Hi,
We are using multiple remote parameters in order to switch to a second
OpenVPN instance in case the first one isn't reachable:
remote server1 8080 tcp
remote server1 1194 udp
By using just one of the above mentioned remote parameters everything
works perfectly.
However while testing the connection with the above order of remote
parameters and blocking access to tcp/8080 the following happens:
- OpenVPN tries to connect to server1:8080 via TCP which fails (as expected)
- after a few seconds OpenVPN tries to connect to server1:1194 via UDP
(as expected)
- the OpenVPN connection is established successfully, the remote network
is reachable, everything works just fine.
- after a little while (a few seconds to about one minute) the message
Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #<number> ]
appears and the tunnel stops working.
This strange error happens reproducibly if both remote directives are
used; using just one _never_ caused any problems.
Further details:
- the client (Windows XP SP3) is using OpenVPN version 2.1_rc15
downloaded from openvpn.net
- the server (Linux 2.6.22) is using OpenVPN version 2.0.6.
- the server is configured with 2 OpenVPN instances, one listening at
the respective TCP/UDP ports, so the only difference between the two
server instances is the port, proto and server and status parameter.
~~~~~~~~~~~~~~~~~~~~~~
Server configuration:
~~~~~~~~~~~~~~~~~~~~~~
local <ip address>
port 1194
proto udp
dev tap
ca ca.pem
cert certs/CServer.pem
key keys/KServer.pem
crl-verify crl/crl.pem
tls-auth ta.key 0
comp-lzo
dh dh2048.pem
server 10.162.0.0 255.255.0.0
keepalive 5 60
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
max-clients 100
user nobody
group nogroup
persist-key
persist-tun
status /etc/openvpn/status.log 1
verb 3
push "dhcp-option DNS <dns ip address>"
~~~~~~~~~~~~~~~~~~~~~~
Client configuration:
~~~~~~~~~~~~~~~~~~~~~~
client
dev tap
remote server1 8080 tcp
remote server1 1194 udp
tls-client
tls-remote <remote CN>
ca ca.pem
cert cert.pem
key key.pem
tls-auth ta.key 1
redirect-gateway
ns-cert-type server
comp-lzo
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
verb 3
route-method exe
route-delay 2
So my question would be if there are any known issues using multiple
remote statements (or the recently introduced "<connection>" blocks -
for which the same problem occurs).
Searching through the mailing list showed nothing related.
If you need any further details or debugging output, please let me know.
Thanks in advance,
Robert
Kind regards
Robert Fischer
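One way to triage a client log for the symptom described above, added here as an example that is not part of the original message or of OpenVPN itself: it checks whether replay errors appear only in sessions that fell back to the second remote. The replay message is the one quoted in the report; the other log line formats are assumed approximations of OpenVPN 2.1 client output.

```python
import re

# Only the replay line is taken verbatim from the report; the connection and
# handshake line formats below are assumptions and may need adjusting.
FAIL_RE = re.compile(r"TCP: connect to (\S+) failed")
LINK_RE = re.compile(r"(UDPv4|TCPv4_CLIENT) link remote: (\S+)")
DONE_RE = re.compile(r"Initialization Sequence Completed")
REPLAY_RE = re.compile(r"bad packet ID \(may be a replay\): \[ #(\d+) \]")

# Constructed sample logs: timestamps, remote names and packet IDs are made up.
SAMPLE_LOG_FALLBACK = """\
Tue Dec  2 10:00:01 2008 Attempting to establish TCP connection with server1:8080
Tue Dec  2 10:00:11 2008 TCP: connect to server1:8080 failed, will try again in 5 seconds: Connection timed out
Tue Dec  2 10:00:16 2008 UDPv4 link remote: server1:1194
Tue Dec  2 10:00:18 2008 Initialization Sequence Completed
Tue Dec  2 10:00:47 2008 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1234 ]
Tue Dec  2 10:00:48 2008 Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #1235 ]
"""
SAMPLE_LOG_UDP_ONLY = """\
Tue Dec  2 11:00:01 2008 UDPv4 link remote: server1:1194
Tue Dec  2 11:00:03 2008 Initialization Sequence Completed
"""

def triage(log_text):
    """Summarise one client session: which remotes failed, which link was
    finally used, and which replay errors occurred after the tunnel came up."""
    failed = []        # remotes whose connection attempt failed
    link = None        # (proto, remote) the tunnel finally used
    completed = False
    replay_ids = []    # packet IDs from replay errors after completion
    for line in log_text.splitlines():
        if m := FAIL_RE.search(line):
            failed.append(m.group(1))
        elif m := LINK_RE.search(line):
            link = (m.group(1), m.group(2))
        elif DONE_RE.search(line):
            completed = True
        elif (m := REPLAY_RE.search(line)) and completed:
            replay_ids.append(int(m.group(1)))
    return {
        "failed_remotes": failed,
        "link": link,
        "completed": completed,
        "replay_ids": replay_ids,
        # True when the session only came up after a failed remote AND then
        # produced replay errors, i.e. the pattern reported above.
        "replay_after_fallback": bool(failed) and completed and bool(replay_ids),
    }

if __name__ == "__main__":
    for name, log in (("fallback", SAMPLE_LOG_FALLBACK), ("udp-only", SAMPLE_LOG_UDP_ONLY)):
        print(name, triage(log))
```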