OpenVPN

Email Archive: openvpn-users (read-only)

2002:	_Jan	_Feb	_Mar (12)	_Apr (45)	_May (34)	_Jun (50)	_Jul (39)	_Aug (39)	_Sep (29)	_Oct (28)	_Nov (30)	_Dec (28)
2003:	_Jan (18)	_Feb (20)	_Mar (10)	_Apr (19)	_May (72)	_Jun (42)	_Jul (31)	_Aug (153)	_Sep (156)	_Oct (233)	_Nov (213)	_Dec (137)
2004:	_Jan (255)	_Feb (292)	_Mar (449)	_Apr (241)	_May (412)	_Jun (541)	_Jul (532)	_Aug (611)	_Sep (689)	_Oct (804)	_Nov (676)	_Dec (715)
2005:	_Jan (639)	_Feb (695)	_Mar (756)	_Apr (562)	_May (497)	_Jun (424)	_Jul (394)	_Aug (427)	_Sep (390)	_Oct (418)	_Nov (387)	_Dec (494)
2006:	_Jan (503)	_Feb (436)	_Mar (563)	_Apr (448)	_May (400)	_Jun (420)	_Jul (240)	_Aug (362)	_Sep (292)	_Oct (408)	_Nov (318)	_Dec (245)
2007:	_Jan (330)	_Feb (241)	_Mar (259)	_Apr (216)	_May (305)	_Jun (277)	_Jul (288)	_Aug (269)	_Sep (273)	_Oct (248)	_Nov (267)	_Dec (265)
2008:	_Jan (312)	_Feb (454)	_Mar (358)	_Apr (195)	_May (352)	_Jun (305)	_Jul (233)	_Aug (385)	_Sep (441)	_Oct (325)	_Nov (301)	_Dec (329)
2009:	_Jan (344)	_Feb (263)	_Mar (350)	_Apr (262)	_May (255)	_Jun (161)	_Jul (330)	_Aug (281)	_Sep (285)	_Oct (230)	_Nov (304)	_Dec (284)
2010:	_Jan (353)	_Feb (260)	_Mar (357)	_Apr (403)	_May (335)	_Jun (236)	_Jul (199)	_Aug (247)	_Sep (212)	_Oct (160)	_Nov (118)	_Dec (110)
2011:	_Jan (172)	_Feb (105)	_Mar (113)	_Apr (120)	_May (124)	_Jun (88)	_Jul (94)	_Aug (63)	_Sep (78)	_Oct (42)	_Nov (137)	_Dec (90)
2012:	_Jan (75)	_Feb (113)	_Mar (90)	_Apr (77)	_May (68)	_Jun (58)	_Jul (67)	_Aug (119)	_Sep (56)	_Oct (60)	_Nov (72)	_Dec (48)
2013:	_Jan (78)	_Feb (93)	_Mar (114)	_Apr (79)	_May (39)	_Jun	_Jul	_Aug	_Sep	_Oct	_Nov	_Dec


S	M	T	W	T	F	S
			1	2	3	4
			(23)	(43)	(38)	(21)
5	6	7	8	9	10	11
(16)	(8)	(17)	(34)	(27)	(13)	(6)
12	13	14	15	16	17	18
(10)	(27)	(36)	(29)	(20)	(33)	(15)
19	20	21	22	23	24	25
(16)	(22)	(23)	(37)	(19)	(42)	(12)
26	27	28	29	30
	(26)	(12)	(26)	(38)

RE: [Openvpn-users] no ping on XP

From: Palic, Darko <darko.palic@gm...> - 2004-09-07 23:33

And your server?

> #config on windows XP SP1
> 
> remote foo.co
> proto tcp-client
> ifconfig 10.0.0.2 255.255.255.252
> dev tap
> ip-win32 dynamic
> 
> tls-client
> # Certificate Authority file
> ca cacert.pem
> 
> # Our certificate/public key
> cert home.crt
> 
> # Our private key
> key home.key
> 
> #and your route for remote lan
> ;route
> 
> tony

[Openvpn-users] OpenVPN Checksum error

From: Steven Bollinger <sobo@tw...> - 2004-09-07 22:19

I receive incorrect TCP checksum errors during OpenVPN connection
initiation (OpenVPN 2.0_beta11 both client and server). Client OS is
WinXP, Server RHEL AS 2.1 UPD 2. 
After that a RST is received and connection dropped. This is
reproducable, only 5 packets are exchanged for each connection attempt.
Tcpdump (Ethereal) output, server and client debug messages at log level
6 attached below. Reboot of XP does not help, this Problem does not show
up with another server (Fedora Core 2) though the client seems to have
the problem.

Any ideas?

Steven


------------------- TCPDUMP (Ethereal) Output  -------------------

No.     Time        Source                Destination           Protocol Info
      1 0.000000    10.136.35.52          10.136.151.199        TCP      3050 > ftp [SYN] Seq=0 Ack=0 Win=64240 Len=0 MSS=1460

Frame 1 (62 bytes on wire, 62 bytes captured)
Ethernet II, Src: 00:08:02:dd:12:94, Dst: 00:00:0c:07:ac:23
Internet Protocol, Src Addr: 10.136.35.52 (10.136.35.52), Dst Addr: 10.136.151.199 (10.136.151.199)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
    Total Length: 48
    Identification: 0x046e (1134)
    Flags: 0x04 (Don't Fragment)
    Fragment offset: 0
    Time to live: 128
    Protocol: TCP (0x06)
    Header checksum: 0x264f (correct)
    Source: 10.136.35.52 (10.136.35.52)
    Destination: 10.136.151.199 (10.136.151.199)
Transmission Control Protocol, Src Port: 3050 (3050), Dst Port: ftp (21), Seq: 0, Ack: 0, Len: 0
    Source port: 3050 (3050)
    Destination port: ftp (21)
    Sequence number: 0    (relative sequence number)
    Header length: 28 bytes
    Flags: 0x0002 (SYN)
    Window size: 64240
    Checksum: 0x98df (correct)
    Options: (8 bytes)

0000  00 00 0c 07 ac 23 00 08 02 dd 12 94 08 00 45 00   .....#........E.
0010  00 30 04 6e 40 00 80 06 26 4f 0a 88 23 34 0a 88   .0.n@.....
0020  97 c7 0b ea 00 15 47 3e cc 06 00 00 00 00 70 02   ......G>......p.
0030  fa f0 98 df 00 00 02 04 05 b4 01 01 04 02         ..............

No.     Time        Source                Destination           Protocol Info
      2 0.020258    10.136.151.199        10.136.35.52          TCP      ftp > 3050 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1380

Frame 2 (62 bytes on wire, 62 bytes captured)
Ethernet II, Src: 00:50:2a:b6:e4:00, Dst: 00:08:02:dd:12:94
Internet Protocol, Src Addr: 10.136.151.199 (10.136.151.199), Dst Addr: 10.136.35.52 (10.136.35.52)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0xa0 (DSCP 0x28: Class Selector 5; ECN: 0x00)
    Total Length: 48
    Identification: 0x0000 (0)
    Flags: 0x04 (Don't Fragment)
    Fragment offset: 0
    Time to live: 49
    Protocol: TCP (0x06)
    Header checksum: 0x791d (correct)
    Source: 10.136.151.199 (10.136.151.199)
    Destination: 10.136.35.52 (10.136.35.52)
Transmission Control Protocol, Src Port: ftp (21), Dst Port: 3050 (3050), Seq: 0, Ack: 1, Len: 0
    Source port: ftp (21)
    Destination port: 3050 (3050)
    Sequence number: 0    (relative sequence number)
    Acknowledgement number: 1    (relative ack number)
    Header length: 28 bytes
    Flags: 0x0012 (SYN, ACK)
    Window size: 5840
    Checksum: 0x3d39 (correct)
    Options: (8 bytes)
    SEQ/ACK analysis

0000  00 08 02 dd 12 94 00 50 2a b6 e4 00 08 00 45 a0   .......P*.....E.
0010  00 30 00 00 40 00 31 06 79 1d 0a 88 97 c7 0a 88   .0..@..........
0020  23 34 00 15 0b ea 8a 88 b5 7d 47 3e cc 07 70 12   #4.......}G>..p.
0030  16 d0 3d 39 00 00 02 04 05 64 01 01 04 02         ..=9.....d....

