Bug 471397 - nm-openvpn[15690]: Authenticate/Decrypt packet error: cipher final failed
nm-openvpn[15690]: Authenticate/Decrypt packet error: cipher final failed
Product: Fedora
Classification: Fedora
Component: NetworkManager-openvpn (Show other bugs)
All Linux
medium Severity urgent
: ---
: ---
Assigned To: Dan Williams
Fedora Extras Quality Assurance
Depends On:
  Show dependency treegraph
Reported: 2008-11-13 09:27 EST by Robert Scheck
Modified: 2014-04-06 14:54 EDT (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2008-11-13 09:50:30 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Robert Scheck 2008-11-13 09:27:28 EST
Description of problem:
"nm-openvpn[15690]: Authenticate/Decrypt packet error: cipher final failed" - this always happens for me and the OpenVPN integration is completely useless
for me, as it doesn't work. I digged into and noticed, that I've to configure
the keysize, by putting "--keysize 256" to the command as well.

Version-Release number of selected component (if applicable):

How reproducible:
Everytime, see above.

Actual results:
Unusable OpenVPN integration into NetworkManager

Expected results:
Usable and configurable keysize appended as "--keysize 256" to the openvpn 

Additional info:
I'm also lacking the ability to run an own start/stop (--up/--down) script
for an own firewall explicitly for that connection. Currently, --up seems
to be abused by a network management helper. So fix that crappy idea ASAP,
please! :)
Comment 1 Christoph Höger 2008-11-13 09:50:30 EST

thanks for your bug report, the point is: NetworkManager-openvpn does not (and apparently will never) support _all_ openvpn options. If you need a special option you should consider making a request upstream (networkmanager-list@gnome.org).

I don not know the --keysize argument well, manpage tells that:

              Use care in
              changing a cipher’s default key size.   Many  ciphers  have  not
              been  extensively  cryptanalyzed  with non-standard key lengths,
              and a larger key may offer no real guarantee of greater  securi-
              ty, or may even reduce security.

So I think it's pretty unlikely that this option will make its way in the gui.

The --up script will propably be used, as long as openvpn does not use dbus to talk with NetworkManager.

I'll close that bug with the advice to use plain openvpn if you have to use such special features.
Comment 2 Robert Scheck 2008-11-13 09:53:47 EST
Well, the main problem is, that the concept of NetworkManager-openvpn itself
is broken and wrong. Even the Windows OpenVPN client uses the configuration
file as it is and calls openvpn using the configuration file and doesn't create 
an own one or only appending the parameters to the openvpn call. Very worse to
see that the Linux implementation of a thing is unusable while the Windows one
works fine.
Comment 3 Dan Williams 2008-11-13 09:57:30 EST
Any firewall changes should be done from NetworkManager dispatcher scripts on the 'vpn-up' event.  The VPN connection isn't the only connection, and policy gets applied to the machines *overall* IP configuration based on more than just the vpn connection.
Comment 4 Fedora Update System 2014-03-21 18:50:49 EDT
NetworkManager-openvpn-0.8.1-0.2.git20100609.el6 has been submitted as an update for Fedora EPEL 6.
Comment 5 Fedora Update System 2014-04-06 14:54:00 EDT
NetworkManager-openvpn-0.8.1-0.2.git20100609.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.