OpenVPN Error: pushed cipher not allowed in VyOS 1.3.0-rc5

Hello,

I got an error with OpenVPN after updating from VyOS 1.3.0-rc4 to VyOS 1.3.0-rc5. I think it is because it sends the cipher in upper case, as “cipher AES-256-CBC”.

The vtun0.conf file on the VyOS VM is identical in both versions:

# Encryption options
cipher aes-256-cbc
ncp-ciphers aes-256-cbc:aes-256-gcm:AES-256-CBC:AES-256-GCM

Log from my OpenVPN client device (EdgeRouter):

Connecting with VyOS 1.3.0-rc5:

OPTIONS IMPORT: data channel crypto options modified
Error: pushed cipher not allowed - AES-256-CBC not in aes-256-cbc or AES-256-GCM:AES-128-GCM
OPTIONS ERROR: failed to import crypto options

Connecting with VyOS 1.3.0-rc4. It is OK:

OPTIONS IMPORT: data channel crypto options modified.

Log from my OpenVPN server VM (VyOS 1.3.0-rc5):

Jul 31 15:26:15 gw4 openvpn-vtun0[6800]: 10.20.35.29:49646 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Jul 31 15:26:15 gw4 openvpn-vtun0[6800]: 10.20.35.29:49646 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Jul 31 15:26:15 gw4 openvpn-vtun0[6800]: 10.20.35.29:49646 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Jul 31 15:26:15 gw4 openvpn-vtun0[6800]: 10.20.35.29:49646 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Jul 31 15:26:15 gw4 openvpn-vtun0[6800]: 10.20.35.29:49646 TLS: Initial packet from [AF_INET]10.20.35.29:49646, sid=c04cb46c e85ac48b
Jul 31 15:26:15 gw4 openvpn-vtun0[6800]: 10.20.35.29:49646 VERIFY OK: depth=1, C=RU, ...
Jul 31 15:26:15 gw4 openvpn-vtun0[6800]: 10.20.35.29:49646 VERIFY OK: depth=0, C=RU, ...
Jul 31 15:26:15 gw4 openvpn-vtun0[6800]: 10.20.35.29:49646 peer info: IV_VER=2.4.7
Jul 31 15:26:15 gw4 openvpn-vtun0[6800]: 10.20.35.29:49646 peer info: IV_PLAT=linux
Jul 31 15:26:15 gw4 openvpn-vtun0[6800]: 10.20.35.29:49646 peer info: IV_PROTO=2
Jul 31 15:26:15 gw4 openvpn-vtun0[6800]: 10.20.35.29:49646 peer info: IV_NCP=2
Jul 31 15:26:15 gw4 openvpn-vtun0[6800]: 10.20.35.29:49646 peer info: IV_LZ4=1
Jul 31 15:26:15 gw4 openvpn-vtun0[6800]: 10.20.35.29:49646 peer info: IV_LZ4v2=1
Jul 31 15:26:15 gw4 openvpn-vtun0[6800]: 10.20.35.29:49646 peer info: IV_LZO=1
Jul 31 15:26:15 gw4 openvpn-vtun0[6800]: 10.20.35.29:49646 peer info: IV_COMP_STUB=1
Jul 31 15:26:15 gw4 openvpn-vtun0[6800]: 10.20.35.29:49646 peer info: IV_COMP_STUBv2=1
Jul 31 15:26:15 gw4 openvpn-vtun0[6800]: 10.20.35.29:49646 peer info: IV_TCPNL=1
Jul 31 15:26:15 gw4 openvpn-vtun0[6800]: 10.20.35.29:49646 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Jul 31 15:26:15 gw4 openvpn-vtun0[6800]: 10.20.35.29:49646 [tunnel_Cli50] Peer Connection Initiated with [AF_INET]10.20.35.29:49646
Jul 31 15:26:15 gw4 openvpn-vtun0[6800]: MULTI: new connection by client 'tunnel_Cli50' will cause previous active sessions by this client to be dropped.  Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
Jul 31 15:26:15 gw4 openvpn-vtun0[6800]: MULTI_sva: pool returned IPv4=192.168.100.6, IPv6=(Not enabled)
Jul 31 15:26:15 gw4 openvpn-vtun0[6800]: OPTIONS IMPORT: reading client specific options from: /run/openvpn/ccd/vtun0/tunnel_Cli50
Jul 31 15:26:15 gw4 openvpn-vtun0[6800]: MULTI: Learn: 192.168.100.14 -> tunnel_Cli50/10.20.35.29:49646
Jul 31 15:26:15 gw4 openvpn-vtun0[6800]: MULTI: primary virtual IP for tunnel_Cli50/10.20.35.29:49646: 192.168.100.14
Jul 31 15:26:15 gw4 openvpn-vtun0[6800]: MULTI: internal route 10.50.0.0/16 -> tunnel_Cli50/10.20.35.29:49646
Jul 31 15:26:15 gw4 openvpn-vtun0[6800]: MULTI: Learn: 10.50.0.0/16 -> tunnel_Cli50/10.20.35.29:49646
Jul 31 15:26:15 gw4 openvpn-vtun0[6800]: Data Channel: using negotiated cipher 'AES-256-CBC'
Jul 31 15:26:15 gw4 openvpn-vtun0[6800]: Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Jul 31 15:26:15 gw4 openvpn-vtun0[6800]: Outgoing Data Channel: Using 512 bit message hash 'SHA512' for HMAC authentication
Jul 31 15:26:15 gw4 openvpn-vtun0[6800]: Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
Jul 31 15:26:15 gw4 openvpn-vtun0[6800]: Incoming Data Channel: Using 512 bit message hash 'SHA512' for HMAC authentication
Jul 31 15:26:17 gw4 openvpn-vtun0[6800]: tunnel_Cli50/10.20.35.29:49646 PUSH: Received control message: 'PUSH_REQUEST'
Jul 31 15:26:17 gw4 openvpn-vtun0[6800]: tunnel_Cli50/10.20.35.29:49646 SENT CONTROL [tunnel_Cli50]: 'PUSH_REPLY,route 10.206.250.0 255.255.255.0,route 192.168.100.1,topology net30,ping 10,ping-restart 600,ifconfig 192.168.100.14 255.255.255.224,peer-id 0,cipher AES-256-CBC' (status=1)
Jul 31 15:26:27 gw4 openvpn-vtun0[6800]: 10.20.35.29:60148 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Jul 31 15:26:27 gw4 openvpn-vtun0[6800]: 10.20.35.29:60148 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Jul 31 15:26:27 gw4 openvpn-vtun0[6800]: 10.20.35.29:60148 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Jul 31 15:26:27 gw4 openvpn-vtun0[6800]: 10.20.35.29:60148 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Jul 31 15:26:27 gw4 openvpn-vtun0[6800]: 10.20.35.29:60148 TLS: Initial packet from [AF_INET]10.20.35.29:60148, sid=521cd929 00a31cd7
Jul 31 15:26:27 gw4 openvpn-vtun0[6800]: 10.20.35.29:60148 VERIFY OK: depth=1, C=RU, ...
Jul 31 15:26:27 gw4 openvpn-vtun0[6800]: 10.20.35.29:60148 VERIFY OK: depth=0, C=RU, ...
Jul 31 15:26:27 gw4 openvpn-vtun0[6800]: 10.20.35.29:60148 peer info: IV_VER=2.4.7
Jul 31 15:26:27 gw4 openvpn-vtun0[6800]: 10.20.35.29:60148 peer info: IV_PLAT=linux
Jul 31 15:26:27 gw4 openvpn-vtun0[6800]: 10.20.35.29:60148 peer info: IV_PROTO=2
Jul 31 15:26:27 gw4 openvpn-vtun0[6800]: 10.20.35.29:60148 peer info: IV_NCP=2
Jul 31 15:26:27 gw4 openvpn-vtun0[6800]: 10.20.35.29:60148 peer info: IV_LZ4=1
Jul 31 15:26:27 gw4 openvpn-vtun0[6800]: 10.20.35.29:60148 peer info: IV_LZ4v2=1
Jul 31 15:26:27 gw4 openvpn-vtun0[6800]: 10.20.35.29:60148 peer info: IV_LZO=1
Jul 31 15:26:27 gw4 openvpn-vtun0[6800]: 10.20.35.29:60148 peer info: IV_COMP_STUB=1
Jul 31 15:26:27 gw4 openvpn-vtun0[6800]: 10.20.35.29:60148 peer info: IV_COMP_STUBv2=1
Jul 31 15:26:27 gw4 openvpn-vtun0[6800]: 10.20.35.29:60148 peer info: IV_TCPNL=1
Jul 31 15:26:27 gw4 openvpn-vtun0[6800]: 10.20.35.29:60148 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Jul 31 15:26:27 gw4 openvpn-vtun0[6800]: 10.20.35.29:60148 [tunnel_Cli50] Peer Connection Initiated with [AF_INET]10.20.35.29:60148
Jul 31 15:26:27 gw4 openvpn-vtun0[6800]: MULTI: new connection by client 'tunnel_Cli50' will cause previous active sessions by this client to be dropped.  Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.

Log from my OpenVPN server VM (VyOS 1.3.0-rc4):

SENT CONTROL [prlnkshp_Cli50]: 'PUSH_REPLY,route 10.20.250.0 255.255.255.0,route 192.168.100.1,topology net30,ping 10,ping-restart 600,ifconfig 192.168.100.14 255.255.255.224,peer-id 0,cipher aes-256-cbc' (status=1)
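
The client-side check as an added example (not from the post or from OpenVPN's source): a small Python model that compares cipher names as exact, case-sensitive tokens, which is the assumption behind the rc5 failure above, and shows why the rc4 push with lower-case aes-256-cbc passes while the rc5 push with AES-256-CBC does not. The client config is constructed from the EdgeRouter error line; parse_crypto_options, pushed_cipher_allowed and diagnose are hypothetical helpers.

```python
"""Model of the client-side check behind 'pushed cipher not allowed - X not in
Y or Z'. Assumption, not OpenVPN's own code: names are compared as exact
strings, token by token, so 'AES-256-CBC' and 'aes-256-cbc' do not match."""


def parse_crypto_options(config_text):
    """Pick 'cipher' and 'ncp-ciphers' out of an OpenVPN config, skipping comments."""
    opts = {"cipher": "", "ncp-ciphers": ""}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        key, _, value = line.partition(" ")
        if key in opts:
            opts[key] = value.strip()
    return opts


def pushed_cipher_allowed(pushed, cipher, ncp_ciphers, case_sensitive=True):
    """True if the pushed name equals the configured --cipher or one of the
    --ncp-ciphers tokens. case_sensitive=True reproduces the failure on the
    page; False shows what a normalised comparison would accept."""
    allowed = [cipher] + [c for c in ncp_ciphers.split(":") if c]
    if case_sensitive:
        return pushed in allowed
    return pushed.lower() in {c.lower() for c in allowed}


def diagnose(client_config, pushed):
    """Report whether a client with this config accepts the push; on
    rejection, mirror the client log's message and flag case-only misses."""
    o = parse_crypto_options(client_config)
    if pushed_cipher_allowed(pushed, o["cipher"], o["ncp-ciphers"]):
        return f"OK: pushed cipher {pushed} accepted"
    hint = ""
    if pushed_cipher_allowed(pushed, o["cipher"], o["ncp-ciphers"], False):
        hint = " (case-only mismatch: list the exact spelling in ncp-ciphers)"
    return (f"Error: pushed cipher not allowed - {pushed} not in "
            f"{o['cipher']} or {o['ncp-ciphers']}{hint}")


# Constructed client config, reconstructed from the EdgeRouter log line
# "AES-256-CBC not in aes-256-cbc or AES-256-GCM:AES-128-GCM".
CLIENT_CONF = """\
# Encryption options
cipher aes-256-cbc
ncp-ciphers AES-256-GCM:AES-128-GCM
"""

if __name__ == "__main__":
    print(diagnose(CLIENT_CONF, "AES-256-CBC"))  # rc5 push: rejected
    print(diagnose(CLIENT_CONF, "aes-256-cbc"))  # rc4 push: accepted
```

Running diagnose against the two PUSH_REPLY values from the server logs reproduces the rc5 rejection and the rc4 success, so the same check can be pointed at any client config before an upgrade.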

Hi @cubic.
Looks like your VyOS OpenVPN Server was configured with cipher AES-256-CTR, but the Edge Router is not accepting that cipher.
The cipher configuration should match on both sides.