VPN on T22
tbolick Offline
Junior Member
**

Posts: 3
Joined: Jul 2013
Reputation: 0
Post: #1
VPN on T22
I cannot seem to get the VPN working on my T22Ps.

Here is the server openvpn log:
OpenVPN 2.2.1 x86_64-redhat-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] built on Sep 12 2011
Mon Jul 15 12:45:01 2013 us=242541 WARNING: --ifconfig-pool-persist will not work with --duplicate-cn
Mon Jul 15 12:45:01 2013 us=242606 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mon Jul 15 12:45:01 2013 us=304143 Diffie-Hellman initialized with 2048 bit key
Mon Jul 15 12:45:01 2013 us=513480 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Mon Jul 15 12:45:01 2013 us=513520 Socket Buffers: R=[245760->131072] S=[245760->131072]
Mon Jul 15 12:45:01 2013 us=513639 ROUTE: default_gateway=UNDEF
Mon Jul 15 12:45:01 2013 us=513846 TUN/TAP device tun1 opened
Mon Jul 15 12:45:01 2013 us=513865 TUN/TAP TX queue length set to 100
Mon Jul 15 12:45:01 2013 us=513902 /sbin/ip link set dev tun1 up mtu 1500
Mon Jul 15 12:45:01 2013 us=543602 /sbin/ip addr add dev tun1 local 10.8.0.1 peer 10.8.0.2
Mon Jul 15 12:45:01 2013 us=544517 /sbin/ip route add 10.8.0.0/24 via 10.8.0.2
Mon Jul 15 12:45:01 2013 us=545170 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Mon Jul 15 12:45:01 2013 us=545771 GID set to nobody
Mon Jul 15 12:45:01 2013 us=545841 UID set to nobody
Mon Jul 15 12:45:01 2013 us=545874 UDPv4 link local (bound): zz.zz.zzz.zzz:1194
Mon Jul 15 12:45:01 2013 us=545885 UDPv4 link remote: [undef]
Mon Jul 15 12:45:01 2013 us=545900 MULTI: multi_init called, r=256 v=256
Mon Jul 15 12:45:01 2013 us=545968 IFCONFIG POOL: base=10.8.0.4 size=62
Mon Jul 15 12:45:01 2013 us=545994 IFCONFIG POOL LIST
Mon Jul 15 12:45:01 2013 us=546027 Initialization Sequence Completed
Mon Jul 15 12:46:19 2013 us=504457 MULTI: multi_create_instance called
Mon Jul 15 12:46:19 2013 us=504531 XX.XX.XXX.XXX:1081 Re-using SSL/TLS context
Mon Jul 15 12:46:19 2013 us=504558 XX.XX.XXX.XXX:1081 LZO compression initialized
Mon Jul 15 12:46:19 2013 us=504686 XX.XX.XXX.XXX:1081 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Mon Jul 15 12:46:19 2013 us=504697 XX.XX.XXX.XXX:1081 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Mon Jul 15 12:46:19 2013 us=504765 XX.XX.XXX.XXX:1081 Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Mon Jul 15 12:46:19 2013 us=504790 XX.XX.XXX.XXX:1081 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Mon Jul 15 12:46:19 2013 us=504816 XX.XX.XXX.XXX:1081 Local Options hash (VER=V4): '530fdded'
Mon Jul 15 12:46:19 2013 us=504833 XX.XX.XXX.XXX:1081 Expected Remote Options hash (VER=V4): '41690919'
Mon Jul 15 12:46:19 2013 us=504892 XX.XX.XXX.XXX:1081 TLS: Initial packet from XX.XX.XXX.XXX:1081, sid=1e297824 0e01e50f
Mon Jul 15 12:46:21 2013 us=997807 XX.XX.XXX.XXX:1081 TLS: new session incoming connection from XX.XX.XXX.XXX:1081
Mon Jul 15 12:46:30 2013 us=468544 read UDPv4 [ECONNREFUSED]: Connection refused (code=111)
Mon Jul 15 12:46:32 2013 us=496017 XX.XX.XXX.XXX:1081 TLS: new session incoming connection from XX.XX.XXX.XXX:1081

Here is the phone log:
Jul 15 16:45:57 openvpn[473]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Jul 15 16:45:57 openvpn[473]: TLS Error: TLS handshake failed
Jul 15 16:45:57 openvpn[473]: TCP/UDP: Closing socket
Jul 15 16:45:57 openvpn[473]: SIGUSR1[soft,tls-error] received, process restarting
Jul 15 16:45:57 openvpn[473]: Restart pause, 2 second(s)
Jul 15 16:45:57 syslog[469]: DEBUG: [get_output_if] connect: Network is unreachable
Jul 15 16:45:59 openvpn[473]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Jul 15 16:45:59 openvpn[473]: Re-using SSL/TLS context
Jul 15 16:45:59 openvpn[473]: LZO compression initialized
Jul 15 16:45:59 openvpn[473]: Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Jul 15 16:45:59 openvpn[473]: Socket Buffers: R=[114688->131072] S=[114688->131072]
Jul 15 16:46:17 syslog[469]: DEBUG: [get_output_if] connect: Network is unreachable
Jul 15 16:46:19 openvpn[473]: Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Jul 15 16:46:19 openvpn[473]: Local Options hash (VER=V4): '41690919'
Jul 15 16:46:19 openvpn[473]: Expected Remote Options hash (VER=V4): '530fdded'
Jul 15 16:46:19 openvpn[473]: UDPv4 link local: [undef]
Jul 15 16:46:19 openvpn[473]: UDPv4 link remote: XX.XX.XXX.XXX:1194
Jul 15 16:46:19 openvpn[473]: TLS: Initial packet from XX.XX.XXX.XXX:1194, sid=4994647a d1cc2a81
Jul 15 16:46:19 openvpn[473]: VERIFY ERROR: depth=1, error=certificate signature failure: /C=US/ST=GA/L=Atlanta/O=GasInc/OU=IT-TABSOFT/CN=OpenVPN-CA/name=EasyRSA/emailAddress=webadmin@gasinc.net
Jul 15 16:46:19 openvpn[473]: TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Jul 15 16:46:19 openvpn[473]: TLS Error: TLS object -> incoming plaintext read error
Jul 15 16:46:19 openvpn[473]: TLS Error: TLS handshake failed
Jul 15 16:46:19 openvpn[473]: TCP/UDP: Closing socket
Jul 15 16:46:19 openvpn[473]: SIGUSR1[soft,tls-error] received, process restarting
Jul 15 16:46:19 openvpn[473]: Restart pause, 2 second(s)
Jul 15 16:46:21 openvpn[473]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Jul 15 16:46:21 openvpn[473]: Re-using SSL/TLS context
Jul 15 16:46:21 openvpn[473]: LZO compression initialized
Jul 15 16:46:21 openvpn[473]: Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Jul 15 16:46:21 openvpn[473]: Socket Buffers: R=[114688->131072] S=[114688->131072]
Jul 15 16:46:21 openvpn[473]: Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Jul 15 16:46:21 openvpn[473]: Local Options hash (VER=V4): '41690919'
Jul 15 16:46:21 openvpn[473]: Expected Remote Options hash (VER=V4): '530fdded'
Jul 15 16:46:21 openvpn[473]: UDPv4 link local: [undef]
Jul 15 16:46:21 openvpn[473]: UDPv4 link remote: XX.XX.XXX.XXX:1194
Jul 15 16:46:22 openvpn[473]: TLS Error: Unroutable control packet received from XX.XX.XXX.XXX:1194 (si=3 op=P_CONTROL_V1)
Jul 15 16:46:22 openvpn[473]: TLS: Initial packet from XX.XX.XXX.XXX:1194, sid=8ab6dc37 54bf39bc
Jul 15 16:46:22 openvpn[473]: TLS Error: Unroutable control packet received from XX.XX.XXX.XXX:1194 (si=3 op=P_CONTROL_V1)
Jul 15 16:46:23 openvpn[473]: TLS Error: Unroutable control packet received from XX.XX.XXX.XXX:1194 (si=3 op=P_CONTROL_V1)
Jul 15 16:46:24 openvpn[473]: TLS Error: Unroutable control packet received from XX.XX.XXX.XXX:1194 (si=3 op=P_CONTROL_V1)
Jul 15 16:46:25 openvpn[473]: TLS Error: Unroutable control packet received from XX.XX.XXX.XXX:1194 (si=3 op=P_CONTROL_V1)
Jul 15 16:46:26 openvpn[473]: TLS Error: Unroutable control packet received from XX.XX.XXX.XXX:1194 (si=3 op=P_CONTROL_V1)
Jul 15 16:46:28 openvpn[473]: TLS Error: Unroutable control packet received from XX.XX.XXX.XXX:1194 (si=3 op=P_CONTROL_V1)
Jul 15 16:46:28 openvpn[473]: TLS Error: Unroutable control packet received from XX.XX.XXX.XXX:1194 (si=3 op=P_CONTROL_V1)
Jul 15 16:46:30 openvpn[473]: VERIFY ERROR: depth=1, error=certificate signature failure: /C=US/ST=GA/L=Atlanta/O=etc
Jul 15 16:46:30 openvpn[473]: TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Jul 15 16:46:30 openvpn[473]: TLS Error: TLS object -> incoming plaintext read error
Jul 15 16:46:30 openvpn[473]: NOTE: --mute triggered...
Jul 15 16:46:30 openvpn[473]: 1 variation(s) on previous 10 message(s) suppressed by --mute
Jul 15 16:46:30 openvpn[473]: TCP/UDP: Closing socket
Jul 15 16:46:30 openvpn[473]: SIGUSR1[soft,tls-error] received, process restarting
Jul 15 16:46:30 openvpn[473]: Restart pause, 2 second(s)

I can connect fine from my PC using the same keys, etc.

I noticed the time diff, but they show the same times.

Any suggestions? Please?

I already sent my info to support but have not heard back.

Tom...

07-16-2013 01:00 AM
Yealink Support Offline
Administrator
*******

Posts: 2,683
Joined: Dec 2012
Reputation: 25
Post: #2
RE: VPN on T22
Hi Tom,
1. Do you mean the time of syslog is different from the server?
2. Could you let us know where you are from? And could you send it again to support@yealink.com? I will check again.
3. For this issue, I am afraid we need phone logs to analyze the problem.
So could you provide the PCAP trace, syslog (level 6) and config.bin file to us, so we can analyze?
Before you export the syslog, please set the log level to 6 and reboot the phone, then click Start and reproduce the issue, then click Stop and export the trace, syslog and config.bin to us.
(About where to export these files, please refer to attached screenshot.)
These three files are very important for us, hope you can kindly understand.
4. We also need your certification files.
Thanks.


07-17-2013 04:29 PM
tbolick Offline
Junior Member
**

Posts: 3
Joined: Jul 2013
Reputation: 0
Post: #3
RE: VPN on T22
YAY! Received an email from support that correctly identified the problem! The Yealinks (T22 at least) only support the MD5 signature algorithm, and the latest easy-rsa and openssl now default to SHA256.

So, to fix, edit your openssl-x.x.x.conf to change the lines from:
default_md = default # or sha256
to: (there are probably 2 or more of these lines)
default_md = md5

everywhere you find it. Then you will have to fully recreate your CA, server and client keys, updating both the server and phone.

Hope this helps someone else with this problem.

Tom...
(This post was last modified: 07-17-2013 11:49 PM by tbolick.)
07-17-2013 11:48 PM
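Added example (not part of the original posts): a log triage sketch showing how the two logs in this thread already separate a tunnel-settings mismatch from a certificate problem. The option hashes cross-match between server and phone, and the phone rejects the certificate at depth=1 (the issuing CA), which is consistent with the digest explanation above. The function names are hypothetical; the log lines are copied from post #1.

```python
import re

# Lines copied from the server and phone logs in post #1 of this thread.
SERVER_LOG = """\
Mon Jul 15 12:46:19 2013 us=504816 XX.XX.XXX.XXX:1081 Local Options hash (VER=V4): '530fdded'
Mon Jul 15 12:46:19 2013 us=504833 XX.XX.XXX.XXX:1081 Expected Remote Options hash (VER=V4): '41690919'
"""
PHONE_LOG = """\
Jul 15 16:46:19 openvpn[473]: Local Options hash (VER=V4): '41690919'
Jul 15 16:46:19 openvpn[473]: Expected Remote Options hash (VER=V4): '530fdded'
Jul 15 16:46:19 openvpn[473]: VERIFY ERROR: depth=1, error=certificate signature failure: /C=US/ST=GA/L=Atlanta/O=GasInc/OU=IT-TABSOFT/CN=OpenVPN-CA/name=EasyRSA/emailAddress=webadmin@gasinc.net
Jul 15 16:46:19 openvpn[473]: TLS Error: TLS handshake failed
"""

HASH_RE = re.compile(r"(Local|Expected Remote) Options hash \(VER=V4\): '([0-9a-f]+)'")
VERIFY_RE = re.compile(r"VERIFY ERROR: depth=(\d+), error=([^:]+): (.*)")

def option_hashes(log):
    """Return {'Local': hash, 'Expected Remote': hash} from the first pair in a log."""
    found = {}
    for kind, value in HASH_RE.findall(log):
        found.setdefault(kind, value)
    return found

def options_agree(server_log, client_log):
    """True when each side's local hash equals the hash its peer expects."""
    s, c = option_hashes(server_log), option_hashes(client_log)
    return s["Local"] == c["Expected Remote"] and c["Local"] == s["Expected Remote"]

def verify_errors(log):
    """Unique (depth, error, subject CN) tuples taken from VERIFY ERROR lines."""
    out = []
    for depth, error, subject in VERIFY_RE.findall(log):
        cn = re.search(r"/CN=([^/]+)", subject)
        item = (int(depth), error.strip(), cn.group(1) if cn else None)
        if item not in out:
            out.append(item)
    return out

def triage(server_log, client_log):
    """Name the handshake stage that failed, using both logs."""
    if not options_agree(server_log, client_log):
        return "tunnel options mismatch (cipher, auth, comp-lzo, MTU, proto)"
    errors = verify_errors(client_log)
    if errors:
        depth, error, cn = errors[0]
        # depth 0 is the peer's own certificate; higher depths are its issuers.
        role = "peer certificate" if depth == 0 else "issuing CA certificate"
        return f"{role} {cn!r} rejected by client: {error}"
    return "no option or certificate error found"
```
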
Yealink Support Offline
Administrator
*******

Posts: 2,683
Joined: Dec 2012
Reputation: 25
Post: #4
RE: VPN on T22
Great news, thanks for sharing, Tom.
07-19-2013 10:09 AM