#1 Tom

    Smoothwall VPN Problems TLS/Auth error after authentication changes

    I've got a smoothguardian and am using the SSL OpenVPN connections.

    At some point over the last couple of days (not sure exactly when) it has stopped working.

    When I try to connect from my client PC, OpenVPN fails on authentication, and doesn't let anybody on anymore.
    There are also errors showing in the log on the server.

    Can anybody offer any advice as to whether this is a server issue or a problem with the broadband connection into the Smoothwall? It goes through various LEA routers and NAT stuff to get into the school.

    Yesterday I changed some authentication settings on the Smoothwall (but no other settings) to point to a new Windows DC rather than an old one which is being retired (it is authenticating from an Active Directory, and I changed the primary server name in Smoothwall).
    It is authenticating fine internally for web browsing after my changes, and the tests run through fine. Do I need to do something to the VPN settings to make it resync with the new DC?
    I didn't change any AD structures, just pointed it to another DC. It still has all the correct VPN groups showing on the Smoothwall. The VPN users can still browse the net internally in school without auth errors.



    The client OpenVPN log shows:
    Wed Jul 29 18:16:51 2009 OpenVPN 2.1_rc4 Win32-MinGW [SSL] [LZO2] built on Apr 25 2007
    Wed Jul 29 18:16:54 2009 LZO compression initialized
    Wed Jul 29 18:16:54 2009 Control Channel MTU parms [ L:1558 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Wed Jul 29 18:16:54 2009 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
    Wed Jul 29 18:16:54 2009 Local Options hash (VER=V4): '22188c5b'
    Wed Jul 29 18:16:54 2009 Expected Remote Options hash (VER=V4): 'a8f55717'
    Wed Jul 29 18:16:54 2009 Socket Buffers: R=[8192->8192] S=[8192->8192]
    Wed Jul 29 18:16:54 2009 UDPv4 link local: [undef]
    Wed Jul 29 18:16:54 2009 UDPv4 link remote: <smooth IP>:1194
    Wed Jul 29 18:16:54 2009 TLS: Initial packet from <smooth IP>:1194, sid=30840c0b 4f80c0bf
    Wed Jul 29 18:16:54 2009 VERIFY OK: depth=1, /CN=www.<schoolname>.sch.uk/O=<school_name>/ST=cheshire/C=UK/L=crewe
    Wed Jul 29 18:16:54 2009 VERIFY X509NAME OK: /C=UK/O=<school_name>/CN=www.<schoolname>.sch.uk
    Wed Jul 29 18:16:54 2009 VERIFY OK: depth=0, /C=UK/O=<school_name>/CN=www.<schoolname>.sch.uk
    Wed Jul 29 18:16:55 2009 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
    Wed Jul 29 18:16:55 2009 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Wed Jul 29 18:16:55 2009 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
    Wed Jul 29 18:16:55 2009 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Wed Jul 29 18:16:55 2009 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
    Wed Jul 29 18:16:55 2009 [www.<schoolname>.sch.uk] Peer Connection Initiated with <smooth IP>:1194
    Wed Jul 29 18:16:56 2009 SENT CONTROL [www.<schoolname>.sch.uk]: 'PUSH_REQUEST' (status=1)
    Wed Jul 29 18:16:56 2009 AUTH: Received AUTH_FAILED control message
    Wed Jul 29 18:16:56 2009 SIGTERM received, sending exit notification to peer
    Wed Jul 29 18:16:59 2009 TCP/UDP: Closing socket
    Wed Jul 29 18:16:59 2009 SIGTERM[soft,exit-with-notification] received, process exiting
    Wed Jul 29 18:17:00 2009 OpenVPN 2.1_rc4 Win32-MinGW [SSL] [LZO2] built on Apr 25 2007
    Wed Jul 29 18:17:05 2009 LZO compression initialized
    Wed Jul 29 18:17:05 2009 Control Channel MTU parms [ L:1558 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Wed Jul 29 18:17:05 2009 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
    Wed Jul 29 18:17:05 2009 Local Options hash (VER=V4): '22188c5b'
    Wed Jul 29 18:17:05 2009 Expected Remote Options hash (VER=V4): 'a8f55717'
    Wed Jul 29 18:17:05 2009 Socket Buffers: R=[8192->8192] S=[8192->8192]
    Wed Jul 29 18:17:05 2009 UDPv4 link local: [undef]
    Wed Jul 29 18:17:05 2009 UDPv4 link remote: <smooth IP>:1194
    Wed Jul 29 18:17:08 2009 TLS: Initial packet from <smooth IP>:1194, sid=a36eed89 d4718734
    Wed Jul 29 18:17:08 2009 VERIFY OK: depth=1, /CN=www.<schoolname>.sch.uk/O=<school_name>/ST=cheshire/C=UK/L=crewe
    Wed Jul 29 18:17:08 2009 VERIFY X509NAME OK: /C=UK/O=<school_name>/CN=www.<schoolname>.sch.uk
    Wed Jul 29 18:17:08 2009 VERIFY OK: depth=0, /C=UK/O=<school_name>/CN=www.<schoolname>.sch.uk
    Wed Jul 29 18:17:09 2009 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
    Wed Jul 29 18:17:09 2009 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Wed Jul 29 18:17:09 2009 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
    Wed Jul 29 18:17:09 2009 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Wed Jul 29 18:17:09 2009 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
    Wed Jul 29 18:17:09 2009 [www.<schoolname>.sch.uk] Peer Connection Initiated with <smooth IP>:1194
    Wed Jul 29 18:17:10 2009 SENT CONTROL [www.<schoolname>.sch.uk]: 'PUSH_REQUEST' (status=1)
    Wed Jul 29 18:17:10 2009 AUTH: Received AUTH_FAILED control message
    Wed Jul 29 18:17:10 2009 SIGTERM received, sending exit notification to peer


    On the server, the SSL VPN log shows the following:
    System Logs
    17:42:33 openvpn event_wait : Interrupted system call (code=4)
    17:42:33 openvpn SIGTERM[hard,] received, process exiting
    17:42:37 openvpn OpenVPN 2.1_rc4 i686-pc-linux-gnu [SSL] [LZO2] [EPOLL] built on Nov 19 2008
    17:42:37 openvpn WARNING: file '/modules/tunnel/settings//vpn/pemkey' is group or others accessible
    17:42:37 openvpn WARNING: file '/modules/tunnel/settings//vpn/ipsec.d/host1key.pem' is group or others accessible
    17:42:37 openvpn WARNING: This configuration may accept clients which do not present a certificate
    17:42:37 openvpn TUN/TAP device tun0 opened
    17:42:37 openvpn /sbin/ifconfig tun0 10.1.0.1 pointopoint 10.1.0.2 mtu 1500
    17:42:37 openvpn UDPv4 link local (bound): [undef]:1194
    17:42:37 openvpn UDPv4 link remote: [undef]
    17:42:37 openvpn Initialization Sequence Completed
    17:43:09 openvpn event_wait : Interrupted system call (code=4)
    17:43:09 openvpn SIGTERM[hard,] received, process exiting
    17:43:10 openvpn OpenVPN 2.1_rc4 i686-pc-linux-gnu [SSL] [LZO2] [EPOLL] built on Nov 19 2008
    17:43:10 openvpn WARNING: file '/modules/tunnel/settings//vpn/pemkey' is group or others accessible
    17:43:10 openvpn WARNING: file '/modules/tunnel/settings//vpn/ipsec.d/host1key.pem' is group or others accessible
    17:43:10 openvpn WARNING: This configuration may accept clients which do not present a certificate
    17:43:10 openvpn TUN/TAP device tun0 opened
    17:43:10 openvpn /sbin/ifconfig tun0 10.1.0.1 pointopoint 10.1.0.2 mtu 1500
    17:43:10 openvpn UDPv4 link local (bound): [undef]:1194
    17:43:10 openvpn UDPv4 link remote: [undef]
    17:43:10 openvpn Initialization Sequence Completed
    17:43:14 openvpn <client IP>:3054 Re-using SSL/TLS context
    17:43:14 openvpn <client IP>:3054 LZO compression initialized
    17:43:15 openvpn <client IP>:3054 TLS Auth Error: Auth Username/Password verification failed for peer
    17:43:15 openvpn <client IP>:3054 [] Peer Connection Initiated with <client IP>:3054
    17:43:16 openvpn <client IP>:3054 TLS Error: local/remote TLS keys are out of sync: <client IP>:3054 [0]
    17:43:17 openvpn <client IP>:3054 TLS Error: local/remote TLS keys are out of sync: <client IP>:3054 [0]
    17:43:18 openvpn <client IP>:3054 TLS Error: local/remote TLS keys are out of sync: <client IP>:3054 [0]
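A way to triage the two logs above, as an added example that is not part of the original post and not Smoothwall's own tooling: it scans OpenVPN client and server log lines for the signals seen in them (a completed TLS handshake, AUTH_FAILED / "Auth Username/Password verification failed", "TLS keys are out of sync", and the start-up warnings about key-file permissions and clients without certificates) and reports which layer to investigate. The embedded log lines are constructed to mirror the posted ones, with RFC 5737 addresses and a placeholder host name; the signal patterns are substrings of real OpenVPN 2.x messages.

```python
"""Classify OpenVPN log lines by the layer they implicate: transport, PKI,
or the username/password backend, plus start-up hardening warnings."""
import re

# Constructed sample logs (not the thread's own output). They mirror the
# messages OpenVPN 2.x prints when the TLS handshake succeeds but the
# username/password check fails. Addresses are RFC 5737 documentation
# ranges and the host name is a placeholder.
CLIENT_LOG = """\
Wed Jul 29 18:16:54 2009 UDPv4 link remote: 203.0.113.10:1194
Wed Jul 29 18:16:54 2009 TLS: Initial packet from 203.0.113.10:1194, sid=30840c0b 4f80c0bf
Wed Jul 29 18:16:54 2009 VERIFY OK: depth=1, /CN=vpn.example.sch.uk/O=Example School/C=UK
Wed Jul 29 18:16:54 2009 VERIFY OK: depth=0, /C=UK/O=Example School/CN=vpn.example.sch.uk
Wed Jul 29 18:16:55 2009 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Wed Jul 29 18:16:55 2009 [vpn.example.sch.uk] Peer Connection Initiated with 203.0.113.10:1194
Wed Jul 29 18:16:56 2009 SENT CONTROL [vpn.example.sch.uk]: 'PUSH_REQUEST' (status=1)
Wed Jul 29 18:16:56 2009 AUTH: Received AUTH_FAILED control message
"""

SERVER_LOG = """\
17:43:10 openvpn WARNING: file '/etc/openvpn/server.key' is group or others accessible
17:43:10 openvpn WARNING: This configuration may accept clients which do not present a certificate
17:43:10 openvpn Initialization Sequence Completed
17:43:14 openvpn 198.51.100.7:3054 Re-using SSL/TLS context
17:43:15 openvpn 198.51.100.7:3054 TLS Auth Error: Auth Username/Password verification failed for peer
17:43:15 openvpn 198.51.100.7:3054 [] Peer Connection Initiated with 198.51.100.7:3054
17:43:16 openvpn 198.51.100.7:3054 TLS Error: local/remote TLS keys are out of sync: 198.51.100.7:3054 [0]
"""

# Substrings of real OpenVPN 2.x messages, grouped by what they tell you.
SIGNALS = {
    "transport_seen": re.compile(r"TLS: Initial packet from|Re-using SSL/TLS context"),
    "tls_timeout": re.compile(r"TLS key negotiation failed to occur"),
    "tls_established": re.compile(r"Control Channel: TLSv|Peer Connection Initiated"),
    "cert_verify_failed": re.compile(r"VERIFY ERROR|certificate verify failed"),
    "credential_failed": re.compile(r"AUTH_FAILED|Auth Username/Password verification failed"),
    "keys_out_of_sync": re.compile(r"TLS keys are out of sync"),
    # Start-up warnings: not failures, but each weakens the deployment.
    "weak_key_perms": re.compile(r"is group or others accessible"),
    "client_cert_optional": re.compile(r"may accept clients which do not present a certificate"),
}


def scan(log_text):
    """Return a dict of signal name -> number of lines matching it."""
    counts = dict.fromkeys(SIGNALS, 0)
    for line in log_text.splitlines():
        for name, rx in SIGNALS.items():
            if rx.search(line):
                counts[name] += 1
    return counts


def diagnose(log_text):
    """Return (layer, explanation, hardening_notes).

    Evaluation order matters: a credential rejection that follows a completed
    TLS handshake means transport and PKI are fine and the password backend is
    the place to look; 'keys out of sync' after an AUTH failure is the rejected
    client still sending, not a separate fault, so it is only reported on its own.
    """
    c = scan(log_text)
    notes = []
    if c["weak_key_perms"]:
        notes.append("private key file readable by group/others: restrict it to the owner (mode 600)")
    if c["client_cert_optional"]:
        notes.append("server does not require a client certificate: the password check is the only gate")

    if c["credential_failed"] and c["tls_established"]:
        return ("auth_backend",
                "TLS handshake and certificate checks passed but the username/password "
                "was rejected: check the authentication backend and the group that "
                "grants VPN access", notes)
    if c["cert_verify_failed"]:
        return ("pki", "certificate verification failed: check CA, server cert and client cert", notes)
    if c["keys_out_of_sync"] and not c["credential_failed"]:
        return ("tls_state", "TLS keys out of sync without an auth rejection: look for duplicate "
                "or stale client sessions", notes)
    if c["tls_timeout"] or not c["transport_seen"]:
        return ("transport", "no TLS exchange completed: check the UDP/1194 path, NAT and firewall rules", notes)
    return ("ok", "no failure signals found", notes)


if __name__ == "__main__":
    for label, log in (("client", CLIENT_LOG), ("server", SERVER_LOG)):
        layer, why, notes = diagnose(log)
        print(f"{label}: {layer}: {why}")
        for n in notes:
            print(f"  warning: {n}")
```

Read this way, the posted logs say the transport and PKI are healthy (VERIFY OK at both depths, control channel up, Peer Connection Initiated on both sides) and the rejection happens at the username/password step, which points at the authentication backend rather than at the LEA routers or NAT. The "keys out of sync" lines are the already-rejected client continuing to send, not a separate fault. The two start-up WARNINGs are worth acting on regardless: OpenVPN prints the first when the private key file is readable by group or others, and the second when the server is configured so that a client certificate is not required, which leaves the password check as the only thing gating access.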

#2 Tom
    I have now been told that it hasn't been working properly since sometime last week, so it isn't going to be the authentication settings I changed!

#3 tom_newton
    Does look auth-y; I would suggest the first port of call is to put in a reboot to ensure auth and VPN are in sync. Second up, try our support folk.

    Thanks to tom_newton from: Tom (4th August 2009)

#4 Tom
    Cheers Tom. The support guy I spoke to was great!

    It turned out that it was an authentication issue, and either the people reporting it broken before I changed that were lying, or something else had happened to refresh the user accounts on my Smoothwall before I added the new DC.

    I had got the VPN users in my domain in 2 AD groups which the smoothwall knew about, a std proxy one and a VPN allowed one.
    It used to pick up the VPN one in preference to the normal one, and thus auth them for the VPN connection. It was now picking them up as the normal group and failing them when they tried to VPN in.

    Have created some local user accounts for them to use just for VPN access and these work.
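The group-mapping failure described in this post, as an added example that is not Smoothwall's code (the directory snapshot, group names and user names are constructed): it contrasts a policy that assigns the role of whichever configured group is matched first, which flips silently as soon as the directory returns or the product evaluates groups in a different order, with one that grants VPN access only when the VPN group is among the user's effective groups. It also follows nested group membership, which the post does not mention but which is the norm in Active Directory.

```python
"""Decide VPN access from directory group membership.

Two policies are compared: 'first configured group that matches wins' (order
dependent, the failure mode described in the post) and 'membership in the
VPN group is required' (order independent).
"""

# Constructed directory snapshot, not the thread's AD: group -> direct members.
# Members may be users or other groups; nesting is resolved below.
GROUPS = {
    "Proxy-Users": {"alice", "bob", "carol", "Staff"},  # hypothetical "std proxy" group
    "VPN-Allowed": {"alice", "Staff"},                  # hypothetical "VPN allowed" group
    "Staff": {"dave"},                                  # nested: Staff sits in both groups above
}
VPN_GROUP = "VPN-Allowed"
PROXY_GROUP = "Proxy-Users"


def direct_groups(name, groups=GROUPS):
    """Groups that list `name` (a user or a group) as a direct member."""
    return {g for g, members in groups.items() if name in members}


def effective_groups(user, groups=GROUPS):
    """Transitive closure of group membership, with cycle protection."""
    seen = set()
    todo = list(direct_groups(user, groups))
    while todo:
        g = todo.pop()
        if g in seen:
            continue
        seen.add(g)
        todo.extend(direct_groups(g, groups))
    return seen


def first_match_role(user, evaluation_order, groups=GROUPS):
    """Fragile policy: the user gets the role of the first group in
    `evaluation_order` they belong to.  A user in both groups is a VPN user or
    a plain proxy user depending purely on that order, so a change in how the
    groups are enumerated silently changes the outcome."""
    member_of = effective_groups(user, groups)
    for g in evaluation_order:
        if g in member_of:
            return g
    return None


def vpn_allowed(user, groups=GROUPS):
    """Robust policy: VPN access requires VPN_GROUP membership, whatever other
    groups the user is in and in whatever order they are listed."""
    return VPN_GROUP in effective_groups(user, groups)


if __name__ == "__main__":
    for order in ([VPN_GROUP, PROXY_GROUP], [PROXY_GROUP, VPN_GROUP]):
        print(order, "->", first_match_role("alice", order))
    for u in ("alice", "bob", "dave"):
        print(u, "vpn_allowed:", vpn_allowed(u))
```

With the first policy, `alice` is a VPN user under one evaluation order and a plain proxy user under the other, which is the symptom the post describes; with the second she is allowed in either way and `bob`, who is only in the proxy group, is refused. Separate local VPN accounts work around the ordering problem, but they also split credentials away from the directory, so revoking a leaver means remembering a second place.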


