Discussion:
[Openvpn-users] TCP/UDP: Incoming packet rejected from xxx.xx.xx.xx:37097[2], expected peer address
siegfried
2008-02-26 06:26:16 UTC
I have an openvpn server that has been working for years in bridging mode at
xxx.xxx.xxx.xxx and is currently working from address zzz.zzz.zzz.zzz.
However, an old key that was working from another address is not working
from yyy.yy.yy.yy as indicated by the error messages below. I have searched
the archives and searched with Google. I tried searching
http://sourceforge.net/search/?group_id=48978&type_of_search=docs but no luck
there either.

Can someone help me resolve this error message so I can make a connection?
It looks like I have to edit some config file so it should not be a big deal
but I'm not sure exactly where I would add the --float or --remote.

Thanks,

Siegfried

Mon Feb 18 17:35:25 2008 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on Oct 1 2006
Mon Feb 18 17:35:25 2008 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Mon Feb 18 17:35:25 2008 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Mon Feb 18 17:35:25 2008 LZO compression initialized
Mon Feb 18 17:35:25 2008 Control Channel MTU parms [ L:1574 D:138 EF:38 EB:0 ET:0 EL:0 ]
Mon Feb 18 17:35:25 2008 Data Channel MTU parms [ L:1574 D:1450 EF:42 EB:135 ET:32 EL:0 AF:3/1 ]
Mon Feb 18 17:35:25 2008 Local Options hash (VER=V4): 'd79ca330'
Mon Feb 18 17:35:25 2008 Expected Remote Options hash (VER=V4): 'f7df56b8'
Mon Feb 18 17:35:25 2008 UDPv4 link local: [undef]
Mon Feb 18 17:35:25 2008 UDPv4 link remote: xxx.xx.xxx.xxx:1194
Mon Feb 18 17:35:25 2008 TCP/UDP: Incoming packet rejected from yyy.yy.yy.yy:37097[2], expected peer address: xxx.xx.xxx.xxx:1194 (allow this incoming source address/port by removing --remote or adding --float)
Mon Feb 18 17:35:27 2008 TCP/UDP: Incoming packet rejected from yyy.yy.yy.yy:37097[2], expected peer address: xxx.xx.xxx.xxx:1194 (allow this incoming source address/port by removing --remote or adding --float)
Mon Feb 18 17:35:29 2008 TCP/UDP: Incoming packet rejected from yyy.yy.yy.yy:37097[2], expected peer address: xxx.xx.xxx.xxx:1194 (allow this incoming source address/port by removing --remote or adding --float)
Mon Feb 18 17:35:29 2008 TCP/UDP: Incoming packet rejected from yyy.yy.yy.yy:37097[2], expected peer address: xxx.xx.xxx.xxx:1194 (allow this incoming source address/port by removing --remote or adding --float)
Mon Feb 18 17:35:31 2008 TCP/UDP: Incoming packet rejected from yyy.yy.yy.yy:37097[2], expected peer address: xxx.xx.xxx.xxx:1194 (allow this incoming source address/port by removing --remote or adding --float)
Jan Just Keijser
2008-02-26 13:47:13 UTC
without config files there's no way to tell.

JJK
Prasanna Krishnamoorthy
2008-02-27 09:51:27 UTC
Post by siegfried
I have an openvpn server that has been working for years in bridging mode at
xxx.xxx.xxx.xxx and is currently working from address zzz.zzz.zzz.zzz.
However, an old key that was working from another address is not working
from yyy.yy.yy.yy as indicated by the error messages below. I have searched
the archives and searched with google. I tried searching
http://sourceforge.net/search/?group_id=48978&type_of_search=docs but no
luck there either.

If your new server is multihomed, then you could have this problem.

You will need to upgrade the server to 2.1rc and add "multihome" to
the server conf. Basically, the replies are supposed to go out of the
xxx.xxx.xxx.xxx interface but are going out of the yyy.yy.yy.yy
interface.

Prasanna.
_______________________________________________
Openvpn-users mailing list
https://lists.sourceforge.net/lists/listinfo/openvpn-users
--
www.elinanetworks.com
Seamless, secure delivery of applications.
siegfried
2008-02-27 16:50:37 UTC
Thank you Prasanna. I'm sorry I posted twice, that was not intentional.
Post by Prasanna Krishnamoorthy
If your new server is multihomed, then you could have this problem.
You will need to upgrade the server to 2.1rc and add "multihome" to
the server conf.

I wonder if this is going to be a problem for me since I (and my two
VPN clients "alpha" and "beta") are in WA and my bridging server is in
CO. My bridging server is a WRT54GS. Fortunately I left the ssh port
open so I can access it without the VPN (I hope).

Assuming it is a problem:

Can client "alpha" become VPN bridging server for "beta" (both in WA)
where "alpha" is simultaneously a bridging client to my WRT54GS server
in CO?
Prasanna Krishnamoorthy
2008-02-27 18:51:09 UTC
Post by siegfried
I wonder if this is going to be a problem for me since I (and my two
VPN clients "alpha" and "beta") are in WA and my bridging server is in
CO. My bridging server is a WRT54GS. Fortunately I left the ssh port
open so I can access it without the VPN (I hope).
Can client "alpha" become VPN bridging server for "beta" (both in WA)
where "alpha" is simultaneously a bridging client to my WRT54GS server
in CO?

You can run any system as a server, as long as you have port 1194 UDP
open on the server firewall(s). Change your WRT54GS to a 2.0 client,
if you can't upgrade it to 2.1rc. Then on the server end, specify
'float', because the WRT54GS might send outgoing packets on either
interface - ideally you'd fix the outgoing interface, by specifying
"local blah.blah.blah.blah"

Actually, on your server conf right now, specify, "local xx.xx.x.x"
and see if that fixes your problem. If you don't need real
multihoming, then you should be able to make do with this change.

Prasanna.
--
www.elinanetworks.com
Seamless, secure delivery of applications.
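
Added example, not code from any poster in this thread: a small Python parser that rejoins mail-wrapped OpenVPN log entries and counts the "Incoming packet rejected" messages, separating replies that arrive from a different address (the multihomed-server pattern described above) from ones where only the source port differs. The sample log is constructed, with documentation addresses standing in for the masked ones, and the two category labels are this example's own.

```python
import re
from collections import Counter

# Constructed sample: same shape as the client log in the thread, with
# documentation addresses in place of the masked ones and mail-style wrapping.
SAMPLE_LOG = """\
Mon Feb 18 17:35:25 2008 UDPv4 link remote: 192.0.2.10:1194
Mon Feb 18 17:35:25 2008 TCP/UDP: Incoming packet rejected from
198.51.100.7:37097[2], expected peer address: 192.0.2.10:1194 (allow
this incoming source address/port by removing --remote or adding --float)
Mon Feb 18 17:35:27 2008 TCP/UDP: Incoming packet rejected from
198.51.100.7:37097[2], expected peer address: 192.0.2.10:1194 (allow
this incoming source address/port by removing --remote or adding --float)
Mon Feb 18 17:35:29 2008 TCP/UDP: Incoming packet rejected from
192.0.2.10:40000[2], expected peer address: 192.0.2.10:1194 (allow
this incoming source address/port by removing --remote or adding --float)
"""

# A log entry starts with a ctime-style timestamp; anything else is a wrapped tail.
STAMP = re.compile(r"^[A-Z][a-z]{2} [A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \d{4} ")
REJECT = re.compile(
    r"Incoming packet rejected from (?P<src>[\w.]+):(?P<sport>\d+)\[\d+\], "
    r"expected peer address: (?P<exp>[\w.]+):(?P<eport>\d+)"
)

def unwrap(text):
    """Rejoin entries that a mail client wrapped across several lines."""
    entries = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if STAMP.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries

def summarize_rejects(text):
    """Count rejected packets per (source, expected, kind) triple."""
    counts = Counter()
    for entry in unwrap(text):
        m = REJECT.search(entry)
        if not m:
            continue
        src, exp = (m["src"], m["sport"]), (m["exp"], m["eport"])
        kind = "address differs" if src[0] != exp[0] else "port differs only"
        counts[(":".join(src), ":".join(exp), kind)] += 1
    return counts

if __name__ == "__main__":
    for (src, exp, kind), n in summarize_rejects(SAMPLE_LOG).items():
        print(f"{n:3d}x from {src}, expected {exp}: {kind}")
```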