Stormshield


Joel Marchand

Aug 25, 2024, 6:27:54 PM
to tunnelblick-discuss
Hi,

For 3.5 years we have used Tunnelblick to open VPN connections into a Stormshield firewall.
Stormshield is a French company. Its VPN service for Linux and macOS is based on OpenVPN.

During these 3.5 years we had no trouble with updates to Tunnelblick or to Stormshield.

But since June 2024 and version 4.3.27 of the Stormshield system, we cannot open any VPN with Tunnelblick 4.0.1.

When we try to connect, the Stormshield VPN service says "OK" (we see it in the Stormshield log), but Tunnelblick says that the VPN server refuses the authentication.

With this new Stormshield version, we have no trouble with an OpenVPN client on Linux.

Any idea how to debug?

Best regards,

 Joel Marchand

Tunnelblick Developer

Aug 25, 2024, 6:58:24 PM
to tunnelblick-discuss
  • You can try Tunnelblick 6.0.0beta05.
  • You can examine the Tunnelblick/OpenVPN log.
  • You can post the Diagnostic Info (which includes the log) here, or email it to devel...@tunnelblick.net. (See Before You Post About a Problem.)
  • You can enable extra logging about VPN authentication and connecting/disconnecting the VPN by running the following in /Applications/Utilities/Terminal:
                    defaults write net.tunnelblick.tunnelblick DB-AU -bool yes
                    defaults write net.tunnelblick.tunnelblick DB-CD -bool yes
  • To disable the extra logging, run:
                    defaults delete net.tunnelblick.tunnelblick DB-AU
                    defaults delete net.tunnelblick.tunnelblick DB-CD
 

Joel Marchand

Aug 26, 2024, 5:56:46 PM
to tunnelblick-discuss
Hi,

Many thanks for your answer.

I tried Tunnelblick 6.0.0beta05 this evening and the problem is the same.

The log is here:

2024-08-26 23:47:56.164571 *Tunnelblick: macOS 10.13.6 (17G66); Tunnelblick 6.0beta05 (build 6090); prior version 4.0.1 (build 5971)
2024-08-26 23:43:57.358665 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
2024-08-26 23:43:57.361099 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations.
2024-08-26 23:43:57.179529 *Tunnelblick: openvpnstart starting OpenVPN
2024-08-26 23:43:57.361211 OpenVPN 2.6.12 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD]
2024-08-26 23:43:57.361226 library versions: OpenSSL 3.0.14 4 Jun 2024, LZO 2.10
2024-08-26 23:43:57.362414 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:56867
2024-08-26 23:43:57.362439 Need hold release from management interface, waiting...
2024-08-26 23:43:57.790996 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:49770
2024-08-26 23:43:57.823084 MANAGEMENT: CMD 'pid'
2024-08-26 23:43:57.823148 MANAGEMENT: CMD 'state on'
2024-08-26 23:43:57.823178 MANAGEMENT: CMD 'state'
2024-08-26 23:43:57.823238 MANAGEMENT: CMD 'bytecount 1'
2024-08-26 23:43:57.827749 MANAGEMENT: CMD 'hold release'
2024-08-26 23:44:09.537196 MANAGEMENT: CMD 'username "Auth" "jm...@ijm.fr"'
2024-08-26 23:44:09.537259 MANAGEMENT: CMD 'password [...]'
2024-08-26 23:44:09.537429 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2024-08-26 23:44:09.537443 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2024-08-26 23:44:09.543064 TCP/UDP: Preserving recently used remote address: [AF_INET]81.194.28.13:1194
2024-08-26 23:44:09.543121 Socket Buffers: R=[196724->196724] S=[9216->9216]
2024-08-26 23:44:09.543133 UDPv4 link local: (not bound)
2024-08-26 23:44:09.543144 UDPv4 link remote: [AF_INET]81.194.28.13:1194
2024-08-26 23:44:09.543191 MANAGEMENT: >STATE:1724708649,WAIT,,,,,,
2024-08-26 23:44:09.566909 MANAGEMENT: >STATE:1724708649,AUTH,,,,,,
2024-08-26 23:44:09.566946 TLS: Initial packet from [AF_INET]81.194.28.13:1194, sid=6452865d 69b39175
2024-08-26 23:44:09.641369 VERIFY OK: depth=1, C=US, ST=Default state, O=Stormshield, OU=sslvpnfull, CN=sslvpn-full-default-authority
2024-08-26 23:44:09.641992 VERIFY OK: depth=0, C=US, ST=Default state, O=Stormshield, OU=sslvpnfull, CN=openvpnserver.com
2024-08-26 23:44:09.708317 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bits RSA, signature: RSA-SHA256, peer temporary key: 521 bits ECsecp521r1
2024-08-26 23:44:09.708346 [openvpnserver.com] Peer Connection Initiated with [AF_INET]81.194.28.13:1194
2024-08-26 23:44:09.708362 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
2024-08-26 23:44:09.708411 TLS: tls_multi_process: initial untrusted session promoted to trusted
2024-08-26 23:44:10.768036 MANAGEMENT: >STATE:1724708650,GET_CONFIG,,,,,,
2024-08-26 23:44:10.768133 SENT CONTROL [openvpnserver.com]: 'PUSH_REQUEST' (status=1)
2024-08-26 23:44:11.827708 AUTH: Received control message: AUTH_FAILED,Data channel cipher negotiation failed (no shared cipher)
2024-08-26 23:44:11.827957 SIGUSR1[soft,auth-failure] received, process restarting
2024-08-26 23:44:11.827974 MANAGEMENT: >STATE:1724708651,RECONNECTING,auth-failure,,,,,
2024-08-26 23:44:17.585983 MANAGEMENT: CMD 'hold release'
2024-08-26 23:44:17.593796 MANAGEMENT: CMD 'username "Auth" "jm...@ijm.fr"'
2024-08-26 23:44:17.593847 MANAGEMENT: CMD 'password [...]'
2024-08-26 23:44:17.593870 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2024-08-26 23:44:17.593879 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2024-08-26 23:44:17.594152 TCP/UDP: Preserving recently used remote address: [AF_INET]81.194.28.13:1194
2024-08-26 23:44:17.594186 Socket Buffers: R=[196724->196724] S=[9216->9216]
2024-08-26 23:44:17.594197 UDPv4 link local: (not bound)
2024-08-26 23:44:17.594207 UDPv4 link remote: [AF_INET]81.194.28.13:1194
2024-08-26 23:44:17.594244 MANAGEMENT: >STATE:1724708657,WAIT,,,,,,
2024-08-26 23:44:17.618262 MANAGEMENT: >STATE:1724708657,AUTH,,,,,,
2024-08-26 23:44:17.618311 TLS: Initial packet from [AF_INET]81.194.28.13:1194, sid=2389dbb3 6de6e7c2
2024-08-26 23:44:17.690984 VERIFY OK: depth=1, C=US, ST=Default state, O=Stormshield, OU=sslvpnfull, CN=sslvpn-full-default-authority
2024-08-26 23:44:17.691553 VERIFY OK: depth=0, C=US, ST=Default state, O=Stormshield, OU=sslvpnfull, CN=openvpnserver.com
2024-08-26 23:44:17.756254 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bits RSA, signature: RSA-SHA256, peer temporary key: 521 bits ECsecp521r1
2024-08-26 23:44:17.756283 [openvpnserver.com] Peer Connection Initiated with [AF_INET]81.194.28.13:1194
2024-08-26 23:44:17.756299 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
2024-08-26 23:44:17.756342 TLS: tls_multi_process: initial untrusted session promoted to trusted
2024-08-26 23:44:19.075880 MANAGEMENT: >STATE:1724708659,GET_CONFIG,,,,,,
2024-08-26 23:44:19.075963 SENT CONTROL [openvpnserver.com]: 'PUSH_REQUEST' (status=1)
2024-08-26 23:44:19.100367 AUTH: Received control message: AUTH_FAILED,Data channel cipher negotiation failed (no shared cipher)
2024-08-26 23:44:19.100616 SIGUSR1[soft,auth-failure] received, process restarting
2024-08-26 23:44:19.100633 MANAGEMENT: >STATE:1724708659,RECONNECTING,auth-failure,,,,,
2024-08-26 23:44:30.880374 MANAGEMENT: CMD 'hold release'
2024-08-26 23:44:44.751950 MANAGEMENT: CMD 'username "Auth" "jm...@ijm.fr"'
2024-08-26 23:44:44.752002 MANAGEMENT: CMD 'password [...]'
2024-08-26 23:44:44.752026 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2024-08-26 23:44:44.752035 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2024-08-26 23:44:44.752205 TCP/UDP: Preserving recently used remote address: [AF_INET]81.194.28.13:1194
2024-08-26 23:44:44.752248 Socket Buffers: R=[196724->196724] S=[9216->9216]
2024-08-26 23:44:44.752258 UDPv4 link local: (not bound)
2024-08-26 23:44:44.752269 UDPv4 link remote: [AF_INET]81.194.28.13:1194
2024-08-26 23:44:44.752310 MANAGEMENT: >STATE:1724708684,WAIT,,,,,,
2024-08-26 23:44:44.776252 MANAGEMENT: >STATE:1724708684,AUTH,,,,,,
2024-08-26 23:44:44.776292 TLS: Initial packet from [AF_INET]81.194.28.13:1194, sid=0a7d4211 76ff76bf
2024-08-26 23:44:44.850712 VERIFY OK: depth=1, C=US, ST=Default state, O=Stormshield, OU=sslvpnfull, CN=sslvpn-full-default-authority
2024-08-26 23:44:44.851261 VERIFY OK: depth=0, C=US, ST=Default state, O=Stormshield, OU=sslvpnfull, CN=openvpnserver.com
2024-08-26 23:44:44.916041 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 2048 bits RSA, signature: RSA-SHA256, peer temporary key: 521 bits ECsecp521r1
2024-08-26 23:44:44.916081 [openvpnserver.com] Peer Connection Initiated with [AF_INET]81.194.28.13:1194
2024-08-26 23:44:44.916098 TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
2024-08-26 23:44:44.916148 TLS: tls_multi_process: initial untrusted session promoted to trusted
2024-08-26 23:44:46.099658 MANAGEMENT: >STATE:1724708686,GET_CONFIG,,,,,,
2024-08-26 23:44:46.099713 SENT CONTROL [openvpnserver.com]: 'PUSH_REQUEST' (status=1)
2024-08-26 23:44:47.364275 AUTH: Received control message: AUTH_FAILED,Data channel cipher negotiation failed (no shared cipher)
2024-08-26 23:44:47.364545 SIGUSR1[soft,auth-failure] received, process restarting
2024-08-26 23:44:47.364563 MANAGEMENT: >STATE:1724708687,RECONNECTING,auth-failure,,,,,
2024-08-26 23:44:55.368512 SIGTERM[hard,init_instance] received, process exiting
2024-08-26 23:44:55.368541 MANAGEMENT: >STATE:1724708695,EXITING,init_instance,,,,,
2024-08-26 23:47:56.393850 *Tunnelblick: Attempting connection with openvpn_client; Set nameserver = 0x00000301; monitoring connection
2024-08-26 23:47:56.394900 *Tunnelblick: openvpnstart start openvpn_client.tblk 57256 0x00000301 0 3 0 0x0010c130 -ptADGNWradsgnw 2.6.12-openssl-3.0.14 <password>
2024-08-26 23:47:57.021032 *Tunnelblick: openvpnstart log:
     OpenVPN started successfully.
     Command used to start OpenVPN (one argument per displayed line):
          /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.6.12-openssl-3.0.14/openvpn
          --daemon
          --log-append /Library/Application Support/Tunnelblick/Logs/-SLibrary-SApplication Support-STunnelblick-SShared-Sopenvpn_client.tblk-SContents-SResources-Sconfig.ovpn.769_0_3_0_1098032.57256.openvpn.log
          --cd /Library/Application Support/Tunnelblick/Shared/openvpn_client.tblk/Contents/Resources
          --machine-readable-output
          --setenv IV_GUI_VER "net.tunnelblick.tunnelblick 6090 6.0beta05 (build 6090)"
          --verb 3
          --config /Library/Application Support/Tunnelblick/Shared/openvpn_client.tblk/Contents/Resources/config.ovpn
          --setenv TUNNELBLICK_CONFIG_FOLDER /Library/Application Support/Tunnelblick/Shared/openvpn_client.tblk/Contents/Resources
          --verb 3
          --cd /Library/Application Support/Tunnelblick/Shared/openvpn_client.tblk/Contents/Resources
          --management 127.0.0.1 57256 /Library/Application Support/Tunnelblick/Mips/openvpn_client.tblk.mip
          --setenv IV_SSO webauth
          --management-query-passwords
          --management-hold
          --script-security 2
          --route-up /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw
          --down /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw
2024-08-26 23:47:57.055665 *Tunnelblick: Established communication with OpenVPN
2024-08-26 23:47:57.057099 *Tunnelblick: >INFO:OpenVPN Management Interface Version 5 -- type 'help' for more info
2024-08-26 23:48:12.782240 *Tunnelblick: Delaying HOLD release for 1.000 seconds
2024-08-26 23:48:25.685577 *Tunnelblick: Disconnecting; user cancelled authorization
2024-08-26 23:48:25.831245 *Tunnelblick: Disconnecting using 'kill'
2024-08-26 23:48:27.381933 *Tunnelblick: Expected disconnection occurred.


I should add that I am sure about the back-office authentication because

1/ I can connect from this Mac with this account/password on
    https://vpn.ijm.fr/auth, the web interface to obtain the .ovpn config file from our Stormshield firewall

2/ when I try to connect with Tunnelblick, I get this message in the firewall log:

Aug 26 23:53:57 fw454.ijm.univ-paris-diderot.priv id=firewall time="2024-08-26 23:53:57" fw="IJM" tz=+0200 startime="2024-08-26 23:53:57" ipproto="UDP" user="jma2" domain="ijm.fr" src=81.51.46.71 remotenet=10.0.1.6 localnet=10.0.1.5 msg="User authenticated in ASQ" logtype="xvpn"
Aug 26 23:53:57 fw454.ijm.univ-paris-diderot.priv id=firewall time="2024-08-26 23:53:57" fw="IJM" tz=+0200 startime="2024-08-26 23:53:57" ipproto="UDP" user="jma2" domain="ijm.fr" src=81.51.46.71 remotenet=10.0.1.6 localnet=10.0.1.5 port=59505 msg="SSL tunnel created" logtype="xvpn"


Best regards,

    Joel Marchand

Tunnelblick Developer

Aug 26, 2024, 7:36:49 PM
to tunnelblick-discuss
This:
     2024-08-26 23:44:11.827708 AUTH: Received control message: AUTH_FAILED,Data channel cipher negotiation failed (no shared cipher)
is not talking about the username/password authentication. "no shared cipher" means that the server and the client could not agree on a cipher for encryption.

That means that the server configuration and the client configuration do not have a common cipher.

This could be caused by the version of OpenVPN and/or OpenSSL being used. Tunnelblick has several versions of OpenVPN/OpenSSL and you are using the most recent (OpenVPN 2.6.12 and OpenSSL 3.0.14), which may not be compatible with your Stormshield OpenVPN configuration. You should try using older versions of OpenVPN/OpenSSL – select them on the "Settings" tab of the "Configurations" panel in Tunnelblick's "VPN Details" window. For more information, see Tunnelblick 4.

Joel Marchand

Aug 27, 2024, 4:41:35 PM
to tunnelblick-discuss

Hi,

Thanks a lot again.
You are right.

Stormshield, the vendor of our firewall, has published a note:

"As far as we know only OpenVPN GUI and some other less known SSL VPN clients are impacted; the Stormshield SSL VPN client and OpenVPN Connect are not."

Two workarounds are proposed. I tested one with Tunnelblick 4.x:
"A second workaround consists of changing the SNS cipher to one of those presented by the OpenVPN client during negotiation.

In our example log, we see that AES-256-GCM and AES-128-GCM are presented by the OpenVPN client during negotiation, so we can modify the SNS configuration to use one of these ciphers:

setconf ~/ConfigFiles/Openvpn/openvpn Config cipher AES-256-GCM
enopenvpn

Note that it is recommended that you stay closest to your default SNS cipher; in our example the cipher presented by the SNS was AES-256-CBC, so it is best to change to AES-256-GCM.

If the default cipher presented by the SNS is AES-128-CBC, it is better to change to AES-128-GCM."

And it works!

The other workaround published is:

"The issue is related to a missing parameter in the generated client .ovpn configuration; as a workaround you can add this parameter to your .ovpn configuration file:

data-ciphers AES-256-CBC

Note that in this example we add AES-256-CBC because it is the one presented by the SNS; however this depends on the firewall model, and AES-128-CBC can also be used, for example.

To see which one is presented by the SNS you can check for the "cipher" token in your .ovpn configuration (it can also be seen on the DEPRECATED OPTION log line; here for example we see that --cipher is set to AES-256-CBC)."

Thanks again a lot for your help!

And congratulations on your software.

  Joel
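As an added illustration of the developer's diagnosis above (the AUTH_FAILED line is a data-channel cipher mismatch, not a credential failure) and of the two Stormshield workarounds quoted in this post, here is a small Python script. It is not part of the thread, of Tunnelblick or of Stormshield's tooling. It pulls the `cipher` and `data-ciphers` tokens out of an .ovpn file, applies the OpenVPN 2.6 rule printed on the DEPRECATED OPTION line (only `data-ciphers` is offered for negotiation; a lone `cipher` is ignored), checks whether the cipher the server presents is in the offered list, labels each AUTH_FAILED log line, and emits the two workarounds for the server cipher found. The .ovpn contents, the hostname `vpn.example.invalid` and the third log line are constructed; the first two log lines are quoted from the thread.

```python
import re

# OpenVPN 2.6 default negotiation list, as printed on the DEPRECATED OPTION line in the thread.
DEFAULT_DATA_CIPHERS = ["AES-256-GCM", "AES-128-GCM", "CHACHA20-POLY1305"]

# Constructed sample .ovpn, modelled on the thread: a 'cipher' token but no 'data-ciphers'.
SAMPLE_OVPN = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194
cipher AES-256-CBC
auth-user-pass
"""

# Log lines: the first two are quoted from the thread; the third is a constructed
# plain credential failure so the classifier has something to contrast with.
SAMPLE_LOG = [
    "2024-08-26 23:43:57.361099 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations.",
    "2024-08-26 23:44:11.827708 AUTH: Received control message: AUTH_FAILED,Data channel cipher negotiation failed (no shared cipher)",
    "2024-08-26 23:50:00.000000 AUTH: Received control message: AUTH_FAILED",
]


def parse_ovpn(text):
    """Extract the 'cipher' and 'data-ciphers' tokens from an .ovpn config (None if absent)."""
    settings = {"cipher": None, "data-ciphers": None}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # OpenVPN comment lines
            continue
        parts = line.split()
        key = parts[0].lstrip("-")           # accept 'cipher' and '--cipher' alike
        if key == "cipher" and len(parts) >= 2:
            settings["cipher"] = parts[1].upper()
        elif key == "data-ciphers" and len(parts) >= 2:
            settings["data-ciphers"] = [c.upper() for c in parts[1].split(":")]
    return settings


def effective_data_ciphers(settings):
    """OpenVPN 2.6 rule from the log: only --data-ciphers is offered; a lone --cipher is ignored."""
    if settings["data-ciphers"]:
        return list(settings["data-ciphers"])
    return list(DEFAULT_DATA_CIPHERS)


def has_shared_cipher(settings, server_cipher):
    """True when the cipher the server insists on appears in what the client will offer."""
    return server_cipher.upper() in effective_data_ciphers(settings)


def classify_auth_failures(log_lines):
    """Label each AUTH_FAILED line: cipher negotiation failure vs. everything else."""
    labels = []
    for line in log_lines:
        m = re.search(r"AUTH_FAILED(?:,(.*))?$", line)
        if not m:
            continue
        reason = (m.group(1) or "").lower()
        labels.append("cipher-mismatch" if "cipher negotiation" in reason else "credentials-or-policy")
    return labels


def workarounds(server_cipher):
    """The two fixes from the Stormshield note, parameterised by the cipher the SNS presents."""
    server_cipher = server_cipher.upper()
    # The note pairs AES-256-CBC with AES-256-GCM and AES-128-CBC with AES-128-GCM.
    closest_gcm = server_cipher.replace("-CBC", "-GCM")
    return {
        "client_side": f"data-ciphers {server_cipher}",
        "server_side": f"setconf ~/ConfigFiles/Openvpn/openvpn Config cipher {closest_gcm}",
    }


def diagnose(ovpn_text, log_lines):
    """Tie it together: is the failure a cipher mismatch, and which workaround applies?"""
    settings = parse_ovpn(ovpn_text)
    server_cipher = settings["cipher"]      # per the note, the SNS presents the 'cipher' token
    report = {
        "failures": classify_auth_failures(log_lines),
        "client_offers": effective_data_ciphers(settings),
        "server_cipher": server_cipher,
        "shared": bool(server_cipher) and has_shared_cipher(settings, server_cipher),
    }
    if server_cipher and not report["shared"]:
        report["workarounds"] = workarounds(server_cipher)
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(diagnose(SAMPLE_OVPN, SAMPLE_LOG), indent=2))
```

Run it against a real config and a Tunnelblick log to see whether the offered list contains the server's cipher before touching either side. `data-ciphers` accepts a colon-separated list, so the client-side workaround can also keep the GCM entries alongside the CBC one; the parser above handles that form too.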
