29th July 2009, 06:31 PM #1
Smoothwall VPN Problems TLS/Auth error after authentication changes
I've got a smoothguardian and am using the SSL openVPN connections.
At some point over the last couple of days (not sure exactly when) it has stopped working.
When I try and connect from my client PC, openvpn fails on authentication, and doesn't let anybody on anymore.
There are also errors showing in the log on the server.
Can anybody offer any advice as to if this is a server issue or a problem with the broadband connection into the smoothwall? It goes through various LEA routers and NAT stuff to get into the school.
Yesterday I changed some authentication settings on the smoothwall (but no other settings) to point to a new windows DC rather than an old one which is being retired (it is authenticating from an active directory, and I changed the primary servername in smoothwall).
It is authenticating fine internally for web browsing after my changes, and the tests run through fine. Do I need to do something to the VPN settings to make it resync with the new DC?
I didn't change any AD structures about, just pointed it to another DC. It still has all the correct VPN groups showing on the smoothwall. The VPN users can still browse the net internally in school without auth errors.
The client openvpn log shows
Wed Jul 29 18:16:51 2009 OpenVPN 2.1_rc4 Win32-MinGW [SSL] [LZO2] built on Apr 25 2007
Wed Jul 29 18:16:54 2009 LZO compression initialized
Wed Jul 29 18:16:54 2009 Control Channel MTU parms [ L:1558 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed Jul 29 18:16:54 2009 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
Wed Jul 29 18:16:54 2009 Local Options hash (VER=V4): '22188c5b'
Wed Jul 29 18:16:54 2009 Expected Remote Options hash (VER=V4): 'a8f55717'
Wed Jul 29 18:16:54 2009 Socket Buffers: R=[8192->8192] S=[8192->8192]
Wed Jul 29 18:16:54 2009 UDPv4 link local: [undef]
Wed Jul 29 18:16:54 2009 UDPv4 link remote: <smooth IP>:1194
Wed Jul 29 18:16:54 2009 TLS: Initial packet from <smooth IP>:1194, sid=30840c0b 4f80c0bf
Wed Jul 29 18:16:54 2009 VERIFY OK: depth=1, /CN=www.<schoolname>.sch.uk/O=<school_name>/ST=cheshire/C=UK/L=crewe
Wed Jul 29 18:16:54 2009 VERIFY X509NAME OK: /C=UK/O=<school_name>/CN=www.<schoolname>.sch.uk
Wed Jul 29 18:16:54 2009 VERIFY OK: depth=0, /C=UK/O=<school_name>/CN=www.<schoolname>.sch.uk
Wed Jul 29 18:16:55 2009 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Wed Jul 29 18:16:55 2009 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jul 29 18:16:55 2009 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Wed Jul 29 18:16:55 2009 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jul 29 18:16:55 2009 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Wed Jul 29 18:16:55 2009 [www.<schoolname>.sch.uk] Peer Connection Initiated with <smooth IP>:1194
Wed Jul 29 18:16:56 2009 SENT CONTROL [www.<schoolname>.sch.uk]: 'PUSH_REQUEST' (status=1)
Wed Jul 29 18:16:56 2009 AUTH: Received AUTH_FAILED control message
Wed Jul 29 18:16:56 2009 SIGTERM received, sending exit notification to peer
Wed Jul 29 18:16:59 2009 TCP/UDP: Closing socket
Wed Jul 29 18:16:59 2009 SIGTERM[soft,exit-with-notification] received, process exiting
Wed Jul 29 18:17:00 2009 OpenVPN 2.1_rc4 Win32-MinGW [SSL] [LZO2] built on Apr 25 2007
Wed Jul 29 18:17:05 2009 LZO compression initialized
Wed Jul 29 18:17:05 2009 Control Channel MTU parms [ L:1558 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed Jul 29 18:17:05 2009 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
Wed Jul 29 18:17:05 2009 Local Options hash (VER=V4): '22188c5b'
Wed Jul 29 18:17:05 2009 Expected Remote Options hash (VER=V4): 'a8f55717'
Wed Jul 29 18:17:05 2009 Socket Buffers: R=[8192->8192] S=[8192->8192]
Wed Jul 29 18:17:05 2009 UDPv4 link local: [undef]
Wed Jul 29 18:17:05 2009 UDPv4 link remote: <smooth IP>:1194
Wed Jul 29 18:17:08 2009 TLS: Initial packet from <smooth IP>:1194, sid=a36eed89 d4718734
Wed Jul 29 18:17:08 2009 VERIFY OK: depth=1, /CN=www.<schoolname>.sch.uk/O=<school_name>/ST=cheshire/C=UK/L=crewe
Wed Jul 29 18:17:08 2009 VERIFY X509NAME OK: /C=UK/O=<school_name>/CN=www.<schoolname>.sch.uk
Wed Jul 29 18:17:08 2009 VERIFY OK: depth=0, /C=UK/O=<school_name>/CN=www.<schoolname>.sch.uk
Wed Jul 29 18:17:09 2009 Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Wed Jul 29 18:17:09 2009 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jul 29 18:17:09 2009 Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key
Wed Jul 29 18:17:09 2009 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jul 29 18:17:09 2009 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Wed Jul 29 18:17:09 2009 [www.<schoolname>.sch.uk] Peer Connection Initiated with <smooth IP>:1194
Wed Jul 29 18:17:10 2009 SENT CONTROL [www.<schoolname>.sch.uk]: 'PUSH_REQUEST' (status=1)
Wed Jul 29 18:17:10 2009 AUTH: Received AUTH_FAILED control message
Wed Jul 29 18:17:10 2009 SIGTERM received, sending exit notification to peer
on the server, the SSL VPN log is showing the following:
System Logs
17:42:33 openvpn event_wait : Interrupted system call (code=4)
17:42:33 openvpn SIGTERM[hard,] received, process exiting
17:42:37 openvpn OpenVPN 2.1_rc4 i686-pc-linux-gnu [SSL] [LZO2] [EPOLL] built on Nov 19 2008
17:42:37 openvpn WARNING: file '/modules/tunnel/settings//vpn/pemkey' is group or others accessible
17:42:37 openvpn WARNING: file '/modules/tunnel/settings//vpn/ipsec.d/host1key.pem' is group or others accessible
17:42:37 openvpn WARNING: This configuration may accept clients which do not present a certificate
17:42:37 openvpn TUN/TAP device tun0 opened
17:42:37 openvpn /sbin/ifconfig tun0 10.1.0.1 pointopoint 10.1.0.2 mtu 1500
17:42:37 openvpn UDPv4 link local (bound): [undef]:1194
17:42:37 openvpn UDPv4 link remote: [undef]
17:42:37 openvpn Initialization Sequence Completed
17:43:09 openvpn event_wait : Interrupted system call (code=4)
17:43:09 openvpn SIGTERM[hard,] received, process exiting
17:43:10 openvpn OpenVPN 2.1_rc4 i686-pc-linux-gnu [SSL] [LZO2] [EPOLL] built on Nov 19 2008
17:43:10 openvpn WARNING: file '/modules/tunnel/settings//vpn/pemkey' is group or others accessible
17:43:10 openvpn WARNING: file '/modules/tunnel/settings//vpn/ipsec.d/host1key.pem' is group or others accessible
17:43:10 openvpn WARNING: This configuration may accept clients which do not present a certificate
17:43:10 openvpn TUN/TAP device tun0 opened
17:43:10 openvpn /sbin/ifconfig tun0 10.1.0.1 pointopoint 10.1.0.2 mtu 1500
17:43:10 openvpn UDPv4 link local (bound): [undef]:1194
17:43:10 openvpn UDPv4 link remote: [undef]
17:43:10 openvpn Initialization Sequence Completed
17:43:14 openvpn <client IP>:3054 Re-using SSL/TLS context
17:43:14 openvpn <client IP>:3054 LZO compression initialized
17:43:15 openvpn <client IP>:3054 TLS Auth Error: Auth Username/Password verification failed for peer
17:43:15 openvpn <client IP>:3054 [] Peer Connection Initiated with <client IP>:3054
17:43:16 openvpn <client IP>:3054 TLS Error: local/remote TLS keys are out of sync: <client IP>:3054 [0]
17:43:17 openvpn <client IP>:3054 TLS Error: local/remote TLS keys are out of sync: <client IP>:3054 [0]
17:43:18 openvpn <client IP>:3054 TLS Error: local/remote TLS keys are out of sync: <client IP>:3054 [0]
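The two logs above fail at different layers: the client sees the server certificate verify and the TLS control channel come up before AUTH_FAILED arrives, and the server reports a username/password failure rather than a certificate one. The following is an added example (not from the thread, Smoothwall or OpenVPN) that encodes that triage and counts per-client password failures in the server log; the log excerpts it runs on are constructed in the same shape as the posted ones, with placeholder hostname and addresses.

```python
import re
from collections import Counter

# Constructed excerpt of an OpenVPN 2.1 client log, shaped like the one in the post;
# the hostname and addresses are placeholders, not the poster's.
CLIENT_LOG = """\
Wed Jul 29 18:16:54 2009 VERIFY OK: depth=1, /CN=vpn.example.sch.uk/O=Example School/C=UK
Wed Jul 29 18:16:54 2009 VERIFY OK: depth=0, /C=UK/O=Example School/CN=vpn.example.sch.uk
Wed Jul 29 18:16:55 2009 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Wed Jul 29 18:16:55 2009 [vpn.example.sch.uk] Peer Connection Initiated with 203.0.113.10:1194
Wed Jul 29 18:16:56 2009 AUTH: Received AUTH_FAILED control message
Wed Jul 29 18:16:56 2009 SIGTERM received, sending exit notification to peer
"""

# Constructed excerpt in the Smoothwall "System Logs" shape shown in the post.
SERVER_LOG = """\
17:43:14 openvpn 198.51.100.7:3054 Re-using SSL/TLS context
17:43:15 openvpn 198.51.100.7:3054 TLS Auth Error: Auth Username/Password verification failed for peer
17:43:16 openvpn 198.51.100.7:3054 TLS Error: local/remote TLS keys are out of sync: 198.51.100.7:3054 [0]
17:45:02 openvpn 198.51.100.7:3061 TLS Auth Error: Auth Username/Password verification failed for peer
17:46:30 openvpn 192.0.2.44:1194 Initialization Sequence Completed
"""

def triage_client_log(text):
    """Report the layer at which a client session stopped. Certificate verification,
    the TLS control channel and the username/password check each log distinct messages."""
    if "Initialization Sequence Completed" in text:
        return "connected"
    server_cert_ok = re.search(r"VERIFY OK: depth=0", text) is not None
    control_up = "Control Channel: TLSv1" in text
    if server_cert_ok and control_up and "AUTH: Received AUTH_FAILED" in text:
        # PKI and TLS are fine; only the server's username/password backend said no.
        return "credentials_rejected"
    if not server_cert_ok:
        return "tls_or_network_failure"
    return "control_channel_failure"

AUTH_FAIL = re.compile(r"^\S+ openvpn (?P<peer>[\d.]+):\d+ TLS Auth Error: Auth Username/Password verification failed")

def failed_auth_by_client(text):
    """Count password-verification failures per client address in the server log.
    The 'TLS keys are out of sync' lines that follow are not counted: in the thread
    they appear once the client has already given up on the rejected session."""
    counts = Counter()
    for line in text.splitlines():
        m = AUTH_FAIL.match(line)
        if m:
            counts[m.group("peer")] += 1
    return dict(counts)
```

A "credentials_rejected" result points at the server's auth backend and group mapping (the AD/LDAP side), not at certificates or the network path.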
29th July 2009, 06:40 PM #2
I have now been told that it hasn't been working properly since sometime last week, so it isn't going to be the authentication settings I changed!
29th July 2009, 06:55 PM #3
Does look auth-y - would suggest the first port of call is to put in a reboot to ensure auth and VPN are in sync. Second up - try our support folk
4th August 2009, 11:20 AM #4
Cheers Tom, the support guy I spoke to was great!
It turned out that it was an authentication issue, and either the people reporting it broken before I changed that were lying, or something else had happened to refresh the user accounts on my smoothwall before I added the new DC.
I had got the VPN users in my domain in 2 AD groups which the smoothwall knew about, a std proxy one and a VPN allowed one.
It used to pick up the VPN one in preference to the normal one, and thus auth them for the VPN connection. It was now picking them up as the normal group and failing them when they tried to VPN in.
Have created some local user accounts for them to use just for VPN access and these work.