[Bug 285340] scp traffic over OpenVPN 2.6.13 with fails with message authentication code incorrect

From: <bugzilla-noreply_at_freebsd.org>
Date: Tue, 11 Mar 2025 22:10:42 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=285340

            Bug ID: 285340
           Summary: scp traffic over OpenVPN 2.6.13 with fails with
                    message authentication code incorrect
           Product: Base System
           Version: 14.1-RELEASE
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: bin
          Assignee: bugs@FreeBSD.org
          Reporter: dvl@FreeBSD.org

With OpenVPN 2.6.13 running on the FreeBSD 14.2 gateway and a FreeBSD 14.1
client, scp traffic fails.

Of note: the gateway mentioned above replaced a unit running FreeBSD
14.0-CURRENT amd64 1400094 and OpenVPN 2.6.8_1 - this configuration worked fine
with all OpenVPN clients.

The scp failure occurs like this:

% scp dan@zuul.vpn:FreeBSD-14.2-RELEASE-amd64-memstick.img .
FreeBSD-14.2-RELEASE-amd64-memstick.img           0%    0     0.0KB/s   --:-
ETAF
ssh_ssh_dispatch_run_fatal: Connection to 10.0.0.10 port 22: message
authentication code incorrect
scp: Connection closed

Interactive ssh sessions work fine.

This is repeatable. Other traffic over the web has similar issues, e.g. Bacula
backups fail with:

SD says - Error: openssl.c:108 TLS read/write failure.: ERR=error:0A000119:SSL
routines::decryption failed or bad record mac FD says - Error: bsock.c:397

Upgrading the hosts to FreeBSD 14.2 solves the problem. I know the fix for me:
I'm going to upgrade to 14.2 anyway. However, knowing the cause of the problem
might be important.

I've tried various MTUs, talked to OpenVPN folks, discussed it on the Bacula
channel.
