OpenVPN Yealink T48G issues… TLS key negotiation failed
-
I have been fighting with this for days…
I have a T48G that I am trying to get working with pfSense OpenVPN.
I have tried many things that I think should work but so far nothing.
Currently I have:
Remote Access SSL/TLS
TLS Authentication is unchecked
CA & Cert are set correctly
I have tried many encryption algorithms (found this thread https://forum.pfsense.org/index.php?topic=54294.0 so currently set to bf-cbc)
Tunnel network and local network are correct.
I then export for T38G(2); as far as I can tell it should be the same for T48G (/config/openvpn/keys/).
When the phone reboots it does show up in OpenVPN status (sort of):
Common Name | Real Address | Virtual Address | Connected Since | Bytes Sent | Bytes Received
UNDEF | 10.99.147.113:1194 | | Tue Jan 20 23:22:07 2015 | 8226 | 1350
and the OpenVPN log shows:
Jan 20 23:10:56 openvpn[8747]: 10.99.147.113:1194 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Jan 20 23:10:56 openvpn[8747]: 10.99.147.113:1194 TLS Error: TLS handshake failed
If anyone can offer any help or suggestions to try, that would be great!
Jeff
-
I haven't played with that particular phone, but you may be able to get some more log info on the pfSense side by upping the diagnostics level. Add the command "verb 5" (or even "verb 7" to get tooooons of info) to the Advanced Configuration section of the OpenVPN server.
The messages generated may help you to track down exactly where the connection fails, especially if you can compare it to a log for the T38G (which I presume does work?).
-
Get the log from the phone; IIRC you can download it from one of the diagnostics pages.
Did you make sure to set both the CA and certs up using SHA1, not the default SHA256? Some of those handsets will only deal with SHA1 certificates.
-
> Did you make sure to set both the CA and certs up using SHA1, not the default SHA256? Some of those handsets will only deal with SHA1 certificates.
More than likely this. IIRC all the Yealink phones will fail with anything > SHA1.
-
Was there a confirmed solution for this? I'm having the same issue with T46G ever since upgrading from 2.1 to 2.2. I can also add that it does actually connect to the VPN when connecting from the LAN side, but not from the WAN side. What's even more confusing is that I can connect with some different clients, such as OpenVPN Connect on Android, while getting similar failing results with other phones such as a SNOM 720. The SIP phones all seem to run various versions of OpenVPN 2.2 or 2.1. These all did work prior to the 2.2 upgrade.
** Edit
CA and certs are SHA1