OpenVPN connection to Elastix failing
Author Message
l4telcom Offline
Junior Member
**

Posts: 6
Joined: Dec 2013
Reputation: 0
Post: #1
OpenVPN connection to Elastix failing
We have a test server running that has Elastix 2.4 with OpenVPN installed. I have confirmed that I can connect from a Windows PC running an OpenVPN client, but when I try to connect a T38, it fails.
The T38 is running firmware version 38.70.0.125 and the openvpn software running on the server is

Server config: server.conf
Code:
port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/pbx102.crt
key /etc/openvpn/easy-rsa/keys/pbx102.key  
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 208.67.222.222"
client-to-client
keepalive 10 120
max-clients 10
persist-key
persist-tun
status /var/log/openvpn-status.log
log         /var/log/openvpn.log
log-append  /var/log/openvpn.log
verb 6

Windows PC client config: ext101.ovpn
Code:
client
setenv SERVER_POLL_TIMEOUT 4
nobind
remote xxx.xxx.xxx.xxx 1194 udp
remote xxx.xxx.xxx.xxx 443 tcp
dev tun
dev-type tun
ns-cert-type server
reneg-sec 604800
sndbuf 100000
rcvbuf 100000
auth-retry nointeract
# NOTE: LZO commands are pushed by the Access Server at connect time.
# NOTE: The below line doesn't disable LZO.
# comp-lzo no
verb 3

ca "C:\\Program Files (x86)\\OpenVPN\\config\\ca.crt"
cert "C:\\Program Files (x86)\\OpenVPN\\config\\ext101.crt"
key "C:\\Program Files (x86)\\OpenVPN\\config\\ext101.key"

T38 config: vpn.cnf
Code:
client
setenv SERVER_POLL_TIMEOUT 4
nobind
remote xxx.xxx.xxx.xxx 1194 udp
remote xxx.xxx.xxx.xxx 443 tcp
dev tun
dev-type tun
ns-cert-type server
reneg-sec 604800
sndbuf 100000
rcvbuf 100000
auth-retry nointeract
# NOTE: LZO commands are pushed by the Access Server at connect time.
# NOTE: The below line doesn't disable LZO.
comp-lzo no
verb 3

ca /config/openvpn/keys/ca.crt
cert /config/openvpn/keys/ext101.crt
key /config/openvpn/keys/ext101.key

On the server logs, the following is shown and just indefinitely repeats:
Code:
Wed Feb 26 17:10:12 2014 us=521050 xxx.xxx.xxx.xxx:1025 UDPv4 WRITE [114] to [AF_INET]xxx.xxx.xxx.xxx:1025: P_CONTROL_V1 kid=0 [ ] pid=24 DATA len=100
Wed Feb 26 17:10:12 2014 us=521192 xxx.xxx.xxx.xxx:1025 UDPv4 WRITE [114] to [AF_INET]xxx.xxx.xxx.xxx:1025: P_CONTROL_V1 kid=0 [ ] pid=21 DATA len=100
Wed Feb 26 17:10:13 2014 us=611876 xxx.xxx.xxx.xxx:1025 UDPv4 WRITE [114] to [AF_INET]xxx.xxx.xxx.xxx:1025: P_CONTROL_V1 kid=0 [ ] pid=22 DATA len=100
Wed Feb 26 17:10:14 2014 us=666310 xxx.xxx.xxx.xxx:1025 UDPv4 READ [14] from [AF_INET]xxx.xxx.xxx.xxx:1025: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Wed Feb 26 17:10:14 2014 us=666343 xxx.xxx.xxx.xxx:1025 TLS: new session incoming connection from [AF_INET]xxx.xxx.xxx.xxx:1025
Wed Feb 26 17:10:14 2014 us=666398 xxx.xxx.xxx.xxx:1025 UDPv4 WRITE [22] to [AF_INET]xxx.xxx.xxx.xxx:1025: P_ACK_V1 kid=0 [ 0 ]
Wed Feb 26 17:10:15 2014 us=817441 xxx.xxx.xxx.xxx:1025 UDPv4 WRITE [114] to [AF_INET]xxx.xxx.xxx.xxx:1025: P_CONTROL_V1 kid=0 [ ] pid=23 DATA len=100
Wed Feb 26 17:10:16 2014 us=968274 xxx.xxx.xxx.xxx:1025 UDPv4 WRITE [114] to [AF_INET]xxx.xxx.xxx.xxx:1025: P_CONTROL_V1 kid=0 [ ] pid=24 DATA len=100
Wed Feb 26 17:10:17 2014 us=4181 xxx.xxx.xxx.xxx:1025 UDPv4 READ [14] from [AF_INET]xxx.xxx.xxx.xxx:1025: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Wed Feb 26 17:10:17 2014 us=4222 xxx.xxx.xxx.xxx:1025 UDPv4 WRITE [22] to [AF_INET]xxx.xxx.xxx.xxx:1025: P_ACK_V1 kid=0 [ 0 ]
Wed Feb 26 17:10:20 2014 us=364755 xxx.xxx.xxx.xxx:1025 UDPv4 READ [14] from [AF_INET]xxx.xxx.xxx.xxx:1025: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Wed Feb 26 17:10:20 2014 us=364797 xxx.xxx.xxx.xxx:1025 TLS: new session incoming connection from [AF_INET]xxx.xxx.xxx.xxx:1025
Wed Feb 26 17:10:20 2014 us=364877 xxx.xxx.xxx.xxx:1025 UDPv4 WRITE [22] to [AF_INET]xxx.xxx.xxx.xxx:1025: P_ACK_V1 kid=0 [ 0 ]

The phone log shows this:
Code:
Feb 26 22:13:49 openvpn[289]: LZO compression initialized
Feb 26 22:13:49 openvpn[289]: Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Feb 26 22:13:49 openvpn[289]: Socket Buffers: R=[112640->200000] S=[112640->200000]
Feb 26 22:13:49 openvpn[289]: Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Feb 26 22:13:49 openvpn[289]: Local Options hash (VER=V4): '41690919'
Feb 26 22:13:49 openvpn[289]: Expected Remote Options hash (VER=V4): '530fdded'
Feb 26 22:13:49 openvpn[289]: UDPv4 link local: [undef]
Feb 26 22:13:49 openvpn[289]: UDPv4 link remote: xxx.xxx.xxx.xxx:1194
Feb 26 22:13:49 openvpn[289]: TLS Error: Unroutable control packet received from xxx.xxx.xxx.xxx:1194 (si=3 op=P_ACK_V1)
Feb 26 22:13:51 openvpn[289]: TLS Error: Unroutable control packet received from xxx.xxx.xxx.xxx:1194 (si=3 op=P_ACK_V1)
Feb 26 22:13:53 openvpn[289]: Server poll timeout, restarting
Feb 26 22:13:53 openvpn[289]: TCP/UDP: Closing socket
Feb 26 22:13:53 openvpn[289]: SIGUSR1[soft,server_poll] received, process restarting
Feb 26 22:13:53 openvpn[289]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Feb 26 22:13:53 openvpn[289]: LZO compression initialized
Feb 26 22:13:53 openvpn[289]: Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
Feb 26 22:13:53 openvpn[289]: Socket Buffers: R=[87380->200000] S=[16384->200000]
Feb 26 22:13:53 openvpn[289]: Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Feb 26 22:13:53 openvpn[289]: Local Options hash (VER=V4): '69109d17'
Feb 26 22:13:53 openvpn[289]: Expected Remote Options hash (VER=V4): 'c0103fa8'
Feb 26 22:13:53 openvpn[289]: Attempting to establish TCP connection with xxx.xxx.xxx.xxx:443 [nonblock]
Feb 26 22:13:54 openvpn[289]: TCP connection established with xxx.xxx.xxx.xxx:443
Feb 26 22:13:54 openvpn[289]: TCPv4_CLIENT link local: [undef]
Feb 26 22:13:54 openvpn[289]: TCPv4_CLIENT link remote: xxx.xxx.xxx.xxx:443
Feb 26 22:13:54 openvpn[289]: Connection reset, restarting [0]
Feb 26 22:13:54 IPP[502]: IPP <4+warnin>834.575.431:unkown msg,00010102,00000000,00000000
Feb 26 22:13:54 openvpn[289]: TCP/UDP: Closing socket
Feb 26 22:13:54 openvpn[289]: SIGUSR1[soft,connection-reset] received, process restarting
Feb 26 22:13:54 openvpn[289]: Restart pause, 1 second(s)


To make things even more confusing, I set up the Windows PC to act as a server with the same configuration, just modifying the paths to the key files, and then I adjusted the phone's config to point to the Windows PC's IP address. The phone connected to that VPN without error.

Can anyone shed some light on what I'm missing?

Thanks.
(This post was last modified: 02-28-2014 12:38 AM by l4telcom.)
02-27-2014 06:37 AM
Yealink Support Offline
Administrator
*******

Posts: 2,683
Joined: Dec 2012
Reputation: 25
Post: #2
RE: OpenVPN connection to Elastix failing
Hi l4telcom,

server.conf
1. Please add Local IP address above port. For example, Local xxx.xxx.xxx.xxx
2. Add "comp-lzo no" to server.conf

vpn.cnf
Please save the remote address "remote xxx.xxx.xxx.xxx 1194 udp" and delete other remote address.
Meanwhile, remote address should be the same as local address.
02-27-2014 09:42 AM
l4telcom Offline
Junior Member
**

Posts: 6
Joined: Dec 2013
Reputation: 0
Post: #3
RE: OpenVPN connection to Elastix failing
Thanks for the fast response. If the server has a public IP address, would that be the 'Local xxx.xxx.xxx.xxx' I should add above the port line? I'm guessing yes based off your last sentence "Meanwhile, remote address should be the same as local address." So, xxx.xxx.xxx.xxx in 'Local xxx.xxx.xxx.xxx' in server.conf should be the same as 'remote xxx.xxx.xxx.xxx 1194 udp'?
02-27-2014 10:21 PM
l4telcom Offline
Junior Member
**

Posts: 6
Joined: Dec 2013
Reputation: 0
Post: #4
RE: OpenVPN connection to Elastix failing
I made the adjustments to the config files as requested, but I still have a problem.

One other forum just talking strictly about the VPN (not involving phones) suggested that the dates and times being off might be the problem.
I noticed that the phone thinks the time is 15:13 whereas the server thinks the time is 10:13. I have tried setting the phone's time manually, but the same timestamp occurs.

server.conf
Code:
local xxx.xxx.xxx.xxx #(public IP of Elastix server)
port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/pbx102.crt
key /etc/openvpn/easy-rsa/keys/pbx102.key  
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 208.67.222.222"
client-to-client
keepalive 10 120
max-clients 10
persist-key
persist-tun
status /var/log/openvpn-status.log
log         /var/log/openvpn.log
log-append  /var/log/openvpn.log
verb 6

vpn.cnf
Code:
client
setenv SERVER_POLL_TIMEOUT 4
nobind
remote xxx.xxx.xxx.xxx 1194 udp
dev tun
dev-type tun
ns-cert-type server
reneg-sec 604800
sndbuf 100000
rcvbuf 100000
auth-retry nointeract
# NOTE: LZO commands are pushed by the Access Server at connect time.
# NOTE: The below line doesn't disable LZO.
# comp-lzo no
verb 9

ca /config/openvpn/keys/ca.crt
cert /config/openvpn/keys/ext101.crt
key /config/openvpn/keys/ext101.key

server log:
Code:
Thu Feb 27 10:13:12 2014 us=346045 xxx.xxx.xxx.xxx:1025 TLS: new session incoming connection from [AF_INET]xxx.xxx.xxx.xxx:1025
Thu Feb 27 10:13:12 2014 us=346124 xxx.xxx.xxx.xxx:1025 UDPv4 WRITE [114] to [AF_INET]xxx.xxx.xxx.xxx:1025: P_CONTROL_V1 kid=0 [ ] pid=22 DATA len=100
Thu Feb 27 10:13:12 2014 us=346216 xxx.xxx.xxx.xxx:1025 UDPv4 WRITE [22] to [AF_INET]xxx.xxx.xxx.xxx:1025: P_ACK_V1 kid=0 [ 0 ]
Thu Feb 27 10:13:12 2014 us=507456 xxx.xxx.xxx.xxx:1024 UDPv4 WRITE [114] to [AF_INET]xxx.xxx.xxx.xxx:1024: P_CONTROL_V1 kid=0 [ ] pid=23 DATA len=100
Thu Feb 27 10:13:12 2014 us=507622 xxx.xxx.xxx.xxx:1024 UDPv4 WRITE [114] to [AF_INET]xxx.xxx.xxx.xxx:1024: P_CONTROL_V1 kid=0 [ ] pid=23 DATA len=100
Thu Feb 27 10:13:13 2014 us=515303 xxx.xxx.xxx.xxx:1025 UDPv4 WRITE [114] to [AF_INET]xxx.xxx.xxx.xxx:1025: P_CONTROL_V1 kid=0 [ ] pid=23 DATA len=100
Thu Feb 27 10:13:13 2014 us=515436 xxx.xxx.xxx.xxx:1025 UDPv4 WRITE [114] to [AF_INET]xxx.xxx.xxx.xxx:1025: P_CONTROL_V1 kid=0 [ ] pid=22 DATA len=100
Thu Feb 27 10:13:13 2014 us=677283 xxx.xxx.xxx.xxx:1024 UDPv4 WRITE [114] to [AF_INET]xxx.xxx.xxx.xxx:1024: P_CONTROL_V1 kid=0 [ ] pid=24 DATA len=100
Thu Feb 27 10:13:14 2014 us=685082 xxx.xxx.xxx.xxx:1025 UDPv4 WRITE [114] to [AF_INET]xxx.xxx.xxx.xxx:1025: P_CONTROL_V1 kid=0 [ ] pid=24 DATA len=100
Thu Feb 27 10:13:14 2014 us=685238 xxx.xxx.xxx.xxx:1025 UDPv4 WRITE [114] to [AF_INET]xxx.xxx.xxx.xxx:1025: P_CONTROL_V1 kid=0 [ ] pid=23 DATA len=100
Thu Feb 27 10:13:14 2014 us=700063 xxx.xxx.xxx.xxx:1024 UDPv4 WRITE [114] to [AF_INET]xxx.xxx.xxx.xxx:1024: P_CONTROL_V1 kid=0 [ ] pid=24 DATA len=100
Thu Feb 27 10:13:14 2014 us=733688 xxx.xxx.xxx.xxx:1025 UDPv4 READ [14] from [AF_INET]xxx.xxx.xxx.xxx:1025: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Thu Feb 27 10:13:14 2014 us=733731 xxx.xxx.xxx.xxx:1025 UDPv4 WRITE [22] to [AF_INET]xxx.xxx.xxx.xxx:1025: P_ACK_V1 kid=0 [ 0 ]
Thu Feb 27 10:13:15 2014 us=740894 xxx.xxx.xxx.xxx:1025 UDPv4 WRITE [114] to [AF_INET]xxx.xxx.xxx.xxx:1025: P_CONTROL_V1 kid=0 [ ] pid=21 DATA len=100
Thu Feb 27 10:13:15 2014 us=741046 xxx.xxx.xxx.xxx:1025 UDPv4 WRITE [114] to [AF_INET]xxx.xxx.xxx.xxx:1025: P_CONTROL_V1 kid=0 [ ] pid=24 DATA len=100
Thu Feb 27 10:13:16 2014 us=762732 xxx.xxx.xxx.xxx:1025 UDPv4 WRITE [114] to [AF_INET]xxx.xxx.xxx.xxx:1025: P_CONTROL_V1 kid=0 [ ] pid=22 DATA len=100
Thu Feb 27 10:13:16 2014 us=762870 xxx.xxx.xxx.xxx:1025 UDPv4 WRITE [114] to [AF_INET]xxx.xxx.xxx.xxx:1025: P_CONTROL_V1 kid=0 [ ] pid=21 DATA len=100
Thu Feb 27 10:13:16 2014 us=830412 xxx.xxx.xxx.xxx:1025 UDPv4 READ [14] from [AF_INET]xxx.xxx.xxx.xxx:1025: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Thu Feb 27 10:13:16 2014 us=830434 xxx.xxx.xxx.xxx:1025 TLS: new session incoming connection from [AF_INET]xxx.xxx.xxx.xxx:1025
Thu Feb 27 10:13:16 2014 us=830481 xxx.xxx.xxx.xxx:1025 UDPv4 WRITE [22] to [AF_INET]xxx.xxx.xxx.xxx:1025: P_ACK_V1 kid=0 [ 0 ]
Thu Feb 27 10:13:17 2014 us=837528 xxx.xxx.xxx.xxx:1025 UDPv4 WRITE [114] to [AF_INET]xxx.xxx.xxx.xxx:1025: P_CONTROL_V1 kid=0 [ ] pid=23 DATA len=100
Thu Feb 27 10:13:17 2014 us=837678 xxx.xxx.xxx.xxx:1025 UDPv4 WRITE [114] to [AF_INET]xxx.xxx.xxx.xxx:1025: P_CONTROL_V1 kid=0 [ ] pid=22 DATA len=100
Thu Feb 27 10:13:18 2014 us=858359 xxx.xxx.xxx.xxx:1025 UDPv4 WRITE [114] to [AF_INET]xxx.xxx.xxx.xxx:1025: P_CONTROL_V1 kid=0 [ ] pid=24 DATA len=100
Thu Feb 27 10:13:18 2014 us=858554 xxx.xxx.xxx.xxx:1025 UDPv4 WRITE [114] to [AF_INET]xxx.xxx.xxx.xxx:1025: P_CONTROL_V1 kid=0 [ ] pid=23 DATA len=100
Thu Feb 27 10:13:18 2014 us=873329 xxx.xxx.xxx.xxx:1024 UDPv4 WRITE [114] to [AF_INET]xxx.xxx.xxx.xxx:1024: P_CONTROL_V1 kid=0 [ ] pid=21 DATA len=100
Thu Feb 27 10:13:18 2014 us=873458 xxx.xxx.xxx.xxx:1024 UDPv4 WRITE [114] to [AF_INET]xxx.xxx.xxx.xxx:1024: P_CONTROL_V1 kid=0 [ ] pid=21 DATA len=100
Thu Feb 27 10:13:18 2014 us=906118 xxx.xxx.xxx.xxx:1025 UDPv4 READ [14] from [AF_INET]xxx.xxx.xxx.xxx:1025: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Thu Feb 27 10:13:18 2014 us=906168 xxx.xxx.xxx.xxx:1025 UDPv4 WRITE [22] to [AF_INET]xxx.xxx.xxx.xxx:1025: P_ACK_V1 kid=0 [ 0 ]
Thu Feb 27 10:13:19 2014 us=913171 xxx.xxx.xxx.xxx:1025 UDPv4 WRITE [114] to [AF_INET]xxx.xxx.xxx.xxx:1025: P_CONTROL_V1 kid=0 [ ] pid=24 DATA len=100
Thu Feb 27 10:13:19 2014 us=928116 xxx.xxx.xxx.xxx:1024 UDPv4 WRITE [114] to [AF_INET]xxx.xxx.xxx.xxx:1024: P_CONTROL_V1 kid=0 [ ] pid=22 DATA len=100
Thu Feb 27 10:13:19 2014 us=928230 xxx.xxx.xxx.xxx:1024 UDPv4 WRITE [114] to [AF_INET]xxx.xxx.xxx.xxx:1024: P_CONTROL_V1 kid=0 [ ] pid=22 DATA len=100
Thu Feb 27 10:13:20 2014 us=939983 xxx.xxx.xxx.xxx:1025 UDPv4 WRITE [114] to [AF_INET]xxx.xxx.xxx.xxx:1025: P_CONTROL_V1 kid=0 [ ] pid=21 DATA len=100
Thu Feb 27 10:13:20 2014 us=954953 xxx.xxx.xxx.xxx:1024 UDPv4 WRITE [114] to [AF_INET]xxx.xxx.xxx.xxx:1024: P_CONTROL_V1 kid=0 [ ] pid=23 DATA len=100
Thu Feb 27 10:13:20 2014 us=955091 xxx.xxx.xxx.xxx:1024 UDPv4 WRITE [114] to [AF_INET]xxx.xxx.xxx.xxx:1024: P_CONTROL_V1 kid=0 [ ] pid=23 DATA len=100
Thu Feb 27 10:13:21 2014 us=14110 xxx.xxx.xxx.xxx:1025 UDPv4 READ [14] from [AF_INET]xxx.xxx.xxx.xxx:1025: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0

phone log:
Code:
Feb 27 15:13:11 openvpn[289]:  event_wait returned 1
Feb 27 15:13:11 openvpn[289]: UDPv4 read returned 114
Feb 27 15:13:11 openvpn[289]: UDPv4 READ [114] from xxx.xxx.xxx.xxx:1194: P_CONTROL_V1 kid=0 sid=efd774cb d67255ae [ ] pid=21 DATA c6c2f540 1970f640 9d201c15 0f140d05 5902acb3 de50d039 cdfa3f47 ae7827a[more...]
Feb 27 15:13:11 openvpn[289]: VERIFY ERROR: depth=1, error=certificate signature failure: /C=US/ST=FL/L=PSL/O=L4/OU=VoIP/CN=CA/name=EasyRSA/emailAddress=email@domain.com
Feb 27 15:13:11 openvpn[289]: TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Feb 27 15:13:11 openvpn[289]: TLS Error: TLS object -> incoming plaintext read error
Feb 27 15:13:11 openvpn[289]: TLS Error: TLS handshake failed
Feb 27 15:13:11 openvpn[289]: TCP/UDP: Closing socket
Feb 27 15:13:11 openvpn[289]: SIGUSR1[soft,tls-error] received, process restarting
Feb 27 15:13:11 openvpn[289]: Restart pause, 1 second(s)
Feb 27 15:13:12 openvpn[289]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Feb 27 15:13:12 openvpn[289]: Control Channel MTU parms [ L:1541 D:138 EF:38 EB:0 ET:0 EL:0 ]
Feb 27 15:13:12 openvpn[289]: Socket Buffers: R=[112640->200000] S=[112640->200000]
Feb 27 15:13:12 openvpn[289]: Data Channel MTU parms [ L:1541 D:1450 EF:41 EB:4 ET:0 EL:0 ]
Feb 27 15:13:12 openvpn[289]: Local Options String: 'V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Feb 27 15:13:12 openvpn[289]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Feb 27 15:13:12 openvpn[289]: Local Options hash (VER=V4): '3514370b'
Feb 27 15:13:12 openvpn[289]: Expected Remote Options hash (VER=V4): '239669a8'
Feb 27 15:13:12 openvpn[289]: UDPv4 link local: [undef]
Feb 27 15:13:12 openvpn[289]: UDPv4 link remote: xxx.xxx.xxx.xxx:1194
Feb 27 15:13:12 openvpn[289]:  event_wait returned 1
Feb 27 15:13:12 openvpn[289]: UDPv4 WRITE [14] to xxx.xxx.xxx.xxx:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 sid=9556f882 e5b163bb [ ] pid=0 DATA
Feb 27 15:13:12 openvpn[289]: UDPv4 write returned 14
Feb 27 15:13:12 openvpn[289]:  event_wait returned 1
Feb 27 15:13:12 openvpn[289]: UDPv4 read returned 114
Feb 27 15:13:12 openvpn[289]: UDPv4 READ [114] from xxx.xxx.xxx.xxx:1194: P_CONTROL_V1 kid=0 sid=1e9fbd62 67d1be10 [ ] pid=22 DATA 59b3efd8 f23841af 5c1e51ec 1b36994c ed207f7a ea1f4c89 a041f56f f4417bd[more...]
Feb 27 15:13:12 openvpn[289]: TLS Error: Unroutable control packet received from xxx.xxx.xxx.xxx:1194 (si=3 op=P_CONTROL_V1)
Feb 27 15:13:12 openvpn[289]:  event_wait returned 1
Feb 27 15:13:12 openvpn[289]: UDPv4 read returned 22
Feb 27 15:13:12 openvpn[289]: UDPv4 READ [22] from xxx.xxx.xxx.xxx:1194: P_ACK_V1 kid=0 sid=efd774cb d67255ae [ 0 sid=9556f882 e5b163bb ]
Feb 27 15:13:12 openvpn[289]: TLS Error: Unroutable control packet received from xxx.xxx.xxx.xxx:1194 (si=3 op=P_ACK_V1)

I also now noticed this in the phone log:
Code:
Feb 27 15:13:11 openvpn[289]: VERIFY ERROR: depth=1, error=certificate signature failure: /C=US/ST=FL/L=PSL/O=L4/OU=VoIP/CN=CA/name=EasyRSA/emailAddress=email@domain.com
Feb 27 15:13:11 openvpn[289]: TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Feb 27 15:13:11 openvpn[289]: TLS Error: TLS object -> incoming plaintext read error
Feb 27 15:13:11 openvpn[289]: TLS Error: TLS handshake failed
Although, I'm not really sure what to make of it...

I found a user with a similar problem in http://forum.yealink.com/forum/showthread.php?tid=1007 but I am unsure of how to verify that I am using sha1 (which is supposedly the default for openvpn). I did verify that the pbx102.crt and ext101.crt certificates verify ok against ca.crt using 'openssl verify -CAfile ca.crt ext101.crt' and 'openssl verify -CAfile ca.crt pbx102.crt'
(This post was last modified: 02-28-2014 01:26 AM by l4telcom.)
02-28-2014 12:37 AM
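A triage sketch for the phone log in the post above, added here as an example (it is not code from the thread or from Yealink): it pulls the `VERIFY ERROR` lines out of verbose OpenVPN client output and separates them from restart reasons and "Unroutable control packet" messages. The sample lines are constructed in the format of the quoted log, and the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample in the format of the phone log quoted above (verb 9).
SAMPLE_LOG = """\
Feb 27 15:13:11 openvpn[289]: UDPv4 read returned 114
Feb 27 15:13:11 openvpn[289]: VERIFY ERROR: depth=1, error=certificate signature failure: /C=US/ST=FL/L=PSL/O=L4/OU=VoIP/CN=CA/name=EasyRSA/emailAddress=email@domain.com
Feb 27 15:13:11 openvpn[289]: TLS Error: TLS handshake failed
Feb 27 15:13:11 openvpn[289]: SIGUSR1[soft,tls-error] received, process restarting
Feb 27 15:13:12 openvpn[289]: TLS Error: Unroutable control packet received from xxx.xxx.xxx.xxx:1194 (si=3 op=P_CONTROL_V1)
Feb 27 15:13:12 openvpn[289]: TLS Error: Unroutable control packet received from xxx.xxx.xxx.xxx:1194 (si=3 op=P_ACK_V1)
"""

VERIFY_RE = re.compile(r"VERIFY ERROR: depth=(\d+), error=([^:]+): (.*)$")
UNROUTABLE_RE = re.compile(r"Unroutable control packet received from \S+ \(si=\d+ op=(\w+)\)")
RESTART_RE = re.compile(r"SIGUSR1\[soft,([\w-]+)\] received")


def triage(log_text):
    """Split an OpenVPN client log into certificate failures and follow-on noise.

    Returns (verify_failures, restarts, noise):
      verify_failures: unique dicts, one per distinct VERIFY ERROR (the actionable lines)
      restarts: Counter of restart reasons taken from the SIGUSR1 lines
      noise: Counter of opcodes seen in 'Unroutable control packet' messages
    """
    verify_failures, restarts, noise = [], Counter(), Counter()
    for line in log_text.splitlines():
        m = VERIFY_RE.search(line)
        if m:
            cn = re.search(r"/CN=([^/]+)", m.group(3))
            depth = int(m.group(1))
            failure = {
                "depth": depth,
                # depth 0 is the certificate the server presented; 1 and up are its issuers
                "which": "server certificate" if depth == 0 else "issuing CA certificate",
                "error": m.group(2).strip(),
                "cn": cn.group(1) if cn else None,
            }
            if failure not in verify_failures:
                verify_failures.append(failure)
            continue
        m = RESTART_RE.search(line)
        if m:
            restarts[m.group(1)] += 1
            continue
        m = UNROUTABLE_RE.search(line)
        if m:
            noise[m.group(1)] += 1
    return verify_failures, restarts, noise


def report(log_text):
    """One line per finding, certificate failures first."""
    failures, restarts, noise = triage(log_text)
    out = [f"VERIFY depth={f['depth']} ({f['which']}, CN={f['cn']}): {f['error']}" for f in failures]
    out += [f"restart reason {reason}: {n}x" for reason, n in sorted(restarts.items())]
    out += [f"unroutable {op}: {n}x" for op, n in sorted(noise.items())]
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```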
Yealink Support Offline
Administrator
*******

Posts: 2,683
Joined: Dec 2012
Reputation: 25
Post: #5
RE: OpenVPN connection to Elastix failing
Hi l4telcom,

Can you send me the ca.crt, ext101.crt and pbx102.crt privately?
02-28-2014 03:58 PM
l4telcom Offline
Junior Member
**

Posts: 6
Joined: Dec 2013
Reputation: 0
Post: #6
RE: OpenVPN connection to Elastix failing
Ok, so when I was sending you the crts privately, I did notice that they said Signature Algorithm: sha256WithRSAEncryption. I found that the way to change the Signature Algorithm was to modify the openssl-#.#.#.cnf files as follows:
under the [ CA_default ] header change 'default_md = sha256' to 'default_md = sha1'
and under the [ req ] header change 'default_md = sha256' to 'default_md = sha1'

After making those changes, I created all new keys, and now they show Signature Algorithm: sha1WithRSAEncryption. After recreating my tar file to upload to the phone, I was able to get the phone to connect to the VPN. I can register up an extension against the Elastix PBX using the VPN IP 10.8.0.1, but whenever I place test calls, I get a serious delay with audio going from the VoIP phone to the outside call as well as severe audio quality issues. There is no delay or quality issues with the audio from the outside call to the VoIP phone. I have tried adding in the
Code:
nat=yes
externip=xxx.xxx.xxx.xxx
localnet=10.8.0.0/255.255.255.0
but that doesn't seem to resolve the problem. If I try to register the extension by using the public ip of the PBX, I do not get any audio from the to the VoIP phone outside call.
03-01-2014 01:47 AM
Yealink Support Offline
Administrator
*******

Posts: 2,683
Joined: Dec 2012
Reputation: 25
Post: #7
RE: OpenVPN connection to Elastix failing
Please check to set "verb 3" in vpn.cnf.
(This post was last modified: 03-01-2014 09:56 AM by Yealink Support.)
03-01-2014 09:55 AM