OpenVPN Error with PfSense - Printable Version

OpenVPN Error with PfSense - Printable Version

+- Yealink Forums (http://forum.yealink.com/forum)
+-- Forum: IP Phone Series (/forumdisplay.php?fid=4)
+--- Forum: Phone specific topic (/forumdisplay.php?fid=12)
+---- Forum: T3xP Series (/forumdisplay.php?fid=22)
+---- Thread: OpenVPN Error with PfSense (/showthread.php?tid=1007)

Pages: 1 2

OpenVPN Error with PfSense - Peleska - 11-08-2013 05:43 AM

Hi Guys,
I am using PFsense with a Yealink-T38G, Firmware 38.70.150.2.
I Created the Pfsense Side according to the Yealink Documentation, with the Wizard and with sscardefield´s really,really Great Documentation - but nothing works.
I have even reinstalled Pfsense from Scratch....

I have found three things which doesnt´t work if you use the Export Utility
1. You have to unpack and repack the generated client.tar with 7zip on Windows - if you don´t your Phone wouldn´t import the File.
2. If you leave the Line "verify-x509-name PhoneServer name" in the generated vpn.cnf the Phone can´t import the file either.
3. There seems to be a problem with the generated Certificates, the Phone (If you set Phone >Configuration > Log Level to 6 you get a usable Logfile which you can export)
It shows the following Error:
Nov 7 21:20:48 openvpn[289]: IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Nov 7 21:20:48 openvpn[289]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Nov 7 21:20:48 openvpn[289]: Re-using SSL/TLS context
Nov 7 21:20:48 openvpn[289]: LZO compression initialized
Nov 7 21:20:48 openvpn[289]: UDPv4 link local (bound): [undef]:1194
Nov 7 21:20:48 openvpn[289]: UDPv4 link remote: 213.221.100.187:1194
Nov 7 21:20:48 openvpn[289]: VERIFY ERROR: depth=1, error=certificate signature failure: /C=DE/ST=Hessen/L=Floersheim/O=Lorenzgroup/emailAddress=support@lorenzgroup.com/CN=PhoneCA
Nov 7 21:20:48 openvpn[289]: TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Nov 7 21:20:48 openvpn[289]: TLS Error: TLS object -> incoming plaintext read error
Nov 7 21:20:48 openvpn[289]: TLS Error: TLS handshake failed

IOS, Android and PC Clients connect without Problems,i am now really out of Ideas - Anybody else please?!

RE: OpenVPN Error with PfSense - Yealink Support - 11-08-2013 11:00 AM

Hi Peleska,

It seems that your certificate has something wrong. Is it out of date?

RE: OpenVPN Error with PfSense - Peleska - 11-09-2013 04:42 AM

(11-08-2013 11:00 AM)Yealink Support Wrote: Hi Peleska,

It seems that your certificate has something wrong. Is it out of date?

Hi Support,
I don´t think so because other Devices like Iphones or Android devices user those Certs without any Problem to connect to the Openvpn Server?!
I am using the following Versions on the Server side:
pfSense:
2.1-RELEASE (i386)
built on Wed Sep 11 18:16:22 EDT 2013
FreeBSD 8.3-RELEASE-p11

Export Package: 1.1.3.
I tried T-38G Firmware .150 and .236.

Maybe you could provide with an Updated Howto or Manual or something?!

I´d really appreciate your Help, so thanks in Advance:

