longzuyuan / ics-openvpn

Automatically exported from code.google.com/p/ics-openvpn

ta.key not accepted by server (but works fine for windows clients) #113

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. configure OVPN client for tls key
2.
3.

What is the expected output? What do you see instead?
Expected: server accepts my ta.key
Actual: server refuses ta.key with 
Thu Dec  6 11:53:31 2012 us=294553 Authenticate/Decrypt packet error: packet HMAC authentication failed
Thu Dec  6 11:53:31 2012 us=294673 TLS Error: incoming packet authentication failed from [AF_INET].....

What mobile phone are you using?
Navon Platinum 10 tablet

Which Android Version and stock ROM or aftermarket like cyanogenmod?
stock Android 4.04

Please provide any additional information below.
The ta.key works fine with windows client. The ta.key file contains
#
#2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
ea151c125ce7915ab970123a12bd000d
....
....
346f4b1d6cbd8c7c1d137e5c5bb94e6d
-----END OpenVPN Static key V1-----

Should ics-openvpn handle this?

Thanks, Michal

Original issue reported on code.google.com by themajkl...@gmail.com on 6 Dec 2012 at 11:14

GoogleCodeExporter commented 9 years ago
Yes the key should work fine. I personally have ta.keys which look exactly the 
same.

Original comment by arne@rfc2549.org on 6 Dec 2012 at 11:45

GoogleCodeExporter commented 9 years ago
Thanks for your answer. Where can I find config and log files to post it here?

Michal

Original comment by themajkl...@gmail.com on 6 Dec 2012 at 11:51

GoogleCodeExporter commented 9 years ago
Check if your log says using ta.key as static key file or "Control Channel Authentication: using '%s' as a free-form passphrase file" to be sure that openvpn reads your file.

For copying the log, see the FAQ.

Original comment by arne@rfc2549.org on 6 Dec 2012 at 12:10

GoogleCodeExporter commented 9 years ago
Not as a free-form passphrase file:

Spuštěno na platinum (crane) iNet, Android API 15
Log cleared.
Vytvářím konfiguraci…
Získán certifikát 'OID.1.2.840.113549.1.9.1=#160E68616A656B406E737075682E637A, ...
Získán certifikát 'OID.1.2.840.113549.1.9.1=#160E68616A656B406E737075682E637A, ....
Stav sítě: CONNECTED  to WIFI
P:OpenVPN 2.3_beta1 android-14-armeabi-v7a [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Oct 10 2012
P:MANAGEMENT: Connected to management server at /data/data/de.blinkt.openvpn/cache/mgmtsocket
P:MANAGEMENT: CMD 'hold release'
P:MANAGEMENT: CMD 'bytecount 2'
P:MANAGEMENT: CMD 'state on'
P:MANAGEMENT: CMD 'proxy NONE'
P:WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
P:WARNING: file '/mnt/sdcard/.INSTALL/ta.key' is group or others accessible
P:Control Channel Authentication: using '/mnt/sdcard/.INSTALL/ta.key' as a OpenVPN static key file
P:Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
P:Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
P:Protecting socket fd 4
P:MANAGEMENT: CMD 'needok 'PROTECTFD' ok'
P:Socket Buffers: R=[110592->131072] S=[110592->131072]
P:MANAGEMENT: >STATE:1354796271,RESOLVE,,,
P:UDPv4 link local (bound): [undef]
P:UDPv4 link remote: [AF_INET]80.251.250.75:1194
P:MANAGEMENT: >STATE:1354796271,WAIT,,,

Original comment by themajkl...@gmail.com on 6 Dec 2012 at 12:23
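
An added example, not part of the original thread or of ics-openvpn: a Python check that two copies of a ta.key in the format quoted in the report decode to the same 2048-bit key regardless of comment lines or line endings, plus a test for the "group or others accessible" condition the log warns about. The function names and the sample key are constructed for illustration.

```python
import hashlib
import os
import re
import stat

BEGIN = "-----BEGIN OpenVPN Static key V1-----"
END = "-----END OpenVPN Static key V1-----"


def parse_static_key(text):
    """Return the raw key bytes from the text of a static key file."""
    lines = [ln.strip() for ln in text.splitlines()]  # also drops CR from CRLF
    if BEGIN not in lines or END not in lines:
        raise ValueError("static key markers not found")
    body = "".join(lines[lines.index(BEGIN) + 1:lines.index(END)])
    if not re.fullmatch(r"[0-9a-fA-F]*", body) or len(body) % 2:
        raise ValueError("key block is not whole hex bytes")
    key = bytes.fromhex(body)
    if len(key) != 256:  # "2048 bit" as stated in the file's comment header
        raise ValueError(f"expected 256 key bytes, got {len(key)}")
    return key


def fingerprint(text):
    """SHA-256 over the decoded key, for comparing two copies locally."""
    return hashlib.sha256(parse_static_key(text)).hexdigest()


def group_or_others_accessible(path):
    """True when the mode bits grant any access to group or others."""
    return bool(os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO))


# Constructed sample key (16 lines x 32 hex chars), not a real secret.
HEX_LINES = [hashlib.sha256(bytes([i])).hexdigest()[:32] for i in range(16)]
KEY_BLOCK = [BEGIN, *HEX_LINES, END]
UNIX_COPY = "#\n# 2048 bit OpenVPN static key\n#\n" + "\n".join(KEY_BLOCK) + "\n"
WINDOWS_COPY = "\r\n".join(KEY_BLOCK) + "\r\n"

if __name__ == "__main__":
    same = fingerprint(UNIX_COPY) == fingerprint(WINDOWS_COPY)
    print("copies decode to the same key:", same)
```

Matching fingerprints only show that both clients hold the same key bytes; they say nothing about the rest of the profile.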

GoogleCodeExporter commented 9 years ago
From the log it looks good. Try to import the Windows configuration.

Original comment by arne@rfc2549.org on 6 Dec 2012 at 12:25

GoogleCodeExporter commented 9 years ago
Wow, imported configuration worked. I then changed keys from "inlined" to android store and path to ta.key and it works now too.  I do not get it, but I do not care :-)

Thanks, Michal

Original comment by themajkl...@gmail.com on 6 Dec 2012 at 1:36

GoogleCodeExporter commented 9 years ago
I am closing the issue since it works as it should

Original comment by arne@rfc2549.org on 6 Dec 2012 at 1:42