No.     Time        Source                Destination           Protocol Info
      3 0.020310    10.136.35.52          10.136.151.199        TCP      3050 > ftp [ACK] Seq=1 Ack=1 Win=64860 [CHECKSUM INCORRECT] Len=0

Frame 3 (54 bytes on wire, 54 bytes captured)
Ethernet II, Src: 00:08:02:dd:12:94, Dst: 00:00:0c:07:ac:23
Internet Protocol, Src Addr: 10.136.35.52 (10.136.35.52), Dst Addr: 10.136.151.199 (10.136.151.199)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
    Total Length: 40
    Identification: 0x0471 (1137)
    Flags: 0x04 (Don't Fragment)
    Fragment offset: 0
    Time to live: 128
    Protocol: TCP (0x06)
    Header checksum: 0x2654 (correct)
    Source: 10.136.35.52 (10.136.35.52)
    Destination: 10.136.151.199 (10.136.151.199)
Transmission Control Protocol, Src Port: 3050 (3050), Dst Port: ftp (21), Seq: 1, Ack: 1, Len: 0
    Source port: 3050 (3050)
    Destination port: ftp (21)
    Sequence number: 1    (relative sequence number)
    Acknowledgement number: 1    (relative ack number)
    Header length: 20 bytes
    Flags: 0x0010 (ACK)
    Window size: 64860
    Checksum: 0xd025 (incorrect, should be 0x8320)
    SEQ/ACK analysis

0000  00 00 0c 07 ac 23 00 08 02 dd 12 94 08 00 45 00   .....#........E.
0010  00 28 04 71 40 00 80 06 26 54 0a 88 23 34 0a 88   .(.q@.....
0020  97 c7 0b ea 00 15 47 3e cc 07 8a 88 b5 7e 50 10   ......G>.....~P.
0030  fd 5c d0 25 00 00                                 .\.%..

No.     Time        Source                Destination           Protocol Info
      4 0.020508    10.136.35.52          10.136.151.199        FTP      Request: \000\0168\257r\350q_H*#\000\000\000\000\000

Frame 4 (70 bytes on wire, 70 bytes captured)
Ethernet II, Src: 00:08:02:dd:12:94, Dst: 00:00:0c:07:ac:23
Internet Protocol, Src Addr: 10.136.35.52 (10.136.35.52), Dst Addr: 10.136.151.199 (10.136.151.199)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
    Total Length: 56
    Identification: 0x0472 (1138)
    Flags: 0x04 (Don't Fragment)
    Fragment offset: 0
    Time to live: 128
    Protocol: TCP (0x06)
    Header checksum: 0x2643 (correct)
    Source: 10.136.35.52 (10.136.35.52)
    Destination: 10.136.151.199 (10.136.151.199)
Transmission Control Protocol, Src Port: 3050 (3050), Dst Port: ftp (21), Seq: 1, Ack: 1, Len: 16
    Source port: 3050 (3050)
    Destination port: ftp (21)
    Sequence number: 1    (relative sequence number)
    Next sequence number: 17    (relative sequence number)
    Acknowledgement number: 1    (relative ack number)
    Header length: 20 bytes
    Flags: 0x0018 (PSH, ACK)
    Window size: 64860
    Checksum: 0xd035 (incorrect, should be 0xfad8)
File Transfer Protocol (FTP)

0000  00 00 0c 07 ac 23 00 08 02 dd 12 94 08 00 45 00   .....#........E.
0010  00 38 04 72 40 00 80 06 26 43 0a 88 23 34 0a 88   .8.r@.....
0020  97 c7 0b ea 00 15 47 3e cc 07 8a 88 b5 7e 50 18   ......G>.....~P.
0030  fd 5c d0 35 00 00 00 0e 38 af 72 e8 71 5f 48 2a   .\.5....8.r.q_H*
0040  23 00 00 00 00 00                                 #.....

No.     Time        Source                Destination           Protocol Info
      5 0.021170    10.136.151.199        10.136.35.52          TCP      ftp > 3050 [RST] Seq=1 Ack=1 Win=0 Len=0

Frame 5 (60 bytes on wire, 60 bytes captured)
Ethernet II, Src: 00:50:2a:b6:e4:00, Dst: 00:08:02:dd:12:94
Internet Protocol, Src Addr: 10.136.151.199 (10.136.151.199), Dst Addr: 10.136.35.52 (10.136.35.52)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
    Total Length: 40
    Identification: 0x0472 (1138)
    Flags: 0x04 (Don't Fragment)
    Fragment offset: 0
    Time to live: 55
    Protocol: TCP (0x06)
    Header checksum: 0x6f53 (correct)
    Source: 10.136.151.199 (10.136.151.199)
    Destination: 10.136.35.52 (10.136.35.52)
Transmission Control Protocol, Src Port: ftp (21), Dst Port: 3050 (3050), Seq: 1, Ack: 1, Len: 0
    Source port: ftp (21)
    Destination port: 3050 (3050)
    Sequence number: 1    (relative sequence number)
    Header length: 20 bytes
    Flags: 0x0004 (RST)
    Window size: 0
    Checksum: 0x8089 (correct)
    SEQ/ACK analysis

0000  00 08 02 dd 12 94 00 50 2a b6 e4 00 08 00 45 00   .......P*.....E.
0010  00 28 04 72 40 00 37 06 6f 53 0a 88 97 c7 0a 88   .(.r@.........
0020  23 34 00 15 0b ea 8a 88 b5 7e 47 3e cc 07 50 04   #4.......~G>..P.
0030  00 00 80 89 00 00 00 00 00 00 00 00               ............



