[YMCS/YDMP Free Trial Program]Yealink would like to offer Free Trial Program of Yealink device management service for our current eligible customers. You can see the details below.
https://www.yealink.com/ydmp-freetrial-2020


Post Reply 
 
Thread Rating:
  • 0 Votes - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
OpenVPN Error with PfSense
Author Message
Peleska Offline
Junior Member
**

Posts: 2
Joined: Nov 2013
Reputation: 0
Post: #1
OpenVPN Error with PfSense
Hi Guys,
I am using PFsense with a Yealink-T38G, Firmware 38.70.150.2.
I Created the Pfsense Side according to the Yealink Documentation, with the Wizard and with sscardefield´s really,really Great Documentation - but nothing works.
I have even reinstalled Pfsense from Scratch....

I have found three things which doesnt´t work if you use the Export Utility
1. You have to unpack and repack the generated client.tar with 7zip on Windows - if you don´t your Phone wouldn´t import the File.
2. If you leave the Line "verify-x509-name PhoneServer name" in the generated vpn.cnf the Phone can´t import the file either.
3. There seems to be a problem with the generated Certificates, the Phone (If you set Phone >Configuration > Log Level to 6 you get a usable Logfile which you can export)
It shows the following Error:
Nov 7 21:20:48 openvpn[289]: IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Nov 7 21:20:48 openvpn[289]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Nov 7 21:20:48 openvpn[289]: Re-using SSL/TLS context
Nov 7 21:20:48 openvpn[289]: LZO compression initialized
Nov 7 21:20:48 openvpn[289]: UDPv4 link local (bound): [undef]:1194
Nov 7 21:20:48 openvpn[289]: UDPv4 link remote: 213.221.100.187:1194
Nov 7 21:20:48 openvpn[289]: VERIFY ERROR: depth=1, error=certificate signature failure: /C=DE/ST=Hessen/L=Floersheim/O=Lorenzgroup/emailAddress=support@lorenzgroup.com/CN=PhoneCA
Nov 7 21:20:48 openvpn[289]: TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Nov 7 21:20:48 openvpn[289]: TLS Error: TLS object -> incoming plaintext read error
Nov 7 21:20:48 openvpn[289]: TLS Error: TLS handshake failed

IOS, Android and PC Clients connect without Problems,i am now really out of Ideas - Anybody else please?!
11-08-2013 05:43 AM
Find all posts by this user    like0    dislike0 Quote this message in a reply
Yealink Support Offline
Administrator
*******

Posts: 2,683
Joined: Dec 2012
Reputation: 25
Post: #2
RE: OpenVPN Error with PfSense
Hi Peleska,

It seems that your certificate has something wrong. Is it out of date?
11-08-2013 11:00 AM
Find all posts by this user    like0    dislike0 Quote this message in a reply
Peleska Offline
Junior Member
**

Posts: 2
Joined: Nov 2013
Reputation: 0
Post: #3
RE: OpenVPN Error with PfSense
(11-08-2013 11:00 AM)Yealink Support Wrote:  Hi Peleska,

It seems that your certificate has something wrong. Is it out of date?

Hi Support,
I don´t think so because other Devices like Iphones or Android devices user those Certs without any Problem to connect to the Openvpn Server?!
I am using the following Versions on the Server side:
pfSense:
2.1-RELEASE (i386)
built on Wed Sep 11 18:16:22 EDT 2013
FreeBSD 8.3-RELEASE-p11

Export Package: 1.1.3.
I tried T-38G Firmware .150 and .236.

Maybe you could provide with an Updated Howto or Manual or something?!

I´d really appreciate your Help, so thanks in Advance:

