OpenVPN Error with PfSense - Yealink Forums

OpenVPN Error with PfSense - Peleska - 11-08-2013 05:43 AM

Hi Guys,

I am using pfSense with a Yealink-T38G, firmware 38.70.150.2. I created the pfSense side according to the Yealink documentation, with the wizard and with sscardefield's really, really great documentation, but nothing works. I have even reinstalled pfSense from scratch.

I have found three things which don't work if you use the Export Utility:

1. You have to unpack and repack the generated client.tar with 7zip on Windows; if you don't, your phone won't import the file.
2. If you leave the line "verify-x509-name PhoneServer name" in the generated vpn.cnf, the phone can't import the file either.
3. There seems to be a problem with the generated certificates. The phone (if you set Phone > Configuration > Log Level to 6, you get a usable logfile which you can export) shows the following error:

Nov 7 21:20:48 openvpn[289]: IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Nov 7 21:20:48 openvpn[289]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Nov 7 21:20:48 openvpn[289]: Re-using SSL/TLS context
Nov 7 21:20:48 openvpn[289]: LZO compression initialized
Nov 7 21:20:48 openvpn[289]: UDPv4 link local (bound): [undef]:1194
Nov 7 21:20:48 openvpn[289]: UDPv4 link remote: 213.221.100.187:1194
Nov 7 21:20:48 openvpn[289]: VERIFY ERROR: depth=1, error=certificate signature failure: /C=DE/ST=Hessen/L=Floersheim/O=Lorenzgroup/emailAddress=support@lorenzgroup.com/CN=PhoneCA
Nov 7 21:20:48 openvpn[289]: TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Nov 7 21:20:48 openvpn[289]: TLS Error: TLS object -> incoming plaintext read error
Nov 7 21:20:48 openvpn[289]: TLS Error: TLS handshake failed

iOS, Android and PC clients connect without problems. I am now really out of ideas. Anybody else, please?!

RE: OpenVPN Error with PfSense - Yealink Support - 11-08-2013 11:00 AM

Hi Peleska,

It seems that your certificate has something wrong. Is it out of date?

RE: OpenVPN Error with PfSense - Peleska - 11-09-2013 04:42 AM

(11-08-2013 11:00 AM) Yealink Support Wrote: Hi Peleska,

Hi Support,

I don't think so, because other devices like iPhones or Android devices use those certs without any problem to connect to the OpenVPN server?!

I am using the following versions on the server side:

pfSense: 2.1-RELEASE (i386) built on Wed Sep 11 18:16:22 EDT 2013
FreeBSD 8.3-RELEASE-p11
Export Package: 1.1.3

I tried T-38G firmware .150 and .236. Maybe you could provide an updated howto or manual or something?!
I'd really appreciate your help, so thanks in advance:

CA Cert: [PEM certificate omitted]
Client Cert: [PEM certificate omitted]

RE: OpenVPN Error with PfSense - Yealink Support - 11-11-2013 04:13 PM

Hi Peleska,

Maybe you lost some settings in OpenVPN? Please refer to the below guide.
http://www.yealink.com/Upload/T4X/GA/OpenVPN_Feature_on_Yealink_IP_Phones(Linux_Windows)_V71.pdf

RE: OpenVPN Error with PfSense - Yealink Support - 11-11-2013 04:25 PM

Hi Peleska,

I find the Signature hash algorithm of your ca.crt is sha256. We just support "sha1" and "md5". So please change the Signature hash algorithm and test again.
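
The check Yealink Support describes above, as an added example (not part of the original thread, and not Yealink or pfSense code): a dependency-free Python parser that reads the signature algorithm OID from a PEM or DER certificate and reports whether its digest is in the sha1/md5 set the phone is said to accept. The function names and the `skeleton_cert` sample input are constructed for illustration.

```python
import base64
import re

# PKCS#1 RSA signature OIDs mapped to the digest each one uses.
RSA = "1.2.840.113549.1.1."
SIG_OIDS = {RSA + "4": "md5", RSA + "5": "sha1", RSA + "11": "sha256",
            RSA + "12": "sha384", RSA + "13": "sha512"}
PHONE_SUPPORTED = {"sha1", "md5"}  # per the Yealink Support reply in this thread
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def decode_oid(raw):
    """Decode OID content bytes into dotted form (first arc 0 or 1)."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear ends this arc
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def signature_digest(cert_bytes):
    """Return the digest name (or the raw OID) of a PEM or DER certificate's signature."""
    m = PEM_RE.search(cert_bytes)
    der = base64.b64decode(m.group(1)) if m else cert_bytes
    outer_tag, start, _ = read_tlv(der, 0)          # Certificate SEQUENCE
    _, _, tbs_end = read_tlv(der, start)            # skip over tbsCertificate
    _, alg_start, _ = read_tlv(der, tbs_end)        # signatureAlgorithm SEQUENCE
    oid_tag, oid_start, oid_end = read_tlv(der, alg_start)
    if outer_tag != 0x30 or oid_tag != 0x06:
        raise ValueError("not an X.509 certificate")
    oid = decode_oid(der[oid_start:oid_end])
    return SIG_OIDS.get(oid, oid)

def phone_can_verify(cert_bytes):
    return signature_digest(cert_bytes) in PHONE_SUPPORTED

def skeleton_cert(oid):
    """Constructed sample: certificate-shaped DER with empty TBS and signature."""
    body = (b"\x30\x00" + bytes([0x30, len(oid) + 4, 0x06, len(oid)]) + oid
            + b"\x05\x00\x03\x01\x00")
    return bytes([0x30, len(body)]) + body
```

Pass the bytes of the exported ca.crt and client certificate to `phone_can_verify` before loading them onto the phone. A CA re-issued with SHA-1 to satisfy the firmware is best kept dedicated to the phone VPN, since SHA-1 and MD5 signatures are no longer collision-resistant.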

RE: OpenVPN Error with PfSense - davidpablo - 02-20-2014 11:29 PM

Hello, I have the same problem. Does any guy have a solution to connect pfSense 2.1 to Yealink phones?

RE: OpenVPN Error with PfSense - Yealink Support - 02-24-2014 03:10 PM

(02-20-2014 11:29 PM) davidpablo Wrote: Hello, I have the same problem. Does any guy have a solution to connect pfSense 2.1 to Yealink phones?

Hi davidpablo,

Did you check the Signature hash algorithm of your ca.crt?

"I find the Signature hash algorithm of your ca.crt is sha256. We just support "sha1" and "md5". So please change the Signature hash algorithm and test again."

RE: OpenVPN Error with PfSense - davidpablo - 02-24-2014 03:37 PM

Yes, it is sha1. I build CA, server and phone using sha1 only.

RE: OpenVPN Error with PfSense - Yealink Support - 03-04-2014 11:34 AM

Hi davidpablo,

Did you follow the OpenVPN user guide in post #5? Can you post your server.conf and vpn.cnf for me?

RE: OpenVPN Error with PfSense - mahan77 - 03-26-2014 11:20 AM

I had the same issue with easy-rsa-2.2.2, but I was able to connect with easy-rsa-2.2.0.