DTLS not working

Choon Hoe Chua choonhoe at gmail.com
Fri Dec 1 17:44:05 PST 2017 

Here is the output from syslog

Thanks & best regards

- chua

Dec  1 03:16:04 ubuntu ocserv[3531]: sec-mod: using 'radius' authentication to authenticate user (session: N6VkZq)
Dec  1 03:16:24 ubuntu ocserv[3531]: radius-auth: communicating username (chchua) and password
Dec  1 03:16:25 ubuntu ocserv[3528]: main: [::ffff:113.210.110.153]:20200 user disconnected (reason: unspecified, rx: 0, tx: 0)
Dec  1 03:16:26 ubuntu ocserv[3528]: main: [::ffff:113.210.110.153]:1553 user disconnected (reason: unspecified, rx: 0, tx: 0)
Dec  1 03:16:26 ubuntu ocserv[3531]: radius-auth: opening session N6VkZqnPsAlH2uTDE5Mo67OccwK6z1t/Ij6Yj7DSQ/s=
Dec  1 03:16:27 ubuntu ocserv[3531]: sec-mod: initiating session for user 'chchua' (session: N6VkZq)
Dec  1 03:16:27 ubuntu ocserv[3528]: main[chchua]: [::ffff:113.210.110.153]:16524 new user session
Dec  1 03:16:27 ubuntu ocserv[3528]: main[chchua]: [::ffff:113.210.110.153]:16524 user logged in
Dec  1 03:16:27 ubuntu ocserv[3610]: worker[chchua]: ::ffff:113.210.110.153 suggesting DPD of 1800 secs
Dec  1 03:16:27 ubuntu ocserv[3610]: worker[chchua]: ::ffff:113.210.110.153 configured link MTU is 1500
Dec  1 03:16:27 ubuntu ocserv[3610]: worker[chchua]: ::ffff:113.210.110.153 peer's link MTU is 1500
Dec  1 03:16:27 ubuntu ocserv[3610]: worker[chchua]: ::ffff:113.210.110.153 reducing MTU due to TCP MSS to 1375 (from 1500)
Dec  1 03:16:27 ubuntu ocserv[3610]: worker[chchua]: ::ffff:113.210.110.153 sending IPv4 192.168.1.108
Dec  1 03:16:27 ubuntu ocserv[3610]: worker[chchua]: ::ffff:113.210.110.153 adding DNS 8.8.8.8
Dec  1 03:16:27 ubuntu ocserv[3610]: worker[chchua]: ::ffff:113.210.110.153 DTLS ciphersuite: AES128-SHA
Dec  1 03:16:27 ubuntu ocserv[3610]: worker[chchua]: ::ffff:113.210.110.153 DTLS data MTU 1261
Dec  1 03:16:27 ubuntu ocserv[3610]: worker[chchua]: ::ffff:113.210.110.153 Link MTU is 1375 bytes
Dec  1 03:16:27 ubuntu ocserv[3528]: main: [::ffff:113.210.110.153]:2907 user disconnected (reason: unspecified, rx: 0, tx: 0)
Dec  1 03:16:27 ubuntu ocserv[3528]: main[chchua]: [::ffff:113.210.110.153]:16524 main.c:868: bind UDP to [::]:443: Invalid argument
Dec  1 03:16:27 ubuntu ocserv[3528]: main[chchua]: [::ffff:113.210.110.153]:16524 main.c:877: connect UDP socket from [::ffff:113.210.110.153]:56182: Network is unreachable
Dec  1 03:16:28 ubuntu ocserv[3528]: main[chchua]: [::ffff:113.210.110.153]:16524 main.c:868: bind UDP to [::]:443: Invalid argument
Dec  1 03:16:28 ubuntu ocserv[3528]: main[chchua]: [::ffff:113.210.110.153]:16524 main.c:877: connect UDP socket from [::ffff:113.210.110.153]:56182: Network is unreachable
Dec  1 03:16:30 ubuntu ocserv[3528]: main[chchua]: [::ffff:113.210.110.153]:16524 main.c:868: bind UDP to [::]:443: Invalid argument
Dec  1 03:16:30 ubuntu ocserv[3528]: main[chchua]: [::ffff:113.210.110.153]:16524 main.c:877: connect UDP socket from [::ffff:113.210.110.153]:56182: Network is unreachable
Dec  1 03:16:34 ubuntu ocserv[3528]: main[chchua]: [::ffff:113.210.110.153]:16524 main.c:868: bind UDP to [::]:443: Invalid argument
Dec  1 03:16:34 ubuntu ocserv[3528]: main[chchua]: [::ffff:113.210.110.153]:16524 main.c:877: connect UDP socket from [::ffff:113.210.110.153]:56182: Network is unreachable
Dec  1 03:16:42 ubuntu ocserv[3528]: main[chchua]: [::ffff:113.210.110.153]:16524 main.c:868: bind UDP to [::]:443: Invalid argument
Dec  1 03:16:42 ubuntu ocserv[3528]: main[chchua]: [::ffff:113.210.110.153]:16524 main.c:877: connect UDP socket from [::ffff:113.210.110.153]:56182: Network is unreachable


> On 30 Nov 2017, at 10:58 PM, Nikos Mavrogiannopoulos <n.mavrogiannopoulos at gmail.com> wrote:
> 
> On Thu, Nov 30, 2017 at 1:21 AM, Choon Hoe Chua <choonhoe at gmail.com> wrote:
>> “occtl show users” show dtls-cipher as (no-dtls)
>> 
>> I kind of got DTLS working by doing this:
>> 
>> sudo systemctl stop ocserv.socket
>> sudo ocserv -c /etc/ocserv/ocserv.conf
>> 
>> So it seems if I stop ocserv.socket and start ocserv manually then DTLS
>> works.
>> But this does not stick after rebooting.
> 
> Could you increase debugging and send the output that you see
> initially in ocserv (just prior to connection), when started by your
> systemd unit?
> 
> regards,
> Nikos

More information about the openconnect-devel mailing list