
96xx Firmware 3.1 and VPN


Sterrenjager

Hi all,

I've been playing with the latest firmware for the 96xx series. I put all the correct information in the settings file, and I can view the options on the phone.

I put in the settings file that I'm able to change those settings, but whatever I do, I can only view.

I'm also not able to activate the VPN mode.

Has anyone got an idea or run into the same problems?


The old 46xx VPN phone still works :)

 
You need to put a lot of setup information in the "46xxsettings.txt" file, or you won't even be able to administer or get into the VPN settings... Here is what I use, for CISCO PIX's or ASA's:

SET NVVPNCFGPROF 3
SET VPNPROC 2
SET VPNCODE ""
SET NVSGIP vpn.clientname.com
SET NVXAUTH 1
SET NVMCIPADD W.X.Y.Z (IP address of CLAN or PE)
SET NVIKEID "IPPHONE" (IKEID to login to the VPN tunnel)
SET NVIKEPSK "1adgjm" (IKE PreShared key for the above login)
SET NVIKEP1ENCALG 0
SET NVIKEP1AUTHALG 0
SET NVIKEP2ENCALG 0
SET NVIKEP2AUTHALG 0
SET NVVPNUSER ""
SET NVVPNPSWD ""
SET NVVPNUSERTYPE 1
SET NVVPNPSWDTYPE 1

This is pretty much the minimum, and if you get it set up correctly, the user will only have to enable the VPN and type in their username/password for their own VPN tunnel. You should be able to get all of the other parameters set up properly in the phone via just the settings data above...

You should download the documentation on setting up the 96XX VPN phones.. all of the above parameters are explained/shown.

Mitch

AVAYA Certified Expert
 
The problem I have is that it will not enable vpn.

All the settings you mentioned are all filled in in the settings file. I read the documentation from top to bottom and back.
 
Can you get in and check the VPN settings? Are you getting past the "VPN settings", "Access Code" screen? I set a blank password in the above example, just hit [enter], then the very first field is the enable/disable for the VPN. You have to be on an external LAN/WAN before you even try it, it won't connect on your corporate LAN.

Mitch

AVAYA Certified Expert
 
I'm at home atm and I can get past the access code screen, the only problem after that is that I can't activate the vpn part or change it, and in the settings file I put in the value that I can change it.

I will put the settings in here tomorrow when I'm back at the office.
 
Here are the settings in my settings file.

SET NVVPNMODE 1
SET NVVPNCFGPROF 3
SET NVIKECONFIGMODE 1
SET NVIKEXCHGMODE 1
SET NVVPNAUTHTYPE 4
SET NVSGIP "w.x.y.z"
SET NVVPNUSER ""
SET NVVPNPSWDTYPE 1
SET NVVPNCOPYTOS 2
SET NVVPNENCAPS 0
SET NVIKEPSK 55000-vpnphone
SET NVIKEID "VPNPHONE"
SET NVIKEIDTYPE 11
SET NVIKEDHGRP 2
SET NVPFSDHGRP 2
SET NVIKEP1ENCALG 1
SET NVIKEP2ENCALG 1
SET NVIKEP1AUTHALG 2
SET NVIKEP2AUTHALG 2
SET NVXAUTH 1
SET VPNCODE "876"
SET VPNPROC 2
SET NVMCIPADD "a.b.c.d.,g.h.i.j."
SET NVVPNPSWD ""
SET NVVPNUSERTYPE 1

I'm on a totally different network or at home. The phone powers up, after about 60 seconds it tries to connect the normal way. Discovering of the mcipad address is in the display. I can access the vpn settings by entering "mute 876#" or using the craft login. But I'm not able to enable the vpn mode.

What am I doing wrong?
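
Added example, not part of any post in this thread and not Avaya's tooling: a small Python check that parses SET lines like those posted above and flags items worth reviewing before the file goes on the provisioning server (typographic quotes, text after a value, a parameter set twice, a clear-text pre-shared key, an empty VPN access code), plus a helper to compare two files. The sample input is constructed, and treating NVIKEPSK and NVVPNPSWD as credentials is an assumption based on how the posts describe them; it checks syntax only and knows nothing about what the phone firmware accepts.

```python
import re

# Constructed sample, modelled on the SET lines posted in this thread.
SAMPLE = "\n".join([
    "## constructed sample, not a real deployment",
    "SET NVVPNMODE 1",
    "SET NVIKEPSK 55000-vpnphone",
    "SET NVIKEID \u201cVPNPHONE\u201d",
    "SET NVMCIPADD W.X.Y.Z (IP address of CLAN or PE)",
    'SET VPNCODE ""',
    "SET VPNPROC 2",
    "SET VPNPROC 1",
])

SET_RE = re.compile(r"^SET\s+(\S+)\s*(.*)$")
CURLY = str.maketrans("\u201c\u201d\u2018\u2019", "\"\"''")
SECRETS = {"NVIKEPSK", "NVVPNPSWD"}  # assumption: these hold credentials

def lint_settings(text):
    """Parse SET lines; return ({name: value}, [(line_no, name, finding)])."""
    values, findings = {}, []
    for no, raw in enumerate(text.splitlines(), 1):
        m = SET_RE.match(raw.strip())
        if not m:
            continue  # comments, blank lines, other directives
        name, rest = m.group(1), m.group(2).strip()
        if rest != rest.translate(CURLY):
            findings.append((no, name, "typographic quotes"))
            rest = rest.translate(CURLY)
        # A value is either one double-quoted string or one bare token.
        q = re.match(r'^"([^"]*)"\s*(.*)$', rest) or re.match(r"^(\S*)\s*(.*)$", rest)
        value, trailing = q.group(1), q.group(2)
        if trailing:
            findings.append((no, name, "text after value"))
        if name in values and values[name] != value:
            findings.append((no, name, "redefined with a different value"))
        if name in SECRETS and value:
            findings.append((no, name, "credential stored in clear text"))
        if name == "VPNCODE" and value == "":
            findings.append((no, name, "empty access code"))
        values[name] = value  # last occurrence is kept here
    return values, findings

def diff_settings(a, b):
    """Parameters whose values differ, or that exist in only one file."""
    keys = sorted(set(a) | set(b))
    return {k: (a.get(k), b.get(k)) for k in keys if a.get(k) != b.get(k)}
```

Running lint_settings on each poster's file and passing the two resulting dictionaries to diff_settings lists exactly which parameters differ between a working and a non-working phone.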
 
Have the same problem...anybody?

3.1.1 firmware on a 9630G phone.

 
You have to go through the settings and enable the VPN, this is best done BEFORE you take the phone off site to test it :)



Mitch

AVAYA Certified Expert
 
I've done this. I have set the vpn settings in the 46xxsettings. Opstat is 111, I can clear all values and reset the phone, then go into vpn setup mode, I cannot highlight and change the VPN to Enable.

It only allows me to read the settings on the phone. Both my 9630 and 9620 phones are doing this I have tested.

I highlight VPN, and I can't change the value to Enabled. It is like I am locked in Read mode although I can change every other setting on the phone.

S3.110b firmware. Latest and greatest from Avaya.

Thanks
 
You need to enable this in the 46xxsettings.txt file.


ACS IP Office
APSS IP Office
ACA - Implement IP Telephony -- ACA - Design IP Telephony
APSS UC
ACA - Voice Services Management


______________
Women and cats can do as they please and men and dogs should relax and get used to the idea!
 
Well techlogik, I would not use the "latest and greatest", there have been people having issues with no audio on it. I use R3.101a, which seems to work well. The new release seems to mostly have improvements for the IP Office, and the only noticeable improvement for Definity is the increased length of the VPN login/password.

I would go back to R3.101a firmware and try again.



Mitch

AVAYA Certified Expert
 
I'll give that a try Mitch...because 3.1/3.11, like everything Avaya seems to do, is buggy..haha..

Will report back.
 
Well, now I try a downgrade, have the correct .bin files in and the 96xxupgrade file pointing to it, but the phone won't download the bin file and install it?

 
I finally got the phones downgraded, that was a hassle in and of itself.

Anyway, I can now enable the VPN and test it.

I am using an identical configuration as posted for a Cisco PIX.

But, I am stuck at the key exchange on the phone, then it fails saying incorrect config.

I did a debug of the crypto ipsec on the pix, it keeps saying src denied or something like that.


Can't tell if this phone is trying to act like a site-to-site vpn, or a soft client vpn?

Here is my PIX config...if anybody has any ideas.




ip local pool DHCPPOOL 192.168.9.1-192.168.9.20

aaa-server remotevpn protocol radius
aaa-server remotevpn (inside) host xx.xx.xx.xx password timeout 5

(a couple of site-to-site vpns, but any softclient can connect also)

sysopt connection permit-ipsec
crypto ipsec transform-set DHCPSET esp-3des esp-md5-hmac
crypto dynamic-map DynMap 10 set transform-set DHCPSET
crypto map remotes 10 ipsec-isakmp
crypto map remotes 10 match address 101
crypto map remotes 10 set peer xx.xx.xx.xx
crypto map remotes 10 set peer xx.xx.xx.xx
crypto map remotes 10 set transform-set DHCPSET
crypto map remotes 20 ipsec-isakmp dynamic DynMap
crypto map remotes client authentication remotevpn
crypto map remotes interface outside
isakmp enable outside
isakmp key xxxxxx address xx.xx.xx.xx netmask 255.255.255.255
isakmp key xxxxxx address xx.xx.xx.xx netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup tampacvb address-pool DHCPPOOL
vpngroup tampacvb dns-server xx.xx.xx.xx
vpngroup tampacvb default-domain xxx.com
vpngroup tampacvb split-tunnel 101
vpngroup tampacvb idle-time 43200
vpngroup tampacvb user-idle-timeout 43200
vpngroup tampacvb password xxxxx



 
Got it working, have a thread over at avayausers.com for the Cisco VPN and 3.1 firmware on the phone.

 