
[Openvpn-users] Re: TLS Error: local/remote TLS keys are out of sync


  • Subject: [Openvpn-users] Re: TLS Error: local/remote TLS keys are out of sync
  • From: Steve Shellswell <steve@xxxxxxxxxxxxxxxx>
  • Date: Wed, 01 Dec 2004 09:37:39 +0000

BTW: Just to clarify, the port that the error message reads is 900, not 1194.

When I changed the IP address I changed the port as well.

Thanks for this.

Steve


Steve Shellswell wrote:
Charles Duffy wrote:

On Wed, 01 Dec 2004 08:33:23 +0000, Steve Shellswell wrote:


I am still struggling with this. Please can anyone shed any light on the error message?

TLS Error: local/remote TLS keys are out of sync: 1.2.3.4:1194 [0]



I don't know the error, but the code that would result in the different (desired) path being taken follows:

              if (DECRYPT_KEY_ENABLED (multi, ks)
                  && key_id == ks->key_id
                  && ks->authenticated
                  && addr_port_match(from, &ks->remote_addr))

so... DECRYPT_KEY_ENABLED could be false, the key_id values could fail to
match, the key_state (ks) could be unauthenticated, or we could have no
remote address match.

Without more context (and better knowledge of the surrounding codebase),
I'm not in a good condition to make suggestions wrt which is most likely.
So, let's back up:

This happens every time, immediately after startup -- right?


No. Just sometimes. I first noticed it after I had started and stopped the client end several times in relatively quick succession. This is the output from starting openvpn manually...

-----------------------------------------------------------

Thu Nov 25 10:30:55 2004 us=161333 Current Parameter Settings:
Thu Nov 25 10:30:55 2004 us=161452 config = 'config.ovpn'
Thu Nov 25 10:30:55 2004 us=161502 mode = 0
Thu Nov 25 10:30:55 2004 us=161544 show_ciphers = DISABLED
Thu Nov 25 10:30:55 2004 us=161582 show_digests = DISABLED
Thu Nov 25 10:30:55 2004 us=161619 show_engines = DISABLED
Thu Nov 25 10:30:55 2004 us=161656 genkey = DISABLED
Thu Nov 25 10:30:55 2004 us=161693 key_pass_file = '[UNDEF]'
Thu Nov 25 10:30:55 2004 us=161731 show_tls_ciphers = DISABLED
Thu Nov 25 10:30:55 2004 us=161794 proto = 0
Thu Nov 25 10:30:55 2004 us=161835 NOTE: --mute triggered...
Thu Nov 25 10:30:55 2004 us=161977 173 variation(s) on previous 10 message(s) suppressed by --mute
Thu Nov 25 10:30:55 2004 us=161992 OpenVPN 2.0_beta15 Win32-MinGW [SSL] [LZO] built on Oct 28 2004
Thu Nov 25 10:30:55 2004 us=165986 LZO compression initialized
Thu Nov 25 10:30:55 2004 us=166131 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Thu Nov 25 10:30:55 2004 us=182889 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:19 ET:32 EL:0 ]
Thu Nov 25 10:30:55 2004 us=182970 Local Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Thu Nov 25 10:30:55 2004 us=182988 Expected Remote Options String: 'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Thu Nov 25 10:30:55 2004 us=183020 Local Options hash (VER=V4): 'd79ca330'
Thu Nov 25 10:30:55 2004 us=183042 Expected Remote Options hash (VER=V4): 'f7df56b8'
Thu Nov 25 10:30:55 2004 us=183091 Socket Buffers: R=[8192->8192] S=[8192->8192]
Thu Nov 25 10:30:55 2004 us=183117 UDPv4 link local (bound): [undef]:900
Thu Nov 25 10:30:55 2004 us=183133 UDPv4 link remote: 1.2.3.4:900
Thu Nov 25 10:30:55 2004 us=602337 TLS Error: local/remote TLS keys are out of sync: 1.2.3.4:900 [0]
Thu Nov 25 10:31:06 2004 us=398701 TLS Error: local/remote TLS keys are out of sync: 1.2.3.4:900 [0]
Thu Nov 25 10:31:11 2004 us=304750 TLS Error: local/remote TLS keys are out of sync: 1.2.3.4:900 [0]
Thu Nov 25 10:31:21 2004 us=413660 TLS Error: local/remote TLS keys are out of sync: 1.2.3.4:900 [0]


------------------------------------------------------------


How did you generate your CA/key/cert?


Following the instructions on the howto page.

You're using the same CA on both ends, right?


Yep, CA on the server.

Any other errorlike messages in your output?


Mind posting your config files?


Client end (windows XP) config file:

---------------------------------------------------------------

remote 1.2.3.4

port 900

proto udp

dev tap


tls-client
ca cacert.pem
cert cert.pem
key key.pem


resolv-retry 86400

up-delay

ping 10
ping-restart 300

comp-lzo

verb 4
mute 10

----------------------------------------------------------------

Server End config file (debian):

----------------------------------------------------------------

port 900
mode server
proto udp

tls-server
dh ../ssl/dh1024.pem
ca ../ssl/cacert.pem
cert ovpncert.pem
key ovpnkey.pem
key-method 2

user nobody
group nogroup
persist-key

ping 10
comp-lzo
client-config-dir /etc/openvpn/clients

verb 4
mute 10
up /etc/local/sbin/tapup

dev tap
persist-tun

----------------------------------------------------------------




-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now. http://productguide.itmanagersjournal.com/






____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
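
A small triage script for the client log in this message, as an added example that is not part of the original thread: it groups the "out of sync" errors by peer and key ID and reports how soon after the link line they start and how far apart they are, which is the timing question asked in the reply. The function names are my own, and the sample lines are copied from the log above.

```python
import re
from datetime import datetime

# Lines copied from the client log in the message above.
SAMPLE_LOG = """\
Thu Nov 25 10:30:55 2004 us=183133 UDPv4 link remote: 1.2.3.4:900
Thu Nov 25 10:30:55 2004 us=602337 TLS Error: local/remote TLS keys are out of sync: 1.2.3.4:900 [0]
Thu Nov 25 10:31:06 2004 us=398701 TLS Error: local/remote TLS keys are out of sync: 1.2.3.4:900 [0]
Thu Nov 25 10:31:11 2004 us=304750 TLS Error: local/remote TLS keys are out of sync: 1.2.3.4:900 [0]
Thu Nov 25 10:31:21 2004 us=413660 TLS Error: local/remote TLS keys are out of sync: 1.2.3.4:900 [0]
"""

# "Thu Nov 25 10:30:55 2004 us=161333 <message>" as printed in the log above
LINE = re.compile(r"^(\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) us=(\d+) (.*)$")
OUT_OF_SYNC = re.compile(r"TLS Error: local/remote TLS keys are out of sync: (\S+) \[(\d+)\]")

def parse_ts(stamp, usec):
    """Combine the second-resolution stamp with the us= microsecond field."""
    base = datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y")
    return base.replace(microsecond=int(usec))

def summarize(log_text):
    """Group out-of-sync errors by (peer, key_id) and time them."""
    link_up, groups = None, {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # wrapped or foreign lines are skipped
        ts, msg = parse_ts(m.group(1), m.group(2)), m.group(3)
        if msg.startswith("UDPv4 link remote:"):
            link_up = ts  # a restart resets the reference point
        hit = OUT_OF_SYNC.search(msg)
        if hit:
            g = groups.setdefault((hit.group(1), int(hit.group(2))),
                                  {"stamps": [], "link_up": link_up})
            g["stamps"].append(ts)
    report = []
    for (peer, key_id), g in sorted(groups.items()):
        s = g["stamps"]
        after = (s[0] - g["link_up"]).total_seconds() if g["link_up"] else None
        report.append({
            "peer": peer, "key_id": key_id, "count": len(s),
            "first_after_link_s": None if after is None else round(after, 3),
            "gaps_s": [round((b - a).total_seconds(), 1) for a, b in zip(s, s[1:])],
        })
    return report

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

The gaps it reports can be compared against the `ping` and `ping-restart` values in the two config files to see whether the errors follow periodic traffic from the remote.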