Netgate Discussion Forum
    Yealink phones

    OpenVPN
    30 Posts 7 Posters 13.5k Views

      gusdvg
      Well, it looks like you are making a hobby of reinstalling pfSense from scratch  :D,  so with the current situation, how about installing from scratch on version 2.0, test out your Yealink phones, then upgrade to the latest 2.1? If you still want to continue testing regarding SHA2, you can create new CA certificates on 2.1 until it's resolved, but at least you now have a working setup for Yealinks in the meantime.

      I've been upgrading since version 1 so at least it's working for me. I can understand your position on clean installs, but I don't think pfSense carries much trash from version to version, so I wouldn't worry about it too much.

        sscardefield

        I played with this a bit today and here are my findings.

        pfSense 2.1
        Export Utility 1.1.3

        Before testing I applied the patch jimp mentioned via the Patches utility. From what I can tell it took:

        Afterwards, I recreated my server cert and user cert telling it to use SHA1 for both, then applied the new cert to my OpenVPN instance and exported the new config files via the Export Utility. Here is how it played out:

        T38

        38.70.0.105 - The phone won't accept the Export Utility config file T38 (1) or (2)
        38.70.0.180 - The phone won't accept the Export Utility config file T38 (1) or (2)

        T26

        6.71.0.140 - The phone accepts the Export Utility config file but makes no attempt to establish VPN connection during bootup (verified via packet capture)
        6.71.0.149 - The phone accepts the Export Utility config file but makes no attempt to establish VPN connection during bootup (verified via packet capture)

        If I get some time tomorrow I will manually create the config files and see if they take.

          C.Peleska

          Hi Guys,
          Yes I am a true Reinstall Enthusiast…. well more a "Revert to Snapshot" Enthusiast  ;)

          I get the same results as Seth. If I use pfSense 2.0.3 everything works well, except the Export Utility, which they updated to 2.1 I think.
          But you can create all certs and the server without problems. You have to export the certs and make your own vpn.cf, and if you use the latest version of 7zip you can get all of that together in a client.tar which Yealink phones accept! Works like a charm!

          Soooo, if the guys from the pfSense team examine this problem with version 2.1 (I believe it's something else than a plain GUI issue)
          and change the Export Utility back to a version that works for Yealink phones, I would be more than happy... and not just me I guess  ;D

          Does anyone know if there is an option to get an older Version of the Export Utility - or how to Contact the developers and inform them about this Issue?!

            C.Peleska

            Hi Again,
            I have an update for the export issue:
            You have to install it AFTER you create your CA etc. I removed and reinstalled the Export Utility package and voila: it shows the certs and generates the client.tar.
            But the contents of the file are still incompatible with the Yealink phones:

            The Export Utility generates this file:
            dev tun
            persist-tun
            persist-key
            cipher BF-CBC
            auth SHA1
            tls-client
            client
            resolv-retry infinite
            remote xxx.xxx.xxx.xxx 1194 udp
            verify-x509-name LGPhoneServerCert name
            ca /phone/config/openvpn/keys/ca.crt
            cert /phone/config/openvpn/keys/client1.crt
            key /phone/config/openvpn/keys/client1.key
            comp-lzo

            The Working one is:
            client
            dev tun
            persist-tun
            persist-key
            proto udp
            nobind
            remote xxx.xxx.xxx.xxx 1194
            resolv-retry infinite
            ns-cert-type server
            comp-lzo
            ca /phone/config/openvpn/keys/ca.crt
            cert /phone/config/openvpn/keys/client1.crt
            key /phone/config/openvpn/keys/client1.key

            So, if they revert their update from "verify-x509-name LGPhoneServerCert name" back to "ns-cert-type server" it seems that everything will work as with 2.0.3….

              jimp Rebel Alliance Developer Netgate

              Reinstalling pfSense or the package in another order before/after creating certificates wouldn't matter. The export package reads the certificates directly from the config, and doesn't change them. Reinstalling may have pulled in a newer version of the export package than you had before, but otherwise wouldn't have changed anything substantial.

              I updated the export package to skip the verify-x509-name line if the export is happening for a Yealink or snom phone, or if the config is auth only.  I found last week that an auth-only setup would not even attempt to connect if that line was in the config, even on the latest client. And the Yealink/snom OpenVPN clients are so old/crippled they don't support it.

              Version 1.1.4 should show up in a few minutes.

              Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

              Need help fast? Netgate Global Support!

              Do not Chat/PM for help!

                sscardefield
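The transformation jimp describes (skipping `verify-x509-name` for Yealink/snom exports) applied to the exported and working configs C.Peleska posted above, as an added example that is not pfSense or the Client Export package's own code. `EXPORTED` is the config from the thread; the `nobind` and `ns-cert-type server` lines follow the posted working config, and the SHA1 note reflects what the thread reports rather than any pfSense behaviour.

```python
# Added example (not pfSense/Netgate code): rewrite a Client Export OpenVPN
# config into the form the thread reports old Yealink/snom clients accept.

# The config the Export Utility produced, copied from the thread.
EXPORTED = """\
dev tun
persist-tun
persist-key
cipher BF-CBC
auth SHA1
tls-client
client
resolv-retry infinite
remote xxx.xxx.xxx.xxx 1194 udp
verify-x509-name LGPhoneServerCert name
ca /phone/config/openvpn/keys/ca.crt
cert /phone/config/openvpn/keys/client1.crt
key /phone/config/openvpn/keys/client1.key
comp-lzo
"""

def to_yealink(config: str):
    """Return (rewritten_config, notes) for the old phone OpenVPN client."""
    out, notes = [], []
    dropped_name_check = False
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        key = parts[0]
        if key == "verify-x509-name":            # phone client does not understand it
            notes.append(f"dropped: {line}")
            dropped_name_check = True
            continue
        if key == "remote" and len(parts) == 4:  # 'remote host port proto' form
            out.append(f"proto {parts[3]}")      # -> separate 'proto' line, as in the working config
            out.append(f"remote {parts[1]} {parts[2]}")
            continue
        if key == "auth" and len(parts) > 1 and parts[1].upper() != "SHA1":
            notes.append(f"auth {parts[1]}: thread reports these phones only work with SHA1")
        out.append(line)
    if "nobind" not in {l.split()[0] for l in out}:
        out.append("nobind")                     # present in the posted working config
    if dropped_name_check:
        # Keep a server-identity check: the legacy directive from the working config.
        # It needs the server cert to carry the nsCertType=server extension.
        out.append("ns-cert-type server")
        notes.append("replaced verify-x509-name with ns-cert-type server")
    return "\n".join(out) + "\n", notes
```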

                Alright, I think we are good now. I removed everything and started from scratch (I'm weird like that too). So now using Client Export Utility 1.1.4 and SHA1, both the T26 and T38 successfully connect. And just to verify, I reset everything and used SHA256 and neither phone would connect. So the OpenVPN client on the Yealinks definitely only works with SHA1.

                Thanks for all the help jimp.

                  Makje

                  @sscardefield:

                  Alright, I think we are good now. I removed everything and started from scratch (I'm weird like that too). So now using Client Export Utility 1.1.4 and SHA1, both the T26 and T38 successfully connect. And just to verify, I reset everything and used SHA256 and neither phone would connect. So the OpenVPN client on the Yealinks definitely only works with SHA1.

                  Thanks for all the help jimp.

                  Really? It didn't work for my T20P phones this way….
                  Even when you create your certificates selecting SHA1 encryption (1024 or 2048 key) the signature algorithm is still sha256RSA instead of sha1RSA and that didn't work for my phones.
                  What I did was make the certificates for CA, Server and User (the phones) in pfSense 2.0.3 and export them and after that import them on pfSense 2.1.
                  Then create the OpenVPN server with these certificates and export the T28 client; with 1.1.5 that works again.

                    jimp Rebel Alliance Developer Netgate
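A check for the detail Makje's post turns on, which signature algorithm (sha1RSA or sha256RSA) a certificate actually carries, as an added example that is not pfSense code: it reads the outer signatureAlgorithm OID straight from the DER, so it needs no third-party library. `SAMPLE_DER` is a constructed skeleton for the test, not a real certificate.

```python
# Added example (not pfSense code): report which signature algorithm a
# certificate actually carries, the detail Makje's post turns on.
import base64, re

SIG_OIDS = {  # the two algorithms contrasted in the thread
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}

def _tlv(buf, pos):
    """Decode one DER tag/length/value at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _oid(content):
    """Decode OBJECT IDENTIFIER content octets to dotted form."""
    arcs, acc = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                     # last 7-bit group of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert):
    """Dotted OID of Certificate.signatureAlgorithm; accepts PEM text or DER bytes."""
    if isinstance(cert, str):
        body = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END", cert, re.S).group(1)
        cert = base64.b64decode("".join(body.split()))
    _, seq, _ = _tlv(cert, 0)                # Certificate ::= SEQUENCE { tbs, algId, sig }
    _, _, p = _tlv(seq, 0)                   # skip tbsCertificate
    _, alg_id, _ = _tlv(seq, p)              # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    tag, oid, _ = _tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER in AlgorithmIdentifier")
    return _oid(oid)

def describe(cert):
    oid = signature_algorithm(cert)
    return SIG_OIDS.get(oid, f"other ({oid})")

# Constructed skeleton for testing, NOT a real certificate: empty tbsCertificate,
# sha256WithRSAEncryption AlgorithmIdentifier with NULL params, empty signature.
SAMPLE_DER = bytes.fromhex("3014" "3000" "300d06092a864886f70d01010b0500" "030100")
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(SAMPLE_DER).decode() + "\n-----END CERTIFICATE-----\n"
```

Run `describe(open("server.crt").read())` against the server and client certificates exported from pfSense to confirm what was actually signed.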

                    @Makje:

                    Really? It didn't work for my T20P phones this way….
                    Even when you create your certificates selecting SHA1 encryption (1024 or 2048 key) the signature algorithm is still sha256RSA instead of sha1RSA and that didn't work for my phones.
                    What I did was make the certificates for CA, Server and User (the phones) in pfSense 2.0.3 and export them and after that import them on pfSense 2.1.
                    Then create the OpenVPN server with these certificates and export the T28 client; with 1.1.5 that works again.

                    You must not have applied the patch I posted earlier in the thread. Without that patch the GUI doesn't properly let you select SHA1.

                      Makje

                      @jimp:

                      You must not have applied the patch I posted earlier in the thread. Without that patch the GUI doesn't properly let you select SHA1.

                      You are correct, somehow i thought that wasn't necessary anymore… My mistake :-[

                        C.Peleska

                        Hi Guys,
                        Now that I tested everything back and forth, it seems that with the Exporter update 1.3.4 and the GUI patch pfSense 2.1 works totally great!
                        (And it doesn't matter if you did an update from 2.0.3 or a clean install with 2.1)

                        I Tried T-38G,T-26P and T-22 Yealinks and everything works like a charm.

                        Thank you all so much for your help! I am definitely getting a "Gold Membership" just to value your efforts! There are many commercial companies out there with lesser ability to help with problems.

                        (And maybe if you put another membership in between the Gold Membership for 99$ and the Support subscription for 600$ some more people like me are willing to pay you some more for your really really great support)

                        Thanks!
                        Christian

                          pbxman123

                          Hi All,

                          This may be my second post here.  This forum is a fantastic resource for being spot on for resolution.  I am having an issue with this set up as well.  I am using Yealink T20P phones, pfSense 2.1, Export Client 1.2.4 and the applied GUI Patch all successfully installed according to pfSense.  I removed everything, the CA, Server/Client Cert and Server and used different export methods, x509, tls-auth, with CN, without CN…I have tried everything and I keep getting UNDEF in my connection for the Phones.  The log states "TLS Handshake failed" and "TLS key negotiation failed to occur within 60 seconds".  I used the TLS authentication checked and unchecked, the VPN connects but states the same error and a virtual address is not assigned from my block.

                          I am using the T.28 export. 
                          I removed the old cert on the T20 by disabling the VPN, reboot, upload new config and reboot.  I have a static public IP on the Server and the IP phone is in the DMZ of a Linksys WRT54G2 on my ADSL router.  My Windows and Android clients connect perfectly via another session on the same physical server.  Can anyone assist/guide me as to what I am doing wrong?  Could this be a NAT issue?

                            jimp Rebel Alliance Developer Netgate

                            There should be a client log you can get from the phone that has more detail.

                            If it times out like that, the client usually is rejecting something from the server, or something in its config.

                            Top suspects are usually either the clock, or the phone not liking something else about the certs.

                              pbxman123

                              Hi Jimp,

                              Thank you very much for the reply and your guidance, I was able to figure out the issue from the phone logs as you said.  The issue that came up was:

                              "TLS Error: Unroutable control packet received from "x.x.x.x:1194" (si=3 op=P_CONTROL_V1)" (I hid my IP)

                              I was able to get a clue to the issue using this site:

                              http://glycogen.net/2012/12/01/pfsense-openvpn-server-with-dd-wrt-clients/

                              It alluded to an issue with the Common Name used in the CA Server Certificate, which must be a FQDN.  This baffles me, maybe because I am new to this, however can you or someone else on this forum explain why this is necessary for these phones while a non-FQDN Common Name works with my PC and Android phone?  Does it have to do with the version of the OpenVPN client and the method used?  Any information to help me understand this better would be greatly appreciated.

                                jimp Rebel Alliance Developer Netgate

                                The clock/time is the most common cause of that particular error that I have seen. I am not aware nor have I seen anything require an FQDN for the cert CN.

                                  pbxman123

                                  Thanks.  I implemented the solution today.  During the Holidays it is near impossible to gain access to/leave our building due to the City area being extremely busy for shopping.  As a rule we work remotely for this week, however I moved the PBX to another more manageable and secure network.  The work we do is similar to a NOC, but Tier 2 which is on call.  When persons try to contact the office it was difficult to get to my Staff members or the member needed to fix a problem.  My staff can now work remotely using their Cell, Yealink or PC Soft Phone to remedy issues when someone calls the office PBX.

                                  Thanks to you Jimp for guidance and showing me/us how to patch the GUI  issue and also to sscardefield….a fantastic job of putting the step by step guide together showing the creation of Certificates for OpenVPN both with and without User Authentication.  This actually got me to understand the process better than using the wizard.  Thanks to everyone else who participated in this thread as well.

                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.