Hi

we use OpenVPN 2.3.2 without a client certificate and with auth-user-pass
instead. What we observe is that the connection always drops pretty much
exactly after 1 hour, regardless of whether any traffic flows through or
not. It's perfectly reproducible - I've just set up a test server and
test client (both Windows and Linux) and it behaves the same. 1 hour and
it drops:

Client:
Tue Oct  8 23:07:04 2013 OpenVPN 2.3.2 x86_64-suse-linux-gnu [SSL
(OpenSSL)] [LZO] [EPOLL] [eurephia] [MH] [IPv6] built on May 31 2013
Enter Auth Username:vpn1  
Enter Auth Password:
Tue Oct  8 23:08:37 2013 WARNING: No server certificate verification
method has been enabled.  See http://openvpn.net/howto.html#mitm for
more info.
[...]
Tue Oct  8 23:08:40 2013 PUSH: Received control message:
'PUSH_REPLY,ifconfig-ipv6 2001:...::1001/64
2001:...::1,tun-ipv6,route-gateway 172.31.173.129,topology subnet,ping
10,ping-restart 60,ifconfig 172.31.173.131 255.255.255.128'
Tue Oct  8 23:08:40 2013 OPTIONS IMPORT: timers and/or timeouts modified
Tue Oct  8 23:08:40 2013 OPTIONS IMPORT: --ifconfig/up options modified
Tue Oct  8 23:08:40 2013 OPTIONS IMPORT: route-related options modified
[...]
Tue Oct  8 23:08:40 2013 Initialization Sequence Completed
Wed Oct  9 00:08:38 2013 TLS: soft reset sec=0 bytes=38258/0 pkts=718/0
Enter Auth Username:^C

Server:
Oct  8 23:08:38 localhost openvpn[3194]: ::ffff:172.31.172.123 [vpn1]
Peer Connection Initiated with [AF_INET6]::ffff:172.31.172.123:43346
Oct  8 23:08:38 localhost openvpn[3194]: vpn1/::ffff:172.31.172.123
MULTI_sva: pool returned IPv4=172.31.173.131, IPv6=2001:...::1001
Oct  8 23:08:40 localhost openvpn[3194]: vpn1/::ffff:172.31.172.123
send_push_reply(): safe_cap=940
Oct  9 00:09:38 localhost openvpn[3194]: vpn1/::ffff:172.31.172.123 TLS
Error: TLS key negotiation failed to occur within 60 seconds (check your
network connectivity)
Oct  9 00:09:38 localhost openvpn[3194]: vpn1/::ffff:172.31.172.123 TLS
Error: TLS handshake failed
Oct  9 00:10:38 localhost openvpn[3194]: vpn1/::ffff:172.31.172.123
[UNDEF] Inactivity timeout (--ping-restart), restarting

Why is it happening? There is no firewall in between the hosts, nothing
on the network level that should cause it.

The server config is here:
lport 1194
proto udp6
dev tunTrUDP
tun-ipv6
status /var/log/openvpn-status.log
server 172.31.173.128 255.255.255.128
server-ipv6 2001:...::/64
client-cert-not-required
username-as-common-name
plugin /usr/lib/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn
float
keepalive 10 60
topology subnet
key /etc/openvpn/trimslice.pem
cert /etc/openvpn/trimslice.pem
ca /etc/openvpn/logixCA.pem
dh /etc/openvpn/dh2048.pem

The client config is here:
remote 172.31.172.125 1194
dev tunTrimslice
tun-ipv6
pull
ping-exit 60
auth-nocache
auth-user-pass
auth-retry none
ca /etc/openvpn/logix-ca.pem
verb 3
client
float
nobind

In the prod setup we use a one-time password, hence the "auth-nocache"
and "auth-retry none" directives. But for the test OTP is not needed;
this connection drop after 1 hour happens just as well with a system
username and password.

Any idea why it is happening? Especially with OTP it's very annoying.

Thanks!

Michael
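As an added illustration (editor's example, not part of Michael's post), the following Python script parses the client and server log excerpts quoted above, measures the time from the server's "Peer Connection Initiated" to the client's "TLS: soft reset", compares it with OpenVPN's built-in default of 3600 seconds for --reneg-sec, and checks whether the client then fell back to an interactive credential prompt while the server ran out its 60 second handshake window. The log text is copied from the post; the year for the syslog lines, which carry none, is assumed to be 2013.

```python
import re
from datetime import datetime

# Constructed excerpts of the client and server logs quoted in the post above.
CLIENT_LOG = """\
Tue Oct  8 23:08:40 2013 Initialization Sequence Completed
Wed Oct  9 00:08:38 2013 TLS: soft reset sec=0 bytes=38258/0 pkts=718/0
Enter Auth Username:^C
"""
SERVER_LOG = """\
Oct  8 23:08:38 localhost openvpn[3194]: ::ffff:172.31.172.123 [vpn1] Peer Connection Initiated with [AF_INET6]::ffff:172.31.172.123:43346
Oct  9 00:09:38 localhost openvpn[3194]: vpn1/::ffff:172.31.172.123 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Oct  9 00:10:38 localhost openvpn[3194]: vpn1/::ffff:172.31.172.123 [UNDEF] Inactivity timeout (--ping-restart), restarting
"""
DEFAULT_RENEG_SEC = 3600  # OpenVPN's built-in default for --reneg-sec

CLIENT_RE = re.compile(r"^(\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) (.*)$")
SERVER_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ openvpn\[\d+\]: (.*)$")

def parse_client(text):
    """(timestamp, message) per line; interactive prompts carry no timestamp."""
    for line in text.splitlines():
        m = CLIENT_RE.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y"), m.group(2)
        else:
            yield None, line

def parse_server(text, year):
    """(timestamp, message) per syslog line; syslog omits the year, so it is supplied (assumed 2013)."""
    for line in text.splitlines():
        m = SERVER_RE.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%b %d %H:%M:%S").replace(year=year), m.group(2)

def analyse(client_text, server_text, year=2013):
    """Measure session start to soft reset and report what followed on each side."""
    client = list(parse_client(client_text))
    server = list(parse_server(server_text, year))
    started = next(ts for ts, msg in server if "Peer Connection Initiated" in msg)
    i = next(k for k, (_, msg) in enumerate(client) if msg.startswith("TLS: soft reset"))
    interval = int((client[i][0] - started).total_seconds())
    return {
        "soft_reset_after_s": interval,
        "matches_default_reneg_sec": interval == DEFAULT_RENEG_SEC,
        # With --auth-nocache the client has discarded the password and must prompt again.
        "reprompted_for_credentials": any(msg.startswith("Enter Auth Username") for _, msg in client[i + 1:]),
        # Server waited its 60 s handshake window, then --ping-restart tore the session down.
        "server_handshake_timeout": any("TLS key negotiation failed" in msg for _, msg in server),
    }
```

Run against the excerpts it reports a 3600 second interval, i.e. the renegotiation fires at the default reneg-sec, followed by a credential re-prompt on the client and a handshake timeout on the server.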
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
