anyone setup the FVS338 VPN with remotephone??

[phneguy]

this is kicking my butt!!!!


i know avaya has the setup for this to download which i have done. i guess im just stupid! or i cant follow directions very well (maybe thats why i never passed the 1st grade?)


can someone give me a little help on this?


i have the 406v2 4.1.9, 4610SWIP, remotephone license which is valid


i have tried to setup the router both ways as avaya has discribed in "IP OFFICE Technical Tip" Tip # 184


any help would be GREAT!

 

[IPOfficeIreland]

have done this on the 318 model which is the same config.

what messages are you getting on the phone and what error messages are you getting on the vpn log in the netgear router?

1 very important thing to do.... upgrade the firmware to the latest on the router, I didn't change any settings and when i updated the firmware it worked immediately!

When you update you simply match the settings on both sides, MD5, etc, FQDN or WAN IP , etc. Very easy, but without the firmware you will be going around in circles.

 

[phneguy]

i just upgraded to 3.0.2-21 with no luck.


which mode did you set this up in?


there are 2 options...


option 1: Using Mode Config and X-Auth

option 2: IKE and VPN Policy Settings


is there a specific message you would have me look for? here is something you could look at??? (netgear VPN Log)


2008 Feb 20 14:11:32 [FVS338] [IKE] Responding to new phase 2 negotiation: 69.128.189.62[0]<=>192.168.1.111[0]_
2008 Feb 20 14:11:32 [FVS338] [IKE] Ignore INITIAL-CONTACT notification from 192.168.1.111[2070] because it is only accepted after phase1._
2008 Feb 20 14:11:32 [FVS338] [IKE] Failed to get IPsec SA configuration for: 192.128.0.0/10<->192.168.1.160/32 from fvs_remote_
2008 Feb 20 14:11:33 [FVS338] [IKE] Responding to new phase 2 negotiation: 69.128.189.62[0]<=>192.168.1.111[0]_
2008 Feb 20 14:11:33 [FVS338] [IKE] Ignore INITIAL-CONTACT notification from 192.168.1.111[2070] because it is only accepted after phase1._
2008 Feb 20 14:11:33 [FVS338] [IKE] Failed to get IPsec SA configuration for: 192.128.0.0/10<->192.168.1.160/32 from fvs_remote_
2008 Feb 20 14:11:35 [FVS338] [IKE] Responding to new phase 2 negotiation: 69.128.189.62[0]<=>192.168.1.111[0]_
2008 Feb 20 14:11:35 [FVS338] [IKE] Ignore INITIAL-CONTACT notification from 192.168.1.111[2070] because it is only accepted after phase1._
2008 Feb 20 14:11:35 [FVS338] [IKE] Failed to get IPsec SA configuration for: 192.128.0.0/10<->192.168.1.160/32 from fvs_remote_
2008 Feb 20 14:11:37 [FVS338] [IKE] Responding to new phase 2 negotiation: 69.128.189.62[0]<=>192.168.1.111[0]_
2008 Feb 20 14:11:37 [FVS338] [IKE] Ignore INITIAL-CONTACT notification from 192.168.1.111[2070] because it is only accepted after phase1._
2008 Feb 20 14:11:37 [FVS338] [IKE] Failed to get IPsec SA configuration for: 192.128.0.0/10<->192.168.1.160/32 from fvs_remote_
2008 Feb 20 14:11:39 [FVS338] [IKE] Responding to new phase 2 negotiation: 69.128.189.62[0]<=>192.168.1.111[0]_
2008 Feb 20 14:11:39 [FVS338] [IKE] Ignore INITIAL-CONTACT notification from 192.168.1.111[2070] because it is only accepted after phase1._
2008 Feb 20 14:11:39 [FVS338] [IKE] Failed to get IPsec SA configuration for: 192.128.0.0/10<->192.168.1.160/32 from fvs_remote_
2008 Feb 20 14:11:41 [FVS338] [IKE] Purged ISAKMP-SA with proto_id=ISAKMP and spi=3ead2358732d3bbf:555f2c4d186cd6a5._
2008 Feb 20 14:11:42 [FVS338] [IKE] ISAKMP-SA deleted for 69.128.189.62[500]-192.168.1.111[2070] with spi:3ead2358732d3bbf:555f2c4d186cd6a5_
2008 Feb 20 14:11:43 [FVS338] [IKE] 192.168.1.160 IP address has been released by remote peer._


hope that helps?

also, this is a phone inside the office. does the phone need to outside the office on a different network to work if im trying to run the vpnremotephone?

thanks,
Kyle

 

[kwing112000]

I dont think you can VPN from inside the office. I know for a fact it willnot work with Cisco and juniper so i would only guess it wont work. You cant go out and in on the same interface.

 

[phneguy]

thats what i thought, i just wanted to make sure.

was just wondering what mode i should use as i described in the last reply?

config mode with X-Auth or IKE & VPN Policy

 

[IPOfficeIreland]

ike and vpn policy is the easiest

 

[phneguy]

I tried to do the IKE and VPN policy but could not even see the phone getting to the router?

Again the phone is inside the office. Hopefully if I put the phone at the remote location it will work?

 

[IPOfficeIreland]

vpn wont establish to same network, that's how vpns work,
so 192.168.0.1 trying to connect to remote network 192.168.0.0 is not going to establish.

 

[puregold]

I have the FVS 338 set up ok.

I used X auth and i am using 2 ports on a layer 3 VLAN switch as a seperate VLAN to simulate the internet etc.

That works fine for me.