CA Cert:
-----BEGIN CERTIFICATE-----
MIIEZzCCA0+gAwIBAgIBADANBgkqhkiG9w0BAQsFADCBgzELMAkGA1UEBhMCREUx
DzANBgNVBAgTBkhlc3NlbjETMBEGA1UEBxMKRmxvZXJzaGVpbTEUMBIGA1UEChML
TG9yZW56Z3JvdXAxJjAkBgkqhkiG9w0BCQEWF3N1cHBvcnRAbG9yZW56Z3JvdXAu
Y29tMRAwDgYDVQQDEwdQaG9uZUNBMB4XDTEzMTEwNzIxMDEyNloXDTIzMTEwNTIx
MDEyNlowgYMxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZIZXNzZW4xEzARBgNVBAcT
CkZsb2Vyc2hlaW0xFDASBgNVBAoTC0xvcmVuemdyb3VwMSYwJAYJKoZIhvcNAQkB
FhdzdXBwb3J0QGxvcmVuemdyb3VwLmNvbTEQMA4GA1UEAxMHUGhvbmVDQTCCASIw
DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANvDRhr7xVivnaaoFhpoj5n1YxDS
a6GbzA7hydDcU0FwcuhzjluclhsGXBVb8n+CKmzVjaI3un/KG+zGaM787K6lXeHl
a0TyjwUTln6Dl6Aru/LFPASMcPhRZkKeLHAElXU8L+HC6TiY4u8sDDcYhPRpCyN5
o8CrX/m5EpiQNNWnzoP1vWfg05HLXYgJ9rRXgAs1XreHpCWpQx1rCgH5T4q9Usbq
XAB7S7Rv/gqz72bUDxnBTbQLsN86pUaAQhcPFZRBdCLNI1nX9HR6/UjxeBfpVzOK
J2KkUJPQs7TSvmHfk2AVQcl5Qn0he6D/uNWf1zl4q34wajpKRh1hMweSY+kCAwEA
AaOB4zCB4DAdBgNVHQ4EFgQU9pZNL1qdsMZXm1IIg6Y7G9TF57gwgbAGA1UdIwSB
qDCBpYAU9pZNL1qdsMZXm1IIg6Y7G9TF57ihgYmkgYYwgYMxCzAJBgNVBAYTAkRF
MQ8wDQYDVQQIEwZIZXNzZW4xEzARBgNVBAcTCkZsb2Vyc2hlaW0xFDASBgNVBAoT
C0xvcmVuemdyb3VwMSYwJAYJKoZIhvcNAQkBFhdzdXBwb3J0QGxvcmVuemdyb3Vw
LmNvbTEQMA4GA1UEAxMHUGhvbmVDQYIBADAMBgNVHRMEBTADAQH/MA0GCSqGSIb3
DQEBCwUAA4IBAQC/IsfyX5id+Tny+nBhAgv+YJ3soNVyXRUFwsQzh8yQKdJ9X9lJ
poYoFb7OhKnc9eSy1xr/OTcR88RdloRclS+9qI9w8hf2dEROQ94Zp7k90v3yTMzf
EYm4rvm5dXyOp2n39JgoiLqK8FjgcHa7x4HxqRMBreWZG2HdjBGEcaa2XmbgSC6K
+qLGRNurbof+UiENqV9NFUB0jbgcStrSDzvkpMCxkHBkPXgYXinVDuXcKfPF+rzH
9X9cb+OA2fDizKvZA+ql4vfGCW4eyZx2yIDX17N3UQRSFL2N7TzkwKmVrvQlym8G
j+0l6uR6j8JRoeKFsVF9TVkXVrYk+/bN3eHQ
-----END CERTIFICATE-----

