
Avaya 5610 IP - VPN - with Linksys RV042

Status
Not open for further replies.

CPATT

Technical User
Oct 19, 2009
7
US
All,

Having problems getting an Avaya 5610SW IP Phone to work in VPN mode with a Linksys RV042 (router/VPN/firewall device, firmware 1.3.12.19-tm).

I have a 5610SW IP Phone (all necessary .bin files are loaded - as this phone has worked previously in a different VPN environment).

An Avaya VPN lic has been purchased - and does show up in the IP406V2 running R5.0(8)

At head end (main site) - there is a Linksys RV042 - static IP 70.X.X.249. We have created a 'client-to-gateway' profile in the Linksys RV042 - with the following:

LOCAL SECURITY GROUP:
1) IP Only
2) IP address - 70.X.X.249 (shows up automatically)
3) Local Security Group Type - Subnet
4) IP Address: 192.168.2.0
5) Subnet Mask: 255.255.255.0

REMOTE CLIENT SETUP:
1) Remote Client: IP + Domain Name (FQDN) Authentication
2) IP Address: 67.X.X.123 (static WAN IP of SOHO)
3) Domain Name: fvx_remote

IPSec SETUP:
1) Keying Mode: IKE with Preshared Key
2) Phase 1 DH Group: Group 1
3) Phase 1 Encryption: 3DES
4) Phase 1 Authentication: SHA1
5) Phase 1 SA Life Time: 28800
6) Perfect Forward Secrecy - checked
7) Phase 2 DH Group - Group 2
8) Phase 2 Encryption - 3DES
9) Phase 2 Authentication - SHA1
10) Phase 2 SA Life Time - 3600 seconds
11) Preshared Key - 1234567890

ADVANCED (tab)
these items are checked:
1) Keep Alive
2) Dead Peer Detection (DPD)


Ok - on the AVAYA 5610SW IP PHONE - these are the settings:

First - we are using the Generic PSK profile

1) Server: 70.X.X.249
2) IKE ID: fvx_remote
3) PSK: 1234567890
4) IKE PARAMETERS:
A. IKE ID Type: FQDN
B. DH Group - 1
C. Encryption - 3DES
D. Authentication - SHA1
E. IKE Exchange - Aggressive
F. IKE Config - Disable
G. XAUTH - Disable
H. Cert - Disable
I. Certn DN - Disable
5) IPSEC PARAMETERS:
A. Encryption - 3DES
B. Authentication - SHA1
C. DH Group - 2
6) Encapsulation - RFC
7) Protected Nets - Virtual IP - I inserted a private address from the Main Site (192.168.2.240) - that I know is not being used

That's it.

Tunnel never works - I get all sorts of logs in the Linksys - primarily the Linksys' logs say:

Informational Exchange message is invalid because it has a previously used Message ID (0x92505624)

The phone - after 130 seconds says - (4 errors):

1) Error 1/4 - IKE Phase 1 send notify - error code 3997698:4

2) Error 2/4 - IKE Phase 1 no response - error code: 3997698:0

3) Error 3/4 - IKE Phase 1 send notify - error code 3997698:4

4) Error 4/4 - IKE Phase 1 send notify - error code 3997698:18

Does anyone have an RV042 working with an Avaya 5600 IP Phone?

If so - a sample config - would be great - as this is kicking my butt!!!



 
Any reason why you are running two different Diffie-Hellman groups? You have group 1 in IKE and 2 in IPSEC. They should both be 2.

I see some other things that should maybe change. Where did you get the setup from?
 
CarGoSki - "Any reason why you are running two different Diffie-Hellman groups? You have group 1 in IKE and 2 in IPSEC. They should both be 2."

I just followed the Avaya Tech Tip - on the NetGear FVS338 tip - as that is what it had.

"I see some other things that should maybe change. Where did you get the setup from?"

Again - just reading and borrowing from all the tech tips that Avaya released - really. That is all I have been able to do - in an effort to get it to work.

What suggestions/changes do you have in mind?
 
CarGoSki- my Linksys RV042 does NOT support XAUTH - therefore, the tech tip (link) is not applicable.
 
Well, o.k., but the tech tip you used has option #2 with xauth off AND diffie hellman group to the same number. Far be it from me to suggest that your prime modulus group is the same and the possible problem.

Diffie-Hellman is a public-key cryptography scheme that allows two parties to establish a shared secret over an insecure communications channel. It is also used within IKE to establish session keys.

The group can be one of the following:

group1—Specifies that IKE use the 768-bit Diffie-Hellman prime modulus group when performing the new Diffie-Hellman exchange.
group2—Specifies that IKE use the 1,024-bit Diffie-Hellman prime modulus group when performing the new Diffie-Hellman exchange.
group2 provides more security but requires more processing time.

Good luck..busy
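
Added example (not part of the original thread, and not Avaya or Linksys tooling): the settings listed in the first post, transcribed into two Python dictionaries and compared between the two ends, with the DH group sizes from the reply above. The key names and helper functions are this example's own.

```python
# Added example; key names and helpers are hypothetical, values are
# transcribed from the settings listed in the first post of this thread.

# DH group -> prime modulus size in bits, as quoted in the reply above.
DH_BITS = {1: 768, 2: 1024}

# Linksys RV042 client-to-gateway profile (head end).
RV042 = {
    "p1_dh": 1, "p1_enc": "3DES", "p1_auth": "SHA1", "p1_life": 28800,
    "p2_dh": 2, "p2_enc": "3DES", "p2_auth": "SHA1", "p2_life": 3600,
    "id_type": "FQDN", "id": "fvx_remote", "psk": "1234567890",
}

# Avaya 5610SW "Generic PSK" profile (remote phone).
PHONE = {
    "p1_dh": 1, "p1_enc": "3DES", "p1_auth": "SHA1",
    "p2_dh": 2, "p2_enc": "3DES", "p2_auth": "SHA1",
    "id_type": "FQDN", "id": "fvx_remote", "psk": "1234567890",
    "p1_exchange": "Aggressive",
}


def compare(gateway, client):
    """Compare two proposals key by key.

    Returns (mismatches, gateway_only, client_only). A key present on one
    side only means the post never states the peer's value for it.
    """
    shared = gateway.keys() & client.keys()
    mismatches = {k: (gateway[k], client[k])
                  for k in sorted(shared) if gateway[k] != client[k]}
    return (mismatches,
            sorted(gateway.keys() - client.keys()),
            sorted(client.keys() - gateway.keys()))


def dh_bits(cfg):
    """Modulus size in bits that each phase negotiates under cfg."""
    return {"phase1": DH_BITS[cfg["p1_dh"]], "phase2": DH_BITS[cfg["p2_dh"]]}


if __name__ == "__main__":
    mismatches, gw_only, ph_only = compare(RV042, PHONE)
    print("mismatched settings:", mismatches or "none")
    print("stated for the RV042 only:", gw_only)
    print("stated for the phone only:", ph_only)
    print("DH modulus sizes:", dh_bits(PHONE))
```

Every setting the post gives for both ends agrees; the IKE exchange mode (Aggressive) and the SA lifetimes are each stated for one end only, so the listing alone cannot confirm that those match.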
 
CarGoSki - thank you for the explanation.

Have tried it - the way you explained above - and still a no go. Changed both groups back to 1.

After reading through ALL the Avaya tech tips on VPN phones - I was just trying anything possible.

Anyone know?
 
I have tried many times with the Linksys RV042 model. It will not work. Get the Netgear FVS338!
 
Just an FYI to all - the Linksys RV042 will not work.

I purchased a Netgear FVS338 - and followed the tech tip - and the VPN phone came up in a matter of minutes.

Thanks all.
 
Just wondering, which version of Netgear firmware are you using for the FVS338? I am having some issues where the router sometimes has to be rebooted in order for the phone to reconnect.

Thanks
 
JOELOH - Firmware Version: 3.0.3-17
 