ESR21 OpenVPN problem with TLS
Posted: 25 Nov 2021 22:32
Hello colleagues,
I am setting up an OpenVPN server on an ESR21 router.
I completed all the settings according to the instructions.
The connection to the OpenVPN server is not being established.
interface gigabitethernet 1/0/1
description "TO_SW-ISP"
security-zone untrusted
ip address 192.168.7.50/24
exit
security zone-pair VPN untrusted
rule 10
action permit
enable
exit
exit
remote-access openvpn SERVER_OPENVPN
network 10.253.253.0/24
protocol tcp
tunnel ip
route 10.133.251.0/29
encryption algorithm aes256
authentication algorithm sha-256
certificate ca ca.crt
certificate dh dh.pem
certificate server-key server.key
certificate server-crt server.crt
certificate ta ta.key
security-zone VPN
enable
exit
Client configuration
client
remote 192.168.7.50 1194
proto tcp
dev tun
remote-cert-tls server
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
cipher AES-256-CBC
auth SHA256
verb 3
Client log
2021-11-25 16:20:04 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
2021-11-25 16:20:04 OpenVPN 2.5.4 Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Oct 20 2021
2021-11-25 16:20:04 Windows version 10.0 (Windows 10 or greater) 64bit
2021-11-25 16:20:04 library versions: OpenSSL 1.1.1l 24 Aug 2021, LZO 2.10
2021-11-25 16:20:04 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
2021-11-25 16:20:04 Need hold release from management interface, waiting...
2021-11-25 16:20:04 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
2021-11-25 16:20:04 MANAGEMENT: CMD 'state on'
2021-11-25 16:20:04 MANAGEMENT: CMD 'log all on'
2021-11-25 16:20:04 MANAGEMENT: CMD 'echo all on'
2021-11-25 16:20:04 MANAGEMENT: CMD 'bytecount 5'
2021-11-25 16:20:04 MANAGEMENT: CMD 'hold off'
2021-11-25 16:20:04 MANAGEMENT: CMD 'hold release'
2021-11-25 16:20:04 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
2021-11-25 16:20:04 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
2021-11-25 16:20:04 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.7.50:1194
2021-11-25 16:20:04 Socket Buffers: R=[65536->65536] S=[65536->65536]
2021-11-25 16:20:04 Attempting to establish TCP connection with [AF_INET]192.168.7.50:1194 [nonblock]
2021-11-25 16:20:04 MANAGEMENT: >STATE:1637846404,TCP_CONNECT,,,,,,
2021-11-25 16:20:04 TCP connection established with [AF_INET]192.168.7.50:1194
2021-11-25 16:20:04 TCP_CLIENT link local: (not bound)
2021-11-25 16:20:04 TCP_CLIENT link remote: [AF_INET]192.168.7.50:1194
2021-11-25 16:20:04 MANAGEMENT: >STATE:1637846404,WAIT,,,,,,
2021-11-25 16:20:04 MANAGEMENT: >STATE:1637846404,AUTH,,,,,,
2021-11-25 16:20:04 TLS: Initial packet from [AF_INET]192.168.7.50:1194, sid=45e30778 55444f89
2021-11-25 16:20:04 Connection reset, restarting [0]
Where should I look?
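Added example (not part of the post): a small log triage script that walks an OpenVPN 2.x client log like the one above, records the last >STATE stage reached before the reset, and maps it to the area to check first. The sample log is an excerpt copied from the post; the stage-to-hint mapping is a general OpenVPN troubleshooting heuristic, not a confirmed diagnosis for this router.

```python
import re

# Constructed sample: an excerpt of the client log quoted in the post above.
SAMPLE_LOG = """\
2021-11-25 16:20:04 Attempting to establish TCP connection with [AF_INET]192.168.7.50:1194 [nonblock]
2021-11-25 16:20:04 MANAGEMENT: >STATE:1637846404,TCP_CONNECT,,,,,,
2021-11-25 16:20:04 TCP connection established with [AF_INET]192.168.7.50:1194
2021-11-25 16:20:04 MANAGEMENT: >STATE:1637846404,WAIT,,,,,,
2021-11-25 16:20:04 MANAGEMENT: >STATE:1637846404,AUTH,,,,,,
2021-11-25 16:20:04 TLS: Initial packet from [AF_INET]192.168.7.50:1194, sid=45e30778 55444f89
2021-11-25 16:20:04 Connection reset, restarting [0]
"""

STATE_RE = re.compile(r">STATE:\d+,([A-Z_]+),")

# Stage reached before the failure -> what to check first (general OpenVPN
# troubleshooting heuristics, assumed here; not a confirmed diagnosis).
HINTS = {
    "TCP_CONNECT": "TCP session never came up: check reachability and the firewall / zone-pair rules for port 1194.",
    "WAIT": "TCP is up but the server never replied: check that the OpenVPN instance is enabled and listening.",
    "AUTH": "Server replied, then dropped the control channel: verify tls-auth (same ta.key on both sides, "
            "server direction 0 / client direction 1), cipher and auth parameters, and read the "
            "server-side log for HMAC or TLS errors.",
    "CONNECTED": "Tunnel established.",
}

def analyse_openvpn_log(text):
    """Return the last stage reached, whether the TLS initial packet arrived, and a hint."""
    result = {"last_state": None, "tls_initial_seen": False, "failed": False, "hint": ""}
    for line in text.splitlines():
        m = STATE_RE.search(line)
        if m:
            result["last_state"] = m.group(1)
        if "TLS: Initial packet from" in line:
            result["tls_initial_seen"] = True
        # Stop at the first failure marker; the stage recorded so far is where it broke.
        if "Connection reset" in line or "TLS Error:" in line or "TLS handshake failed" in line:
            result["failed"] = True
            break
    result["hint"] = HINTS.get(result["last_state"], "Unrecognised stage; rerun with verb 4 and read the full log.")
    return result

if __name__ == "__main__":
    r = analyse_openvpn_log(SAMPLE_LOG)
    print(f"failed={r['failed']} at stage {r['last_state']} (TLS initial packet seen: {r['tls_initial_seen']})")
    print(r["hint"])
```

For the log in the post the script reports the AUTH stage, i.e. the server answered the first TLS packet and then closed the TCP session, so the server-side log is the next place to read.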