Hi,

Dmitry Melekhov wrote:
> Hello!
>
> I run OpenVPN 2.2.1 server.
>
> And there are clients connected by mobile links, so they are not stable.
> Connections are over UDP.
>
> On connect route add script is executed, on disconnect - route del.
> As you see, route del was executed, but no route add.
>
> Sep  4 12:45:19 inetgw1 openvpn[2692]: yuski/94.77.49.2:32768 TLS: 
> tls_process: killed expiring key
> Sep  4 12:45:22 inetgw1 openvpn[2692]: yuski/94.77.49.2:32768 TLS: soft 
> reset sec=0 bytes=2696526/0 pkts=25464/0
> Sep  4 12:45:23 inetgw1 openvpn[2692]: yuski/94.77.49.2:32768 CRL CHECK 
> OK: /C=RU/ST=Udm/L=Izhevsk/O=Belkam/CN=Belkam_CA/emailAddress=d...@belkam.com
> Sep  4 12:45:23 inetgw1 openvpn[2692]: yuski/94.77.49.2:32768 VERIFY OK: 
> depth=1, 
> /C=RU/ST=Udm/L=Izhevsk/O=Belkam/CN=Belkam_CA/emailAddress=d...@belkam.com
> Sep  4 12:45:23 inetgw1 openvpn[2692]: yuski/94.77.49.2:32768 CRL CHECK 
> OK: /C=RU/ST=Udm/L=Izhevsk/O=Belkam/CN=yuski/emailAddress=d...@belkam.com
> Sep  4 12:45:23 inetgw1 openvpn[2692]: yuski/94.77.49.2:32768 VERIFY OK: 
> depth=0, /C=RU/ST=Udm/L=Izhevsk/O=Belkam/CN=yuski/emailAddress=d...@belkam.com
> Sep  4 12:45:24 inetgw1 openvpn[2692]: yuski/94.77.49.2:32768 Data 
> Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
> Sep  4 12:45:24 inetgw1 openvpn[2692]: yuski/94.77.49.2:32768 Data 
> Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
> Sep  4 12:45:24 inetgw1 openvpn[2692]: yuski/94.77.49.2:32768 Data 
> Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
> Sep  4 12:45:24 inetgw1 openvpn[2692]: yuski/94.77.49.2:32768 Data 
> Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
> Sep  4 12:45:24 inetgw1 openvpn[2692]: yuski/94.77.49.2:32768 Control 
> Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
> Sep  4 12:46:01 inetgw1 openvpn[2692]: MULTI: Learn: 192.168.113.1 -> 
> yuski/94.77.49.2:32768
> Sep  4 12:51:01 inetgw1 openvpn[2692]: MULTI: Learn: 192.168.113.1 -> 
> yuski/94.77.49.2:32768
> Sep  4 12:56:02 inetgw1 openvpn[2692]: MULTI: Learn: 192.168.113.1 -> 
> yuski/94.77.49.2:32768
> Sep  4 13:01:02 inetgw1 openvpn[2692]: MULTI: Learn: 192.168.113.1 -> 
> yuski/94.77.49.2:32768
> Sep  4 13:06:01 inetgw1 openvpn[2692]: MULTI: Learn: 192.168.113.1 -> 
> yuski/94.77.49.2:32768
> Sep  4 13:11:01 inetgw1 openvpn[2692]: MULTI: Learn: 192.168.113.1 -> 
> yuski/94.77.49.2:32768
> Sep  4 13:14:20 inetgw1 openvpn[2692]: MULTI: Learn: 192.168.113.1 -> 
> yuski/94.77.49.2:32768
> Sep  4 13:16:01 inetgw1 openvpn[2692]: MULTI: Learn: 192.168.113.1 -> 
> yuski/94.77.49.2:32768
> Sep  4 13:21:01 inetgw1 openvpn[2692]: MULTI: Learn: 192.168.113.1 -> 
> yuski/94.77.49.2:32768
> Sep  4 13:26:01 inetgw1 openvpn[2692]: MULTI: Learn: 192.168.113.1 -> 
> yuski/94.77.49.2:32768
> Sep  4 13:31:02 inetgw1 openvpn[2692]: MULTI: Learn: 192.168.113.1 -> 
> yuski/94.77.49.2:32768
> Sep  4 13:36:02 inetgw1 openvpn[2692]: MULTI: Learn: 192.168.113.1 -> 
> yuski/94.77.49.2:32768
> Sep  4 13:41:01 inetgw1 openvpn[2692]: MULTI: Learn: 192.168.113.1 -> 
> yuski/94.77.49.2:32768
> Sep  4 13:45:22 inetgw1 openvpn[2692]: yuski/94.77.49.2:32768 TLS: 
> tls_process: killed expiring key
> Sep  4 13:45:25 inetgw1 openvpn[2692]: yuski/94.77.49.2:32768 TLS: soft 
> reset sec=-1 bytes=3481446/0 pkts=19745/0
> Sep  4 13:46:01 inetgw1 openvpn[2692]: MULTI: Learn: 192.168.113.1 -> 
> yuski/94.77.49.2:32768
> Sep  4 13:46:25 inetgw1 openvpn[2692]: yuski/94.77.49.2:32768 TLS Error: 
> TLS key negotiation failed to occur within 60 seconds (check your 
> network connectivity)
> Sep  4 13:46:25 inetgw1 openvpn[2692]: yuski/94.77.49.2:32768 TLS Error: 
> TLS handshake failed
> Sep  4 13:46:25 inetgw1 openvpn[2692]: yuski/94.77.49.2:32768 TLS: 
> move_session: dest=TM_LAME_DUCK src=TM_ACTIVE reinit_src=1
> Sep  4 13:46:39 inetgw1 openvpn[2692]: 94.77.49.2:32770 CRL CHECK OK: 
> /C=RU/ST=Udm/L=Izhevsk/O=Belkam/CN=yuski/emailAddress=d...@belkam.com
> Sep  4 13:46:39 inetgw1 openvpn[2692]: 94.77.49.2:32770 VERIFY OK: 
> depth=0, /C=RU/ST=Udm/L=Izhevsk/O=Belkam/CN=yuski/emailAddress=d...@belkam.com
> Sep  4 13:46:39 inetgw1 openvpn[2692]: 94.77.49.2:32770 [yuski] Peer 
> Connection Initiated with [AF_INET]94.77.49.2:32770 (via 
> [AF_INET]192.168.42.2%vlan2)
> Sep  4 13:46:39 inetgw1 openvpn[2692]: yuski/94.77.49.2:32770 OPTIONS 
> IMPORT: reading client specific options from: ccd-udp/yuski
> Sep  4 13:46:39 inetgw1 openvpn: yuski sudo route add -net 192.168.113.0 
> netmask 255.255.255.0 gw 192.168.205.1
> Sep  4 13:46:39 inetgw1 openvpn[2692]: yuski/94.77.49.2:32770 OPTIONS 
> IMPORT: reading client specific options from: 
> /tmp/openvpn_cc_3033ceb343f4ebe50459758ab34f550d.tmp
> Sep  4 13:46:39 inetgw1 openvpn[2692]: yuski/94.77.49.2:32770 MULTI: 
> Learn: 192.168.205.142 -> yuski/94.77.49.2:32770
> Sep  4 13:46:39 inetgw1 openvpn[2692]: yuski/94.77.49.2:32770 MULTI: 
> primary virtual IP for yuski/94.77.49.2:32770: 192.168.205.142
> Sep  4 13:46:39 inetgw1 openvpn[2692]: yuski/94.77.49.2:32770 MULTI: 
> internal route 192.168.113.0/24 -> yuski/94.77.49.2:32770
> Sep  4 13:46:39 inetgw1 openvpn[2692]: yuski/94.77.49.2:32770 MULTI: 
> Learn: 192.168.113.0/24 -> yuski/94.77.49.2:32770
> Sep  4 13:46:40 inetgw1 openvpn[2692]: yuski/94.77.49.2:32770 PUSH: 
> Received control message: 'PUSH_REQUEST'
> Sep  4 13:46:40 inetgw1 openvpn[2692]: yuski/94.77.49.2:32770 
> send_push_reply(): safe_cap=960
> Sep  4 13:46:40 inetgw1 openvpn[2692]: yuski/94.77.49.2:32770 SENT 
> CONTROL [yuski]: 'PUSH_REPLY,explicit-exit-notify 3,route 
> 192.168.205.1,topology net30,ping 10,ping-restart 120,route 10.0.0.0 
> 255.0.0.0,route 192.168.0.0 255.255.0.0,ifconfig 192.168.205.142 
> 192.168.205.141' (status=1)
> Sep  4 13:47:41 inetgw1 openvpn[2692]: yuski/94.77.49.2:32768 TLS Error: 
> TLS key negotiation failed to occur within 60 seconds (check your 
> network connectivity)
> Sep  4 13:47:41 inetgw1 openvpn[2692]: yuski/94.77.49.2:32768 TLS Error: 
> TLS handshake failed
> Sep  4 13:48:33 inetgw1 openvpn[2692]: yuski/94.77.49.2:32768 [UNDEF] 
> Inactivity timeout (--ping-restart), restarting
> Sep  4 13:48:33 inetgw1 openvpn[2692]: yuski/94.77.49.2:32768 
> SIGUSR1[soft,ping-restart] received, client-instance restarting
> Sep  4 13:48:33 inetgw1 openvpn: yuski sudo route del -net 192.168.113.0 
> netmask 255.255.255.0 gw 192.168.205.1
> Sep  4 14:46:39 inetgw1 openvpn[2692]: yuski/94.77.49.2:32770 TLS: soft 
> reset sec=0 bytes=1878484/0 pkts=6064/0
> Sep  4 14:46:40 inetgw1 openvpn[2692]: yuski/94.77.49.2:32770 CRL CHECK 
> OK: /C=RU/ST=Udm/L=Izhevsk/O=Belkam/CN=Belkam_CA/emailAddress=d...@belkam.com
> Sep  4 14:46:40 inetgw1 openvpn[2692]: yuski/94.77.49.2:32770 VERIFY OK: 
> depth=1, 
> /C=RU/ST=Udm/L=Izhevsk/O=Belkam/CN=Belkam_CA/emailAddress=d...@belkam.com
> Sep  4 14:46:40 inetgw1 openvpn[2692]: yuski/94.77.49.2:32770 CRL CHECK 
> OK: /C=RU/ST=Udm/L=Izhevsk/O=Belkam/CN=yuski/emailAddress=d...@belkam.com
> Sep  4 14:46:40 inetgw1 openvpn[2692]: yuski/94.77.49.2:32770 VERIFY OK: 
> depth=0, /C=RU/ST=Udm/L=Izhevsk/O=Belkam/CN=yuski/emailAddress=d...@belkam.com
> Sep  4 14:46:40 inetgw1 openvpn[2692]: yuski/94.77.49.2:32770 Data 
> Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
> Sep  4 14:46:40 inetgw1 openvpn[2692]: yuski/94.77.49.2:32770 Data 
> Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
> Sep  4 14:46:40 inetgw1 openvpn[2692]: yuski/94.77.49.2:32770 Data 
> Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
> Sep  4 14:46:40 inetgw1 openvpn[2692]: yuski/94.77.49.2:32770 Data 
> Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
> Sep  4 14:46:40 inetgw1 openvpn[2692]: yuski/94.77.49.2:32770 Control 
> Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
> Sep  4 15:39:12 inetgw1 openvpn[2692]: MULTI: Learn: 192.168.113.1 -> 
> yuski/94.77.49.2:32770
>
>
> What can I do to solve this problem?
>
> I have
> push "explicit-exit-notify 3"
>
>   
- post your server config
- try replacing the 'client-connect' script with something like

#!/bin/bash
exit 1

clients should no longer be able to connect - if they are, you know the 
client-connect script is not called properly

- post your existing client-connect script.

HTH,

JJK
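
An added example, not part of the original thread and not OpenVPN code: a Python audit of the event order in the quoted log, reporting any route deletion logged while another instance of the same client is still connected. It assumes the connect/disconnect scripts write syslog lines in the form seen above (`openvpn: <CN> sudo route add|del ...`); the function and pattern names are illustrative.

```python
import re

# Lines taken from the quoted server log above, with the e-mail line wraps joined.
SAMPLE_LOG = """\
Sep  4 13:46:39 inetgw1 openvpn[2692]: 94.77.49.2:32770 [yuski] Peer Connection Initiated with [AF_INET]94.77.49.2:32770 (via [AF_INET]192.168.42.2%vlan2)
Sep  4 13:46:39 inetgw1 openvpn: yuski sudo route add -net 192.168.113.0 netmask 255.255.255.0 gw 192.168.205.1
Sep  4 13:48:33 inetgw1 openvpn[2692]: yuski/94.77.49.2:32768 SIGUSR1[soft,ping-restart] received, client-instance restarting
Sep  4 13:48:33 inetgw1 openvpn: yuski sudo route del -net 192.168.113.0 netmask 255.255.255.0 gw 192.168.205.1
"""

# Server messages carry "openvpn[pid]:", the script's own lines carry "openvpn:".
CONNECT = re.compile(r"openvpn\[\d+\]: (\S+) \[(\w+)\] Peer Connection Initiated")
RESTART = re.compile(r"openvpn\[\d+\]: (\w+)/(\S+) SIGUSR1\[.*\] received, client-instance restarting")
ROUTE = re.compile(r"openvpn: (\w+) sudo route (add|del) -net (\S+) netmask (\S+)")


def audit_routes(log_text):
    """Return (live, state, findings).

    live:     CN -> set of "ip:port" instances connected and not yet restarted
    state:    (CN, network) -> last route action seen, "add" or "del"
    findings: route deletions logged while another instance of that CN was live
    """
    live, state, findings = {}, {}, []
    for line in log_text.splitlines():
        ts = line[:15]  # syslog timestamp, e.g. "Sep  4 13:46:39"
        if m := CONNECT.search(line):
            live.setdefault(m.group(2), set()).add(m.group(1))
        elif m := RESTART.search(line):
            live.setdefault(m.group(1), set()).discard(m.group(2))
        elif m := ROUTE.search(line):
            cn, action, net = m.group(1), m.group(2), m.group(3)
            state[(cn, net)] = action
            if action == "del" and live.get(cn):
                findings.append((ts, cn, net, sorted(live[cn])))
    return live, state, findings


if __name__ == "__main__":
    live, state, findings = audit_routes(SAMPLE_LOG)
    for ts, cn, net, instances in findings:
        print(f"{ts}: route to {net} deleted for {cn} while {instances} still connected")
```
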


_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
