Tim Eggleston
2014-Apr-18 22:53 UTC
tinc 1.1pre10 "failed to decrypt record" on Windows client
Tinc newbie here so apologies if this is obvious or has been discussed already; I did search but couldn't find anything.

I'm testing tinc 1.1pre10 between a Windows 7 client and Linux server. The Linux machine is on the internet and the Windows machine is on my home network behind NAT. I have successfully configured a Linux client on my home network to communicate with the server already so I know the issue isn't the server or my network/NAT config.

When attempting to connect to the server, the Windows client throws a "failed to decrypt record" error (output from tincd -D below). Something instinctive is saying this is a key material problem -- originally I copied and pasted the keys from notepad into my SSH session to transfer them between machines, and I wondered if a non-printable character or a Windows linebreak had snuck in and messed things up. However I've now copied them directly between hosts using pscp.exe so I don't think it can be that. I'm using both RSA and ECDSA keys, and I believe it defaults to ECDSA usage in this version?

Any ideas appreciated! I can provide configs if necessary but this didn't seem like a config problem, per se.

Cheers,

---tim

**********

Output from tincd -D on the Windows machine:

c:\Program Files (x86)\tinc>tincd -D -d 5 -n mesh1
tincd 1.1pre10 (Feb 7 2014 22:45:15) starting, debug level 5
Tap reader running
{2115B7D7-EFBB-468F-89AE-1818CF14091A} (vpn-mesh1) is a Windows tap device
Listening on 0.0.0.0 port 655
Ready
Trying to connect to silverthrone (xxx.xxx.xxx.xxx port 655)
Connected to silverthrone (xxx.xxx.xxx.xxx port 655)
Sending ID to silverthrone (xxx.xxx.xxx.xxx port 655): 0 capricorn 17.3
Sending 17 bytes of metadata to silverthrone (xxx.xxx.xxx.xxx port 655)
Got ID from silverthrone (xxx.xxx.xxx.xxx port 655): 0 silverthrone 17.3
Sending ACK to silverthrone (xxx.xxx.xxx.xxx port 655): 4 655 358 300000c
Sending 18 bytes of metadata to silverthrone (xxx.xxx.xxx.xxx port 655)
Error while decrypting: error:00000000:lib(0):func(0):reason(0)
Failed to decrypt record
Closing connection with silverthrone (xxx.xxx.xxx.xxx port 655)
Could not set up a meta connection to silverthrone

**********
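One way to rule the key-transfer theory above in or out, as an added example that is not part of the original post or of tinc: audit the raw bytes of each copy for a BOM, CRLF line endings and non-printable characters, then compare digests of the copies on both hosts. The sample blobs are constructed, and the variable name and key value in them are assumptions for illustration.

```python
import hashlib

BOM = b"\xef\xbb\xbf"
# Constructed sample laid out like a host file (LF endings); the key is made up.
CLEAN = b"Subnet = 10.0.0.2/32\nECDSAPublicKey = AbCdEfGhIjKlMnOpQrStUvWxYz0123456789+/AA\n"
# Constructed damaged copy: BOM added, CRLF endings, a non-breaking space in the key.
PASTED = (BOM + CLEAN.replace(b"\n", b"\r\n")).replace(b"MnOp", b"Mn\xc2\xa0Op")


def audit_key_bytes(data):
    """Return (problem, line_number) findings for the raw bytes of a key file."""
    findings = []
    if data.startswith(BOM):
        findings.append(("utf8-bom", 1))
        data = data[len(BOM):]
    for lineno, line in enumerate(data.split(b"\n"), start=1):
        if line.endswith(b"\r"):
            findings.append(("crlf", lineno))
            line = line[:-1]
        # Anything outside printable ASCII (tab allowed) is suspicious in key text.
        if any((b < 0x20 and b != 0x09) or b > 0x7E for b in line):
            findings.append(("non-printable-or-non-ascii", lineno))
        if line != line.rstrip(b" \t"):
            findings.append(("trailing-whitespace", lineno))
    return findings


def normalise(data):
    """Drop a leading BOM and convert CRLF to LF; leave everything else alone."""
    if data.startswith(BOM):
        data = data[len(BOM):]
    return data.replace(b"\r\n", b"\n")


def same_key_material(a, b):
    """Classify two copies of a key file read in binary mode."""
    if hashlib.sha256(a).digest() == hashlib.sha256(b).digest():
        return "identical"
    if hashlib.sha256(normalise(a)).digest() == hashlib.sha256(normalise(b)).digest():
        return "line-endings-only"
    return "content-differs"


if __name__ == "__main__":
    for problem, lineno in audit_key_bytes(PASTED):
        print(f"line {lineno}: {problem}")
    print(same_key_material(CLEAN, PASTED))
```

On real hosts, read each file with `open(path, "rb").read()` so the platform does not translate line endings before the check sees them.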
Lance Fredrickson
2014-Apr-18 23:15 UTC
tinc 1.1pre10 "failed to decrypt record" on Windows client
I also have not been able to get Windows clients to play with Linux ones on tinc1.1pre10. I sent an email February 11th describing my issue, to which the maintainer responded. For the time being I'm using 1.1pre9 and hoping the next release is more Windows friendly.

-Lance
Saverio Proto
2014-Apr-22 13:55 UTC
tinc 1.1pre10 "failed to decrypt record" on Windows client
Hello Tim,

can you check on the Linux side with sptps_speed if everything is working as expected?

We expect something like this:

saverio at nockid:~/SORGENTI/tinc$ ./src/sptps_speed 1
Generating keys for 1 seconds: 19194.23 op/s
ECDSA sign for 1 seconds: 18650.55 op/s
ECDSA verify for 1 seconds: 7253.07 op/s
ECDH for 1 seconds: 5441.36 op/s
SPTPS/TCP authenticate for 1 seconds: 2569.20 op/s
SPTPS/TCP transmit for 1 seconds: 1.82 Gbit/s
SPTPS/UDP authenticate for 1 seconds: 2552.64 op/s
SPTPS/UDP transmit for 1 seconds: 1.79 Gbit/s
saverio at nockid:~/SORGENTI/tinc$

Saverio