------------------- Server Debug Output -------------------

# openvpn ./server.conf
Tue Sep  7 22:54:33 2004 us=848715 Current Parameter Settings:
Tue Sep  7 22:54:33 2004 us=848826   config = './server.conf'
Tue Sep  7 22:54:33 2004 us=848838   mode = 1
Tue Sep  7 22:54:33 2004 us=848847   persist_config = DISABLED
Tue Sep  7 22:54:33 2004 us=848856   persist_mode = 1
Tue Sep  7 22:54:33 2004 us=848865   show_ciphers = DISABLED
Tue Sep  7 22:54:33 2004 us=848874   show_digests = DISABLED
Tue Sep  7 22:54:33 2004 us=848883   genkey = DISABLED
Tue Sep  7 22:54:33 2004 us=848894   askpass = DISABLED
Tue Sep  7 22:54:33 2004 us=848903   show_tls_ciphers = DISABLED
Tue Sep  7 22:54:33 2004 us=848913   proto = 1
Tue Sep  7 22:54:33 2004 us=848922   local = '10.136.151.199'
Tue Sep  7 22:54:33 2004 us=848931   remote_list = NULL
Tue Sep  7 22:54:33 2004 us=848940   remote_random = DISABLED
Tue Sep  7 22:54:33 2004 us=848950   local_port = 21
Tue Sep  7 22:54:33 2004 us=848959   remote_port = 21
Tue Sep  7 22:54:33 2004 us=848968   remote_float = DISABLED
Tue Sep  7 22:54:33 2004 us=848977   ipchange = '[UNDEF]'
Tue Sep  7 22:54:33 2004 us=848986   bind_local = ENABLED
Tue Sep  7 22:54:33 2004 us=848996   dev = 'tun'
Tue Sep  7 22:54:33 2004 us=849006   dev_type = '[UNDEF]'
Tue Sep  7 22:54:33 2004 us=849014   dev_node = '[UNDEF]'
Tue Sep  7 22:54:33 2004 us=849023   tun_ipv6 = DISABLED
Tue Sep  7 22:54:33 2004 us=849032   ifconfig_local = '192.168.137.1'
Tue Sep  7 22:54:33 2004 us=849044   ifconfig_remote_netmask = '192.168.137.2'
Tue Sep  7 22:54:33 2004 us=849053   ifconfig_noexec = DISABLED
Tue Sep  7 22:54:33 2004 us=849062   ifconfig_nowarn = DISABLED
Tue Sep  7 22:54:33 2004 us=849072   shaper = 0
Tue Sep  7 22:54:33 2004 us=849081   tun_mtu = 1500
Tue Sep  7 22:54:33 2004 us=849091   tun_mtu_defined = ENABLED
Tue Sep  7 22:54:33 2004 us=849100   link_mtu = 1500
Tue Sep  7 22:54:33 2004 us=849109   link_mtu_defined = DISABLED
Tue Sep  7 22:54:33 2004 us=849119   tun_mtu_extra = 0
Tue Sep  7 22:54:33 2004 us=849128   tun_mtu_extra_defined = DISABLED
Tue Sep  7 22:54:33 2004 us=849137   fragment = 0
Tue Sep  7 22:54:33 2004 us=849146   mtu_discover_type = -1
Tue Sep  7 22:54:33 2004 us=849155   mtu_test = 0
Tue Sep  7 22:54:33 2004 us=849165   mlock = DISABLED
Tue Sep  7 22:54:33 2004 us=849174   keepalive_ping = 10
Tue Sep  7 22:54:33 2004 us=849183   keepalive_timeout = 60
Tue Sep  7 22:54:33 2004 us=849192   inactivity_timeout = 0
Tue Sep  7 22:54:33 2004 us=849201   ping_send_timeout = 10
Tue Sep  7 22:54:33 2004 us=849210   ping_rec_timeout = 120
Tue Sep  7 22:54:33 2004 us=849220   ping_rec_timeout_action = 2
Tue Sep  7 22:54:33 2004 us=849230   ping_timer_remote = DISABLED
Tue Sep  7 22:54:33 2004 us=849239   explicit_exit_notification = 0
Tue Sep  7 22:54:33 2004 us=849248   persist_tun = ENABLED
Tue Sep  7 22:54:33 2004 us=849258   persist_local_ip = DISABLED
Tue Sep  7 22:54:33 2004 us=849267   persist_remote_ip = DISABLED
Tue Sep  7 22:54:33 2004 us=849276   persist_key = ENABLED
Tue Sep  7 22:54:33 2004 us=849286   mssfix = 1450
Tue Sep  7 22:54:33 2004 us=849296   passtos = DISABLED
Tue Sep  7 22:54:33 2004 us=849305   resolve_retry_seconds = 0
Tue Sep  7 22:54:33 2004 us=849314   connect_retry_seconds = 5
Tue Sep  7 22:54:33 2004 us=849323   username = 'openvpn'
Tue Sep  7 22:54:33 2004 us=849332   groupname = 'openvpn'
Tue Sep  7 22:54:33 2004 us=849341   chroot_dir = '[UNDEF]'
Tue Sep  7 22:54:33 2004 us=849351   cd_dir = '[UNDEF]'
Tue Sep  7 22:54:33 2004 us=849360   writepid = '[UNDEF]'
Tue Sep  7 22:54:33 2004 us=849369   up_script = '[UNDEF]'
Tue Sep  7 22:54:33 2004 us=849378   down_script = '[UNDEF]'
Tue Sep  7 22:54:33 2004 us=849387   up_restart = DISABLED
Tue Sep  7 22:54:33 2004 us=849397   up_delay = DISABLED
Tue Sep  7 22:54:33 2004 us=849406   daemon = DISABLED
Tue Sep  7 22:54:33 2004 us=849415   inetd = 0
Tue Sep  7 22:54:33 2004 us=849424   log = DISABLED
Tue Sep  7 22:54:33 2004 us=849433   nice = 0
Tue Sep  7 22:54:33 2004 us=849442   verbosity = 6
Tue Sep  7 22:54:33 2004 us=849454   mute = 0
Tue Sep  7 22:54:33 2004 us=849462   gremlin = DISABLED
Tue Sep  7 22:54:33 2004 us=849471   status_file = '/tmp/openvpn-status.log'
Tue Sep  7 22:54:33 2004 us=849481   status_file_update_freq = 60
Tue Sep  7 22:54:33 2004 us=849490   occ = ENABLED
Tue Sep  7 22:54:33 2004 us=849499   rcvbuf = 65536
Tue Sep  7 22:54:33 2004 us=849509   sndbuf = 65536
Tue Sep  7 22:54:33 2004 us=849518   http_proxy_server = '[UNDEF]'
Tue Sep  7 22:54:33 2004 us=849527   http_proxy_port = 0
Tue Sep  7 22:54:33 2004 us=849536   http_proxy_auth_method = '[UNDEF]'
Tue Sep  7 22:54:33 2004 us=849545   http_proxy_auth_file = '[UNDEF]'
Tue Sep  7 22:54:33 2004 us=849557   http_proxy_retry = DISABLED
Tue Sep  7 22:54:33 2004 us=849566   socks_proxy_server = '[UNDEF]'
Tue Sep  7 22:54:33 2004 us=849575   socks_proxy_port = 0
Tue Sep  7 22:54:33 2004 us=849584   socks_proxy_retry = DISABLED
Tue Sep  7 22:54:33 2004 us=849593   comp_lzo = ENABLED
Tue Sep  7 22:54:33 2004 us=849604   comp_lzo_adaptive = ENABLED
Tue Sep  7 22:54:33 2004 us=849614   route_script = '[UNDEF]'
Tue Sep  7 22:54:33 2004 us=849623   route_default_gateway = '[UNDEF]'
Tue Sep  7 22:54:33 2004 us=849632   route_noexec = DISABLED
Tue Sep  7 22:54:33 2004 us=849641   route_delay = 0
Tue Sep  7 22:54:33 2004 us=849651   route_delay_window = 30
Tue Sep  7 22:54:33 2004 us=849660   route_delay_defined = DISABLED
Tue Sep  7 22:54:33 2004 us=849671   route 192.168.137.0/255.255.255.0/nil/nil
Tue Sep  7 22:54:33 2004 us=849680   shared_secret_file = '[UNDEF]'
Tue Sep  7 22:54:33 2004 us=849689   key_direction = 0
Tue Sep  7 22:54:33 2004 us=849698   ciphername_defined = ENABLED
Tue Sep  7 22:54:33 2004 us=849708   ciphername = 'BF-CBC'
Tue Sep  7 22:54:33 2004 us=849718   authname_defined = ENABLED
Tue Sep  7 22:54:33 2004 us=849727   authname = 'SHA1'
Tue Sep  7 22:54:33 2004 us=849737   keysize = 0
Tue Sep  7 22:54:33 2004 us=849745   engine = DISABLED
Tue Sep  7 22:54:33 2004 us=849754   replay = ENABLED
Tue Sep  7 22:54:33 2004 us=849764   mute_replay_warnings = DISABLED
Tue Sep  7 22:54:33 2004 us=849774   replay_window = 0
