VPN and Grandstream GXP21xx phones

Hi, we have had a long-standing “issue” with Grandstream phones and OpenVPN (we had many months of testing with WatchGuard firewalls (which have an OpenVPN server in them) and the phones, and we have them working). With that in mind, it appears there are some settings missing in the OpenVPN config that FreePBX downloads for the endpoint device.

Need to know the below:

  • Cipher method
  • Authentication encryption method

It appears the phone connects, then OpenVPN dumps the connection, which normally happens with password authentication methods (affected by both of the above settings), so if anyone has managed to get Grandstream GXP21xx phones working on VPN, what settings did you use?

I believe we got it working; see below for others with this issue.

  • Cipher method = Blowfish
  • Authentication encryption = [blank] (for Grandstream phones this would have been entered into the “Additional options” area as “auth SHA256;”, as required by devices like the WatchGuard firewall's mobile SSL VPN, which is OpenVPN)

However, another setting, Comp-lzo, needs to be on or YES, which is kinda ironic as this is a deprecated setting and should not be used due to a security risk.

The other issue we saw was that the CA cert as downloaded from FreePBX was not formatted correctly for Grandstream phones; that cert should only have the key in the file and not all the text above it, like the below:

   key alpha numeric

Make sure ALL cert / key files have a carriage return at the end (there’s a bug with Grandstream phones where they MUST have a carriage return at the end, so it looks like they are using that character to read the line, so none at the end means it never sees the last line of the text file imported).

We have a single phone in the system and it rings (did a lot of this remotely), so now I need to test more once I am with the remote phone.
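As an added example (not from the post or from FreePBX/Grandstream), a small Python helper that does the two clean-ups the post describes, assuming "only the key" means the Base64 block between the BEGIN/END markers: it strips any human-readable text around the PEM block, normalises line endings, guarantees a trailing newline, and separately flags `comp-lzo` and a Blowfish `cipher` line in a downloaded .ovpn config. The sample certificate below is constructed and not a real CA.

```python
import base64
import re

# Constructed sample of what a downloaded CA file can look like: a text dump
# above the PEM block and no newline after the END marker (both problems
# described in the post). The Base64 body is made up, not a real certificate.
SAMPLE_CA = (
    "Certificate:\n"
    "    Data:\n"
    "        Issuer: CN=Example-CA (constructed)\n"
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBszCCAVmgAwIBAgIJAKx5\n"
    "Q29uc3RydWN0ZWQgc2FtcGxlIGJvZHk=\n"
    "-----END CERTIFICATE-----"          # no trailing newline
)

# Matches one BEGIN/END block; the backreference keeps the labels paired.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL
)


def normalize_pem(text: str) -> str:
    """Keep only the BEGIN/END block(s), drop everything around them,
    use LF line endings and end the file with exactly one newline."""
    blocks = PEM_BLOCK.findall(text)
    if not blocks:
        raise ValueError("no PEM block found")
    out = []
    for label, body in blocks:
        lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
        base64.b64decode("".join(lines), validate=True)   # reject corrupt bodies
        out.append(f"-----BEGIN {label}-----\n" + "\n".join(lines)
                   + f"\n-----END {label}-----")
    return "\n".join(out) + "\n"


def has_trailing_newline(text: str) -> bool:
    return text.endswith("\n")


def audit_ovpn(config: str) -> list[str]:
    """Flag the two settings the thread discusses in an OpenVPN client config."""
    findings = []
    for line in config.splitlines():
        parts = line.split("#")[0].split()          # ignore comments/blank lines
        if not parts:
            continue
        if parts[0] == "comp-lzo":
            findings.append("comp-lzo: deprecated compression option is enabled")
        if parts[0] == "cipher" and len(parts) > 1 and parts[1].upper().startswith("BF-"):
            findings.append(f"cipher {parts[1]}: Blowfish selected; prefer AES-256")
    return findings
```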

Sounds like very old GXP firmware. GXP firmware has supported selecting better ciphers for a long time now.

No real security is provided by blowfish.

The phone has many ciphers; I can also confirm it does work on AES-256 as well, so it appears it was the Comp-lzo setting creating the connection issue.
