Connecting to VPN fails with Watchguard device using OpenVPN
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| openvpn (Ubuntu) | Won't Fix | Undecided | Unassigned | |
Bug Description
Downloaded ovpn file from watchguard device.
Get this error in system logs:
Oct 12 11:38:19 DXXXX nm-openvpn[14241]: OPTIONS ERROR: failed to negotiate cipher with server. Add the server's cipher ('AES-256-CBC') to --data-ciphers (currently 'AES-256-
Using the VPN GUI I:
Went To Advanced -> Security
The Cipher was already set as AES-256-CBC.
Changing the value for Cipher has no impact on the error message. "Tried disable cipher negotiation" but this immediately failed due to:
Options error: Unrecognized option or missing or extra parameter(s) in [CMD-LINE]:1: ncp-disable (2.6_git)
ncp-disable was deprecated in openvpn 2.5 and removed in openvpn 2.6 so I think this flag will never work.
Looking in the .ovpn file it has the following lines:
cipher AES-256-CBC
auth SHA1
ProblemType: Bug
DistroRelease: Ubuntu 22.10
Package: openvpn 2.6.0~git202208
ProcVersionSign
Uname: Linux 5.19.0-19-generic x86_64
NonfreeKernelMo
ApportVersion: 2.23.1-0ubuntu2
Architecture: amd64
CasperMD5CheckR
CurrentDesktop: ubuntu:GNOME
Date: Wed Oct 12 11:34:00 2022
InstallationDate: Installed on 2022-10-11 (0 days ago)
InstallationMedia: Ubuntu 22.10 "Kinetic Kudu" - Beta amd64 (20220927.1)
ProcEnviron:
LANGUAGE=en_GB:en
PATH=(custom, no user)
XDG_RUNTIME_
LANG=en_GB.UTF-8
SHELL=/bin/bash
SourcePackage: openvpn
UpgradeStatus: No upgrade log present (probably fresh install)
Hello John and thanks for your bug report. Can you please explain more precisely what you mean by "VPN GUI"? Is it the GUI of the watchguard device (which, I imagine, is a firewall solution providing VPN access)?
What that error message is telling you is to change the cipher settings on the client side, but it would be better to make the device use a cipher that is supported by default (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). But keep in mind that I'm trying to guess here.
I think this is not a bug in Ubuntu, but a consequence of new defaults requiring more secure encryption. Marking this as Incomplete for now.
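The mismatch described in this thread, as an added example that is not part of the bug report or of OpenVPN: a small Python check that reads a client profile and reports when its `cipher` is not in the `data-ciphers` list the client will offer. The sample profile is constructed (only its `cipher` and `auth` lines come from the report), and the default list is the one quoted in the reply above.

```python
# Added example (not from the bug report): check an OpenVPN client profile
# for the cipher-negotiation mismatch reported above.

# Default data-ciphers list as quoted in the maintainer's reply.
DEFAULT_DATA_CIPHERS = ["AES-256-GCM", "AES-128-GCM", "CHACHA20-POLY1305"]

# Constructed sample profile: only `cipher` and `auth` come from the report.
SAMPLE_PROFILE = """\
client
dev tun
# exported from the VPN appliance
cipher AES-256-CBC
auth SHA1
"""

def parse_profile(text):
    """Map option name -> argument list; a later line overrides an earlier one."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        name, *args = line.split()
        opts[name.lstrip("-")] = args        # accept "--cipher" as well as "cipher"
    return opts

def effective_data_ciphers(opts):
    """Ciphers the client will offer: explicit data-ciphers, else the defaults."""
    if opts.get("data-ciphers"):
        return [c.upper() for c in opts["data-ciphers"][0].split(":") if c]
    return list(DEFAULT_DATA_CIPHERS)

def audit(text):
    """Return a list of findings for the profile text."""
    opts = parse_profile(text)
    offered = effective_data_ciphers(opts)
    findings = []
    if "ncp-disable" in opts:
        findings.append("ncp-disable is not accepted by OpenVPN 2.6; remove it")
    cipher = opts["cipher"][0].upper() if opts.get("cipher") else None
    if cipher and cipher not in offered:
        findings.append(f"cipher {cipher} is not in data-ciphers {':'.join(offered)}")
        # Client-side workaround named in the log message; the reply prefers
        # changing the server to one of the default ciphers instead.
        findings.append("workaround: data-ciphers " + ":".join(offered + [cipher]))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_PROFILE):
        print(finding)
```

Run against the sample, it reports the same mismatch as the log line and prints the `data-ciphers` line that would let the client accept the server's cipher.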