dadaniel
Member Candidate
Topic Author
Posts: 221
Joined: Fri May 14, 2010 11:51 pm

OVPN drops exactly every 60min with "wrong keyID 1" message

Wed Sep 27, 2023 5:05 pm

What could be the problem here? V7.12b9, imported .ovpn file:

/interface ovpn-client
add cipher=aes128-cbc connect-to=xxx.xxx.xxx.xxx mac-address=xx:xx:xx:xx:xx:xx name=ovpn-import1695809348 port=1080 protocol=udp use-peer-dns=no user=xxx

13:53:21 ovpn,debug,error packet with wrong keyID 1, expected 3, dropping
 13:53:30 ovpn,debug,error packet with wrong keyID 1, expected 4, dropping
 13:53:46 ovpn,debug,error packet with wrong keyID 1, expected 5, dropping
 13:53:48 ovpn,info ovpn-import1695809348: disconnected <TLS error: handshake timed out (6)>
 13:53:48 ovpn,info ovpn-import1695809348: terminating... - TLS error: handshake timed out (6)
 13:53:48 ovpn,info ovpn-import1695809348: disconnected
 13:53:48 ovpn,info ovpn-import1695809348: initializing...
 13:53:48 ovpn,info ovpn-import1695809348: connecting...
 13:53:48 ovpn,info ovpn-import1695809348: using encoding - AES-128-CBC/SHA1
 13:53:48 ovpn,info ovpn-import1695809348: connected
 14:53:30 ovpn,debug,error packet with wrong keyID 1, expected 3, dropping
 14:53:37 ovpn,debug,error packet with wrong keyID 1, expected 4, dropping
 14:53:54 ovpn,debug,error packet with wrong keyID 1, expected 5, dropping
 14:53:56 ovpn,info ovpn-import1695809348: disconnected <TLS error: handshake timed out (6)>
 14:53:56 ovpn,info ovpn-import1695809348: terminating... - TLS error: handshake timed out (6)
 14:53:56 ovpn,info ovpn-import1695809348: disconnected
 14:53:56 ovpn,info ovpn-import1695809348: initializing...
 14:53:56 ovpn,info ovpn-import1695809348: connecting...
 14:53:56 ovpn,info ovpn-import1695809348: using encoding - AES-128-CBC/SHA1
 14:53:56 ovpn,info ovpn-import1695809348: connected
 15:51:24 ovpn,debug,error packet with wrong keyID 1, expected 3, dropping
 15:51:32 ovpn,debug,error packet with wrong keyID 1, expected 4, dropping
 15:51:48 ovpn,debug,error packet with wrong keyID 1, expected 5, dropping
 15:51:50 ovpn,info ovpn-import1695809348: disconnected <TLS error: handshake timed out (6)>
 15:51:50 ovpn,info ovpn-import1695809348: terminating... - TLS error: handshake timed out (6)
 15:51:51 ovpn,info ovpn-import1695809348: disconnected
 15:51:51 ovpn,info ovpn-import1695809348: initializing...
 15:51:51 ovpn,info ovpn-import1695809348: connecting...
 15:51:51 ovpn,info ovpn-import1695809348: using encoding - AES-128-CBC/SHA1
 15:51:51 ovpn,info ovpn-import1695809348: connected
It seems to be related to the reneg-sec parameter, but I can't set it in the .ovpn file; the message "unsupported configuration parameter 'reneg-sec'" appears in the log.
This parameter can be set in MikroTik's OVPN server and even gets exported since 7.11 Beta 7, so why is it not supported in MikroTik's OVPN client?
The OVPN documentation says it is available on both server and client. I have no access to the server, so I'm screwed 😞
 
holvoetn
Forum Guru
Posts: 6279
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: OVPN drops exactly every 60min with "wrong keyID 1" message

Fri Sep 29, 2023 6:22 am

You may want to contact support on this.
supout.rif will be needed as well so better to include it already in the ticket.
 
raphaps
just joined
Posts: 23
Joined: Fri Feb 03, 2023 12:29 am
Location: Brasil

Re: OVPN drops exactly every 60min with "wrong keyID 1" message

Fri Sep 29, 2023 7:49 am

The OpenVPN client on MikroTik has the "reneg-sec" parameter disabled by default, meaning it is set to 0. I have noticed this in several tests I have been conducting recently because if "reneg-sec" is disabled on the server, it does not renegotiate the keys when the client is a MikroTik device; there is only the initial negotiation when the client connects.

There is also an important detail: even if you can set the "reneg-sec" parameter to 0 on the client, you would only be disabling key renegotiation on your side. If the server is set to 3600, renegotiation would still occur every hour, just as it is currently happening.
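
Added example (not part of any post in this thread, and not MikroTik or OpenVPN code): a Python check that measures, from RouterOS log lines like those in the first post, how long each session ran before the first "wrong keyID" drop, to test the hourly server-side renegotiation explanation above. The 3600-second value comes from the reply above; the function names and the 10% slack are assumptions.

```python
import re
from datetime import datetime, timedelta

# Lines copied from the log in the first post (trimmed to the relevant events).
SAMPLE_LOG = """\
13:53:48 ovpn,info ovpn-import1695809348: connected
14:53:30 ovpn,debug,error packet with wrong keyID 1, expected 3, dropping
14:53:37 ovpn,debug,error packet with wrong keyID 1, expected 4, dropping
14:53:54 ovpn,debug,error packet with wrong keyID 1, expected 5, dropping
14:53:56 ovpn,info ovpn-import1695809348: disconnected <TLS error: handshake timed out (6)>
14:53:56 ovpn,info ovpn-import1695809348: connected
15:51:24 ovpn,debug,error packet with wrong keyID 1, expected 3, dropping
15:51:32 ovpn,debug,error packet with wrong keyID 1, expected 4, dropping
15:51:48 ovpn,debug,error packet with wrong keyID 1, expected 5, dropping
15:51:50 ovpn,info ovpn-import1695809348: disconnected <TLS error: handshake timed out (6)>
"""
LINE_RE = re.compile(r"^\s*(\d\d:\d\d:\d\d)\s+ovpn,\S+\s+(.*)$")

def parse(log):
    """Yield (datetime, message). The log has no dates, so roll over at midnight."""
    base, prev = datetime(2000, 1, 1), None  # arbitrary start date
    for raw in log.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        h, mi, s = map(int, m.group(1).split(":"))
        ts = base.replace(hour=h, minute=mi, second=s)
        if prev and ts < prev:  # clock wrapped past 23:59:59
            base += timedelta(days=1)
            ts += timedelta(days=1)
        prev = ts
        yield ts, m.group(2)

def rekey_failures(log):
    """Per failed session: (uptime before first drop, drop count, seconds until timeout)."""
    out, start, first, drops = [], None, None, 0
    for ts, msg in parse(log):
        if msg.endswith(": connected"):
            start, first, drops = ts, None, 0
        elif "wrong keyID" in msg and start:
            first, drops = first or ts, drops + 1
        elif "disconnected" in msg and "handshake timed out" in msg and first:
            out.append((int((first - start).total_seconds()), drops,
                        int((ts - first).total_seconds())))
            start = first = None
    return out

def matches_reneg_sec(log, reneg_sec=3600, slack=0.10):
    """True if every failed session broke within `slack` below reneg_sec (assumed window)."""
    runs = rekey_failures(log)
    return bool(runs) and all(reneg_sec * (1 - slack) <= r[0] <= reneg_sec for r in runs)
```

On the posted log both sessions fail just under an hour after connecting and time out 26 seconds after the first dropped packet, which fits a renegotiation started by the server.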
 
dadaniel
Member Candidate
Topic Author
Posts: 221
Joined: Fri May 14, 2010 11:51 pm

Re: OVPN drops exactly every 60min with "wrong keyID 1" message

Fri Sep 29, 2023 3:55 pm

> You may want to contact support on this.
> supout.rif will be needed as well so better to include it already in the ticket.

Done, SUP-129623