CA Cert:
-----BEGIN CERTIFICATE-----
MIIEZzCCA0+gAwIBAgIBADANBgkqhkiG9w0BAQsFADCBgzELMAkGA1UEBhMCREUx
DzANBgNVBAgTBkhlc3NlbjETMBEGA1UEBxMKRmxvZXJzaGVpbTEUMBIGA1UEChML
TG9yZW56Z3JvdXAxJjAkBgkqhkiG9w0BCQEWF3N1cHBvcnRAbG9yZW56Z3JvdXAu
Y29tMRAwDgYDVQQDEwdQaG9uZUNBMB4XDTEzMTEwNzIxMDEyNloXDTIzMTEwNTIx
MDEyNlowgYMxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZIZXNzZW4xEzARBgNVBAcT
CkZsb2Vyc2hlaW0xFDASBgNVBAoTC0xvcmVuemdyb3VwMSYwJAYJKoZIhvcNAQkB
FhdzdXBwb3J0QGxvcmVuemdyb3VwLmNvbTEQMA4GA1UEAxMHUGhvbmVDQTCCASIw
DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANvDRhr7xVivnaaoFhpoj5n1YxDS
a6GbzA7hydDcU0FwcuhzjluclhsGXBVb8n+CKmzVjaI3un/KG+zGaM787K6lXeHl
a0TyjwUTln6Dl6Aru/LFPASMcPhRZkKeLHAElXU8L+HC6TiY4u8sDDcYhPRpCyN5
o8CrX/m5EpiQNNWnzoP1vWfg05HLXYgJ9rRXgAs1XreHpCWpQx1rCgH5T4q9Usbq
XAB7S7Rv/gqz72bUDxnBTbQLsN86pUaAQhcPFZRBdCLNI1nX9HR6/UjxeBfpVzOK
J2KkUJPQs7TSvmHfk2AVQcl5Qn0he6D/uNWf1zl4q34wajpKRh1hMweSY+kCAwEA
AaOB4zCB4DAdBgNVHQ4EFgQU9pZNL1qdsMZXm1IIg6Y7G9TF57gwgbAGA1UdIwSB
qDCBpYAU9pZNL1qdsMZXm1IIg6Y7G9TF57ihgYmkgYYwgYMxCzAJBgNVBAYTAkRF
MQ8wDQYDVQQIEwZIZXNzZW4xEzARBgNVBAcTCkZsb2Vyc2hlaW0xFDASBgNVBAoT
C0xvcmVuemdyb3VwMSYwJAYJKoZIhvcNAQkBFhdzdXBwb3J0QGxvcmVuemdyb3Vw
LmNvbTEQMA4GA1UEAxMHUGhvbmVDQYIBADAMBgNVHRMEBTADAQH/MA0GCSqGSIb3
DQEBCwUAA4IBAQC/IsfyX5id+Tny+nBhAgv+YJ3soNVyXRUFwsQzh8yQKdJ9X9lJ
poYoFb7OhKnc9eSy1xr/OTcR88RdloRclS+9qI9w8hf2dEROQ94Zp7k90v3yTMzf
EYm4rvm5dXyOp2n39JgoiLqK8FjgcHa7x4HxqRMBreWZG2HdjBGEcaa2XmbgSC6K
+qLGRNurbof+UiENqV9NFUB0jbgcStrSDzvkpMCxkHBkPXgYXinVDuXcKfPF+rzH
9X9cb+OA2fDizKvZA+ql4vfGCW4eyZx2yIDX17N3UQRSFL2N7TzkwKmVrvQlym8G
j+0l6uR6j8JRoeKFsVF9TVkXVrYk+/bN3eHQ
-----END CERTIFICATE-----

Client Cert:
-----BEGIN CERTIFICATE-----
MIIEmjCCA4KgAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBgzELMAkGA1UEBhMCREUx
DzANBgNVBAgTBkhlc3NlbjETMBEGA1UEBxMKRmxvZXJzaGVpbTEUMBIGA1UEChML
TG9yZW56Z3JvdXAxJjAkBgkqhkiG9w0BCQEWF3N1cHBvcnRAbG9yZW56Z3JvdXAu
Y29tMRAwDgYDVQQDEwdQaG9uZUNBMB4XDTEzMTEwNzIxMDIyOFoXDTIzMTEwNTIx
MDIyOFowgYQxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIEwZIZXNzZW4xEzARBgNVBAcT
CkZsb2Vyc2hlaW0xFDASBgNVBAoTC0xvcmVuemdyb3VwMSYwJAYJKoZIhvcNAQkB
FhdzdXBwb3J0QGxvcmVuemdyb3VwLmNvbTERMA8GA1UEAxMIWWVhbGluazEwggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC1xK3YoiBHmiIjHXvwaln0giD4
veNVLiWCjscaymqXXYwT8NLXewaoxZ525NayoconqoB7TUi64jzxAiyNviI5MY9I
35QOYyAMNmARrrhUmliOY7l9vUFL4WKrbdgN4HbDhQAPuIAQ+ZCDZIAprdElZPnV
UoZL7ILblz8ZBLMAZE/bKpQ4psIUVdK7827Ax3U867HFbZxIZdr0Fe1ZgYF7Xnct
4XnIlaKaZ6i+xKB/5UDdQktPXf6Kg+XOc+gq54ZKzhniBPbc6GDHNRonqMgE2ihM
AwjZKt6Su2Gg7lxoUGDsYFY7ibCDGNI15gypAXUxyBCeGFQ4JbNGZqtY/qbjAgMB
AAGjggEUMIIBEDAJBgNVHRMEAjAAMDEGCWCGSAGG+EIBDQQkFiJPcGVuU1NMIEdl
bmVyYXRlZCBVc2VyIENlcnRpZmljYXRlMB0GA1UdDgQWBBTEyHv0816jLzWuDGzy
A7ZHZ47MHjCBsAYDVR0jBIGoMIGlgBT2lk0vWp2wxlebUgiDpjsb1MXnuKGBiaSB
hjCBgzELMAkGA1UEBhMCREUxDzANBgNVBAgTBkhlc3NlbjETMBEGA1UEBxMKRmxv
ZXJzaGVpbTEUMBIGA1UEChMLTG9yZW56Z3JvdXAxJjAkBgkqhkiG9w0BCQEWF3N1
cHBvcnRAbG9yZW56Z3JvdXAuY29tMRAwDgYDVQQDEwdQaG9uZUNBggEAMA0GCSqG
SIb3DQEBCwUAA4IBAQBvcwbtea5bpUnx7cK9AqcvSrqurMp9BKBnYKjk5os0A4rm
kjkwOTxxo/vU9skxTLaKNUua4+/9bvsT9eNDOz/evEl4MoU8fjQTw3GOu3wi+xdC
QpOpaAfWXPcTaf3tqNxCzWufA29hrDKc1+9i2gkcPOvX3GwoLFbnbcWa382eHYoG
35abaikKwmgc219FwG2DJXkA7+HUn2amm/C52AEZfpFYRCVVBHeHYJwYGD3zDG6I
jZyUWhVPwvBRadRU6zOOsAzzheREfiwSOQdUPJ9ES9N+koOkTac6nvcGxuvrARpO
oH5nGhs8pvHGIzow2+OFY8zxSyCzxCzrwVElq0fb
-----END CERTIFICATE-----
11-09-2013 04:42 AM
Find all posts by this user    like0    dislike0 Quote this message in a reply
Yealink Support Offline
Administrator
*******

