  1. #11
    Untanglit
    Join Date
    Jan 2009
    Posts
    22

    I should add that (without altering the client config in Untangle) I was able to set the "comp-lzo" line in pfSense to match what is in Untangle (so that they both read "comp-lzo" with no value), and the behavior is the same (brief connecting with no traffic and disconnect).

  2. #12
    Untangle Ninja Jim.Alles's Avatar
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,606

    the whole line has to go away on both sides.

    you still have compression.
    If you think I got Grumpy

  3. #13
    Untanglit
    Join Date
    Jan 2009
    Posts
    22

    In case it helps: with the comp-lzo matching I am still having the same issue as when it was "comp-lzo" on the client and "comp-lzo adaptive" on the server. Here is a log section from the pfSense (server) side of the connection; this will keep repeating about once per minute and is basically the same logging I was seeing when I initially found the issue and had not done anything. Obviously I've redacted a few things such as IPs. Log verbosity is set to 4.

    Code:
    Aug 30 01:16:49	openvpn	33451	TLS: new session incoming connection from [AF_INET]xxx.xxx.xxx.xxx:4473
    Aug 30 01:16:49	openvpn	33451	VERIFY SCRIPT OK: depth=1, CN=OpenVPN CA, C=US, ST=xxx, L=xxx, O=xxxxx
    Aug 30 01:16:49	openvpn	33451	VERIFY OK: depth=1, CN=OpenVPN CA, C=US, ST=xxx, L=xxx, O=xxxxx
    Aug 30 01:16:49	openvpn	33451	VERIFY SCRIPT OK: depth=0, C=US, ST=xxx, L=xxx, O=xxxxx, CN=xxxxx
    Aug 30 01:16:49	openvpn	33451	VERIFY OK: depth=0, C=US, ST=xxx, L=xxx, O=xxxxx, CN=xxxxx
    Aug 30 01:16:49	openvpn	33451	peer info: IV_VER=2.4.7
    Aug 30 01:16:49	openvpn	33451	peer info: IV_PLAT=linux
    Aug 30 01:16:49	openvpn	33451	peer info: IV_PROTO=2
    Aug 30 01:16:49	openvpn	33451	peer info: IV_NCP=2
    Aug 30 01:16:49	openvpn	33451	peer info: IV_LZ4=1
    Aug 30 01:16:49	openvpn	33451	peer info: IV_LZ4v2=1
    Aug 30 01:16:49	openvpn	33451	peer info: IV_LZO=1
    Aug 30 01:16:49	openvpn	33451	peer info: IV_COMP_STUB=1
    Aug 30 01:16:49	openvpn	33451	peer info: IV_COMP_STUBv2=1
    Aug 30 01:16:49	openvpn	33451	peer info: IV_TCPNL=1
    Aug 30 01:16:49	openvpn	33451	WARNING: 'ifconfig' is present in local config but missing in remote config, local='ifconfig 173.22.1.1 173.22.1.2'
    Aug 30 01:16:49	openvpn	33451	Outgoing Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key
    Aug 30 01:16:49	openvpn	33451	Outgoing Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
    Aug 30 01:16:49	openvpn	33451	Incoming Data Channel: Cipher 'AES-128-CBC' initialized with 128 bit key
    Aug 30 01:16:49	openvpn	33451	Incoming Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
    Aug 30 01:16:49	openvpn	33451	TLS: move_session: dest=TM_ACTIVE src=TM_UNTRUSTED reinit_src=1
    Aug 30 01:16:49	openvpn	33451	TLS: tls_multi_process: untrusted session promoted to semi-trusted
    Aug 30 01:16:49	openvpn	33451	Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
    Aug 30 01:16:49	openvpn	33451	[UntangleClient] Peer Connection Initiated with [AF_INET]xxx.xxx.xxx.xxx:4473
    Aug 30 01:16:50	openvpn	33451	PUSH: Received control message: 'PUSH_REQUEST'
    Aug 30 01:16:50	openvpn	33451	SENT CONTROL [UntangleClient]: 'PUSH_REPLY,route 192.168.22.0 255.255.255.0,peer-id 0' (status=1)
    Aug 30 01:16:57	openvpn	33451	MANAGEMENT: Client connected from /var/etc/openvpn/server2.sock
    Last edited by WizADSL; 08-29-2020 at 10:30 PM.

  4. #14
    Untangle Ninja Jim.Alles's Avatar
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,606

    Sorry, I saw the other message first.

    Quote Originally Posted by WizADSL View Post
    (plus I don't want to break something).

    have no fear, It is already broken

    If I understand correctly I should check "Exclude" in order to omit the setting from the client configuration?


    Will this affect the client that is already set up or does this only control the client created from this server?

    ha. it won't do either. you have to delete the line in the client .conf file on NGFW. sorry, my bad.

    In order to make this server connect as a client to pfSense I exported a mock OpenVPN client from this server and edited the resulting ZIP file with the certificates and info for the pfSense box. If editing the ZIP file I used to import the client config is all I need to do then I can do that instead.

    It goes the other way, the client should be generated from the pfSense side.

    or just delete the line in the existing .conf file
    Last edited by Jim.Alles; 08-29-2020 at 10:30 PM.
    If you think I got Grumpy

  5. #15
    Untanglit
    Join Date
    Jan 2009
    Posts
    22

    Quote Originally Posted by Jim.Alles View Post
    the whole line has to go away on both sides.

    you still have compression.
    Ok, I can remove the line. My question is, once I do, do I need to re-generate the client ZIP or will the change affect the already imported client?

  6. #16
    Untangle Ninja Jim.Alles's Avatar
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,606

    you are editing the imported client .conf

    that should do it.
    If you think I got Grumpy
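
A way to confirm the advice given in this thread (the compression line has to be gone from both sides) before restarting the tunnel, as an added example that is not part of the original posts: a short Python script that lists every compression directive in a server config and a client config. The function names and the sample configs are constructed for illustration; `comp-lzo`, `compress` and `comp-noadapt` are OpenVPN's compression directives.

```python
import re

# Directives that enable or negotiate OpenVPN compression.
COMPRESSION = {"comp-lzo", "compress", "comp-noadapt"}


def compression_lines(config_text):
    """Return (line_no, directive, pushed) for each compression directive."""
    found, inline = [], False
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        # Skip inline blocks such as <ca>...</ca>; they hold key material.
        if re.fullmatch(r"</?[a-z0-9-]+>", line):
            inline = not line.startswith("</")
            continue
        if inline or not line or line[0] in "#;":
            continue
        # A server can also hand the setting to clients via push "...".
        push = re.match(r'push\s+"([^"]*)"', line)
        body = push.group(1) if push else re.sub(r"\s+[#;].*$", "", line)
        words = body.split()
        if words and words[0] in COMPRESSION:
            found.append((line_no, " ".join(words), bool(push)))
    return found


def compare(server_text, client_text):
    """Summarise compression settings on both ends of one tunnel."""
    def local(rows):
        return sorted(d for _, d, pushed in rows if not pushed)

    server = compression_lines(server_text)
    client = compression_lines(client_text)
    return {
        "server": server,
        "client": client,
        "match": local(server) == local(client),  # same local directives
        "clean": not server and not client,       # no compression lines left
    }


# Constructed sample configs mirroring the thread's starting point.
SERVER_CONF = "dev tun\nproto udp\ncomp-lzo adaptive\n<ca>\n(placeholder)\n</ca>\n"
CLIENT_CONF = "client\ndev tun\n;comp-lzo yes\ncomp-lzo\n"

if __name__ == "__main__":
    for key, value in compare(SERVER_CONF, CLIENT_CONF).items():
        print(key, value)
```

The `clean` result is the state asked for in post #12; `match` alone corresponds to the attempt in post #11, which still failed.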
