Author Topic: [SOLVED] Zentyal to Zentyal VPN constantly dropping  (Read 2428 times)

acon

  • Board Moderator
  • Zen Samurai
  • *****
  • Posts: 454
  • Karma: +18/-0
[SOLVED] Zentyal to Zentyal VPN constantly dropping
« on: January 26, 2021, 12:48:50 pm »
Hi, I have built 2 Zentyal 6.2 servers to connect two sites. I have configured one side as server and the other side as client.
I have imported the config from the server to the client and the VPN is established, but it drops after 2 minutes and reconnects after a further 2-minute timeout.
The VPN is closed by the server side and the client restarts the connection after the 2m timeout, and so on.
When the VPN is working and then drops, the log on the server side, /var/log/openvpn/zen2zen.log, shows:
Code:
Tue Jan 26 11:56:47 2021 10.0.0.1:43309 TLS: Initial packet from [AF_INET]10.0.0.1:43309, sid=b9f340d3 2dad0449
Tue Jan 26 11:56:47 2021 10.0.0.1:43309 VERIFY OK: depth=1, C=ES, ST=.....
Tue Jan 26 11:56:47 2021 10.0.0.1:43309 VERIFY OK: depth=0, C=ES, ST=.....
Tue Jan 26 11:56:47 2021 10.0.0.1:43309 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1590', remote='link-mtu 1574'
Tue Jan 26 11:56:47 2021 10.0.0.1:43309 WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher BF-CBC'
Tue Jan 26 11:56:47 2021 10.0.0.1:43309 WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
Tue Jan 26 11:56:47 2021 10.0.0.1:43309 Control Channel: TLSv1, cipher TLSv1.0 ECDHE-RSA-AES256-SHA, 2048 bit RSA
Tue Jan 26 11:56:47 2021 10.0.0.1:43309 [Z2ZClient] Peer Connection Initiated with [AF_INET]10.0.0.1:43309
Tue Jan 26 11:56:47 2021 MULTI: new connection by client 'Z2ZClient' will cause previous active sessions by this client to be dropped.  Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
Tue Jan 26 11:56:47 2021 MULTI_sva: pool returned IPv4=192.168.161.2, IPv6=(Not enabled)
Tue Jan 26 11:56:49 2021 Z2ZClient/10.0.0.1:43309 PUSH: Received control message: 'PUSH_REQUEST'
Tue Jan 26 11:56:49 2021 Z2ZClient/10.0.0.1:43309 SENT CONTROL [Z2ZClient]: 'PUSH_REPLY,route 10.0.0.0 255.255.255.0,route-gateway 192.168.161.1,ping 10,ping-restart 120,ifconfig 192.168.161.2 255.255.255.0' (status=1)
Tue Jan 26 11:56:49 2021 Z2ZClient/10.0.0.1:43309 Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Tue Jan 26 11:56:49 2021 Z2ZClient/10.0.0.1:43309 Outgoing Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jan 26 11:56:49 2021 Z2ZClient/10.0.0.1:43309 Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Tue Jan 26 11:56:49 2021 Z2ZClient/10.0.0.1:43309 Incoming Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jan 26 11:56:53 2021 Z2ZClient/10.0.0.1:43309 Authenticate/Decrypt packet error: cipher final failed
Tue Jan 26 11:57:03 2021 Z2ZClient/10.0.0.1:43309 Authenticate/Decrypt packet error: cipher final failed
Tue Jan 26 11:57:14 2021 Z2ZClient/10.0.0.1:43309 Authenticate/Decrypt packet error: cipher final failed
Tue Jan 26 11:57:19 2021 Z2ZClient/10.0.0.1:43309 Authenticate/Decrypt packet error: cipher final failed
Tue Jan 26 11:57:30 2021 Z2ZClient/10.0.0.1:43309 Authenticate/Decrypt packet error: cipher final failed
Tue Jan 26 11:57:40 2021 Z2ZClient/10.0.0.1:43309 Authenticate/Decrypt packet error: cipher final failed
Tue Jan 26 11:57:47 2021 Z2ZClient/10.0.0.1:43309 Authenticate/Decrypt packet error: cipher final failed
Tue Jan 26 11:57:57 2021 Z2ZClient/10.0.0.1:43309 Authenticate/Decrypt packet error: cipher final failed
Tue Jan 26 11:58:07 2021 Z2ZClient/10.0.0.1:43309 Authenticate/Decrypt packet error: cipher final failed
Tue Jan 26 11:58:15 2021 Z2ZClient/10.0.0.1:43309 Authenticate/Decrypt packet error: cipher final failed
Tue Jan 26 11:58:25 2021 Z2ZClient/10.0.0.1:43309 Authenticate/Decrypt packet error: cipher final failed
Tue Jan 26 11:58:35 2021 Z2ZClient/10.0.0.1:43309 Authenticate/Decrypt packet error: cipher final failed
Tue Jan 26 11:58:46 2021 Z2ZClient/10.0.0.1:43309 Authenticate/Decrypt packet error: cipher final failed
Tue Jan 26 11:58:46 2021 Z2ZClient/10.0.0.1:43309 Authenticate/Decrypt packet error: cipher final failed

2 minutes after the link goes down, the client side restarts the connection:
Code:
Tue Jan 26 12:02:54 2021 [vpn-ZenToZen] Inactivity timeout (--ping-restart), restarting
Tue Jan 26 12:02:54 2021 SIGUSR1[soft,ping-restart] received, process restarting
Tue Jan 26 12:02:54 2021 Restart pause, 5 second(s)
Tue Jan 26 12:02:59 2021 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Tue Jan 26 12:02:59 2021 TCP/UDP: Preserving recently used remote address: [AF_INET]x.x.x.x:11194
Tue Jan 26 12:02:59 2021 Socket Buffers: R=[212992->212992] S=[212992->212992]
Tue Jan 26 12:02:59 2021 UDP link local: (not bound)
Tue Jan 26 12:02:59 2021 UDP link remote: [AF_INET]x.x.x.x:11194
Tue Jan 26 12:02:59 2021 TLS: Initial packet from [AF_INET]x.x.x.x:11194, sid=b3d4d95a b01dcf8d
Tue Jan 26 12:02:59 2021 VERIFY OK: depth=1, C=ES, ST=....
Tue Jan 26 12:02:59 2021 VERIFY OK: depth=0, C=ES, ST=....
Tue Jan 26 12:02:59 2021 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Tue Jan 26 12:02:59 2021 [vpn-ZenToZen] Peer Connection Initiated with [AF_INET]195.235.235.210:11194
Tue Jan 26 12:03:00 2021 SENT CONTROL [vpn-ZenToZen]: 'PUSH_REQUEST' (status=1)
Tue Jan 26 12:03:00 2021 PUSH: Received control message: 'PUSH_REPLY,route 10.0.0.0 255.255.255.0,route-gateway 192.168.161.1,ping 10,ping-restart 120,ifconfig 192.168.161.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Tue Jan 26 12:03:00 2021 OPTIONS IMPORT: timers and/or timeouts modified
Tue Jan 26 12:03:00 2021 OPTIONS IMPORT: --ifconfig/up options modified
Tue Jan 26 12:03:00 2021 OPTIONS IMPORT: route options modified
Tue Jan 26 12:03:00 2021 OPTIONS IMPORT: route-related options modified
Tue Jan 26 12:03:00 2021 OPTIONS IMPORT: peer-id set
Tue Jan 26 12:03:00 2021 OPTIONS IMPORT: adjusting link_mtu to 1657
Tue Jan 26 12:03:00 2021 OPTIONS IMPORT: data channel crypto options modified
Tue Jan 26 12:03:00 2021 Data Channel: using negotiated cipher 'AES-256-GCM'
Tue Jan 26 12:03:00 2021 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Jan 26 12:03:00 2021 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Jan 26 12:03:00 2021 Preserving previous TUN/TAP instance: tap0
Tue Jan 26 12:03:00 2021 Initialization Sequence Completed

Btw, a normal VPN from a Windows workstation to the Zentyal server is stable, so the problem is when "Allow Zentyal to Zentyal" is selected.
Has anyone dealt with this issue?

« Last Edit: February 02, 2021, 01:51:02 pm by acon »

doncamilo

  • Zen Samurai
  • ****
  • Posts: 478
  • Karma: +165/-1
Re: Zentyal to Zentyal VPN constantly dropping
« Reply #1 on: January 27, 2021, 06:29:38 pm »
 :)

Your remote and local servers don't use the same cipher nor the same key size. Did you use the server bundle to configure the client-side? Are the two servers from different versions?

In a standard deployment:

Code:
Wed Jan 27 16:53:44 2021 192.168.1.200:36235 TLS: Initial packet from [AF_INET]192.168.1.200:36235, sid=b8748dd1 f64cb113
Wed Jan 27 16:53:44 2021 192.168.1.200:36235 VERIFY OK: depth=1, C=ES, ST=ARDA, L=ALQUALONDE, O=VALINOR, CN=VALINOR Authority Certificate
Wed Jan 27 16:53:44 2021 192.168.1.200:36235 VERIFY OK: depth=0, C=ES, ST=ARDA, L=ALQUALONDE, O=VALINOR, CN=client
Wed Jan 27 16:53:44 2021 192.168.1.200:36235 peer info: IV_VER=2.4.7
Wed Jan 27 16:53:44 2021 192.168.1.200:36235 peer info: IV_PLAT=linux
Wed Jan 27 16:53:44 2021 192.168.1.200:36235 peer info: IV_PROTO=2
Wed Jan 27 16:53:44 2021 192.168.1.200:36235 peer info: IV_NCP=2
Wed Jan 27 16:53:44 2021 192.168.1.200:36235 peer info: IV_LZ4=1
Wed Jan 27 16:53:44 2021 192.168.1.200:36235 peer info: IV_LZ4v2=1
Wed Jan 27 16:53:44 2021 192.168.1.200:36235 peer info: IV_LZO=1
Wed Jan 27 16:53:44 2021 192.168.1.200:36235 peer info: IV_COMP_STUB=1
Wed Jan 27 16:53:44 2021 192.168.1.200:36235 peer info: IV_COMP_STUBv2=1
Wed Jan 27 16:53:44 2021 192.168.1.200:36235 peer info: IV_TCPNL=1
Wed Jan 27 16:53:44 2021 192.168.1.200:36235 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Wed Jan 27 16:53:44 2021 192.168.1.200:36235 [client] Peer Connection Initiated with [AF_INET]192.168.1.200:36235
Wed Jan 27 16:53:44 2021 client/192.168.1.200:36235 MULTI_sva: pool returned IPv4=192.168.160.2, IPv6=(Not enabled)
Wed Jan 27 16:53:46 2021 client/192.168.1.200:36235 PUSH: Received control message: 'PUSH_REQUEST'
Wed Jan 27 16:53:46 2021 client/192.168.1.200:36235 SENT CONTROL [client]: 'PUSH_REPLY,route 192.168.2.0 255.255.255.0,route-gateway 192.168.160.1,ping 10,ping-restart 120,ifconfig 192.168.160.2 255.255.255.0,peer-id 0,cipher AES-256-GCM' (status=1)
Wed Jan 27 16:53:46 2021 client/192.168.1.200:36235 Data Channel: using negotiated cipher 'AES-256-GCM'
Wed Jan 27 16:53:46 2021 client/192.168.1.200:36235 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Jan 27 16:53:46 2021 client/192.168.1.200:36235 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
...

cheers!
« Last Edit: January 27, 2021, 06:31:18 pm by doncamilo »
- Do my pigeons bother you passing over your land?
- They block the sun!

G. Guareschi., Don Camillo.,
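To check a peer log for the pattern discussed in this thread (option-mismatch warnings at handshake, then "cipher final failed" decrypt errors, then a ping-restart), here is a small triage script. It is an added example, not Zentyal's or either poster's code; the sample lines are constructed from the logs quoted above, and the verdict labels are the script's own.

```python
"""Triage an OpenVPN log for option mismatches that break the data channel."""
import re
from collections import Counter

# Constructed sample, modelled on the server- and client-side logs in the thread.
SAMPLE_LOG = """\
Tue Jan 26 11:56:47 2021 10.0.0.1:43309 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1590', remote='link-mtu 1574'
Tue Jan 26 11:56:47 2021 10.0.0.1:43309 WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher BF-CBC'
Tue Jan 26 11:56:47 2021 10.0.0.1:43309 WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
Tue Jan 26 11:56:49 2021 Z2ZClient/10.0.0.1:43309 Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Tue Jan 26 11:56:53 2021 Z2ZClient/10.0.0.1:43309 Authenticate/Decrypt packet error: cipher final failed
Tue Jan 26 11:57:03 2021 Z2ZClient/10.0.0.1:43309 Authenticate/Decrypt packet error: cipher final failed
Tue Jan 26 12:02:54 2021 [vpn-ZenToZen] Inactivity timeout (--ping-restart), restarting
"""

# OpenVPN prints one of these per option that differs between the two peers' configs.
MISMATCH_RE = re.compile(
    r"WARNING: '(?P<opt>[\w-]+)' is used inconsistently, "
    r"local='[\w-]+ (?P<local>[^']*)', remote='[\w-]+ (?P<remote>[^']*)'"
)
DECRYPT_ERR = "Authenticate/Decrypt packet error"
PING_RESTART = "Inactivity timeout (--ping-restart)"


def triage(log_text):
    """Return the mismatched options, error counts and a one-word verdict."""
    mismatches = {}          # option name -> (local value, remote value)
    counts = Counter()
    for line in log_text.splitlines():
        m = MISMATCH_RE.search(line)
        if m:
            mismatches[m["opt"]] = (m["local"], m["remote"])
        elif DECRYPT_ERR in line:
            counts["decrypt_errors"] += 1
        elif PING_RESTART in line:
            counts["ping_restarts"] += 1
    # A cipher mismatch followed by decrypt failures means the data channel
    # came up with different ciphers on each side; the ping-restart is the
    # symptom, not the cause.
    if "cipher" in mismatches and counts["decrypt_errors"]:
        verdict = "cipher-mismatch"
    elif mismatches:
        verdict = "option-mismatch"
    else:
        verdict = "ok"
    return {"mismatches": mismatches, "decrypt_errors": counts["decrypt_errors"],
            "ping_restarts": counts["ping_restarts"], "verdict": verdict}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Run it against the real /var/log/openvpn/*.log files; a non-empty `mismatches` dict points at the configs to reconcile before looking anywhere else.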

acon

  • Board Moderator
  • Zen Samurai
  • *****
  • Posts: 454
  • Karma: +18/-0
Re: Zentyal to Zentyal VPN constantly dropping
« Reply #2 on: January 28, 2021, 07:42:23 am »
To configure the client side, I have used the bundle downloaded from the server side, and both servers are 6.2.6.
I will delete both server side and client side, apply updates to both servers, reboot and create a new link and report back the results.
Thanks

acon

  • Board Moderator
  • Zen Samurai
  • *****
  • Posts: 454
  • Karma: +18/-0
Re: Zentyal to Zentyal VPN constantly dropping
« Reply #3 on: February 02, 2021, 01:50:47 pm »
It must be some problem related to the certificates used in the VPN.
Anyway, I have deleted both the server and client VPN, revoked the certificates, generated new ones and created the VPN again, and now it is stable and working as expected.