I recently swapped my router for an Asus RT-AC1200G+, and since then my VPN to my Synology NAS no longer works via iOS.
Windows works fine, but when I push the same OpenVPN config to my iOS device, I get the error KEV_NEGOTIATE_ERROR.
My successful connection via my Windows 10 device:
Sun Jun 02 11:25:11 2019 Flag 'def1' added to --redirect-gateway (iservice is in use)
Sun Jun 02 11:25:11 2019 OpenVPN 2.4.4 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Sep 26 2017
Sun Jun 02 11:25:11 2019 Windows version 6.2 (Windows 8 or greater) 64bit
Sun Jun 02 11:25:11 2019 library versions: OpenSSL 1.0.2l 25 May 2017, LZO 2.10
Enter Management Password:
Sun Jun 02 11:25:13 2019 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Sun Jun 02 11:25:13 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]PUBLIC IP:1194
Sun Jun 02 11:25:13 2019 UDP link local (bound): [AF_INET][undef]:1194
Sun Jun 02 11:25:13 2019 UDP link remote: [AF_INET]PUBLIC IP:1194
Sun Jun 02 11:25:13 2019 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sun Jun 02 11:26:13 2019 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sun Jun 02 11:26:13 2019 TLS Error: TLS handshake failed
Sun Jun 02 11:26:13 2019 SIGUSR1[soft,tls-error] received, process restarting
Sun Jun 02 11:26:18 2019 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Sun Jun 02 11:26:18 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]PUBLIC IP:1194
Sun Jun 02 11:26:18 2019 UDP link local (bound): [AF_INET][undef]:1194
Sun Jun 02 11:26:18 2019 UDP link remote: [AF_INET]PUBLIC IP:1194
Sun Jun 02 11:26:22 2019 [mynas.nl] Peer Connection Initiated with [AF_INET]LOCAL IP:1194
Sun Jun 02 11:26:23 2019 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Sun Jun 02 11:26:23 2019 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Sun Jun 02 11:26:23 2019 WARNING: cipher with small block size in use, reducing reneg-bytes to 64MB to mitigate SWEET32 attacks.
Sun Jun 02 11:26:23 2019 open_tun
Sun Jun 02 11:26:23 2019 TAP-WIN32 device [Ethernet 3] opened: \\.\Global\{40C4A9B8-E6AD-433F-A215-90562E442A05}.tap
Sun Jun 02 11:26:23 2019 Notified TAP-Windows driver to set a DHCP IP/netmask of 192.168.5.6/255.255.255.252 on interface {40C4A9B8-E6AD-433F-A215-90562E442A05} [DHCP-serv: 192.168.5.5, lease-time: 31536000]
Sun Jun 02 11:26:23 2019 Successful ARP Flush on interface [8] {40C4A9B8-E6AD-433F-A215-90562E442A05}
Sun Jun 02 11:26:23 2019 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sun Jun 02 11:26:28 2019 Initialization Sequence Completed
My OpenVPN config:
dev tun
tls-client
remote PUBLIC IP 1194
# The "float" tells OpenVPN to accept authenticated packets from any address,
# not only the address which was specified in the --remote option.
# This is useful when you are connecting to a peer which holds a dynamic address
# such as a dial-in user or DHCP client.
# (Please refer to the manual of OpenVPN for more information.)
float
# If redirect-gateway is enabled, the client will redirect its
# default network gateway through the VPN.
# It means the VPN connection will firstly connect to the VPN Server
# and then to the internet.
# (Please refer to the manual of OpenVPN for more information.)
redirect-gateway
# dhcp-option DNS: To set primary domain name server address.
# Repeat this option to set secondary DNS server addresses.
dhcp-option DNS 192.168.1.1
mssfix 1100
pull
# If you want to connect by Server's IPv6 address, you should use
# "proto udp6" in UDP mode or "proto tcp6-client" in TCP mode
proto udp
script-security 2
comp-lzo
reneg-sec 0
cipher BF-CBC
auth SHA1
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
......
</ca>
Steps tried:
- Port forward on the Asus router
- Other ports (443 and 1194)
- Firewall disabled on the NAS and the Asus router
- Fresh exports of the configs
- Certificate renewed on the NAS
Again, via my Windows 10 device the VPN does work.
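
The three kinds of WARNING in the Windows log above (no server certificate verification, a 64-bit block cipher, password caching) each trace back to a directive in the posted client config. As an added example that is not part of the original post, this Python script checks a client config for them; the sample config is a constructed subset of the posted one, and the function names and finding codes are hypothetical.

```python
import re

# Constructed sample: a subset of the directives in the client config posted above.
SAMPLE_CONFIG = """\
tls-client
remote PUBLIC_IP 1194
cipher BF-CBC
auth-user-pass
<ca>
......
</ca>
"""

# 64-bit block ciphers; OpenVPN 2.4 logs the SWEET32 warning for these.
SMALL_BLOCK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC"}
# Directives that enable some form of server certificate verification.
SERVER_VERIFY = {"remote-cert-tls", "remote-cert-eku", "verify-x509-name",
                 "ns-cert-type", "tls-verify"}

def parse_directives(text):
    """Map directive name -> argument list, skipping comments and inline <tag> blocks."""
    directives, inline_tag = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if inline_tag:  # inside <ca>...</ca> and similar: skip to the closing tag
            if line == f"</{inline_tag}>":
                inline_tag = None
            continue
        if m := re.fullmatch(r"<([\w-]+)>", line):
            inline_tag = m.group(1)
        elif line and line[0] not in "#;":
            name, *args = line.split()
            directives[name.lstrip("-")] = args
    return directives

def audit(text):
    """Return short codes for the log warnings this client config would trigger."""
    d = parse_directives(text)
    findings = []
    if not SERVER_VERIFY & d.keys():
        findings.append("no-server-cert-verification")
    # Assumption: a client without a cipher line uses the OpenVPN 2.4 default, BF-CBC.
    cipher = (d.get("cipher") or ["BF-CBC"])[0].upper()
    if cipher in SMALL_BLOCK_CIPHERS:
        findings.append(f"small-block-cipher:{cipher}")
    if "auth-user-pass" in d and "auth-nocache" not in d:
        findings.append("password-cached-in-memory")
    return findings
```

A config that carries `remote-cert-tls server`, `cipher AES-256-CBC` and `auth-nocache` returns no findings. A cipher change has to be made on the server as well as in the client config.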