Kraken2k
Frequent Visitor
Topic Author
Posts: 58
Joined: Wed Oct 01, 2014 1:50 pm
Location: Prague

OpenVPN server and duplicate packets

Mon Sep 14, 2015 12:21 pm

I am trying to set up an OpenVPN server on an RB1100AHx2 with RouterOS v6.32.1 (with a public IPv4 address). I followed the wiki tutorial, but it still disconnects the client. On the other side there is a Synology NAS RS812. Certificates are imported, trusted and all that, but the RB keeps dropping the connection because of duplicate packets...

Any ideas where the problem is?
Sep/14/2015 10:50:21 ovpn,info TCP connection established from <ip_hidden>
Sep/14/2015 10:50:21 ovpn,debug,packet sent P_CONTROL_HARD_RESET_SERVER_V2 kid=0 sid=a09ef5e2cdb2f6 pid=0 DATA len=0
Sep/14/2015 10:50:22 ovpn,debug,packet rcvd P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=14b65c26dabdb693 pid=0 DATA len=0
Sep/14/2015 10:50:22 ovpn,debug,packet sent P_ACK kid=0 sid=a09ef5e2cdb2f6 [0 sid=14b65c26dabdb693] DATA len=0
Sep/14/2015 10:50:22 ovpn,debug,packet rcvd P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=14b65c26dabdb693 [0 sid=a09ef5e2cdb2f6] pid=0 DATA len=0
Sep/14/2015 10:50:22 ovpn,debug,error,,,,debug,l2tp,,warning,,,,,firewall,,,,debug duplicate packet, dropping
Sep/14/2015 10:50:22 ovpn,debug,packet rcvd P_CONTROL kid=0 sid=14b65c26dabdb693 pid=1 DATA len=100
Sep/14/2015 10:50:22 ovpn,debug,packet sent P_ACK kid=0 sid=a09ef5e2cdb2f6 [1 sid=14b65c26dabdb693] DATA len=0
Sep/14/2015 10:50:22 ovpn,debug,packet rcvd P_CONTROL kid=0 sid=14b65c26dabdb693 pid=2 DATA len=100
Sep/14/2015 10:50:22 ovpn,debug,packet sent P_ACK kid=0 sid=a09ef5e2cdb2f6 [2 sid=14b65c26dabdb693] DATA len=0
Sep/14/2015 10:50:22 ovpn,debug,packet rcvd P_CONTROL kid=0 sid=14b65c26dabdb693 pid=3 DATA len=1
Sep/14/2015 10:50:22 ovpn,debug,packet sent P_ACK kid=0 sid=a09ef5e2cdb2f6 [3 sid=14b65c26dabdb693] DATA len=0
Sep/14/2015 10:50:22 ovpn,debug,packet sent P_CONTROL kid=0 sid=a09ef5e2cdb2f6 pid=1 DATA len=1400
Sep/14/2015 10:50:22 ovpn,debug,packet sent P_CONTROL kid=0 sid=a09ef5e2cdb2f6 pid=2 DATA len=1400
Sep/14/2015 10:50:22 ovpn,debug,packet sent P_CONTROL kid=0 sid=a09ef5e2cdb2f6 pid=3 DATA len=547
Sep/14/2015 10:50:22 ovpn,debug,packet rcvd P_ACK kid=0 sid=14b65c26dabdb693 [1 sid=a09ef5e2cdb2f6] DATA len=0
Sep/14/2015 10:50:22 ovpn,debug,packet rcvd P_ACK kid=0 sid=14b65c26dabdb693 [2 sid=a09ef5e2cdb2f6] DATA len=0
Sep/14/2015 10:50:22 ovpn,debug <ip_hidden>: disconnected <peer disconnected>
Last edited by Kraken2k on Fri Oct 23, 2015 10:59 am, edited 1 time in total.
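
Added example, not part of the original post: in the log above, the "duplicate packet, dropping" line directly follows a second P_CONTROL_HARD_RESET_CLIENT_V2 that carries the same sid and pid=0 as the first one. The Python sketch below checks that pattern mechanically and reports whether the handshake carried on after the drop; the function name and result fields are illustrative, and the sample lines are copied from the post.

```python
import re
from collections import defaultdict

# Lines copied from the RouterOS log in the post above.
SAMPLE_LOG = """\
Sep/14/2015 10:50:21 ovpn,info TCP connection established from <ip_hidden>
Sep/14/2015 10:50:21 ovpn,debug,packet sent P_CONTROL_HARD_RESET_SERVER_V2 kid=0 sid=a09ef5e2cdb2f6 pid=0 DATA len=0
Sep/14/2015 10:50:22 ovpn,debug,packet rcvd P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=14b65c26dabdb693 pid=0 DATA len=0
Sep/14/2015 10:50:22 ovpn,debug,packet sent P_ACK kid=0 sid=a09ef5e2cdb2f6 [0 sid=14b65c26dabdb693] DATA len=0
Sep/14/2015 10:50:22 ovpn,debug,packet rcvd P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=14b65c26dabdb693 [0 sid=a09ef5e2cdb2f6] pid=0 DATA len=0
Sep/14/2015 10:50:22 ovpn,debug,error,,,,debug,l2tp,,warning,,,,,firewall,,,,debug duplicate packet, dropping
Sep/14/2015 10:50:22 ovpn,debug,packet rcvd P_CONTROL kid=0 sid=14b65c26dabdb693 pid=1 DATA len=100
Sep/14/2015 10:50:22 ovpn,debug,packet sent P_ACK kid=0 sid=a09ef5e2cdb2f6 [1 sid=14b65c26dabdb693] DATA len=0
"""

PACKET_RE = re.compile(
    r"ovpn,debug,packet (?P<dir>sent|rcvd) (?P<op>P_\w+) kid=(?P<kid>\d+) "
    r"sid=(?P<sid>[0-9a-f]+)"
    r"(?: \[(?P<ack>\d+) sid=[0-9a-f]+\])?"   # optional piggy-backed ACK
    r"(?: pid=(?P<pid>\d+))?"                  # P_ACK lines carry no pid
    r" DATA len=(?P<len>\d+)"
)
DUP_MARK = "duplicate packet, dropping"
EMPTY = {"packet_line": None, "opcode": None, "sid": None, "pid": None,
         "repeat": False, "acks_server_pid": None}


def explain_duplicate_drops(log_text):
    """Pair each 'duplicate packet, dropping' error with the packet received just before it."""
    seen = defaultdict(set)   # (sid, kid) -> packet ids already received from that peer
    last_rcvd = None
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = PACKET_RE.search(line)
        if m and m["dir"] == "rcvd" and m["pid"] is not None:
            pid = int(m["pid"])
            key = (m["sid"], m["kid"])
            last_rcvd = {
                "packet_line": lineno,
                "opcode": m["op"],
                "sid": m["sid"],
                "pid": pid,
                "repeat": pid in seen[key],   # same sid/kid/pid seen before
                "acks_server_pid": int(m["ack"]) if m["ack"] else None,
            }
            seen[key].add(pid)
            # A later, higher packet id from the same peer means the
            # handshake went on after the drop was logged.
            for f in findings:
                if f["sid"] == m["sid"] and pid > f["pid"]:
                    f["handshake_continued"] = True
        elif "ovpn" in line and DUP_MARK in line:
            base = last_rcvd or EMPTY
            findings.append({**base, "error_line": lineno,
                             "handshake_continued": False})
    return findings


if __name__ == "__main__":
    for finding in explain_duplicate_drops(SAMPLE_LOG):
        print(finding)
```

A finding with `repeat` and `handshake_continued` both true matches what later replies report: the message appears even on sessions that go on to connect.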
 
4artur
just joined
Posts: 2
Joined: Fri Oct 02, 2015 3:05 pm

Re: OpenVPN server and duplicate packets

Fri Oct 02, 2015 3:08 pm

I've got the same problem. Maybe someone has a solution?
 
pmurdock
newbie
Posts: 33
Joined: Sun Jul 03, 2005 7:39 am
Location: Herriman, Utah

Re: OpenVPN server and duplicate packets

Fri Oct 02, 2015 4:29 pm

I got OpenVPN working.

A couple of things just to double check:

1) LZO compression off

2) tls-cipher DEFAULT option had to be set for my android clients
 
4artur
just joined
Posts: 2
Joined: Fri Oct 02, 2015 3:05 pm

Re: OpenVPN server and duplicate packets

Tue Oct 06, 2015 9:26 am

Nope, it doesn't help. The funny thing is that it works fine on Android, but when I use the same config file on Windows 8.1 (just changing the tun/tap adapter type) it does not work. Maybe some other ideas?
 
Kraken2k
Frequent Visitor
Topic Author
Posts: 58
Joined: Wed Oct 01, 2014 1:50 pm
Location: Prague

Re: OpenVPN server and duplicate packets

Thu Oct 15, 2015 6:52 pm

After days of testing... I got it working!

The problem was not in the MikroTik configuration, but on the Synology NAS ... and the "duplicate packet" error was not the blocking issue. So how to find out what's wrong...

1) Enable SSH on the Synology.
2) Log in as user root (with the same password as admin); I used WinSCP for this.
3) Navigate to the OpenVPN config file in the /usr/syno/etc/synovpnclient/openvpn directory.
4) Open the config file "client_o*******" (the stars stand for numbers that may vary).
5) Add "log openvpn.log" to the end of this file.

After a failed attempt to connect, there was an error line:
VERIFY ERROR: self signed certificate in certificate chain
The certificates are issued by the company CA, which uses a 3-tier PKI, so not only the OpenVPN server certificate needs to be trusted but also the others in the trust chain. An imported server certificate is trusted automatically, and that's the reason why self-signed certificates work in this case, but certificates from a multi-tier PKI are in trouble.

So... how to import those if there is no GUI for that in the NAS? Fortunately, there is a way, which I had to use a few weeks ago when configuring VMware vCenter server certificates: all certificates need to be in the single file you import, so they are marked as trusted.

Synology uses Base64-encoded X.509 certificates by default. If you open the server/authority .cer file with the certificate, you see:
-----BEGIN CERTIFICATE-----
(encoded certificate data)
-----END CERTIFICATE-----
I had three of those files: Root CA, Intermediate/Issuing CA and OpenVPN server certificates. The trick is that the engine will process all the certificates in one file, so just copy all the files into one and you have:
-----BEGIN CERTIFICATE-----
(encoded Root CA certificate data)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(encoded Intermediate/Issuing CA certificate data)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(encoded OpenVPN server certificate data)
-----END CERTIFICATE-----
Once imported into the Synology NAS in the OpenVPN client configuration, the verification error vanished from the Synology openvpn.log and the OpenVPN client connects to the MikroTik router, even if the "duplicate packet dropping" error still stays in the log.
 
ibrahimzaaidh
just joined
Posts: 9
Joined: Wed Oct 21, 2015 11:54 pm

Re: OpenVPN server and duplicate packets

Wed Oct 21, 2015 11:58 pm

I want to connect a D-Link NAS to a MikroTik RouterBOARD.
If your technical team could provide any solution or a link to a tutorial that would help with this problem, it would be very helpful.
Thank you!
 
Kraken2k
Frequent Visitor
Topic Author
Posts: 58
Joined: Wed Oct 01, 2014 1:50 pm
Location: Prague

Re: OpenVPN server and duplicate packets

Fri Oct 23, 2015 11:03 am

The OpenVPN settings for MikroTik are described on the wiki page. It's not exactly easy to understand all the steps, but in fact the settings themselves are not that complicated.

IMHO the biggest problem with OpenVPN settings is handling keys and certificates, because the concept of this is often misunderstood.
 
suharich
just joined
Posts: 1
Joined: Thu Nov 26, 2015 10:18 am

Re: OpenVPN server and duplicate packets

Thu Nov 26, 2015 10:22 am

I had the same duplicate packet error. I figured out that it was because I had the same connection already active on the ovpn server. When I dropped it, I connected to ovpn successfully.

Hope it helps.
 
nezdeshniy
just joined
Posts: 3
Joined: Thu Jul 17, 2014 2:32 pm

Re: OpenVPN server and duplicate packets

Mon Dec 14, 2015 4:03 pm

We have CCR1016, after upgrade from 6.29 to 6.33.3 we have this error:
16:43:26 ovpn,info TCP connection established from xx.xx.xxx.x
16:43:26 ovpn,debug,packet sent P_CONTROL_HARD_RESET_SERVER_V2 kid=0 sid=0b7ef2d0ca5a23d0 pid=0 DATA len=0
16:43:27 ovpn,debug,packet rcvd P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=c9f147fa5b02c86 pid=0 DATA len=0
16:43:27 ovpn,debug,packet sent P_ACK kid=0 sid=0b7ef2d0ca5a23d0 [0 sid=c9f147fa5b02c86] DATA len=0
16:43:27 ovpn,debug,packet rcvd P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=c9f147fa5b02c86 [0 sid=0b7ef2d0ca5a23d0] pid=0 DATA len=0
16:43:27 ovpn,debug,error duplicate packet, dropping
16:43:27 ovpn,debug,packet rcvd P_CONTROL kid=0 sid=c9f147fa5b02c86 pid=1 DATA len=100
16:43:27 ovpn,debug,packet sent P_ACK kid=0 sid=0b7ef2d0ca5a23d0 [1 sid=c9f147fa5b02c86] DATA len=0
16:43:27 ovpn,debug,packet rcvd P_CONTROL kid=0 sid=c9f147fa5b02c86 pid=2 DATA len=100
16:43:27 ovpn,debug,packet sent P_ACK kid=0 sid=0b7ef2d0ca5a23d0 [2 sid=c9f147fa5b02c86] DATA len=0
16:43:27 ovpn,debug,packet rcvd P_CONTROL kid=0 sid=c9f147fa5b02c86 pid=3 DATA len=93
16:43:27 ovpn,debug,packet sent P_ACK kid=0 sid=0b7ef2d0ca5a23d0 [3 sid=c9f147fa5b02c86] DATA len=0
16:43:27 ovpn,debug,packet sent P_CONTROL kid=0 sid=0b7ef2d0ca5a23d0 pid=1 DATA len=1400
16:43:27 ovpn,debug,packet sent P_CONTROL kid=0 sid=0b7ef2d0ca5a23d0 pid=2 DATA len=1116
16:43:27 ovpn,debug,packet rcvd P_ACK kid=0 sid=c9f147fa5b02c86 [1 sid=0b7ef2d0ca5a23d0] DATA len=0
16:43:27 ovpn,debug,packet rcvd P_CONTROL kid=0 sid=c9f147fa5b02c86 [2 sid=0b7ef2d0ca5a23d0] pid=4 DATA len=100
16:43:27 ovpn,debug,packet sent P_ACK kid=0 sid=0b7ef2d0ca5a23d0 [4 sid=c9f147fa5b02c86] DATA len=0
16:43:27 ovpn,debug,packet rcvd P_CONTROL kid=0 sid=c9f147fa5b02c86 pid=5 DATA len=100
16:43:27 ovpn,debug,packet sent P_ACK kid=0 sid=0b7ef2d0ca5a23d0 [5 sid=c9f147fa5b02c86] DATA len=0
16:43:27 ovpn,debug,packet rcvd P_CONTROL kid=0 sid=c9f147fa5b02c86 pid=6 DATA len=100
16:43:27 ovpn,debug,packet sent P_ACK kid=0 sid=0b7ef2d0ca5a23d0 [6 sid=c9f147fa5b02c86] DATA len=0
16:43:27 ovpn,debug,packet rcvd P_CONTROL kid=0 sid=c9f147fa5b02c86 pid=7 DATA len=18
16:43:27 ovpn,debug,packet sent P_ACK kid=0 sid=0b7ef2d0ca5a23d0 [7 sid=c9f147fa5b02c86] DATA len=0
16:43:27 ovpn,debug,packet sent P_CONTROL kid=0 sid=0b7ef2d0ca5a23d0 pid=3 DATA len=51
16:43:27 ovpn,debug,packet rcvd P_CONTROL kid=0 sid=c9f147fa5b02c86 [3 sid=0b7ef2d0ca5a23d0] pid=8 DATA len=100
16:43:27 ovpn,debug,packet sent P_ACK kid=0 sid=0b7ef2d0ca5a23d0 [8 sid=c9f147fa5b02c86] DATA len=0
16:43:27 ovpn,debug,packet rcvd P_CONTROL kid=0 sid=c9f147fa5b02c86 pid=9 DATA len=100
16:43:27 ovpn,debug,packet sent P_ACK kid=0 sid=0b7ef2d0ca5a23d0 [9 sid=c9f147fa5b02c86] DATA len=0
16:43:27 ovpn,debug,packet rcvd P_CONTROL kid=0 sid=c9f147fa5b02c86 pid=10 DATA len=100
16:43:27 ovpn,debug,packet sent P_ACK kid=0 sid=0b7ef2d0ca5a23d0 [10 sid=c9f147fa5b02c86] DATA len=0
16:43:27 ovpn,debug,packet rcvd P_CONTROL kid=0 sid=c9f147fa5b02c86 pid=11 DATA len=76
16:43:27 ovpn,debug,packet sent P_ACK kid=0 sid=0b7ef2d0ca5a23d0 [11 sid=c9f147fa5b02c86] DATA len=0
16:43:27 ovpn,info : using encoding - AES-256-CBC/SHA1
16:43:27 ovpn,info,account X@X logged in, 192.168.83.50
16:43:27 ovpn,debug,packet sent P_CONTROL kid=0 sid=0b7ef2d0ca5a23d0 pid=4 DATA len=227
16:43:27 ovpn,debug,packet rcvd P_ACK kid=0 sid=c9f147fa5b02c86 [4 sid=0b7ef2d0ca5a23d0] DATA len=0
16:43:27 ovpn,info <X@X>: connected
We don't see any trouble in ovpn, but we have a lot of these "ovpn,debug,error duplicate packet, dropping" entries in the log.

Any idea?
 
nedeleav
just joined
Posts: 3
Joined: Sun Jan 17, 2016 1:45 am

Re: OpenVPN server and duplicate packets

Sun Jan 17, 2016 1:56 am

Hi all.

OpenVPN Error:
ovpn,debug,error,,,,,,,,,l2tp,info,,debug,,,critical,,,,,,,,,,,,,warning: duplicate packet, dropping

V 6.33.5

and openvpn client shows only:
Sun Jan 17 01:39:38 2016 OpenVPN 2.3.10 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Jan 4 2016
Sun Jan 17 01:39:38 2016 Windows version 6.1 (Windows 7)
Sun Jan 17 01:39:38 2016 library versions: OpenSSL 1.0.1q 3 Dec 2015, LZO 2.09
Enter Management Password:
Sun Jan 17 01:39:38 2016 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
Sun Jan 17 01:39:38 2016 Need hold release from management interface, waiting...
Sun Jan 17 01:39:38 2016 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
Sun Jan 17 01:39:38 2016 MANAGEMENT: CMD 'state on'
Sun Jan 17 01:39:38 2016 MANAGEMENT: CMD 'log all on'
Sun Jan 17 01:39:38 2016 MANAGEMENT: CMD 'hold off'
Sun Jan 17 01:39:38 2016 MANAGEMENT: CMD 'hold release'
Sun Jan 17 01:39:38 2016 WARNING: --ping should normally be used with --ping-restart or --ping-exit
Sun Jan 17 01:39:38 2016 Socket Buffers: R=[8192->8192] S=[8192->8192]
Sun Jan 17 01:39:38 2016 Attempting to establish TCP connection with [AF_INET]xxx.x.x.x.x.x.:x [nonblock]
Sun Jan 17 01:39:38 2016 MANAGEMENT: >STATE:1452987578,TCP_CONNECT,,,
Sun Jan 17 01:39:39 2016 TCP connection established with [AF_INET]xxx.x.x.x.x.x.:x
Sun Jan 17 01:39:39 2016 TCPv4_CLIENT link local: [undef]
Sun Jan 17 01:39:39 2016 TCPv4_CLIENT link remote: [AF_INET]xxx.x.x.x.x.x.:x
Sun Jan 17 01:39:39 2016 MANAGEMENT: >STATE:1452987579,WAIT,,,
Sun Jan 17 01:39:39 2016 MANAGEMENT: >STATE:1452987579,AUTH,,,
Sun Jan 17 01:39:39 2016 TLS: Initial packet from [AF_INET]xxx.x.x.x.x.x.:x, sid=6c910a9b 3d91168d
Sun Jan 17 01:39:45 2016 Connection reset, restarting [0]
Sun Jan 17 01:39:45 2016 SIGUSR1[soft,connection-reset] received, process restarting
Sun Jan 17 01:39:45 2016 MANAGEMENT: >STATE:1452987585,RECONNECTING,connection-reset,,
Sun Jan 17 01:39:45 2016 Restart pause, 5 second(s)
Sun Jan 17 01:39:50 2016 WARNING: --ping should normally be used with --ping-restart or --ping-exit
Sun Jan 17 01:39:50 2016 Socket Buffers: R=[8192->8192] S=[8192->8192]
Sun Jan 17 01:39:50 2016 Attempting to establish TCP connection with [AF_INET]xxx.x.x.x.x.x.:x [nonblock]
Sun Jan 17 01:39:50 2016 MANAGEMENT: >STATE:1452987590,TCP_CONNECT,,,
Sun Jan 17 01:39:51 2016 TCP connection established with [AF_INET]xxx.x.x.x.x.x.:x
Sun Jan 17 01:39:51 2016 TCPv4_CLIENT link local: [undef]
Sun Jan 17 01:39:51 2016 TCPv4_CLIENT link remote: [AF_INET]xxx.x.x.x.x.x.:x
Sun Jan 17 01:39:51 2016 MANAGEMENT: >STATE:1452987591,WAIT,,,
Sun Jan 17 01:39:51 2016 MANAGEMENT: >STATE:1452987591,AUTH,,,
Sun Jan 17 01:39:51 2016 TLS: Initial packet from [AF_INET]xxx.x.x.x.x.x.:x, sid=3158d1da 23fa6449
Sun Jan 17 01:39:51 2016 Connection reset, restarting [0]
Sun Jan 17 01:39:51 2016 SIGUSR1[soft,connection-reset] received, process restarting
Sun Jan 17 01:39:51 2016 MANAGEMENT: >STATE:1452987591,RECONNECTING,connection-reset,,
Sun Jan 17 01:39:51 2016 Restart pause, 5 second(s)
Sun Jan 17 01:39:56 2016 WARNING: --ping should normally be used with --ping-restart or --ping-exit
Sun Jan 17 01:39:56 2016 Socket Buffers: R=[8192->8192] S=[8192->8192]
Sun Jan 17 01:39:56 2016 Attempting to establish TCP connection with [AF_INET]xxx.x.x.x.x.x.:x [nonblock]
Sun Jan 17 01:39:56 2016 MANAGEMENT: >STATE:1452987596,TCP_CONNECT,,,
Sun Jan 17 01:39:57 2016 TCP connection established with [AF_INET]xxx.x.x.x.x.x.:x
Sun Jan 17 01:39:57 2016 TCPv4_CLIENT link local: [undef]
Sun Jan 17 01:39:57 2016 TCPv4_CLIENT link remote: [AF_INET]xxx.x.x.x.x.x.:x
Sun Jan 17 01:39:57 2016 MANAGEMENT: >STATE:1452987597,WAIT,,,
Sun Jan 17 01:39:57 2016 MANAGEMENT: >STATE:1452987597,AUTH,,,
Sun Jan 17 01:39:57 2016 TLS: Initial packet from [AF_INET]xxx.x.x.x.x.x.:x, sid=6ed3308f 8d22dedb
Sun Jan 17 01:39:58 2016 Connection reset, restarting [0]
Sun Jan 17 01:39:58 2016 SIGUSR1[soft,connection-reset] received, process restarting
Sun Jan 17 01:39:58 2016 MANAGEMENT: >STATE:1452987598,RECONNECTING,connection-reset,,
Sun Jan 17 01:39:58 2016 Restart pause, 5 second(s)
Sun Jan 17 01:40:03 2016 WARNING: --ping should normally be used with --ping-restart or --ping-exit
Sun Jan 17 01:40:03 2016 Socket Buffers: R=[8192->8192] S=[8192->8192]
Sun Jan 17 01:40:03 2016 Attempting to establish TCP connection with [AF_INET]xxx.x.x.x.x.x.:x [nonblock]
Sun Jan 17 01:40:03 2016 MANAGEMENT: >STATE:1452987603,TCP_CONNECT,,,
Sun Jan 17 01:40:04 2016 TCP connection established with [AF_INET]xxx.x.x.x.x.x.:x
Sun Jan 17 01:40:04 2016 TCPv4_CLIENT link local: [undef]
Sun Jan 17 01:40:04 2016 TCPv4_CLIENT link remote: [AF_INET]xxx.x.x.x.x.x.:x
Sun Jan 17 01:40:04 2016 MANAGEMENT: >STATE:1452987604,WAIT,,,
Sun Jan 17 01:40:04 2016 MANAGEMENT: >STATE:1452987604,AUTH,,,
Sun Jan 17 01:40:05 2016 TLS: Initial packet from [AF_INET]xxx.x.x.x.x.x.:x, sid=849563e1 27d2ab93
Sun Jan 17 01:40:05 2016 Connection reset, restarting [0]
Sun Jan 17 01:40:05 2016 SIGUSR1[soft,connection-reset] received, process restarting
Sun Jan 17 01:40:05 2016 MANAGEMENT: >STATE:1452987605,RECONNECTING,connection-reset,,
Sun Jan 17 01:40:05 2016 Restart pause, 5 second(s)
Sun Jan 17 01:40:10 2016 WARNING: --ping should normally be used with --ping-restart or --ping-exit
Sun Jan 17 01:40:10 2016 Socket Buffers: R=[8192->8192] S=[8192->8192]
Sun Jan 17 01:40:10 2016 Attempting to establish TCP connection with [AF_INET]xxx.x.x.x.x.x.:x [nonblock]
Sun Jan 17 01:40:10 2016 MANAGEMENT: >STATE:1452987610,TCP_CONNECT,,,
Sun Jan 17 01:40:11 2016 TCP connection established with [AF_INET]xxx.x.x.x.x.x.:x
Sun Jan 17 01:40:11 2016 TCPv4_CLIENT link local: [undef]
Sun Jan 17 01:40:11 2016 TCPv4_CLIENT link remote: [AF_INET]xxx.x.x.x.x.x.:x
Sun Jan 17 01:40:11 2016 MANAGEMENT: >STATE:1452987611,WAIT,,,
Sun Jan 17 01:40:11 2016 MANAGEMENT: >STATE:1452987611,AUTH,,,
Sun Jan 17 01:40:11 2016 TLS: Initial packet from [AF_INET]xxx.x.x.x.x.x.:x, sid=63b52ea0 46442d78
Sun Jan 17 01:40:11 2016 Connection reset, restarting [0]
Sun Jan 17 01:40:11 2016 SIGUSR1[soft,connection-reset] received, process restarting
Sun Jan 17 01:40:11 2016 MANAGEMENT: >STATE:1452987611,RECONNECTING,connection-reset,,
Sun Jan 17 01:40:11 2016 Restart pause, 5 second(s)
Sun Jan 17 01:40:16 2016 WARNING: --ping should normally be used with --ping-restart or --ping-exit
Sun Jan 17 01:40:16 2016 Socket Buffers: R=[8192->8192] S=[8192->8192]
Sun Jan 17 01:40:16 2016 Attempting to establish TCP connection with [AF_INET]xxx.x.x.x.x.x.:x [nonblock]
Sun Jan 17 01:40:16 2016 MANAGEMENT: >STATE:1452987616,TCP_CONNECT,,,
Sun Jan 17 01:40:17 2016 TCP connection established with [AF_INET]xxx.x.x.x.x.x.:x
Sun Jan 17 01:40:17 2016 TCPv4_CLIENT link local: [undef]
Sun Jan 17 01:40:17 2016 TCPv4_CLIENT link remote: [AF_INET]xxx.x.x.x.x.x.:x
Sun Jan 17 01:40:17 2016 MANAGEMENT: >STATE:1452987617,WAIT,,,
Sun Jan 17 01:40:17 2016 MANAGEMENT: >STATE:1452987617,AUTH,,,
Sun Jan 17 01:40:17 2016 TLS: Initial packet from [AF_INET]xxx.x.x.x.x.x.:x, sid=9cfe52bf f9b60867
Sun Jan 17 01:40:17 2016 Connection reset, restarting [0]
Sun Jan 17 01:40:17 2016 SIGUSR1[soft,connection-reset] received, process restarting
Sun Jan 17 01:40:17 2016 MANAGEMENT: >STATE:1452987617,RECONNECTING,connection-reset,,
Sun Jan 17 01:40:17 2016 Restart pause, 5 second(s)
Sun Jan 17 01:40:22 2016 WARNING: --ping should normally be used with --ping-restart or --ping-exit
Sun Jan 17 01:40:22 2016 Socket Buffers: R=[8192->8192] S=[8192->8192]
Sun Jan 17 01:40:22 2016 Attempting to establish TCP connection with [AF_INET]xxx.x.x.x.x.x.:x [nonblock]
Sun Jan 17 01:40:22 2016 MANAGEMENT: >STATE:1452987622,TCP_CONNECT,,,
Sun Jan 17 01:40:23 2016 TCP connection established with [AF_INET]xxx.x.x.x.x.x.:x
Sun Jan 17 01:40:23 2016 TCPv4_CLIENT link local: [undef]
Sun Jan 17 01:40:23 2016 TCPv4_CLIENT link remote: [AF_INET]xxx.x.x.x.x.x.:x
Sun Jan 17 01:40:23 2016 MANAGEMENT: >STATE:1452987623,WAIT,,,
Sun Jan 17 01:40:23 2016 MANAGEMENT: >STATE:1452987623,AUTH,,,
Sun Jan 17 01:40:23 2016 TLS: Initial packet from [AF_INET]xxx.x.x.x.x.x.:x, sid=8938f616 5ad4f1de
Sun Jan 17 01:40:23 2016 Connection reset, restarting [0]
Sun Jan 17 01:40:23 2016 SIGUSR1[soft,connection-reset] received, process restarting
Sun Jan 17 01:40:23 2016 MANAGEMENT: >STATE:1452987623,RECONNECTING,connection-reset,,
Sun Jan 17 01:40:23 2016 Restart pause, 5 second(s)
Sun Jan 17 01:40:29 2016 WARNING: --ping should normally be used with --ping-restart or --ping-exit
Sun Jan 17 01:40:29 2016 Socket Buffers: R=[8192->8192] S=[8192->8192]
Sun Jan 17 01:40:29 2016 Attempting to establish TCP connection with [AF_INET]xxx.x.x.x.x.x.:x [nonblock]
Sun Jan 17 01:40:29 2016 MANAGEMENT: >STATE:1452987629,TCP_CONNECT,,,
Sun Jan 17 01:40:30 2016 TCP connection established with [AF_INET]xxx.x.x.x.x.x.:x
Sun Jan 17 01:40:30 2016 TCPv4_CLIENT link local: [undef]
Sun Jan 17 01:40:30 2016 TCPv4_CLIENT link remote: [AF_INET]xxx.x.x.x.x.x.:x
Sun Jan 17 01:40:30 2016 MANAGEMENT: >STATE:1452987630,WAIT,,,
Sun Jan 17 01:40:30 2016 MANAGEMENT: >STATE:1452987630,AUTH,,,
Sun Jan 17 01:40:30 2016 TLS: Initial packet from [AF_INET]xxx.x.x.x.x.x.:x, sid=6954bf90 266a238a
Sun Jan 17 01:40:30 2016 Connection reset, restarting [0]
Sun Jan 17 01:40:30 2016 SIGUSR1[soft,connection-reset] received, process restarting
Sun Jan 17 01:40:30 2016 MANAGEMENT: >STATE:1452987630,RECONNECTING,connection-reset,,
Sun Jan 17 01:40:30 2016 Restart pause, 5 second(s)
Sun Jan 17 01:40:35 2016 WARNING: --ping should normally be used with --ping-restart or --ping-exit
Sun Jan 17 01:40:35 2016 Socket Buffers: R=[8192->8192] S=[8192->8192]
Sun Jan 17 01:40:35 2016 Attempting to establish TCP connection with [AF_INET]xxx.x.x.x.x.x.:x [nonblock]
Sun Jan 17 01:40:35 2016 MANAGEMENT: >STATE:1452987635,TCP_CONNECT,,,
Sun Jan 17 01:40:36 2016 TCP connection established with [AF_INET]xxx.x.x.x.x.x.:x
Sun Jan 17 01:40:36 2016 TCPv4_CLIENT link local: [undef]
Sun Jan 17 01:40:36 2016 TCPv4_CLIENT link remote: [AF_INET]xxx.x.x.x.x.x.:x
Sun Jan 17 01:40:36 2016 MANAGEMENT: >STATE:1452987636,WAIT,,,
Sun Jan 17 01:40:36 2016 MANAGEMENT: >STATE:1452987636,AUTH,,,
Sun Jan 17 01:40:36 2016 TLS: Initial packet from [AF_INET]xxx.x.x.x.x.x.:x, sid=1f512a66 9558de31
Sun Jan 17 01:40:36 2016 Connection reset, restarting [0]
Sun Jan 17 01:40:36 2016 SIGUSR1[soft,connection-reset] received, process restarting
Sun Jan 17 01:40:36 2016 MANAGEMENT: >STATE:1452987636,RECONNECTING,connection-reset,,
Sun Jan 17 01:40:36 2016 Restart pause, 5 second(s)
Sun Jan 17 01:40:41 2016 WARNING: --ping should normally be used with --ping-restart or --ping-exit
Sun Jan 17 01:40:41 2016 Socket Buffers: R=[8192->8192] S=[8192->8192]
Sun Jan 17 01:40:41 2016 Attempting to establish TCP connection with [AF_INET]xxx.x.x.x.x.x.:x [nonblock]
Sun Jan 17 01:40:41 2016 MANAGEMENT: >STATE:1452987641,TCP_CONNECT,,,
Sun Jan 17 01:40:42 2016 SIGTERM[hard,init_instance] received, process exiting
Sun Jan 17 01:40:42 2016 MANAGEMENT: >STATE:1452987642,EXITING,init_instance,,




 
matiaszon
Member
Posts: 314
Joined: Mon Jul 09, 2012 9:26 am

Re: OpenVPN server and duplicate packets

Wed Dec 28, 2016 2:58 pm

I don't think that duplicate packets have anything to do with disconnecting. However, I can't connect using OpenVPN running on RouterOS. On the client's side it keeps saying:
Connection reset, restarting [0]
SIGUSR1[soft,connection-reset] received, process restarting
I tried signing the certificate with crl-host and without, with 4096 and 2048 key sizes, and there was no difference. I am using an RB433 and 6.37.3 (tried on 6.37.2 first). On the client side I tried 2.4.0 and 2.3.10 on Windows 10 and another client based on a Linux OS.

I tried AES 256, but 192 and 128 don't work either.

Anybody?
 
mosesjohann
just joined
Posts: 5
Joined: Mon May 30, 2016 9:50 am

Re: OpenVPN server and duplicate packets

Tue Feb 07, 2017 2:01 pm

Has anybody resolved this? I still have the error in v6.38.1. It works with neither the Ubuntu nor the Windows client. Thanks!
 
jr0dd
just joined
Posts: 2
Joined: Fri Feb 10, 2017 4:46 am

Re: OpenVPN server and duplicate packets

Fri Feb 10, 2017 3:44 pm

I'm having the same issue on my RB3011. My iPhone connects fine. My MacBook will not connect at all. I just get the duplicate packet errors flooding the log file. Frustrating. This is also with multiple client software to connect.
 
martinii
just joined
Posts: 1
Joined: Tue Feb 14, 2017 4:14 pm

Re: OpenVPN server and duplicate packets

Tue Feb 14, 2017 4:21 pm

I have the same problem. On Windows client it works but on Android clients (I tried 3 of them) I get
ovpn,debug,error,,,,debug,l2tp,,warning,,,,,firewall,,,,debug duplicate packet, dropping
 
mosesjohann
just joined
Posts: 5
Joined: Mon May 30, 2016 9:50 am

Re: OpenVPN server and duplicate packets

Thu Mar 30, 2017 12:48 pm

Hi there. I could solve the error but didn't know what I did. I just changed the user password and edited some configuration in there. After that it worked without the duplicate packet error. But now I have it again, and I tried again to edit the user info but I didn't find out what the point was. Maybe that's a hint for somebody....
 
matiaszon
Member
Posts: 314
Joined: Mon Jul 09, 2012 9:26 am

Re: OpenVPN server and duplicate packets

Thu Mar 30, 2017 12:50 pm

I thought that was the problem in my case too, but now I can connect and these messages are popping up again. I stopped bothering...
 
spaxton
Member Candidate
Posts: 181
Joined: Fri Jan 01, 2010 12:18 pm

Re: OpenVPN server and duplicate packets

Sat May 06, 2017 11:08 pm

I have the same problem with windows and android... Completely the same messages for both... Is this solved yet?


Best Regards!
 
gliepins
just joined
Posts: 5
Joined: Thu Mar 02, 2017 1:16 am

Re: OpenVPN server and duplicate packets

Thu Nov 02, 2017 7:45 pm

Yes, guys. The problem was that under "secrets" there were duplicate entries of the same username. Even though it was disabled at the time, it had to be deleted for the connection to succeed.
 
jimint
just joined
Posts: 10
Joined: Fri Aug 11, 2017 12:58 am

Re: OpenVPN server and duplicate packets

Sun Jan 21, 2018 8:32 am

Yes, guys. The problem was that under "secrets" there were duplicate entries of the same username. Even though it was disabled at the time, it had to be deleted for the connection to succeed.
That is not the solution for me. I have the same error. I connected with my Android and everything is OK, but I get the same error in my log file.
 
sutrus
newbie
Posts: 41
Joined: Fri Jun 30, 2017 11:27 pm

Re: OpenVPN server and duplicate packets

Sun Jan 21, 2018 12:23 pm

# Silence  the output of replay warnings, which are a common false
# alarm on WiFi networks.  This option preserves the  security  of
# the replay protection code without the verbosity associated with
# warnings about duplicate packets.
mute-replay-warnings
 
ashoshin
just joined
Posts: 1
Joined: Wed Dec 11, 2013 12:43 pm

Re: OpenVPN server and duplicate packets

Wed Jun 06, 2018 1:21 pm

Check the only-one property in the PPP Profile menu for the profile related to your PPP Secret.
If you use the Yes value, change it to Default.

After that there will be a second short OVPN connection and only one error string.
 
HeinoHomm
just joined
Posts: 1
Joined: Mon Nov 12, 2018 1:50 pm

Re: OpenVPN server and duplicate packets

Mon Jan 07, 2019 4:36 pm

Mikrotik log gives error:
ovpn,debug,error,l2tp,25032,54552,25032,27308,54212,25584,l2tp,info,25588,debug duplicate packet, dropping

I found solution for myself.
Windows Notepad makes OpenVPN files encoded in UTF-8 with BOM format.

OpenVPN config files should be encoded in UTF-8.
UTF-8 with BOM does not work.
 
venomtver
just joined
Posts: 1
Joined: Fri Oct 18, 2019 12:23 pm

Re: OpenVPN server and duplicate packets

Fri Oct 18, 2019 12:32 pm

It seems I found the solution. First of all there was a problem
<remote peer uses tap encapsulation while we- tun> - so here you should change OVPN config file like
client
dev tun - here is that field
proto tcp/udp "and so on"
Then there was <unsupported cipher>
I googled that problem and found that it's here -> PPP/OVPN Server/cipher -> I marked all the kinds of encryption, even null.
After that, it started working. Not sure, if it's secure to use null, but it helped.
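
Added example, not part of any post in this thread: several replies above trace failures to the client configuration file (LZO compression, a UTF-8 BOM written by Notepad, tap versus tun, and the null cipher, which leaves tunnel traffic unencrypted). The Python sketch below checks a client config for those four conditions and shows how a BOM mangles the first keyword. The function names, finding codes and sample config are made up for illustration, and flagging every `comp-lzo` line regardless of its argument is an assumption.

```python
import codecs

# Constructed sample client config (hypothetical host name), saved the way
# Notepad's "UTF-8 with BOM" option would write it.
SAMPLE_BAD = codecs.BOM_UTF8 + (
    b"client\n"
    b"dev tap\n"
    b"proto tcp\n"
    b"remote vpn.example.net 1194\n"
    b"comp-lzo\n"
    b"cipher none\n"
    b"auth SHA1\n"
)

# The same constructed config with the four findings corrected.
SAMPLE_GOOD = (
    b"client\n"
    b"dev tun\n"
    b"proto tcp\n"
    b"remote vpn.example.net 1194\n"
    b"cipher AES-256-CBC\n"
    b"auth SHA1\n"
)


def strip_bom(raw):
    """Return the config bytes without a leading UTF-8 byte order mark."""
    if raw.startswith(codecs.BOM_UTF8):
        return raw[len(codecs.BOM_UTF8):]
    return raw


def directives(text):
    """Yield (line_number, tokens) for each non-comment line of the config."""
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if line and line[0] not in "#;":
            yield lineno, line.split()


def lint_client_config(raw, server_dev="tun"):
    """Return [(code, line, message)] for the conditions named in the thread."""
    findings = []
    if raw.startswith(codecs.BOM_UTF8):
        # Decoded as plain UTF-8, the BOM becomes U+FEFF glued to the first
        # keyword, so a parser no longer sees a known directive there.
        seen_as = raw.decode("utf-8", errors="replace").split(maxsplit=1)[0]
        findings.append(("bom", 1, f"first keyword is read as {seen_as!r}"))
    text = strip_bom(raw).decode("utf-8", errors="replace")
    for lineno, tokens in directives(text):
        name, args = tokens[0], tokens[1:]
        if name == "dev" and args:
            kind = args[0][:3]                 # "tun0" -> "tun", "tap" -> "tap"
            if kind in ("tun", "tap") and kind != server_dev:
                findings.append(("dev-mismatch", lineno,
                                 f"client uses {kind}, server uses {server_dev}"))
        elif name == "comp-lzo":
            # Assumption: the server expects no compression at all.
            findings.append(("lzo", lineno, "LZO compression directive present"))
        elif name == "cipher" and args and args[0].lower() == "none":
            findings.append(("null-cipher", lineno,
                             "data channel would be sent unencrypted"))
    return findings


if __name__ == "__main__":
    for code, lineno, message in lint_client_config(SAMPLE_BAD):
        print(f"line {lineno}: {code}: {message}")
```

Pass `server_dev="tap"` when the server side is configured for tap rather than tun.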
 
plam40
newbie
Posts: 29
Joined: Tue Feb 21, 2006 1:27 pm
Location: Greece

Re: OpenVPN server and duplicate packets

Mon Oct 28, 2019 12:43 pm

SOLUTION: In my case the issue was caused by the MTU being too big for the line (the line had a limit set). Try lowering the MTU on the client side:

tun-mtu 1300 (you can go even lower, depending on your case)

I suspect that with the MAX MTU there was packet fragmentation happening!

BR,
Plamen
 
tmaamt
just joined
Posts: 1
Joined: Fri Jun 19, 2020 5:00 pm

Re: OpenVPN server and duplicate packets

Fri Jun 19, 2020 5:50 pm

I had the same problem until I set the Common Name (CN) when adding the certificate. The Common Name must be the same as your public IP, or your DDNS domain if you use MikroTik cloud, for both the CA and the server.
 
SEJohnsen
newbie
Posts: 39
Joined: Wed Aug 26, 2020 11:50 pm

Re: OpenVPN server and duplicate packets

Thu Sep 10, 2020 8:25 pm

This is an old thread but from the posts appears to be an ongoing issue. I appear to be having the exact same problem that Kraken described. I set up OpenVPN Server on my RouterBoard 750G r2 running RouterOS v6.47.3 (current version as of 10 Sept 2020), and I am connecting to it with a Windows 7 Professional laptop running the latest version of the OpenVPN Windows client. I can connect just fine, without any errors on the client or server side, but immediately after connecting the RB logs two "duplicate packet" errors and disconnects me.

I've tried a number of the troubleshooting steps posted above.
  • Combining the key files did not work; however, I installed my CA as a trusted cert on my laptop.
  • The L2TP server is not enabled, even though it shows up in my config export; only OpenVPN server is enabled.
  • The certificates are all recognized.
  • There is no duplicate user in PPP->Secret
  • In the PPP Profile, "Only One" is set to "default"
  • My Windows config file is UTF-8 not BOM
  • I tried setting tun-mtu 1300 on the client side. This did not fix the problem, and instead generated errors: WARNING: normally if you use --mssfix and/or --fragment, you should also set --tun-mtu 1500 (currently it is 1300)
  • I have no interfaces with a conflicting IP address
  • I've currently enabled all the ciphers in PPP-->OpenVPN Server even though I don't need them
  • There is only one PPP Profile with IP address 192.168.8.1
  • Interface-->OpenVPN Server is associated with my OpenVPNuser.
  • I have the latest firmware
I am using a self-signed CA cert generated by the RB, and a server cert and client cert signed by my CA. Both my CA and server cert are trusted. I have a static IP address with a FQDN.

I am posting my RB config and OpenVPN client config in case anyone has any further suggestions for me, or in case it helps someone else with troubleshooting in the future.

RB config:
# sep/10/2020 10:11:50 by RouterOS 6.47.3
# software id = L773-USV1
# model = RouterBOARD 750G r2

/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway speed=100Mbps
set [ find default-name=ether2 ] arp=proxy-arp name=ether2-vlan speed=100Mbps
set [ find default-name=ether3 ] name=ether3-subnet3 speed=100Mbps
set [ find default-name=ether4 ] name=ether4-admin speed=100Mbps
set [ find default-name=ether5 ] disabled=yes name=ether5-subnet2 speed=100Mbps

/interface vlan
add interface=ether2-vlan name="vlan13 Work" vlan-id=13
add interface=ether2-vlan name="vlan14 Family" vlan-id=14

/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
add name=WAN

/ip pool
add name=dhcp_vpn ranges=192.168.8.90-192.168.8.254
add name=dhcp_pool3 ranges=192.168.3.151-192.168.3.180
add name=dhcp_pool4 ranges=192.168.4.151-192.168.4.180

/ip dhcp-server
add address-pool=dhcp_pool3 authoritative=after-10sec-delay interface="vlan13 Work" lease-time=6h name=dhcp3
add address-pool=dhcp_pool4 authoritative=after-2sec-delay disabled=no interface="vlan14 Family" lease-time=6h name=dhcp4
add address-pool=dhcp_vpn disabled=no lease-time=6h name=dhcp18

/ppp profile
add local-address=192.168.8.1 name=OpenVPNuser remote-address=dhcp_vpn

/ip neighbor discovery-settings
set discover-interface-list=discover

/interface l2tp-server server
set authentication=mschap1,mschap2 ipsec-secret=asdfghjkl; use-ipsec=yes

/interface ovpn-server server
set auth=sha1 certificate=cmmoffice cipher=blowfish128,aes128,aes192,aes256 default-profile=OpenVPNuser enabled=yes require-client-certificate=yes

/interface sstp-server server
set default-profile=default-encryption

/interface list member
add interface=ether1-gateway list=WAN
add interface=ether2-vlan list=discover
add interface=ether3-subnet3 list=discover
add interface=ether4-admin list=discover
add interface=ether5-subnet2 list=discover
add interface="vlan13 Work" list=discover
add interface="vlan14 Family" list=discover
add interface=ether2-vlan list=mactel
add interface=ether2-vlan list=mac-winbox
add interface=ether3-subnet3 list=mactel
add interface=ether3-subnet3 list=mac-winbox
add interface=ether4-admin list=mactel
add interface=ether4-admin list=mac-winbox
add interface=ether5-subnet2 list=mactel
add interface=ether5-subnet2 list=mac-winbox
add list=mactel
add list=discover

/ip address
add address=192.168.3.1/24 interface="vlan13 Work" network=192.168.3.0
add address=192.168.4.1/24 interface="vlan14 Family" network=192.168.4.0
add address=192.168.1.1/24 comment="Management port" interface=ether2-vlan network=192.168.1.0

/ip dhcp-server network
add address=192.168.3.0/24 dns-server=192.168.3.10,75.75.75.75,75.75.76.76 domain=cmmoffice.net gateway=192.168.3.1
add address=192.168.4.0/24 dns-server=192.168.4.10,75.75.75.75 domain=cmmoffice.net gateway=192.168.4.1 netmask=24
add address=192.168.8.0/24 dns-server=192.168.8.10 gateway=192.168.8.1

/ip firewall filter
add action=accept chain=input comment="default configuration - related established input" connection-state=established,related
add action=accept chain=input comment="default configuration - allow ping etc." protocol=icmp
add action=accept chain=input comment="Allow OpenVPN" dst-port=1194 log=yes log-prefix="OVPN " protocol=tcp
add action=drop chain=input comment="default configuration" in-interface=ether1-gateway
add action=accept chain=forward comment="default configuration - forward established related" connection-state=established,related
add action=accept chain=forward comment="Allow LinkStation on VLAN13 to be accessed by family" dst-address=192.168.3.25 in-interface="vlan14 Family" out-interface="vlan13 Work"
add action=accept chain=forward comment="Allow printer to be accessed by family" dst-address=192.168.3.22 in-interface="vlan14 Family"
add action=reject chain=forward comment="Block intra-VLAN traffic" in-interface=all-vlan out-interface=all-vlan reject-with=icmp-host-prohibited
add action=drop chain=forward comment="default configuration - drop invalid forward" connection-state=invalid
add action=drop chain=forward comment="default configuration" connection-nat-state=!dstnat connection-state=new in-interface=ether1-gateway

/ip firewall nat
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.8.0/24
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway

/ppp secret
add local-address=192.168.8.1 name=Steve password="xxxxxxxxxxxxx" profile=OpenVPNuser service=ovpn

/system logging
add prefix="L2TPDBG===>" topics=l2tp
add prefix="IPSECDBG===>" topics=ipsec

/tool mac-server
set allowed-interface-list=mactel

/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
Windows OpenVPN client config:
#Template client.ovpnclient
client
dev tun
#added this line to try to fix errors; does not help:
#tun-mtu 1300
proto tcp-client
remote my.fqdn.com
port 1194
nobind
persist-key
persist-tun
tls-client
remote-cert-tls server
ca workca2.crt
cert mylaptopovpn.crt
key mylaptopovpn.key
verb 4
mute 10
#cipher AES-256-CBC
#upgrade the cipher
cipher AES-256-GCM
#My server uses sha1, not md5
auth SHA1
auth-user-pass pppuser.txt
auth-nocache
In the OpenVPN client, the log file shows these lines over and over again:
Sun Sep 06 15:24:25 2020 Re-using SSL/TLS context
Sun Sep 06 15:24:25 2020 Control Channel MTU parms ( L:1623 D:1210 EF:40 EB:0 ET:0 EL:3 )
Sun Sep 06 15:24:25 2020 MANAGEMENT: >STATE:1599427465,RESOLVE,,,,,,
Sun Sep 06 15:24:25 2020 Data Channel MTU parms ( L:1623 D:1450 EF:123 EB:406 ET:0 EL:3 )
Sun Sep 06 15:24:25 2020 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1551,tun-mtu 1500,proto TCPv4_CLIENT,cipher AES-256-GCM,auth (null-digest),keysize 256,key-method 2,tls-client'
Sun Sep 06 15:24:25 2020 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1551,tun-mtu 1500,proto TCPv4_SERVER,cipher AES-256-GCM,auth (null-digest),keysize 256,key-method 2,tls-server'
Sun Sep 06 15:24:25 2020 TCP/UDP: Preserving recently used remote address: (AF_INET)50.250.27.111:1194
Sun Sep 06 15:24:25 2020 Socket Buffers: R=(8192->8192) S=(8192->8192)
Sun Sep 06 15:24:25 2020 Attempting to establish TCP connection with (AF_INET)50.250.27.111:1194 (nonblock)
Sun Sep 06 15:24:25 2020 MANAGEMENT: >STATE:1599427465,TCP_CONNECT,,,,,,
Sun Sep 06 15:24:26 2020 TCP connection established with (AF_INET)50.250.27.111:1194
Sun Sep 06 15:24:26 2020 TCP_CLIENT link local: (not bound)
Sun Sep 06 15:24:26 2020 TCP_CLIENT link remote: (AF_INET)50.250.27.111:1194
Sun Sep 06 15:24:26 2020 MANAGEMENT: >STATE:1599427466,WAIT,,,,,,
Sun Sep 06 15:24:26 2020 MANAGEMENT: >STATE:1599427466,AUTH,,,,,,
Sun Sep 06 15:24:26 2020 TLS: Initial packet from (AF_INET)50.250.27.111:1194, sid=d31f162a 6dbdeb1b
Sun Sep 06 15:24:27 2020 VERIFY OK: depth=1, C=US, ST=Colorado, L=Arvada, O=CMMLLC, CN=CMMLLC
Sun Sep 06 15:24:27 2020 VERIFY KU OK
Sun Sep 06 15:24:27 2020 Validating certificate extended key usage
Sun Sep 06 15:24:27 2020 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Sun Sep 06 15:24:27 2020 VERIFY EKU OK
Sun Sep 06 15:24:27 2020 VERIFY OK: depth=0, C=US, ST=Colorado, L=Arvada, O=CMMLLC, CN=CMM
Sun Sep 06 15:24:28 2020 Connection reset, restarting (0)
Sun Sep 06 15:24:28 2020 TCP/UDP: Closing socket
Sun Sep 06 15:24:28 2020 SIGUSR1(soft,connection-reset) received, process restarting
Sun Sep 06 15:24:28 2020 MANAGEMENT: >STATE:1599427468,RECONNECTING,connection-reset,,,,,
Sun Sep 06 15:24:28 2020 Restart pause, 5 second(s)
and on the server side, I see this in the log, over and over again:
975 Sep/06/2020 15:24:03 memory ovpn, info TCP connection established from 65.114.202.254
976 Sep/06/2020 15:24:03 memory firewall, info OVPN input: in:ether1-gateway out:(unknown 0), src-mac 00:x8:xx:xx:xx:3x, proto TCP (SYN), 65.114.202.254:49368->50.250.27.111:1194, len 52
977 Sep/06/2020 15:24:04 memory ovpn, debug, error, unknown, unknown, unknown, unknown, unknown, unknown, unknown, unknown, l2tp, info, unknown, debug, unknown, unknown, critical, unknown, unknown, unknown, unknown, unknown, unknown, unknown, unknown, unknown, unknown, unknown, unknown, error duplicate packet, dropping
978 Sep/06/2020 15:24:04 memory ovpn, debug, error, unknown, unknown, unknown, unknown, unknown, unknown, unknown, unknown, l2tp, info, unknown, debug, unknown, unknown, critical, unknown, unknown, unknown, unknown, unknown, unknown, unknown, unknown, unknown, unknown, unknown, unknown, error L2TPDBG===>: duplicate packet, dropping
Thanks for any suggestions you can provide!
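
Added example (not part of any post above, and not MikroTik or OpenVPN code): a small Python check for the mismatches raised in this thread, namely tun/tap, a client cipher outside the server's enabled list, and `null` left enabled on the server. The RouterOS-to-OpenVPN cipher name mapping and the default `mode=ip` are assumptions, the first input pair is copied from the configs posted above, and the second pair is constructed.

```python
import re

# Assumption: RouterOS 6 cipher names map to these OpenVPN cipher names.
ROS_TO_OVPN = {"blowfish128": "BF-CBC", "aes128": "AES-128-CBC",
               "aes192": "AES-192-CBC", "aes256": "AES-256-CBC", "null": "none"}

def parse_server(export):
    """Settings from the 'set' line under '/interface ovpn-server server'."""
    lines = export.splitlines()
    for i, line in enumerate(lines[:-1]):
        if line.strip() == "/interface ovpn-server server":
            return dict(re.findall(r"([\w-]+)=(\S+)", lines[i + 1]))
    return {}

def parse_client(conf):
    """OpenVPN directives as {name: argument}; '#' comments are dropped."""
    out = {}
    for line in conf.splitlines():
        name, _, arg = line.split("#", 1)[0].strip().partition(" ")
        if name:
            out[name] = arg.strip()
    return out

def audit(export, conf):
    """Return a list of findings for one server export / client config pair."""
    srv, cli = parse_server(export), parse_client(conf)
    offered = [ROS_TO_OVPN.get(c, c) for c in srv.get("cipher", "").split(",") if c]
    findings = []
    if "none" in offered:
        findings.append("server enables cipher=null: data channel may be unencrypted")
    if "null" in srv.get("auth", "").split(","):
        findings.append("server enables auth=null: packets may be unauthenticated")
    if cli.get("cipher") and cli["cipher"] not in offered:
        findings.append(f"client cipher {cli['cipher']} not in server list {offered}")
    # Assumption: an export without mode= means mode=ip (tun); mode=ethernet is tap.
    if cli.get("dev", "").startswith("tap") != (srv.get("mode", "ip") == "ethernet"):
        findings.append("tun/tap mismatch between client dev and server mode")
    return findings

# Server line and client directives as posted in the thread.
POSTED_SERVER = """/interface ovpn-server server
set auth=sha1 certificate=cmmoffice cipher=blowfish128,aes128,aes192,aes256 default-profile=OpenVPNuser enabled=yes require-client-certificate=yes"""
POSTED_CLIENT = "client\ndev tun\nproto tcp-client\n#cipher AES-256-CBC\ncipher AES-256-GCM\nauth SHA1\n"

# Constructed input: every cipher ticked "even null", and a tap client.
NULL_SERVER = "/interface ovpn-server server\nset auth=sha1,null cipher=null,aes256 enabled=yes"
TAP_CLIENT = "client\ndev tap\ncipher AES-256-CBC\n"

if __name__ == "__main__":
    for f in audit(POSTED_SERVER, POSTED_CLIENT) + audit(NULL_SERVER, TAP_CLIENT):
        print("-", f)
```

A finding here is a configuration inconsistency to review, not a confirmed cause of the "duplicate packet" disconnects.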
