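Premise: the OpenVPN server is running without problems and users have not reported being unable to connect, but a user with a fresh install of [OpenVPN-2.6.8-I001] gets the error messages below when connecting, even though the account and password are correct.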
2024-07-05 11:46:04 OPTIONS ERROR: failed to negotiate cipher with server. Add the server's cipher ('AES-128-CBC') to --data-ciphers (currently 'AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305') if you want to connect to this server.
2024-07-05 11:46:04 ERROR: Failed to apply push options
2024-07-05 11:46:04 Failed to open tun/tap interface
2024-07-05 11:46:04 SIGUSR1[soft,process-push-msg-failed] received, process restarting
2024-07-05 11:46:04 MANAGEMENT: >STATE:1720151164,RECONNECTING,process-push-msg-failed,,,,,
2024-07-05 11:46:04 Restart pause, 1 second(s)
In my case the host is a Sophos XGS-136, and the relevant settings are:
Encryption Algorithm: AES-128-CBC
Authentication Algorithm: SHA2 256
Key Size: 2048 bits
Key LifeTime: 28800
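Judging from the error message, the failure is caused by a cipher mismatch between the server and the client. So how do we fix it?
[Solution]: edit the user's .ovpn profile file
In the x.ovpn file, find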
cipher AES-128-CBC
and change it to
data-ciphers AES-256-GCM:AES-128-GCM:AES-128-CBC
Save the file and reconnect; it should now work.
----
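The fix replaces the single, fixed AES-128-CBC cipher with a list of acceptable ones: with AES-256-GCM:AES-128-GCM:AES-128-CBC, a match on any one of the three ciphers is enough.
The error message itself already says this: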
2024-07-05 11:46:04 OPTIONS ERROR: failed to negotiate cipher with server. Add the server's cipher ('AES-128-CBC') to --data-ciphers (currently 'AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305') if you want to connect to this server.
Does my Sophos XGS need to be changed? No, only the client has to be changed.
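The same edit as a script, for when many client profiles need it. This is an added example, not code from the original post: it reads the server's cipher out of the error line and rewrites the profile's `cipher` line into the `data-ciphers` line shown above. The function names, the sample profile and `vpn.example.com` are assumptions made for the illustration.

```python
import re

# Constructed sample input: the error line quoted in the post and a minimal client profile.
LOG = ("2024-07-05 11:46:04 OPTIONS ERROR: failed to negotiate cipher with server. "
       "Add the server's cipher ('AES-128-CBC') to --data-ciphers "
       "(currently 'AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305') "
       "if you want to connect to this server.")
PROFILE = """client
dev tun
remote vpn.example.com 8443
cipher AES-128-CBC
auth SHA256
"""

ERR = re.compile(r"Add the server's cipher \('([^']+)'\) to --data-ciphers \(currently '([^']*)'\)")

def parse_error(line):
    """Return (server_cipher, client_data_ciphers) or None for any other log line."""
    m = ERR.search(line)
    return (m.group(1), m.group(2).split(":")) if m else None

def patch_profile(text, server_cipher, preferred=("AES-256-GCM", "AES-128-GCM")):
    """Replace 'cipher'/'data-ciphers' lines with one data-ciphers line ending in server_cipher."""
    lines = text.splitlines()
    current = [l.split()[1].split(":") for l in lines
               if l.split()[:1] == ["data-ciphers"] and len(l.split()) > 1]
    ciphers = list(current[0] if current else preferred)
    if server_cipher not in ciphers:
        ciphers.append(server_cipher)  # server's cipher goes last, as in the post's line
    new_line = "data-ciphers " + ":".join(ciphers)
    out, emitted = [], False
    for l in lines:
        # Commented-out directives ('#cipher ...', ';cipher ...') do not match and are kept.
        if l.split()[:1] in (["cipher"], ["data-ciphers"]):
            if not emitted:  # emit the merged line once, at the first match
                out.append(new_line)
                emitted = True
            continue
        out.append(l)
    if not emitted:
        out.append(new_line)
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    server_cipher, client_list = parse_error(LOG)
    print("server:", server_cipher, "| client offered:", client_list)
    print(patch_profile(PROFILE, server_cipher), end="")
```

Because the GCM ciphers stay in the list, the same profile keeps working if the server side is later moved to one of them.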
~END