
Configure VPN connection on Cisco 8800 MPP series phones?

cisco20202020
Level 1

Both the 8800 MPP/3PCC series XML reference guide and the specific 8800 MPP/3PCC series VPN setup guide (both linked) confirm that 8800 series phones can be set up with some sort of VPN connection...

The above linked VPN setup guide mentions to go to Applications>Network Settings>VPN Settings. However, none of my 8800 series phones on the latest MPP firmware (specifically they are 8851 and 8861 MPP phones) have an option for "VPN Settings" under the Network Settings section, nor is there a "VPN Settings" section under the phone's web GUI>Voice>System (checked in Admin Login>Advanced mode).

Also, the VPN configuration described in the VPN setup guide is quite limited, i.e. you only input the server, username, and password. Does it create an IPSEC connection? Will it only work with specific Cisco firewalls, or can I set it up with something like a FortiGate (or any other IPSEC-capable firewall)? What are the encryption settings that need to be set on the VPN configuration on the other end in the firewall so that the connection gets established successfully? Is it an SSL-VPN connection, and if so will it work with FortiGate's SSL-VPN?? What are the details and has anyone set this up???

13 Replies

Geovani
Cisco Employee

Hi there, 

Are you running 11.3.7?

Lol I checked and this firmware is new from June, and I was trying to figure out this VPN issue for so long that I was so sure the phone was on latest firmware... anyways, I now upgraded it to 11.3.7 and the VPN options ARE now in the configuration. Silly me. 

Now can you please provide the details on setting up the VPN - is it SSL-VPN? How to make it work with a FortiGate? Does the SSL port need to be 443? Or is it IPSEC?? etc.

Geovani
Cisco Employee

Hi there, 

I've never tried this myself, but VPN will work over SSL and Fortigate/Fortinet is supported. This is as far as I know.

Thanks

It looks like it is the same SSL-VPN type of setup as in the SPA525G series. The configuration is identical.

I'm sure someone here has set up a working SSL-VPN on their SPA525G's with a FortiGate.

After inputting the VPN server address/username/password/tunnel group and clicking Enable VPN Connection, it gives the error "Failed to obtain webvpn cookie". How to resolve this? The server has a valid Let's Encrypt SSL certificate.

Geovani
Cisco Employee

Hi there,

Take a look at what TLS version is being used on both ends. Sounds like a TLS version mismatch.

Can you please advise what TLS version the phone is expecting (8861 MPP)? That way I can adjust the TLS version on the firewall to match it. I can't find any documentation anywhere about what TLS version the phone expects.

The phone will use TLSv1.2 - but to be honest I don't know if this is what your issue is. Please give it a go.

I changed the firewall to use TLSv1.2 for SSL-VPN as it was set to use TLSv1.3. Still no difference. Still getting the error "Failed to obtain WebVPN cookie." What else could this be? Thank you.

Silly question, but do you have port 443 open/forwarding on the firewall?

Yes, I have 443 forwarded and used by the SSL-VPN.

In the server address field on the phone I've tried inputting https://serveraddress:443, https://serveraddress, serveraddress:443, and just serveraddress. All give the error.

Can you take a pcap on the phone and see if the TLS session is at least being established?

Are you able to look at the logs in the firewall, to see if there are any errors or mismatches?

In the debug logs this is what I see related to VPN:

3036 NOT Sep 06 19:39:43.225881 openconnect:validate_peer_cert Certificate from VPN server failed verification.Reason: self signed certificate in certificate chain
3037 NOT Sep 06 19:39:43.225985 openconnect:validate_peer_cert To trust this server in future, perhaps add this to your command line:
3038 NOT Sep 06 19:39:43.226051 openconnect:validate_peer_cert --servercert pin-sha256:ajq+IaMBGo3Dj/orcy2y4toCIw8BvFxC0qiVzLcnutE=
3039 NOT Sep 06 19:39:43.226117 openconnect: Enter 'yes' to accept, 'no' to abort; anything else to view: 
3045 NOT Sep 06 19:39:43.342809 openconnect:process_http_response Error in chunked decoding. Expected '', got: '<HEAD>'
3053 NOT Sep 06 19:39:43.604627 openconnect:parse_xml_response XML response has no "auth" node
3054 NOT Sep 06 19:39:43.604750 openconnect:main Failed to obtain WebVPN cookie

Geovani
Cisco Employee

It looks like the phone does not trust the VPN server. Can you please set the debug level to DEBUG and take a fresh set of logs?

If the phone does not trust the VPN server, you can try and upload a custom CA rule to the phone. Please take a look at "Custom CA Rule" in the admin guide.
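As an added example (not from this thread, and not Cisco's or Fortinet's code), the following Python script lets an administrator reproduce from a workstation the two checks discussed above: whether the VPN server's certificate chain verifies against a standard CA store (the "self signed certificate in certificate chain" log line), and what TLS version is negotiated when the client is restricted to TLSv1.2. It also computes the OpenConnect-style `pin-sha256` value, which is assumed here to be the base64 SHA-256 of the server's DER SubjectPublicKeyInfo, so it can be compared with the value the phone prints in its log. The host name and port are assumptions; only the DER helpers are exercised offline.

```python
import base64
import hashlib
import socket
import ssl


def _tlv(buf, pos):
    """Decode one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def spki_der(cert_der):
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate."""
    _, pos, _ = _tlv(cert_der, 0)           # Certificate ::= SEQUENCE
    _, pos, _ = _tlv(cert_der, pos)         # TBSCertificate ::= SEQUENCE
    tag, _, end = _tlv(cert_der, pos)
    if tag == 0xA0:                         # optional explicit [0] version
        pos = end
    for _ in range(5):                      # serial, signature, issuer, validity, subject
        _, _, pos = _tlv(cert_der, pos)
    _, _, end = _tlv(cert_der, pos)         # subjectPublicKeyInfo
    return cert_der[pos:end]


def spki_pin(cert_der):
    """OpenConnect-style pin: base64(SHA-256(SPKI DER)), shown as 'pin-sha256:...'."""
    return base64.b64encode(hashlib.sha256(spki_der(cert_der)).digest()).decode()


def probe_vpn_server(host, port=443, timeout=5):
    """Handshake with TLSv1.2 only (the version the thread says the phone uses).
    Returns (trusted, tls_version, pin, error). If the chain fails the system CA
    store, reconnects unverified so the pin can still be compared with the phone log."""
    def connect(verify):
        ctx = ssl.create_default_context()
        ctx.minimum_version = ctx.maximum_version = ssl.TLSVersion.TLSv1_2
        if not verify:                       # read-only: report, never trust
            ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version(), spki_pin(tls.getpeercert(binary_form=True))
    try:
        return (True, *connect(verify=True), None)
    except ssl.SSLCertVerificationError as exc:  # chain problem, e.g. self-signed
        return (False, *connect(verify=False), exc.verify_message)
    except ssl.SSLError as exc:                   # e.g. server insists on TLSv1.3
        return False, None, None, f"handshake failed: {exc}"
```

If `trusted` is False with a message like "self signed certificate in certificate chain", the firewall is presenting a chain the phone's CA store cannot build (for example the default self-signed SSL-VPN certificate instead of the Let's Encrypt one); correct the server certificate or load the issuing CA through the Custom CA Rule rather than accepting the pin blindly.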