From: Leonardo R. M. <leo...@so...> - 2008-12-01 17:53:36

Hello, I have OpenVPN running in TLS mode with the following config parameters, among others:

dev tun
server 172.18.0.0 255.255.0.0
ifconfig-pool-persist /etc/openvpn/ipp.txt

But, although a CN is correctly recorded on ipp.txt with its according network, I got the following situation:

1) OpenVPN server got rebooted:

Nov 11 07:55:13 correio kernel: klogd 1.4.1, log source = /proc/kmsg started.
Nov 11 07:55:13 correio kernel: Linux version 2.6.19.2-grsec-Solutti (ro...@my...) (gcc version 4.0.2 20051125 (Red
[.......]

2) OpenVPN started and read ipp.txt:

Nov 11 07:55:45 correio openvpn-clientes[2707]: OpenVPN 2.0.9 i686-pc-linux [SSL] [LZO] [EPOLL] built on Sep 17 2008
Nov 11 07:55:45 correio openvpn-clientes[2707]: Diffie-Hellman initialized with 2048 bit key
[ .....]
Nov 11 07:55:46 correio openvpn-clientes[2727]: cliente-hertz-brasilia-aeroporto-01,172.18.0.8

3) cliente-hertz-brasilia-aeroporto-01 connected and received his correct IP address according to ipp.txt:

Nov 11 07:55:53 correio openvpn-clientes[2727]: cliente-hertz-brasilia-aeroporto-01/201.41.104.62:43956 MULTI: Learn: 172.18.0.10 -> cliente-hertz-brasilia-aeroporto-01/201.41.xx.xx:43956
Nov 11 07:55:53 correio openvpn-clientes[2727]: cliente-hertz-brasilia-aeroporto-01/201.41.104.62:43956 MULTI: primary virtual IP for cliente-hertz-brasilia-aeroporto-01/201.41.xx.xx:43956: 172.18.0.10

4) But some seconds later, OpenVPN gives lots of errors regarding the cliente-hertz-brasilia-aeroporto-01 connection:

Nov 11 08:57:22 correio openvpn-clientes[2727]: cliente-hertz-brasilia-aeroporto-01/201.41.104.62:43956 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Nov 11 08:57:22 correio openvpn-clientes[2727]: cliente-hertz-brasilia-aeroporto-01/201.41.104.62:43956 TLS Error: TLS handshake failed
Nov 11 08:57:23 correio openvpn-clientes[2727]: cliente-hertz-brasilia-aeroporto-01/201.41.104.62:43956 TLS: move_session: dest=TM_LAME_DUCK src=TM_ACTIVE reinit_src=1
Nov 11 08:57:23 correio openvpn-clientes[2727]: cliente-hertz-brasilia-aeroporto-01/201.41.104.62:43956 TLS ERROR: received control packet with stale session-id=1ce51a80 24634822

(LOTS of this last message, about 20 in 11 seconds)

5) Some more seconds later, cliente-hertz-brasilia-aeroporto-01 connected again, but received an IP address different than what's on ipp.txt !!!

Nov 11 08:58:10 correio openvpn-clientes[2727]: cliente-hertz-brasilia-aeroporto-01/201.41.104.62:55242 MULTI: Learn: 172.18.0.46 -> cliente-hertz-brasilia-aeroporto-01/201.41.xx.xx:55242
Nov 11 08:58:10 correio openvpn-clientes[2727]: cliente-hertz-brasilia-aeroporto-01/201.41.104.62:55242 MULTI: primary virtual IP for cliente-hertz-brasilia-aeroporto-01/201.41.xx.xx:55242: 172.18.0.46

(it should be 172.18.0.10, not 172.18.0.46)

Nov 11 07:55:53 correio openvpn-clientes[2727]: cliente-hertz-brasilia-aeroporto-01/201.41.104.62:43956 MULTI: primary virtual IP for cliente-hertz-brasilia-aeroporto-01/201.41.104.62:43956: 172.18.0.10

Question is ..... should ipp.txt be ALWAYS respected, or are there some situations in which OpenVPN would choose another IP subnetwork and give it to the client ??

Just in case ... this client cert is used in a single place, I do NOT have two machines using the same certificate.

-- 
Atenciosamente / Sincerely,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br

My SPAM trap, do NOT send email to it
ger...@so...
My SPAMTRAP, do not email it
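A check that would catch the situation described in this post, added here as an example (it is not part of the original message and not OpenVPN's own code): it parses the "CN,IP" lines of an ifconfig-pool-persist file and compares them with the "MULTI: primary virtual IP" lines of the server log, reporting every assignment that differs from the persisted reservation. The ipp.txt contents and the log excerpt are constructed samples modelled on the lines quoted above, and the regular expression assumes the 2.0.x message format shown in the post.

```python
import re

# Constructed sample of an ifconfig-pool-persist file (ipp.txt). The "CN,IP"
# line format is the one the server echoes when it reads the file.
IPP_TXT = """\
cliente-hertz-brasilia-aeroporto-01,172.18.0.10
cliente-exemplo-02,172.18.0.14
"""

# Constructed log excerpt modelled on the server messages quoted in the post.
SERVER_LOG = """\
Nov 11 07:55:53 correio openvpn-clientes[2727]: cliente-hertz-brasilia-aeroporto-01/201.41.104.62:43956 MULTI: primary virtual IP for cliente-hertz-brasilia-aeroporto-01/201.41.104.62:43956: 172.18.0.10
Nov 11 08:57:22 correio openvpn-clientes[2727]: cliente-hertz-brasilia-aeroporto-01/201.41.104.62:43956 TLS Error: TLS handshake failed
Nov 11 08:58:10 correio openvpn-clientes[2727]: cliente-hertz-brasilia-aeroporto-01/201.41.104.62:55242 MULTI: primary virtual IP for cliente-hertz-brasilia-aeroporto-01/201.41.104.62:55242: 172.18.0.46
Nov 11 08:59:01 correio openvpn-clientes[2727]: cliente-exemplo-02/198.51.100.7:1194 MULTI: primary virtual IP for cliente-exemplo-02/198.51.100.7:1194: 172.18.0.14
"""

# Matches the OpenVPN 2.0.x "primary virtual IP" message (format assumed from the post).
PRIMARY_IP_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?MULTI: primary virtual IP for "
    r"(?P<cn>[^/]+)/(?P<peer>[^ ]+): (?P<ip>\d+\.\d+\.\d+\.\d+)\s*$"
)


def parse_ipp(text):
    """Parse ipp.txt into {cn: ip}; blank lines and '#' comments are skipped."""
    reservations = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        cn, _, ip = line.partition(",")
        reservations[cn.strip()] = ip.strip()
    return reservations


def parse_assignments(log_text):
    """Yield (timestamp, cn, peer, ip) for each 'primary virtual IP' log line."""
    for line in log_text.splitlines():
        m = PRIMARY_IP_RE.match(line)
        if m:
            yield m.group("ts"), m.group("cn"), m.group("peer"), m.group("ip")


def find_mismatches(ipp_text, log_text):
    """Return assignments whose IP differs from the CN's persisted reservation.

    Each entry is (timestamp, cn, peer, expected_ip, actual_ip). CNs without a
    reservation are not flagged, since there is nothing to compare against.
    """
    reservations = parse_ipp(ipp_text)
    mismatches = []
    for ts, cn, peer, ip in parse_assignments(log_text):
        expected = reservations.get(cn)
        if expected is not None and expected != ip:
            mismatches.append((ts, cn, peer, expected, ip))
    return mismatches


if __name__ == "__main__":
    for ts, cn, peer, expected, actual in find_mismatches(IPP_TXT, SERVER_LOG):
        print(f"{ts} {cn} ({peer}): expected {expected}, got {actual}")
```

Run against the constructed data it reports only the 08:58:10 reconnect, where the client was handed 172.18.0.46 instead of its reserved 172.18.0.10; the first connection and the other client match their reservations and stay silent.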