Yealink VoIP SSL VPN Capabilities

I have been testing a Yealink T21 phone which incorporates settings for OpenVPN SSL in its firmware.  

If I can connect a phone to the UTM's SSL VPN it would simplify connections from dynamic addresses. I would no longer need to worry about managing SIP and RTP ports for dynamic addresses as they would all be tunneled.

Has anyone been successful in getting a Yealink to connect to the UTM SSL VPN?  One issue I have is with managing user name and password, which it seems I need passed by the phone.


This thread was automatically locked due to age.
  • Hi BangkokBob,

    Did you find a solution for this?

  • Gents, I managed to get the Yealink T21P E2 to work with Sophos VPN (SSL).

    See below the config file (vpn.cnf); the order must be exactly as per below:

    client
    dev tun
    proto tcp
    remote xxx.xxx.xxx.xxx 443
    tls-remote "/C=za/L=JHB/O=Company Name/CN=me.domain/emailAddress=me@domain.com"
    route remote_host 255.255.255.255 net_gateway
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca /config/openvpn/keys/ca.crt
    cert /config/openvpn/keys/client1.crt
    key /config/openvpn/keys/client1.key
    auth-user-pass /config/openvpn/keys/auth.cfg
    cipher AES-128-CBC
    auth MD5
    comp-lzo
    route-delay 4
    verb 3
    reneg-sec 0

  • Hello,

    I'm also trying to get a Yealink T41 to work with Sophos VPN(SSL).

    Only a sample vpn.cnf is shown in the thread.

    Could you please briefly document the whole process?

    From creating the certificates on the Sophos UTM, including which fields need entering etc., to uploading the files to the phone.

    It saves me re-inventing the wheel.

    Thanks.

  • You ever get an answer to this? I am trying to accomplish the same.

  • Hi,

    I have added your posted lines to my configuration, on a Yealink IP Phone SIP-T21P E2, firmware version: 52.81.0.110

    This log is from my Yealink:

    Nov 13 21:09:05 192.168.196.207 openvpn[1027]: TLS Error: TLS object -> incoming plaintext read error
    Nov 13 21:09:05 192.168.196.207 openvpn[1027]: TLS Error: TLS handshake failed
    Nov 13 21:09:05 192.168.196.207 openvpn[1027]: Fatal TLS error (check_tls_errors_co), restarting
    Nov 13 21:09:05 192.168.196.207 openvpn[1027]: TCP/UDP: Closing socket
    Nov 13 21:09:05 192.168.196.207 openvpn[1027]: SIGUSR1[soft,tls-error] received, process restarting
    Nov 13 21:09:05 192.168.196.207 openvpn[1027]: Restart pause, 5 second(s)
    Nov 13 21:09:06 192.168.196.207 ipvp[1059]: IPVP<5+notice> 346.363.256:Message=0x00040001(0x00000000+0x00000001+0)
    Nov 13 21:09:10 192.168.196.207 openvpn[1027]: WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page).
    Nov 13 21:09:10 192.168.196.207 openvpn[1027]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Nov 13 21:09:10 192.168.196.207 openvpn[1027]: Re-using SSL/TLS context
    Nov 13 21:09:10 192.168.196.207 openvpn[1027]: LZO compression initialized
    Nov 13 21:09:10 192.168.196.207 openvpn[1027]: Control Channel MTU parms [ L:1556 D:140 EF:40 EB:0 ET:0 EL:0 ]
    Nov 13 21:09:10 192.168.196.207 openvpn[1027]: Socket Buffers: R=[87380->131072] S=[16384->131072]
    Nov 13 21:09:10 192.168.196.207 openvpn[1027]: Data Channel MTU parms [ L:1556 D:1450 EF:56 EB:135 ET:0 EL:0 AF:3/1 ]
    Nov 13 21:09:10 192.168.196.207 openvpn[1027]: Local Options hash (VER=V4): '619088b2'
    Nov 13 21:09:10 192.168.196.207 openvpn[1027]: Expected Remote Options hash (VER=V4): 'a4f12474'
    Nov 13 21:09:10 192.168.196.207 openvpn[1027]: Attempting to establish TCP connection with 187.216.10.34:443 [nonblock]
    Nov 13 21:09:11 192.168.196.207 openvpn[1027]: TCP connection established with x.xx.x.x:443
    Nov 13 21:09:11 192.168.196.207 openvpn[1027]: TCPv4_CLIENT link local: [undef]
    Nov 13 21:09:11 192.168.196.207 openvpn[1027]: TCPv4_CLIENT link remote: x.x.x.x:443
    Nov 13 21:09:11 192.168.196.207 openvpn[1027]: TLS: Initial packet from x.x.x.x:443, sid=959c805f 1284564d
    Nov 13 21:09:11 192.168.196.207 openvpn[1027]: VERIFY OK: depth=1,
    Nov 13 21:09:30 192.168.196.207 openvpn[1027]: VERIFY X509NAME ERROR: /C=mx/L=x/O=x/CN=utmfw01/emailAddress=someone@example.com, must be C=x, L=x, x, O=x, CN=utmfw01, emailAddress=someone@example.com must be C=x, L=x, x, O=x, CN=utmfw01, emailAddress=omeone@example.com
    Nov 13 21:09:30 192.168.196.207 openvpn[1027]: TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
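Added example, not part of the thread or of any poster's setup: the log above ends in `VERIFY X509NAME ERROR`, where the certificate subject is printed in slash-delimited form and the expected value taken from `tls-remote` is comma-separated. This Python helper scans such log lines and reports whether presented and expected subjects differ only in formatting or in an actual attribute; the sample lines, host address and names in it are constructed.

```python
import re

# Constructed sample lines in the format of the phone's syslog output.
SAMPLE_LOG = """\
Nov 13 21:09:30 192.0.2.10 openvpn[1027]: VERIFY X509NAME ERROR: /C=mx/L=City/O=Org/CN=utmfw01/emailAddress=admin@example.com, must be C=mx, L=City, O=Org, CN=utmfw01, emailAddress=admin@example.com
Nov 13 21:10:02 192.0.2.10 openvpn[1027]: VERIFY X509NAME ERROR: /C=mx/L=City/O=Org/CN=utmfw02/emailAddress=admin@example.com, must be /C=mx/L=City/O=Org/CN=utmfw01/emailAddress=admin@example.com
Nov 13 21:10:05 192.0.2.10 openvpn[1027]: TLS Error: TLS handshake failed
"""

X509NAME_RE = re.compile(r"VERIFY X509NAME ERROR: (?P<got>.+?), must be (?P<want>.+)$")


def parse_dn(dn):
    """Return [(attr, value), ...] from a slash- or comma-delimited subject."""
    dn = dn.strip().strip('"')
    slash = dn.startswith("/")
    parts = dn[1:].split("/") if slash else dn.split(",")
    pairs = []
    for part in parts:
        key, sep, value = part.strip().partition("=")
        if sep:
            pairs.append((key, value))
        elif pairs:
            # No '=': the previous value itself contained the delimiter.
            k, v = pairs[-1]
            pairs[-1] = (k, v + ("/" if slash else ", ") + part.strip())
    return pairs


def classify(line):
    """Return (verdict, differing_attrs) for an X509NAME error line, else None."""
    m = X509NAME_RE.search(line)
    if not m:
        return None
    got, want = parse_dn(m.group("got")), parse_dn(m.group("want"))
    if got == want:
        return ("format-only", [])  # same attributes, different string form
    g, w = dict(got), dict(want)
    differing = sorted(k for k in set(g) | set(w) if g.get(k) != w.get(k))
    return ("attribute-mismatch" if differing else "order-only", differing)


def scan(log_text):
    """Classify every X509NAME verification error in a block of log text."""
    results = (classify(line) for line in log_text.splitlines())
    return [r for r in results if r is not None]


if __name__ == "__main__":
    for verdict, attrs in scan(SAMPLE_LOG):
        print(verdict, attrs)
```

A `format-only` verdict points at how the `tls-remote` string is written in vpn.cnf; an `attribute-mismatch` means the certificate presented is not the one the configuration names and should be investigated before changing the config.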