Package: openvpn
Version: 2.4.0-6+deb9u2
Severity: normal

Dear Maintainer,

    2 servers are connected in tun mode, both running the stable version. After a kernel upgrade we reboot the master server, 1/2 hour or more after the client one, when the master had already rebooted and the client had correctly reopened the VPN link. Here the problem arises.

    To solve the problem we have to restart the master openvpn daemon.

    On the client side we have in logs:

Sat Oct 13 17:17:17 2018 Initialization Sequence Completed
Sat Oct 13 17:17:21 2018 Authenticate/Decrypt packet error: packet HMAC authentication failed
Sat Oct 13 17:17:22 2018 Authenticate/Decrypt packet error: packet HMAC authentication failed
Sat Oct 13 17:17:23 2018 Authenticate/Decrypt packet error: packet HMAC authentication failed
Sat Oct 13 17:17:24 2018 Authenticate/Decrypt packet error: packet HMAC authentication failed
Sat Oct 13 17:17:25 2018 Authenticate/Decrypt packet error: packet HMAC authentication failed
Sat Oct 13 17:17:25 2018 Authenticate/Decrypt packet error: packet HMAC authentication failed
Sat Oct 13 17:17:26 2018 Authenticate/Decrypt packet error: packet HMAC authentication failed
Sat Oct 13 17:17:31 2018 Authenticate/Decrypt packet error: packet HMAC authentication failed
Sat Oct 13 17:17:35 2018 Authenticate/Decrypt packet error: packet HMAC authentication failed
Sat Oct 13 17:17:36 2018 Authenticate/Decrypt packet error: packet HMAC authentication failed
Sat Oct 13 17:17:37 2018 NOTE: --mute triggered...

    On the server side:

Sat Oct 13 17:17:17 2018 kumquat/xx.xx.xx.138:1194 PUSH: Received control message: 'PUSH_REQUEST'
Sat Oct 13 17:17:17 2018 kumquat/xx.xx.xx.138:1194 PUSH: client wants to negotiate cipher (NCP), but server has already generated data channel keys, ignoring client request
Sat Oct 13 17:17:17 2018 kumquat/xx.xx.xx.138:1194 SENT CONTROL [kumquat]: 'PUSH_REPLY,route 10.0.70.0 255.255.255.0,route 10.2.70.0 255.255.255.0,route 192.168.10.0 255.255.255.0,route 192.168.12.0 255.255.255.0,topology p2p,ping 10,ping-restart 120,ifconfig 10.99.0.54 10.99.0.49,peer-id 0' (status=1)
Sat Oct 13 17:17:18 2018 kumquat/xx.xx.xx.138:1194 AEAD Decrypt error: cipher final failed
Sat Oct 13 17:17:19 2018 kumquat/xx.xx.xx.138:1194 AEAD Decrypt error: cipher final failed
Sat Oct 13 17:17:29 2018 kumquat/xx.xx.xx.138:1194 AEAD Decrypt error: cipher final failed
Sat Oct 13 17:17:29 2018 kumquat/xx.xx.xx.138:1194 AEAD Decrypt error: cipher final failed
Sat Oct 13 17:17:30 2018 kumquat/xx.xx.xx.138:1194 AEAD Decrypt error: cipher final failed
Sat Oct 13 17:17:31 2018 kumquat/xx.xx.xx.138:1194 AEAD Decrypt error: cipher final failed
Sat Oct 13 17:17:32 2018 kumquat/xx.xx.xx.138:1194 AEAD Decrypt error: cipher final failed
Sat Oct 13 17:17:33 2018 kumquat/xx.xx.xx.138:1194 AEAD Decrypt error: cipher final failed
Sat Oct 13 17:17:43 2018 kumquat/xx.xx.xx.138:1194 AEAD Decrypt error: cipher final failed
Sat Oct 13 17:17:43 2018 kumquat/xx.xx.xx.138:1194 AEAD Decrypt error: cipher final failed
Sat Oct 13 17:17:44 2018 kumquat/xx.xx.xx.138:1194 NOTE: --mute triggered...


-- System Information:
Debian Release: 9.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-8-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages openvpn depends on:
ii  debconf [debconf-2.0]  1.5.61
ii  init-system-helpers    1.48
ii  iproute2               4.9.0-1+deb9u1
ii  libc6                  2.24-11+deb9u3
ii  liblz4-1               0.0~r131-2+b1
ii  liblzo2-2              2.08-1.2+b2
ii  libpam0g               1.1.8-3.6
ii  libpkcs11-helper1      1.21-1
ii  libssl1.0.2            1.0.2l-2+deb9u3
ii  libsystemd0            232-25+deb9u4
ii  lsb-base               9.20161125

Versions of packages openvpn recommends:
ii  easy-rsa  2.2.2-2

Versions of packages openvpn suggests:
ii  openssl     1.1.0f-3+deb9u2
pn  resolvconf  <none>

-- Configuration Files:
/etc/default/openvpn changed:
AUTOSTART="mango"
OPTARGS=""
OMIT_SENDSIGS=0

/etc/openvpn/update-resolv-conf changed:
[ -x /sbin/resolvconf ] || exit 0
case $script_type in
up)
        for optionname in ${!foreign_option_*} ; do
                option="${!optionname}"
                echo $option
                part1=$(echo "$option" | cut -d " " -f 1)
                if [ "$part1" == "dhcp-option" ] ; then
                        part2=$(echo "$option" | cut -d " " -f 2)
                        part3=$(echo "$option" | cut -d " " -f 3)
                        if [ "$part2" == "DNS" ] ; then
                                IF_DNS_NAMESERVERS="$IF_DNS_NAMESERVERS $part3"
                        fi
                        if [ "$part2" == "DOMAIN" ] ; then
                                IF_DNS_SEARCH="$IF_DNS_SEARCH $part3"
                        fi
                fi
        done
        R=""
        for SS in $IF_DNS_SEARCH ; do
                R="${R}search $SS
"
        done
        for NS in $IF_DNS_NAMESERVERS ; do
                R="${R}nameserver $NS
"
        done
        echo -n "$R" | /sbin/resolvconf -a "${dev}.inet"
        ;;
down)
        /sbin/resolvconf -d "${dev}.inet"
        ;;
esac


-- debconf information:
  openvpn/create_tun: false
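
Added example, not part of the original report or of OpenVPN: a Python triage script that pairs the server's ignored-NCP notice with the decrypt errors both peers log afterwards. The server failing in the AEAD path while the client fails HMAC checks points to the two ends using different data-channel ciphers. The sample lines are constructed from the logs above; the function names and the 60-second window are assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input, modelled on the client and server logs in the report.
CLIENT_LOG = """\
Sat Oct 13 17:17:17 2018 Initialization Sequence Completed
Sat Oct 13 17:17:21 2018 Authenticate/Decrypt packet error: packet HMAC authentication failed
Sat Oct 13 17:17:22 2018 Authenticate/Decrypt packet error: packet HMAC authentication failed
"""
SERVER_LOG = """\
Sat Oct 13 17:17:17 2018 kumquat/xx.xx.xx.138:1194 PUSH: client wants to negotiate cipher (NCP), but server has already generated data channel keys, ignoring client request
Sat Oct 13 17:17:18 2018 kumquat/xx.xx.xx.138:1194 AEAD Decrypt error: cipher final failed
Sat Oct 13 17:17:19 2018 kumquat/xx.xx.xx.138:1194 AEAD Decrypt error: cipher final failed
"""

LINE = re.compile(r"^(\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) (.*)$")
EVENTS = {  # substring exactly as logged in the report -> event tag
    "but server has already generated data channel keys": "ncp_ignored",
    "AEAD Decrypt error": "aead_fail",
    "packet HMAC authentication failed": "hmac_fail",
}

def parse(log):
    """Yield (timestamp, tag) for each recognised line; skip everything else."""
    for raw in log.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
        for needle, tag in EVENTS.items():
            if needle in m.group(2):
                yield ts, tag

def diagnose(client_log, server_log, window=timedelta(seconds=60)):
    """Find ignored NCP requests followed by decrypt failures on both peers."""
    client, server = list(parse(client_log)), list(parse(server_log))
    findings = []
    for t0 in (ts for ts, tag in server if tag == "ncp_ignored"):
        def count(events, tag):
            return sum(1 for ts, tg in events if tg == tag and t0 <= ts <= t0 + window)
        aead, hmac = count(server, "aead_fail"), count(client, "hmac_fail")
        if aead and hmac:
            # Server decrypts as AEAD, client verifies an HMAC: different cipher modes.
            findings.append({"ncp_ignored_at": t0,
                             "server_aead_failures": aead,
                             "client_hmac_failures": hmac,
                             "verdict": "data-channel cipher mismatch"})
    return findings
```
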