MikroTik

Community discussions
https://forum.mikrotik.com/

Can't get OpenVPN (tun) up with win client - TLS fail

https://forum.mikrotik.com/viewtopic.php?t=62025

Page 1 of 1

Can't get OpenVPN (tun) up with win client - TLS fail

Posted: Mon May 14, 2012 8:54 pm
by sveno
Hi,

I have a router running 5.16 set up according the openVPN Wiki guide (http://wiki.mikrotik.com/wiki/OpenVPN)
using cacert.org and tun (ip) mode.

the openvpn gui shows this error:

Mon May 14 20:40:36 2012 TLS: Initial packet from (server ip):1194, sid=f0fc6eab 56522674
Mon May 14 20:40:36 2012 VERIFY OK: depth=1, /O=Root_CA/OU=http://www.cacert.org/CN=CA_Cert_Signin ... cacert.org
Mon May 14 20:40:36 2012 VERIFY OK: depth=0, /CN=www.*****.***
Mon May 14 20:41:36 2012 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon May 14 20:41:36 2012 TLS Error: TLS handshake failed
Mon May 14 20:41:36 2012 Fatal TLS error (check_tls_errors_co), restarting


winbox log shows:
TPC connection established...
dialling...
using encoding...
terminating... -peer disconnected


What I am really unsure of is that according to the wiki:
-no new interface was added (openvpn appears automatically when I attempt to connect)
-no new dhcp server (only pool)
-didn't create nat rule because I already have: add action=masquerade chain=srcnat comment="Added by webbox" disabled=no out-interface=INET to-addresses=0.0.0.0


I am quite a noob when it comes to routeros so please advise what other info I should post. What are the next steps to take to troubleshoot?

Thank you!

Re: Can't get OpenVPN (tun) up with win client - TLS fail

Posted: Sat May 19, 2012 6:38 pm
by sveno
I'm now using easy-rsa generated keys and get the same result on win7 with openvpn 2.2.2 as client.

The client says this:
Code: Select all
Sat May 19 18:20:29 2012 us=50000 OpenVPN 2.2.2 Win32-MSVC++ [SSL] [LZO2] [PKCS11] built on Dec 15 2011
Sat May 19 18:20:29 2012 us=50000 WARNING: --ping should normally be used with --ping-restart or --ping-exit
Sat May 19 18:20:29 2012 us=50000 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Sat May 19 18:20:29 2012 us=50000 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Sat May 19 18:20:29 2012 us=924000 Control Channel MTU parms [ L:1559 D:140 EF:40 EB:0 ET:0 EL:0 ]
Sat May 19 18:20:29 2012 us=924000 Socket Buffers: R=[8192->8192] S=[8192->8192]
Sat May 19 18:20:29 2012 us=924000 Data Channel MTU parms [ L:1559 D:1450 EF:59 EB:4 ET:0 EL:0 ]
Sat May 19 18:20:29 2012 us=924000 Local Options String: 'V4,dev-type tun,link-mtu 1559,tun-mtu 1500,proto TCPv4_CLIENT,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-client'
Sat May 19 18:20:29 2012 us=924000 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1559,tun-mtu 1500,proto TCPv4_SERVER,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-server'
Sat May 19 18:20:29 2012 us=924000 Local Options hash (VER=V4): '5cb3f8dc'
Sat May 19 18:20:29 2012 us=924000 Expected Remote Options hash (VER=V4): '898ae6c6'
Sat May 19 18:20:29 2012 us=924000 Attempting to establish TCP connection with **********:1194
Sat May 19 18:20:30 2012 us=501000 TCP connection established with ********:1194
Sat May 19 18:20:30 2012 us=501000 TCPv4_CLIENT link local: [undef]
Sat May 19 18:20:30 2012 us=501000 TCPv4_CLIENT link remote:***********:1194
Sat May 19 18:20:30 2012 us=735000 TLS: Initial packet from ********:1194, sid=2b293838 41b5c920
Sat May 19 18:20:36 2012 us=507000 VERIFY OK: depth=1, /C=EE/ST=************************************* (CA)
Sat May 19 18:20:36 2012 us=507000 VERIFY OK: depth=0, /C=EE/ST=******************************************* (server)
Sat May 19 18:20:41 2012 us=952000 Connection reset, restarting [0]
Sat May 19 18:20:41 2012 us=952000 TCP/UDP: Closing socket
Sat May 19 18:20:41 2012 us=952000 SIGUSR1[soft,connection-reset] received, process restarting
Sat May 19 18:20:41 2012 us=952000 Restart pause, 5 second(s)
Routerboard this:
Code: Select all
18:20:31 ovpn,info TCP connection established from ************* 
18:20:31 ovpn,info <ovpn-0>: dialing... 
18:20:42 ovpn,info <ovpn-0>: using encoding - AES-256-CBC/SHA1 
18:20:48 ovpn,info TCP connection established from ************ 
18:20:48 ovpn,info <ovpn-0>: dialing... 
18:20:48 ovpn,debug <***********>: disconnected <peer disconnected> 
18:20:48 ovpn,info <ovpn-0>: terminating... - peer disconnected 
18:20:48 ovpn,info <ovpn-0>: disconnected
Now how can I look deeper what might be causing the problem?

Is my client conf file ok?
Code: Select all
client

dev tun

proto tcp

remote ******** 1194


resolv-retry infinite

nobind

persist-key
persist-tun

ca ca.crt
cert certs/cleint.crt
key certs/client.key

verb 5
ping 10
cipher AES-256-CBC
auth SHA1
pull
I even tried L2TP but that didn't go any further either :/
Please advise.

UPDATE: Got L2TP running and aborted OVPN access. Thanks for taking a look.
All times are UTC+02:00
Page 1 of 1
Powered by phpBB® Forum Software © phpBB Limited
https://www.phpbb.com/