OpenVPN Error : TLS Error: local/remote TLS keys are out of sync: [AF_INET]
- by Lucidity
Fist off thanks for reading this, I appreciate any and all suggestions.
I am having some serious problems reconnecting to my OpenVPN client using Riseup.net's VPN.
I have spent a few days banging my head against the wall in attempts to set this up on my iOS devices....but that is a whole other issue.
I was however able to set it up on my Mac OS X specifically on my Windows Vista 32 bit BootCamp VM with relatively little trouble.
To originally connect I only had to modify the recommended Config file very slightly (Config file included at the end of this post):
- I had to enter the code directly into my config file
- And change "dev tap" to "dev tun"
So I was connected. (Note - I did test to ensure the VPN was actually working after I originally connected, it was. Also verified the .pem file (inserted as the coding in my config file) for authenticity). I left the VPN running. My computer went to sleep. Today I went to use the internet expecting (possibly incorrectly - I am now unsure if I was wrong to leave it running) to still be connected to the VPN. However I saw immediately I was not. I went to reconnect. And was (am) unable to.
My logs after attempting to connect (and getting a connection failed dialog box) show everything working as it should (as far as I can tell) until the end where I get the following lines:
Mon Sep 23 21:07:49 2013 us=276809 Initialization Sequence Completed
Mon Sep 23 21:07:49 2013 us=276809 MANAGEMENT: >STATE:1379995669,CONNECTED,SUCCESS, OMITTED
Mon Sep 23 21:22:50 2013 us=390350 Authenticate/Decrypt packet error: packet HMAC authentication failed
Mon Sep 23 21:23:39 2013 us=862180 TLS Error: local/remote TLS keys are out of sync: [AF_INET] VPN IP OMITTED [2]
Mon Sep 23 21:23:57 2013 us=395183 Authenticate/Decrypt packet error: packet HMAC authentication failed
Mon Sep 23 22:07:41 2013 us=296898 TLS: soft reset sec=0 bytes=513834601/0 pkts=708032/0
Mon Sep 23 22:07:41 2013 us=671299 VERIFY OK: depth=1, C=US, O=Riseup Networks, L=Seattle, ST=WA, CN=Riseup Networks, [email protected]
Mon Sep 23 22:07:41 2013 us=671299 VERIFY OK: depth=0, C=US, O=Riseup Networks, L=Seattle, ST=WA, CN=vpn.riseup.net
Mon Sep 23 22:07:46 2013 us=772508 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Sep 23 22:07:46 2013 us=772508 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Sep 23 22:07:46 2013 us=772508 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mon Sep 23 22:07:46 2013 us=772508 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Sep 23 22:07:46 2013 us=772508 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
So I have searched for a solution online and I have included what I have attempted below, however I fear (know) I am not knowledgeable enough in this area to fix this myself. I apologize in advance for my ignorance. I do tech support for a living, but not this kind of tech support unfortunately.
Other notes and troubleshooting done -
- Windows Firewall is disabled completely, as well as other Anti-virus programs
- Tor is disabled completely
- No Proxies running
- Time is correct in all locations
- Router Firmware is up to date
- Able to connect to the internet and as far as I can tell all necessary ports are open.
- No settings have been altered since I was able to connect successfully.
- Ethernet as well as wifi connections attempted, resulted in same error.
Also tried adding the following lines to my config file (without success or change in error):
persist-key
persist-tun
proto tcp
(after reading that this error generally occurs on UDP connections, and is extremely rare on TCP)
resolv-retry infinite
(thinking the connection may have timed out since the issues occurred after leaving VPN connected during about 10 hrs of computer in sleep mode)
All attempts resulted in exact same error code included at the top of this post.
The original suggestions I found online stated -
(regarding the TLS Error) - This error should resolve itself within 60 seconds, or if not quit wait 120 seconds and try again. (Which isnt the case here...)
(regarding the Out of Sync" error) - If you continue to get "out of sync" errors and the link does not come up,
then it means that something is probably wrong with your config file. You
must use either ping and ping-restart on both sides of the connection, or
keepalive on the server side of a client/server connection, in order to
gracefully recover from "local/remote TLS keys are out
of sync" errors.
I wouldn't be surprised if my config file is lacking, or not correct. However I can confirm I followed the instructions to a tee. And was able to connect originally (and have not modified my settings or config file since I was able to connect to when the error began occurring).
I have a very simple config file:
client
dev tun
tun-mtu 1500
remote vpn.riseup.net
auth-user-pass
ca RiseupCA.pem
redirect-gateway
verb 4
<ca>
-----BEGIN CERTIFICATE-----
[OMITTED]
-----END CERTIFICATE-----
</ca>
I would really appreciate any help or suggestions. I am at a total loss here, I know I'm asking a lot here.
Though I am a new user on this site I help others on many forums including Microsoft's support community and especially Apple's support communities, so I will definitely pass on anything I learn here to help others. Thanks so so so much in advance for reading this.
