Networking-Forums.com

Professional Discussions => Voice, Video, and Telepresence => Topic started by: Dieselboy on May 21, 2018, 04:32:48 AM

Title: Cisco AnyConnect IP phones to openvpn server?
Post by: Dieselboy on May 21, 2018, 04:32:48 AM
I have some AnyConnect phones (8945). I don't have a proper SSL VPN server (such as an ASA or IOS router). I tried but have been unable to get my AnyConnect laptop software connecting to an openvpn server I set up as a test. The issue seems to be that openvpn wants certificates to be involved. In the case of the Cisco phone, the phone can send a Cisco cert or I can have the user prompted for username and password. I would want to try the 2nd option (not ideal, but want to see if it works).

I thought I could use any SSL VPN server, but I think openvpn is out because the client cert has to be subordinate to the server cert, which isn't possible with a Cisco phone. When I try connecting with the AnyConnect software, the software complains there's no cert. So it seems the server is always expecting a cert.

Can anyone with more experience confirm this? And maybe suggest some open source software to run an SSL VPN for authenticating the client with username and password?
Title: Re: Cisco AnyConnect IP phones to openvpn server?
Post by: dlots on May 22, 2018, 09:51:04 AM
Is this just for testing? Or is it going into production?

If it's just for testing, you can probably set up a virtual ASA in GNS3.
Title: Re: Cisco AnyConnect IP phones to openvpn server?
Post by: Dieselboy on May 22, 2018, 08:42:01 PM
Was looking at production. Bit of a weird request, I know.

I spent all day on this yesterday, reading docs and following some examples online and adding what I had learnt from the docs. I found that yes, we can authenticate the client by username and password only, but the next problem is that openvpn is either TCP or UDP only, unlike Cisco's SSL VPN, where the authentication is done on TCP and then a DTLS UDP data channel is opened up.

So I thought some more and I think it's best to run a VPN from an upstream device like a router, and then the phone will simply do SCCP only to CUCM. I could splash out and set up an ASAv or CSR virtual router, but the minimum specs for those are overkill for me. This in turn makes it expensive for licensing and cloud VM running costs. At the moment I literally have three telephones that I want to connect to a VPN in the cloud. I have another idea, so going to look into that today.

Thanks for the information dlots :)
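The username/password-only OpenVPN server that the post above says is possible, written out as an added example (this is not the poster's configuration and not from the thread). Every path, the tunnel subnet and the PAM plugin location are assumed placeholders and differ by distribution; the directives themselves are standard OpenVPN 2.4+ options. The `proto` line also illustrates the transport point made above: one OpenVPN instance speaks either UDP or TCP, with no separate DTLS data channel.

```conf
# Added example: OpenVPN 2.4+ server configured for username/password
# authentication with no client certificate. Paths and subnet are assumed.
port 1194
proto udp                  # one transport per instance: udp OR tcp, never both
dev tun
server 10.8.0.0 255.255.255.0   # assumed tunnel subnet

# The server still presents its own certificate so clients can verify it;
# only the client side is exempted from presenting one.
ca   /etc/openvpn/ca.crt        # assumed path
cert /etc/openvpn/server.crt    # assumed path
key  /etc/openvpn/server.key    # assumed path
dh   /etc/openvpn/dh.pem        # assumed path

# Authenticate the username/password against the host's PAM stack.
# 'login' is the PAM service name handed to the plugin.
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so login   # assumed plugin path
verify-client-cert none        # do not require a client cert (OpenVPN 2.4+)
username-as-common-name        # identify the session by username in logs/status

# With no client cert, a pre-shared static key is the only thing stopping
# anyone on the internet from reaching the TLS handshake and password prompt.
tls-crypt /etc/openvpn/ta.key   # assumed path; generate with: openvpn --genkey --secret ta.key

keepalive 10 60
persist-key
persist-tun
status /var/log/openvpn-status.log   # assumed path; shows who is connected, by username
```

On the client side the matching settings are `client`, `remote <server> 1194`, `auth-user-pass` (prompt for credentials or read them from a file), the same `ca` file and the same `tls-crypt` key. Without `tls-crypt` (or the older `tls-auth`), dropping the client-certificate requirement means the password plugin is the only authentication step, so it is worth keeping the static key and watching the status log for unexpected usernames.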
Title: Re: Cisco AnyConnect IP phones to openvpn server?
Post by: deanwebb on May 25, 2018, 09:18:23 AM
Would you have the same issues with softphones running on PCs that had their own VPN sessions running?
Title: Re: Cisco AnyConnect IP phones to openvpn server?
Post by: Dieselboy on May 28, 2018, 01:49:31 AM
Thanks for the suggestion, but at the moment yes, as the VPN server is on the complete opposite side of the globe :). The goal is to get the RTP routing to the ITSP as close to the users as possible (i.e. at least in the same country as both the users and the ITSP). My 'other idea' is looking really promising. I'll post up some more about it once it's finished.
Title: Re: Cisco AnyConnect IP phones to openvpn server?
Post by: deanwebb on May 29, 2018, 08:24:34 PM
"Other idea"... ?

:think:
Title: Re: Cisco AnyConnect IP phones to openvpn server?
Post by: Dieselboy on May 29, 2018, 08:42:58 PM
I've bought a couple of cigarette-packet-sized firewall/routers. From that device I can use openvpn. Behind that device lives the phone, which won't use AnyConnect any longer ;)
Title: Re: Cisco AnyConnect IP phones to openvpn server?
Post by: deanwebb on May 30, 2018, 07:04:13 AM
Well, that satisfies the technical requirements, but does it satisfy the security requirements?

In other words, are those devices on any critical vulnerability announcements for Home / Small Office router compromises?
Title: Re: Cisco AnyConnect IP phones to openvpn server?
Post by: Dieselboy on May 30, 2018, 09:38:56 PM
I have thought about that. When they arrive I'll do some Sherlock Holmes-type investigative work. But they will not be internet facing (the WAN port will plug into the user's home LAN) and will be running a 'deny all' firewall, so I am expecting that to be sufficient. But will check it out anyway.