gotchagomez
just joined
Topic Author
Posts: 5
Joined: Tue Jun 02, 2020 3:16 pm

Ovpn unsupported auth digest

Fri Mar 24, 2023 4:40 pm

Hello,
I'm trying to connect a hAP ac^3 to an OpenVPN. I can see the client authenticated at the server, but then it automatically gets disconnected, showing this in the log:
ovpn-IMDPruebas: initializing...
ovpn-IMDPruebas: connecting...
ovpn-IMDPruebas: disconnected <unsupported auth digest>
ovpn-IMDPruebas: terminating... - unsupported auth digest
I tried with tcp and udp, with the same result.

The Ovpn server config is:
local 192.168.1.250
port 1194
proto tcp
dev tun
ca "C:\\Program Files\\OpenVPN\\config-auto\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config-auto\\servidor.crt"
key "C:\\Program Files\\OpenVPN\\config-auto\\servidor.key"  # This file should be kept secret
dh "C:\\Program Files\\OpenVPN\\config-auto\\dh.pem"
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.1.0 255.255.255.0"
script-security 3
auth-user-pass-verify 'C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe -ExecutionPolicy Bypass -File "C:\\Program Files\\OpenVPN\\config-auto\\adauth.ps1"' via-file
username-as-common-name
push "dhcp-option DNS 192.168.1.250"
keepalive 10 120
cipher AES-256-GCM
data-ciphers AES-256-GCM
auth SHA256
persist-key
persist-tun
log         "C:\\Program Files\\OpenVPN\\log\\openvpn.log"
verb 6
mute 20
explicit-exit-notify 1
The MikroTik ovpn client is:
 0 X   name="ovpn-IMDPruebas" mac-address=02:1F:8E:9F:DA:CD max-mtu=1500 
       connect-to=192.168.0.3 port=1194 mode=ip protocol=tcp 
       user="XXXXXX" password="XXXXXX" profile=default-encryption 
       certificate=imdoficina verify-server-certificate=yes tls-version=any 
       auth=sha256 cipher=aes256-gcm use-peer-dns=yes add-default-route=no 
       route-nopull=yes 
The Ovpn Server says:
OpenVPN CLIENT LIST
Updated,2023-03-24 13:32:09
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
imdoficina,192.168.1.1:32835,2969,2614,2023-03-24 13:31:58
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.3,imdoficina,192.168.1.1:32835,2023-03-24 13:31:59
GLOBAL STATS
Max bcast/mcast queue length,2
END
OpenVPN Server Log:
2023-03-24 14:09:15 us=812000 MULTI: multi_create_instance called
2023-03-24 14:09:15 us=812000 Re-using SSL/TLS context
2023-03-24 14:09:15 us=812000 Control Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1250 tun_max_mtu:0 headroom:126 payload:1600 tailroom:126 ET:0 ]
2023-03-24 14:09:15 us=812000 Data Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1500 tun_max_mtu:1600 headroom:136 payload:1768 tailroom:562 ET:0 ]
2023-03-24 14:09:15 us=812000 TCP connection established with [AF_INET]192.168.1.1:39930
2023-03-24 14:09:15 us=812000 TCPv4_SERVER link local: (not bound)
2023-03-24 14:09:15 us=812000 TCPv4_SERVER link remote: [AF_INET]192.168.1.1:39930
2023-03-24 14:09:15 us=812000 192.168.1.1:39930 TCPv4_SERVER READ [14] from [AF_INET]192.168.1.1:39930: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
2023-03-24 14:09:15 us=812000 192.168.1.1:39930 TLS: Initial packet from [AF_INET]192.168.1.1:39930, sid=7a36cabe 4d0ec405
2023-03-24 14:09:15 us=812000 192.168.1.1:39930 TCPv4_SERVER WRITE [26] to [AF_INET]192.168.1.1:39930: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ 0 ] pid=0 DATA len=0
2023-03-24 14:09:15 us=828000 192.168.1.1:39930 TCPv4_SERVER READ [22] from [AF_INET]192.168.1.1:39930: P_ACK_V1 kid=0 [ 0 ] DATA len=0
2023-03-24 14:09:15 us=843000 192.168.1.1:39930 TCPv4_SERVER READ [150] from [AF_INET]192.168.1.1:39930: P_CONTROL_V1 kid=0 [ ] pid=1 DATA len=136
2023-03-24 14:09:15 us=843000 192.168.1.1:39930 TCPv4_SERVER WRITE [1222] to [AF_INET]192.168.1.1:39930: P_CONTROL_V1 kid=0 [ 1 0 ] pid=1 DATA len=1192
2023-03-24 14:09:15 us=843000 192.168.1.1:39930 TCPv4_SERVER WRITE [982] to [AF_INET]192.168.1.1:39930: P_CONTROL_V1 kid=0 [ 1 0 ] pid=2 DATA len=952
2023-03-24 14:09:15 us=843000 192.168.1.1:39930 TCPv4_SERVER READ [22] from [AF_INET]192.168.1.1:39930: P_ACK_V1 kid=0 [ 1 ] DATA len=0
2023-03-24 14:09:15 us=875000 192.168.1.1:39930 NOTE: --mute triggered...
2023-03-24 14:09:16 us=109000 192.168.1.1:39930 4 variation(s) on previous 20 message(s) suppressed by --mute
2023-03-24 14:09:16 us=109000 192.168.1.1:39930 VERIFY OK: depth=1, CN=CA
2023-03-24 14:09:16 us=109000 192.168.1.1:39930 VERIFY OK: depth=0, CN=imdoficina
2023-03-24 14:09:16 us=109000 192.168.1.1:39930 TCPv4_SERVER WRITE [89] to [AF_INET]192.168.1.1:39930: P_CONTROL_V1 kid=0 [ 3 2 1 0 ] pid=3 DATA len=51
2023-03-24 14:09:16 us=109000 192.168.1.1:39930 TCPv4_SERVER READ [22] from [AF_INET]192.168.1.1:39930: P_ACK_V1 kid=0 [ 3 ] DATA len=0
2023-03-24 14:09:16 us=140000 192.168.1.1:39930 TCPv4_SERVER READ [319] from [AF_INET]192.168.1.1:39930: P_CONTROL_V1 kid=0 [ ] pid=4 DATA len=305
2023-03-24 14:09:16 us=140000 192.168.1.1:39930 env_block: add PATH=C:\WINDOWS\System32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
2023-03-24 14:09:17 us=312000 192.168.1.1:39930 TLS: Username/Password authentication succeeded for username 'imdoficina' 
2023-03-24 14:09:17 us=312000 192.168.1.1:39930 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
2023-03-24 14:09:17 us=312000 192.168.1.1:39930 TLS: tls_multi_process: initial untrusted session promoted to trusted
2023-03-24 14:09:17 us=312000 192.168.1.1:39930 TCPv4_SERVER WRITE [280] to [AF_INET]192.168.1.1:39930: P_CONTROL_V1 kid=0 [ 4 3 2 1 ] pid=4 DATA len=242
2023-03-24 14:09:17 us=312000 192.168.1.1:39930 TCPv4_SERVER READ [319] from [AF_INET]192.168.1.1:39930: P_CONTROL_V1 kid=0 [ ] pid=4 DATA len=305
2023-03-24 14:09:17 us=312000 192.168.1.1:39930 TCPv4_SERVER WRITE [38] to [AF_INET]192.168.1.1:39930: P_ACK_V1 kid=0 [ 4 3 2 1 0 ] DATA len=0
2023-03-24 14:09:17 us=312000 192.168.1.1:39930 TCPv4_SERVER READ [22] from [AF_INET]192.168.1.1:39930: P_ACK_V1 kid=0 [ 4 ] DATA len=0
2023-03-24 14:09:17 us=312000 192.168.1.1:39930 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
2023-03-24 14:09:17 us=312000 192.168.1.1:39930 [imdoficina] Peer Connection Initiated with [AF_INET]192.168.1.1:39930
2023-03-24 14:09:17 us=312000 imdoficina/192.168.1.1:39930 MULTI_sva: pool returned IPv4=10.8.0.3, IPv6=(Not enabled)
2023-03-24 14:09:17 us=312000 imdoficina/192.168.1.1:39930 MULTI: Learn: 10.8.0.3 -> imdoficina/192.168.1.1:39930
2023-03-24 14:09:17 us=312000 imdoficina/192.168.1.1:39930 MULTI: primary virtual IP for imdoficina/192.168.1.1:39930: 10.8.0.3
2023-03-24 14:09:17 us=312000 imdoficina/192.168.1.1:39930 Data Channel MTU parms [ mss_fix:1389 max_frag:0 tun_mtu:1500 tun_max_mtu:1600 headroom:136 payload:1768 tailroom:562 ET:0 ]
2023-03-24 14:09:17 us=312000 imdoficina/192.168.1.1:39930 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2023-03-24 14:09:17 us=312000 imdoficina/192.168.1.1:39930 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2023-03-24 14:09:17 us=312000 imdoficina/192.168.1.1:39930 Connection reset, restarting [0]
2023-03-24 14:09:17 us=312000 imdoficina/192.168.1.1:39930 SIGUSR1[soft,connection-reset] received, client-instance restarting
2023-03-24 14:09:17 us=312000 TCP/UDP: Closing socket
A Windows client connects without problems. I also tried with a custom profile at PPP but the result is the same.
The script at the Ovpn server is for authenticating users from the AD. Also, the script log shows the client authenticates correctly.
[03/24/2023 02:09:17 ] [info ] [imdoficina] Authentication successful
[03/24/2023 02:09:05 ] [info ] [imdoficina] Authentication successful
[03/24/2023 02:08:54 ] [info ] [imdoficina] Authentication successful
[03/24/2023 02:08:42 ] [info ] [imdoficina] Authentication successful

Can anyone give me a clue of the issue?
 
pe1chl
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Ovpn unsupported auth digest

Fri Mar 24, 2023 5:00 pm

MikroTik "ovpn" is not the same as "OpenVPN"... sometimes the two can connect to each other, but often not. It depends on exact settings.
 
optio
Long time Member
Posts: 655
Joined: Mon Dec 26, 2022 2:57 pm

Re: Ovpn unsupported auth digest

Fri Mar 24, 2023 5:12 pm

Did you try with duplicate-cn in OpenVPN client configuration?
 
gotchagomez
just joined
Topic Author
Posts: 5
Joined: Tue Jun 02, 2020 3:16 pm

Re: Ovpn unsupported auth digest

Fri Mar 24, 2023 6:48 pm

Did you try with duplicate-cn in OpenVPN client configuration?
Duplicate-cn is to allow more than one client with the same certificate.
I have just tried it anyway but I get the same error.
 
optio
Long time Member
Posts: 655
Joined: Mon Dec 26, 2022 2:57 pm

Re: Ovpn unsupported auth digest

Fri Mar 24, 2023 6:58 pm

Hard to tell then, try to enable log debug topic for ovpn on ROS and see what it shows.
 
gotchagomez
just joined
Topic Author
Posts: 5
Joined: Tue Jun 02, 2020 3:16 pm

Re: Ovpn unsupported auth digest

Mon Mar 27, 2023 9:11 pm

For me, nonsense:
 20:09:09 ovpn,info ovpn-IMDPruebas: initializing...
 20:09:09 ovpn,info ovpn-IMDPruebas: connecting...
 20:09:09 ovpn,debug,packet sent P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=ca9a9edc29df42e pid=0 DATA len=0
 20:09:09 ovpn,debug,packet rcvd P_CONTROL_HARD_RESET_SERVER_V2 kid=0 sid=f88ff89db79bdd92 [0 sid=ca9a9edc29df42e] pid=0 DATA len=0
 20:09:09 ovpn,debug,packet sent P_ACK kid=0 sid=ca9a9edc29df42e [0 sid=f88ff89db79bdd92] DATA len=0
 20:09:09 ovpn,debug,packet sent P_CONTROL kid=0 sid=ca9a9edc29df42e pid=1 DATA len=136
 20:09:09 ovpn,debug,packet rcvd P_CONTROL kid=0 sid=f88ff89db79bdd92 [1 sid=ca9a9edc29df42e] pid=1 DATA len=1196
 20:09:09 ovpn,debug,packet sent P_ACK kid=0 sid=ca9a9edc29df42e [1 sid=f88ff89db79bdd92] DATA len=0
 20:09:09 ovpn,debug,packet rcvd P_CONTROL kid=0 sid=f88ff89db79bdd92 [1 sid=ca9a9edc29df42e] pid=2 DATA len=948
 20:09:09 ovpn,debug,packet sent P_ACK kid=0 sid=ca9a9edc29df42e [2 sid=f88ff89db79bdd92] DATA len=0
 20:09:09 ovpn,debug,packet sent P_CONTROL kid=0 sid=ca9a9edc29df42e pid=2 DATA len=1400
 20:09:09 ovpn,debug,packet sent P_CONTROL kid=0 sid=ca9a9edc29df42e pid=3 DATA len=643
 20:09:09 ovpn,debug,packet rcvd P_ACK kid=0 sid=f88ff89db79bdd92 [2,1 sid=ca9a9edc29df42e] DATA len=0
 20:09:09 ovpn,debug,packet rcvd P_CONTROL kid=0 sid=f88ff89db79bdd92 [3,2,1 sid=ca9a9edc29df42e] pid=3 DATA len=51
 20:09:09 ovpn,debug,packet sent P_ACK kid=0 sid=ca9a9edc29df42e [3 sid=f88ff89db79bdd92] DATA len=0
 20:09:09 ovpn,debug,packet sent P_CONTROL kid=0 sid=ca9a9edc29df42e pid=4 DATA len=305
 20:09:10 ovpn,debug,packet re-sent P_CONTROL kid=0 sid=ca9a9edc29df42e pid=4 DATA len=305
 20:09:10 ovpn,debug,packet rcvd P_CONTROL kid=0 sid=f88ff89db79bdd92 [4,3,2,1 sid=ca9a9edc29df42e] pid=4 DATA len=235
 20:09:10 ovpn,debug,packet sent P_ACK kid=0 sid=ca9a9edc29df42e [4 sid=f88ff89db79bdd92] DATA len=0
 20:09:10 ovpn,debug,packet rcvd P_ACK kid=0 sid=f88ff89db79bdd92 [4,3,2,1 sid=ca9a9edc29df42e] DATA len=0
 20:09:10 ovpn,info ovpn-IMDPruebas: disconnected <unsupported auth digest>
 20:09:10 ovpn,info ovpn-IMDPruebas: terminating... - unsupported auth digest
 20:09:10 ovpn,info ovpn-IMDPruebas: disconnected
 
optio
Long time Member
Posts: 655
Joined: Mon Dec 26, 2022 2:57 pm

Re: Ovpn unsupported auth digest  [SOLVED]

Mon Mar 27, 2023 9:47 pm

From documentation https://help.mikrotik.com/docs/display/ROS/OpenVPN:
cipher (null | aes128-cbc | aes128-gcm | aes192-cbc | aes192-gcm | aes256-cbc | aes256-gcm | blowfish128; Default: blowfish128)
Allowed ciphers. In order to use GCM type ciphers, the "auth" parameter must be set to "null", because GCM cipher is also responsible for "auth", if used.
You have in config:
auth=sha256
which is causing a problem for the cipher you have set (aes256-gcm). Check also if other config and client parameters are aligned with the doc...
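
An added example, not part of the original posts and not MikroTik's own tooling: a Python check that reads `/interface ovpn-client print` output like the one in the first post and applies the documentation rule quoted above (GCM ciphers need `auth=null`). It goes slightly beyond the thread by also flagging the reverse mistake, `auth=null` with a non-GCM cipher; the function names and the two extra sample entries are assumptions.

```python
import re

GCM_CIPHERS = {"aes128-gcm", "aes192-gcm", "aes256-gcm"}  # from the quoted doc line

def parse_entries(text):
    """Split `/interface ovpn-client print` output into one dict per entry."""
    entries = []
    for chunk in re.split(r"(?m)^\s*\d+\s", text):  # entries start with an index
        pairs = re.findall(r'([\w-]+)=("[^"]*"|\S+)', chunk)
        if pairs:
            entries.append({k: v.strip('"') for k, v in pairs})
    return entries

def audit(text):
    """Return {entry name: [findings]} for cipher/auth combinations."""
    report = {}
    for e in parse_entries(text):
        cipher = e.get("cipher", "blowfish128")  # default per the quoted doc
        auth = e.get("auth", "<not shown>")
        findings = []
        if cipher in GCM_CIPHERS:
            if auth != "null":  # the mismatch that produced the error in this thread
                findings.append(f"cipher={cipher} requires auth=null, found auth={auth}")
        elif cipher == "null":
            findings.append("cipher=null: data channel is not encrypted")
        else:
            if auth == "null":  # CBC/Blowfish carry no built-in authentication
                findings.append(f"cipher={cipher} with auth=null: no integrity protection")
            if cipher == "blowfish128":
                findings.append("cipher=blowfish128: 64-bit block cipher, prefer AES-GCM")
        report[e.get("name", "?")] = findings
    return report

# Constructed sample: the entry from the thread plus two hypothetical variants.
SAMPLE = '''
 0 X   name="ovpn-IMDPruebas" mac-address=02:1F:8E:9F:DA:CD max-mtu=1500
       connect-to=192.168.0.3 port=1194 mode=ip protocol=tcp
       auth=sha256 cipher=aes256-gcm use-peer-dns=yes add-default-route=no
 1     name="fixed" connect-to=192.168.0.3 port=1194
       auth=null cipher=aes256-gcm
 2     name="cbc-noauth" connect-to=192.168.0.3 port=1194
       auth=null cipher=aes256-cbc
'''

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name, "->", findings or "ok")
```

On the OpenVPN server side the `auth SHA256` line can stay: with an AEAD cipher such as AES-256-GCM, OpenVPN ignores `--auth` for the data channel.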
 
gotchagomez
just joined
Topic Author
Posts: 5
Joined: Tue Jun 02, 2020 3:16 pm

Re: Ovpn unsupported auth digest

Tue Mar 28, 2023 12:50 am

Thanks so much Optio.
That was the problem. I have just tested and now it is connected.
I can't remember how many times I had read the documentation and I didn't take notice of this line. I just assumed that auth is auth.
