Setup Sangoma phone on a vpn


(Laurent Francois) #1

Hi,
I tried to set up a Sangoma IP phone at a remote place with VPN

Here is my config :

Freepbx -(LAN net)- Routeur OpenWRT (IP-PUBLIC-ROUTEROPENWRT) – INTERNET – Router -(REMOTE net)-- IPPHONE SANGOMA.

It used to work for two years but not anymore. I think because of a change in the public IP of the Router OpenWRT.

So I reset everything from scratch.

-web gui the phone now :
Config Server Path: http://‘user’:‘password’@IP-PUBLIC-ROUTER-OPENWRT:83

  • screen phone with the VPN activated notification

  • unplug / plug the phone on the REMOTE net

  • on the freepbx server :

    • tail -f /var/log/httpd/accesslog : nothing happens.
    • cat /etc/openvpn/sysadmin_server1-status.log
TITLE	OpenVPN 2.3.7 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jun  9 2015
TIME	Fri Nov 15 05:18:59 2019	1573755539
HEADER	CLIENT_LIST	Common Name	Real Address	Virtual Address	Bytes Received	Bytes Sent	Connected Since	Connected Since (time_t)	Username
CLIENT_LIST	client0	IP-PUBLIC-ROUTER-REMOTE:33032	10.8.0.3	27341	29049	Fri Nov 15 05:04:09 2019	1573754649	UNDEF
HEADER	ROUTING_TABLE	Virtual Address	Common Name	Real Address	Last Ref	Last Ref (time_t)
ROUTING_TABLE	10.8.0.3	client0	IP-PUBLIC-ROUTER-REMOTE:33032	Fri Nov 15 05:04:11 2019	1573754651
GLOBAL_STATS	Max bcast/mcast queue length	0
  • tail -f /var/log/messages :
Nov 15 05:41:27 FreePBX openvpn[21922]: client0/IP-PUBLIC-ROUTER-REMOTE:33032 TLS: new session incoming connection from [AF_INET]IP-PUBLIC-ROUTER-REMOTE:33032
Nov 15 05:41:29 FreePBX openvpn[21922]: client0/IP-PUBLIC-ROUTER-REMOTE:33032 CRL CHECK OK: CN=FreePBX
Nov 15 05:41:29 FreePBX openvpn[21922]: client0/IP-PUBLIC-ROUTER-REMOTE:33032 VERIFY OK: depth=1, CN=FreePBX
Nov 15 05:41:29 FreePBX openvpn[21922]: client0/IP-PUBLIC-ROUTER-REMOTE:33032 CRL CHECK OK: CN=client0
Nov 15 05:41:29 FreePBX openvpn[21922]: client0/IP-PUBLIC-ROUTER-REMOTE:33032 VERIFY OK: depth=0, CN=client0
Nov 15 05:41:29 FreePBX openvpn[21922]: client0/IP-PUBLIC-ROUTER-REMOTE:33032 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Nov 15 05:41:29 FreePBX openvpn[21922]: client0/IP-PUBLIC-ROUTER-REMOTE:33032 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Nov 15 05:41:29 FreePBX openvpn[21922]: client0/IP-PUBLIC-ROUTER-REMOTE:33032 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Nov 15 05:41:29 FreePBX openvpn[21922]: client0/IP-PUBLIC-ROUTER-REMOTE:33032 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Nov 15 05:41:29 FreePBX openvpn[21922]: client0/IP-PUBLIC-ROUTER-REMOTE:33032 TLS: move_session: dest=TM_ACTIVE src=TM_UNTRUSTED reinit_src=1
Nov 15 05:41:29 FreePBX openvpn[21922]: client0/IP-PUBLIC-ROUTER-REMOTE:33032 TLS: tls_multi_process: untrusted session promoted to semi-trusted
Nov 15 05:41:29 FreePBX openvpn[21922]: client0/IP-PUBLIC-ROUTER-REMOTE:33032 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Nov 15 05:41:34 FreePBX openvpn[21922]: client0/IP-PUBLIC-ROUTER-REMOTE:33032 PUSH: Received control message: 'PUSH_REQUEST'
Nov 15 05:41:34 FreePBX openvpn[21922]: client0/IP-PUBLIC-ROUTER-REMOTE:33032 send_push_reply(): safe_cap=940
Nov 15 05:41:34 FreePBX openvpn[21922]: client0/IP-PUBLIC-ROUTER-REMOTE:33032 SENT CONTROL [client0]: 'PUSH_REPLY,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.3 255.255.255.0' (status=1)

Everything seems to work.
- web gui on the phone IP plug in remote lan
- syslog:

[...]
[11-15 06:05:10 50:19:73] ReDialInfo: aid 0, line 67, Number *43
[11-15 06:05:10 50:19:73] SIP: sdp_message_pro: Local IP is 10.8.0.3
[11-15 06:05:10 50:19:73] SIP: SendInvite to *43, cid 2, wIP 0xa080003, port 12102, Interval 2, Codec 0, Audio 0
[...]
[11-15 06:28:44 50:19:73] SIP: aid 0, Re-Register Timer Timeout, Try to Re-Register...
[11-15 06:28:44 50:19:73] SIP: aid 0 Reg Start...
[11-15 06:28:44 50:19:73] SIP: sip_nict_init, no route, req_uri->host:port is 10.66.0.2:5060
[11-15 06:29:48 50:19:73] SIP: aid 0, cid 0, tid 0, did 0, REQUEST: REGISTER, Event: 2
[11-15 06:29:48 50:19:73] SipProc:aid 0 enter NoAnswer SIP_REGISTRATION_FAILURE ====
[...]
- from freepbx server : 
      - ping 10.8.0.3 is OK
      - sip show  peers :  5 (Unspecified)  D  Yes        Yes         A  0        UNKNOWN   

But the ip phone is not connected.

Why does the IP phone get a REMOTE LAN IP? I understand that it is the DHCP server of the REMOTE ROUTER.

I’m stuck now. There is something I don’t understand.
Is there something I should do, or read.
Thanks for your help.
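
Added example, not part of the original thread: the server log above shows a PUSH_REPLY with no `route` entry, and the phone's syslog reports "no route" for 10.66.0.2:5060. This Python sketch parses both lines and checks whether the phone's SIP target falls inside any network the VPN server pushed; the function names are hypothetical and the two input lines are copied from the post.

```python
import ipaddress
import re

# Both lines are copied from the logs quoted in the first post.
PUSH_LINE = ("Nov 15 05:41:34 FreePBX openvpn[21922]: client0/IP-PUBLIC-ROUTER-REMOTE:33032 "
             "SENT CONTROL [client0]: 'PUSH_REPLY,route-gateway 10.8.0.1,topology subnet,"
             "ping 10,ping-restart 120,ifconfig 10.8.0.3 255.255.255.0' (status=1)")
PHONE_LINE = ("[11-15 06:28:44 50:19:73] SIP: sip_nict_init, no route, "
              "req_uri->host:port is 10.66.0.2:5060")


def pushed_networks(log_line):
    """Return (networks, default_via_vpn) that a PUSH_REPLY makes reachable."""
    m = re.search(r"'PUSH_REPLY,([^']*)'", log_line)
    if not m:
        raise ValueError("no PUSH_REPLY in line")
    opts = [o.split() for o in m.group(1).split(",") if o.strip()]
    subnet_topology = ["topology", "subnet"] in opts
    nets, default_via_vpn = [], False
    for o in opts:
        if o[0] == "redirect-gateway":
            default_via_vpn = True  # all client traffic is sent into the tunnel
        elif o[0] == "route" and len(o) >= 2:
            mask = o[2] if len(o) > 2 else "255.255.255.255"
            nets.append(ipaddress.ip_network(f"{o[1]}/{mask}", strict=False))
        elif o[0] == "ifconfig" and subnet_topology and len(o) == 3:
            # In subnet topology the second ifconfig argument is a netmask.
            nets.append(ipaddress.ip_network(f"{o[1]}/{o[2]}", strict=False))
    return nets, default_via_vpn


def sip_target(phone_line):
    """Extract the registrar address the phone tried to reach."""
    m = re.search(r"req_uri->host:port is ([\d.]+):(\d+)", phone_line)
    if not m:
        raise ValueError("no SIP target in line")
    return ipaddress.ip_address(m.group(1))


def reachable_via_tunnel(addr, nets, default_via_vpn):
    return default_via_vpn or any(addr in n for n in nets)


if __name__ == "__main__":
    nets, default = pushed_networks(PUSH_LINE)
    target = sip_target(PHONE_LINE)
    print("pushed networks:", [str(n) for n in nets], "default via VPN:", default)
    print(target, "reachable via tunnel:", reachable_via_tunnel(target, nets, default))
```

On the lines from the post, the only pushed network is the tunnel subnet 10.8.0.0/24, so 10.8.0.1 is covered and 10.66.0.2 is not.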


#2

If OpenVPN is running on FreePBX server, then the VPN IP it receives would have nothing to do with your router.


(Laurent Francois) #3

OK Openvpn seems to work on Freepbx, because I got this

Freepbx# tail -f /var/log/messages

Nov 15 14:14:49 FreePBX openvpn[1508]: client0/IP_PUBLI_REMOTE_ROUTER:44552 TLS: soft reset sec=0 bytes=37381/0 pkts=712/0
Nov 15 14:14:52 FreePBX openvpn[1508]: client0/IP_PUBLI_REMOTE_ROUTER:44552 CRL CHECK OK: CN=FreePBX
Nov 15 14:14:52 FreePBX openvpn[1508]: client0/IP_PUBLI_REMOTE_ROUTER:44552 VERIFY OK: depth=1, CN=FreePBX
Nov 15 14:14:52 FreePBX openvpn[1508]: client0/IP_PUBLI_REMOTE_ROUTER:44552 CRL CHECK OK: CN=client0
Nov 15 14:14:52 FreePBX openvpn[1508]: client0/IP_PUBLI_REMOTE_ROUTER:44552 VERIFY OK: depth=0, CN=client0
Nov 15 14:14:53 FreePBX openvpn[1508]: client0/IP_PUBLI_REMOTE_ROUTER:44552 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Nov 15 14:14:53 FreePBX openvpn[1508]: client0/IP_PUBLI_REMOTE_ROUTER:44552 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Nov 15 14:14:53 FreePBX openvpn[1508]: client0/IP_PUBLI_REMOTE_ROUTER:44552 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Nov 15 14:14:53 FreePBX openvpn[1508]: client0/IP_PUBLI_REMOTE_ROUTER:44552 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Nov 15 14:14:53 FreePBX openvpn[1508]: client0/IP_PUBLI_REMOTE_ROUTER:44552 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA

And a tun0 interfaces on the freepbx server

With the ip phone plugged in the remote net I got :

103.17.45.190 - a59e816d [15/Nov/2019:15:15:52 +1100] "GET /factory0700.bin HTTP/1.1" 404 292 "-" "Sangoma S700 2.0.4.28 00:50:58:50:19:73"
103.17.45.190 - a59e816d [15/Nov/2019:15:15:52 +1100] "GET /cfg0700.xml HTTP/1.1" 200 703 "-" "Sangoma S700 2.0.4.28 00:50:58:50:19:73"
103.17.45.190 - a59e816d [15/Nov/2019:15:15:54 +1100] "GET /005058501973.cfg HTTP/1.1" 404 293 "-" "Sangoma S700 2.0.4.28 00:50:58:50:19:73"
103.17.45.190 - a59e816d [15/Nov/2019:15:15:54 +1100] "GET /cfg005058501973 HTTP/1.1" 404 292 "-" "Sangoma S700 2.0.4.28 00:50:58:50:19:73"
103.17.45.190 - a59e816d [15/Nov/2019:15:15:54 +1100] "GET /cfg005058501973.xml HTTP/1.1" 200 62323 "-" "Sangoma S700 2.0.4.28 00:50:58:50:19:73"
103.17.45.190 - a59e816d [15/Nov/2019:15:15:57 +1100] "GET /ringtones/formatted/ring4.bin HTTP/1.1" 404 306 "-" "Sangoma S700 2.0.4.28 00:50:58:50:19:73"
103.17.45.190 - a59e816d [15/Nov/2019:15:15:57 +1100] "GET /ringtones/formatted/ring5.bin HTTP/1.1" 404 306 "-" "Sangoma S700 2.0.4.28 00:50:58:50:19:73"
103.17.45.190 - a59e816d [15/Nov/2019:15:15:58 +1100] "GET /ringtones/formatted/ring6.bin HTTP/1.1" 404 306 "-" "Sangoma S700 2.0.4.28 00:50:58:50:19:73"
103.17.45.190 - a59e816d [15/Nov/2019:15:15:58 +1100] "GET /ringtones/formatted/ring7.bin HTTP/1.1" 404 306 "-" "Sangoma S700 2.0.4.28 00:50:58:50:19:73"
103.17.45.190 - a59e816d [15/Nov/2019:15:15:58 +1100] "GET /ringtones/formatted/ring8.bin HTTP/1.1" 404 306 "-" "Sangoma S700 2.0.4.28 00:50:58:50:19:73"
103.17.45.190 - a59e816d [15/Nov/2019:15:15:58 +1100] "GET /ringtones/formatted/ring9.bin HTTP/1.1" 404 306 "-" "Sangoma S700 2.0.4.28 00:50:58:50:19:73"
103.17.45.190 - a59e816d [15/Nov/2019:15:15:58 +1100] "GET /ringtones/formatted/ring10.bin HTTP/1.1" 404 307 "-" "Sangoma S700 2.0.4.28 00:50:58:50:19:73"
103.17.45.190 - a59e816d [15/Nov/2019:15:15:58 +1100] "GET /005058501973-vpn.tar HTTP/1.1" 200 11776 "-" "Sangoma S700 2.0.4.28 00:50:58:50:19:73"
103.17.45.190 - a59e816d [15/Nov/2019:15:15:58 +1100] "GET /cfg5-states.xml HTTP/1.1" 200 6016 "-" "Sangoma S700 2.0.4.28 00:50:58:50:19:73"
103.17.45.190 - a59e816d [15/Nov/2019:15:16:02 +1100] "GET /sangoma/1/fw700.rom HTTP/1.1" 200 18536058 "-" "Sangoma S700 2.0.4.28 00:50:58:50:19:73"

but when I tried to test my port forwarding for VPN port
https://www.yougetsignal.com/tools/open-ports/
IP = IP_PUBLIC_ROUTER_OPENWRT
Port 1194
it says Closed. Is that normal?


#4

You are probably testing tcp ports, OpenVPN runs on udp. Since your phone connects to OpenVPN, the port is open.


(Laurent Francois) #5

OK thanks.
I still try to fix my problem.


(Laurent Francois) #6

In the web gui of the phone plugged in the remote net I got:

Account / Basic :

  • Account status Register failed (of course)
  • Primary IP-LAN-SERVER-FREEPBX:5060

What should be the address of the sip server for a correct configuration of IP phone over VPN. thanks.


#7

If you are configuring the phone through the commercial endpoint manager, I guess that the values are automatically populated.


(Laurent Francois) #8

Yes configuration by endpoint manager.
If I understand :
if the vpn is OK between the remote phone and the freepbx an internal address of freepbx net should be seen as a local address even if the phone is in a remote place.
So IP_LAN_FREEPBX is OK.


#9

Can you first connect the phone to the same lan where FreePBX is? This way you can get the phone autoprovisioned for the first time in a controlled way so to speak.


(Laurent Francois) #10

Yes, this is what I did first.
I explained thoroughly what I did in the first message.
But I will start again from scratch.
I must have missed something but really don’t know what.

Maybe it’s a SIP problem.
Whooo…


(Laurent Francois) #11

A question
in Endpoint Manager / Brand / Sangoma
template
what should I choose for SIP destination address :

  • Internal
  • External
  • Custom

thanks for your help

(Laurent Francois) #12

endpoint management / brand / sangoma
sip destination address : Internal


(Laurent Francois) #13

From FREEPBX server I can ping 10.8.0.4 ip vpn of the phone.
Nmap -A 10.8.0.4 says it’s a sangoma.
Unplug the remote phone and I can’t ping anymore.
Plug it in again and I can ping again from the freepbx server.

system admin / VPN server / client / client iP 10.8.0.4 connected.

but web gui ipphone : Account / account status register failed
and sip show peers
5 (Unspecified) D Yes Yes A 0 UNKNOWN

How can I debug this ?
Thank you.