Tue Sep  7 22:54:33 2004 us=849783   replay_time = 0
Tue Sep  7 22:54:33 2004 us=849792   packet_id_file = '[UNDEF]'
Tue Sep  7 22:54:33 2004 us=849801   use_iv = ENABLED
Tue Sep  7 22:54:33 2004 us=849810   test_crypto = DISABLED
Tue Sep  7 22:54:33 2004 us=849820   tls_server = ENABLED
Tue Sep  7 22:54:33 2004 us=849829   tls_client = DISABLED
Tue Sep  7 22:54:33 2004 us=849838   key_method = 2
Tue Sep  7 22:54:33 2004 us=849848   ca_file = '/usr/local/etc/openvpn/keys/ca.crt'
Tue Sep  7 22:54:33 2004 us=849858   dh_file = '/usr/local/etc/openvpn/keys/dh1024.pem'
Tue Sep  7 22:54:33 2004 us=849867   cert_file = '/usr/local/etc/openvpn/keys/server.crt'
Tue Sep  7 22:54:33 2004 us=849879   priv_key_file = '/usr/local/etc/openvpn/keys/server.key'
Tue Sep  7 22:54:33 2004 us=849889   pkcs12_file = '[UNDEF]'
Tue Sep  7 22:54:33 2004 us=849898   cipher_list = '[UNDEF]'
Tue Sep  7 22:54:33 2004 us=849907   tls_verify = '[UNDEF]'
Tue Sep  7 22:54:33 2004 us=849916   tls_remote = '[UNDEF]'
Tue Sep  7 22:54:33 2004 us=849925   crl_file = '[UNDEF]'
Tue Sep  7 22:54:33 2004 us=849935   tls_timeout = 2
Tue Sep  7 22:54:33 2004 us=849944   renegotiate_bytes = 0
Tue Sep  7 22:54:33 2004 us=849954   renegotiate_packets = 0
Tue Sep  7 22:54:33 2004 us=849963   renegotiate_seconds = 3600
Tue Sep  7 22:54:33 2004 us=849972   handshake_window = 60
Tue Sep  7 22:54:33 2004 us=849981   transition_window = 3600
Tue Sep  7 22:54:33 2004 us=849991   single_session = DISABLED
Tue Sep  7 22:54:33 2004 us=850001   tls_auth_file = '[UNDEF]'
Tue Sep  7 22:54:33 2004 us=850012   server_network = 192.168.137.0
Tue Sep  7 22:54:33 2004 us=850022   server_netmask = 255.255.255.0
Tue Sep  7 22:54:33 2004 us=850033   server_bridge_ip = 0.0.0.0
Tue Sep  7 22:54:33 2004 us=850044   server_bridge_netmask = 0.0.0.0
Tue Sep  7 22:54:33 2004 us=850056   server_bridge_pool_start = 0.0.0.0
Tue Sep  7 22:54:33 2004 us=850067   server_bridge_pool_end = 0.0.0.0
Tue Sep  7 22:54:33 2004 us=850076   client = DISABLED
Tue Sep  7 22:54:33 2004 us=850089   push_list = 'route 192.168.137.1,ping 10,ping-restart 60'
Tue Sep  7 22:54:33 2004 us=850099   pull = DISABLED
Tue Sep  7 22:54:33 2004 us=850109   ifconfig_pool_defined = ENABLED
Tue Sep  7 22:54:33 2004 us=850120   ifconfig_pool_start = 192.168.137.4
Tue Sep  7 22:54:33 2004 us=850130   ifconfig_pool_end = 192.168.137.251
Tue Sep  7 22:54:33 2004 us=850141   ifconfig_pool_netmask = 0.0.0.0
Tue Sep  7 22:54:33 2004 us=850150   n_bcast_buf = 256
Tue Sep  7 22:54:33 2004 us=850161   tcp_queue_limit = 64
Tue Sep  7 22:54:33 2004 us=850170   real_hash_size = 256
Tue Sep  7 22:54:33 2004 us=850179   virtual_hash_size = 256
Tue Sep  7 22:54:33 2004 us=850188   client_connect_script = '[UNDEF]'
Tue Sep  7 22:54:33 2004 us=850198   learn_address_script = '[UNDEF]'
Tue Sep  7 22:54:33 2004 us=850207   client_disconnect_script = '[UNDEF]'
Tue Sep  7 22:54:33 2004 us=850217   client_config_dir = '[UNDEF]'
Tue Sep  7 22:54:33 2004 us=850226   tmp_dir = '[UNDEF]'
Tue Sep  7 22:54:33 2004 us=850236   push_ifconfig_defined = DISABLED
Tue Sep  7 22:54:33 2004 us=850246   push_ifconfig_local = 0.0.0.0
Tue Sep  7 22:54:33 2004 us=850256   push_ifconfig_remote_netmask = 0.0.0.0
Tue Sep  7 22:54:33 2004 us=850266   enable_c2c = DISABLED
Tue Sep  7 22:54:33 2004 us=850276   duplicate_cn = ENABLED
Tue Sep  7 22:54:33 2004 us=850285   cf_max = 0
Tue Sep  7 22:54:33 2004 us=850294   cf_per = 0
Tue Sep  7 22:54:33 2004 us=850303   max_clients = 10
Tue Sep  7 22:54:33 2004 us=850325 OpenVPN 2.0_beta11 i686-pc-linux [SSL] [LZO] built on Aug 26 2004
Tue Sep  7 22:54:33 2004 us=860399 Diffie-Hellman initialized with 1024 bit key
Tue Sep  7 22:54:33 2004 us=861193 TLS-Auth MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
Tue Sep  7 22:54:33 2004 us=864107 TUN/TAP device tun0 opened
Tue Sep  7 22:54:33 2004 us=864231 TUN/TAP TX queue length set to 100
Tue Sep  7 22:54:33 2004 us=864332 /sbin/ifconfig tun0 192.168.137.1 pointopoint 192.168.137.2 mtu 1500
Tue Sep  7 22:54:33 2004 us=874227 /sbin/route add -net 192.168.137.0 netmask 255.255.255.0 gw 192.168.137.2
Tue Sep  7 22:54:33 2004 us=880858 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:19 ET:0 EL:0 ]
Tue Sep  7 22:54:33 2004 us=881552 GID set to openvpn
Tue Sep  7 22:54:33 2004 us=881698 UID set to openvpn
Tue Sep  7 22:54:33 2004 us=881767 Listening for incoming TCP connection on 10.136.151.199:21
Tue Sep  7 22:54:33 2004 us=881856 Socket Buffers: R=[87380->131072] S=[16384->131072]
Tue Sep  7 22:54:33 2004 us=881933 TCPv4_SERVER link local (bound): 10.136.151.199:21
Tue Sep  7 22:54:33 2004 us=881993 TCPv4_SERVER link remote: [undef]
Tue Sep  7 22:54:33 2004 us=882049 MULTI: multi_init called, r=256 v=256
Tue Sep  7 22:54:33 2004 us=882131 IFCONFIG POOL: base=192.168.137.4 size=62
Tue Sep  7 22:54:33 2004 us=882197 MULTI: TCP INIT maxclients=10 maxevents=13
Tue Sep  7 22:54:57 2004 us=118043 MULTI: multi_create_instance called
Tue Sep  7 22:54:57 2004 us=118087 Re-using SSL/TLS context
Tue Sep  7 22:54:57 2004 us=118116 LZO compression initialized
Tue Sep  7 22:54:57 2004 us=118306 Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
Tue Sep  7 22:54:57 2004 us=118340 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:19 ET:0 EL:0 ]
Tue Sep  7 22:54:57 2004 us=118392 Local Options String: 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Tue Sep  7 22:54:57 2004 us=118405 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Tue Sep  7 22:54:57 2004 us=118449 Local Options hash (VER=V4): 'c0103fa8'
Tue Sep  7 22:54:57 2004 us=118467 Expected Remote Options hash (VER=V4): '69109d17'
Tue Sep  7 22:54:57 2004 us=118524 TCP connection established with 10.136.35.52:3079
Tue Sep  7 22:54:57 2004 us=118543 Socket Buffers: R=[131072->131072] S=[131072->131072]
Tue Sep  7 22:54:57 2004 us=118560 TCPv4_SERVER link local: [undef]
Tue Sep  7 22:54:57 2004 us=118572 TCPv4_SERVER link remote: 10.136.35.52:3079
Tue Sep  7 22:54:57 2004 us=118760 10.136.35.52:3079 TCPv4_SERVER WRITE [14] to 10.136.35.52:3079: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ ] pid=0 DATA len=0
Tue Sep  7 22:54:57 2004 us=137861 Connection reset, restarting [-1]


