9608 VPN Phone

dphoneguy24

Technical User
Oct 30, 2003
US
I know that there was a document I had seen somewhere about how to use the 9600 series phones for VPN phones. Can't seem to find it. The 5610/5621/4610/4621 sets are the only ones that need to download the VPN remote software?

What needs to be done on a 9600 series phone?

The H.323 Installation doc for R7 seems to be a little lacking - outdated as well - mentions the new sets but that's about it

Thanks
 
Are any of the 9600 sets supported on IPO as VPN sets?
 
Right from the H.323 IP Office IP Telephone Installation manual issue 17a Mar 7, 2011

Avaya IP Office VPNremote firmware can be used to connect IP phones at remote locations to the IP Office via IPSec VPN tunnels. IP Office 4.1 and higher supports this with some 4600 Series and 5600 Series IP Phones. IP Office Release 6 also supports VPNremote on 9600 Series phones supported by IP Office.

Doesn't say which 9600 series phones.

I have used the 46xx and 56xx many times. Sure don't want to sell a customer a 56xx set that has been discontinued.

Jenne had a webex presentation one day about the differences between the 46/56 and 96 series. There was no VPNremote fw to load on the 96. If it was first set up on the IPO as a regular set, then you did something to reboot it and change it to a VPN set. You could then choose how to set it up (similar to the 46/56) depending on which type of firewall/vpn device you would be connecting to.



 
9608 is not supported as a VPN device yet, so no documentation.

That is what NPI told me but it is not mentioned anywhere.
I have tried a 9608 with a Netgear 336 and it does not work.
The protected network IP that I have entered in the phone turns out to be wrong when the tunnel is built.

Example:

On the phone and in the router I have 192.168.42.0/24
When the phone builds a tunnel then I see in the VPN log this:
0.168.42.0/24

This also happened on a 9641.


BAZINGA!

I'm not insane, my mother had me tested!
 
Peter - that sounds suspiciously like Avaya have crippled it deliberately. Either that or it's an epic FAIL on Avaya's part!

;-)

ACSS (SME)

I never touched anything...
 
I know, with the 5600 end of sale and the old 9600 being more expensive to push the new 9600 this will be an issue :)


BAZINGA!

I'm not insane, my mother had me tested!
 
9620C works a treat - just use what you know works and is supported. The customer will thank you for it!

ACSS - SME
 
HSM, you are absolutely right.
I always recommend a 9620 but I would love to see the 9608 working too.
It is a nice phone with a nice price.

BAZINGA!

I'm not insane, my mother had me tested!
 
The VPN software on the phone itself does not work at the moment.
I saw that SP3 is released for these phones (CM/Aura) where this should be fixed so I think the next maintenance release should have working VPN firmware in it.


BAZINGA!

I'm not insane, my mother had me tested!
 
How do you access the VPN settings on the 9600s? When I go to VPN settings under the Avaya menu and put in my PIN nothing happens...
 
You need to enable it.

Code:
###################################################
## VPN Mode
## 0: Disabled, 1: Enabled.
###################################################

SET NVVPNMODE 1

###################################################
## Vendor.
## 1: Juniper/Netscreen, 2: Cisco
## 3: CheckPoint/Nokia, 4: Other
## 5: Nortel.
###################################################

SET NVVPNSVENDOR 1

###################################################
## Gateway Address
###################################################

## SET NVSGIP

###################################################
## Encapsulation Type.
## 0: 4500-4500, 1: Disabled
## 2: 2070-500, 3: ?
## 4: RFC (500-500)
###################################################

SET NVVPNENCAPS 0

###################################################
## Copy TOS.
## 1: Yes, 2: No
###################################################

SET NVVPNCOPYTOS 0

###################################################
## Authentication Type.
##
## [For Cisco/Juniper/Checkpoint/Other]
## 3: PSK, 4: PSK with Xauth
## 5: RSA signatures with Xauth, 6: Hybrid Xauth
## 7: RSA signatures.
##
## [Nortel Authentication Type]
## 1: Local credentials, 2: Radius Credentials.
## 3: Radius SecureID, 4: Radius Axent.
###################################################

SET NVVPNAUTHTYPE 4

###################################################
## VPN User Type.
## 1: Any, 2: User
###################################################

SET NVVPNUSERTYPE 1

###################################################
## Password Type.
## 1: Save in Flash, 2: Erase on reset
## 3: Numeric OTP, 4: Alpha-Numeric OTP
## 5: Erase on VPN termination.
###################################################

SET NVVPNPSWDTYPE 1

###################################################
## Username
###################################################

## SET NVVPNUSER

###################################################
## User Password.
###################################################

## SET NVVPNPSWD

###################################################
## IKE ID (Group Name).
###################################################

SET NVIKEID vpn_avaya

###################################################
## IKE ID Type.
## 1: IPv4_ADDR, 2: FQDN
## 3: USER_FQDN, 9: DER_ASN1_DN
## 11: Key ID
###################################################

SET NVIKEIDTYPE 2

###################################################
## IKE Xchg Mode.
## 1: Aggressive, 2: Identity Protect.
###################################################

SET NVIKEXCHGMODE 1

###################################################
## IKE DH Group.
###################################################

SET NVIKEDHGRP 2

###################################################
## IKE Encryption Algo.
## 1: AES-128, 2: 3DES
## 3: DES, 4: AES-192
## 5: AES-256, 0: Any
###################################################

SET NVIKEP1ENCALG 2

###################################################
## IKE Auth algo.
## 0: Any, 1: MD5
## 2: SHA-1
###################################################

SET NVIKEP1AUTHALG 2

###################################################
## IPsec PFS DH group.
###################################################

SET NVPFSDHGRP 2

###################################################
## IPsec Encryption Algo.
## 1: AES-128, 2: 3DES
## 3: DES, 4: AES-192
## 5: AES-256, 6: None
## 0: Any
###################################################

SET NVIKEP2ENCALG 2

###################################################
## IPsec Authentication Algo.
## 0: Any, 1: MD5
## 2: SHA-1
###################################################

SET NVIKEP2AUTHALG 2

###################################################
## Protected Network.
###################################################

## SET NVIPSECSUBNET 192.168.42.0/24

###################################################
## IKE Over TCP.
## 0: Never, 1: Auto
## 2: Always
###################################################

SET NVIKEOVERTCP 0

###################################################
## Craft access
## 0: Enabled, 1: only view option is available?
###################################################

SET PROCSTAT 0

###################################################
## VPN craft access
## 0: disabled, 1: view only
## 2: View and edit.
###################################################

SET VPNPROC 2

###################################################
## Call Server address
###################################################

SET MCIPADD 192.168.42.1

###################################################
## craft access code
###################################################

SET PROCPSWD 27238

# END

BAZINGA!

I'm not insane, my mother had me tested!
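
A way to review a settings file like the one posted above before it is pushed to phones. This is an added example, not part of the original post and not Avaya tooling. The value tables are copied from the comments in the posted file, and the list of choices treated as weak is a policy assumed for this example.

```python
import re

SET_RE = re.compile(r"^\s*SET\s+(\S+)\s+(.*?)\s*$")  # "## SET ..." stays a comment

# Documented values, copied from the comments in the posted settings file.
DOCUMENTED = {
    "NVVPNMODE": "01", "NVVPNCOPYTOS": "12", "NVIKEXCHGMODE": "12",
    "NVVPNPSWDTYPE": "12345", "NVIKEP1ENCALG": "012345",
    "NVIKEP2ENCALG": "0123456", "NVIKEP1AUTHALG": "012", "NVIKEP2AUTHALG": "012",
}
# Review policy assumed for this example; it is not Avaya guidance.
WEAK = {
    ("NVIKEP1ENCALG", "2"): "IKE phase 1 encrypts with 3DES",
    ("NVIKEP1ENCALG", "3"): "IKE phase 1 encrypts with DES",
    ("NVIKEP2ENCALG", "2"): "IPsec encrypts with 3DES",
    ("NVIKEP2ENCALG", "3"): "IPsec encrypts with DES",
    ("NVIKEP2ENCALG", "6"): "IPsec encryption is None",
    ("NVIKEP1AUTHALG", "1"): "IKE phase 1 authenticates with MD5",
    ("NVIKEP2AUTHALG", "1"): "IPsec authenticates with MD5",
    ("NVVPNPSWDTYPE", "1"): "VPN password is saved in flash",
}

def parse_settings(text):
    """Return {name: value} for the active SET lines of a settings file."""
    found = (SET_RE.match(line) for line in text.splitlines())
    return {m.group(1): m.group(2) for m in found if m}

def review(settings):
    """Return a list of findings, in the order the settings appear."""
    findings = []
    for name, value in settings.items():
        if name in DOCUMENTED and value not in set(DOCUMENTED[name]):
            findings.append(f"{name}={value}: not a documented value")
        if (name, value) in WEAK:
            findings.append(f"{name}={value}: {WEAK[(name, value)]}")
    # IKEv1 aggressive mode (1) with a pre-shared key (auth type 3 or 4) lets the
    # key be guessed offline from a captured exchange; Identity Protect (2) does not.
    if settings.get("NVIKEXCHGMODE") == "1" and settings.get("NVVPNAUTHTYPE") in ("3", "4"):
        findings.append("NVIKEXCHGMODE=1: aggressive mode with a pre-shared key")
    return findings

# A subset of the lines from the file posted above.
POSTED = """\
## SET NVSGIP
SET NVVPNCOPYTOS 0
SET NVVPNAUTHTYPE 4
SET NVVPNPSWDTYPE 1
SET NVIKEXCHGMODE 1
SET NVIKEP1ENCALG 2
SET NVIKEP2ENCALG 2
"""

if __name__ == "__main__":
    print("\n".join(review(parse_settings(POSTED))))
```

The first finding on the posted lines is `NVVPNCOPYTOS 0`, which is outside the `1: Yes, 2: No` range given in the file's own comment.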
 
I have tested with a 9608 on IPO R6.1. I get the 9608 to come up to the point where it says VPN tunnel failure - fails on exchanging keys - IKE Phase 1 no response

Is this what is broken in the set?
 
Nope, it is phase 2 :)

BAZINGA!

I'm not insane, my mother had me tested!
 
Well then, if I could get past the phase 1 trouble, then I would be where anyone else has been with the 9608.

Testing on a watchGuard here. Have several 56 series IP phones working on WG.

 
Stick a VPN capable router in and a 1608, still cheaper than a 9600 and I find it easier to manage too :)

ACSS (SME)
APSS (SME)


"I'm just off to Hartlepool to buy some exploding trousers
 
That's just cheating Andy :)

ACSS (SME)

I never touched anything...
 
Indeed, it should work :)

BAZINGA!

I'm not insane, my mother had me tested!
 
The VPN firmware for the 9608 and other 96X1 sets will be out the next maintenance release. They still have a lot of issues with these sets, that's why they didn't release the 9611 sets for R7.0(5). I played with the VPN settings for over a week during the Beta of R7. It's a mess! You just have to be patient and wait like the rest of us.

Jeff
"the phone guy"
ACSS-SME
APSS-SME
 