[Openvpn-users] TLS Error: local/remote TLS keys are out of sync
Steve Shellswell
2004-11-25 10:22:05 UTC
Hi,

Please forgive ignorance.

When I start the client end manually I get this message.

Does anybody know what keys being out of sync means? Is there some
webpage I should read about this?

Many thanks in advance

Steve
Steve Shellswell
2004-12-01 06:33:07 UTC
Hi all,

I am still struggling with this. Please can anyone shed any light on the
error message?

TLS Error: local/remote TLS keys are out of sync: 1.2.3.4:1194 [0]

Is it even an openssl error and not openvpn?

I apologise if this has been covered before but I searched the group and
didn't find it... Google doesn't tell me much...

Sorry to bother you all again...

Steve
Charles Duffy
2004-12-01 07:02:00 UTC
Post by Steve Shellswell
I am still struggling with this. Please can anyone shed any light on the
error message?
TLS Error: local/remote TLS keys are out of sync: 1.2.3.4:1194 [0]
I don't know the error, but the code that would result in the different
(desired) path being taken follows:

if (DECRYPT_KEY_ENABLED (multi, ks)
&& key_id == ks->key_id
&& ks->authenticated
&& addr_port_match(from, &ks->remote_addr))

so... DECRYPT_KEY_ENABLED could be false, the key_id values could fail to
match, the key_state (ks) could be unauthenticated, or we could have no
remote address match.

Without more context (and better knowledge of the surrounding codebase),
I'm not in a good condition to make suggestions wrt which is most likely.
So, let's back up:

This happens every time, immediately after startup -- right?

How did you generate your CA/key/cert? You're using the same CA on both
ends, right? Any other errorlike messages in your output?

Mind posting your config files?
Steve Shellswell
2004-12-01 07:29:03 UTC
Steve Shellswell
2004-12-01 07:38:01 UTC
BTW: Just to clarify, the port that the error message reads is 900, not
1194.

When I changed the ip address I changed the port as well.

Thanks for this.

Steve
Post by Steve Shellswell
Post by Charles Duffy
Post by Steve Shellswell
I am still struggling with this. Please can anyone shed any light on
the error message?
TLS Error: local/remote TLS keys are out of sync: 1.2.3.4:1194 [0]
I don't know the error, but the code that would result in the different
if (DECRYPT_KEY_ENABLED (multi, ks)
&& key_id == ks->key_id
&& ks->authenticated
&& addr_port_match(from, &ks->remote_addr))
so... DECRYPT_KEY_ENABLED could be false, the key_id values could fail to
match, the key_state (ks) could be unauthenticated, or we could have no
remote address match.
Without more context (and better knowledge of the surrounding codebase),
I'm not in a good condition to make suggestions wrt which is most likely.
This happens every time, immediately after startup -- right?
No. Just sometimes. I first noticed it after I had started and stopped
the client end several times in relatively quick succession. This is the
output from starting openvpn manually...
-----------------------------------------------------------
Thu Nov 25 10:30:55 2004 us=161452 config = 'config.ovpn'
Thu Nov 25 10:30:55 2004 us=161502 mode = 0
Thu Nov 25 10:30:55 2004 us=161544 show_ciphers = DISABLED
Thu Nov 25 10:30:55 2004 us=161582 show_digests = DISABLED
Thu Nov 25 10:30:55 2004 us=161619 show_engines = DISABLED
Thu Nov 25 10:30:55 2004 us=161656 genkey = DISABLED
Thu Nov 25 10:30:55 2004 us=161693 key_pass_file = '[UNDEF]'
Thu Nov 25 10:30:55 2004 us=161731 show_tls_ciphers = DISABLED
Thu Nov 25 10:30:55 2004 us=161794 proto = 0
Thu Nov 25 10:30:55 2004 us=161835 NOTE: --mute triggered...
Thu Nov 25 10:30:55 2004 us=161977 173 variation(s) on previous 10
message(s) suppressed by --mute
Thu Nov 25 10:30:55 2004 us=161992 OpenVPN 2.0_beta15 Win32-MinGW [SSL]
[LZO] built on Oct 28 2004
Thu Nov 25 10:30:55 2004 us=165986 LZO compression initialized
Thu Nov 25 10:30:55 2004 us=166131 Control Channel MTU parms [ L:1574
D:138 EF:38 EB:0 ET:0 EL:0 ]
Thu Nov 25 10:30:55 2004 us=182889 Data Channel MTU parms [ L:1574
D:1450 EF:42 EB:19 ET:32 EL:0 ]
Thu Nov 25 10:30:55 2004 us=182970 Local Options String: 'V4,dev-type
tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,cipher BF-CBC,auth
SHA1,keysize 128,key-method 2,tls-client'
'V4,dev-type tap,link-mtu 1574,tun-mtu 1532,proto UDPv4,comp-lzo,cipher
BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Thu Nov 25 10:30:55 2004 us=183020 Local Options hash (VER=V4): 'd79ca330'
Thu Nov 25 10:30:55 2004 us=183042 Expected Remote Options hash
(VER=V4): 'f7df56b8'
Thu Nov 25 10:30:55 2004 us=183091 Socket Buffers: R=[8192->8192]
S=[8192->8192]
Thu Nov 25 10:30:55 2004 us=183117 UDPv4 link local (bound): [undef]:900
Thu Nov 25 10:30:55 2004 us=183133 UDPv4 link remote: 1.2.3.4:900
Thu Nov 25 10:30:55 2004 us=602337 TLS Error: local/remote TLS keys are
out of sync: 1.2.3.4:900 [0]
Thu Nov 25 10:31:06 2004 us=398701 TLS Error: local/remote TLS keys are
out of sync: 1.2.3.4:900 [0]
Thu Nov 25 10:31:11 2004 us=304750 TLS Error: local/remote TLS keys are
out of sync: 1.2.3.4:900 [0]
Thu Nov 25 10:31:21 2004 us=413660 TLS Error: local/remote TLS keys are
out of sync: 1.2.3.4:900 [0]
------------------------------------------------------------
Post by Charles Duffy
How did you generate your CA/key/cert?
Following the instructions on the howto page.
You're using the same CA on both
Post by Charles Duffy
ends, right?
Yep, CA on the server.
Any other errorlike messages in your output?
Post by Charles Duffy
Mind posting your config files?
---------------------------------------------------------------
remote 1.2.3.4
port 900
proto udp
dev tap
tls-client
ca cacert.pem
cert cert.pem
key key.pem
resolv-retry 86400
up-delay
ping 10
ping-restart 300
comp-lzo
verb 4
mute 10
----------------------------------------------------------------
----------------------------------------------------------------
port 900
mode server
proto udp
tls-server
dh ../ssl/dh1024.pem
ca ../ssl/cacert.pem
cert ovpncert.pem
key ovpnkey.pem
key-method 2
user nobody
group nogroup
persist-key
ping 10
comp-lzo
client-config-dir /etc/openvpn/clients
verb 4
mute 10
up /etc/local/sbin/tapup
dev tap
persist-tun
----------------------------------------------------------------
Post by Charles Duffy
-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://productguide.itmanagersjournal.com/
Charles Duffy
2004-12-01 07:49:09 UTC
Post by Steve Shellswell
Post by Charles Duffy
This happens every time, immediately after startup -- right?
No. Just sometimes. I first noticed it after I had started and stopped
the client end several times in relatively quick succession. This is the
output from starting openvpn manually...
Hmm. This is *really* looking like a problem for James.

One thing I'm still a touch unclear on: Does this only happen immediately
after startup, or can it happen later on? (You might want to specify
--reneg-sec 30 or somesuch during debugging).
James Yonan
2004-12-01 15:09:02 UTC
James Yonan
2004-12-01 15:24:01 UTC
Post by Charles Duffy
Post by Steve Shellswell
I am still struggling with this. Please can anyone shed any light on the
error message?
TLS Error: local/remote TLS keys are out of sync: 1.2.3.4:1194 [0]
I don't know the error, but the code that would result in the different
if (DECRYPT_KEY_ENABLED (multi, ks)
&& key_id == ks->key_id
&& ks->authenticated
&& addr_port_match(from, &ks->remote_addr))
This is the basic test of TLS state compatibility between a local OpenVPN
instance and its remote peer.

If the test fails, it tells us that we are getting a packet from a source
which claims reference to a prior negotiated TLS session, but the local
OpenVPN instance has no memory of such a negotiation.

It almost always occurs on UDP sessions when the passive side of the
connection is restarted without the active side restarting as well (the
passive side is the server, which only listens for connections; the
active side is the client, which initiates connections).

James
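Added example (my own code, not OpenVPN's): a small C model of the four-way check quoted in Charles' post and explained above. The struct layout and the names tls_keys_in_sync and scenario are assumptions; the point is that once the passive side restarts and its key-state table is empty, a data packet from the still-running active side carrying the old key_id fails the test, which is the "keys are out of sync" condition.

```c
/* Model of the OpenVPN key-state compatibility check (not the real source). */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define KS_SLOTS 2          /* assumed: number of key-state slots per peer */

struct addr { uint32_t ip; uint16_t port; };

struct key_state {
    bool decrypt_enabled;   /* models DECRYPT_KEY_ENABLED(multi, ks) */
    bool authenticated;     /* TLS handshake completed and peer verified */
    int  key_id;            /* key id negotiated for this TLS session */
    struct addr remote_addr;
};

struct tls_multi { struct key_state ks[KS_SLOTS]; };

static bool addr_port_match(const struct addr *a, const struct addr *b)
{
    return a->ip == b->ip && a->port == b->port;
}

/* True if a data packet tagged key_id from 'from' maps to a live,
 * authenticated key state; false is the "keys out of sync" case. */
bool tls_keys_in_sync(const struct tls_multi *multi, int key_id,
                      const struct addr *from)
{
    for (int i = 0; i < KS_SLOTS; i++) {
        const struct key_state *ks = &multi->ks[i];
        if (ks->decrypt_enabled && key_id == ks->key_id
            && ks->authenticated && addr_port_match(from, &ks->remote_addr))
            return true;
    }
    return false;
}

/* Scenario from the thread: the client keeps sending with the key state it
 * negotiated earlier; if the server restarted, it has forgotten that state.
 * Returns 1 if the packet is accepted, 0 if it would log "out of sync". */
int scenario(bool server_restarted)
{
    struct addr client = { 0x01020304u, 900 };   /* constructed: 1.2.3.4:900 */
    struct tls_multi server;
    memset(&server, 0, sizeof server);           /* fresh process: no sessions */
    if (!server_restarted) {
        server.ks[0].decrypt_enabled = true;
        server.ks[0].authenticated = true;
        server.ks[0].key_id = 1;
        server.ks[0].remote_addr = client;
    }
    return tls_keys_in_sync(&server, 1, &client) ? 1 : 0;
}
```

Any one failing term (disabled key, wrong key_id, unauthenticated state, or a source address/port that no longer matches) produces the same error, which is why the message alone does not say which side changed.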

Alex Filonov
2004-12-01 14:11:08 UTC
Post by Steve Shellswell
When I start the client end manually I get this message.
Does anybody know what keys being out of sync means? Is there some
I had the same problem with Openvpn 2.0beta15. Upgrading to 2.0beta18 fixed the
problem.

HTH.

Alex.