------------------- Client Debug Output -------------------


Tue Sep 07 22:59:16 2004 us=589615   sndbuf = 0
Tue Sep 07 22:59:16 2004 us=589741   http_proxy_server = '[UNDEF]'
Tue Sep 07 22:59:16 2004 us=589887   http_proxy_port = 0
Tue Sep 07 22:59:16 2004 us=590018   http_proxy_auth_method = '[UNDEF]'
Tue Sep 07 22:59:16 2004 us=590150   http_proxy_auth_file = '[UNDEF]'
Tue Sep 07 22:59:16 2004 us=590281   http_proxy_retry = DISABLED
Tue Sep 07 22:59:16 2004 us=590410   socks_proxy_server = '[UNDEF]'
Tue Sep 07 22:59:16 2004 us=590540   socks_proxy_port = 0
Tue Sep 07 22:59:16 2004 us=590668   socks_proxy_retry = DISABLED
Tue Sep 07 22:59:16 2004 us=590797   comp_lzo = ENABLED
Tue Sep 07 22:59:16 2004 us=590925   comp_lzo_adaptive = ENABLED
Tue Sep 07 22:59:16 2004 us=591054   route_script = '[UNDEF]'
Tue Sep 07 22:59:16 2004 us=591183   route_default_gateway = '[UNDEF]'
Tue Sep 07 22:59:16 2004 us=591313   route_noexec = DISABLED
Tue Sep 07 22:59:16 2004 us=591441   route_delay = 0
Tue Sep 07 22:59:16 2004 us=591567   route_delay_window = 30
Tue Sep 07 22:59:16 2004 us=591696   route_delay_defined = ENABLED
Tue Sep 07 22:59:16 2004 us=591826   shared_secret_file = '[UNDEF]'
Tue Sep 07 22:59:16 2004 us=591957   key_direction = 0
Tue Sep 07 22:59:16 2004 us=592084   ciphername_defined = ENABLED
Tue Sep 07 22:59:16 2004 us=592240   ciphername = 'BF-CBC'
Tue Sep 07 22:59:16 2004 us=592371   authname_defined = ENABLED
Tue Sep 07 22:59:16 2004 us=592501   authname = 'SHA1'
Tue Sep 07 22:59:16 2004 us=592628   keysize = 0
Tue Sep 07 22:59:16 2004 us=592753   engine = DISABLED
Tue Sep 07 22:59:16 2004 us=592880   replay = ENABLED
Tue Sep 07 22:59:16 2004 us=593008   mute_replay_warnings = DISABLED
Tue Sep 07 22:59:16 2004 us=593139   replay_window = 0
Tue Sep 07 22:59:16 2004 us=593266   replay_time = 0
Tue Sep 07 22:59:16 2004 us=593393   packet_id_file = '[UNDEF]'
Tue Sep 07 22:59:16 2004 us=593521   use_iv = ENABLED
Tue Sep 07 22:59:16 2004 us=593648   test_crypto = DISABLED
Tue Sep 07 22:59:16 2004 us=593777   tls_server = DISABLED
Tue Sep 07 22:59:16 2004 us=593904   tls_client = ENABLED
Tue Sep 07 22:59:16 2004 us=594032   key_method = 2
Tue Sep 07 22:59:16 2004 us=594159   ca_file = 'C:\Program Files\OpenVPN\config\
keys\ca.crt'
Tue Sep 07 22:59:16 2004 us=594328   dh_file = '[UNDEF]'
Tue Sep 07 22:59:16 2004 us=594457   cert_file = 'C:\Program Files\OpenVPN\confi
g\keys\client.crt'
Tue Sep 07 22:59:16 2004 us=594684   priv_key_file = 'C:\Program Files\OpenVPN\c
onfig\keys\client.key'
Tue Sep 07 22:59:16 2004 us=594856   pkcs12_file = '[UNDEF]'
Tue Sep 07 22:59:16 2004 us=594987   cipher_list = '[UNDEF]'
Tue Sep 07 22:59:16 2004 us=595116   tls_verify = '[UNDEF]'
Tue Sep 07 22:59:16 2004 us=595244   tls_remote = '[UNDEF]'
Tue Sep 07 22:59:16 2004 us=595371   crl_file = '[UNDEF]'
Tue Sep 07 22:59:16 2004 us=595498   tls_timeout = 2
Tue Sep 07 22:59:16 2004 us=595624   renegotiate_bytes = 0
Tue Sep 07 22:59:16 2004 us=595751   renegotiate_packets = 0
Tue Sep 07 22:59:16 2004 us=595880   renegotiate_seconds = 3600
Tue Sep 07 22:59:16 2004 us=596009   handshake_window = 60
Tue Sep 07 22:59:16 2004 us=596137   transition_window = 3600
Tue Sep 07 22:59:16 2004 us=596265   single_session = DISABLED
Tue Sep 07 22:59:16 2004 us=596393   tls_auth_file = '[UNDEF]'
Tue Sep 07 22:59:16 2004 us=596536   server_network = 0.0.0.0
Tue Sep 07 22:59:16 2004 us=596670   server_netmask = 0.0.0.0
Tue Sep 07 22:59:16 2004 us=596801   server_bridge_ip = 0.0.0.0
Tue Sep 07 22:59:16 2004 us=596933   server_bridge_netmask = 0.0.0.0
Tue Sep 07 22:59:16 2004 us=597092   server_bridge_pool_start = 0.0.0.0
Tue Sep 07 22:59:16 2004 us=597227   server_bridge_pool_end = 0.0.0.0
Tue Sep 07 22:59:16 2004 us=597357   client = ENABLED
Tue Sep 07 22:59:16 2004 us=597484   pull = ENABLED
Tue Sep 07 22:59:16 2004 us=597611   ifconfig_pool_defined = DISABLED
Tue Sep 07 22:59:16 2004 us=597744   ifconfig_pool_start = 0.0.0.0
Tue Sep 07 22:59:16 2004 us=597876   ifconfig_pool_end = 0.0.0.0
Tue Sep 07 22:59:16 2004 us=598007   ifconfig_pool_netmask = 0.0.0.0
Tue Sep 07 22:59:16 2004 us=598137   n_bcast_buf = 256
Tue Sep 07 22:59:16 2004 us=598264   tcp_queue_limit = 64
Tue Sep 07 22:59:16 2004 us=598391   real_hash_size = 256
Tue Sep 07 22:59:16 2004 us=598519   virtual_hash_size = 256
Tue Sep 07 22:59:16 2004 us=598647   client_connect_script = '[UNDEF]'
Tue Sep 07 22:59:16 2004 us=598777   learn_address_script = '[UNDEF]'
Tue Sep 07 22:59:16 2004 us=598908   client_disconnect_script = '[UNDEF]'
Tue Sep 07 22:59:16 2004 us=599061   client_config_dir = '[UNDEF]'
Tue Sep 07 22:59:16 2004 us=599194   tmp_dir = '[UNDEF]'
Tue Sep 07 22:59:16 2004 us=599322   push_ifconfig_defined = DISABLED
Tue Sep 07 22:59:16 2004 us=599456   push_ifconfig_local = 0.0.0.0
Tue Sep 07 22:59:16 2004 us=599588   push_ifconfig_remote_netmask = 0.0.0.0
Tue Sep 07 22:59:16 2004 us=599719   enable_c2c = DISABLED
Tue Sep 07 22:59:16 2004 us=599846   duplicate_cn = DISABLED
Tue Sep 07 22:59:16 2004 us=599973   cf_max = 0
Tue Sep 07 22:59:16 2004 us=600098   cf_per = 0
Tue Sep 07 22:59:16 2004 us=600224   max_clients = 1024
Tue Sep 07 22:59:16 2004 us=600356   show_net_up = DISABLED
Tue Sep 07 22:59:16 2004 us=600484   route_method = 0
Tue Sep 07 22:59:16 2004 us=600611   ip_win32_defined = DISABLED
Tue Sep 07 22:59:16 2004 us=600739   ip_win32_type = 3
Tue Sep 07 22:59:16 2004 us=600865   dhcp_masq_offset = 0
Tue Sep 07 22:59:16 2004 us=600993   dhcp_lease_time = 31536000
Tue Sep 07 22:59:16 2004 us=601121   tap_sleep = 0
Tue Sep 07 22:59:16 2004 us=601247   dhcp_options = DISABLED
Tue Sep 07 22:59:16 2004 us=601400   dhcp_renew = DISABLED
Tue Sep 07 22:59:16 2004 us=601530   dhcp_release = DISABLED
Tue Sep 07 22:59:16 2004 us=601659   domain = '[UNDEF]'
Tue Sep 07 22:59:16 2004 us=601786   netbios_scope = '[UNDEF]'
Tue Sep 07 22:59:16 2004 us=601915   netbios_node_type = 0
Tue Sep 07 22:59:16 2004 us=602292 OpenVPN 2.0_beta11 Win32-MinGW [SSL] [LZO] bu
ilt on Aug 18 2004
Tue Sep 07 22:59:16 2004 us=608431 LZO compression initialized
Tue Sep 07 22:59:16 2004 us=608836 Control Channel MTU parms [ L:1544 D:140 EF:4
0 EB:0 ET:0 EL:0 ]
Tue Sep 07 22:59:16 2004 us=612509 Data Channel MTU parms [ L:1544 D:1450 EF:44
EB:19 ET:0 EL:0 ]
Tue Sep 07 22:59:16 2004 us=612818 Local Options String: 'V4,dev-type tun,link-m
tu 1544,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,cipher BF-CBC,auth SHA1,keysize
 128,key-method 2,tls-client'
Tue Sep 07 22:59:16 2004 us=613044 Expected Remote Options String: 'V4,dev-type
tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,cipher BF-CBC,auth SH
A1,keysize 128,key-method 2,tls-server'
Tue Sep 07 22:59:16 2004 us=613300 Local Options hash (VER=V4): '69109d17'
Tue Sep 07 22:59:16 2004 us=613466 Expected Remote Options hash (VER=V4): 'c0103
fa8'
Tue Sep 07 22:59:16 2004 us=613680 Attempting to establish TCP connection with 1
0.136.151.199:21
Tue Sep 07 22:59:16 2004 us=615551 TCP connection established with 10.136.151.19
9:21
Tue Sep 07 22:59:16 2004 us=615791 Socket Buffers: R=[8192->8192] S=[8192->8192]

