Hi all,
I've a _working_ server-client setup (tap + L2 bridge; server-bridge with on-lan DHCP), where the pam-auth plugin does the authentication (OTP with static-challenge, works OK). However, if I disable the plugin authentication and enable 'management-client-auth' (nothing else changes in either of the configs), the client fails to establish the data channel (authentication works, control channel is ok).

In the server logs I see the following (with mgmt auth):

mysecretuser/CLIENT_PUBLIC_IP:63979 TLS Warning: no data channel send key available: [key#0 state=S_ACTIVE id=0 sid=f1576b13 7324afbe] [key#1 state=S_UNDEF id=0 sid=00000000 00000000] [key#2 state=S_UNDEF id=0 sid=00000000 00000000]
mysecretuser/CLIENT_PUBLIC_IP:63979 MULTI: C2C/MCAST/BCAST

and a lot of these:

mysecretuser/CLIENT_PUBLIC_IP:63808 TCPv4_SERVER READ [172] from [AF_INET]CLIENT_PUBLIC_IP:63808: P_DATA_V2 kid=0 DATA len=171
mysecretuser/CLIENT_PUBLIC_IP:63808 Key [AF_INET]CLIENT_PUBLIC_IP:63808 [0] not initialized (yet), dropping packet.
mysecretuser/CLIENT_PUBLIC_IP:63808 TCPv4_SERVER READ [347] from [AF_INET]CLIENT_PUBLIC_IP:63808: P_DATA_V2 kid=0 DATA len=346
mysecretuser/CLIENT_PUBLIC_IP:63808 Key [AF_INET]CLIENT_PUBLIC_IP:63808 [0] not initialized (yet), dropping packet.
mysecretuser/CLIENT_PUBLIC_IP:63808 TCPv4_SERVER READ [108] from [AF_INET]CLIENT_PUBLIC_IP:63808: P_DATA_V2 kid=0 DATA len=107
mysecretuser/CLIENT_PUBLIC_IP:63808 Key [AF_INET]CLIENT_PUBLIC_IP:63808 [0] not initialized (yet), dropping packet.

In the client log I see the following (nothing special):

Wed Apr 01 15:13:15 2020 us=17924 SENT CONTROL [myserver.server.com]: 'PUSH_REQUEST' (status=1)
Wed Apr 01 15:13:16 2020 us=224155 PUSH: Received control message: 'PUSH_REPLY,echo,route-gateway dhcp,route-gateway dhcp,peer-id 0,cipher AES-256-GCM,auth-token'
Wed Apr 01 15:13:16 2020 us=225028 OPTIONS IMPORT: route-related options modified
Wed Apr 01 15:13:16 2020 us=225028 OPTIONS IMPORT: peer-id set
Wed Apr 01 15:13:16 2020 us=225028 OPTIONS IMPORT: adjusting link_mtu to 1658
Wed Apr 01 15:13:16 2020 us=225028 OPTIONS IMPORT: data channel crypto options modified
Wed Apr 01 15:13:16 2020 us=226023 Data Channel MTU parms [ L:1586 D:1450 EF:54 EB:411 ET:32 EL:3 ]
Wed Apr 01 15:13:16 2020 us=226023 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Apr 01 15:13:16 2020 us=226023 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Apr 01 15:13:16 2020 us=227019 interactive service msg_channel=704
Wed Apr 01 15:13:16 2020 us=227019 open_tun

What can be the matter? Do I need to supply anything else via mgmt@server other than 'client-auth ID ID' upon successful authentication? (authentication script is a python script written by me, based on selvanair's CR demo)

Thanks,
Tom
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
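
For reference, the reply forms the OpenVPN management interface accepts for a `>CLIENT:CONNECT` or `>CLIENT:REAUTH` request under `management-client-auth`, as described in OpenVPN's management-notes. This is an added example, not part of the original post and not the poster's script; `respond`, `build_reply`, the `check` hook and the sample lines are made up for illustration, and socket handling is left out.

```python
import re

# >CLIENT:CONNECT,{CID},{KID} or >CLIENT:REAUTH,{CID},{KID} opens a request;
# >CLIENT:ENV,name=value lines follow, closed by >CLIENT:ENV,END.
REQUEST = re.compile(r"^>CLIENT:(?:CONNECT|REAUTH),(\d+),(\d+)$")
ENV = ">CLIENT:ENV,"

def build_reply(cid, kid, allowed, config=(), reason="auth failed"):
    """Return the management command text answering one request."""
    if not allowed:
        return f'client-deny {cid} {kid} "{reason}"\n'
    if not config:
        # No per-client config text: the single-line form.
        return f"client-auth-nt {cid} {kid}\n"
    # The text form is a block: header, config lines, closing END.
    return "\n".join([f"client-auth {cid} {kid}", *config, "END"]) + "\n"

def respond(lines, check, config=()):
    """Turn management output lines into the commands to send back.

    check(env) -> bool is the caller's credential check (hypothetical hook).
    """
    replies, pending, env = [], None, {}
    for line in lines:
        line = line.rstrip("\r\n")
        m = REQUEST.match(line)
        if m:
            pending, env = m.groups(), {}
        elif pending and line == ENV + "END":
            replies.append(build_reply(*pending, check(env), config))
            pending = None
        elif pending and line.startswith(ENV):
            name, _, value = line[len(ENV):].partition("=")
            env[name] = value
    return replies

# Constructed sample of management-socket output for one connecting client.
SAMPLE = [
    ">CLIENT:CONNECT,0,1",
    ">CLIENT:ENV,username=alice",
    ">CLIENT:ENV,password=constructed-secret",
    ">CLIENT:ENV,END",
]

if __name__ == "__main__":
    for cmd in respond(SAMPLE, lambda env: env.get("username") == "alice"):
        print(cmd, end="")
```

Each `>CLIENT:REAUTH` carries a new KID and needs its own reply, so the responder answers every request it sees rather than only the first one per client.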