Hi,

On 03-11-17 15:03, Jan Just Keijser wrote:
> whilst testing some new hardware with OpenVPN I ran into the following
> messages which keep popping up from time to time:
>
> AEAD Decrypt error: cipher final failed
>
>
> Config:
>
> server running OpenVPN 2.4.3, basic config, Ubuntu 17, kernel 4.14,
> openssl 1.0.2g
> client running OpenVPN 2.4.4, basic config, CentOS 7.4, kernel 3.10,
> openssl 1.0.2k
>
> it's the client that is throwing the above message during heavy load
> (900 Mbps VPN traffic). It happens only with NCP ciphers, I am not
> seeing any cipher messages with 'ncp-disable' set.
>
> as soon as I add 'verb 5' or higher, the message goes away, because
> performance drops to below 500 Mbps due to excessive output.
> Any idea how to tackle this?

This is (most likely) the GCM authentication check failing. What would
be interesting is to see at least what is on the wire and what the
receiving process thinks it's receiving. Also, printing the session
keys would help to verify the crypto.

The verb levels do not allow enough granularity to achieve this, so
you'll have to change the code to print the session keys (after the kex)
and the full received packet if this error occurs, and keep a pcap of
the transfer. Though I'm not very sure whether it's doable to store a
pcap @ 900 mbit - it's probably not on my old/cheap hw ;-)

-Steffan

_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
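
Added example, not part of the original message and not OpenVPN's own code: a stand-alone C helper of the kind the reply suggests, which formats a received packet as one log line when decryption fails so that it can be matched against the pcap. It assumes the OpenVPN 2.4 P_DATA_V2 AEAD layout noted in the comment; the struct, the function names and the sample packet are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed layout (OpenVPN 2.4 P_DATA_V2 with an AEAD/GCM cipher):
 * [opcode<<3 | key_id : 1][peer-id : 3][packet-id : 4][tag : 16][ciphertext] */
enum { P_DATA_V2 = 9, HDR_LEN = 4, PID_LEN = 4, TAG_LEN = 16 };

struct aead_pkt {               /* hypothetical debug view, not an OpenVPN type */
    unsigned key_id;
    uint32_t peer_id, packet_id;
    size_t ct_len;
};

/* Split a datagram into its AEAD fields; -1 if too short or not P_DATA_V2. */
int aead_pkt_parse(const uint8_t *b, size_t len, struct aead_pkt *p)
{
    if (len < HDR_LEN + PID_LEN + TAG_LEN || (b[0] >> 3) != P_DATA_V2)
        return -1;
    p->key_id = b[0] & 0x07;
    p->peer_id = ((uint32_t)b[1] << 16) | ((uint32_t)b[2] << 8) | b[3];
    p->packet_id = ((uint32_t)b[4] << 24) | ((uint32_t)b[5] << 16) | ((uint32_t)b[6] << 8) | b[7];
    p->ct_len = len - (HDR_LEN + PID_LEN + TAG_LEN);
    return 0;
}

/* One log line for a failed packet: parsed fields + full hex. -1 if out is too small. */
int aead_pkt_dump(const uint8_t *b, size_t len, char *out, size_t outsz)
{
    struct aead_pkt p = {0};
    int ok = aead_pkt_parse(b, len, &p) == 0;
    int n = snprintf(out, outsz, "parsed=%d key_id=%u peer_id=%u packet_id=%u ct_len=%zu hex=",
                     ok, p.key_id, (unsigned)p.peer_id, (unsigned)p.packet_id, p.ct_len);
    if (n < 0 || (size_t)n + 2 * len + 1 > outsz)
        return -1;
    for (size_t i = 0; i < len; i++)
        n += sprintf(out + n, "%02x", b[i]);
    return n;
}

/* Constructed sample: key_id 1, peer-id 2, packet-id 256, zero tag, 3 ciphertext bytes. */
static const uint8_t sample_pkt[27] = { 0x49, 0, 0, 2, 0, 0, 1, 0, [24] = 1, 2, 3 };

int main(void)
{
    char line[160];
    if (aead_pkt_dump(sample_pkt, sizeof sample_pkt, line, sizeof line) > 0)
        puts(line);
    return 0;
}
```

Logging the packet-id alongside the hex makes it possible to find the same datagram in the capture and compare the bytes on the wire with what the process received.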