Tue Sep 07 22:59:16 2004 us=615965 TCPv4_CLIENT link local: [undef]
Tue Sep 07 22:59:16 2004 us=616104 TCPv4_CLIENT link remote: 10.136.151.199:21
Tue Sep 07 22:59:16 2004 us=616387 TCPv4_CLIENT WRITE [14] to 10.136.151.199:21:
 P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Tue Sep 07 22:59:16 2004 us=643016 Connection reset, restarting [0]
Tue Sep 07 22:59:16 2004 us=890251 TCP/UDP: Closing socket
Tue Sep 07 22:59:16 2004 us=890434 SIGUSR1[soft,connection-reset] received, proc
ess restarting

RE: [Openvpn-users] Signal 1 received during initialisation stops OpenVPN

From: Simon Ironside <sironside@in...> - 2004-09-07 15:26

Attachments: Message as HTML

Hi Doug,
=20
Config file - FreeBSD end (starts and runs ok manually, dies when trying =
to start automatically on reboot)
=20
<snip>
=20
float
dev tun
ifconfig 10.255.0.1 10.255.0.2
=20
user nobody
group nobody
=20
tls-server
ca /usr/local/openvpn/fpgmvpn01-ca.crt
dh /usr/local/openvpn/dh2048.pem
cert /usr/local/openvpn/fpgmvpn01.crt
key /usr/local/openvpn/fpgmvpn01.key
reneg-sec 900
=20
comp-lzo
=20
tun-mtu 1500
=20
ping 3
=20
verb 3
log /usr/local/openvpn/ironss.log
=20
=20
<snip>
=20
Config file - Windows 2003 end (this is left running throughout - I =
doubt this affects the FreeBSD end not starting, though I have not tried =
rebooting this machine to see if the service starts ok or dies like the =
FreeBSD one.)
=20
<snip>
=20
remote some.host.name
dev tun
ifconfig 10.255.0.2 10.255.0.1
up-delay
=20
tls-client=20
ca fpgmvpn01-ca.crt=20
cert ironss.crt  =20
key ironss.key  =20
reneg-sec 900  =20
comp-lzo  =20
tun-mtu 1500  =20
=20
ping 3                =20
ping-restart 5        =20
ping-timer-rem        =20
persist-tun            =20
persist-key            =20
=20
verb 3
=20
route 10.0.0.0 255.255.0.0 10.255.0.1 =20
route 10.1.0.0 255.255.0.0 10.255.0.1 =20
route 10.2.0.0 255.255.0.0 10.255.0.1 =20
route 10.3.0.0 255.255.0.0 10.255.0.1 =20
route 10.4.0.0 255.255.0.0 10.255.0.1 =20
route 10.5.0.0 255.255.0.0 10.255.0.1 =20
route 10.6.0.0 255.255.0.0 10.255.0.1 =20
route 10.7.0.0 255.255.0.0 10.255.0.1 =20
route 10.8.0.0 255.255.0.0 10.255.0.1 =20
route 10.10.0.0 255.255.0.0 10.255.0.1 =20
route 155.155.0.0 255.255.0.0 10.255.0.1=20
=20
route 192.168.10.0 255.255.255.0 10.255.0.1=20
route 192.168.11.0 255.255.255.0 10.255.0.1=20
route 192.168.12.0 255.255.255.0 10.255.0.1=20
route 192.168.13.0 255.255.255.0 10.255.0.1=20
=20
<snip>
=20
Startup script
=20
<snip>
=20
#!/bin/sh
# OpenVPN daemons startup & shutdown script
echo -n ' openvpn'
case "$1" in
        start)
                # Start commands
                /usr/local/sbin/openvpn --daemon openvpn-ironss --config =
/usr/lo
cal/openvpn/ironss.ovpn
                ;;
        stop)
                # Stop commands
                killall openvpn
                ;;
        *)
                echo ""
                echo "Usage: `basename $0` { start | stop }"
                echo ""
                exit 64
                ;;
esac
exit 0

<snip>
=20
Thanks,
Simon

________________________________

From: openvpn-users-admin@... on behalf of Doug Lytle
Sent: Tue 07/09/2004 15:02
To: openvpn-users@...
Subject: Re: [Openvpn-users] Signal 1 received during initialisation =
stops OpenVPN



Simon,

Without seeing your config files we won't be able to help you.

