----- Original Message -----
From: "Jed Sheckler" <jedsheckler@xxxxxxxxx>

> On 9/6/06, Charles Duffy <cduffy@xxxxxxxxxxx> wrote:
> >
> > The error you're posting is very much indicative of the keys being
> > wrong, particularly the tls-auth key. Mind using md5sum or a similar
> > tool to be *absolutely certain* they haven't been munged somehow?
> >
> >
> > Using a single tap adapter for multiple VPNs will indeed work so long as
> > only one OpenVPN daemon is (running, and thus) bound to a given adapter
> > at the same time.
> >
>
> My apologies for the faux pas.
>
> I am absolutely certain that the key files are the same. The config files
> were copied in their entirety, with nothing related to the security
> parameters changed. The same security files (not copies!), in the same
> directories, work every time over UDP (with 100% reliability, I might add -
> very nice!) I ran an md5sum check regardless, to make sure I wasn't crazy:
>
> Server Checksum:/etc/openvpn/easy-rsa/keys$ md5sum ta.key
> 3c70d1bd236c901bafafa17934972c39 ta.key
>
> Client Checksum:
> C:\Program Files\OpenVPN\easy-rsa\keys>md5sum ta.key
> 3c70d1bd236c901bafafa17934972c39 *ta.key
>
> Are there any other possible circumstances that could cause this error?

I posted something about this sort of error some time ago but have not been able to find a solution. In my situation, I see this error particularly when there is a lot of LAG on the link (I noticed it particularly when connecting to a server in the UK from New Zealand). I have also seen it when the link was congested where the tunnel will take a couple goes to get started and in the server error logs I see these HMAC failures.

I have considered not using HMAC auth as a result, but it protects my servers from DOS attacks, so I retained it for the sake of the few occurrences of this I have had. The problem is definitely not the TLS auth keys being wrong as the tunnel does work most of the time.

Perhaps TCP Fragmentation is the cause of this where the disassembly and reassembly of fragmented packets somehow screws up the HMAC sig?

Is James Yonan watching this list? Perhaps he might have some suggestions as to the circumstances that might cause this sort of problem.

Cheers
Roland

______________________
OpenVPN mailing lists
https://lists.sourceforge.net/lists/listinfo/openvpn-users
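
The md5sum comparison in the thread checks the raw ta.key file on a Linux server against a Windows client. As an added example (not code from the thread or from OpenVPN), the sketch below goes one step further and compares the decoded key material, so a line-ending difference between the two platforms cannot mask an identical key or be mistaken for a different one. The function names and the sample key are constructed for illustration, and the standard 2048-bit static key file layout is assumed.

```python
import hashlib
import re

BEGIN = "-----BEGIN OpenVPN Static key V1-----"
END = "-----END OpenVPN Static key V1-----"

def key_material(text: str) -> bytes:
    """Return the raw key bytes from an OpenVPN static key file such as ta.key."""
    if BEGIN not in text or END not in text:
        raise ValueError("not an OpenVPN static key file")
    body = text.split(BEGIN, 1)[1].split(END, 1)[0]
    hex_digits = "".join(body.split())  # drops spaces, LF and CRLF alike
    # Assumption: a standard 2048-bit key, i.e. 256 bytes = 512 hex digits.
    if len(hex_digits) != 512 or not re.fullmatch(r"[0-9a-fA-F]+", hex_digits):
        raise ValueError("expected 256 bytes of hex key material")
    return bytes.fromhex(hex_digits)

def key_fingerprint(text: str) -> str:
    """SHA-256 over the decoded key bytes, independent of file formatting."""
    return hashlib.sha256(key_material(text)).hexdigest()

def file_md5(raw: bytes) -> str:
    """What md5sum reports: a digest of the file exactly as stored on disk."""
    return hashlib.md5(raw).hexdigest()

def build_sample(newline: str) -> bytes:
    """Constructed sample file (NOT a real key) with the given line ending."""
    hexkey = bytes(range(256)).hex()
    lines = ["#", "# 2048 bit OpenVPN static key", "#", BEGIN]
    lines += [hexkey[i:i + 32] for i in range(0, 512, 32)]
    lines.append(END)
    return (newline.join(lines) + newline).encode("ascii")

def compare(server_raw: bytes, client_raw: bytes) -> dict:
    """Compare two key files both as raw files and as decoded key material."""
    return {
        "file_md5_equal": file_md5(server_raw) == file_md5(client_raw),
        "key_equal": key_fingerprint(server_raw.decode("ascii"))
                     == key_fingerprint(client_raw.decode("ascii")),
    }

if __name__ == "__main__":
    # Same key saved with Unix and with Windows line endings.
    print(compare(build_sample("\n"), build_sample("\r\n")))
```

Matching file digests, as in the thread, already imply matching key material; the decoded comparison matters when the file digests differ and the cause has to be narrowed down.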