Updated on 2025-05-14 GMT+08:00

The Client Log Contains "Session invalidated: DECRYPT_ERROR"

Applicable Client

Windows OpenVPN Connect

Symptom

The connection is successful but is interrupted within 1 second. This process repeats continuously, and the following error information is recorded in the client log:

Session invalidated: DECRYPT_ERROR

Possible Causes

The cipher suite of the client does not match that of the server.

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner and select the desired region and project.
  3. Click in the upper left corner, and choose Networking > Virtual Private Network.
  4. In the navigation pane on the left, choose Virtual Private Network > Enterprise – VPN Gateways.
  5. Click the P2C VPN Gateways tab. In the P2C VPN gateway list, locate the target P2C VPN gateway, and click View Server in the Operation column.
  6. On the Server tab page, view the encryption algorithm and authentication algorithm of the server in the Advanced Settings area.
  7. Check the data-ciphers and auth parameters in the client configuration file. An example is as follows:
    ...
    data-ciphers AES-XXX-GCM     # Encryption algorithm
    auth SHAXXX      # Authentication algorithm
    ...
    If the parameter settings in the client configuration file are inconsistent with the actual configuration of the server, use either of the following methods to rectify the fault:
    • Method 1: Change the encryption algorithm of the server.
      1. On the Server tab page, click next to Advanced Settings, and change the encryption algorithm.
      2. Download the new client configuration file.

        The downloaded client configuration file is client_config.zip.

      3. Decompress client_config.zip to a specified directory, for example, D:\.

        After the decompression, the client_config.ovpn and client_config.conf files are generated.

      4. Open the client_config.ovpn file using Notepad or Notepad++.
      5. Add the client certificate and private key to the file.
        Enter the client certificate content between the <cert></cert> tags and the corresponding private key between the <key></key> tags. An example is as follows:
        <cert>
        -----BEGIN CERTIFICATE-----
        Client certificate content
        -----END CERTIFICATE-----
        </cert>
        
        <key>
        -----BEGIN PRIVATE KEY-----
        Client private key
        -----END PRIVATE KEY-----
        </key>
      6. Save the .ovpn configuration file.
    • Method 2: Modify the client configuration file.
      1. Open the client_config.ovpn file using Notepad or Notepad++.
      2. Modify the data-ciphers and auth parameters.
        ...
        data-ciphers AES-XXX-GCM      # The configured encryption algorithm must be the same as that of the server.
        auth SHAXXX           # The configured authentication algorithm must be the same as that of the server.
        ...
      3. Save the .ovpn configuration file.
  8. Start the OpenVPN Connect client.
  9. Import the new client configuration file.
  10. Use the client to reconnect to the VPN gateway.
  11. Press Win+R and enter cmd to open the command window.
  12. Ping the ECS to be connected. XX.XX.XX.XX indicates the private IP address of the ECS; replace it with the actual private IP address.

    If information similar to the following is displayed, the client can communicate with the ECS:

    64 bytes from XX.XX.XX.XX: icmp_seq=1 ttl=63 time=1.27 ms
    64 bytes from XX.XX.XX.XX: icmp_seq=2 ttl=63 time=1.36 ms
    64 bytes from XX.XX.XX.XX: icmp_seq=3 ttl=63 time=1.40 ms
    64 bytes from XX.XX.XX.XX: icmp_seq=4 ttl=63 time=1.29 ms
    64 bytes from XX.XX.XX.XX: icmp_seq=5 ttl=63 time=1.35 ms
    64 bytes from XX.XX.XX.XX: icmp_seq=6 ttl=63 time=1.52 ms
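
The comparison of the data-ciphers and auth parameters against the server settings can be scripted. The following Python sketch is an added example, not part of the original page or of any Huawei or OpenVPN tooling; the function names and the sample file content are constructed for illustration. It assumes that a colon-separated data-ciphers list matches when it contains the server's encryption algorithm.

```python
import re

# Constructed sample of a client_config.ovpn file (not from a real gateway).
SAMPLE_OVPN = """\
client
# data-ciphers AES-256-GCM   (commented out, must be ignored)
data-ciphers AES-128-GCM:AES-256-GCM   # Encryption algorithm
auth SHA256      # Authentication algorithm
<cert>
auth SHA1  (constructed filler: text inside inline blocks is not a directive)
</cert>
"""

def parse_crypto_settings(ovpn_text):
    """Return {'data-ciphers': [...], 'auth': str or None} from .ovpn text."""
    settings = {"data-ciphers": [], "auth": None}
    block = None  # name of the inline <cert>/<key>/<ca> block we are inside
    for raw in ovpn_text.splitlines():
        line = raw.strip()
        if block:  # skip certificate/key material until the closing tag
            if line == f"</{block}>":
                block = None
            continue
        opened = re.fullmatch(r"<([A-Za-z0-9-]+)>", line)
        if opened:
            block = opened.group(1)
            continue
        line = re.split(r"[#;]", line, maxsplit=1)[0].strip()  # drop # and ; comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "data-ciphers":
            settings["data-ciphers"] = [c.upper() for c in parts[1].split(":")]
        elif len(parts) >= 2 and parts[0] == "auth":
            settings["auth"] = parts[1].upper()
    return settings

def find_mismatches(ovpn_text, server_cipher, server_auth):
    """List differences between the client file and the server's settings."""
    s = parse_crypto_settings(ovpn_text)
    problems = []
    if server_cipher.upper() not in s["data-ciphers"]:
        problems.append(f"data-ciphers {s['data-ciphers']} lacks {server_cipher}")
    if s["auth"] != server_auth.upper():
        problems.append(f"auth is {s['auth']}, server uses {server_auth}")
    return problems

if __name__ == "__main__":
    # Server values here are constructed; use the ones shown on the Server tab page.
    for p in find_mismatches(SAMPLE_OVPN, "AES-256-GCM", "SHA384"):
        print("MISMATCH:", p)
```

An empty result means the client file agrees with the algorithms entered for the server; any listed mismatch points to the parameter to correct using Method 1 or Method 2.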

If the problem persists, submit a service ticket to contact Huawei technical support.