Sangoma VPN activated, traffic not passing to PBX

Fully patched FreePBX 14.0.13.40 hanging outside the office firewall on WAN 98.xxx.xxx.105. Configs pushed to Sangoma S305s in the VPN group at users' homes display “VPN activated” and provide dialtone, but no outbound or inbound traffic. S305s in the office work as expected. VPN wiki articles followed to verify settings. I may have missed something, but they look correct for my situation.

However:

Admin > Asterisk CLI > sip show peers:

Name/username Host Dyn Forcerport Comedia ACL Port Status
201/201 98.xxx.xxx.105 D Yes Yes A 27198 OK (7 ms)
202 (Unspecified) D Yes Yes A 0 UNKNOWN
203/203 98.xxx.xxx.105 D Yes Yes A 47300 OK (7 ms)
204 (Unspecified) D Yes Yes A 0 UNKNOWN
205 (Unspecified) D Yes Yes A 0 UNKNOWN
206 (Unspecified) D Yes Yes A 0 UNKNOWN
301/301 98.xxx.xxx.105 D Yes Yes A 26036 OK (59 ms)
302/302 98.xxx.xxx.105 D Yes Yes A 54836 OK (5 ms)
303/303 98.xxx.xxx.105 D Yes Yes A 54250 OK (10 ms)
304/304 98.xxx.xxx.105 D Yes Yes A 6653 OK (10 ms)
99202 (Unspecified) D Yes Yes A 0 UNKNOWN
99204 (Unspecified) D Yes Yes A 0 UNKNOWN
99205 (Unspecified) D Yes Yes A 0 UNKNOWN
99206 (Unspecified) D Yes Yes A 0 UNKNOWN
FusionOut/2162951900 64.xxx.xxx.6 Yes Yes 5060 Unmonitored
15 sip peers [Monitored: 6 online, 8 offline Unmonitored: 1 online, 0 offline]

One thought, VPN was implemented and working successfully for six months to the date of failure this past Monday. Could a certificate expire at six months?

If so, how would I fix that?

What other diagnostic reports would be helpful for this problem?

Thanks in advance,

- Ed -

I think my idea that it is an expired certificate may be the problem. I SSHed into the FreePBX server and issued these diagnostic commands:

[root@freepbx ~]# ifconfig
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.8.0.1 netmask 255.255.255.0 destination 10.8.0.1
inet6 fe80::e2a9:27c9:54c0:cbc3 prefixlen 64 scopeid 0x20
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC)

[root@freepbx ~]# tail -f /var/log/messages
Dec 10 16:27:14 freepbx openvpn: Thu Dec 10 16:27:14 2020 173.xxx.xx.28:54143 TLS Error: TLS object -> incoming plaintext read error
Dec 10 16:27:14 freepbx openvpn: Thu Dec 10 16:27:14 2020 173.xxx.xx.28:54143 TLS Error: TLS handshake failed
Dec 10 16:27:14 freepbx openvpn: Thu Dec 10 16:27:14 2020 173.xxx.xx.28:54143 SIGUSR1[soft,tls-error] received, client-instance restarting
Dec 10 16:27:41 freepbx openvpn: Thu Dec 10 16:27:41 2020 75.xxx.xxx.245:38448 TLS: Initial packet from [AF_INET]75.xxx.xxx.245:38448, sid=ea14e157 b046e375
Dec 10 16:27:41 freepbx openvpn: Thu Dec 10 16:27:41 2020 75.xxx.xxx.245:38448 VERIFY ERROR: depth=0, error=CRL has expired: CN=client5
Dec 10 16:27:41 freepbx openvpn: Thu Dec 10 16:27:41 2020 75.xxx.xxx.245:38448 OpenSSL: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
Dec 10 16:27:41 freepbx openvpn: Thu Dec 10 16:27:41 2020 75.xxx.xxx.245:38448 TLS_ERROR: BIO read tls_read_plaintext error

I’m not sure which cert is the problem (CA, clients).

Should I just create new CA and client certificates and push the new configs out to my VPN remote endpoints?

If so, how can I make the certs last longer than six months?

 - Ed -
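The log lines quoted above already contain the answer to "which cert is the problem": the verify error is `CRL has expired`, not `certificate has expired`, and it is reported at `depth=0` for a client that presents a perfectly good certificate. OpenSSL raises that error when the certificate revocation list the server enforces (OpenVPN's `crl-verify` file) is past its `nextUpdate` date, so every remote client is rejected at once regardless of its own certificate's validity. The script below is an added example, not code from the thread or from FreePBX: it parses syslog lines in the shape shown above (the sample lines are constructed, using RFC 5737 documentation addresses), groups the failures per remote client, tells a server-side CRL expiry apart from an expired client or CA certificate, and lists the matching remediation. The `crl_status` and `cert_status` helpers shell out to `openssl crl -nextupdate` and `openssl x509 -enddate`; the file paths are whatever you point them at, since the location of the VPN server's CRL and certificates on a given PBX is not shown on this page.

```python
"""Triage OpenVPN TLS failures from syslog and check CRL / certificate expiry.

Added example, not code from the original thread or from FreePBX.  It reads
lines in the shape of the /var/log/messages output quoted in the post, groups
them by remote client address, and distinguishes a server-side CRL expiry
(breaks every remote phone at once, fixed by reissuing the CRL) from an
expired client or CA certificate (needs new certificates, not just a new CRL).
"""
import re
import subprocess
from datetime import datetime, timezone

# Constructed sample lines (RFC 5737 documentation addresses) in the same
# shape as the post's log: 203.0.113.28 never completes the handshake,
# 198.51.100.245 is rejected because the server's CRL has expired, and
# 192.0.2.9 presents a client certificate that has itself expired.
SAMPLE_LOG = """\
Dec 10 16:27:14 freepbx openvpn: Thu Dec 10 16:27:14 2020 203.0.113.28:54143 TLS Error: TLS object -> incoming plaintext read error
Dec 10 16:27:14 freepbx openvpn: Thu Dec 10 16:27:14 2020 203.0.113.28:54143 TLS Error: TLS handshake failed
Dec 10 16:27:41 freepbx openvpn: Thu Dec 10 16:27:41 2020 198.51.100.245:38448 TLS: Initial packet from [AF_INET]198.51.100.245:38448, sid=ea14e157 b046e375
Dec 10 16:27:41 freepbx openvpn: Thu Dec 10 16:27:41 2020 198.51.100.245:38448 VERIFY ERROR: depth=0, error=CRL has expired: CN=client5
Dec 10 16:27:41 freepbx openvpn: Thu Dec 10 16:27:41 2020 198.51.100.245:38448 OpenSSL: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
Dec 10 16:28:02 freepbx openvpn: Thu Dec 10 16:28:02 2020 192.0.2.9:41194 VERIFY ERROR: depth=0, error=certificate has expired: CN=client2
"""

# "<syslog ts> <host> openvpn: <openvpn ts> <client ip>:<port> <message>"
LINE_RE = re.compile(
    r"openvpn: \w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4} "
    r"(?P<ip>\d+\.\d+\.\d+\.\d+):(?P<port>\d+) (?P<msg>.*)$"
)
# depth=0 is the client's own certificate, depth>=1 is an issuing CA.
VERIFY_RE = re.compile(
    r"VERIFY ERROR: depth=(?P<depth>\d+), error=(?P<err>[^:]+): (?P<subj>.*)$"
)

ACTIONS = {
    "server-crl-expired": "regenerate the CRL on the PBX (every remote phone is affected)",
    "ca-cert-expired": "create a new CA, reissue all client certs and push configs to every phone",
    "client-cert-expired": "issue a new client certificate and push a new config to that phone",
    "verify-error": "inspect the certificate chain for this client",
    "tls-handshake-failed": "check reachability and keys; no certificate verdict was logged",
}


def diagnose(log_text):
    """Return {client_ip: (verdict, detail)} for every client that failed TLS."""
    findings = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ip, msg = m.group("ip"), m.group("msg")
        v = VERIFY_RE.search(msg)
        if v:
            depth, err, subj = int(v.group("depth")), v.group("err"), v.group("subj")
            if err == "CRL has expired":
                # The CRL enforced via crl-verify is past nextUpdate: the
                # server rejects every client until the CRL is reissued.
                findings[ip] = ("server-crl-expired", subj)
            elif err == "certificate has expired":
                findings[ip] = ("client-cert-expired" if depth == 0 else "ca-cert-expired", subj)
            else:
                findings[ip] = ("verify-error", f"{err}: {subj}")
        elif "TLS handshake failed" in msg and ip not in findings:
            # Handshake died without a verify error: keys, MTU, reachability.
            findings[ip] = ("tls-handshake-failed", "")
    return findings


def recommended_actions(findings):
    """Unique remediation steps, server-wide fixes first."""
    verdicts = {verdict for verdict, _ in findings.values()}
    return [ACTIONS[v] for v in ACTIONS if v in verdicts]


def _openssl_date(args, key):
    """Run an openssl subcommand that prints 'key=<date>' and return it as UTC."""
    out = subprocess.run(["openssl", *args], capture_output=True, text=True, check=True).stdout
    value = out.split(f"{key}=", 1)[1].strip()          # e.g. "Dec  7 12:00:00 2020 GMT"
    return datetime.strptime(value, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)


def crl_status(crl_path, now=None):
    """(nextUpdate, expired?) for a PEM CRL, the same test OpenSSL applies under crl-verify."""
    next_update = _openssl_date(["crl", "-in", crl_path, "-noout", "-nextupdate"], "nextUpdate")
    return next_update, (now or datetime.now(timezone.utc)) > next_update


def cert_status(cert_path, now=None):
    """(notAfter, expired?) for a PEM certificate (CA or client)."""
    not_after = _openssl_date(["x509", "-in", cert_path, "-noout", "-enddate"], "notAfter")
    return not_after, (now or datetime.now(timezone.utc)) > not_after


if __name__ == "__main__":
    result = diagnose(SAMPLE_LOG)
    for ip, (verdict, detail) in sorted(result.items()):
        print(f"{ip:16} {verdict:22} {detail}")
    for step in recommended_actions(result):
        print("->", step)
```

Run it against the real log with `diagnose(open("/var/log/messages").read())`; if the only verdict is `server-crl-expired`, regenerating client certificates is unnecessary, and `crl_status` on the server's CRL file tells you how long the reissued CRL is good for, which is the number to watch rather than the certificates' own expiry dates.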

Still don't know why the certs failed at six months, but the fix was to regenerate the self-signed certs and push new configs out to the VPN group phones:

Regenerate VPN SA self-signed certificate credentials

Admin > System Admin > VPN Server > Settings tab > Enabled

Change from yes to no, submit, OK
Change from no to yes, submit, OK

Push new certs out to VPN endpoint phones

Settings > Endpoint manager > Endpoint > Extension mapping

Check the box next to the VPN phones that are highlighted in yellow (indicating that they need their configurations updated)

Scroll to the very bottom and select “Save, Rebuild Configs, update device”
Apply

I needed the employees to hard reboot their phones to get them to reconnect solidly.

Success!
