> using OpenVPN 1.1.0 (and also with 1.0.3) I get errors when using
> any kind of encryption (only tried static):

Are you having 1.1.0 talk to 1.0.3? -- that would cause problems because 1.1.0 adds a packet IV by default. I would recommend sticking to 1.1.0 if you can.

> All machines involved are Slackware Linux 8.0. One is my production
> machine (with full development stuff installed) the other two are
> firewall gateways, thus lacking anything but the necessities.
>
> I compiled OpenVPN on the production machine, where I also installed
> LZO lib. The binary, along with a generated private key, was copied
> to either gateway (configure --disable-lzo).
>
> As long as I start the tunnel without encryption everything works PG !
>
> --- VPN start script follows ---
> openvpn --mktun --dev tun7
> ifconfig tun7 10.1.0.1 pointopoint 10.1.0.2 mtu 1450
> openvpn --remote 192.168.1.8 \
> --dev tun7 --verb 4 \
> 1>> /var/log/OpenVPN.log 2>> /var/log/OpenVPN.err &
> route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.1.0.2
> --- script end ---
>
> as soon as I start OpenVPN with the following switches things get
> weird:
>
> openvpn --remote 192.168.1.8 \
> --dev tun7 --verb 4 \
> --secret /root/OpenVPN/openvpn.key \
> 1>> /var/log/OpenVPN.log 2>> /var/log/OpenVPN.err &
>
> With OpenVPN v1.0.3 the following message appears:
>
> 50: OpenVPN 1.0.3 Built On Apr 9 2002
> 51: UDP link local (bound): [undef]:5000
> 52: UDP link remote: 192.168.1.8:5000
> 53: TUN/TAP device tun7 opened
> 54: Static: Cipher 'BF-CBC' initialized with 128 bit key
> 55: Static: Using 160 bit message digest 'SHA1' for HMAC
> authentication
> 56: Data Channel MTU parms: mtu=1450 extra_frame=28 extra_buffer=28
> 57: Authenticate/Decrypt packet error: packet HMAC authentication
> failed
> 58: Authenticate/Decrypt packet error: packet HMAC authentication
> failed
> ... and so on ...
>
> Whereas with v1.1.0 it reads:
>
> 47: OpenVPN 1.1.0 Built On Apr 16 2002
> 48: UDP link local (bound): [undef]:5000
> 49: UDP link remote: 192.168.1.8:5000
> 50: TUN/TAP device tun7 opened
> 51: Static Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
> 52: Static Encrypt: Using 160 bit message digest 'SHA1' for HMAC
> authentication
> 53: Static Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
> 54: Static Decrypt: Using 160 bit message digest 'SHA1' for HMAC
> authentication
> 55: Data Channel MTU parms: mtu=1450 extra_frame=44 extra_buffer=44
> extra_tun=0
> 56: Peer Connection Initiated with 192.168.1.8:5000
>
> and nothing crosses the tunnel.
>
> WHAT DID I MESS UP ???

Try running the above test with --verb 8, then do a ping across the tunnel and email the output from both sides (and generate a temporary key, since --verb 8 will also spew forth the key into the output).

You might also try selectively adding --no-iv, --no-replay, --auth none, or --cipher none to both sides to isolate the problem.

> Do I miss any libraries on the gateway systems ? Can I create
> statically linked executables, so that I don't need to install lib on
> the gateways ? (there is not even a 'make' installed ...)

To statically link OpenVPN, you should download OpenSSL 0.9.6c from the OpenSSL web site http://openssl.org -- build it, and either install it, or if you don't want to wipe out an existing openssl shared lib that other apps use, then just point openvpn's configure script to the header and library directory after you've built a new openssl library with make (but no make install) -- do ./configure --help for more info on pointing openvpn to another dir for openssl. If you link with openssl in this way, it should be a static link.

James
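
Added example (not part of the original message and not OpenVPN project code): a small check that compares the startup lines from two peers' logs and reports where the version or data-channel parameters differ, which is the mismatch the reply asks about. The sample logs are constructed from the two excerpts quoted above with the line-number prefixes and wrapping removed; treating them as the two ends of one tunnel is an assumption the message does not confirm, and the names `summarize` and `compare` are hypothetical.

```python
import re

# Constructed sample input, adapted from the two log excerpts quoted in the message.
LOG_A = """\
OpenVPN 1.0.3 Built On Apr 9 2002
Static: Cipher 'BF-CBC' initialized with 128 bit key
Static: Using 160 bit message digest 'SHA1' for HMAC authentication
Data Channel MTU parms: mtu=1450 extra_frame=28 extra_buffer=28
Authenticate/Decrypt packet error: packet HMAC authentication failed
"""
LOG_B = """\
OpenVPN 1.1.0 Built On Apr 16 2002
Static Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Static Encrypt: Using 160 bit message digest 'SHA1' for HMAC authentication
Data Channel MTU parms: mtu=1450 extra_frame=44 extra_buffer=44 extra_tun=0
Peer Connection Initiated with 192.168.1.8:5000
"""

# One pattern per parameter that both ends of a static-key tunnel must agree on.
PATTERNS = {
    "version": re.compile(r"OpenVPN (\d+\.\d+\.\d+) Built On"),
    "cipher": re.compile(r"Cipher '([^']+)' initialized with (\d+) bit key"),
    "digest": re.compile(r"Using (\d+) bit message digest '([^']+)'"),
    "extra_frame": re.compile(r"extra_frame=(\d+)"),
    "mtu": re.compile(r"\bmtu=(\d+)"),
}

def summarize(log):
    """Extract data-channel parameters and count HMAC failures in one peer's log."""
    out = {}
    for name, rx in PATTERNS.items():
        m = rx.search(log)
        out[name] = m.groups() if m else None
    out["hmac_failures"] = log.count("packet HMAC authentication failed")
    return out

def compare(log_a, log_b):
    """Return (names of parameters that differ, summary A, summary B)."""
    a, b = summarize(log_a), summarize(log_b)
    return sorted(k for k in PATTERNS if a[k] != b[k]), a, b

if __name__ == "__main__":
    diffs, a, b = compare(LOG_A, LOG_B)
    for k in diffs:
        print(f"MISMATCH {k}: peer A={a[k]} peer B={b[k]}")
    print(f"HMAC failures: A={a['hmac_failures']} B={b['hmac_failures']}")
```

A difference in `version` or `extra_frame` between the two ends points at mismatched packet framing before any key or cipher problem needs to be considered.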