[Openvpn-users] Connecting an openvpn 2.0 client to a openvpn 1.6 server problems


  • Subject: [Openvpn-users] Connecting an openvpn 2.0 client to a openvpn 1.6 server problems
  • From: Darcy Brodie <darcy@xxxxxxxxx>
  • Date: Thu, 05 May 2005 20:32:26 -0600

Hello
I am attempting to create a tunnel VPN between 2 Linux firewalls, to allow computers on the protected network behind firewall #2 to access the servers behind firewall #1, with the high probability of more clients being added to this (the additional
Server information


Openvpn ip range 10.1.0.0/24

Firewall #1 (set to be the vpn server)
Linux Mandrake, version 9.0, kernel 2.4.19
Internal IP range is 192.168.1.0/24
External IP is a static IP from Shaw
Firewall #2 (set to be the vpn client)
Linux Red Hat Enterprise 4.0, kernel 2.6.9
Internal IP range is 192.168.66.0/24
External IP is a dynamic IP from Shaw (it hasn't changed in almost 2 years!)


The only version of OpenVPN that I could get installed on firewall #1 is version 1.6 (I couldn't upgrade PAM and SSL high enough to allow OpenVPN version 2.0 to install).
Firewall #2 has OpenVPN 2.0 installed.


There is a good chance that in the future I will be upgrading Firewall #1 to a newer kernel, and it will then be upgraded to OpenVPN 2.0; however, as mentioned above, there will be additional clients that will remain on the Linux 2.4 kernel and will probably require OpenVPN version 1.6.

Here is my problem. When I initiate the connection, I receive the following output on the client firewall:

Thu May 5 19:31:07 2005 us=731761 Control Channel Authentication: using '/etc/openvpn/ta.key' as a OpenVPN static key file
Thu May 5 19:31:07 2005 us=732347 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu May 5 19:31:07 2005 us=732835 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu May 5 19:31:07 2005 us=733307 LZO compression initialized
Thu May 5 19:31:07 2005 us=736104 Control Channel MTU parms [ L:1542 D:166 EF:66 EB:0 ET:0 EL:0 ]
Thu May 5 19:31:07 2005 us=737008 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:23 ET:0 EL:0 AF:3/1 ]
Thu May 5 19:31:07 2005 us=737870 Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Thu May 5 19:31:07 2005 us=738177 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Thu May 5 19:31:07 2005 us=738940 Local Options hash (VER=V4): '504e774e'
Thu May 5 19:31:07 2005 us=739400 Expected Remote Options hash (VER=V4): '14168603'
Thu May 5 19:31:07 2005 us=739824 Socket Buffers: R=[110592->131072] S=[110592->131072]
Thu May 5 19:31:07 2005 us=740171 UDPv4 link local: [undef]
Thu May 5 19:31:07 2005 us=740498 UDPv4 link remote: 11.22.33.44:1194
Thu May 5 19:31:07 2005 us=750310 TLS: Initial packet from 55.66.77.88:1194, sid=ae83b1d4 493122ed
Thu May 5 19:31:08 2005 us=121645 VERIFY OK: depth=1, /C=CA/ST=Alberta/L=Calgary/O=xxxx./CN=xxxxx
Thu May 5 19:31:08 2005 us=129032 VERIFY OK: depth=0, /C=CA/ST=Alberta/O=xxxxx./CN=gxxxx/xxxxx
Thu May 5 19:31:09 2005 us=229399 NOTE: Options consistency check may be skewed by version differences
Thu May 5 19:31:09 2005 us=229927 WARNING: 'version' is used inconsistently, local='version V4', remote='version V3'
Thu May 5 19:31:09 2005 us=230431 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1542', remote='link-mtu 1574'
Thu May 5 19:31:09 2005 us=230835 WARNING: 'tun-mtu' is used inconsistently, local='tun-mtu 1500', remote='tun-mtu 1532'
Thu May 5 19:31:09 2005 us=238829 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu May 5 19:31:09 2005 us=240186 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu May 5 19:31:09 2005 us=241690 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu May 5 19:31:09 2005 us=242191 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu May 5 19:31:09 2005 us=243305 Control Channel: TLSv1, cipher TLSv1/SSLv3 YYYY-YYY-YYY-YYYY-YYY-YYY, 1024 bit RSA
Thu May 5 19:31:09 2005 us=243858 [g7d9q1.rbsecurity.ca] Peer Connection Initiated with 11.22.33.44:1194
Thu May 5 19:31:10 2005 us=309419 SENT CONTROL [g7d9q1.rbsecurity.ca]: 'PUSH_REQUEST' (status=1)
Thu May 5 19:31:15 2005 us=377063 SENT CONTROL [g7d9q1.rbsecurity.ca]: 'PUSH_REQUEST' (status=1)
Thu May 5 19:31:20 2005 us=444688 SENT CONTROL [g7d9q1.rbsecurity.ca]: 'PUSH_REQUEST' (status=1)
Thu May 5 19:31:25 2005 us=524323 SENT CONTROL [g7d9q1.rbsecurity.ca]: 'PUSH_REQUEST' (status=1)
Thu May 5 19:31:28 2005 us=829144 event_wait : Interrupted system call (code=4)
Thu May 5 19:31:28 2005 us=833724 TCP/UDP: Closing socket
Thu May 5 19:31:28 2005 us=834310 SIGINT[hard,] received, process exiting



As noted in the above log, the client is requesting a PUSH (I suspect it is looking for the server to push the route information to it); however, OpenVPN version 1.6 does not have a push option. There are also 3 warnings regarding values for 'version', 'link-mtu', and 'tun-mtu'. As the line above the warnings states, I suspect that the difference in these values is because of the different OpenVPN versions. While attempting to start the tunnel, ifconfig does show the tun0 device on the server, but nothing on the client.


I have searched Google and the archives with no success.

Thank you for your assistance
------------------------------------------------------------------
##server.conf
dev tun
ifconfig 10.1.0.1 10.1.0.2
up /etc/openvpn/office.up
log /var/log/openvpn/server.log
tls-server
tls-auth /etc/openvpn/ta.key 0
dh /etc/openvpn/dh1024.pem
ca /etc/openvpn/ca.crt
cert /etc/openvpn/g7d9q1.crt
key /etc/openvpn/g7d9q1.key
port 1194
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
key-method 2
#user nobody
#group nobody
comp-lzo
route 192.168.66.0 255.255.255.0
#client-to-client
#push "route 192.168.66.0 255.255.255.0"
## this ping will keep stateful firewall connection alive
#ping 15
## This will allow for a more reliable detection when a system
## loses its connection.
# ping 15
# ping-restart  45
# ping-timer-rem
# persist-on
# persist-key
##Verbosity Level
#verb 3
verb 5
--------------------------------------------------------------
##client.conf
client
dev tun
proto udp
remote 68.146.98.19 1194
ifconfig 10.1.0.2 10.1.0.1
up /etc/openvpn/home.up
resolv-retry infinite
nobind
#user nobody
#group nobody
persist-key
persist-tun
log /var/log/openvpn/client.log
status /var/log/openvpn/openvpn-status.log
ca /etc/openvpn/ca.crt
cert /etc/openvpn/g7d9q1a.crt
key /etc/openvpn/g7d9q1a.key
tls-auth /etc/openvpn/ta.key 1
cipher BF-CBC
comp-lzo
#verb 3
verb 5
;mute 20



____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
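Added example (not part of the original post, and not the poster's or the OpenVPN project's own configuration): a client.conf for the 2.0 side that talks to the 1.6 point-to-point server as configured above. In OpenVPN 2.0 the "client" directive is a helper equivalent to "tls-client" plus "pull"; "pull" is what makes the client send the PUSH_REQUEST messages seen in the log and hold off configuring tun0 until a PUSH_REPLY arrives, which a 1.6 server never sends. Using "tls-client" on its own and setting the addressing and routes locally avoids that. Paths, certificate names, addresses and the server's 192.168.1.0/24 LAN are taken from the post; the added "route" line assumes home.up does not already add that route. The link-mtu/tun-mtu warnings are left alone here: the log itself notes the consistency check is skewed by the version difference, and they do not by themselves stop the tunnel.

```conf
# client.conf for an OpenVPN 2.0 client talking to an OpenVPN 1.6
# point-to-point server (tls-server + ifconfig, no "server"/"push").
#
# Do NOT use "client" here: in 2.0 it expands to "tls-client" plus "pull",
# and "pull" waits for a PUSH_REPLY that a 1.6 server cannot send. The
# client then loops on PUSH_REQUEST and never brings up tun0, exactly as
# in the log above. Use tls-client alone and configure everything locally.
tls-client
dev tun
proto udp
remote 68.146.98.19 1194
nobind
resolv-retry infinite

# Point-to-point addressing, the mirror image of the server's
# "ifconfig 10.1.0.1 10.1.0.2".
ifconfig 10.1.0.2 10.1.0.1

# Route to the server-side LAN (192.168.1.0/24 in the post).
# Assumption: home.up does not already add this route; if it does,
# drop this line so the two do not fight.
route 192.168.1.0 255.255.255.0
up /etc/openvpn/home.up

# Same TLS material as the original client.conf. The tls-auth direction
# (1) must be the opposite of the server's "tls-auth /etc/openvpn/ta.key 0".
ca /etc/openvpn/ca.crt
cert /etc/openvpn/g7d9q1a.crt
key /etc/openvpn/g7d9q1a.key
tls-auth /etc/openvpn/ta.key 1
key-method 2

# Data-channel parameters must match the server. These are the 2.0
# defaults, stated explicitly because the 1.6 server negotiates
# BF-CBC / SHA1 with LZO (see the "Data Channel" lines in the log).
cipher BF-CBC
auth SHA1
comp-lzo

# Unchanged from the original client.conf.
persist-key
persist-tun
log /var/log/openvpn/client.log
status /var/log/openvpn/openvpn-status.log
verb 5
```

After switching to this, a successful start should show tun0 on the client with 10.1.0.2 as soon as the TLS handshake completes (no PUSH_REQUEST lines at all), and the server's existing "route 192.168.66.0 255.255.255.0" plus the client-side route above give the two LANs a path through the tunnel. Once firewall #1 is eventually upgraded to 2.0 and switched to "server" mode, the client can go back to "client" (pull) and receive its routes from the server.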

