Cipher mismatches

In this recipe, we will change the cryptographic cipher that OpenVPN uses. Initially, we will change the cipher only on the client side, which will cause the VPN connection to come up without being able to pass any traffic. The primary purpose of this recipe is to show the error messages that appear, not to explore the different types of ciphers that OpenVPN supports.

Getting ready

Set up the client and server certificates using the first recipe from Chapter 2, Client-server IP-only Networks. For this recipe, the server computer was running CentOS 6 Linux and OpenVPN 2.3.11, and the client was running Windows 7 64-bit and OpenVPN 2.3.10. Keep the configuration file, basic-udp-server.conf, from the Server-side routing recipe from Chapter 2, Client-server IP-only Networks, as well as the client configuration file, basic-udp-client.conf.

How to do it...

  1. Start the server using the configuration file, basic-udp-server.conf:
            [root@server]# openvpn --config basic-udp-server.conf
    
  2. Next, create the client configuration file by appending a line to the basic-udp-client.conf file:
            cipher CAST5-CBC 
    

    Save it as example6-1-client.conf.

  3. Start the client, after which the following messages will appear in the client log:
            [root@client]# openvpn --config example6-1-client.conf
            ... WARNING: 'cipher' is used inconsistently, local='cipher CAST5-CBC', remote='cipher BF-CBC'
            ... [openvpnserver] Peer Connection Initiated with server-ip:1194
            ... TUN/TAP device tun0 opened
            ... /sbin/ip link set dev tun0 up mtu 1500
            ... /sbin/ip addr add dev tun0 10.200.0.2/24 broadcast 10.200.0.255
            ... Initialization Sequence Completed
            ... Authenticate/Decrypt packet error: cipher final failed
    

    And, similarly, on the server side:

            ... client-ip:52461 WARNING: 'cipher' is used inconsistently, local='cipher BF-CBC', remote='cipher CAST5-CBC'
            ... client-ip:52461 [client1] Peer Connection Initiated with client1:52461
            ... client1/client-ip:52461 Authenticate/Decrypt packet error: cipher final failed
            ... client1/client-ip:52461 Authenticate/Decrypt packet error: cipher final failed
    

    The connection is never usable: both sides report "Peer Connection Initiated", and the client even brings up tun0, but every data packet that follows fails to decrypt, so no traffic passes through the tunnel. Neither side tears the connection down immediately; the "cipher final failed" errors simply repeat for every packet received.

How it works...

During the connection phase, the client and the server exchange a number of parameters needed to secure the connection. One of the most important of these is the encryption cipher, which is used to encrypt and decrypt all data-channel traffic. In OpenVPN 2.3 this cipher is not negotiated: each side simply uses whatever its own cipher directive (or the built-in default, BF-CBC) specifies. The TLS handshake on the control channel does not depend on this cipher, which is why it completes and both sides log "Peer Connection Initiated". The only thing that notices the mismatch at that point is OpenVPN's options-consistency check, which compares the two configuration strings and logs the "'cipher' is used inconsistently" warning without aborting. As soon as the first data packet arrives, decrypting it with the wrong cipher fails, producing the "cipher final failed" error. If the client and server use different ciphers, they are simply not capable of talking to each other.

By adding the following configuration directive to the server configuration file and restarting the server (OpenVPN reads its configuration only at startup), the client and the server can communicate again:

cipher CAST5-CBC 
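The steps above and the fix in this section are easy to get wrong in a deployment with many configuration files, since OpenVPN 2.3 only warns about the mismatch and still brings the tunnel up. The following script is an added example, not code from the recipe or from the OpenVPN project: it checks that the cipher directive agrees between a server and a client configuration before OpenVPN is started, honouring OpenVPN's comment syntax and its BF-CBC default, and it scans a log file for the "'cipher' is used inconsistently" warning that this recipe produces. The file names are the recipe's, but their contents and the log lines are constructed for the example.

```sh
#!/bin/sh
# Added example (not from the recipe or the OpenVPN project): a pre-flight
# check that the 'cipher' directive agrees in a server and a client
# configuration, plus a scan of a log for the resulting warning.
# The file names are the recipe's; their contents below are constructed.

# Effective value of a directive in an OpenVPN config file. Comments start
# with '#' or ';', the last occurrence of a repeated directive wins, and an
# absent directive means OpenVPN's built-in default (BF-CBC for 'cipher'
# in 2.3), which the caller passes as the third argument.
ovpn_directive() {   # usage: ovpn_directive <conf> <directive> <default>
    value=$(sed -e 's/[#;].*$//' "$1" |
            awk -v d="$2" '$1 == d { v = $2 } END { print v }')
    if [ -n "$value" ]; then
        printf '%s\n' "$value"
    else
        printf '%s\n' "$3"
    fi
}

# Compare the data-channel cipher on both sides before starting OpenVPN.
# Returns 0 when they agree and 1 when they do not (a 2.3 server would
# still accept the client and then fail with 'cipher final failed').
check_cipher() {   # usage: check_cipher <server.conf> <client.conf>
    s=$(ovpn_directive "$1" cipher BF-CBC)
    c=$(ovpn_directive "$2" cipher BF-CBC)
    if [ "$s" = "$c" ]; then
        printf 'OK: both sides use cipher %s\n' "$s"
        return 0
    fi
    printf "MISMATCH: server='%s' client='%s'\n" "$s" "$c" >&2
    return 1
}

# Find the options-consistency warning in an OpenVPN log and print the two
# cipher names as "local remote". Returns 1 when no such warning is logged.
log_cipher_mismatch() {   # usage: log_cipher_mismatch <logfile>
    sed -n "s/.*'cipher' is used inconsistently, local='cipher \([^']*\)', remote='cipher \([^']*\)'.*/\1 \2/p" "$1" |
        grep .
}

# Constructed stand-ins for the recipe's files: the server config has no
# active 'cipher' line (a commented-out one must be ignored), the client
# config carries the appended 'cipher CAST5-CBC'.
write_demo_files() {   # usage: write_demo_files <dir>
    cat > "$1/basic-udp-server.conf" <<'EOF'
proto udp
port 1194
dev tun
;cipher AES-256-CBC   # commented out, so the default BF-CBC applies
EOF
    cat > "$1/example6-1-client.conf" <<'EOF'
client
proto udp
remote openvpnserver 1194
dev tun
cipher CAST5-CBC
EOF
    # Constructed server log lines in the format shown in the recipe.
    cat > "$1/server.log" <<'EOF'
client-ip:52461 WARNING: 'cipher' is used inconsistently, local='cipher BF-CBC', remote='cipher CAST5-CBC'
client-ip:52461 [client1] Peer Connection Initiated with client1:52461
client1/client-ip:52461 Authenticate/Decrypt packet error: cipher final failed
EOF
}

demo() {
    dir=$(mktemp -d)
    write_demo_files "$dir"
    check_cipher "$dir/basic-udp-server.conf" "$dir/example6-1-client.conf" || true
    log_cipher_mismatch "$dir/server.log"
    # The fix from 'How it works...': the same cipher on the server side.
    printf 'cipher CAST5-CBC\n' >> "$dir/basic-udp-server.conf"
    check_cipher "$dir/basic-udp-server.conf" "$dir/example6-1-client.conf"
    rm -rf "$dir"
}
demo
```

Run against the real basic-udp-server.conf and example6-1-client.conf, check_cipher reports the mismatch before the server is started; log_cipher_mismatch is the same test applied after the fact to a server or client log, and can be dropped into whatever log monitoring is already watching the OpenVPN daemon.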

There's more...

OpenVPN supports quite a few ciphers, although support for some of them is still experimental. To view the list of supported ciphers, type:

$ openvpn --show-ciphers

This lists every cipher along with its key length, marked as either variable or fixed. The ciphers with a variable key length are very well supported by OpenVPN; the others can sometimes lead to unpredictable results. Whichever cipher you choose, it must be set to the same value on both sides, as this recipe shows. Note that the 2.3 default, BF-CBC, is a 64-bit block cipher; current OpenVPN releases warn against it, and new deployments should use an AES cipher instead.

Pushable ciphers

Starting with version 2.4, OpenVPN clients support the option to process a cipher pushed from the server to the client. Thus, if all clients are running OpenVPN 2.4 or later, it becomes much easier to change the encryption cipher in an existing deployment. OpenVPN 2.4 also introduced negotiation of the data-channel cipher between 2.4 peers (the ncp-ciphers directive, which defaults to the AES-GCM ciphers), so the static-cipher mismatch shown in this recipe mainly affects deployments where one side is still running 2.3.
