9600 IP VPN Phones on IPO R7.0(5)

[tekfree]

Ok,

I have a 9608, 9640, and 9641G (all in VPN mode) that I wish to get working off an Avaya IP Office R7.0(5).

So far, no luck.

After much reading and looking at the 100+ other IP Phones in VPN mode that I have done through the years, I am left to assume that since the new 9600 series do not have the ability to administer a 'Virtual IP Address' that I cannot use them in VPN mode?

I have:
1) Avaya IP Office R7.0(5)
2) Sonicwall Tz190 (Enhanced image)
3) All phones above (9600) have the newest firmware that came with R7.0(5) of the IPO

Yet, when I try to connect the phones via VPN, they hang on Phase 2. I can't get them to connect. Phone says, 'IKE Phase 2 No Response.' I've tried every change on the phone to get it to work.

On my Sonicwall, I am getting ' IKE error - duplicate packet dropped'

I have configured the Sonicwall based off the Avaya Tech Tip 190 for Sonicwall.

As a sanity test, I've taken the same phones and connected them to an existing VPN network that currently has 5600 VPN phones wokring, and it connects (gets past Phase 2) yet does not find, see, or 'discover' the IP Address of the Call Server (IP Office). Perhaps if I create a route in the IP Office to match the dynamic vpn pool that the phone comes in on, I'll get it to work.

But my big concern is getting the phone to authenticate at Phase 2, per my comments above.

Any suggestions?

 

[tlpeter]

You do not need the virtual ip but then you do need to use mode config.
Set the protected network to the iprange where the ipoffice is in.


BAZINGA!

I'm not insane, my mother had me tested!

 

[tekfree]

tlpeter, are you referring to enabling the IKE Config Mode?

 

[tekfree]

tlpeter, tried to be proactive and use the 'mode' config (IKE Config Mode) and I get a VPN Tunnel Error, 'Invalid Configuration' which would lead me to believe that I must change the configuration type on the Sonicwall, correct?

 

[tlpeter]

Yes you do.
First thing to do is not using the 9608 and 9641.
They do not have a good working vpn mode yet.


BAZINGA!

I'm not insane, my mother had me tested!

 

[tekfree]

I have a 9640. That phone should have a good working vpn mode, correct? I'll try it (making change on the Sonicwall) and let you know.

Thank you.

 

[hairlessupportmonkey]

iv found the 9621G and 9641G handsets, vpn works great....

ACSS - SME

 

[tlpeter]

For me it did not but that was on a Netgear which you love so much


BAZINGA!

I'm not insane, my mother had me tested!

 

[hairlessupportmonkey]

Cisco - worked first time ;-)

ACSS - SME

 

[CemSenkal]

Hi all !
I am trying to register my 9641G set to my ip office r7.0(5) but when i come to the login screen, it says "enter your extension"then "password" after i enter the extn. and pass. 9641G does not logins. How did you register the set? Did you create the user as asip or H323 ?

 

[tekfree]

cemsenkal, please start a new thread.

In reference to the thread that I started, I finally got the 9640 up and working, some minor tweaks needed to be made on the Sonicwall. We did not do the 'mode config' because that was not an option unless we were doing a 'site to site' vpn (which we were not).

The 9608 and 9641G still do not connect with the Sonicwall, yet they connect on another network using a Netgear FVS338.

Must be the Sonicwall that is not compatible.

Thanks all.

 

[intrigrant]

I tried to setup a 9621 as a VPN extension on a Netgear FVS338 but i coudn't get it working within two hours ( my frustration limit, after that i trash the sh*t ) and i took a 9620 which worked staright away.
How did you get a 9641 working on a Netgear? Do you used mode config or not?

If it ain't dutch it ain't much

 

[tlpeter]

Did you see the vpn log with the 0. instead of 172. intrigrant?
That is where it goes wrong.


BAZINGA!

I'm not insane, my mother had me tested!

 

[tekfree]

intrigant, no I did not use mode config.

On the Netgear FVS338, the 9641G came right up. I loaded the latest .tar files, etc from R7.0, and it works fine.

I just can't get the same phone to work on a Sonicwall.

 

[tlpeter]

I think the problem on the Netgear is mode config.


BAZINGA!

I'm not insane, my mother had me tested!

 

[intrigrant]

I think i know what the problem is with mode config but i did'nt had the time to check.

If it ain't dutch it ain't much

 

[gknight1]

tekfree,

can you post all of your settings of the sonicwall and the phones?

 

[rhawkins74]

I would like to see the settings used on the netgear

 

[jeffthephoneguy]

First off guys the VPN mode does not work in the new 9608 or 96X1 sets yet (maybe the next maintenance release).
Here is what I use for my Sonicwall TZ100W
Follow the global_techtip_190 docs.

SONICWALL VPN PHONE SETTINGS

VPN Profile Generic PSK

Server XXX.XXX.XXX.XXX (Public IP address)
IKE ID GroupVPN (case sensitive)
PSK – (Pre Shared Key) passWord
IKE Parameters
IKE ID Type FQDN
Diffie Hellman Group 2
Encryption ALG 3DES
Authentication ALG Sha1
IKE Xchange Mode Aggressive
IKE Config Mode Disabled
XAUTH Disable
Cert Expiry Check Disabled
Cert DN Check Disabled

IPSEC Parameters
Encryption ALG 3DES
Authentication ALG Sha1
Diffie Hellman Group 2
VPN Start Mode Boot
Password Type Save in Flash (Shows NA)
Encapsulation 4500 – 4500

Protected Nets
Remote Net #1 192.168.42.0/24
Remote Net #2
Remote Net #3
Copy TOS No
Connectivity Check Always
QTEST Disabled


or you can cut and paste this to your 46xxsettings file and put in your password and phone server and http server address.
Don't forget to make the right IP routes in Manager. And in your Sonicwall.

#############################################################
## Set VPN Mode On (On Boot)
## // Do not set this until VPN Settings have been modified
## Disabled if NVVPNMODE = "0"(default),
## Enabled if NVVPNMODE = "1"
##
## SET NVVPNMODE 1
##
SET NVVPNCODE 876
##
## VPNPROC: Whether VPNCODE accesses Special VPN Procedure-
## at all (0=No), in view-only mode (=1), or in view/modify mode (=2)
##
SET VPNPROC 2
##
## BST IT Tech Added Code Start
##
SET NVIKEDHGRP 2
SET NVIKEID "GroupVPN"
SET NVIKEIDTYPE 2
SET NVIKEOVERTCP 0
SET NVIKEP1AUTHALG 2
SET NVIKEP1ENCALG 2
SET NVIKEP2AUTHALG 2
SET NVIKEP2ENCALG 2
SET NVIKEPSK "passWord"
SET NVIKEXCHGMODE 1
SET NVIPSECSUBNET 192.168.X.0/24
SET NVPFSDHGRP 2
SET NVSGIP "XXX.XXX.XXX.XXX"
SET NVVPNAUTHTYPE 3
SET NVVPNENCAPS 0
SET NVVPNSVENDOR 4
SET NVXAUTH 2
## SET NVHTTPSRVR 192.168.42.1
## SET NVMCIPADD 192.168.42.1
##
## BST IT Tech Added Code End
##
#############################################################


Jeff
"the phone guy"
ACSS-SME
APSS-SME

http://www.bluestartelephone.com

 

[kolob4all]

Is this config for 56xx phones?