Can't connect WinXP client to a Mikrotik OpenVPN server

Hello,

I’m trying to connect a Windows XP client using OpenVPN/OpenVPN GUI to a Mikrotik OpenVPN server. I’m using certificates for both the server (ca.crt, server.crt and server.key) and the client (ca.crt, client.crt and client.key). I can import the certs correctly into Mikrotik, set up the server, etc… I don’t get any error related to the certificates. But when I start the connection I get these errors:

  • Mikrotik log:

19:05:07 ovpn,info TCP connection established from [CLIENT_IP]
19:05:07 ovpn,info : dialing…
19:05:11 ovpn,info : using encoding - BF-128-CBC/SHA1
19:06:07 ovpn,debug <213.0.31.132>: disconnected
19:06:07 ovpn,info : terminating… - peer disconnected
19:06:07 ovpn,info : disconnected

  • OpenVPN log (verbosity 5)

Mon Apr 20 19:05:07 2009 us=473049 IMPORTANT: OpenVPN’s default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Mon Apr 20 19:05:07 2009 us=473077 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Mon Apr 20 19:05:07 2009 us=473100 Re-using SSL/TLS context
Mon Apr 20 19:05:07 2009 us=473165 Control Channel MTU parms [ L:1543 D:140 EF:40 EB:0 ET:0 EL:0 ]
Mon Apr 20 19:05:07 2009 us=473284 Data Channel MTU parms [ L:1543 D:1450 EF:43 EB:4 ET:0 EL:0 ]
Mon Apr 20 19:05:07 2009 us=473327 Local Options String: 'V4,dev-type tun,link-mtu 1543,tun-mtu 1500,proto TCPv4_CLIENT,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Mon Apr 20 19:05:07 2009 us=473334 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1543,tun-mtu 1500,proto TCPv4_SERVER,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Mon Apr 20 19:05:07 2009 us=473349 Local Options hash (VER=V4): 'db02a8f8'
Mon Apr 20 19:05:07 2009 us=473359 Expected Remote Options hash (VER=V4): '7e068940'
Mon Apr 20 19:05:07 2009 us=473376 Attempting to establish TCP connection with [SERVER_IP]:1194
Mon Apr 20 19:05:07 2009 us=513384 TCP connection established with [SERVER_IP]:1194
Mon Apr 20 19:05:07 2009 us=513400 Socket Buffers: R=[8192->8192] S=[8192->8192]
Mon Apr 20 19:05:07 2009 us=513408 TCPv4_CLIENT link local: [undef]
Mon Apr 20 19:05:07 2009 us=513415 TCPv4_CLIENT link remote: [SERVER_IP]:1194
Mon Apr 20 19:05:07 2009 us=519448 TLS: Initial packet from [SERVER_IP]:1194, sid=cca13b64 d6f0c301
Mon Apr 20 19:05:09 2009 us=571170 VERIFY OK: depth=1, /C=ES/ST=Place/L=AnotherPlace/O=cor /CN=CertAuth.corp.com/emailAddress=sysadmin@corp.com
Mon Apr 20 19:05:09 2009 us=572125 VERIFY OK: depth=0, /C=ES/ST=Place/O=AnotherPlace/CN=vpnhub.corp.com/emailAddress=sysadmin@corp.com
Mon Apr 20 19:06:07 2009 us=551010 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Apr 20 19:06:07 2009 us=551035 TLS Error: TLS handshake failed
Mon Apr 20 19:06:07 2009 us=551212 Fatal TLS error (check_tls_errors_co), restarting
Mon Apr 20 19:06:07 2009 us=551293 TCP/UDP: Closing socket
Mon Apr 20 19:06:07 2009 us=551354 SIGUSR1[soft,tls-error] received, process restarting
Mon Apr 20 19:06:07 2009 us=551363 Restart pause, 5 second(s)

The config options that I’m using on the client are:

client
dev tun
proto tcp
remote [SERVER_IP] 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca CA.crt
cert client.crt
key client.key
verb 5

A lot of people say that the “TLS key negotiation failed to occur within 60 seconds” error is caused by a firewall on either side of the tunnel, but I have NO firewall on either side. I have tested with OpenVPN 2.0Beta15 and OpenVPN 1.6. I’ve also used RouterOS v3.10, v3.21 and v3.22… with a RB450 and a RB433AH…

I made it work using just the CA and a user name and password (with the auth-user-pass option in the client config)…

Why can’t I connect to my VPN hub?

Any hint would be greatly appreciated!
Thank you.

I use the following client config to connect to my MT-OpenVPN server (it probably has a few obsolete things, but it works):

dev tap
proto tcp-client
remote SERVERNAME 443
ca "C:\Program Files\OpenVPN\easy-rsa\keys\ca.crt"
cert "C:\Program Files\OpenVPN\easy-rsa\keys\client1.crt"
key "C:\Program Files\OpenVPN\easy-rsa\keys\client1.key"
tls-client
port 443
ping 15
ping-restart 45
ping-timer-rem
persist-tun
persist-key
mute-replay-warnings
verb 3
cipher AES-256-CBC
auth SHA1
pull
auth-user-pass "C:\Program Files\OpenVPN\config\auth.cfg"

Configured the router with the help of this article:

http://blog.who-els.co.za/2008/11/mikrotik-routeros-and-openvpn.html

Do you use username/password for authentication? Just because OpenVPN in MT does not support authentication with keys only… I got similar error messages while trying to do so (which was working fine with my OpenVPN server running under XP).
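The two points this thread turns on are visible in the first post's log and config: the server certificate was verified (VERIFY OK at depth 0) before the handshake timed out, so connectivity is not the blocker, and the client config has neither auth-user-pass (which the reply says RouterOS requires alongside certificates) nor any server certificate verification (the WARNING on the MITM howto). The following script is an added example, not code from either poster: it parses an OpenVPN client config and a client log and reports those conditions. The sample config and log lines are constructed from the thread, with the server address left as a placeholder; remote-cert-tls is an option of OpenVPN 2.1 and later, ns-cert-type the older equivalent.

```python
import re

# Constructed sample input modelled on the thread's client config and log lines.
CLIENT_CONFIG = """client
dev tun
proto tcp
remote [SERVER_IP] 1194
ca ca.crt
cert client.crt
key client.key
verb 5
"""
CLIENT_LOG = """WARNING: No server certificate verification method has been enabled.
TCP connection established with [SERVER_IP]:1194
VERIFY OK: depth=1, /C=ES/CN=CertAuth.corp.com
VERIFY OK: depth=0, /C=ES/CN=vpnhub.corp.com
TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
"""

def parse_config(text):
    """Return {option: [arg, ...]} for an OpenVPN config; quoted args (Windows paths) stay whole."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':  # full-line comments
            continue
        tokens = [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', line)]
        opts[tokens[0]] = tokens[1:]
    return opts

def check_config(opts):
    """Findings a client config for a RouterOS OpenVPN server should be checked for."""
    findings = []
    if 'auth-user-pass' not in opts:
        findings.append('no auth-user-pass: RouterOS OpenVPN expects username/password in addition to certificates')
    if 'remote-cert-tls' not in opts and 'ns-cert-type' not in opts:
        findings.append('no server certificate verification: add "remote-cert-tls server" (OpenVPN 2.1+) or "ns-cert-type server"')
    return findings

def triage_log(text):
    """Classify a TLS negotiation timeout by how far the handshake got before it stalled."""
    tcp_ok = 'TCP connection established' in text
    cert_ok = 'VERIFY OK: depth=0' in text
    timeout = 'TLS key negotiation failed to occur within' in text
    if timeout and tcp_ok and cert_ok:
        return 'handshake stalled after the server certificate was verified: connectivity works, check server-side auth requirements'
    if timeout and not tcp_ok:
        return 'no TCP session: check reachability and firewalls'
    if timeout:
        return 'TCP up but certificate exchange never completed: check CA and certificate chain'
    return 'no TLS timeout in log'
```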

Thanks a lot for your reply.

There is no way to have a decent certificate-driven OpenVPN server with RouterOS? I haven’t read anywhere that you had to use “auth-user-password” to make this work… so, I was expecting it to work as with many other implementations :(

I need to manage nearly 700 roadwarrior VPN connections (low traffic, just some SQL queries… but I do expect a relatively high number of simultaneous sessions… 50 or so). Will an RB1000 be able to maintain such a user secrets DB?

On the other hand, should I use L2TP/IPSec for my roadwarriors instead of OpenVPN?

Thanks again.