Astaro User Bulletin Board
  #1 (permalink)  
Old 01-09-2007, 06:01 PM
Member
 
Join Date: Nov 2006
Posts: 75
Default OpenVPN ssl issues

I haven't been able to get the SSL VPN to work. I'm not sure it's configured correctly with the lack of documentation.

Here is what I am getting in the log.

2007:01:09-09:44:53 (none) openvpn[5271]: TCP connection established with ******xx:61688
2007:01:09-09:44:53 (none) openvpn[5271]: Socket Buffers: R=[131072->131072] S=[131072->131072]
2007:01:09-09:44:53 (none) openvpn[5271]: TCPv4_SERVER link local: [undef]
2007:01:09-09:44:53 (none) openvpn[5271]: TCPv4_SERVER link remote: ******xx:61688
2007:01:09-09:44:53 (none) openvpn[5271]: ******x:61688 WARNING: Bad encapsulated packet length from peer (32829), which must be > 0 and <= 1555 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attemping restart...]
2007:01:09-09:44:53 (none) openvpn[5271]: ******x:61688 Connection reset, restarting [0]
2007:01:09-09:44:53 (none) openvpn[5271]: *********:61688 SIGUSR1[soft,connection-reset] received, client-instance restarting
2007:01:09-09:44:53 (none) openvpn[5271]: TCP/UDP: Closing socket

Windows XP SP2 client
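The number in the warning above is the first two bytes the peer sent, read as OpenVPN's big-endian 16-bit TCP length prefix, so it hints at what actually connected to the port. The sketch below is an added example, not part of the original posts and not Astaro or OpenVPN code; the peer address in the sample line is a constructed placeholder and the protocol guesses are heuristics.

```python
import re
import struct

# Constructed sample modelled on the log line in the first post
# (192.0.2.10 is a placeholder for the masked peer address).
SAMPLE_LOG = (
    "2007:01:09-09:44:53 (none) openvpn[5271]: 192.0.2.10:61688 WARNING: "
    "Bad encapsulated packet length from peer (32829), which must be > 0 "
    "and <= 1555 -- please ensure that --tun-mtu or --link-mtu is equal on both peers"
)

BAD_LEN = re.compile(
    r"Bad encapsulated packet length from peer \((\d+)\), "
    r"which must be > 0 and <= (\d+)"
)


def classify(length):
    """Heuristic guess at what the peer sent, from the value read as a length."""
    if not 0 <= length <= 0xFFFF:
        raise ValueError("the length prefix is a 16-bit field")
    b0, b1 = struct.pack(">H", length)  # the peer's first two bytes on the wire
    if (b0, b1) == (0x16, 0x03):
        return "TLS handshake record: a TLS/HTTPS client reached the VPN port"
    if b0 & 0x80:
        return ("SSLv2-style record header (record length %d): "
                "an SSL/HTTPS client reached the VPN port" % (length & 0x7FFF))
    if all(0x20 <= b <= 0x7E for b in (b0, b1)):
        text = bytes([b0, b1]).decode("ascii")
        return "plaintext protocol starting with %r (e.g. HTTP or SSH)" % text
    return "unrecognised: compare --tun-mtu/--link-mtu on both peers"


def analyse(line):
    """Return length, limit, raw bytes and a guess for one log line, or None."""
    m = BAD_LEN.search(line)
    if m is None:
        return None
    length, limit = int(m.group(1)), int(m.group(2))
    return {"length": length, "limit": limit,
            "first_bytes": struct.pack(">H", length).hex(),
            "guess": classify(length)}


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```
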
  #2 (permalink)  
Old 01-10-2007, 05:47 PM
Junior Member
 
Join Date: Nov 2006
Posts: 12
Default

Quote:
2007:01:09-09:44:53 (none) openvpn[5271]: ******x:61688 WARNING: Bad encapsulated packet length from peer (32829), which must be > 0 and <= 1555 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attemping restart...]
Why don't you just try the suggested fix?

Regards
cane
  #3 (permalink)  
Old 01-10-2007, 06:19 PM
Member
 
Join Date: Nov 2006
Posts: 75
Default

I looked into that a little and didn't find where to actually change those settings. I am running Windows XP SP2 on the client side. Suggestions where to look?
  #4 (permalink)  
Old 01-11-2007, 04:14 PM
Senior Member
 
Join Date: Mar 2003
Posts: 184
Default

Please check the MTU on the virtual network adapter:
- Right-click on "My network places", select "Properties"
- Right-click on "Astaro SSL VPN adapter", select "Properties"
- Click on "Configure"
- Select "Advanced" and click on "MTU".

Which MTU value do you get?

Stephan
  #5 (permalink)  
Old 01-11-2007, 05:53 PM
Member
 
Join Date: Nov 2006
Posts: 75
Default

I'm not even getting to the point where the ssl vpn adapter is installed. I can get to the management site at ***:4444, but I can't get to an actual page where I could even get the SSL adapter download.
  #6 (permalink)  
Old 01-11-2007, 06:00 PM
Senior Member
 
Join Date: Mar 2003
Posts: 184
Default

You need to enable the user portal in WebAdmin (Management->End-User-Portal), then connect to the user portal (default on standard HTTPS port) with the VPN user and download the package there.

Stephan
  #7 (permalink)  
Old 02-05-2007, 10:08 PM
Member
 
Join Date: Nov 2006
Posts: 75
Red face OpenSSL vpn resolved

Quote:
Originally Posted by Stephan_Scholz View Post
You need to enable the user portal in WebAdmin (Management->End-User-Portal), then connect to the user portal (default on standard HTTPS port) with the VPN user and download the package there.

Stephan
I missed that part. It's working now.

I would have assumed that the SSL VPN wouldn't require a client though. That really makes it no better than an IPSEC client except for fewer firewall issues. Doesn't help someone trying to connect from a different PC other than their own.
  #8 (permalink)  
Old 02-06-2007, 08:29 AM
Senior Member
 
Join Date: Mar 2003
Posts: 184
Default

Glad that it works now, thanks for reporting.

Actually other SSL VPN solutions come with a client, too (if they provide full network access, that is, and if you want to use local applications). It's only that they hide the installation better by installing an ActiveX control :-)

Stephan
  #9 (permalink)  
Old 02-06-2007, 02:57 PM
Wizard
 
Join Date: Oct 2005
Posts: 2,431
Default

Quote:
Originally Posted by lantech View Post
I missed that part. It's working now.

I would have assumed that the SSL VPN wouldn't require a client though. That really makes it no better than an IPSEC client except for fewer firewall issues. Doesn't help someone trying to connect from a different PC other than their own.
I would point out that making it easy for clients to connect from a random PC (copy shop, coffee shop, etc.) is not a good idea... those types of public computers are favorite targets for keyloggers and other malware... I for one like the SSL VPN capability.
 


These pages are specifically maintained for the discussion of firewall issues within the Open Source community, and might already reflect new alpha/beta releases under development. Please refer to our product specifications for the functionality of the actual release. Discussions of new/enhanced functionality does not constitute a commitment of Astaro, to integrate this functionality into future releases.