
OpenVPN Option for --reneg-sec n

I've started putting Grandstream phones on my VPN since Grandstream now has that option on their 21xx models for OpenVPN. But every 3600 seconds it does a TLS reneg, which makes the phone drop audio, lights, etc. for 1-2 seconds and then it comes back on. You don't lose the call, just the phone has a blip. According to the OpenVPN website I can use --reneg-sec n so it resyncs at a longer period than 3600. Is this a server-side or client-side setting, and if it is server-side, where can I make this change?



  • hi,

     

    For it to be effective it must be set on both server and client. For the UTM that is Remote Access > SSL > Advanced, under Cryptographic Settings, Key lifetime.

    However, the Grandstream should not do what it does while renegotiating (its should impact functionality). Try newer firmware or the famous new beta? And for sure report it to Grandstream.

     

    And the usual disclaimer: increasing key lifetime might make a system more vulnerable to attack (maybe).

    >>> It could also be that your UTM key lifetime is set different than your Grandstream, so do verify both are the same.

  • UTM currently has 36000 for the key lifetime but the Grandstream phone doesn't let you set it. I am running the newest 1.0.8.5 firmware that allows OpenVPN with Login/Password.

     

    I did report it to Grandstream as a bug.

  • Hi,

     

    If you cannot change it on the phone, that's a problem then. (Both client and server have an independent reneg-sec setting, and either can force a renegotiation.)

    Do try setting the server to the same as the phone as a test, unless you already tried that.

    Maybe someone else knows a Grandstream hack? Or another optimal setting that does work for them?

     

    Let's hope Grandstream fixes the issue.
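
As an added example (not from the thread or from either vendor), this Python sketch works out which side's timer actually triggers the renegotiation when server and client carry independent `reneg-sec` values. The two config snippets are constructed: the server value mirrors the 36000 mentioned above, and the phone is assumed to run with no `reneg-sec` line, so OpenVPN's default of 3600 applies.

```python
import re

DEFAULT_RENEG_SEC = 3600  # OpenVPN's default when reneg-sec is not set


def parse_reneg_sec(config_text):
    """Return reneg-sec from OpenVPN config text, or the default if absent."""
    value = DEFAULT_RENEG_SEC
    for raw in config_text.splitlines():
        # Drop trailing comments; OpenVPN configs use '#' or ';'.
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0].lstrip("-") == "reneg-sec":
            # Only the first argument is read; an optional second
            # argument is ignored in this sketch. If the directive is
            # repeated, the later line is used here (assumption).
            value = int(parts[1])
    return value


def effective_reneg_sec(server_cfg, client_cfg):
    """Interval at which a renegotiation will really happen.

    Either peer can start one, so the lower non-zero timer wins.
    A value of 0 disables the timer on that side only; None means
    both sides have it disabled.
    """
    timers = [parse_reneg_sec(c) for c in (server_cfg, client_cfg)]
    active = [t for t in timers if t > 0]
    return min(active) if active else None


# Constructed sample configs (assumptions, not dumps from real devices).
SERVER_CFG = """
proto udp
reneg-sec 36000   # longer key lifetime set on the server
"""
CLIENT_CFG = """
client
proto udp
# no reneg-sec line: the client falls back to the default
"""

if __name__ == "__main__":
    print("server:", parse_reneg_sec(SERVER_CFG))
    print("client:", parse_reneg_sec(CLIENT_CFG))
    print("effective:", effective_reneg_sec(SERVER_CFG, CLIENT_CFG))
```

With these inputs the effective interval stays at 3600 seconds even though the server is set to 36000, which matches the behaviour reported in the thread.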
