forked from usecallmanagernz/usecallmanagernz.github.io
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathvpn-connection.html
More file actions
152 lines (146 loc) · 9.04 KB
/
vpn-connection.html
File metadata and controls
152 lines (146 loc) · 9.04 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
<!DOCTYPE html>
<html lang="en">
<head>
<title>VPN Connection</title>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width,initial-scale=1,shrink-to-fit=no">
<link rel="shortcut icon" href="images/logo.svg">
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Roboto">
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Material+Symbols+Outlined:FILL@0..1">
<link rel="stylesheet" href="includes/theme.css">
<link rel="stylesheet" href="includes/prettify.css">
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.6.0/jquery.min.js"></script>
<script src="includes/prettify.js"></script>
<script>
jQuery(window).on("load", function () {
prettyPrint();
});
</script>
</head>
<body>
<header>
<a href="/"><img src="images/logo.svg" alt=""></a>
<h2><<span>proxy</span>></h2><h1><span>USECALLMANAGER</span>.nz</h1><h2></<span>proxy</span>></h2>
</header>
<main>
<nav>
<ul>
<li><a href="documentation-overview.html"><span class="icon">home</span> Documentation Overview</a></li>
<li><a href="patching-asterisk.html"><span class="icon">build</span> Patching Asterisk</a></li>
<li><a href="change-log.html"><span class="icon">news</span> Change Log</a></li>
</ul>
<ul>
<li><h3>Network Configuration</h3></li>
<li><a href="dhcp-options.html"><span class="icon">settings_ethernet</span> DHCP Options</a></li>
<li><a href="http-provisioning.html"><span class="icon">file_download</span> HTTP Provisioning</a></li>
<li><a href="tftp-provisioning.html"><span class="icon">file_download</span> TFTP Provisioning</a></li>
</ul>
<ul>
<li><h3>Phone Configuration</h3></li>
<li><a href="sepmac-cnf-xml.html"><span class="icon">settings_phone</span> SEPMAC.cnf.xml</a></li>
<li><a href="dial-template.html"><span class="icon">dialpad</span> Dial Template</a></li>
<li><a href="application-dial-rules.html"><span class="icon">bluetooth</span> Application Dial Rules</a></li>
<li><a href="soft-keys.html"><span class="icon">power_input</span> Soft Keys</a></li>
<li><a href="line-keys.html"><span class="icon">format_list_bulleted</span> Line Keys</a></li>
<li><a href="feature-policy.html"><span class="icon">fact_check</span> Feature Policy</a></li>
<li><a href="network-locale.html"><span class="icon">language</span> Network Locale</a></li>
<li><a href="user-locale.html"><span class="icon">face</span> User Locale</a></li>
<li><a href="load-information.html"><span class="icon">file_upload</span> Firmware Load Information</a></li>
<li><a href="background-images.html"><span class="icon">wallpaper</span> Background Images</a></li>
<li><a href="ring-tones.html"><span class="icon">ring_volume</span> Ring Tones</a></li>
<li><a href="device-security.html"><span class="icon">security</span> Device Security</a></li>
<li><a href="trust-verification.html"><span class="icon">verified</span> Trust Verification</a></li>
<li><a href="certificate-enrollment.html"><span class="icon">card_membership</span> Certificate Enrollment</a></li>
<li><span class="icon selected">vpn_key</span> <b>VPN Connection</b></li>
</ul>
<ul>
<li><h3>Asterisk Configuration</h3></li>
<li><a href="sip-peers.html"><span class="icon">dialer_sip</span> SIP Peers</a></li>
<li><a href="sip-notify-commands.html"><span class="icon">settings_power</span> SIP Notify Commands</a></li>
<li><a href="dialplan-extensions.html"><span class="icon">format_list_numbered</span> Dialplan Extensions</a></li>
<li><a href="call-parking.html"><span class="icon">local_parking</span> Call Parking</a></li>
<li><a href="sip-peer-options.html"><span class="icon">code</span> SIPPEER Options</a></li>
<li><a href="rtp-streaming.html"><span class="icon">volume_up</span> RTP Streaming</a></li>
<li><a href="command-line.html"><span class="icon">keyboard_arrow_right</span> Command Line</a></li>
<li><a href="freepbx-integration.html"><span class="icon">view_kanban</span> FreePBX Integration</a></li>
</ul>
<ul>
<li><h3>XML Services</h3></li>
<li><a href="phone-services.html"><span class="icon">settings</span> Phone Services</a></li>
