The VPN client that comes with the Cisco IP-Phone Enterprise firmware is based on AnyConnect but was unable to authenticate with ocserv.

The phone makes an initial GET request and looks for a cookie named 'webvpn' that has an expiry attribute and a cookie named 'webvpnlogin' containing a non-empty value. When username+password mode is configured, the phone will then send a POST request containing those credentials. When using certificate authentication an empty POST request is sent.

A handler that implements this new behaviour has been added under the '/svc' path. To use DTLS 'dtls-legacy' must be enabled and 'udp-port' must be 443; a new 'cisco-svc-client-compat' option automatically checks those settings. New test cases test-pass-svc and test-cert-svc check the above behaviour.

Older versions of the phone's firmware will fail to create the DTLS tunnel if the cipher negotiated for HTTPS does not match that selected for DTLS. To work around this either disable DTLS or only allow the RSA-AES-256-CBC/SHA1 or RSA-AES-128-CBC/SHA1 cipher to be used. doc/README-cisco-svc.md includes additional information.

Note: 'Enterprise' here is used to differentiate between that firmware and the MPP (Multi-Platform) firmware which uses the same hardware.

Signed-off-by: Gareth Palmer <gareth.palmer3@gmail.com>
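The commit message above describes the two cookie checks the phone applies to the response of its initial GET. As an added example (not code from this commit or from ocserv), the following Python reproduces those checks over constructed Set-Cookie header values, so that an operator can see what a "/svc" response must carry before a phone will go on to POST credentials. The cookie values are made up, and the exact parsing the phone's firmware performs is not known; this only applies the two conditions the message names.

```python
from http.cookies import SimpleCookie

# Constructed sample: the Set-Cookie headers an ocserv /svc handler is expected
# to return on the phone's initial GET (the values are made up for this example).
SAMPLE_SET_COOKIE = [
    "webvpn=0123456789abcdef; expires=Thu, 01 Jan 2099 00:00:00 GMT; path=/; secure; HttpOnly",
    "webvpnlogin=1; path=/; secure",
]


def parse_set_cookie(headers):
    """Parse a list of Set-Cookie header values into {name: Morsel}.

    Each header is loaded into its own SimpleCookie so that its attributes
    (expires, path, ...) stay attached to the cookie they belong to.
    """
    cookies = {}
    for header in headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            cookies[name] = morsel
    return cookies


def phone_accepts(headers):
    """Apply the two checks the phone performs on the initial GET response.

    Returns (ok, reasons): ok is True only when a 'webvpn' cookie carrying an
    expires attribute and a non-empty 'webvpnlogin' cookie are both present.
    """
    reasons = []
    cookies = parse_set_cookie(headers)

    webvpn = cookies.get("webvpn")
    if webvpn is None:
        reasons.append("missing 'webvpn' cookie")
    elif not webvpn["expires"]:
        reasons.append("'webvpn' cookie has no expires attribute")

    login = cookies.get("webvpnlogin")
    if login is None:
        reasons.append("missing 'webvpnlogin' cookie")
    elif not login.value:
        reasons.append("'webvpnlogin' cookie has an empty value")

    return (not reasons, reasons)


if __name__ == "__main__":
    ok, why = phone_accepts(SAMPLE_SET_COOKIE)
    print("accepted" if ok else "rejected: " + "; ".join(why))
```

To check a live gateway, collect the Set-Cookie values from a plain GET against the /svc URL and pass them to `phone_accepts`; a non-empty reason list points at which of the two cookies the handler is not setting correctly.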
# Using Cisco IP-Phones with ocserv
The 'Enterprise' firmware on the 7800, 8800, 8900 and 9900 series Cisco IP-Phones can use ocserv as a VPN gateway.
An 'Enterprise' specific URL path of /svc is required when configuring the phone. In the phone's SEPMAC.cnf.xml that looks like:

```xml
<vpnGroup>
...
<addresses>
<url>https://host.name.for.ocserv/svc</url>
</addresses>
</vpnGroup>
```
Both username+password and certificate-based authentication are supported.
## Ocserv configuration

In addition to requiring an 'Enterprise' specific path, ocserv must also be configured to work around limitations in the behavior of the phone's VPN client.

To enable that mode use:

```
cisco-svc-client-compat = true
```

Note: If the ciphers do not match the phone will log the error `old session cipher not returned` in the console log. Older phone VPN clients may negotiate an unsupported TLS+DTLS cipher so you will need to force either AES256-CBC or AES128-CBC, eg:

```
tls-priorities = "NONE:%SERVER_PRECEDENCE:%COMPAT:+VERS-TLS-ALL:+SIGN-ALL:+COMP-ALL:+RSA:+SHA1:+AES-256-CBC"
```

Note: While you may specify any port to use for HTTPS, the phone will only use port 443 for DTLS.
## Additional information
Refer to the following documentation on usecallmanager.nz for additional information about how to configure the phone's VPN.
- SEPMAC.cnf.xml: The main configuration file for the phone.
- VPN Group: VPN specific configuration.