SNOM 370 OPENVPN problems connecting to 3CX

Discussion in '3CX Phone System - General' started by martinp, Oct 16, 2009.

Thread Status:
Not open for further replies.
  1. martinp

    Joined:
    Oct 16, 2009
    Messages:
    6
    Likes Received:
    0
    Hi

    I've tried a lot, but I think it is time to ask someone in this forum. I'm trying to get a SNOM 370 working with OpenVPN. I installed OpenVPN on the 3CX Windows machine. It is possible to get an OpenVPN connection from an outside PC to the OpenVPN server, so the config file should be OK.

    I've tried the following firmware versions on the phone:
    snom370-SIP 7.3.7-VPN
    snom370-SIP 7.3.23-VPN
    3CX Version used is: 8.0.9532

    Network:

    Office:
    Static IP: 82.xx.xx.21
    Internal IP of the OpenVPN server and the 3CX: 192.168.2.10/255.255.255.0

    Home Office:
    Static IP: 83.xx.xx.22
    IP of the Phone: 192.168.1.207

    Both locations have a firewall, at 192.168.2.1 and 192.168.1.1 respectively.
    But as mentioned, a PC OPENVPN connection is working, so it should not be a firewall issue.


    Here is my configuration:

    server.ovpn:

    mode server
    tls-server
    dev tap
    ca ca.crt
    cert server.crt
    key server.key
    dh dh1024.pem
    proto tcp-server
    keepalive 10 120
    verb 5

    3cx-phone: vpn.cnf:

    client
    tls-client
    dev tap
    ca /openvpn/ca.crt
    cert /openvpn/client.crt
    key /openvpn/client.key
    keepalive 10 120
    remote 87.xxx.xxx.xxx 1194
    proto tcp-client

    From a Windows 7 PC it is possible to get a connection running with the above configuration. I also tried proto udp, but I still get the same results.

    Here are some of the lines from the logs with verbosity 5. The last lines come when restarting the phone.


    Sat Oct 17 00:09:08 2009 us=671000 MULTI: multi_create_instance called
    Sat Oct 17 00:09:08 2009 us=671000 Re-using SSL/TLS context
    Sat Oct 17 00:09:08 2009 us=671000 Control Channel MTU parms [ L:1575 D:140 EF:40 EB:0 ET:0 EL:0 ]
    Sat Oct 17 00:09:08 2009 us=671000 Data Channel MTU parms [ L:1575 D:1450 EF:43 EB:4 ET:32 EL:0 ]
    Sat Oct 17 00:09:08 2009 us=671000 Local Options String: 'V4,dev-type tap,link-mtu 1575,tun-mtu 1532,proto TCPv4_SERVER,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
    Sat Oct 17 00:09:08 2009 us=671000 Expected Remote Options String: 'V4,dev-type tap,link-mtu 1575,tun-mtu 1532,proto TCPv4_CLIENT,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
    Sat Oct 17 00:09:08 2009 us=671000 Local Options hash (VER=V4): 'a917298a'
    Sat Oct 17 00:09:08 2009 us=671000 Expected Remote Options hash (VER=V4): '10f35004'
    Sat Oct 17 00:09:08 2009 us=671000 TCP connection established with 83.xx.xx.22:50814
    Sat Oct 17 00:09:08 2009 us=671000 Socket Buffers: R=[8192->8192] S=[8192->8192]
    Sat Oct 17 00:09:08 2009 us=671000 TCPv4_SERVER link local: [undef]
    Sat Oct 17 00:09:08 2009 us=671000 TCPv4_SERVER link remote: 83.xx.xx.22:50814
    Sat Oct 17 00:09:08 2009 us=671000 83.xx.xx.22:50814 TLS: Initial packet from 83.xx.xx.22:50814, sid=4595bfbc bb1be548
    Sat Oct 17 00:09:11 2009 us=187000 83.xx.xx.22:50814 VERIFY OK: depth=1, /C=DE/ST=xxx/L=xxx/O=xxx/OU=IT/CN=xxx_3CX_CA/emailAddress=info@x.com
    Sat Oct 17 00:09:11 2009 us=187000 83.xx.xx.22:50814 VERIFY OK: depth=0, /CN=3CX_VPN_Client_1/emailAddress=3cxvpn1@xxx.com
    Sat Oct 17 00:09:11 2009 us=359000 83.xx.xx.22:50814 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Sat Oct 17 00:09:11 2009 us=359000 83.xx.xx.22:50814 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Sat Oct 17 00:09:11 2009 us=359000 83.xx.xx.22:50814 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
    Sat Oct 17 00:09:11 2009 us=359000 83.xx.xx.22:50814 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
    Sat Oct 17 00:09:11 2009 us=625000 83.xx.xx.22:50814 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
    Sat Oct 17 00:09:11 2009 us=625000 83.xx.xx.22:50814 [3CX_VPN_Client_1] Peer Connection Initiated with 83.xx.xx.22:50814
    Sat Oct 17 00:09:11 2009 us=625000 3CX_VPN_Client_1/83.xx.xx.22:50814 MULTI: no dynamic or static remote --ifconfig address is available for 3CX_VPN_Client_1/83.xx.xx.22:50814
    Sat Oct 17 00:09:12 2009 us=500000 3CX_VPN_Client_1/83.xx.xx.22:50814 PUSH: Received control message: 'PUSH_REQUEST'
    Sat Oct 17 00:09:12 2009 us=500000 3CX_VPN_Client_1/83.xx.xx.22:50814 SENT CONTROL [3CX_VPN_Client_1]: 'PUSH_REPLY,ping 10,ping-restart 120' (status=1)


    I hope someone has a hint for me; I've tried so many different configs, but I can't get it to connect.

    Kind regards,

    Martin
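An added example (not from the thread, from 3CX or from snom): a small consistency checker for an OpenVPN server/client config pair, run over the two configs posted above. The server log above ends in "no dynamic or static remote --ifconfig address is available", which is what a server config without `server`, `server-bridge`, `ifconfig-pool` or `ifconfig-push` produces once TLS has succeeded; the checker reports that case together with dev, proto and port mismatches. The directive names are real OpenVPN directives; the rule set and the wording of the findings are my own.

```python
"""Consistency checks for an OpenVPN server/client config pair.

Added example, not code from the thread: parses both sides and reports the
mismatches that most often leave a client "connected" at the TLS level but
without a usable tunnel.
"""

# Both configs are copied from the first post of the thread.
SERVER_CONF = """\
mode server
tls-server
dev tap
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
proto tcp-server
keepalive 10 120
verb 5
"""

CLIENT_CONF = """\
client
tls-client
dev tap
ca /openvpn/ca.crt
cert /openvpn/client.crt
key /openvpn/client.key
keepalive 10 120
remote 87.xxx.xxx.xxx 1194
proto tcp-client
"""

# Directives that hand a connecting client an address on the VPN. Without one
# of these the server logs "no dynamic or static remote --ifconfig address is
# available" right after the TLS handshake.
ADDRESS_DIRECTIVES = {"server", "server-bridge", "ifconfig-pool", "ifconfig-push"}

# proto values that are valid counterparts of each other (server, client).
PROTO_PAIRS = {("udp", "udp"), ("tcp-server", "tcp-client"), ("tcp", "tcp")}


def parse_conf(text):
    """Return a dict of directive -> list of argument lists.

    OpenVPN allows a directive to repeat (e.g. several `remote` lines), so
    every occurrence is kept. Comments (# or ;) and blank lines are dropped.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        name, *args = line.split()
        conf.setdefault(name, []).append(args)
    return conf


def first(conf, name, default=None):
    """First argument of the first occurrence of `name`, or `default`."""
    occ = conf.get(name)
    return occ[0][0] if occ and occ[0] else default


def check_pair(server_text, client_text):
    """Return a list of human-readable findings; an empty list means consistent."""
    srv, cli = parse_conf(server_text), parse_conf(client_text)
    findings = []

    # 1. Device type must match: a tap client cannot talk to a tun server.
    s_dev, c_dev = first(srv, "dev"), first(cli, "dev")
    if s_dev != c_dev:
        findings.append(f"dev mismatch: server={s_dev} client={c_dev}")

    # 2. Transport must be complementary (OpenVPN defaults to udp).
    s_proto, c_proto = first(srv, "proto", "udp"), first(cli, "proto", "udp")
    if (s_proto, c_proto) not in PROTO_PAIRS:
        findings.append(f"proto mismatch: server={s_proto} client={c_proto}")

    # 3. The server must be able to assign the client an address.
    if not ADDRESS_DIRECTIVES.intersection(srv) and "client-config-dir" not in srv:
        findings.append("server has no address assignment (server/server-bridge/"
                        "ifconfig-pool/ifconfig-push): clients complete TLS but get no IP")

    # 4. `server` already expands to an `ifconfig`; a second explicit one is
    #    at best redundant and at worst contradicts the pool.
    if "server" in srv and "ifconfig" in srv:
        findings.append("server uses both `server` and an explicit `ifconfig`")

    # 5. The client must know where to connect, and on the port the server uses.
    remotes = cli.get("remote", [])
    if not remotes:
        findings.append("client has no remote directive")
    s_port = first(srv, "port", "1194")
    c_port = remotes[0][1] if remotes and len(remotes[0]) > 1 else "1194"
    if s_port != c_port:
        findings.append(f"port mismatch: server listens on {s_port}, client uses {c_port}")

    return findings


if __name__ == "__main__":
    for f in check_pair(SERVER_CONF, CLIENT_CONF) or ["no findings"]:
        print(f)
```

Run against the posted pair the checker reports exactly one finding, the missing address assignment, which lines up with the MULTI line in the log above; dev, proto and port are consistent between the two files.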
     
  2. leejor

    leejor Well-Known Member

    Joined:
    Jan 22, 2008
    Messages:
    10,374
    Likes Received:
    231
    Could it be anything to do with the difference in the IPs 192.168.1.XX and 192.168.2.XX? Maybe try a subnet mask of 255.255.0.0? Just a guess, as I haven't used OpenVPN, just PPTP with a PC to a DD-WRT router. What do the 3CX logs show when the set tries to register?
     
  3. martinp

    Joined:
    Oct 16, 2009
    Messages:
    6
    Likes Received:
    0
    Hi

    Sorry, maybe I explained it wrong.
    192.168.2.1 is the Gateway in the Office and 192.168.1.1 is at home.

    Just for information, it is a test setup - when it will be connecting, the "home" IP will be a different one, and maybe also a dynamic IP.

    Have a nice weekend

    Martin
     
  4. leejor

    leejor Well-Known Member

    Joined:
    Jan 22, 2008
    Messages:
    10,374
    Likes Received:
    231
    Forgive the questions, as I said, I haven't used OpenVPN.

    When you run this from the host/3CX PC I can understand it allowing a VPN connection from another, remote PC running the same program, and as you said, that works. But does that remote PC also allow other devices (the SNOM), or a second PC NOT running OpenVPN on the remote network, to also connect with the host/3CX PC's LAN? Since the SNOM isn't capable of running OpenVPN itself, it would be relying on the PC at its end to do the "handshaking" (setting up the VPN connection, dealing with the differences in the two local LANs' IPs) for it; is that something that OpenVPN is capable of doing? Which means that the settings in the SNOM would have to "point" to the PC on its local LAN rather than the LAN where 3CX is located, since all communication would have to pass through there to be encrypted.
     
  5. martinp

    Joined:
    Oct 16, 2009
    Messages:
    6
    Likes Received:
    0
    Hi

    As mentioned in my post, a normal Windows 7 PC, which is in the home office, can connect through the OpenVPN tunnel with exactly the same config as the phone.

    Kind regards,
    Martin
     
  6. leejor

    leejor Well-Known Member

    Joined:
    Jan 22, 2008
    Messages:
    10,374
    Likes Received:
    231
    But do you not have to be running OpenVPN client software on the Windows 7 (remote) PC? And does that also allow other devices on the remote LAN to connect with the OpenVPN server at the 3CX end? Because if it doesn't then the phone cannot establish a VPN connection with the OpenVPN server at the far end. If the client PC can only establish a VPN connection back to the server for itself then you would require a VPN router to allow more than one device to tunnel to the server LAN.
     
  7. martinp

    Joined:
    Oct 16, 2009
    Messages:
    6
    Likes Received:
    0
    Hi

    As I understand it, the SNOM 370 has OpenVPN installed with the firmware. I can also see that the phone "comes in" in the OpenVPN console on the OpenVPN server, but it still isn't able to connect to the 3CX. As my knowledge of OpenVPN is not too big, I can't see if the phone successfully comes through the handshake. But as mentioned, the exact same config, including the key and certs, is running from a PC....
     
  8. leejor

    leejor Well-Known Member

    Joined:
    Jan 22, 2008
    Messages:
    10,374
    Likes Received:
    231
    If the SNOM includes OpenVPN, and it looks like it does, see this... http://wiki.snom.com/Networking/VPN , then I'm not sure why it isn't working. You may want to do a search for forums dealing with the Snom 370; a quick search turned up a number.
     
  9. jelliott52

    Joined:
    Oct 21, 2009
    Messages:
    28
    Likes Received:
    0
    Martinp
    Just my 2 cents worth, but you have to have OpenVPN installed on the phone or your 2 networks have to be joined together via OpenVPN. You have OpenVPN installed on the Win7 PC and it connects fine, so OpenVPN is installed correctly, but the phone doesn't know about the other network. An easier way is to install OpenVPN at the router on each end and then you have one big happy network. I use Clark Connect router software for stuff like this. Works great!

    Jay
     
  10. martinp

    Joined:
    Oct 16, 2009
    Messages:
    6
    Likes Received:
    0
    Hi

    The problem is, I can't find anyone dealing with the issue I have. As you maybe can see, I also posted a message in the SNOM forum (VPN). We are not talking about a lot of OpenVPN/snom related forums and posts; I've seen about 20 posts for now....

    We only want the phones to connect via OpenVPN. Site-to-site VPN is too intensive when dealing with several workers outside the office.....

    Therefore OpenVPN on a snom 370 is really cool. We configure it at our office, send it to the user, he plugs it into his router/switch, DONE.

    But as i can see, that is at the moment not the case.

    Isn't there someone with knowledge of OpenVPN who can have a look at the config I provided? Maybe the phone needs other values than a PC. (But the config is exactly what 3CX provides on their site: http://www.3cx.com/support/secure-calls-openvpn.html )

    Thanks
    Martin
     
  11. martinp

    Joined:
    Oct 16, 2009
    Messages:
    6
    Likes Received:
    0
    Hi again

    I tried another config yesterday, which also shows on the telephone that I am connected to the VPN. I can also see that more happens in the OpenVPN console. But I can't ping the phone from inside the network and the phone doesn't register on the 3CX. When I use Wireshark, I can see that it sends SIP connections to the 3CX but doesn't get answers back....
    I think we are really near to finishing this case. I think it is a routing problem, but I can't figure it out.....

    I followed this manual: http://wiki.snom.com/Networking/Virtual_Private_Network_%28VPN%29/How_To_for_windows


    Here is my config:

    Server.ovpn

    port 1194
    proto udp
    dev tun
    ca ca.crt
    cert server.crt
    key server.key
    dh dh1024.pem
    server 192.168.200.0 255.255.255.0
    client-to-client
    keepalive 10 120
    persist-key
    persist-tun
    status C:\\openvpn-status.log
    verb 6
    ifconfig 192.168.200.230 192.168.200.231


    vpn.cnf (the client)

    client
    dev tun
    proto udp
    remote 87.x.x.249 1194
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca /openvpn/ca.crt
    cert /openvpn/client.crt
    key /openvpn/client.key
    ns-cert-type server
    verb 0
    ping 10
    ping-restart 60
    ifconfig 192.168.200.231 192.168.200.230

    IP-Config from the OpenVPN Server:

    Ethernet adapter Network Bridge:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : MAC Bridge Miniport
    Physical Address. . . . . . . . . : 02-FF-EF-30-36-B4
    DHCP Enabled. . . . . . . . . . . : No
    IP Address. . . . . . . . . . . . : 192.168.200.1
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    IP Address. . . . . . . . . . . . : 192.168.2.10
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 192.168.2.1

    Route print from the OpenVPN server:
    ===========================================================================
    Interface List
    0x1 ........................... MS TCP Loopback interface
    0x10003 ...02 ff ef 30 36 b4 ...... MAC Bridge Miniport
    ===========================================================================
    ===========================================================================
    Active Routes:
    Network Destination    Netmask          Gateway        Interface      Metric
    0.0.0.0                0.0.0.0          192.168.2.1    192.168.2.10   10
    127.0.0.0              255.0.0.0        127.0.0.1      127.0.0.1      1
    192.168.2.0            255.255.255.0    192.168.2.10   192.168.2.10   10
    192.168.2.10           255.255.255.255  127.0.0.1      127.0.0.1      10
    192.168.2.255          255.255.255.255  192.168.2.10   192.168.2.10   10
    192.168.200.0          255.255.255.0    192.168.200.1  192.168.2.10   10
    192.168.200.0          255.255.255.0    192.168.200.2  192.168.2.10   1
    192.168.200.1          255.255.255.255  127.0.0.1      127.0.0.1      10
    192.168.200.255        255.255.255.255  192.168.200.1  192.168.2.10   10
    224.0.0.0              240.0.0.0        192.168.2.10   192.168.2.10   10
    255.255.255.255        255.255.255.255  192.168.2.10   192.168.2.10   1
    Default Gateway: 192.168.2.1
    ===========================================================================
    Persistent Routes:
    None

    Kind regards
    Martin
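An added example, not part of the post or of the author's setup: it parses the `route print` output above and performs the lookup the Windows stack performs, longest matching prefix first and lowest metric as the tie-breaker. It answers where this server would send a packet to the phone's tunnel address 192.168.200.231 (from the client config above) and to the phone's home-LAN address 192.168.1.207 (from the first post). Both addresses are taken from the thread; the parser and the lookup are mine and assume the plain five-column layout of the Windows XP/2003-era table shown.

```python
"""Longest-prefix lookup over a Windows `route print` table.

Added example, not from the thread: parses the 'Active Routes' block posted
above and selects the route Windows would use for a destination (longest
prefix, then lowest metric).
"""
import ipaddress
from dataclasses import dataclass

# Copied from the route print in the post above.
ROUTE_PRINT = """\
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.2.1 192.168.2.10 10
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.2.0 255.255.255.0 192.168.2.10 192.168.2.10 10
192.168.2.10 255.255.255.255 127.0.0.1 127.0.0.1 10
192.168.2.255 255.255.255.255 192.168.2.10 192.168.2.10 10
192.168.200.0 255.255.255.0 192.168.200.1 192.168.2.10 10
192.168.200.0 255.255.255.0 192.168.200.2 192.168.2.10 1
192.168.200.1 255.255.255.255 127.0.0.1 127.0.0.1 10
192.168.200.255 255.255.255.255 192.168.200.1 192.168.2.10 10
224.0.0.0 240.0.0.0 192.168.2.10 192.168.2.10 10
255.255.255.255 255.255.255.255 192.168.2.10 192.168.2.10 1
Default Gateway: 192.168.2.1
"""


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address
    interface: ipaddress.IPv4Address
    metric: int


def parse_route_print(text):
    """Extract Route objects from a `route print` dump.

    Only lines with exactly five whitespace-separated fields that form a
    valid network/netmask pair are routes; the header, separators and the
    'Default Gateway:' line are skipped.
    """
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        dest, mask, gw, iface, metric = fields
        try:
            net = ipaddress.IPv4Network((dest, mask), strict=False)
            routes.append(Route(net, ipaddress.IPv4Address(gw),
                                ipaddress.IPv4Address(iface), int(metric)))
        except ValueError:
            continue  # header or separator line that happened to have 5 fields
    return routes


def lookup(routes, destination):
    """Return the Route Windows would select for `destination`, or None."""
    dst = ipaddress.IPv4Address(destination)
    candidates = [r for r in routes if dst in r.network]
    if not candidates:
        return None
    # Longest prefix wins; among equal prefixes the lowest metric wins.
    return min(candidates, key=lambda r: (-r.network.prefixlen, r.metric))


if __name__ == "__main__":
    table = parse_route_print(ROUTE_PRINT)
    for dest in ("192.168.200.231", "192.168.1.207"):
        r = lookup(table, dest)
        print(f"{dest} -> {r.network} via {r.gateway} on {r.interface} metric {r.metric}")
```

For the tunnel address the two /24 entries for 192.168.200.0 tie on prefix length and the metric-1 entry via 192.168.200.2 is chosen; the home-LAN address 192.168.1.207 matches nothing but the default route, so it leaves via 192.168.2.1 rather than through the tunnel.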
     