Client Cert:
-----BEGIN CERTIFICATE-----
MIIEmjCCA4KgAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBgzELMAkGA1UEBhMCREUx
DzANBgNVBAgTBkhlc3NlbjETMBEGA1UEBxMKRmxvZXJzaGVpbTEUMBIGA1UEChML
TG9yZW56Z3JvdXAxJjAkBgkqhkiG9w0BCQEWF3N1cHBvcnRAbG9yZW56Z3JvdXAu
Y29tMRAwDgYDVQQDEwdQaG9uZUNBMB4XDTEzMTEwNzIxMDIyOFoXDTIzMTEwNTIx
MDIyOFowgYQxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZIZXNzZW4xEzARBgNVBAcT
CkZsb2Vyc2hlaW0xFDASBgNVBAoTC0xvcmVuemdyb3VwMSYwJAYJKoZIhvcNAQkB
FhdzdXBwb3J0QGxvcmVuemdyb3VwLmNvbTERMA8GA1UEAxMIWWVhbGluazEwggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC1xK3YoiBHmiIjHXvwaln0giD4
veNVLiWCjscaymqXXYwT8NLXewaoxZ525NayoconqoB7TUi64jzxAiyNviI5MY9I
35QOYyAMNmARrrhUmliOY7l9vUFL4WKrbdgN4HbDhQAPuIAQ+ZCDZIAprdElZPnV
UoZL7ILblz8ZBLMAZE/bKpQ4psIUVdK7827Ax3U867HFbZxIZdr0Fe1ZgYF7Xnct
4XnIlaKaZ6i+xKB/5UDdQktPXf6Kg+XOc+gq54ZKzhniBPbc6GDHNRonqMgE2ihM
AwjZKt6Su2Gg7lxoUGDsYFY7ibCDGNI15gypAXUxyBCeGFQ4JbNGZqtY/qbjAgMB
AAGjggEUMIIBEDAJBgNVHRMEAjAAMDEGCWCGSAGG+EIBDQQkFiJPcGVuU1NMIEdl
bmVyYXRlZCBVc2VyIENlcnRpZmljYXRlMB0GA1UdDgQWBBTEyHv0816jLzWuDGzy
A7ZHZ47MHjCBsAYDVR0jBIGoMIGlgBT2lk0vWp2wxlebUgiDpjsb1MXnuKGBiaSB
hjCBgzELMAkGA1UEBhMCREUxDzANBgNVBAgTBkhlc3NlbjETMBEGA1UEBxMKRmxv
ZXJzaGVpbTEUMBIGA1UEChMLTG9yZW56Z3JvdXAxJjAkBgkqhkiG9w0BCQEWF3N1
cHBvcnRAbG9yZW56Z3JvdXAuY29tMRAwDgYDVQQDEwdQaG9uZUNBggEAMA0GCSqG
SIb3DQEBCwUAA4IBAQBvcwbtea5bpUnx7cK9AqcvSrqurMp9BKBnYKjk5os0A4rm
kjkwOTxxo/vU9skxTLaKNUua4+/9bvsT9eNDOz/evEl4MoU8fjQTw3GOu3wi+xdC
QpOpaAfWXPcTaf3tqNxCzWufA29hrDKc1+9i2gkcPOvX3GwoLFbnbcWa382eHYoG
35abaikKwmgc219FwG2DJXkA7+HUn2amm/C52AEZfpFYRCVVBHeHYJwYGD3zDG6I
jZyUWhVPwvBRadRU6zOOsAzzheREfiwSOQdUPJ9ES9N+koOkTac6nvcGxuvrARpO
oH5nGhs8pvHGIzow2+OFY8zxSyCzxCzrwVElq0fb
-----END CERTIFICATE-----

RE: OpenVPN Error with PfSense - Yealink Support - 11-11-2013 04:13 PM

Hi Peleska,

Maybe you lost some settings in OpenVPN?
Please refer to the below guide.
http://www.yealink.com/Upload/T4X/GA/OpenVPN_Feature_on_Yealink_IP_Phones(Linux_Windows)_V71.pdf

RE: OpenVPN Error with PfSense - Yealink Support - 11-11-2013 04:25 PM

Hi Peleska,

I find the Signature hash algorithm of your ca.crt is sha256. We just support "sha1" and "md5".
So please change the Signature hash algorithm and test again.

RE: OpenVPN Error with PfSense - davidpablo - 02-20-2014 11:29 PM

Hello i have the same problem any guy have solution to connect to pfsense 2.1 to yealink phones?

RE: OpenVPN Error with PfSense - Yealink Support - 02-24-2014 03:10 PM

(02-20-2014 11:29 PM)davidpablo Wrote: Hello i have the same problem any guy have solution to connect to pfsense 2.1 to yealink phones?

Hi davidpablo,

Do you check your Signature hash algorithm of your ca.crt ?
"I find the Signature hash algorithm of your ca.crt is sha256. We just support "sha1" and "md5".
So please change the Signature hash algorithm and test again."

RE: OpenVPN Error with PfSense - davidpablo - 02-24-2014 03:37 PM

yes it is sha1 i build ca, server and phone using sha1 only

RE: OpenVPN Error with PfSense - Yealink Support - 03-04-2014 11:34 AM

Hi davidpablo,

Do you follow openvpn user guide in post #5 ?
Can you post your server.conf,vpn.cnf for me?

RE: OpenVPN Error with PfSense - mahan77 - 03-26-2014 11:20 AM

i hade same issue with easy-rsa-2.2.2
but i will able to connect with easy-rsa-2.2.0