Doug

RE: [Openvpn-users] Signal 1 received during initialisation stops OpenVPN

From: Simon Ironside <sironside@in...> - 2004-09-07 16:28

Attachments: Message as HTML

Hi Doug,
=20
Sorry about the direct reply - I reposted to the list after I realised =
that mail had gone to you, I'm used to yahoogroups - hitting reply =
always goes to the list address there.
=20
Startup script is there along with the config files - pasted again =
below:
=20
 #!/bin/sh
 # OpenVPN daemons startup & shutdown script
 echo -n ' openvpn'
 case "$1" in
         start)
                 # Start commands
                 /usr/local/sbin/openvpn --daemon openvpn-ironss =
--config /usr/local/openvpn/ironss.ovpn
                 ;;
         stop)
                 # Stop commands
                 killall openvpn
                 ;;
         *)
                 echo ""
                 echo "Usage: `basename $0` { start | stop }"
                 echo ""
                 exit 64
                 ;;
 esac
 exit 0

Cheers,
Simon

________________________________

From: openvpn-users-admin@... on behalf of Doug Lytle
Sent: Tue 07/09/2004 17:12
To: openvpn-users@...
Subject: Re: [Openvpn-users] Signal 1 received during initialisation =
stops OpenVPN



Simon,

What does your startup script look like?

Also, please reply to the list, so others can help too.

Doug

Re: [Openvpn-users] Signal 1 received during initialisation stops OpenVPN

From: Doug Lytle <support@dr...> - 2004-09-07 18:04

Simon,

Not being a FreeBSD guru, I'm only guessing that it's an authorities 
issue.  You may want to also turn your verb up from 3 to maybe 6 see if 
what gets logged by openvpn. 

Doug

Simon Ironside wrote:

> Hi Doug,
>  
> Sorry about the direct reply - I reposted to the list after I realised 
> that mail had gone to you, I'm used to yahoogroups - hitting reply 
> always goes to the list address there.
>  
> Startup script is there along with the config files - pasted again below:
>  
>  #!/bin/sh
>  # OpenVPN daemons startup & shutdown script
>  echo -n ' openvpn'
>  case "$1" in
>          start)
>                  # Start commands
>                  /usr/local/sbin/openvpn --daemon 
> openvpn-ironss --config /usr/local/openvpn/ironss.ovpn
>                  ;;
>          stop)
>                  # Stop commands
>                  killall openvpn
>                  ;;
>          *)
>                  echo ""
>                  echo "Usage: `basename $0` { start | stop }"
>                  echo ""
>                  exit 64
>                  ;;
>  esac
>  exit 0
> Cheers,
> Simon
>
> ------------------------------------------------------------------------
> *From:* openvpn-users-admin@... on behalf of Doug Lytle
> *Sent:* Tue 07/09/2004 17:12
> *To:* openvpn-users@...
> *Subject:* Re: [Openvpn-users] Signal 1 received during initialisation 
> stops OpenVPN
>
> Simon,
>
> What does your startup script look like?
>
> Also, please reply to the list, so others can help too.
>
> Doug
>

Re: [Openvpn-users] Secret Key Question

From: James Yonan <jim@yo...> - 2004-09-07 15:45

On Sat, 4 Sep 2004, Anthony Ewell wrote:

> Hi All,
> 
>      If I am to use the "secret.key" option that puts the
> same secret key at both ends, would I not be making the same
> mistake as the Germans made in WWII, were they used "HIT" in the
> clear and "LER" in the cypher on their Enigma machines?
> 
>     If I use the same starting point every time I start the tunnel
> (every morning), would that not have the same effect?
> Would the bad guys not be able to use the starting sequence
> against the cypher stream to calculate the key?

Fortunately for us, cryptography has advanced somewhat since WWII :)

Try reading up on Cipher Modes (OpenVPN uses CBC mode) and Explicit
Initialization Vectors (or Explicit IV).  Both of these techniques will
tend to eliminate any kind of sequence predictability in the ciphertext,
even with static keys, and even in cases where the plaintext is repeating
or is otherwise very predictable.

James

Re: [Openvpn-users] Secret Key Question

From: James Yonan <jim@yo...> - 2004-09-07 15:56

On Sat, 4 Sep 2004, Doug Lytle wrote:

> Anthony,
> 
> I use a script to re-key every morning, copy the new keys across the 
> tunnel and restart.

You are sort of doing manually what SSL/TLS will do automatically.  For 
example if you ran OpenVPN in TLS mode and added --reneg-sec 86400, you 
would get a daily rekeying.

The only problem with your approach is that if you copy the new key over 
the old connection, i.e. if the new key is encrypted with the old key then 
sent to the remote peer, you lose "Perfect Forward Secrecy".  In other 
words, someone could conceivably derive your current key from your old key 
if they had recorded your prior encrypted communications.

If you use SSL/TLS mode or ssh to copy the keys, then you would have 
perfect forward secrecy.

James

Re: [Openvpn-users] Secret Key Question

From: Doug Lytle <support@dr...> - 2004-09-07 16:14

Understood.  I am getting to the point where I'll be looking into this, 
but at this moment, everything is automated. 

I keep adding more road warriors and it's getting to be a pain.  Just 
finding the time to try a new setup on a seperate system.  I will though.

Doug

James Yonan wrote:

>On Sat, 4 Sep 2004, Doug Lytle wrote:
>
>  
>
>>Anthony,
>>
>>I use a script to re-key every morning, copy the new keys across the 
>>tunnel and restart.
>>    
>>
>
>You are sort of doing manually what SSL/TLS will do automatically.  For 
>example if you ran OpenVPN in TLS mode and added --reneg-sec 86400, you 
>would get a daily rekeying.
>
>The only problem with your approach is that if you copy the new key over 
>the old connection, i.e. if the new key is encrypted with the old key then 
>sent to the remote peer, you lose "Perfect Forward Secrecy".  In other 
>words, someone could conceivably derive your current key from your old key 
>if they had recorded your prior encrypted communications.
>
>If you use SSL/TLS mode or ssh to copy the keys, then you would have 
>perfect forward secrecy.
>
>James
>
>  
>

Re: [Openvpn-users] Signal 1 received during initialisation stops OpenVPN

From: Doug Lytle <support@dr...> - 2004-09-07 16:12

Simon,

What does your startup script look like?

Also, please reply to the list, so others can help too.

Doug

Simon Ironside wrote:

> Hi Doug,
>  
> Config file - FreeBSD end (starts and runs ok manually, dies when 
> trying to start automatically on reboot)
>  
> <snip>
>  
> float
> dev tun
> ifconfig 10.255.0.1 10.255.0.2
>  
> user nobody
> group nobody
>  
> tls-server
> ca /usr/local/openvpn/fpgmvpn01-ca.crt
> dh /usr/local/openvpn/dh2048.pem
> cert /usr/local/openvpn/fpgmvpn01.crt
> key /usr/local/openvpn/fpgmvpn01.key
> reneg-sec 900
>  
> comp-lzo
>  
> tun-mtu 1500
>  
> ping 3
>  
> verb 3
> log /usr/local/openvpn/ironss.log
>  
>  
> <snip>
>  
> Config file - Windows 2003 end (this is left running throughout - I 
> doubt this affects the FreeBSD end not starting, though I have not 
> tried rebooting this machine to see if the service starts ok or dies 
> like the FreeBSD one.)
>  
> <snip>
>  
> remote some.host.name
> dev tun
> ifconfig 10.255.0.2 10.255.0.1
> up-delay
>  
> tls-client 
> ca fpgmvpn01-ca.crt 
> cert ironss.crt   
> key ironss.key   
> reneg-sec 900   
> comp-lzo   
> tun-mtu 1500   
>  
> ping 3                
> ping-restart 5        
> ping-timer-rem         
> persist-tun            
> persist-key            
>  
> verb 3
>  
> route 10.0.0.0 255.255.0.0 10.255.0.1  
> route 10.1.0.0 255.255.0.0 10.255.0.1  
> route 10.2.0.0 255.255.0.0 10.255.0.1  
> route 10.3.0.0 255.255.0.0 10.255.0.1  
> route 10.4.0.0 255.255.0.0 10.255.0.1  
> route 10.5.0.0 255.255.0.0 10.255.0.1  
> route 10.6.0.0 255.255.0.0 10.255.0.1  
> route 10.7.0.0 255.255.0.0 10.255.0.1  
> route 10.8.0.0 255.255.0.0 10.255.0.1  
> route 10.10.0.0 255.255.0.0 10.255.0.1  
> route 155.155.0.0 255.255.0.0 10.255.0.1 
>  
> route 192.168.10.0 255.255.255.0 10.255.0.1 
> route 192.168.11.0 255.255.255.0 10.255.0.1 
> route 192.168.12.0 255.255.255.0 10.255.0.1 
> route 192.168.13.0 255.255.255.0 10.255.0.1 
>  
> <snip>
>  
> Startup script
>  
> <snip>
>  
> #!/bin/sh
> # OpenVPN daemons startup & shutdown script
> echo -n ' openvpn'
> case "$1" in
>         start)
>                 # Start commands
>                 /usr/local/sbin/openvpn --daemon openvpn-ironss 
> --config /usr/lo
> cal/openvpn/ironss.ovpn
>                 ;;
>         stop)
>                 # Stop commands
>                 killall openvpn
>                 ;;
>         *)
>                 echo ""
>                 echo "Usage: `basename $0` { start | stop }"
>                 echo ""
>                 exit 64
>                 ;;
> esac
> exit 0
> <snip>
>  
> Thanks,
> Simon
>
> ------------------------------------------------------------------------
> *From:* openvpn-users-admin@... on behalf of Doug Lytle
> *Sent:* Tue 07/09/2004 15:02
> *To:* openvpn-users@...
> *Subject:* Re: [Openvpn-users] Signal 1 received during initialisation 
> stops OpenVPN
>
> Simon,
>
> Without seeing your config files we won't be able to help you.
>
> Doug
>

