Re: openvpn

To: dilceu@linuxservers.com.br
Cc: debian <debian-user-portuguese@lists.debian.org>
Subject: Re: openvpn
From: "Raphael Bittencourt S. Costa" <raphaelbscosta@yahoo.com.br>
Date: Wed, 01 Dec 2004 17:31:36 -0300
Message-id: <[🔎] 41AE2A28.30202@yahoo.com.br>
In-reply-to: <[🔎] 008101c4d7b5$4375c2e0$401fa8c0@dilceuxp>
References: <[🔎] 008101c4d7b5$4375c2e0$401fa8c0@dilceuxp>

Eu tenho instalado a algum tempo e ate agora nao me apresentou problemas...

Mas da uma olhada no FAQ do OPENVPN.. "*remember that UDP isconnectionless"*



   I'm using TLS mode with no --remote option on the server. When I
   start the server then the client it works ok. I can restart the
   client with no problem, but if I restart the server and the client
   is connected I get the following problem: "TLS Error: Unknown data
   channel key ID or IP address received from 111.222.333.444:10203".
   In this case I need to restart the client again to make it work. Do
   you know what the problem is?

This problem occurs because when you restart the server, there isnothing to trigger a new TLS key exchange. The server can't trigger itbecause it doesn't have a *--remote* option giving it the address of itspeer, so it wants to sit and wait for a client to connect. The clientdoesn't trigger it because it doesn't know the server was restarted(remember that UDP is connectionless).

There are several ways to fix this problem, listed in the order ofpreference:


   * Add a *--remote* option to the server which points to the client,
     making the connection peer-to-peer rather than client/server. When
     one peer restarts, it will force a new key exchange with the other
     peer.
   * Use the *--ping* and *--ping-restart* options to force a key
     negotiation any time that packets are not getting through the
     tunnel. Restarts always trigger a new key exchange.
   * Use static keys which allow OpenVPN to run in an essentially
     stateless manner.
   * Use TCP rather than UDP as your tunnel transport (available
     currently in the 1.5.x and higher with the *--proto* option). TCP
     is a connection-oriented protocol, and as such, either side of the
     connection knows immediately when the other side has disconnected.





dilceu@linuxservers.com.br wrote:

Olá pessoal,
Instalei o openvpn no debian tem mais ou menos 3 meses e até agora nãoconsegui resolver um problema.Quando não tem dados trafegando a vpn fica fincionando normamalmente,porém quando começa trafegar dados (qualquer tipo, http, ssh, dns...)a vpn simplesmente cai.A principio achei que fosse problema no modem adsl da matriz, poisestava fazendo NAT (direcionando a porta 5000 para o ip do servidor)ai então mudei, deixei o modem (alcatel) em pptp e agora o ip válido200....... esta chegando diretamente na placa de rede do linux (ppp0),porém o problema continua. Alguém tem alguma sugestão?Obs: nessa vpn esta a matriz e mais seis filiais e todas acontecem omesmo problema.Segue abaixo a saida do log na hora em que a vpn (de uma filial) caiu.Dec 1 11:53:20 liguecom last message repeated 3 timesDec 1 11:53:20 liguecom openvpn[114]: TLS Error: Unknown data channelkey ID or IP address received from 201.14.157.55:50465: 4 (see FAQ formore info on this error)
Dec  1 11:53:35 liguecom last message repeated 3 times
Dec 1 13:05:20 liguecom openvpn[20684]: TLS: soft reset sec=-982bytes=13636/0 pkts=102/0Dec 1 11:53:49 liguecom openvpn[20684]: VERIFY OK: depth=1,/C=BR/ST=SANTA.CATARINA/L=LAGES/O=LIGUECOM/OU=VPN/CN=CA/Email=FOO@BLE.COMDec 1 11:53:49 liguecom openvpn[20684]: VERIFY OK: depth=0,/C=BR/ST=SANTA.CATARINA/O=LIGUECOM/OU=VPN/CN=FILIAL8/Email=FOO@BLEDec 1 11:53:50 liguecom openvpn[20684]: Data Channel Decrypt: Cipher'BF-CBC' initialized with 128 bit keyDec 1 11:53:50 liguecom openvpn[20684]: Data Channel Decrypt: Using160 bit message hash 'SHA1' for HMAC authenticationDec 1 11:53:50 liguecom openvpn[20684]: Data Channel Encrypt: Cipher'BF-CBC' initialized with 128 bit keyDec 1 11:53:50 liguecom openvpn[20684]: Data Channel Encrypt: Using160 bit message hash 'SHA1' for HMAC authenticationDec 1 11:53:50 liguecom openvpn[20684]: Control Channel: TLSv1,cipher TLSv1/SSLv3 EDH-RSA-DES-CBC3-SHA, 1024 bit RSADec 1 11:53:50 liguecom openvpn[114]: TLS Error: Unknown data channelkey ID or IP address received from 201.14.157.55:50465: 4 (see FAQ formore info on this error)Alguém pode me dar alguma luz???Dilceu Luiz Pazinatto
Adm. de sistemas
LinuxServers
Voice 49 2237788
Mobile 49 84029393
Registred Linux ID 369936

Reply to:

References:
- openvpn
  - From: <dilceu@linuxservers.com.br>

Prev by Date: OFF: MS Project
Next by Date: Problemas com Som (AC97)
Previous by thread: openvpn
Next by thread: RES: FTP!
Index(es):
- Date
- Thread