Bug 471397 - nm-openvpn[15690]: Authenticate/Decrypt packet error: cipher final failed
Summary: nm-openvpn[15690]: Authenticate/Decrypt packet error: cipher final failed
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: NetworkManager-openvpn
Version: rawhide
Hardware: All
OS: Linux
medium
urgent
Target Milestone: ---
Assignee: Dan Williams
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2008-11-13 14:27 UTC by Robert Scheck
Modified: 2014-04-06 18:54 UTC (History)
5 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2008-11-13 14:50:30 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)

Description Robert Scheck 2008-11-13 14:27:28 UTC 
Description of problem:
"nm-openvpn[15690]: Authenticate/Decrypt packet error: cipher final failed" - this always happens for me and the OpenVPN integration is completely useless
for me, as it doesn't work. I digged into and noticed, that I've to configure
the keysize, by putting "--keysize 256" to the command as well.

Version-Release number of selected component (if applicable):
NetworkManager-openvpn-0.7.0-16.svn4229.fc10

How reproducible:
Everytime, see above.

Actual results:
Unusable OpenVPN integration into NetworkManager

Expected results:
Usable and configurable keysize appended as "--keysize 256" to the openvpn 
command.

Additional info:
I'm also lacking the ability to run an own start/stop (--up/--down) script
for an own firewall explicitly for that connection. Currently, --up seems
to be abused by a network management helper. So fix that crappy idea ASAP,
please! :)
Comment 1 Christoph Höger 2008-11-13 14:50:30 UTC 
Hi,

thanks for your bug report, the point is: NetworkManager-openvpn does not (and apparently will never) support _all_ openvpn options. If you need a special option you should consider making a request upstream (networkmanager-list).

I don not know the --keysize argument well, manpage tells that:

              Use care in
              changing a cipher’s default key size.   Many  ciphers  have  not
              been  extensively  cryptanalyzed  with non-standard key lengths,
              and a larger key may offer no real guarantee of greater  securi-
              ty, or may even reduce security.

So I think it's pretty unlikely that this option will make its way in the gui.

The --up script will propably be used, as long as openvpn does not use dbus to talk with NetworkManager.

I'll close that bug with the advice to use plain openvpn if you have to use such special features.
Comment 2 Robert Scheck 2008-11-13 14:53:47 UTC 
Well, the main problem is, that the concept of NetworkManager-openvpn itself
is broken and wrong. Even the Windows OpenVPN client uses the configuration
file as it is and calls openvpn using the configuration file and doesn't create 
an own one or only appending the parameters to the openvpn call. Very worse to
see that the Linux implementation of a thing is unusable while the Windows one
works fine.
Comment 3 Dan Williams 2008-11-13 14:57:30 UTC 
Any firewall changes should be done from NetworkManager dispatcher scripts on the 'vpn-up' event.  The VPN connection isn't the only connection, and policy gets applied to the machines *overall* IP configuration based on more than just the vpn connection.
Comment 4 Fedora Update System 2014-03-21 22:50:49 UTC 
NetworkManager-openvpn-0.8.1-0.2.git20100609.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/NetworkManager-openvpn-0.8.1-0.2.git20100609.el6
Comment 5 Fedora Update System 2014-04-06 18:54:00 UTC 
NetworkManager-openvpn-0.8.1-0.2.git20100609.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.