Hi, I have built 2 Zentyal 6.2 servers to connect two sites. I have configured one side as server and the other side as client.
I have imported the config from the server to the client and the VPN is established, but it is dropping after 2 minutes and reconnecting after a further 2-minute timeout.
The VPN is closed by the server side and the client restarts the connection after the 2 m timeout, and so on.
When the VPN is working and then drops, the logs on the server side in /var/log/openvpn/zen2zen.log show:
Tue Jan 26 11:56:47 2021 10.0.0.1:43309 TLS: Initial packet from [AF_INET]10.0.0.1:43309, sid=b9f340d3 2dad0449
Tue Jan 26 11:56:47 2021 10.0.0.1:43309 VERIFY OK: depth=1, C=ES, ST=.....
Tue Jan 26 11:56:47 2021 10.0.0.1:43309 VERIFY OK: depth=0, C=ES, ST=.....
Tue Jan 26 11:56:47 2021 10.0.0.1:43309 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1590', remote='link-mtu 1574'
Tue Jan 26 11:56:47 2021 10.0.0.1:43309 WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher BF-CBC'
Tue Jan 26 11:56:47 2021 10.0.0.1:43309 WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
Tue Jan 26 11:56:47 2021 10.0.0.1:43309 Control Channel: TLSv1, cipher TLSv1.0 ECDHE-RSA-AES256-SHA, 2048 bit RSA
Tue Jan 26 11:56:47 2021 10.0.0.1:43309 [Z2ZClient] Peer Connection Initiated with [AF_INET]10.0.0.1:43309
Tue Jan 26 11:56:47 2021 MULTI: new connection by client 'Z2ZClient' will cause previous active sessions by this client to be dropped. Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
Tue Jan 26 11:56:47 2021 MULTI_sva: pool returned IPv4=192.168.161.2, IPv6=(Not enabled)
Tue Jan 26 11:56:49 2021 Z2ZClient/10.0.0.1:43309 PUSH: Received control message: 'PUSH_REQUEST'
Tue Jan 26 11:56:49 2021 Z2ZClient/10.0.0.1:43309 SENT CONTROL [Z2ZClient]: 'PUSH_REPLY,route 10.0.0.0 255.255.255.0,route-gateway 192.168.161.1,ping 10,ping-restart 120,ifconfig 192.168.161.2 255.255.255.0' (status=1)
Tue Jan 26 11:56:49 2021 Z2ZClient/10.0.0.1:43309 Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Tue Jan 26 11:56:49 2021 Z2ZClient/10.0.0.1:43309 Outgoing Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jan 26 11:56:49 2021 Z2ZClient/10.0.0.1:43309 Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Tue Jan 26 11:56:49 2021 Z2ZClient/10.0.0.1:43309 Incoming Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jan 26 11:56:53 2021 Z2ZClient/10.0.0.1:43309 Authenticate/Decrypt packet error: cipher final failed
Tue Jan 26 11:57:03 2021 Z2ZClient/10.0.0.1:43309 Authenticate/Decrypt packet error: cipher final failed
Tue Jan 26 11:57:14 2021 Z2ZClient/10.0.0.1:43309 Authenticate/Decrypt packet error: cipher final failed
Tue Jan 26 11:57:19 2021 Z2ZClient/10.0.0.1:43309 Authenticate/Decrypt packet error: cipher final failed
Tue Jan 26 11:57:30 2021 Z2ZClient/10.0.0.1:43309 Authenticate/Decrypt packet error: cipher final failed
Tue Jan 26 11:57:40 2021 Z2ZClient/10.0.0.1:43309 Authenticate/Decrypt packet error: cipher final failed
Tue Jan 26 11:57:47 2021 Z2ZClient/10.0.0.1:43309 Authenticate/Decrypt packet error: cipher final failed
Tue Jan 26 11:57:57 2021 Z2ZClient/10.0.0.1:43309 Authenticate/Decrypt packet error: cipher final failed
Tue Jan 26 11:58:07 2021 Z2ZClient/10.0.0.1:43309 Authenticate/Decrypt packet error: cipher final failed
Tue Jan 26 11:58:15 2021 Z2ZClient/10.0.0.1:43309 Authenticate/Decrypt packet error: cipher final failed
Tue Jan 26 11:58:25 2021 Z2ZClient/10.0.0.1:43309 Authenticate/Decrypt packet error: cipher final failed
Tue Jan 26 11:58:35 2021 Z2ZClient/10.0.0.1:43309 Authenticate/Decrypt packet error: cipher final failed
Tue Jan 26 11:58:46 2021 Z2ZClient/10.0.0.1:43309 Authenticate/Decrypt packet error: cipher final failed
Tue Jan 26 11:58:46 2021 Z2ZClient/10.0.0.1:43309 Authenticate/Decrypt packet error: cipher final failed
2 minutes after the link goes down, the client side restarts the connection:
Tue Jan 26 12:02:54 2021 [vpn-ZenToZen] Inactivity timeout (--ping-restart), restarting
Tue Jan 26 12:02:54 2021 SIGUSR1[soft,ping-restart] received, process restarting
Tue Jan 26 12:02:54 2021 Restart pause, 5 second(s)
Tue Jan 26 12:02:59 2021 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Tue Jan 26 12:02:59 2021 TCP/UDP: Preserving recently used remote address: [AF_INET]x.x.x.x:11194
Tue Jan 26 12:02:59 2021 Socket Buffers: R=[212992->212992] S=[212992->212992]
Tue Jan 26 12:02:59 2021 UDP link local: (not bound)
Tue Jan 26 12:02:59 2021 UDP link remote: [AF_INET]x.x.x.x:11194
Tue Jan 26 12:02:59 2021 TLS: Initial packet from [AF_INET]x.x.x.x:11194, sid=b3d4d95a b01dcf8d
Tue Jan 26 12:02:59 2021 VERIFY OK: depth=1, C=ES, ST=....
Tue Jan 26 12:02:59 2021 VERIFY OK: depth=0, C=ES, ST=....
Tue Jan 26 12:02:59 2021 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Tue Jan 26 12:02:59 2021 [vpn-ZenToZen] Peer Connection Initiated with [AF_INET]195.235.235.210:11194
Tue Jan 26 12:03:00 2021 SENT CONTROL [vpn-ZenToZen]: 'PUSH_REQUEST' (status=1)
Tue Jan 26 12:03:00 2021 PUSH: Received control message: 'PUSH_REPLY,route 10.0.0.0 255.255.255.0,route-gateway 192.168.161.1,ping 10,ping-restart 120,ifconfig 192.168.161.2 255.255.255.0,peer-id 0,cipher AES-256-GCM'
Tue Jan 26 12:03:00 2021 OPTIONS IMPORT: timers and/or timeouts modified
Tue Jan 26 12:03:00 2021 OPTIONS IMPORT: --ifconfig/up options modified
Tue Jan 26 12:03:00 2021 OPTIONS IMPORT: route options modified
Tue Jan 26 12:03:00 2021 OPTIONS IMPORT: route-related options modified
Tue Jan 26 12:03:00 2021 OPTIONS IMPORT: peer-id set
Tue Jan 26 12:03:00 2021 OPTIONS IMPORT: adjusting link_mtu to 1657
Tue Jan 26 12:03:00 2021 OPTIONS IMPORT: data channel crypto options modified
Tue Jan 26 12:03:00 2021 Data Channel: using negotiated cipher 'AES-256-GCM'
Tue Jan 26 12:03:00 2021 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Jan 26 12:03:00 2021 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Jan 26 12:03:00 2021 Preserving previous TUN/TAP instance: tap0
Tue Jan 26 12:03:00 2021 Initialization Sequence Completed
Btw, a normal VPN from a Windows workstation to the Zentyal server is stable, so the problem only appears when "Allow Zentyal to Zentyal" is selected.
Has anyone dealt with this issue?
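As an added example (not from the original post, and not Zentyal or OpenVPN code), here is a small Python triage script for server-side OpenVPN logs of the shape quoted above. It groups each peer's "is used inconsistently" option warnings together with the "Authenticate/Decrypt packet error" messages that follow for that same peer, so that an administrator reading a large zen2zen.log can see at a glance which option values the two sides disagreed on and how long the decrypt failures lasted before the session was dropped. The sample lines are constructed copies modelled on the post's log, and the function names are my own.

```python
import re
import sys
from datetime import datetime

# Constructed sample lines, modelled on the server-side log quoted in the post
# (not the real /var/log/openvpn/zen2zen.log).
SAMPLE_LOG = """\
Tue Jan 26 11:56:47 2021 10.0.0.1:43309 VERIFY OK: depth=0, C=ES, ST=.....
Tue Jan 26 11:56:47 2021 10.0.0.1:43309 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1590', remote='link-mtu 1574'
Tue Jan 26 11:56:47 2021 10.0.0.1:43309 WARNING: 'cipher' is used inconsistently, local='cipher AES-256-CBC', remote='cipher BF-CBC'
Tue Jan 26 11:56:47 2021 10.0.0.1:43309 WARNING: 'keysize' is used inconsistently, local='keysize 256', remote='keysize 128'
Tue Jan 26 11:56:47 2021 MULTI_sva: pool returned IPv4=192.168.161.2, IPv6=(Not enabled)
Tue Jan 26 11:56:49 2021 Z2ZClient/10.0.0.1:43309 Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Tue Jan 26 11:56:53 2021 Z2ZClient/10.0.0.1:43309 Authenticate/Decrypt packet error: cipher final failed
Tue Jan 26 11:57:03 2021 Z2ZClient/10.0.0.1:43309 Authenticate/Decrypt packet error: cipher final failed
Tue Jan 26 11:57:14 2021 Z2ZClient/10.0.0.1:43309 Authenticate/Decrypt packet error: cipher final failed
"""

# "Tue Jan 26 11:56:47 2021 <peer> <message>". The peer is "addr:port" before the
# client certificate is verified and "Name/addr:port" afterwards, so we key on
# the addr:port part only. Lines without a peer field (MULTI:, pool, ...) are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) "
    r"(?P<peer>(?:[\w.\-]+/)?\d+\.\d+\.\d+\.\d+:\d+) (?P<msg>.*)$"
)
INCONSISTENT_RE = re.compile(
    r"WARNING: '(?P<opt>[\w-]+)' is used inconsistently, "
    r"local='(?P<local>[^']*)', remote='(?P<remote>[^']*)'"
)
DECRYPT_ERR_RE = re.compile(r"Authenticate/Decrypt packet error: (?P<reason>.+)$")


def parse_peer_events(log_text):
    """Group option-mismatch warnings and decrypt failures by peer addr:port."""
    peers = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
        peer = m.group("peer").split("/")[-1]
        rec = peers.setdefault(
            peer,
            {"mismatches": {}, "decrypt_errors": 0, "first_error": None, "last_error": None},
        )
        w = INCONSISTENT_RE.search(m.group("msg"))
        if w:
            # remember what each side offered for the option, e.g. cipher local vs remote
            rec["mismatches"][w.group("opt")] = (w.group("local"), w.group("remote"))
            continue
        e = DECRYPT_ERR_RE.search(m.group("msg"))
        if e:
            rec["decrypt_errors"] += 1
            rec["first_error"] = rec["first_error"] or ts
            rec["last_error"] = ts
    return peers


def findings(peers):
    """One finding per peer that logged decrypt failures, with its earlier mismatches."""
    out = []
    for peer, rec in peers.items():
        if not rec["decrypt_errors"]:
            continue
        window = (rec["last_error"] - rec["first_error"]).total_seconds()
        out.append({
            "peer": peer,
            "decrypt_errors": rec["decrypt_errors"],
            "error_window_s": window,
            "mismatched_options": sorted(rec["mismatches"]),
            "cipher": rec["mismatches"].get("cipher"),  # (local, remote) or None
        })
    return out


if __name__ == "__main__":
    # read a real log from stdin when one is piped in, else use the constructed sample
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for f in findings(parse_peer_events(text)):
        print(f"{f['peer']}: {f['decrypt_errors']} decrypt failures over "
              f"{f['error_window_s']:.0f}s; options negotiated inconsistently: "
              f"{', '.join(f['mismatched_options']) or 'none'}; cipher local/remote = {f['cipher']}")
```

Run it as `python3 triage.py < /var/log/openvpn/zen2zen.log` on the server side; for the constructed sample it reports one peer with three "cipher final failed" errors spread over 21 seconds, preceded by link-mtu, cipher and keysize mismatch warnings. The script only reports what the log states (which options the two ends disagreed on and how the decrypt errors cluster after them); deciding whether the data-channel cipher settings on the two Zentyal hosts need to be aligned is still the administrator's call.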