    OpenVPN Yealink T48G issues… TLS key negotiation failed

      jdetmold

      I have been fighting with this for days…

      I have a T48G that I am trying to get working with pfSense OpenVPN.

      I have tried many things that I think should work but so far nothing.

      Currently I have:

      Remote Access SSL/TLS
      TLS Authentication is unchecked
      CA & Cert are set correctly
      I have tried many encryption algorithms (found this thread https://forum.pfsense.org/index.php?topic=54294.0 so currently set to bf-cbc)
      tunnel network and local network are correct.

      I then export for T38G(2); as far as I can tell it should be the same for T48G (/config/openvpn/keys/).

      When the phone reboots it does show up in OpenVPN status (sort of):

      Common Name	Real Address	Virtual Address	Connected Since	Bytes Sent	Bytes Received
      UNDEF	10.99.147.113:1194		Tue Jan 20 23:22:07 2015	8226	1350

      and the OpenVPN log shows:

      Jan 20 23:10:56	openvpn[8747]: 10.99.147.113:1194 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
      Jan 20 23:10:56	openvpn[8747]: 10.99.147.113:1194 TLS Error: TLS handshake failed
      

      If anyone can offer any help or suggestions to try, that would be great!

      Jeff

        divsys

        I haven't played with that particular phone, but you may be able to get some more log info on the pfSense side by upping the diagnostics level.  Add the command "verb 5" (or even "verb 7" to get tooooons of info) to the Advanced Configuration section of the OpenVPN server.

        The messages generated may help you to track down exactly where the connection fails, especially if you can compare it to a log for the T38G (which I presume does work?).

        -jfp

          jimp Rebel Alliance Developer Netgate

          Get the log from the phone, IIRC you can download it from one of the diagnostics pages.

          Did you make sure to set both the CA and certs up using SHA1, not the default SHA256? Some of those handsets will only deal with SHA1 certificates.

            cmb

            @jimp:

            Did you make sure to set both the CA and certs up using SHA1, not the default SHA256? Some of those handsets will only deal with SHA1 certificates.

            More than likely this. IIRC all the Yealink phones will fail with anything > SHA1.

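The SHA1 versus SHA256 question raised in the two replies above can be answered directly from the exported files. The following is an added example, not part of the original thread: it lists the signature algorithm of every certificate in each file it is given. It assumes the `openssl` CLI is installed; the function names and the file names in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): list the signature algorithm of every
# certificate found in the given files, so a SHA256-signed CA or client cert
# can be spotted before the files are loaded on the phone.
# Assumes the openssl CLI is installed; function names are hypothetical.

# Print "<subject><TAB><signature algorithm>" for each certificate in file $1.
# Works on single-certificate files and on files holding several PEM blocks.
cert_sig_algs() {
    csa_dir=$(mktemp -d) || return 1
    # Split the input into one file per PEM certificate block.
    awk -v dir="$csa_dir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%03d.pem", dir, n) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$1"
    for csa_f in "$csa_dir"/cert*.pem; do
        [ -e "$csa_f" ] || continue
        csa_subj=$(openssl x509 -in "$csa_f" -noout -subject)
        # The first "Signature Algorithm:" line in the text dump names the digest.
        csa_alg=$(openssl x509 -in "$csa_f" -noout -text |
                  awk '/Signature Algorithm:/ { print $NF; exit }')
        printf '%s\t%s\n' "$csa_subj" "$csa_alg"
    done
    rm -rf "$csa_dir"
}

# Print how many certificates in file $1 are signed with something other than SHA1.
count_non_sha1() {
    cert_sig_algs "$1" |
        awk -F'\t' 'tolower($NF) !~ /sha1/ { n++ } END { print n + 0 }'
}

# Usage: sh check_sigalg.sh ca.crt client.crt   (file names are placeholders)
for csa_arg in "$@"; do
    echo "== $csa_arg"
    cert_sig_algs "$csa_arg"
    echo "certificates not signed with SHA1: $(count_non_sha1 "$csa_arg")"
done
```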
              bchow

              Was there a confirmed solution for this?  I'm having the same issue with T46G ever since upgrading from 2.1 to 2.2.  I can also add that it does actually connect to the VPN when connecting from the LAN side, but not from the WAN side.  What's even more confusing is that I can connect with some different clients, such as OpenVPN Connect on Android, while getting similar failing results with other phones such as a SNOM 720.  The SIP phones all seem to run various versions of OpenVPN 2.2 or 2.1.  These all did work prior to the 2.2 upgrade.

              ** Edit
              CA and certs are SHA1
