  1. #1 Newbie (joined May 2017, 11 posts)

    Site to Site VPN isn't connecting

    I have an OpenVPN (Untangle v15) server that has roughly 200 connections, including 20 branch-to-branch connections. My most recent two branch deployments won't connect. I tried a packet test and I do not see any VPN connection attempts. The config is pointed to the IP address and it pings just fine, but the VPN will not establish a connection.

    I cloned my config to another identical box and sat them on the same network to remove all ISP/port issues. It's two boxes connected to a switch (both have public IPs); again I can ping fine and see traffic (ICMP, ARP, etc.), but nothing on port 1194. All other modules, including the firewall, have been turned off. I'm not sure where the logs are located for client and server.

    The only config line I've changed (months ago) was to add tls-cipher "DEFAULT:@SECLEVEL=0" to the client config. Could this be throwing off branch-to-branch configs?

  2. #2 jcoffin, Untangler (joined Aug 2008, Sunnyvale, CA, 8,542 posts)

    Check if there is a network range overlap. It's a common issue when an existing VPN client network has the same range as a new network.
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  3. #3 Newbie (original poster; joined May 2017, 11 posts)

    Update: removing this config line and reissuing the client config worked. This line was put in place to fix a compatibility issue with desktop clients... It seems I will not be able to use this going forward. What is the recommended fix for the certificate issue? I'd like to continue to support desktop and branch-to-branch without manually adjusting config files for each staff member.

  4. #4 sky-knight, Untangle Ninja (joined Apr 2008, Phoenix, AZ, 24,219 posts)

    The fix is to nuke your OpenVPN module, reinstall it, and reconfigure it all from scratch.

    Which is something you desperately need to do; that old certificate is out of support and will remain so forever for a reason.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  5. #5 Newbie (original poster; joined May 2017, 11 posts)

    Ouch... 200+ devices and 20+ branches... that is going to be a project. Nuking the old module means they all have to be updated at once? How are other people doing this?

  6. #6 sky-knight, Untangle Ninja (joined Apr 2008, Phoenix, AZ, 24,219 posts)

    Quote (originally posted by Haahof):
        Ouch... 200+ devices and 20+ branches... that is going to be a project. Nuking the old module means they all have to be updated at once? How are other people doing this?
    The hard way... and we've been doing it since v12 launched. The base certificate encryption changed from MD5 to SHA, because MD5 was broken. You're just now finding out about it... which is good, but it also means you're behind the curve.

    There is an export button you can use to dump them all, which affords an import, but the new module makes entirely new clients based on an entirely updated certificate chain... which necessitates manually redeploying all of the clients. While you're at it, double check on the advanced tab the compression directives for both client and server are either not present, or excluded. If you don't, you'll be doing all this again relatively soon.

    Here's the relevant article: https://support.untangle.com/hc/en-u...tificate-Error

    You'll also note this: https://openvpn.net/faq/md5-signatur...rithm-support/

    Support for MD5 started dying two years ago. What you're dealing with is an updated OpenVPN client on v15 that's now at a version level that apparently fully deprecates MD5. I had wondered when this would happen... but if the workaround you linked didn't work, I have no other explanation. And if v15 didn't update OpenVPN, v15.1 certainly will... and this might just crop up in the future anyway. So in any event this situation is a warning to figure this out, and soon.
    Last edited by sky-knight; 03-02-2020 at 10:16 PM.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com
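The two things the thread ends on, a tls-cipher line that drops OpenSSL's security level to 0 to tolerate an MD5-signed CA, and compression directives that should be gone before the certificate chain is rebuilt, can both be checked mechanically before a client profile is handed out. The script below is an added example written for this page; it is not Untangle's or OpenVPN's code. It reads only the outer signatureAlgorithm OID of the DER certificate inside the profile's inline <ca> block, which is enough to tell md5WithRSAEncryption from a SHA-family signature without a full X.509 parser. The sample profiles are constructed: the "certificate" is a minimal DER shell with the right outer layout (empty tbsCertificate, empty signature), not a real certificate, and 198.51.100.10 is a documentation address.

```python
"""Audit an OpenVPN client profile for the MD5/SECLEVEL workaround, compression
directives, and an MD5-signed inline CA. Added example, not Untangle/OpenVPN code."""
import base64
import re

# signatureAlgorithm OIDs (PKCS #1) as they appear in X.509 certificates
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
# Signature algorithms OpenSSL >= 1.1 refuses at its default security level,
# which is what breaks OpenVPN 2.4+ clients against an old MD5-signed CA.
WEAK_SIG_ALGS = {"1.2.840.113549.1.1.4"}


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body):
    parts = [body[0] // 40, body[0] % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(str(p) for p in parts)


def cert_signature_oid(der):
    """Dotted OID of the outer signatureAlgorithm of a DER certificate:
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }"""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(cert, 0)       # skip tbsCertificate
    _, sig_alg, _ = _read_tlv(cert, pos)    # AlgorithmIdentifier SEQUENCE
    tag, oid, _ = _read_tlv(sig_alg, 0)
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    return _decode_oid(oid)


def audit_ovpn(profile):
    """Return (finding, detail) pairs for the text of a .ovpn profile."""
    findings = []
    for line in profile.splitlines():
        s = line.strip()
        words = s.split()
        if not words or s[0] in "#;":
            continue
        if words[0] == "tls-cipher" and "@SECLEVEL=0" in s:
            findings.append(("seclevel-0", s))
        elif words[0] in ("comp-lzo", "compress"):
            findings.append(("compression", s))
    ca = re.search(r"<ca>(.*?)</ca>", profile, re.S)
    pem = ca and re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", ca.group(1), re.S)
    if pem:
        oid = cert_signature_oid(base64.b64decode("".join(pem.group(1).split())))
        if oid in WEAK_SIG_ALGS:
            findings.append(("weak-ca-signature", SIG_ALG_NAMES.get(oid, oid)))
    return findings


# --- constructed sample input: a DER shell with a certificate's outer layout, NOT a real cert ---
def _der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _encode_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out.extend(reversed(chunk))
    return _der(0x06, bytes(out))


def fake_cert_der(sig_oid):
    alg_id = _der(0x30, _encode_oid(sig_oid) + _der(0x05, b""))   # OID + NULL params
    return _der(0x30, _der(0x30, b"") + alg_id + _der(0x03, b"\x00"))


def build_profile(sig_oid, with_workarounds):
    b64 = base64.b64encode(fake_cert_der(sig_oid)).decode()
    lines = ["client", "dev tun", "proto udp", "remote 198.51.100.10 1194"]
    if with_workarounds:
        lines += ['tls-cipher "DEFAULT:@SECLEVEL=0"', "comp-lzo"]
    lines += ["<ca>", "-----BEGIN CERTIFICATE-----", b64, "-----END CERTIFICATE-----", "</ca>"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(audit_ovpn(build_profile("1.2.840.113549.1.1.4", True)))    # old MD5 chain + workarounds
    print(audit_ovpn(build_profile("1.2.840.113549.1.1.11", False)))  # regenerated SHA-256 chain
```

On a real profile the same question can be answered with `openssl x509 -in ca.crt -noout -text | grep 'Signature Algorithm'`; a profile that still needs `@SECLEVEL=0` to connect is one whose CA chain has not been regenerated, and the thread's point is that the fix is regeneration, not the cipher-string override.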
