All times are UTC
 Post subject: Some Roadwarriors cannot connect anymore
PostPosted: 04.10.2010 22:12 
DES

Joined: 13.06.2008 20:02
Posts: 9
I have an IPCOP firewall running ZERINA-0.9.7a14. I have half a dozen road warriors defined and all was working well until 2 days ago. Two out of the six warriors are unable to make a connection. The OPENVPN log shows the following when attempting to connect. The log shows the following messages
Quote:
17:11:50 openvpnserver MULTI: multi_create_instance called
17:11:50 openvpnserver 99.245.91.116:1194 Re-using SSL/TLS context
17:11:50 openvpnserver 99.245.91.116:1194 WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1400)
17:11:50 openvpnserver 99.245.91.116:1194 Control Channel MTU parms [ L:1441 D:138 EF:38 EB:0 ET:0 EL:0 ]
17:11:50 openvpnserver 99.245.91.116:1194 Data Channel MTU parms [ L:1441 D:1441 EF:41 EB:4 ET:0 EL:0 ]
17:11:50 openvpnserver 99.245.91.116:1194 Local Options hash (VER=V4): '778eeec5'
17:11:50 openvpnserver 99.245.91.116:1194 Expected Remote Options hash (VER=V4): '57657c3f'
17:11:50 openvpnserver 99.245.91.116:1194 TLS: Initial packet from 99.243.96.116:1194, sid=6efbc35f 73f 9bf35
17:11:51 openvpnserver 99.245.91.116:1194 VERIFY SCRIPT OK: depth=1, /C=CA/O=Gango_Supplies/CN=Gango_Supplies_CA
17:11:51 openvpnserver 99.245.91.116:1194 CRL CHECK OK: /C=CA/O=Gango_Supplies/CN=Gango_Supplies_CA
17:11:51 openvpnserver 99.245.91.116:1194 VERIFY OK: depth=1, /C=CA/O=Gango_Supplies/CN=Gango_Supplies_CA
17:11:51 openvpnserver 99.245.91.116:1194 VERIFY SCRIPT OK: depth=0, /C=CA/O=Gango_Supplies/CN=Don_Paterunas
17:11:51 openvpnserver 99.245.91.116:1194 CRL CHECK FAILED: /C=CA/O=Gango_Supplies/CN=Don_Paterunas is REVOKED
17:11:51 openvpnserver 99.245.91.116:1194 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2: SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
17:11:51 openvpnserver 99.245.91.116:1194 TLS Error: TLS object -> incoming plaintext read error
17:11:51 openvpnserver 99.245.91.116:1194 TLS Error: TLS handshake failed
17:11:51 openvpnserver 99.245.91.116:1194 SIGUSR1[soft,tls-error] received, client-instance restarting
17:12:37 openvpnserver MULTI: multi_create_instance called


The roadwarrior config file looks like this:
Quote:
#OpenVPN Client conf
tls-client
client
dev tun
proto udp
tun-mtu 1400
remote GOTOON12-12466432.sdsl.ca 1194
pkcs12 DonGango.p12
cipher BF-CBC
verb 3
ns-cert-type server
ping 10
ping-restart 45


I have also seen on the client side of the warriors that aren't working, errors referring to "TLS keys are out of sync"

I don't know how to fix this. Any help would be appreciated.


 Post subject: Re: Some Roadwarriors cannot connect anymore
PostPosted: 05.10.2010 07:37 
openvpn.eu Admin

Joined: 23.01.2006 08:05
Posts: 3321
Location: near Vienna
Hello

The connection is refused by the server because the certificate "C=CA/O=Gango_Supplies/CN=Don_Paterunas" was revoked.

_________________
regards,
note
Please take a look at our rules. Visit our wiki!
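
Added example (not part of the thread): a small Python triage of an OpenVPN server log that separates peers rejected by the CRL check from peers whose handshake failed for some other reason. The first log lines are taken from the opening post; the last one (peer 203.0.113.7) is constructed for contrast, and the function names are this example's own.

```python
import re

# Lines from the log in the first post.
PAGE_LINES = """\
17:11:50 openvpnserver MULTI: multi_create_instance called
17:11:51 openvpnserver 99.245.91.116:1194 CRL CHECK OK: /C=CA/O=Gango_Supplies/CN=Gango_Supplies_CA
17:11:51 openvpnserver 99.245.91.116:1194 CRL CHECK FAILED: /C=CA/O=Gango_Supplies/CN=Don_Paterunas is REVOKED
17:11:51 openvpnserver 99.245.91.116:1194 TLS Error: TLS handshake failed
17:11:51 openvpnserver 99.245.91.116:1194 SIGUSR1[soft,tls-error] received, client-instance restarting
"""
# Constructed line: a handshake failure with no CRL rejection before it.
CONSTRUCTED_LINE = "17:12:40 openvpnserver 203.0.113.7:1194 TLS Error: TLS handshake failed\n"
SAMPLE_LOG = PAGE_LINES + CONSTRUCTED_LINE

LINE = re.compile(r"^(?P<ts>\S+) openvpnserver (?P<peer>\d+\.\d+\.\d+\.\d+:\d+) (?P<msg>.*)$")
REVOKED = re.compile(r"^CRL CHECK FAILED: (?P<subject>/.+) is REVOKED$")

def triage(log_text):
    """Return {peer: {"revoked": [subject DNs], "handshake_failed": bool}}."""
    peers = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # server-wide lines such as "MULTI: ..." carry no peer address
        state = peers.setdefault(m["peer"], {"revoked": [], "handshake_failed": False})
        r = REVOKED.match(m["msg"])
        if r:
            state["revoked"].append(r["subject"])
        elif m["msg"] == "TLS Error: TLS handshake failed":
            state["handshake_failed"] = True
    return peers

def diagnose(state):
    """Turn one peer's state into a one-line finding."""
    if state["revoked"]:
        names = [s.rsplit("/CN=", 1)[-1] for s in state["revoked"]]
        return "certificate revoked: " + ", ".join(names)
    if state["handshake_failed"]:
        return "handshake failed, no CRL rejection logged"
    return "no failure logged"

if __name__ == "__main__":
    for peer, state in triage(SAMPLE_LOG).items():
        print(peer, "->", diagnose(state))
```

A peer reported as revoked needs a new certificate, or its revocation traced back on the CA side; a handshake failure without a CRL line points to a different cause.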


 Post subject: Re: Some Roadwarriors cannot connect anymore
PostPosted: 05.10.2010 13:28 
DES

Joined: 13.06.2008 20:02
Posts: 9
Thanks for your quick response.

note wrote:
Hello

The connection is refused by the server because the certificate "C=CA/O=Gango_Supplies/CN=Don_Paterunas" was revoked.


How did this happen? And with two at the same time? I assume I can fix this by generating new certificates, but how can I avoid this problem in the future?


 Post subject: Re: Some Roadwarriors cannot connect anymore
PostPosted: 05.10.2010 15:25 
Profi

Joined: 23.10.2007 12:10
Posts: 2185
You killed some lines in the configuration?
Look for the web-interface and you should see all possible certificates.

F.

