[Openvpn-users] ECONNREFUSED and TLS Error during handshake


  • Subject: [Openvpn-users] ECONNREFUSED and TLS Error during handshake
  • From: Val <vace117@xxxxxxxx>
  • Date: Fri, 2 Mar 2007 18:40:34 +0000 (UTC)

Hello.

I have an OpenVPN problem that I hope someone here might be able to help me 
with.

I was running OpenVPN for a long time without any trouble, but something
happened recently and I can no longer connect. I don't know what changed and I
am not seeing any obvious error messages.

The server log says this:
================================================================
Fri Mar  2 03:08:45 2007 us=310726 OpenVPN 2.0.9 i686-pc-linux [SSL] [LZO] built
on Oct 22 2006
Fri Mar  2 03:08:47 2007 us=625401 Diffie-Hellman initialized with 4096 bit key
Fri Mar  2 03:08:47 2007 us=633136 LZO compression initialized
Fri Mar  2 03:08:47 2007 us=633972 Control Channel MTU parms [ L:1542 D:138
EF:38 EB:0 ET:0 EL:0 ]
Fri Mar  2 03:08:47 2007 us=634770 TUN/TAP device tun1 opened
Fri Mar  2 03:08:47 2007 us=634918 TUN/TAP TX queue length set to 100
Fri Mar  2 03:08:47 2007 us=635045 /sbin/ifconfig tun1 172.16.0.1 pointopoint
172.16.0.2 mtu 1500
Fri Mar  2 03:08:47 2007 us=647516 Data Channel MTU parms [ L:1542 D:1450 EF:42
EB:135 ET:0 EL:0 AF:3/1 ]
Fri Mar  2 03:08:47 2007 us=647752 Local Options String: 'V4,dev-type
tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,ifconfig 172.16.0.2 
172.16.0.1,comp-lzo
,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Fri Mar  2 03:08:47 2007 us=647800 Expected Remote Options String: 'V4,dev-type
tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,ifconfig 172.16.0.1 172.16.0.
2,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Fri Mar  2 03:08:47 2007 us=647952 Local Options hash (VER=V4): '02890f1b'
Fri Mar  2 03:08:47 2007 us=648051 Expected Remote Options hash (VER=V4): 
'8a042371'
Fri Mar  2 03:08:47 2007 us=652935 GID set to nobody
Fri Mar  2 03:08:47 2007 us=653128 UID set to nobody
Fri Mar  2 03:08:47 2007 us=653252 Socket Buffers: R=[107520->131072]
S=[107520->131072]
Fri Mar  2 03:08:47 2007 us=653376 UDPv4 link local (bound): [undef]:15000
Fri Mar  2 03:08:47 2007 us=653424 UDPv4 link remote: [undef]
Fri Mar  2 03:09:17 2007 us=75470 UDPv4 READ [14] from 192.168.7.130:15000:
P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Fri Mar  2 03:09:17 2007 us=75633 TLS: Initial packet from 192.168.7.130:15000,
sid=cfeb000b e1045c1e
Fri Mar  2 03:09:17 2007 us=75871 UDPv4 WRITE [26] to 192.168.7.130:15000:
P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ 0 ] pid=0 DATA len=0
Fri Mar  2 03:09:17 2007 us=89021 UDPv4 READ [22] from 192.168.7.130:15000:
P_ACK_V1 kid=0 [ 0 ]
Fri Mar  2 03:09:17 2007 us=89489 UDPv4 READ [114] from 192.168.7.130:15000:
P_CONTROL_V1 kid=0 [ ] pid=1 DATA len=100
================================================================

The client log says this:
================================================================
Fri Mar  2 03:16:25 2007 us=655359 OpenVPN 2.0.2 i486-pc-linux-gnu [SSL] [LZO] 
[EPOLL] built on Aug 31 2005
Fri Mar  2 03:16:25 2007 us=655466 WARNING: you are using user/group/chroot 
without persist-key/persist-tun -- this may cause restarts to fail
Fri Mar  2 03:16:25 2007 us=655490 WARNING: No server certificate verification 
method has been enabled.  See http://openvpn.net/howto.html#mitm for more
 info.
Fri Mar  2 03:16:25 2007 us=657887 LZO compression initialized
Fri Mar  2 03:16:25 2007 us=657950 MTU DYNAMIC mtu=0, flags=1, 0 -> 138
Fri Mar  2 03:16:25 2007 us=657997 PID packet_id_init seq_backtrack=64 
time_backtrack=15
Fri Mar  2 03:16:25 2007 us=658096 PID packet_id_init seq_backtrack=64 
time_backtrack=15
Fri Mar  2 03:16:25 2007 us=658124 PID packet_id_init seq_backtrack=64 
time_backtrack=15
Fri Mar  2 03:16:25 2007 us=658193 PID packet_id_init seq_backtrack=64 
time_backtrack=15
Fri Mar  2 03:16:25 2007 us=658223 Control Channel MTU parms [ L:1542 D:138 
EF:38 EB:0 ET:0 EL:0 ]
Fri Mar  2 03:16:25 2007 us=658272 MTU DYNAMIC mtu=1450, flags=2, 1542 -> 1450
Fri Mar  2 03:16:25 2007 us=658296 REMOTE_LIST len=1 current=0
Fri Mar  2 03:16:25 2007 us=658318 [0] 192.168.7.129:15000
Fri Mar  2 03:16:25 2007 us=658415 RESOLVE_REMOTE flags=0x0001 phase=1 rrs=0 
sig=-1 status=1
Fri Mar  2 03:16:25 2007 us=664615 TUN/TAP device tun1 opened
Fri Mar  2 03:16:25 2007 us=664765 TUN/TAP TX queue length set to 100
Fri Mar  2 03:16:25 2007 us=664851 ifconfig tun1 172.16.0.2 pointopoint 
172.16.0.1 mtu 1500
Fri Mar  2 03:16:25 2007 us=665645 SYSTEM[2] 'ifconfig tun1 172.16.0.2 
pointopoint 172.16.0.1 mtu 1500'
Fri Mar  2 03:16:25 2007 us=683676 SYSTEM return=0
Fri Mar  2 03:16:25 2007 us=683827 Data Channel MTU parms [ L:1542 D:1450 EF:42 
EB:135 ET:0 EL:0 AF:3/1 ]
Fri Mar  2 03:16:25 2007 us=683918 Local Options String: 'V4,dev-type 
tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,ifconfig 172.16.0.1 
172.16.0.2,comp-lzo
,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Fri Mar  2 03:16:25 2007 us=683941 Expected Remote Options String: 'V4,dev-type 
tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,ifconfig 172.16.0.2 172.16.0.
1,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Fri Mar  2 03:16:25 2007 us=684010 Local Options hash (VER=V4): '8a042371'
Fri Mar  2 03:16:25 2007 us=684052 Expected Remote Options hash (VER=V4): 
'02890f1b'
Fri Mar  2 03:16:25 2007 us=685463 GID set to nobody
Fri Mar  2 03:16:25 2007 us=685544 UID set to nobody
Fri Mar  2 03:16:25 2007 us=685593 Socket Buffers: R=[111616->131072]
S=[111616->131072]
Fri Mar  2 03:16:25 2007 us=685638 UDPv4 link local (bound): [undef]:15000
Fri Mar  2 03:16:25 2007 us=685678 UDPv4 link remote: 192.168.7.129:15000
Fri Mar  2 03:16:25 2007 us=686033 UDPv4 WRITE [14] to 192.168.7.129:15000: 
P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Fri Mar  2 03:16:25 2007 us=691339 UDPv4 READ [26] from 192.168.7.129:15000: 
P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ 0 ] pid=0 DATA len=0
Fri Mar  2 03:16:25 2007 us=691438 TLS: Initial packet from 
192.168.7.129:15000, sid=d36329f9 24791806
Fri Mar  2 03:16:25 2007 us=691595 UDPv4 WRITE [22] to 192.168.7.129:15000: 
P_ACK_V1 kid=0 [ 0 ]
Fri Mar  2 03:16:25 2007 us=691803 UDPv4 WRITE [114] to 192.168.7.129:15000: 
P_CONTROL_V1 kid=0 [ ] pid=1 DATA len=100
Fri Mar  2 03:16:28 2007 us=62097 UDPv4 WRITE [114] to 192.168.7.129:15000: 
P_CONTROL_V1 kid=0 [ ] pid=1 DATA len=100
Fri Mar  2 03:16:28 2007 us=63968 read UDPv4 [ECONNREFUSED]: Connection refused 
(code=111)
Fri Mar  2 03:16:28 2007 us=64038 UDPv4 READ [-1] from [undef]: DATA UNDEF 
len=-1
Fri Mar  2 03:16:30 2007 us=421265 UDPv4 WRITE [114] to 192.168.7.129:15000: 
P_CONTROL_V1 kid=0 [ ] pid=1 DATA len=100
Fri Mar  2 03:16:30 2007 us=423239 read UDPv4 [ECONNREFUSED]: Connection 
refused (code=111)
Fri Mar  2 03:16:30 2007 us=423274 UDPv4 READ [-1] from [undef]: DATA UNDEF 
len=-1
Fri Mar  2 03:16:32 2007 us=780945 UDPv4 WRITE [114] to 192.168.7.129:15000: 
P_CONTROL_V1 kid=0 [ ] pid=1 DATA len=100
Fri Mar  2 03:16:32 2007 us=790631 read UDPv4 [ECONNREFUSED]: Connection 
refused (code=111)
...................[this continues for a while and then:]..............
Fri Mar  2 03:17:31 2007 us=754694 TLS Error: TLS key negotiation failed to
occur within 60 seconds (check your network connectivity)
Fri Mar  2 03:17:31 2007 us=754737 TLS Error: TLS handshake failed

================================================================


I have verified that there is connectivity between 192.168.7.129 (server) and
192.168.7.130 (client) in both directions on port UDP 15000 with netcat. There
is no ICMP traffic allowed, but then I never allowed it before either.

Here is the server config:
  /usr/local/sbin/openvpn \
        --dev tun1 \
        --port 15000 \
        --ifconfig 172.16.0.1 172.16.0.2 \
        --tls-server \
        --push "redirect-gateway local def1" \
        --persist-key \
        --persist-tun \
        --dh /etc/ssl/private/dh4096.pem \
        --ca /etc/ssl/certs/VACE-Root-CA/VACE-Wifi-CA/VACE-Wifi-CA-Chain.crt \
        --cert /etc/ssl/certs/VACE-Root-CA/VACE-Wifi-CA/gatekeeper-wifi-server/gatekeeper-wifi-server.crt \
        --key /etc/ssl/private/gatekeeper.key \
        --user nobody \
        --group nobody \
        --comp-lzo \
        --verb 6 \
        --daemon \
        --log-append /var/log/openvpn/wifi.log

and the client config:
daemon

tls-client

dev tun1
port 15000
ifconfig 172.16.0.2 172.16.0.1
remote 192.168.7.129

ca /etc/ssl/certs/VACE-Wifi-CA-Chain.crt
cert /etc/ssl/certs/laptop-wifi-client.crt
key /etc/ssl/private/laptop.key

user nobody
group nobody

comp-lzo
verb 7
log-append /var/log/openvpn/wifi.log


Any ideas would be greatly appreciated. Thanks.

Val
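A small diagnostic over the two logs, added here as an illustration and not part of Val's post or of OpenVPN itself: it cross-checks the options hash each side expects against the hash the peer reports, flags the client's unacknowledged P_CONTROL_V1 retransmits and the ECONNREFUSED reads, and notes that the server log ends after it read the client's first TLS record without writing one back. The excerpts are constructed from the post's log lines with the timestamps dropped.

```python
import re

# Constructed excerpts of the server and client verb-6 logs from the post
# (timestamps dropped; hashes, addresses and opcodes are the ones the post shows).
SERVER_LOG = """\
Local Options hash (VER=V4): '02890f1b'
Expected Remote Options hash (VER=V4): '8a042371'
UDPv4 READ [14] from 192.168.7.130:15000: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
UDPv4 READ [114] from 192.168.7.130:15000: P_CONTROL_V1 kid=0 [ ] pid=1 DATA len=100
"""
CLIENT_LOG = """\
Local Options hash (VER=V4): '8a042371'
Expected Remote Options hash (VER=V4): '02890f1b'
UDPv4 WRITE [114] to 192.168.7.129:15000: P_CONTROL_V1 kid=0 [ ] pid=1 DATA len=100
UDPv4 WRITE [114] to 192.168.7.129:15000: P_CONTROL_V1 kid=0 [ ] pid=1 DATA len=100
read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
"""

HASH_RE = re.compile(r"(Local|Expected Remote) Options hash \(VER=V4\): '([0-9a-f]+)'")
PKT_RE = re.compile(r"UDPv4 (READ|WRITE) \[\d+\] (?:from|to) \S+: (P_\w+) kid=\d+ \[[^\]]*\] pid=(\d+)")

def parse(log):
    # Returns ({hash kind: value}, [(direction, opcode, pid)], number of ECONNREFUSED reads)
    hashes, packets, refused = {}, [], 0
    for line in log.splitlines():
        if m := HASH_RE.search(line):
            hashes[m.group(1)] = m.group(2)
        if m := PKT_RE.search(line):
            packets.append((m.group(1), m.group(2), int(m.group(3))))
        refused += "[ECONNREFUSED]" in line
    return hashes, packets, refused

def diagnose(server_log, client_log):
    s_hash, s_pkts, _ = parse(server_log)
    c_hash, c_pkts, c_refused = parse(client_log)
    findings = []
    # Each side's "Expected Remote" hash must equal the peer's "Local" hash; otherwise the configs disagree.
    if s_hash.get("Expected Remote") != c_hash.get("Local") or c_hash.get("Expected Remote") != s_hash.get("Local"):
        findings.append("options-hash-mismatch")
    # The same P_CONTROL_V1 pid written more than once means the peer never ACKed it.
    sent = [pid for d, op, pid in c_pkts if d == "WRITE" and op == "P_CONTROL_V1"]
    if len(sent) != len(set(sent)):
        findings.append("control-retransmit")
    # Server read the client's first TLS record (P_CONTROL_V1) but never wrote one of its own.
    ops = {(d, op) for d, op, _ in s_pkts}
    if ("READ", "P_CONTROL_V1") in ops and ("WRITE", "P_CONTROL_V1") not in ops:
        findings.append("server-silent-after-client-hello")
    # ECONNREFUSED on a UDP read is an ICMP port-unreachable delivered to the connected socket.
    if c_refused:
        findings.append("econnrefused")
    return findings
```

On the post's logs the hashes line up on both sides, so the remaining findings point at the transport and at the server side of the handshake rather than at a configuration mismatch.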



______________________
OpenVPN mailing lists
https://lists.sourceforge.net/lists/listinfo/openvpn-users