[CentOS-virt] OpenVPN connection problem on VirtualBox

Fri May 2 18:45:01 UTC 2008
Todd and Margo Chester <ToddAndMargo at verizon.net>

Fabian Arrotin wrote:
> On Fri, 2008-03-28 at 18:41 -0700, Todd and Margo Chester wrote:
>> Hi All,
>>
>>      I am working on a mystery.  I am using
>> openvpn-2.1_beta7-gui-1.0.3-install on all
>> the computers in question.  All computers
>> are running XP-Pro-SP2.  (Mine is running
>> in a virtual window -- details below.)
>>
>> This configuration works perfectly from my office.
>> I use it to call five facilities:
>>
>> remote aa.bb.cc.dd
>> port 5030
>> proto udp
>> dev tap
>> ifconfig 192.168.240.30 255.255.255.0
>> secret iamnottellingyou.txt
>> ping-restart 60
>> ping-timer-rem
>> persist-tun
>> persist-key
>> resolv-retry 86400
>> ping 10
>> comp-lzo
>> verb 6
>> mute 10
>>
>>
>> But this EXACT config works on TWO other
>> computers, yet not on mine:
>>
>> remote ww.xx.yy.zz 5020
>> client
>> dev tap
>> proto udp
>> resolv-retry infinite
>> nobind
>> persist-key
>> persist-tun
>> ca foo-ca.crt
>> cert foo-client1.crt
>> key foo-client1.key
>> ns-cert-type server
>> ping 10
>> comp-lzo
>> verb 3
>>
>>
>> The only difference between the two computers
>> that MY config works on and mine is that
>> my computer is running in a virtual window.
>>
>> Host: CentOS 5.1
>> Guest XP-Pro-SP2
>> VM: VirtualBox-1.5.6_28266_rhel5-1.i586.rpm
>>
>> The host and the guest are connected by
>> a bridge (br0):
>>
>> DEVICE=br0
>> TYPE=Bridge
>> BOOTPROTO=static
>> BROADCAST=192.168.255.255
>> IPADDR=192.168.255.10
>> NETMASK=255.255.255.0
>> NETWORK=192.168.255.0
>> GATEWAY=192.168.255.10
>> ONBOOT=yes
>> USERCTL=yes
>> IPV6INIT=no
>> PEERDNS=no
>> PROMISC=yes
>>
>>
>> When trying to connect, the same error message
>> pops up on my computer (virtual XP) and on the
>> distant end's (XP) server:
>>
>> TLS Error: TLS key negotiation failed to occur
>> within 60 seconds (check your network connectivity)
>>
>> The SAME error message!
>>
>>
>> Why does the first config work, but not the
>> second?  It is obviously not the config: it
>> is identical on the other two computers
>> that it works on.  I think it may
>> be the way OpenVPN is reacting to my bridge,
>> but then, again, the first config works.
>>
>> Editorial comment:  AAAAAAAAAHHHHHHHHHHHHHHHHHHH!!!!
>>
>> Anyone know what I am doing wrong?
>>
>> Many thanks,
>> -T
>>
> 
> I've had the same problem one time when the OpenVPN server was behind a
> Watchguard Firewall .. I don't know why, but some client machines were
> not able to connect while others could ...
> I switched to the tcp-server/tcp-client protocol instead of udp and the
> problem went away directly ...
> BTW, when possible now, I configure OpenVPN to listen on 443/tcp so that
> OpenVPN clients are able to connect remotely, even through a proxy at
> the other side ... ;-)
> 

Follow-up: Charter is ("reserves the right") blocking certain ports
on the "Dynamic IPs", especially VPN connections.  They are not
supposed to on their "Fixed IP" connections, but they do anyway.
Fabian called it.

So, it wasn't me.  The tip-off is that you can do a traceroute
from point A to point B, but not from point B to point A.

--T

p.s. the customer is dropping Charter
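Fabian's workaround above, moving the tunnel from UDP to tcp-server/tcp-client on 443, only helps if both ends change together: a client on `proto tcp-client` talking to a server still on `proto udp` times out with the very same "TLS key negotiation failed to occur within 60 seconds" message that started this thread. The script below is an added example written for this page, not code posted by either participant. It takes the second (failing) client config quoted above, embedded verbatim as constructed sample input, resolves the endpoint the way OpenVPN does (a port on the `remote` line wins over a standalone `port` directive, default 1194/udp), and emits both the rewritten client config and the server-side directives that must be applied at the same time. The `http-proxy` line and the `proxy.example` host are placeholder assumptions for the proxy case Fabian mentions.

```python
"""Added example: move an OpenVPN 2.x client from UDP to TCP/443 in lockstep
with the server, the workaround described in the thread above.
The sample config is the failing client config quoted in the thread."""

# Constructed sample: the second client config from the thread, verbatim.
CLIENT_CONF = """\
remote ww.xx.yy.zz 5020
client
dev tap
proto udp
resolv-retry infinite
nobind
persist-key
persist-tun
ca foo-ca.crt
cert foo-client1.crt
key foo-client1.key
ns-cert-type server
ping 10
comp-lzo
verb 3
"""


def parse_config(text):
    """Split an OpenVPN config into (directive, args) pairs, in file order.
    Blank lines and '#'/';' comment lines are dropped.  Plain whitespace
    splitting is enough here; none of the quoted configs use quoted paths."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':
            continue
        parts = line.split()
        entries.append((parts[0], parts[1:]))
    return entries


def endpoint(entries):
    """Resolve (host, port, proto) the way OpenVPN does: a port given on the
    'remote' line wins over a standalone 'port' directive, and the defaults
    are 1194/udp.  Both configs quoted in the thread resolve to udp, so a
    path that drops UDP in one direction never completes the handshake."""
    host, proto = None, 'udp'
    default_port, remote_port = 1194, None
    for directive, args in entries:
        if directive == 'port' and args:
            default_port = int(args[0])
        elif directive == 'proto' and args:
            proto = args[0]
        elif directive == 'remote' and args:
            host = args[0]
            if len(args) > 1:
                remote_port = int(args[1])
            if len(args) > 2:
                proto = args[2]
    return host, remote_port or default_port, proto


def to_tcp_443(entries, port=443, http_proxy=None):
    """Return (client_conf, server_fragment) with the transport switched to
    TCP on `port`.  The server fragment must go live at the same time:
    'proto tcp-client' against a server still on 'proto udp' fails with the
    same 60-second TLS negotiation timeout seen in the thread.
    `http_proxy` is an optional (host, port) tuple for traversing a web proxy
    (placeholder assumption, not from the thread)."""
    client = []
    for directive, args in entries:
        if directive == 'proto':
            client.append('proto tcp-client')
        elif directive == 'remote':
            client.append(f'remote {args[0]} {port}')   # port moves onto the remote line
        elif directive == 'port':
            continue                                     # superseded by the remote line
        elif directive == 'explicit-exit-notify':
            continue                                     # OpenVPN rejects this directive with TCP
        else:
            client.append(' '.join([directive, *args]))
    if http_proxy:
        client.append(f'http-proxy {http_proxy[0]} {http_proxy[1]}')
    server = ['proto tcp-server', f'port {port}']
    return '\n'.join(client) + '\n', '\n'.join(server) + '\n'


if __name__ == '__main__':
    entries = parse_config(CLIENT_CONF)
    print('current endpoint:', endpoint(entries))
    client_conf, server_fragment = to_tcp_443(entries)
    print(client_conf)
    print('--- server side ---')
    print(server_fragment)
```

Push the server fragment first (or at the same moment as the clients), since a server on tcp-server silently ignores the old UDP clients and a client on tcp-client silently ignores a UDP server; both failure modes present as the same TLS negotiation timeout, with nothing in the log pointing at the transport mismatch. Picking 443/tcp, as Fabian does, is what lets the client add an `http-proxy` line and reach the server from behind a web proxy.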