Yealink Forums

Yealink SIP-T22P OpenVPN issue

Hello everyone,

Need help please; I’m trying to connect a Yealink SIP-T22P over OpenVPN with Asterisk. No luck at all. I have enabled the VPN option and uploaded the file. If I use a softphone over OpenVPN from a Mac it works fine. How can I solve this issue?

Many thanks
sathees

vpn.cnf

client
dev tap
proto udp
remote 192.168.1.100 1194 udp
ca /yealink/config/openvpn/keys/ca.crt
cert /yealink/config/openvpn/keys/client-yealink.crt
key /yealink/config/openvpn/keys/client-yealink.key
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
ns-cert-type server
comp-lzo
verb 3
mute 10


server.conf

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
Hi, please make sure "dev" is the same in both vpn.cnf and server.conf.
Do you want to use tun or tap?
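
The check suggested in the reply above, as an added example that is not part of the original thread: it compares the directives that have to agree on both ends of the tunnel. The two configs are abridged from the ones posted above; the MUST_MATCH list and the function names are assumptions of this example.

```python
import re

# Directives that must agree on both ends; a subset chosen for this example.
MUST_MATCH = ("dev", "proto", "comp-lzo", "cipher", "auth")

# Abridged from the vpn.cnf and server.conf posted above.
CLIENT_CONF = """\
client
dev tap
proto udp
remote 192.168.1.100 1194 udp
nobind
comp-lzo
"""
SERVER_CONF = """\
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
keepalive 10 120
comp-lzo
"""

def parse(conf):
    """Map each directive to its argument string, skipping blanks and comments."""
    out = {}
    for line in conf.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        name, _, args = line.partition(" ")
        out.setdefault(name, args.strip())
    return out

def normalise(name, value):
    """Reduce a value to the part both peers share (tap0 -> tap, tcp-client -> tcp)."""
    if value is None:
        return None
    if name == "dev":
        return re.sub(r"\d+$", "", value)
    if name == "proto":
        return re.sub(r"-(client|server)$", "", value)
    return value

def mismatches(client_conf, server_conf):
    """Return (directive, client value, server value) for every disagreement."""
    c, s = parse(client_conf), parse(server_conf)
    pairs = [(n, normalise(n, c.get(n)), normalise(n, s.get(n))) for n in MUST_MATCH]
    return [p for p in pairs if p[1] != p[2]]

if __name__ == "__main__":
    for name, cv, sv in mismatches(CLIENT_CONF, SERVER_CONF):
        print(f"{name}: client={cv!r} server={sv!r}")
```

A directive missing on one side shows up as None, so a comp-lzo line present on only one end is reported as well.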
thank you.
the problem was easy-rsa
Hello again,

I managed to solve the connection issue. After I upload the configuration file and reboot the device, I can’t access the web page for settings. How can I solve this issue?
Many thanks
sathees

These are the logs from openvpn.log

Wed Mar 26 12:06:47 2014 192.168.1.74:1026 TLS: Initial packet from [AF_INET]192.168.1.74:1026, sid=be8c5adc 714c7286
Wed Mar 26 12:06:58 2014 192.168.1.74:1026 TLS: new session incoming connection from [AF_INET]192.168.1.74:1026
Wed Mar 26 12:07:00 2014 192.168.1.74:1026 VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=changeme, CN=changeme, name=changeme, emailAddress=mail@host.domain
Wed Mar 26 12:07:00 2014 192.168.1.74:1026 VERIFY OK: depth=0, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=changeme, CN=client, name=changeme, emailAddress=mail@host.domain
Wed Mar 26 12:07:00 2014 192.168.1.74:1026 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Mar 26 12:07:00 2014 192.168.1.74:1026 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Mar 26 12:07:00 2014 192.168.1.74:1026 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Mar 26 12:07:00 2014 192.168.1.74:1026 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Mar 26 12:07:00 2014 192.168.1.74:1026 TLS: move_session: dest=TM_ACTIVE src=TM_UNTRUSTED reinit_src=1
Wed Mar 26 12:07:00 2014 192.168.1.74:1026 TLS: tls_multi_process: untrusted session promoted to semi-trusted
Wed Mar 26 12:07:01 2014 192.168.1.74:1026 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Wed Mar 26 12:07:01 2014 192.168.1.74:1026 [client] Peer Connection Initiated with [AF_INET]192.168.1.74:1026
Wed Mar 26 12:07:01 2014 client/192.168.1.74:1026 MULTI_sva: pool returned IPv4=10.8.0.10, IPv6=(Not enabled)
Wed Mar 26 12:07:01 2014 client/192.168.1.74:1026 MULTI: Learn: 10.8.0.10 -> client/192.168.1.74:1026
Wed Mar 26 12:07:01 2014 client/192.168.1.74:1026 MULTI: primary virtual IP for client/192.168.1.74:1026: 10.8.0.10
Wed Mar 26 12:07:03 2014 client/192.168.1.74:1026 PUSH: Received control message: 'PUSH_REQUEST'
Wed Mar 26 12:07:03 2014 client/192.168.1.74:1026 send_push_reply(): safe_cap=940
Wed Mar 26 12:07:03 2014 client/192.168.1.74:1026 SENT CONTROL [client]: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0,route 10.0.0.0 255.0.0.0,route 172.16.1.0 255.240.0.0,route 10.8.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.10 10.8.0.9' (status=1)
Wed Mar 26 12:11:03 2014 client/192.168.1.74:1026 [client] Inactivity timeout (--ping-restart), restarting
Wed Mar 26 12:11:03 2014 client/192.168.1.74:1026 SIGUSR1[soft,ping-restart] received, client-instance restarting


This is from the phone log
Mar 26 11:58:57 IPP[303]: IPP <4+warnin>137.470.293:unkown msg,00002006,00000000,00000000
Mar 26 11:58:57 IPP[303]: IPP <4+warnin>137.476.372:unkown msg,00002007,00000000,00000000
Mar 26 11:58:58 AUTP[342]: AUTP<3+error > network isn't complete, sleep 1s!
Mar 26 11:58:59 LIBD[342]: DANY<0+emerg > DANY=3
Mar 26 11:58:59 IPP[303]: IPP <4+warnin>139.347.641:unkown msg,000b0007,ffffffff,00000000
Mar 26 11:59:36 Log [365]: WEB <3+error > NOTE : readlan=[English]
Mar 26 11:59:36 Log [365]: WEB <3+error > NOTE : baklan=[1.English]
Mar 26 11:59:36 Log [365]: WEB <3+error > NOTE : lan=[1.English]
Mar 26 11:59:36 Log [396]: WEB <3+error > NOTE : readlan=[English]
Mar 26 11:59:36 Log [396]: WEB <3+error > NOTE : baklan=[1.English]
Mar 26 11:59:36 Log [396]: WEB <3+error > NOTE : lan=[1.English]
Mar 26 11:59:42 Log [365]: WEB <3+error > NOTE : readlan=[English]
Mar 26 11:59:42 Log [365]: WEB <3+error > NOTE : baklan=[1.English]
Mar 26 11:59:42 Log [365]: WEB <3+error > NOTE : lan=[1.English]
Mar 26 11:59:52 Log [396]: WEB <3+error > NOTE : readlan=[English]
Mar 26 11:59:52 Log [396]: WEB <3+error > NOTE : baklan=[1.English]
Mar 26 11:59:52 Log [396]: WEB <3+error > NOTE : lan=[1.English]
Mar 26 11:59:57 Log [365]: WEB <3+error > NOTE : readlan=[English]
Mar 26 11:59:57 Log [365]: WEB <3+error > NOTE : baklan=[1.English]
Mar 26 11:59:57 Log [365]: WEB <3+error > NOTE : lan=[1.English]
Mar 26 11:59:58 Log [396]: WEB <3+error > NOTE : readlan=[English]
Mar 26 11:59:58 Log [396]: WEB <3+error > NOTE : baklan=[1.English]
Mar 26 11:59:58 Log [396]: WEB <3+error > NOTE : lan=[1.English]
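
One check that can be run on the openvpn.log excerpt in the post above, as an added example that is not part of the original thread: it compares the routes in the PUSH_REPLY line with the address the phone connected from and flags routes whose address has host bits set under its mask. A pushed route that covers the phone's own source address is a possible reason, not a confirmed one, for the phone becoming unreachable on its LAN; the function names and finding labels are assumptions of this example.

```python
import ipaddress
import re

# Two lines copied from the openvpn.log excerpt above, timestamps trimmed.
LOG = (
    "192.168.1.74:1026 [client] Peer Connection Initiated with "
    "[AF_INET]192.168.1.74:1026\n"
    "client/192.168.1.74:1026 SENT CONTROL [client]: 'PUSH_REPLY,"
    "route 192.168.1.0 255.255.255.0,route 10.0.0.0 255.0.0.0,"
    "route 172.16.1.0 255.240.0.0,route 10.8.0.0 255.255.255.0,"
    "topology net30,ping 10,ping-restart 120,"
    "ifconfig 10.8.0.10 10.8.0.9' (status=1)\n"
)

def client_source(log):
    """Address the client connected from, taken from the 'Peer Connection' line."""
    m = re.search(r"Peer Connection Initiated with \[AF_INET\]([\d.]+):\d+", log)
    return ipaddress.ip_address(m.group(1)) if m else None

def pushed_routes(log):
    """(address, netmask) for every 'route' option in the PUSH_REPLY message."""
    m = re.search(r"'PUSH_REPLY,([^']*)'", log)
    routes = []
    for option in (m.group(1).split(",") if m else []):
        parts = option.split()
        if len(parts) >= 3 and parts[0] == "route":
            routes.append((parts[1], parts[2]))
    return routes

def review(log):
    """Flag pushed routes that are malformed or that cover the client's source address."""
    src = client_source(log)
    findings = []
    for addr, mask in pushed_routes(log):
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        if str(net.network_address) != addr:
            findings.append(("host-bits-set", f"{addr} {mask}"))
        if src is not None and src in net:
            findings.append(("covers-client-source", str(net)))
    return findings

if __name__ == "__main__":
    for kind, route in review(LOG):
        print(kind, route)
```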
1. Did you try to enter the webpage later? Can you never enter the webpage?
2. Did you test in another browser?
3. Please make sure "dev" is the same in both vpn.cnf and server.conf. TUN or TAP?
(03-26-2014 11:23 AM) mahan77 wrote:
thank you.
the problem was easy-rsa

Can you please elaborate on that: what was the problem with Easy-RSA?


Thank you.


Best regards,
Sinisa Bandin
(05-23-2014 04:18 PM) siny wrote:
Can you please elaborate on that: what was the problem with Easy-RSA?


Thank you.


Best regards,
Sinisa Bandin

Sorry for the late reply, I was busy with work.

You need public key MD5 for the Yealink phone. The latest easy-rsa uses a different algorithm called sha256. I didn’t know how to change back to MD5. The best way to do this is to use easy-rsa 2.2.0. Use openssl-1.0.0.cnf in your vars file and everything will be OK.

Many thanks
(05-27-2014 12:20 AM) mahan77 wrote:
Sorry for the late reply, I was busy with work.

You need public key MD5 for the Yealink phone. The latest easy-rsa uses a different algorithm called sha256. I didn’t know how to change back to MD5. The best way to do this is to use easy-rsa 2.2.0. Use openssl-1.0.0.cnf in your vars file and everything will be OK.

Many thanks

Thank you for your reply, but...

Actually, I am using easy-rsa 2.0-rc1 (all of the other 20+ keys are made by it so I did not want to change).
in "openssl.cnf" there is this line:
default_md = md5
so I suppose that should be OK, right?

(just to compare, I have downloaded easy-rsa 2.2.2, and there it says "sha256")

It seems I shall wait for the webinar on Wednesday, maybe there will pop up something new: http://forum.yealink.com/forum/showthrea...ht=openvpn


Best regards,
Sinisa Bandin
(05-27-2014 03:51 AM) siny wrote:
Thank you for your reply, but...

Actually, I am using easy-rsa 2.0-rc1 (all of the other 20+ keys are made by it so I did not want to change).
in "openssl.cnf" there is this line:
default_md = md5
so I suppose that should be OK, right?

(just to compare, I have downloaded easy-rsa 2.2.2, and there it says "sha256")

It seems I shall wait for the webinar on Wednesday, maybe there will pop up something new: http://forum.yealink.com/forum/showthrea...ht=openvpn


Best regards,
Sinisa Bandin


Yes! It should be OK. As long as you have this default_md = md5 line in your .cnf it will work.

Many Thanks
Sathees
(05-27-2014 03:56 PM) mahan77 wrote:
Yes! It should be OK. As long as you have this default_md = md5 line in your .cnf it will work.

Many Thanks
Sathees


Well, it is not OK :(

I create the .tar file, as instructed in the docs, go to the Network -> Advanced menu, Browse file, Upload it, get the message "Upload success!", then Enable the VPN, and when I click Confirm, the message says "Please upload VPN config file first!".

I have other clients working with same certificates, using Linux, Android, Mikrotik routers and Windows.


Best regards,
Sinisa Bandin