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Aug 21 16:34:55 2008 us=842171 Data Channel Decrypt: Cipher 'DES-CBC' initialized with 64 bit key
Thu Aug 21 16:34:55 2008 us=842240 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu Aug 21 16:34:55 2008 us=842693 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Thu Aug 21 16:34:55 2008 us=842864 [vpnx] Peer Connection Initiated with server_ip:1194
Thu Aug 21 16:34:56 2008 us=861761 SENT CONTROL [vpnx]: 'PUSH_REQUEST' (status=1)
Thu Aug 21 16:34:56 2008 us=915545 PUSH: Received control message: 'PUSH_REPLY,route 192.168.70.0 255.255.255.0,route 192.168.71.0 255.255.255.0,route 192.168.72.0 255.255.255.0,route 192.168.73.0 255.255.255.0,route 192.168.74.0 255.255.255.0,route 192.168.75.0 255.255.255.0,route 192.168.76.0 255.255.255.0,route 192.168.77.0 255.255.255.0,route 192.168.78.0 255.255.255.0,route 192.168.80.0 255.255.255.0,route 192.168.81.0 255.255.255.0,route 192.168.82.0 255.255.255.0,persist-key,persist-tun,route 192.168.100.0 255.255.255.0,ping 10,ping-restart 30,ifconfig 192.168.100.5 192.168.100.1'
Thu Aug 21 16:34:56 2008 us=915832 OPTIONS IMPORT: timers and/or timeouts modified
Thu Aug 21 16:34:56 2008 us=915896 OPTIONS IMPORT: --persist options modified
Thu Aug 21 16:34:56 2008 us=915938 OPTIONS IMPORT: --ifconfig/up options modified
Thu Aug 21 16:34:56 2008 us=915980 OPTIONS IMPORT: route options modified


Here is the server config:

server 192.168.100.0 255.255.255.0
port 1194
proto udp
dev tun0
ca /var/openvpn/keys/ca.crt
cert /var/openvpn/keys/vpnx.crt
key /var/openvpn/keys/vpnx.key
dh /var/openvpn/keys/dh1024.pem
ifconfig-pool-persist /var/openvpn/ip-pool.txt
keepalive 10 30
# tun-mtu 1540
tun-mtu 1500
#fragment 1472
mssfix
comp-lzo
push "route 192.168.70.0 255.255.255.0"
push "route 192.168.71.0 255.255.255.0"
push "route 192.168.72.0 255.255.255.0"
push "route 192.168.73.0 255.255.255.0"
push "route 192.168.74.0 255.255.255.0"
push "route 192.168.75.0 255.255.255.0"
push "route 192.168.76.0 255.255.255.0"
push "route 192.168.77.0 255.255.255.0"
push "route 192.168.78.0 255.255.255.0"
push "route 192.168.79.0 255.255.255.0"
push "route 192.168.80.0 255.255.255.0"
push "route 192.168.81.0 255.255.255.0"
push "route 192.168.82.0 255.255.255.0"
# push "mlock"
push "persist-key"
push "persist-tun"
mlock
persist-key
persist-tun
status /var/log/openvpn-status.log
log /var/log/openvpn.log
verb 6
mute 10
user nobody
group nobody
tls-server
cipher DES-CBC
client-to-client
client-config-dir /etc/openvpn/ccd
route 192.168.71.0 255.255.255.0
route 192.168.72.0 255.255.255.0
route 192.168.73.0 255.255.255.0
route 192.168.74.0 255.255.255.0
route 192.168.75.0 255.255.255.0
route 192.168.76.0 255.255.255.0
route 192.168.77.0 255.255.255.0
route 192.168.78.0 255.255.255.0
route 192.168.79.0 255.255.255.0
route 192.168.80.0 255.255.255.0
route 192.168.81.0 255.255.255.0
route 192.168.82.0 255.255.255.0
ifconfig-pool-linear
#push redirect-gateway


And lastly, here is the client config:

port 1194
proto udp
dev tun0
remote server_ip
ca /var/openvpn/keys/ca.crt
cert /var/openvpn/keys/sensor2.crt
key /var/openvpn/keys/sensor2.key
comp-lzo
status /var/log/openvpn-status.log
log-append /var/log/openvpn.log
verb 4
tls-client
client
cipher DES-CBC
user _openvpn
group _openvpn
persist-key
persist-tun


I'm in a really big bind here, if anyone could please help I would very much appreciate it.. it would save the day. Like I said, these exact configs are in place now and working... however with this new install it doesn't get past where you see the log stop. Any experts out there??

