
List:       pfsense-discussion
Subject:    [pfSense] OpenVPN issues with iOS OpenVPN client
From:       Stefan Baur <newsgroups.mail2 () stefanbaur ! de>
Date:       2013-12-04 14:48:25
Message-ID: 529F40B9.5080708 () stefanbaur ! de

Hi List,

I'm having trouble getting an iPhone to connect to my pfSense OpenVPN 
installation.

On the Server, I'm seeing:
openvpn[2371]: [remote IP here]:11125 WARNING: Bad encapsulated packet 
length from peer (1404), which must be > 0 and <= 1300 -- please ensure 
that --tun-mtu or --link-mtu is equal on both peers -- this condition 
could also indicate a possible active attack on the TCP link -- 
[Attempting restart...]

While the Client says:

[certificate shown here]
issued  on    : 2013-11-28 22:02:23
expires on    : 2023-11-26 22:02:23
signed using  : RSA+SHA1
RSA key size  : 2048 bits

2013-12-04 15:33:45 TCP recv EOF
2013-12-04 15:33:45 Transport Error: Transport error on '[my dyndns name here]: NETWORK_EOF_ERROR
2013-12-04 15:33:45 Client terminated, restarting in 2...
2013-12-04 15:33:47 EVENT: RECONNECTING
2013-12-04 15:33:47 LZO-ASYM init swap=0 asym=0

I'm passing
link-mtu 1300;
mssfix 1260;

to both client and server, so I don't know where the 1404 is coming from.

What am I doing wrong? And why is it that only the iPhone has trouble 
connecting, while an Android phone (using another certificate, but the 
same settings) works fine?

If you need further info (settings, more log file excerpts), please let 
me know what I should post.

This is a pfSense behind another pfSense (which is set to forward TCP 
packets on port 1194 to the second pfSense, that has OpenVPN configured) 
which in turn is attached to a SoHo DSL router (which is set to forward 
all packets to the first pfSense WAN IP), so I'm using tcp instead of 
udp and the 1300 mtu setting to avoid trouble due to multiple NATing and 
forwarding. Worked fine for Android, just the iPhone is acting up.

IoW: [DSL]---[SoHo router]----[pfSense #1]----[pfSense #2 with OpenVPN]

-Stefan