Posts: 2,683
Joined: Dec 2012
Reputation: 25
Post: #4
RE: OpenVPN Error with PfSense
Hi Peleska,

Maybe you lost some settings in OpenVPN?
Please refer to the below guide.
http://www.yealink.com/Upload/T4X/GA/Ope...s)_V71.pdf
11-11-2013 04:13 PM
Find all posts by this user    like0    dislike0 Quote this message in a reply
Yealink Support Offline
Administrator
*******

Posts: 2,683
Joined: Dec 2012
Reputation: 25
Post: #5
RE: OpenVPN Error with PfSense
Hi Peleska,

I find the Signature hash algorithm of your ca.crt is sha256. We just support "sha1" and "md5".
So please change the Signature hash algorithm and test again.
11-11-2013 04:25 PM
Find all posts by this user    like0    dislike0 Quote this message in a reply
davidpablo Offline
Junior Member
**

Posts: 5
Joined: Feb 2014
Reputation: 0
Post: #6
RE: OpenVPN Error with PfSense
Hello i have the same problem any guy have solution to connect to pfsense 2.1 to yealink phones?
02-20-2014 11:29 PM
Find all posts by this user    like0    dislike0 Quote this message in a reply
Yealink Support Offline
Administrator
*******

Posts: 2,683
Joined: Dec 2012
Reputation: 25
Post: #7
RE: OpenVPN Error with PfSense
(02-20-2014 11:29 PM)davidpablo Wrote:  Hello i have the same problem any guy have solution to connect to pfsense 2.1 to yealink phones?
Hi davidpablo,

Do you check your Signature hash algorithm of your ca.crt ?
"I find the Signature hash algorithm of your ca.crt is sha256. We just support "sha1" and "md5".
So please change the Signature hash algorithm and test again."
02-24-2014 03:10 PM
Find all posts by this user    like0    dislike0 Quote this message in a reply
davidpablo Offline
Junior Member
**

Posts: 5
Joined: Feb 2014
Reputation: 0
Post: #8
RE: OpenVPN Error with PfSense
yes it is sha1 i build ca, server and phone using sha1 only
02-24-2014 03:37 PM
Find all posts by this user    like0    dislike0 Quote this message in a reply
Yealink Support Offline
Administrator
*******

Posts: 2,683
Joined: Dec 2012
Reputation: 25
Post: #9
RE: OpenVPN Error with PfSense
Hi davidpablo,

Do you follow openvpn user guide in post #5 ?
Can you post your server.conf,vpn.cnf for me?
03-04-2014 11:34 AM
Find all posts by this user    like0    dislike0 Quote this message in a reply
mahan77 Offline
Junior Member
**

Posts: 11
Joined: Mar 2014
Reputation: 0
Post: #10
RE: OpenVPN Error with PfSense
i hade same issue with easy-rsa-2.2.2
but i will able to connect with easy-rsa-2.2.0
03-26-2014 11:20 AM
Find all posts by this user    like0    dislike0 Quote this message in a reply
Post Reply 


Possibly Related Threads...
Thread: Author Replies: Views: Last Post
  T38G File Format Error w03zd8rc 3 15,250 03-25-2016 09:52 PM
Last Post: w03zd8rc
  Action URL entry is causing a "File Format Error" lazlototh 8 29,285 01-25-2015 12:17 AM
Last Post: psichel
  OpenVPN and PfSense paulhuynh 1 13,355 06-26-2013 02:22 PM
Last Post: Yealink Support
  transfers error whith exp mod, and blfs in t38g whit firmware 38.70.0.125 rleon 2 13,266 04-18-2013 11:21 PM
Last Post: rleon
  Help with T38G OpenVPN moakhtar 2 14,888 03-12-2013 12:58 PM
Last Post: rfrantik@rfcinc.com

Forum Jump:


User(s) browsing this thread: 1 Guest(s)

Contact Us   Yealink   Return to Top   Return to Content   Lite (Archive) Mode   RSS Syndication