Avaya 4621 IKE Xchg Mode

[techalum]

I have run into a new problem. We have several users that work remotely and use a 4621 IP phone. They were all able to connect properly to our phone system and work without any issues. However, a new vulnerability came up when we did our monthly PCI scan. It is an issue which requires that we disable aggressive mode on the firewall in order to be compliant.I disabled aggressive mode and the phones no longer connect. I went into the phone settings and can't find a way to set the phone to main mode. Has anyone run into this issue?

Thanks!
Tech

 

[gwebster]

Looking in the default 46xxsettings.txt file, it appears as though you can only change from Aggressive to Main mode on a 9600-series.
## NVIKEXCHGMODE specifies the exchange method to be used for IKE Phase 1.
## Valid Values
## 1 Aggressive Mode (default)
## 2 Main Mode
## This parameter is supported by:
## 96x1 H.323 R6.0 and later
## 96x0 H.323 R3.1 and later
## SET NVIKEXCHGMODE 2

 

[tlpeter]

Aggressive mode can be changed on the 46xx phones.
You need to enter the VPN settings on the phone.
It is somewhere there but i do not know it from the top of my head.



BAZINGA!

I'm not insane, my mother had me tested!

 

[techalum]

Webster and TLPeter,
Thanks for the information. The only thing for the settings on the phone for the 46xx on the config screen is aggressive and identity protect. I will also take a look at the 96xx text file. If you can think of anything else, please let me know. I will post my resolution and road blocks.

Thanks,
Techalum

 

[vaniello]

Has anyone successfully established a VPN connection from a 4621SW phone connected to a Cisco ASA firewall using IKEv1 Identity Protect (aka main mode)? The VPN connection works without an issue using IKEv1 aggressive mode, but when I switch to identify protect the VPN fails.