Yealink SIP-T22P OpenVPN issue
Author Message
mahan77 Offline
Junior Member
**

Posts: 11
Joined: Mar 2014
Reputation: 0
Post: #1
Yealink SIP-T22P OpenVPN issue
Hello every one,

Need help please; I’m trying to connect a Yealink SIP-T22P over OpenVPN with Asterisk. No luck at all. I have enabled the VPN option and uploaded the file. If I use a softphone over OpenVPN from a Mac it’s working fine. How can I solve this issue?

Many thanks
sathees

vpn.cnf

client
dev tap
proto udp
remote 192.168.1.100 1194 udp
ca /yealink/config/openvpn/keys/ca.crt
cert /yealink/config/openvpn/keys/client-yealink.crt
key /yealink/config/openvpn/keys/client-yealink.key
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
ns-cert-type server
comp-lzo
verb 3
mute 10


server.conf

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
03-10-2014 09:22 PM
Yealink Support Offline
Administrator
*******

Posts: 2,683
Joined: Dec 2012
Reputation: 25
Post: #2
RE: Yealink SIP-T22P OpenVPN issue
Hi, please make sure "dev" is the same in both vpn.cnf and server.conf.
Do you want to use tun or tap?
03-11-2014 09:56 AM
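
The check Yealink Support asks for above, as an added example (not code from the thread or from Yealink): a small Python script that parses both files and lists the directives that disagree between client and server. The `MUST_MATCH` list and the function names are assumptions made for this example; the two configurations are abridged from post #1.

```python
import re

# Directives that must agree on both ends of the tunnel (assumed minimal list).
MUST_MATCH = ("dev", "proto", "comp-lzo", "cipher", "auth")

# Abridged from the vpn.cnf and server.conf shown in post #1.
CLIENT = """\
client
dev tap
proto udp
comp-lzo
"""
SERVER = """\
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
comp-lzo
"""

def parse(text):
    """Map directive -> argument string, skipping '#' and ';' comments."""
    opts = {}
    for line in text.splitlines():
        words = re.split(r"[#;]", line, maxsplit=1)[0].split()
        if words:
            opts[words[0]] = " ".join(words[1:])
    return opts

def normalise(name, value):
    """Reduce values to the part that has to be identical on both sides."""
    if value is None:
        return None
    if name == "dev":    # tun0 / tap1 -> tun / tap
        return re.sub(r"\d+$", "", value)
    if name == "proto":  # tcp-client / tcp-server -> tcp
        return re.sub(r"-(client|server)$", "", value)
    return value

def mismatches(client_text, server_text):
    """Return (directive, client_value, server_value) for every disagreement."""
    client, server = parse(client_text), parse(server_text)
    pairs = [(n, normalise(n, client.get(n)), normalise(n, server.get(n))) for n in MUST_MATCH]
    return [p for p in pairs if p[1] != p[2]]  # None: directive absent on that side

if __name__ == "__main__":
    for name, c, s in mismatches(CLIENT, SERVER):
        print(f"{name}: client={c!r} server={s!r}")
```
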
mahan77 Offline
Junior Member
**

Posts: 11
Joined: Mar 2014
Reputation: 0
Post: #3
RE: Yealink SIP-T22P OpenVPN issue
thank you.
the problem was easy-rsa
03-26-2014 11:23 AM
mahan77 Offline
Junior Member
**

Posts: 11
Joined: Mar 2014
Reputation: 0
Post: #4
RE: Yealink SIP-T22P OpenVPN issue
Hello again,

I managed to solve the connection issue. After I upload the configuration file and reboot the device, I can’t access the web page for settings. How can I solve this issue?
Many thanks
sathees

These are the logs from openvpn.log

Wed Mar 26 12:06:47 2014 192.168.1.74:1026 TLS: Initial packet from [AF_INET]192.168.1.74:1026, sid=be8c5adc 714c7286
Wed Mar 26 12:06:58 2014 192.168.1.74:1026 TLS: new session incoming connection from [AF_INET]192.168.1.74:1026
Wed Mar 26 12:07:00 2014 192.168.1.74:1026 VERIFY OK: depth=1, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=changeme, CN=changeme, name=changeme, emailAddress=mail@host.domain
Wed Mar 26 12:07:00 2014 192.168.1.74:1026 VERIFY OK: depth=0, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=changeme, CN=client, name=changeme, emailAddress=mail@host.domain
Wed Mar 26 12:07:00 2014 192.168.1.74:1026 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Mar 26 12:07:00 2014 192.168.1.74:1026 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Mar 26 12:07:00 2014 192.168.1.74:1026 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Mar 26 12:07:00 2014 192.168.1.74:1026 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Mar 26 12:07:00 2014 192.168.1.74:1026 TLS: move_session: dest=TM_ACTIVE src=TM_UNTRUSTED reinit_src=1
Wed Mar 26 12:07:00 2014 192.168.1.74:1026 TLS: tls_multi_process: untrusted session promoted to semi-trusted
Wed Mar 26 12:07:01 2014 192.168.1.74:1026 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Wed Mar 26 12:07:01 2014 192.168.1.74:1026 [client] Peer Connection Initiated with [AF_INET]192.168.1.74:1026
Wed Mar 26 12:07:01 2014 client/192.168.1.74:1026 MULTI_sva: pool returned IPv4=10.8.0.10, IPv6=(Not enabled)
Wed Mar 26 12:07:01 2014 client/192.168.1.74:1026 MULTI: Learn: 10.8.0.10 -> client/192.168.1.74:1026
Wed Mar 26 12:07:01 2014 client/192.168.1.74:1026 MULTI: primary virtual IP for client/192.168.1.74:1026: 10.8.0.10
Wed Mar 26 12:07:03 2014 client/192.168.1.74:1026 PUSH: Received control message: 'PUSH_REQUEST'
Wed Mar 26 12:07:03 2014 client/192.168.1.74:1026 send_push_reply(): safe_cap=940
Wed Mar 26 12:07:03 2014 client/192.168.1.74:1026 SENT CONTROL [client]: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0,route 10.0.0.0 255.0.0.0,route 172.16.1.0 255.240.0.0,route 10.8.0.0 255.255.255.0,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.10 10.8.0.9' (status=1)
Wed Mar 26 12:11:03 2014 client/192.168.1.74:1026 [client] Inactivity timeout (--ping-restart), restarting
Wed Mar 26 12:11:03 2014 client/192.168.1.74:1026 SIGUSR1[soft,ping-restart] received, client-instance restarting


This is from the phone log
Mar 26 11:58:57 IPP[303]: IPP <4+warnin>137.470.293:unkown msg,00002006,00000000,00000000
Mar 26 11:58:57 IPP[303]: IPP <4+warnin>137.476.372:unkown msg,00002007,00000000,00000000
Mar 26 11:58:58 AUTP[342]: AUTP<3+error > network isn't complete, sleep 1s!
Mar 26 11:58:59 LIBD[342]: DANY<0+emerg > DANY=3
Mar 26 11:58:59 IPP[303]: IPP <4+warnin>139.347.641:unkown msg,000b0007,ffffffff,00000000
Mar 26 11:59:36 Log [365]: WEB <3+error > NOTE : readlan=[English]
Mar 26 11:59:36 Log [365]: WEB <3+error > NOTE : baklan=[1.English]
Mar 26 11:59:36 Log [365]: WEB <3+error > NOTE : lan=[1.English]
Mar 26 11:59:36 Log [396]: WEB <3+error > NOTE : readlan=[English]
Mar 26 11:59:36 Log [396]: WEB <3+error > NOTE : baklan=[1.English]
Mar 26 11:59:36 Log [396]: WEB <3+error > NOTE : lan=[1.English]
Mar 26 11:59:42 Log [365]: WEB <3+error > NOTE : readlan=[English]
Mar 26 11:59:42 Log [365]: WEB <3+error > NOTE : baklan=[1.English]
Mar 26 11:59:42 Log [365]: WEB <3+error > NOTE : lan=[1.English]
Mar 26 11:59:52 Log [396]: WEB <3+error > NOTE : readlan=[English]
Mar 26 11:59:52 Log [396]: WEB <3+error > NOTE : baklan=[1.English]
Mar 26 11:59:52 Log [396]: WEB <3+error > NOTE : lan=[1.English]
Mar 26 11:59:57 Log [365]: WEB <3+error > NOTE : readlan=[English]
Mar 26 11:59:57 Log [365]: WEB <3+error > NOTE : baklan=[1.English]
Mar 26 11:59:57 Log [365]: WEB <3+error > NOTE : lan=[1.English]
Mar 26 11:59:58 Log [396]: WEB <3+error > NOTE : readlan=[English]
Mar 26 11:59:58 Log [396]: WEB <3+error > NOTE : baklan=[1.English]
Mar 26 11:59:58 Log [396]: WEB <3+error > NOTE : lan=[1.English]
03-26-2014 08:22 PM
Yealink Support Offline
Administrator
*******

Posts: 2,683
Joined: Dec 2012
Reputation: 25
Post: #5
RE: Yealink SIP-T22P OpenVPN issue
1. Did you try to enter the web page again later? Can you never enter the web page?
2. Did you test in another browser?
3. Please make sure "dev" is the same in both vpn.cnf and server.conf. TUN or TAP?
03-27-2014 05:07 PM
siny Offline
Junior Member
**

Posts: 11
Joined: May 2014
Reputation: 0
Post: #6
RE: Yealink SIP-T22P OpenVPN issue
(03-26-2014 11:23 AM)mahan77 Wrote:  thank you.
the problem was easy-rsa

Can you please elaborate on that: what was the problem with Easy-RSA?


Thank you.


Best regards,
Sinisa Bandin
05-23-2014 04:18 PM
mahan77 Offline
Junior Member
**

Posts: 11
Joined: Mar 2014
Reputation: 0
Post: #7
RE: Yealink SIP-T22P OpenVPN issue
Sorry for the late reply, I was busy with work.

You need public key MD5 for the Yealink phone. The latest easy-rsa uses a different algorithm called sha256. I didn’t know how to change back to MD5. The best way to do this is to use easy-rsa 2.2.0. Use openssl-1.0.0.cnf in your vars file and everything will be OK.

Many thanks
05-27-2014 12:20 AM
siny Offline
Junior Member
**

Posts: 11
Joined: May 2014
Reputation: 0
Post: #8
RE: Yealink SIP-T22P OpenVPN issue
Thank you for your reply, but...

Actually, I am using easy-rsa 2.0-rc1 (all of the other 20+ keys are made by it so I did not want to change).
in "openssl.cnf" there is this line:
default_md = md5
so I suppose that should be OK, right?

(just to compare, I have downloaded easy-rsa 2.2.2, and there it says "sha256")

It seems I shall wait for the webinar on Wednesday, maybe there will pop up something new: http://forum.yealink.com/forum/showthrea...ht=openvpn


Best regards,
Sinisa Bandin
05-27-2014 03:51 AM
mahan77 Offline
Junior Member
**

Posts: 11
Joined: Mar 2014
Reputation: 0
Post: #9
RE: Yealink SIP-T22P OpenVPN issue
Yes! It should be OK. As long as you have this default_md = md5 line in your .cnf it will work.

Many Thanks
Sathees
05-27-2014 03:56 PM
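
An added example, not part of the original posts: `default_md` in openssl.cnf sets the digest for certificates signed from then on, while certificates already issued keep the algorithm they were signed with, so the question discussed in posts #7 to #9 is settled by reading the signature algorithm from the certificate itself. The Python below does that with the standard library only; `constructed_pem` builds a constructed skeleton (dummy body and signature) as sample input, and all function names are assumptions.

```python
import base64
import re
# PKCS #1 signature-algorithm OIDs relevant to the thread.
SIG_ALGS = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption",
            "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
            "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def decode_oid(body):
    """Turn OBJECT IDENTIFIER content bytes into dotted notation."""
    arcs, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:  # high bit clear ends the current arc
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def signature_algorithm(pem_text):
    """Name the algorithm the CA used to sign the first PEM certificate."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", pem_text, re.S)
    if not m:
        raise ValueError("no PEM certificate found")
    der = base64.b64decode(m.group(1))
    tag, start, _ = read_tlv(der, 0)          # Certificate ::= SEQUENCE
    _, _, tbs_end = read_tlv(der, start)      # tbsCertificate, skipped
    _, alg_start, _ = read_tlv(der, tbs_end)  # signatureAlgorithm SEQUENCE
    oid_tag, oid_start, oid_end = read_tlv(der, alg_start)
    if tag != 0x30 or oid_tag != 0x06:
        raise ValueError("not an X.509 certificate")
    oid = decode_oid(der[oid_start:oid_end])
    return SIG_ALGS.get(oid, oid)

def constructed_pem(oid_hex):  # constructed skeleton, sample input only
    oid = bytes.fromhex(oid_hex)
    alg = bytes([0x30, len(oid) + 4, 0x06, len(oid)]) + oid + b"\x05\x00"
    body = b"\x30\x03\x02\x01\x02" + alg + b"\x03\x02\x00\x00"
    der = base64.b64encode(bytes([0x30, len(body)]) + body).decode()
    return f"-----BEGIN CERTIFICATE-----\n{der}\n-----END CERTIFICATE-----\n"
```

For a real file, pass its contents: `signature_algorithm(open("client-yealink.crt").read())`.
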
siny Offline
Junior Member
**

Posts: 11
Joined: May 2014
Reputation: 0
Post: #10
RE: Yealink SIP-T22P OpenVPN issue
Well, it is not OK :(

I create the .tar file, as instructed in the docs, go to the Network -> Advanced menu, Browse file, Upload it, get the message "Upload success!", then Enable the VPN and when I click Confirm, the message says "Please upload VPN config file first!".

I have other clients working with same certificates, using Linux, Android, Mikrotik routers and Windows.


Best regards,
Sinisa Bandin
05-27-2014 04:47 PM