[Openvpn-users] 2048 RSA Certs

From: Paulo Andre <pandre@da...> - 2004-09-07 07:35

Probably not the right forum, but could someone perhaps explain if 2048 bit 
RSA certs would slow down the OpenVPN connection, and if so how much compared 
to 1024 bit

Paulo

Re: [Openvpn-users] 2048 RSA Certs

From: James Yonan <jim@yo...> - 2004-09-07 15:32

On Tue, 7 Sep 2004, Paulo Andre wrote:

> Probably not the right forum, but could someone perhaps explain if 2048 bit 
> RSA certs would slow down the OpenVPN connection, and if so how much compared 
> to 1024 bit

The size of the RSA cert affects the speed of TLS negotiation, but has no 
effect on tunnel speed.

The TLS negotiations happen once per client per hour by default.  You can 
change the default with the --reneg-sec option.

James

[Openvpn-users] Signal 1 received during initialisation stops OpenVPN

From: Simon Ironside <sironside@in...> - 2004-09-07 13:14

Attachments: Message as HTML

Hello all,
=20
I'm running OpenVPN 1.6.0 on FreeBSD 4.10. I have a simple shell script =
that runs at startup to call the openvpn daemon with the appropriate =
config file and start services. This works just fine for static keys =
encryption but not for SSL/TLS. All I have changed is the configuration =
file - the startup script remains the same.
=20
The logfile shows:
=20
Mon Aug 30 17:38:23 2004 11[0]: Signal 1 (sighup) received during =
initialization, exiting
Mon Aug 30 17:38:23 2004 12[0]: Exiting

The funny thing is, once I am logged in if I run the startup script =
manually it works fine.

Does anyone have any suggestions?

TIA,

Simon

Re: [Openvpn-users] Signal 1 received during initialisation stops OpenVPN

From: Doug Lytle <support@dr...> - 2004-09-07 14:14

Simon,

Without seeing your config files we won't be able to help you.

Doug

Simon Ironside wrote:

> Hello all,
>  
> I'm running OpenVPN 1.6.0 on FreeBSD 4.10. I have a simple shell 
> script that runs at startup to call the openvpn daemon with the 
> appropriate config file and start services. This works just fine for 
> static keys encryption but not for SSL/TLS. All I have changed is the 
> configuration file - the startup script remains the same.
>  
> The logfile shows:
>  
> Mon Aug 30 17:38:23 2004 11[0]: Signal 1 (sighup) received during 
> initialization, exiting
> Mon Aug 30 17:38:23 2004 12[0]: Exiting
>
> The funny thing is, once I am logged in if I run the startup script 
> manually it works fine.
>
> Does anyone have any suggestions?
>
> TIA,
>
> Simon
>
>

[Openvpn-users] getting secure sites to load over VPN with redirect-gateway

From: wha wha <cit403@ya...> - 2004-09-07 10:07

Attachments: Message as HTML

I am running openvpn-1.6.0 on FreeBSD and is running NAT. Local workstations on the LAN can access all websites ie secure banking  sites fine.
 
I have WIN XP machines connected over the VPN with --redirect-gateway and all traffic is getting routed over the tunnel  exactly the way I want, except one thing. When it comes to connecting to  secure sites like banking sites the pages never are able to fully load over the VPN.
 
Any help on what could be causing this or how to correct it would be great
 
Thanks


		
---------------------------------
Do you Yahoo!?
Win 1 of 4,000 free domain names from Yahoo! Enter now.

Re: [Openvpn-users] Unroutable control packet received from ...

From: suela <suela@ka...> - 2004-09-07 09:20

Check the time in both computers.

-- 
suela <suela@...>

[Openvpn-users] Routing issue

From: Peter Bako <pbako@2a...> - 2004-09-07 05:03

I've just setup an OpenVPN server (2.0 Beta 11) on an OpenBSD 3.4 =
system.
The client is a Windows 2000 machine running the GUI version of the same
software.  The tunnel is of type TUN.

So far I have been able to get the client to connect to the server, and =
ping
both ends of the tunnel.  Once I add a route command on the client, I =
can
also ping the inside interface of the VPN server, but I cannot get any =
ping
traffic back from any systems from inside the network.  Using TCPDUMP I =
was
able to verify that my ping packets do get to their destinations but the
return messages are not being routed correctly.  A quick diagram:

               ----------
            |-B- Server =
-A-------=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
            |  ----------        =3D    Internal   =3D
            |                    =3D    network    =3D
            |                    =3D 192.168.124.x =3D
            |                    =
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
            C
            |
        ---------- =20
        - Client -
        ----------
       =20
IP Address at Point A:  192.168.124.23
IP Address at Point B:  10.2.3.1
IP Address at Point C:  10.2.3.2

The tunnel uses the address of 10.5.5.1 on the server side (aka point B) =
and
10.5.5.2 on the client side (aka point C).  Once the tunnel is up I use =
the
following route command on the client:
 =20
  route add 192.168.124.0 mask 255.255.255.0 10.5.5.1

My guess is that once the ping packet makes it to any client on the =
internal
network, when it replies it tries to send the reply to 10.5.5.1, which =
is
where according to TCPDUMP it is coming from.  Short of having to put a
custom route at each member of my internal network, how can I get the
packets to route correctly back to the VPN client?  Is there any way to =
have
the VPN server mask the source address and replace it with its own =
internal
address?

Thanks,
Peter

Re: [Openvpn-users] Routing issue

From: Jean-Pierre Schwickerath <lists@sc...> - 2004-09-07 07:59

Hi Peter, 


> Short of having to put a custom route at each member of my internal
> network, how can I get the packets to route correctly back to the VPN
> client?  Is there any way to have the VPN server mask the source
> address and replace it with its own internal address?


You could use NAT to masquerade all your connections coming from behind
a vpn-tunnel (so that all machines on the local network believe they're
talking to 192.168.124.23) or you could set a route on the default
gateway of your local network which redirects all packets headed to
10.5.5.0/24 to 192.168.124.23. 


Jean-Pierre

-- 
Powered by Linux From Scratch - http://schwicky.net/
PGP Key ID: 0xEE6F49B4 - AIM/Jabber: Schwicky - ICQ: 4690141

Nothing is impossible... Everything is relative!