<li><a href="cgi-execute.html"><span class="icon">phone_forwarded</span> CGI Execute</a></li>
</ul>
<ul>
<li><h3>Additional Features</h3></li>
<li><a href="as-feature-events.html"><span class="icon">extension</span> AS Feature Events</a></li>
</ul>
</nav>
<article>
<h1>VPN Connection</h1>
The <b>8800</b>, <b>8900</b> and <b>9900</b> series phones can setup a VPN using the AnyConnect protocol which connects via HTTPS and optionally, DTLS. To enable the VPN connection set <<code class="tag">url1</code>> and <<code class="tag">certHash1</code>> in <a href="sepmac-cnf-xml.html#vpnGroup.url1">SEPMAC.cnf.xml</a> and then enter your username and password via the settings or applications menu on the phone.<br>
<br>
Steps for compiling and installing OpenConnect VPN Server are below. You should be familiar with building from source before attempting this.<br>
<br>
<b>1.</b> Download a version of OpenConnect that is <code class="literal">1.2.0</code> or later.<br>
<br>
<a href="https://ocserv.gitlab.io/www/download.html"><span class="icon">open_in_browser</span> OpenConnect VPN Server Downloads</a>.<br>
<br>
<b>2.</b> Extract the archive.<br>
<br>
<code class="command-line"><span class="prompt">~$</span> tar --extract --xz --file ocserv-X.X.X.tar.xz
<span class="prompt">~$</span> cd ocserv-X.X.X</code>
<br>
<b>3.</b> Configure and build OpenConnect.<br>
<br>
<code class="command-line"><span class="prompt">~/ocserv-X.X.X$</span> ./configure --prefix=/usr --sysconfdir=/etc/ocserv
<span class="prompt">~/ocserv-X.X.X$</span> make</code>
<br>
<b>4.</b> Install OpenConnect.<br>
<br>
<code class="command-line"><span class="prompt">~/ocserv-X.X.X$</span> sudo make install</code>
<br>
<b>5.</b> Install the sample configuration file.<br>
<br>
<code class="command-line"><span class="prompt">~/ocserv-X.X.X$</span> sudo cp doc/sample.config /etc/ocserv/ocserv.conf</code>
<br>
<h2 id="ocserv-conf">ocserv.conf <a href="#ocserv-conf" title="Link">link</a></h2>
The VPN server requires an RSA key and X509 certificate, if you already have a certificate that can be used instead. Otherwise a new certificate can be generated using <code class="literal">mkcert</code>. See <a href="device-security.html">Device Security</a> for more information.<br>
<br>
<code class="command-line"><span class="prompt">~/certutils-X.X$</span> sudo ./mkcert --common "OpenConnect" --organization "OpenConnect" --unit "OpenConnect" \
/etc/ocserv/ocserv.pem</code>
<br>
<code class="prettify">...
# Username and password authentication, the ocpasswd(1) tool can be used to
# manage the password file.
auth = "plain[passwd=/etc/ocserv/passwd]"
# Alternatively[1] use either the MIC or LSC for authentication
#auth = certificate
# User is commonName (CN)
#cert-user-oid = 2.5.4.3
# Group is organizationName (O)
#cert-group-oid = 2.5.4.10
# Authenticate MIC using Cisco Root CA 2048 + Cisco Manufacturing CA 2
#ca-cert = "/etc/ocserv/ciscoca.pem"
# Authenticate LSC using a local CA, see Certificate Enrollment
#ca-cert = "/etc/oscerv/capf.pem"
# The key and the certificates of the server. The certificate must match the
# hash set in one of <certHash1> ... <certHash10>.
server-cert = "/etc/ocserv/ocserv.pem"
server-key = "/etc/ocserv/ocserv.pem"
# Enable cisco phone VPN client checks
cisco-svc-client-compat = true
# If you are using older model phones such as 894x or 99xx series
# then you may need to force the allowed ciphers
#tls-priorities = "NONE:%SERVER_PRECEDENCE:%COMPAT:+VERS-TLS-ALL:+SIGN-ALL:+COMP-ALL:+RSA:+SHA1:+AES-256-CBC"
...</code>
<br>
<h2 id="certhash">certhash <a href="#certhash" title="Link">link</a></h2>
<code class="literal">certhash</code> is used to generate a base64 encoded version of the SHA1 hash of the VPN server certificate. The hash is then set in one of <<code class="tag">certHash1</code>> ... <<code class="tag">certHash10</code>> in <a href="sepmac-cnf-xml.html#vpnGroup.certHash1">SEPMAC.cnf.xml</a>.<br>
<br>
<code class="command-line"><span class="prompt">~/certutils-X.X$</span> ./certhash --digest sha1 /etc/ocserv/ocserv.pem</code>
</article>
</main>
<footer>
<span class="icon">copyright</span> Gareth Palmer and individual contributors. Documentation distributed under <a href="LICENSE">CC BY 4.0</a>.
</footer>
</body>
</html>