Yealink Forums
VPN on T22 - Printable Version




VPN on T22 - tbolick - 07-16-2013 01:00 AM

I cannot seem to get the VPN working on my T22Ps.

Here is the server openvpn log:
OpenVPN 2.2.1 x86_64-redhat-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] built on Sep 12 2011
Mon Jul 15 12:45:01 2013 us=242541 WARNING: --ifconfig-pool-persist will not work with --duplicate-cn
Mon Jul 15 12:45:01 2013 us=242606 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mon Jul 15 12:45:01 2013 us=304143 Diffie-Hellman initialized with 2048 bit key
Mon Jul 15 12:45:01 2013 us=513480 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Mon Jul 15 12:45:01 2013 us=513520 Socket Buffers: R=[245760->131072] S=[245760->131072]
Mon Jul 15 12:45:01 2013 us=513639 ROUTE: default_gateway=UNDEF
Mon Jul 15 12:45:01 2013 us=513846 TUN/TAP device tun1 opened
Mon Jul 15 12:45:01 2013 us=513865 TUN/TAP TX queue length set to 100
Mon Jul 15 12:45:01 2013 us=513902 /sbin/ip link set dev tun1 up mtu 1500
Mon Jul 15 12:45:01 2013 us=543602 /sbin/ip addr add dev tun1 local 10.8.0.1 peer 10.8.0.2
Mon Jul 15 12:45:01 2013 us=544517 /sbin/ip route add 10.8.0.0/24 via 10.8.0.2
Mon Jul 15 12:45:01 2013 us=545170 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Mon Jul 15 12:45:01 2013 us=545771 GID set to nobody
Mon Jul 15 12:45:01 2013 us=545841 UID set to nobody
Mon Jul 15 12:45:01 2013 us=545874 UDPv4 link local (bound): zz.zz.zzz.zzz:1194
Mon Jul 15 12:45:01 2013 us=545885 UDPv4 link remote: [undef]
Mon Jul 15 12:45:01 2013 us=545900 MULTI: multi_init called, r=256 v=256
Mon Jul 15 12:45:01 2013 us=545968 IFCONFIG POOL: base=10.8.0.4 size=62
Mon Jul 15 12:45:01 2013 us=545994 IFCONFIG POOL LIST
Mon Jul 15 12:45:01 2013 us=546027 Initialization Sequence Completed
Mon Jul 15 12:46:19 2013 us=504457 MULTI: multi_create_instance called
Mon Jul 15 12:46:19 2013 us=504531 XX.XX.XXX.XXX:1081 Re-using SSL/TLS context
Mon Jul 15 12:46:19 2013 us=504558 XX.XX.XXX.XXX:1081 LZO compression initialized
Mon Jul 15 12:46:19 2013 us=504686 XX.XX.XXX.XXX:1081 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Mon Jul 15 12:46:19 2013 us=504697 XX.XX.XXX.XXX:1081 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Mon Jul 15 12:46:19 2013 us=504765 XX.XX.XXX.XXX:1081 Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Mon Jul 15 12:46:19 2013 us=504790 XX.XX.XXX.XXX:1081 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Mon Jul 15 12:46:19 2013 us=504816 XX.XX.XXX.XXX:1081 Local Options hash (VER=V4): '530fdded'
Mon Jul 15 12:46:19 2013 us=504833 XX.XX.XXX.XXX:1081 Expected Remote Options hash (VER=V4): '41690919'
Mon Jul 15 12:46:19 2013 us=504892 XX.XX.XXX.XXX:1081 TLS: Initial packet from XX.XX.XXX.XXX:1081, sid=1e297824 0e01e50f
Mon Jul 15 12:46:21 2013 us=997807 XX.XX.XXX.XXX:1081 TLS: new session incoming connection from XX.XX.XXX.XXX:1081
Mon Jul 15 12:46:30 2013 us=468544 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Mon Jul 15 12:46:32 2013 us=496017 XX.XX.XXX.XXX:1081 TLS: new session incoming connection from XX.XX.XXX.XXX:1081

Here is the phone log:
Jul 15 16:45:57 openvpn[473]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Jul 15 16:45:57 openvpn[473]: TLS Error: TLS handshake failed
Jul 15 16:45:57 openvpn[473]: TCP/UDP: Closing socket
Jul 15 16:45:57 openvpn[473]: SIGUSR1[soft,tls-error] received, process restarting
Jul 15 16:45:57 openvpn[473]: Restart pause, 2 second(s)
Jul 15 16:45:57 syslog[469]: DEBUG: [get_output_if] connect: Network is unreachable
Jul 15 16:45:59 openvpn[473]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Jul 15 16:45:59 openvpn[473]: Re-using SSL/TLS context
Jul 15 16:45:59 openvpn[473]: LZO compression initialized
Jul 15 16:45:59 openvpn[473]: Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Jul 15 16:45:59 openvpn[473]: Socket Buffers: R=[114688->131072] S=[114688->131072]
Jul 15 16:46:17 syslog[469]: DEBUG: [get_output_if] connect: Network is unreachable
Jul 15 16:46:19 openvpn[473]: Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Jul 15 16:46:19 openvpn[473]: Local Options hash (VER=V4): '41690919'
Jul 15 16:46:19 openvpn[473]: Expected Remote Options hash (VER=V4): '530fdded'
Jul 15 16:46:19 openvpn[473]: UDPv4 link local: [undef]
Jul 15 16:46:19 openvpn[473]: UDPv4 link remote: XX.XX.XXX.XXX:1194
Jul 15 16:46:19 openvpn[473]: TLS: Initial packet from XX.XX.XXX.XXX:1194, sid=4994647a d1cc2a81
Jul 15 16:46:19 openvpn[473]: VERIFY ERROR: depth=1, error=certificate signature failure: /C=US/ST=GA/L=Atlanta/O=GasInc/OU=IT-TABSOFT/CN=OpenVPN-CA/name=EasyRSA/emailAddress=webadmin@gasinc.net
Jul 15 16:46:19 openvpn[473]: TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Jul 15 16:46:19 openvpn[473]: TLS Error: TLS object -> incoming plaintext read error
Jul 15 16:46:19 openvpn[473]: TLS Error: TLS handshake failed
Jul 15 16:46:19 openvpn[473]: TCP/UDP: Closing socket
Jul 15 16:46:19 openvpn[473]: SIGUSR1[soft,tls-error] received, process restarting
Jul 15 16:46:19 openvpn[473]: Restart pause, 2 second(s)
Jul 15 16:46:21 openvpn[473]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Jul 15 16:46:21 openvpn[473]: Re-using SSL/TLS context
Jul 15 16:46:21 openvpn[473]: LZO compression initialized
Jul 15 16:46:21 openvpn[473]: Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Jul 15 16:46:21 openvpn[473]: Socket Buffers: R=[114688->131072] S=[114688->131072]
Jul 15 16:46:21 openvpn[473]: Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Jul 15 16:46:21 openvpn[473]: Local Options hash (VER=V4): '41690919'
Jul 15 16:46:21 openvpn[473]: Expected Remote Options hash (VER=V4): '530fdded'
Jul 15 16:46:21 openvpn[473]: UDPv4 link local: [undef]
Jul 15 16:46:21 openvpn[473]: UDPv4 link remote: XX.XX.XXX.XXX:1194
Jul 15 16:46:22 openvpn[473]: TLS Error: Unroutable control packet received from XX.XX.XXX.XXX:1194 (si=3 op=P_CONTROL_V1)
Jul 15 16:46:22 openvpn[473]: TLS: Initial packet from XX.XX.XXX.XXX:1194, sid=8ab6dc37 54bf39bc
Jul 15 16:46:22 openvpn[473]: TLS Error: Unroutable control packet received from XX.XX.XXX.XXX:1194 (si=3 op=P_CONTROL_V1)
Jul 15 16:46:23 openvpn[473]: TLS Error: Unroutable control packet received from XX.XX.XXX.XXX:1194 (si=3 op=P_CONTROL_V1)
Jul 15 16:46:24 openvpn[473]: TLS Error: Unroutable control packet received from XX.XX.XXX.XXX:1194 (si=3 op=P_CONTROL_V1)
Jul 15 16:46:25 openvpn[473]: TLS Error: Unroutable control packet received from XX.XX.XXX.XXX:1194 (si=3 op=P_CONTROL_V1)
Jul 15 16:46:26 openvpn[473]: TLS Error: Unroutable control packet received from XX.XX.XXX.XXX:1194 (si=3 op=P_CONTROL_V1)
Jul 15 16:46:28 openvpn[473]: TLS Error: Unroutable control packet received from XX.XX.XXX.XXX:1194 (si=3 op=P_CONTROL_V1)
Jul 15 16:46:28 openvpn[473]: TLS Error: Unroutable control packet received from XX.XX.XXX.XXX:1194 (si=3 op=P_CONTROL_V1)
Jul 15 16:46:30 openvpn[473]: VERIFY ERROR: depth=1, error=certificate signature failure: /C=US/ST=GA/L=Atlanta/O=etc
Jul 15 16:46:30 openvpn[473]: TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Jul 15 16:46:30 openvpn[473]: TLS Error: TLS object -> incoming plaintext read error
Jul 15 16:46:30 openvpn[473]: NOTE: --mute triggered...
Jul 15 16:46:30 openvpn[473]: 1 variation(s) on previous 10 message(s) suppressed by --mute
Jul 15 16:46:30 openvpn[473]: TCP/UDP: Closing socket
Jul 15 16:46:30 openvpn[473]: SIGUSR1[soft,tls-error] received, process restarting
Jul 15 16:46:30 openvpn[473]: Restart pause, 2 second(s)

I can connect fine from my PC using the same keys, etc.

I noticed the time diff, but they show the same times.

Any suggestions? Please?

I already sent my info to support but have not heard back.

Tom...



RE: VPN on T22 - Yealink Support - 07-17-2013 04:29 PM

Hi Tom,
1. Do you mean the time of syslog is different from the server?
2. Could you let us know where you are from? And could you send it again to support@yealink.com? I will check again.
3. For this issue, I am afraid we need phone logs to analyze the problem.
So could you provide the PCAP trace, syslog (level 6) and config.bin file to us, so we can analyze?
Before you export the syslog, please set the log level to 6 and reboot the phone, then click Start and reproduce the issue, then click Stop and export the trace, syslog and config.bin to us.
(About where to export these files, please refer to attached screenshot.)
These three files are very important for us, hope you can kindly understand.
4. And also need your certification files.
Thanks.


RE: VPN on T22 - tbolick - 07-17-2013 11:48 PM

YAY! Received an email from support that correctly identified the problem! The Yealinks (T22 at least) only support MD5 signature algorithm and the latest easy-rsa and openssl now default to SHA256.

So, to fix, edit your openssl-x.x.x.conf to change the lines from:
default_md = default # or sha256
to: (there are probably 2 or more of these lines)
default_md = md5

everywhere you find it. Then you will have to fully recreate your CA, server and client keys, updating both the server and phone.

Hope this helps someone else with this problem.

Tom...
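
To confirm this diagnosis from the two logs alone, the following added example (not part of the original posts) checks that both sides' OpenVPN option hashes agree and extracts the certificate verification failure. The function names are illustrative; the sample lines are taken from the logs earlier in this thread.

```python
import re

# Sample input: lines taken from the server and phone logs in this thread.
SERVER_LOG = """\
Mon Jul 15 12:46:19 2013 us=504816 XX.XX.XXX.XXX:1081 Local Options hash (VER=V4): '530fdded'
Mon Jul 15 12:46:19 2013 us=504833 XX.XX.XXX.XXX:1081 Expected Remote Options hash (VER=V4): '41690919'
"""
PHONE_LOG = """\
Jul 15 16:46:19 openvpn[473]: Local Options hash (VER=V4): '41690919'
Jul 15 16:46:19 openvpn[473]: Expected Remote Options hash (VER=V4): '530fdded'
Jul 15 16:46:19 openvpn[473]: VERIFY ERROR: depth=1, error=certificate signature failure: /C=US/ST=GA/L=Atlanta/O=GasInc/OU=IT-TABSOFT/CN=OpenVPN-CA/name=EasyRSA/emailAddress=webadmin@gasinc.net
Jul 15 16:46:19 openvpn[473]: TLS Error: TLS handshake failed
"""

HASH_RE = re.compile(r"(Local|Expected Remote) Options hash \(VER=V4\): '([0-9a-f]+)'")
VERIFY_RE = re.compile(r"VERIFY ERROR: depth=(\d+), error=([^:]+): (\S+)")

def option_hashes(log):
    """Return {'Local': hash, 'Expected Remote': hash} from one side's log."""
    return {m.group(1): m.group(2) for m in HASH_RE.finditer(log)}

def triage(server_log, phone_log):
    """Separate a tunnel-option mismatch from a certificate verification failure."""
    srv, cli = option_hashes(server_log), option_hashes(phone_log)
    # Each side's Local hash must equal the peer's Expected Remote hash.
    options_agree = (srv.get("Local") == cli.get("Expected Remote")
                     and cli.get("Local") == srv.get("Expected Remote")
                     and None not in (srv.get("Local"), cli.get("Local")))
    findings = []
    for depth, error, subject in VERIFY_RE.findall(phone_log):
        depth = int(depth)
        # depth 0 is the peer (server) certificate; depth >= 1 is an issuer (CA).
        cert = "server certificate" if depth == 0 else "CA certificate"
        cn = re.search(r"/CN=([^/]+)", subject)
        findings.append({"depth": depth, "error": error, "cert": cert,
                         "cn": cn.group(1) if cn else None})
    return {"options_agree": options_agree, "verify_errors": findings}

if __name__ == "__main__":
    result = triage(SERVER_LOG, PHONE_LOG)
    print("tunnel options agree:", result["options_agree"])
    for f in result["verify_errors"]:
        print(f"depth={f['depth']} ({f['cert']}, CN={f['cn']}): {f['error']}")
```

Matching option hashes together with a `certificate signature failure` at depth 1 point at the CA certificate's signature rather than the tunnel settings, which fits a digest the phone cannot verify. MD5-signed certificates are open to collision attacks, so a CA reissued with `default_md = md5` is best kept limited to these phones.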


RE: VPN on T22 - Yealink Support - 07-19-2013 10:09 AM

Great news, thanks for sharing, Tom.