Caleb,

To the extent I could see, the config looks alright. In our case we are using tun interface, not tap. We use reneg 86400 and we don't get frequent renegotiations.

I feel that it may not be reneg issue, it is possible that your wireless lan is misbehaving and connection is hitting inactivity time-outs? If that is the case, just auth-nocache at client will force them to put the correct pass phrase rather than the client using cached ones. It may also help to increase time-outs if lan is the problem.

However, I don't get any idea about your core problem - server crashing when auth fails!

Regs
Sunil

>>> "Caleb Pal" <m1009@xxxxxxxxxxxx> 02/01/07 3:51 AM >>>

Here is my conf for both server and client

<client>
remote xxx.xx.xxx.xxx
port 1194
dev tap
tls-client
ifconfig xxx.xxx.xxx 255.255.255.0
ifconfig-nowarn
ca file.crt
cert file.crt
key file.key
ping 15
ping-restart 45
ping-timer-rem
persist-tun
persist-key
comp-lzo
verb 3
auth-user-pass
pull
reneg-sec 0
</client>

<server>
dev tap0
tls-server
dh dh.pem
ca file.crt
cert file.crt
key file.key
port 1194
user nobody
group nobody
comp-lzo
plugin /etc/openvpn/openvpn-auth-pam.so openvpn
reneg-sec 0
ping 15
ping-restart 45
ping-timer-rem
persist-tun
persist-key
# Verbosity level.
# 0 -- quiet except for fatal errors.
# 1 -- mostly quiet, but display non-fatal network errors.
# 3 -- medium output, good for normal operation.
# 9 -- verbose, good for troubleshooting
verb 3
</server>

The file /etc/pam.d/openvpn has this line

auth required pam_securid.so debug

This works with SecurID correctly, but when auth fails, it kills the server process.

Sunil, do you have reneg-sec set to 0 also? I have this set, it disables time-based negotiation, keeping the same session key during the entire session. Lowers security, but I haven't found a way around it. This keeps the VPN from having to re-auth every hour, and in my case, also prevents the server from dying every hour.

Client caches user/pass, tries to re-auth in an hour, fails, and then the server dies. I could set auth-nocache, which would keep it from caching, but does not help the fact that somewhere down the road a user is going to type a password wrong, and wreak havoc in my case.

Thanks again,
Caleb

______________________
OpenVPN mailing lists
https://lists.sourceforge.net/lists/listinfo/openvpn-users
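
A small check for the two client settings discussed in this thread, reneg-sec and auth-nocache. This is an added example, not part of the original messages and not OpenVPN's own code. The function names, finding codes and sample configs are made up for illustration, and it assumes one-time passcodes as with SecurID.

```python
import shlex

DEFAULT_RENEG_SEC = 3600  # OpenVPN default when reneg-sec is not set

def parse_directives(text):
    """Map each directive name to the list of its argument lists."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blanks, comments, and the <client>/<server> markers used in the post.
        if not line or line[0] in "#;<":
            continue
        parts = shlex.split(line, comments=True)
        if parts:
            directives.setdefault(parts[0], []).append(parts[1:])
    return directives

def audit(text):
    """Return finding codes for the renegotiation / credential-cache settings."""
    d = parse_directives(text)
    reneg = int(d["reneg-sec"][-1][0]) if "reneg-sec" in d else DEFAULT_RENEG_SEC
    caches = "auth-user-pass" in d and "auth-nocache" not in d
    findings = []
    if reneg == 0:
        # Timed renegotiation is off: the data-channel key is not rotated on a timer.
        findings.append("RENEG_DISABLED")
    if caches:
        # With one-time passcodes, a cached passcode is stale by the next
        # renegotiation; with reneg disabled it is still held in client memory.
        findings.append("STALE_CREDS_ON_RENEG" if reneg else "CREDS_CACHED")
    return findings

# Constructed sample inputs, based on the client settings quoted in the thread.
AS_POSTED = """
tls-client
auth-user-pass
pull
reneg-sec 0
"""
DEFAULT_RENEG = "tls-client\nauth-user-pass\npull\n"
DAILY_NOCACHE = "tls-client\nauth-user-pass\nauth-nocache\nreneg-sec 86400\n"

if __name__ == "__main__":
    for name, cfg in [("as posted", AS_POSTED), ("default reneg", DEFAULT_RENEG),
                      ("daily + auth-nocache", DAILY_NOCACHE)]:
        print(f"{name}: {audit(cfg) or 'no findings'}")
```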