ACE - Avaya Certified Expert
ACI - Avaya Certified Instructor

 

[phneguy]

purgold

would the ike & VPN policy be easier?


thanks for all the help, but im still a little "iffiy" on the whole set up.

is there anyway someone could help me set this up?

thanks again,

Kyle

 

[puregold]

Who knows, that was at the top of the bulletin so that was the one i went for cause im lazy. It works.

Ill try the other one tommorow.

ACE - Avaya Certified Expert
ACI - Avaya Certified Instructor

 

[phneguy]

ill try to mess with this again today. i will let you know how it goes.

hopefully something works this time????

 

[phneguy]

i was able to go next door to try and connect the remote phone to the office with no luck.

here is the VPN log... maybe someone can tell me what it means???


2008 Feb 21 15:56:40 [FVS338] [IKE] Remote configuration for identifier "fvx_remote" found_
2008 Feb 21 15:56:40 [FVS338] [IKE] Received request for new phase 1 negotiation: 69.128.189.62[500]<=>24.158.196.110[1227]_
2008 Feb 21 15:56:40 [FVS338] [IKE] Beginning Aggressive mode._
2008 Feb 21 15:56:40 [FVS338] [IKE] Received unknown Vendor ID_
- Last output repeated 2 times -
2008 Feb 21 15:56:40 [FVS338] [IKE] Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02__
2008 Feb 21 15:56:40 [FVS338] [IKE] Received unknown Vendor ID_
2008 Feb 21 15:56:40 [FVS338] [IKE] Received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt_
2008 Feb 21 15:56:40 [FVS338] [IKE] For 24.158.196.110[1227], Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02_
2008 Feb 21 15:56:41 [FVS338] [IKE] The packet is retransmitted by 24.158.196.110[1227]._
2008 Feb 21 15:56:42 [FVS338] [IKE] Floating ports for NAT-T with peer 24.158.196.110[1228]_
2008 Feb 21 15:56:42 [FVS338] [IKE] NAT-D payload matches for 69.128.189.62[4500]_
2008 Feb 21 15:56:42 [FVS338] [IKE] NAT-D payload does not match for 24.158.196.110[1228]_
2008 Feb 21 15:56:42 [FVS338] [IKE] NAT detected: Peer is behind a NAT device_
2008 Feb 21 15:56:42 [FVS338] [IKE] ISAKMP-SA established for 69.128.189.62[4500]-24.158.196.110[1228] with spi:e215c118debd7a52:e5eec643d899e0de_
2008 Feb 21 15:56:42 [FVS338] [IKE] Sending Informational Exchange: notify payload[INITIAL-CONTACT]_
2008 Feb 21 15:56:42 [FVS338] [IKE] Remote address mismatched. Local=24.158.196.110[1228], Peer=24.158.196.110[1227]_
- Last output repeated twice -
2008 Feb 21 15:56:43 [FVS338] [IKE] Responding to new phase 2 negotiation: 69.128.189.62[0]<=>24.158.196.110[0]_
2008 Feb 21 15:56:43 [FVS338] [IKE] Ignore INITIAL-CONTACT notification from 24.158.196.110[1228] because it is only accepted after phase1._
2008 Feb 21 15:56:43 [FVS338] [IKE] Failed to get IPsec SA configuration for: 192.128.0.0/10<->192.168.1.101/32 from fvx_remote_
2008 Feb 21 15:56:43 [FVS338] [IKE] Responding to new phase 2 negotiation: 69.128.189.62[0]<=>24.158.196.110[0]_
2008 Feb 21 15:56:43 [FVS338] [IKE] Ignore INITIAL-CONTACT notification from 24.158.196.110[1228] because it is only accepted after phase1._
2008 Feb 21 15:56:43 [FVS338] [IKE] Failed to get IPsec SA configuration for: 192.128.0.0/10<->192.168.1.101/32 from fvx_remote_
2008 Feb 21 15:56:45 [FVS338] [IKE] Responding to new phase 2 negotiation: 69.128.189.62[0]<=>24.158.196.110[0]_
2008 Feb 21 15:56:45 [FVS338] [IKE] Ignore INITIAL-CONTACT notification from 24.158.196.110[1228] because it is only accepted after phase1._
2008 Feb 21 15:56:45 [FVS338] [IKE] Failed to get IPsec SA configuration for: 192.128.0.0/10<->192.168.1.101/32 from fvx_remote_
2008 Feb 21 15:56:47 [FVS338] [IKE] Responding to new phase 2 negotiation: 69.128.189.62[0]<=>24.158.196.110[0]_
2008 Feb 21 15:56:47 [FVS338] [IKE] Ignore INITIAL-CONTACT notification from 24.158.196.110[1228] because it is only accepted after phase1._
2008 Feb 21 15:56:47 [FVS338] [IKE] Failed to get IPsec SA configuration for: 192.128.0.0/10<->192.168.1.101/32 from fvx_remote_
2008 Feb 21 15:56:49 [FVS338] [IKE] Responding to new phase 2 negotiation: 69.128.189.62[0]<=>24.158.196.110[0]_
2008 Feb 21 15:56:49 [FVS338] [IKE] Ignore INITIAL-CONTACT notification from 24.158.196.110[1228] because it is only accepted after phase1._
2008 Feb 21 15:56:49 [FVS338] [IKE] Failed to get IPsec SA configuration for: 192.128.0.0/10<->192.168.1.101/32 from fvx_remote_


thanks guys!

 

[kwing112000]

It looks like phase 2 is failing. It is IKE phase 2. maybe goolge that and see what it comes up with.

 

[IPTMarcus]

I ran into same issue on FVS338. I had port 4500 going to a PC on the network and I needed to remove that rule...It uses UDP port 4500 to talk as well as the normal port 500