Annoying VPN phone issue

Status
Not open for further replies.

Pepp77

Vendor
Oct 30, 2008
2,513
GB
Okay I have been trying to get a 5610 VPN phone working for the best part of 2 weeks now and am starting to wonder if I am missing something stupidly obvious that could be causing it to not work.

The phone connects to a Juniper firewall using a PSK, and the actual VPN tunnel connects with no problem. The issue is that it then sits there on

Discover 192.168.99.201 (the address of the LAN 2 port on the IP office)

On the phone system I have a default route set as

0.0.0.0 / 0.0.0.0 / 192.168.99.254 / LAN 2

192.168.99.254 is the router on site (we have changed the standard RemoteManager IP address range to 192.168.100.x).

This site also has SIP via voiceflex and that uses the same IP route to get out and the SIP works flawlessly.

When the phone is connected it has an IP address of 10.10.10.11 and if I go into SSA and ping it from there via LAN 2 I get 3 quick replies, so I know the phone system can route to the phone.

We have tried 2 different phones and have just today (for an unrelated issue) swapped out their 406v2 for a new 500v2 on the latest software level, and whilst I hoped it would, as expected it didn't make a difference.

The IT maintainers say that if they create a VPN connection using the same VPN details but on a laptop they are able to ping through to the phone system with no issues, so I can only assume that port 1719 is being blocked somewhere, but I have said this to the IT maintainers a few times and they don't seem to think so.

So the big question I have is: can anyone think of anything obvious I may be overlooking, or give me some things I can try to get this phone working?



| ACSS SME |
 
You need to create an IP route for the 10.10.10.x network on the IPO and point it to your VPN router (Juniper in your case). Otherwise the IPO won't know where to look for that IP.
 
Indeed, unless you also use the Juniper as your router on 192.168.99.254 then the IPO will be talking to the wrong place :)

 
Thanks for the replies - the Juniper is the device on 192.168.99.254 (at least that's what the IT people tell me).

| ACSS SME |
 
Okay a bit more information in case it can help anyone resolve this.

I have been advised the Juniper is running ScreenOS version 6.2.0r6.0 and the phone we are using is a 5610SW.

With a client VPN using the same details as the phone the IT guys are able to ping and get to the webpage for the Avaya on its IP address.

The documentation used to create the VPN was for ScreenOS 5.4 and is entitled:

Application Notes for Configuring Avaya VPNremote™ Phone with Juniper Secure Services Gateway using Policy-Based IPSec VPN and XAuth Enhanced Authentication – Issue 1.0

Here are the settings used on the phone (minus the gateway and PSK):

VPN Phone Configuration Information

Company Name
Phone Type 5610

Profile Juniper Xauth with PSK

Server
Username VOIPPhones
Password VOIPPhones
Group Name VPNClient
Group PSK
VPN Start Mode Boot
Password Type Save in Flash
Encapsulation 4500-4500
Syslog Server

IKE Parameters DH2-ANY-ANY
IKE ID Type FQDN
Diffie-Hellman Group 2
Encryption Alg Any
Authentication Alg Any
IKE Xchg Mode Aggressive
IKE Config Mode Disable
Xauth Enable
Cert Expiry Check Disable
Cert DN Check Disable

IPSec Parameters DH2-ANY-ANY
Encryption Alg Any
Authentication Alg Any
Diffie-Hellman Group 2

Protected Nets
Virtual IP 10.10.10.11
Remote Net #1 192.168.99.0/24
Remote Net #2
Remote Net #3
Remote Net #4
Remote Net #5

Copy TOS No
File Svr
Connectivity Check Never
Qtest Disable


Does anyone know if there is a new Avaya document for ScreenOS 6.2?

| ACSS SME |
 
The old, "Discover ip.office.ip.addr"

I hated seeing that message. It let me know the phone was "almost" working.

Forget about creating a route for a specific network, the default route on your IPO should be fine as long as the gateway is the same as every other device on the same network as the IP Office.

What you need to do is have your IT guys watch the firewall log as you power up your VPN phone from home. They need to look for dropped packets to and from the phone IP address, in addition to VPN/encryption/SA errors.

Sometimes the VPN tunnel can "seem" up when it is only partially up. Also, just because you can ping (icmp protocol) and access Avaya web page (http) from a computer does not mean VoIP traffic is allowed to pass-thru.

The fact that your IT guys don't "think" it's being blocked shows their incompetence--either it is or it isn't.

Theodis Butler
President
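The log review described in the post above, as an added example that is not part of the original thread or any Avaya/Juniper tool: it filters constructed, generic syslog-style firewall lines (not real ScreenOS output) for drops involving the phone's virtual IP 10.10.10.11 and for IKE/SA error lines, and separates the "laptop can ping and browse" case from the VoIP case by looking specifically at UDP 1719 (H.323 RAS, the port the original poster suspects). The log format, timestamps and peer address 203.0.113.5 are assumptions made up for the example.

```python
import re
from collections import Counter

# Addresses taken from the thread: the phone's virtual IP and the IP Office LAN 2 address.
PHONE_IP = "10.10.10.11"
IPO_IP = "192.168.99.201"

# Constructed sample log (generic syslog-like lines, NOT a real ScreenOS log).
SAMPLE_LOG = """\
2008-10-30 09:01:02 ike: Phase 1 established with peer 203.0.113.5 (aggressive mode, PSK)
2008-10-30 09:01:03 ike: Phase 2 SA established, proxy-id 10.10.10.11/32 <-> 192.168.99.0/24
2008-10-30 09:01:05 policy: permit src=10.10.10.11 dst=192.168.99.201 proto=icmp
2008-10-30 09:01:06 policy: deny src=10.10.10.11:49152 dst=192.168.99.201:1719 proto=udp
2008-10-30 09:01:06 policy: deny src=10.10.10.11:49152 dst=192.168.99.201:1719 proto=udp
2008-10-30 09:01:08 ike: Phase 2 SA lifetime expired, renegotiating
2008-10-30 09:01:09 policy: permit src=10.10.10.11 dst=192.168.99.201:80 proto=tcp
2008-10-30 09:01:10 policy: deny src=192.168.99.201:1719 dst=10.10.10.11:49152 proto=udp
2008-10-30 09:01:12 ike: ERROR: no proposal chosen for Phase 2 with peer 203.0.113.5
"""

# Matches a policy deny line; ports are optional because ICMP lines carry none.
DROP_RE = re.compile(
    r"deny src=(?P<sip>[\d.]+)(?::(?P<sport>\d+))? "
    r"dst=(?P<dip>[\d.]+)(?::(?P<dport>\d+))? proto=(?P<proto>\w+)"
)
# Words that mark an IKE/SA line as a problem rather than a normal state change.
SA_ERROR_WORDS = ("error", "fail", "expired", "no proposal", "timeout", "mismatch")


def analyse(log_text, phone_ip=PHONE_IP):
    """Summarise drops touching the phone and any IKE/SA errors in the log."""
    drops = Counter()
    sa_errors = []
    for line in log_text.splitlines():
        m = DROP_RE.search(line)
        if m:
            if phone_ip in (m["sip"], m["dip"]):
                direction = "phone->inside" if m["sip"] == phone_ip else "inside->phone"
                drops[(direction, m["proto"], m["dport"] or "-")] += 1
            continue
        if " ike:" in line or " vpn:" in line:
            if any(word in line.lower() for word in SA_ERROR_WORDS):
                sa_errors.append(line.strip())
    return {"drops": dict(drops), "sa_errors": sa_errors}


def verdict(summary):
    """Turn the summary into the one-line answer the firewall team should give."""
    ras_drops = sum(
        n for (direction, proto, port), n in summary["drops"].items()
        if proto == "udp" and port == "1719"
    )
    if ras_drops:
        return f"firewall drops H.323 RAS (UDP 1719) from the phone: {ras_drops} packets"
    if summary["sa_errors"]:
        return "tunnel is only partially up: IKE/SA errors present"
    if summary["drops"]:
        dropped = ", ".join(f"{d} {p}/{port}" for (d, p, port) in summary["drops"])
        return "firewall drops other phone traffic: " + dropped
    return ("no drops or SA errors for the phone: look at the IP Office side "
            "(routes, H.323 gatekeeper on the LAN tab)")


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for key, count in sorted(result["drops"].items()):
        print("drop", key, count)
    for err in result["sa_errors"]:
        print("sa-error", err)
    print("verdict:", verdict(result))
```

In the sample the ICMP and HTTP permits are exactly what a laptop test would exercise, while the only denies are the UDP 1719 exchange, which is why "I can ping it" proves nothing about the phone. When the filter reports no drops and no SA errors for a phone still stuck at "Discover", the cause is not the firewall, which is how this thread eventually ended (gatekeeper disabled on the IPO).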
 
Why not use config mode and let the Juniper assign an IP from a virtual pool?

Then set your protected nets on the phone to 0.0.0.0/0.

It should work then.

ACSS - SME
General Geek

 
And it was something completely obvious - the previous maintainers for this system had turned off H323 Gatekeeper on the LAN tab, and as we never do, I didn't think to check it.

Turned this on and the phone works perfectly.

| ACSS SME |
 
:), that is all I can do :)

That is the last place where you look while it should be the first one.
I never ever turned it off, but I have seen it being turned off.


BAZINGA!

I'm not insane, my mother had me tested!
 