Yealink Forums
T4xG VPN to Watchguard - Printable Version




T4xG VPN to Watchguard - HiBit - 01-25-2015 04:00 AM

Hello,

Did anyone get these devices connected?
I tried several settings in the box, but unfortunately
I didn't get a connection from a T42G or T46G to my
XTM Watchguard (Version 11.9.4)

I saw several error messages:

TLS Error: TLS handshake failed

TLS Error: TLS object -> incoming plaintext read error

TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

VERIFY nsCertType ERROR: /O=WatchGuard_Technologies/OU=Fireware/CN=Fireware_SSLVPN_Server, require nsCertType=SERVER

VERIFY OK: depth=1, /O=WatchGuard_Technologies/OU=Fireware/CN=Fireware_SSLVPN__SN_V1C5000000000_2014-04-06_16:16:09_GMT__CA

TLS: Initial packet from 1.2.3.4:444, sid=c85c67bc fadb0671

TCPv4_CLIENT link remote: 1.2.3.4:444

TCPv4_CLIENT link local: [undef]

TCP connection established with 1.2.3.4:444

(I changed the correct IP above)

Any suggestions to get it working?


RE: T4xG VPN to Watchguard - tsukraw - 01-25-2015 10:40 AM

Are you trying to get the VPN client on the phone itself to connect to the Watchguard SSL?

If so, that is a very interesting idea. I never thought of trying that, but I would be very interested in whether this would work.


RE: T4xG VPN to Watchguard - HiBit - 01-25-2015 05:02 PM

Hi tsukraw,

Yes, why not? The WatchGuard supports openssl. If you connect to the box (https://<yourwatchguardip>:<theportyouconfigured>/sslvpn.html) you can log in to a web interface, where you can download the openssl config file. If you take a look at the configuration file you'll find the CA, the CERT and the KEY.
At this moment, I have figured out the following things, besides extracting the certificates and the key to separate files: the CERT and KEY files have to be named ext_<extension>.CRT and EXT_<extension>.KEY, and it is necessary to create an auth.txt file (maybe this also has to be named auth_<extension>.txt, I didn't test it up to now) with username and password (I saw this somewhere else in one posting). But I didn't get through, the VPN didn't come up. I set up a syslog server to get some more information from the phone, and there I got the error messages I posted before.
I have several customers who will be happy if I solve this.
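
Added example, not part of the original thread and not WatchGuard or Yealink tooling: a Python helper that splits an OpenVPN client config into its inline `<ca>`, `<cert>` and `<key>` blocks and lists the directives that constrain which server certificate the client accepts. In OpenVPN, the client option `ns-cert-type server` is what produces `VERIFY nsCertType ERROR ... require nsCertType=SERVER`; the sample config is constructed, and the inline-block layout of the downloaded file is an assumption.

```python
import re

# Constructed sample in OpenVPN inline-file format (not a real export).
SAMPLE_CONFIG = """\
client
dev tun
proto tcp-client
remote 192.0.2.10 444
ns-cert-type server
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
(constructed placeholder CA)
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
(constructed placeholder client cert)
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
(constructed placeholder key)
-----END PRIVATE KEY-----
</key>
"""

INLINE = re.compile(r"^<(ca|cert|key)>\s*\n(.*?)\n</\1>\s*$", re.S | re.M)
# OpenVPN client options that restrict the acceptable server certificate.
PEER_CHECKS = ("ns-cert-type", "remote-cert-tls", "remote-cert-ku",
               "remote-cert-eku", "verify-x509-name")

def split_config(text):
    """Return (inline PEM blocks by tag, remaining directive lines)."""
    blocks = {m.group(1): m.group(2).strip() + "\n" for m in INLINE.finditer(text)}
    rest = INLINE.sub("", text)
    directives = [ln.strip() for ln in rest.splitlines()
                  if ln.strip() and not ln.lstrip().startswith(("#", ";"))]
    return blocks, directives

def peer_checks(directives):
    """Directives that decide whether the server certificate is accepted."""
    return [d for d in directives if d.split()[0] in PEER_CHECKS]

if __name__ == "__main__":
    blocks, directives = split_config(SAMPLE_CONFIG)
    print("inline blocks:", sorted(blocks))
    print("server-certificate checks:", peer_checks(directives))
```

If `ns-cert-type server` shows up in the list, the client requires the Netscape "server" certificate type on the peer certificate, which matches the failing check in the posted log while the CA at depth=1 verifies OK.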