Avaya 9620L VPN with Netgear FVS318N


Techman1966

Vendor
Dec 21, 2013
14
US
I have a customer that has a Netgear FVS318N for their VPN/router. Has anyone ever successfully configured this type of router with a 9620L? I keep getting VPN tunnel failure/IKE no phase 1 response on the phone. Tried everything on the router in IKE policies, firewall, mode config, not sure why it is being so difficult. I have set these up using Cisco and SonicWall with little issues. The biggest problem I have with this site is a Network person that does not know much about setting up VPNs and he bought the Netgear because the customer does not want to spend much money. I have all but given up with this one and have suggested they use a Netgear SRX5308. Any thoughts out there?
 
Setting up a Netgear FVG318 or FRV338 for Remote IP VPN Phone, should work with most Netgear routers as the GUI is the same

Assumed Points:
VoIP Extension created with VPN phone allowed
VPN Phone Valid License
Group number set to 876 (VPN) on the ip phone
VPN Firmware loaded onto IP Phone

Netgear Steps:

My Netgear External IP is 81.81.81.81, Internal Subnet is 192.168.1.0
Remote External IP Address and Internal Address does not come into effect
I use DES and MD5 as Encryption Methods (You can use your preferred as long as you match)
My FQDN is iphone.com
My Pre-Shared Key is presharedkey

****Update to the latest Netgear firmware - won't work otherwise***
****Program Policies Manually - do not use Wizard*****
_________________________________________________________________________

Step 1A...Create an IKE Policy Under VPN Tab

General___
Policy Name: IPPhone
Direction: Responder
Exchange Mode: Aggressive

Local___
Identifier: Local WAN IP
Remote: USER-FQDN
IDENTIFIER: ipphone.com

IKE-SA Param___
Encryption Algo: DES
Authentication Algo: MD5
Authentication Method: Pre-Shared Key
Pre-shared Key: presharedkey (min 8 characters)
Diffie-Hellman: Group2
SA-LifeTime: 28800

Step 1B... Create a New VPN Policy (this is the policy which the IKE user applies to)

General___
Policy Details:
Policy Name: IPPhone
Policy Type: Auto
Remote Endpoint: FQDN ipphone.com
Enable Netbios: Not Ticked

Traffic___ (Program this part to suit your network)
Local IP: Subnet
Start IP: My local LAN 192.168.1.0
Subnet Mask: 255.255.255.0
Remote IP: Any (this means that the phone can be plugged into any connection and set up VPN)

Manual Policy Param____NOT USED

Auto Policy Param___
SA Lifetime: 3600 seconds
Encryption Algo: DES
Integrity Algo: MD5
PFS Key Group: DH2

Assign the Above Policy to IKE Policy created in STEP1A Above


___________________________________________________________________________________________________________

IP Phone Settings:

Generic PSK Profile Selected
Server: 81.81.81.81
IKE ID: ipphone.com
PSK: presharedkey

IKE Parameters___
IKE ID Type: User-Fqdn
Diff-Hellman: 2
Encryption alg: DES
Authentic Alg: MD5
IKE Xchg Mode: Aggressive
IKE Config Mode: Disable
XAuth: Enable
CertExpiryCheck: Enable
CerDNCheck: Enable

IPSec Parameters___
Encryption Alg: DES
Authentication Alg: MD5
Diffie-Hellman: 2

VPN Start Mode: Boot
Password Type: N/A
Encapsulation: Disable
Syslog Server: Not Using

Protected Nets___
Virtual IP: 0.0.0.0 (Any)
Remote Net#1: 192.168.1.0/24
Remote Net#2...5: Not Used

Copy TOS: No
File Server: TFTP Server Address if using on remote network (I am using Boot mode VPN so sets up VPN first then looks for TFTP)
QTest: Disable
Connectivity Check: Never
 
I do not see some of the settings in my 9620L phone. Everything else looks the same. This is a 7.0 IPO with two IP Endpoint licenses. I established an IP local network connection with them and they are registered to the system. I ran the 46xxx setting file and can enable VPN mode. Am I missing something? I just tried your setup, no luck. Still saying IKE phase 1 no response.

I do not see these as options once in vpn programming on phone:
XAuth: Enable
CertExpiryCheck: Enable
CerDNCheck: Enable

VPN Start Mode: Boot
Password Type: N/A

VPN Start Mode: Boot

File Server: TFTP Server Address if using on remote network (I am using Boot mode VPN so sets up VPN first then looks for TFTP)
QTest: Disable
Connectivity Check: Never
 
Don't use the 318.
It is too weak and does not work well.
The 336 will work much better.


BAZINGA!

I'm not insane, my mother had me tested!

 
This is the script I always use and it has never failed me, and as tlpeter advised: use the 336 VPN router, it is a lot more reliable.
 
Have any of you used the Netgear SRX5308? There is a configuration PDF from Avaya dated 2013 on the knowledge base. My biggest problem at this point is that I am limited on network knowledge and their data guy is not much better. The customer is also using AT&T UVERSE in bridge mode. I was also specific in telling their guy to make sure the firewall is not blocking IPSEC IKE ports. Anything else I need to make him aware of?
 
I agree with tipeter and intrigrant on the FVS318. I was actually forced to get a VPN phone going on a FVS318 today myself. I also have limited network knowledge but was able to follow technical tip 184 and get my 9608 on an IP500 9.0 working on the VPN. I was able to find every setting mentioned using Option 1 Mode Config and X-Auth, except the last setting for protected nets. There was no Virtual IP, nor Remote IP settings, only a single Protected Nets setting, in my case was my Lan subnet 192.168.100.0/24. Hope this helps.
 
I cannot see these settings in the 9620 - (Cert Expiry Check Disable Cert DN Check Disable) in the IKE parameters. I have the current firmware on the phone. I ran the 46xx settings from my 9.0 at my shop and can enable VPN mode and program everything else. The 46xx settings I am using is from 2009 is there a newer one?
 
Your 46XX file is fine from 209. I'll check on my 9620 tomorrow. What Profile do you have set in the phone?
 
My profile is set to "OTHER", right arrow over, then it shows PSK with AUX. When I changed my 46xx text file I removed # under the first box then put SET VPNPROC 2 in its place. This is what I did on two other deployments of VPN 9600s phones that were using Cisco and SonicWall routers and they both worked great.
 
Found this for a 9620 that may help. Shows the cert expiry and cert dn are not there.
General
VPN: Enabled
VPN Vendor: Other
Gateway Address: Public IP of VPN Router
External Phone IP: 0.0.0.0 for DHCP
External Router: 0.0.0.0 for DHCP
External Subnet: 0.0.0.0 for DHCP
External DNS: 0.0.0.0 for DHCP
Encapsulation: 4500-4500
Copy TOS: No
Auth. Type
PSK
IKE PSK
IKE ID: vpnphone1_remote
Pre-Shared Key: vpnphone1
IKE Phase 1
IKE ID Type: FQDN
IKE Xchg Mode: Aggressive
IKE DH Group: 2
IKE Encryption Alg: 3DES
IKE Auth.Alg.: SHA-1
IKE Config Mode: Disabled
IKE Phase 2
IPsec PFS DH Group: 2
IPsec Encryption Alg: 3DES
IPsec Auth Alg: SHA-1
Protected Net: X.X.X.X/24 Subnet where the VPN router is.
IKE Over TCP
No
 
Change your phone to PSK only and go through all your phone settings beginning to end, matching your IKE and VPN policies of the router.
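
Added example (not from any poster in this thread): a small Python check that parses the router-side and phone-side phase 1 values posted earlier in the thread and reports which fields differ, since both ends must agree on these for phase 1 to complete. The label-to-field mapping and the list of weak values are assumptions of this example, not Netgear or Avaya definitions.

```python
import re

# Constructed input: phase 1 values as posted in this thread (router side, then phone side).
ROUTER = """Exchange Mode: Aggressive
Remote: USER-FQDN
IDENTIFIER: ipphone.com
Encryption Algo: DES
Authentication Algo: MD5
Pre-shared Key: presharedkey
Diffie-Hellman: Group2"""
PHONE = """IKE ID: ipphone.com
PSK: presharedkey
IKE ID Type: User-Fqdn
Diff-Hellman: 2
Encryption alg: DES
Authentic Alg: MD5
IKE Xchg Mode: Aggressive"""

# Assumption: this label-to-field mapping is built from the labels used in the posts.
ALIASES = {
    "exchange mode": "mode", "ike xchg mode": "mode",
    "remote": "id_type", "ike id type": "id_type",
    "identifier": "id", "ike id": "id",
    "encryption algo": "enc", "encryption alg": "enc",
    "authentication algo": "auth", "authentic alg": "auth",
    "pre-shared key": "psk", "psk": "psk",
    "diffie-hellman": "dh", "diff-hellman": "dh",
}
# Values long deprecated for IKE: single DES, HMAC-MD5, DH groups 1 and 2.
WEAK = {"enc": {"des"}, "auth": {"md5"}, "dh": {"1", "2"}}

def parse(text):
    out = {}
    for line in text.splitlines():
        label, _, value = line.partition(":")
        field = ALIASES.get(label.strip().lower())
        if field in ("psk", "id"):               # compared exactly as typed
            out[field] = value.strip()
        elif field == "dh":
            out[field] = re.sub(r"\D", "", value)             # "Group2" -> "2"
        elif field:
            out[field] = re.sub(r"[\s-]", "", value).lower()  # "USER-FQDN" == "User-Fqdn"
    return out

def compare(router, phone):
    r, p = parse(router), parse(phone)
    mismatches = sorted(f for f in set(ALIASES.values()) if r.get(f) != p.get(f))
    weak = sorted(f for f, bad in WEAK.items() if r.get(f) in bad)
    return mismatches, weak
```

`compare(ROUTER, PHONE)` returns the list of fields that differ and the list of router-side fields using a deprecated algorithm or group; the 3DES/SHA-1 values from the 9620 listing above show up as `enc` and `auth` mismatches against a DES/MD5 router policy.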
 
WSpence, that is exactly what I have on my phone. I can't for the life of me find the other settings that apply for Generic. I used that setup on a SonicWall and it worked well. I am dealing with this Netgear and a data guy that isn't a data guy. The first thread to my original question is what I am trying to do since that worked for a Netgear setup. This is killing me. I am on a quest to get this. Thanks for the help. I am still looking into the 46xx text parameter settings to see if that is where I can change something that will affect what I see on the phone once in VPN programming.
 
Seems like a couple of years back when I tried my first one on a 318 I could never make it work. Ended up going with the 336 which was replaced by a 338. Just today I tried again on a 318, this time on, technical tip 184, I followed Option 1 Mode Config and X-Auth. The phone's profile is set to Juniper when using that config. Good luck!
 
Wspence, can you tell me what your 46xxx setting file is set to? Mine is "SET VPNPROC 2"
 
The SRX5308 works also very well.
Stop trying the 318 as it is slightly different and lacks features.
Use the 336 or any model higher than that.
Google for the VPN phone doc for the Netgear routers and it will work fine.


BAZINGA!

I'm not insane, my mother had me tested!

 
I do not have a 46xxsettings file on this box, therefore not using it.

Go with tipeter's suggestion to get away from this router. I unplugged my remote phone last night, when I plugged it back in this morning it says discover IP Office address. I am rebooting the router to resolve.
 
Thank you for all the comments. I advised the customer today that they need to upgrade their router and their data guy :)
 