Best VPN Solution for 9608

[dbuxton101]

Just wondering if anyone has the built in 9608 VPN client working flawlessly, and what VPN gateway they used.
Just after the best match

 

[hairlessupportmonkey]

Well I am biased, but we use Watchguard. little XTM25 is great for small offices.

ACSS - SME
General Geek

 

[nnaarrnn]

I have quite a few 9608s working flawlessly to Cisco ASA 5505s

 

[dbuxton101]

oh really!
nnarrnn, are you able to send us your 46xxsettings and ASA configs (minus ip addresses and passwords of course)

 

[hairlessupportmonkey]

I wouldnt use an ASA again. They overheat and their memory dies on them.

ACSS - SME
General Geek

 

[nnaarrnn]

I normally do the phone VPN configs manually, and I'll get a copy of an ASA config for you.

Here is what I use to setup the phones:

VPN Tab:
VPN Enabled
VPN Vendor: Cisco
Gateway: (Public IP Address of ASA)
EXT Router: 0.0.0.0 (Let DHCP Server of where remote phone is distribute)
Ext Subnet: 0.0.0.0 (Let DHCP Server of where remote phone is distribute)
Ext DNS: 0.0.0.0 (Let DHCP Server of where remote phone is distribute)
Encapsulation: 4500-4500
Copy TOS: No
Auth Type: PSK w/ XAuth
VPN User Type: Any
VPN User: (As you assign in ASA)
Password Type: Save in flash
User Password: (As you assign in ASA)
IKE ID: (As you assign in ASA - the group name)
PSK: (As you assign in the ASA - the group password)

IKE ID; KEY_ID
IKE Xchg Mode: Aggressive
IKE DH Group: 2 (or whatever you programmed for phase 1)
IKE Encryption Alg: Any
IKE Auth Alg: Any
IKE Config Mode: Enabled
IPSec PFSDH Group: 5 (or whatever you use for phase 2)
IPSec Encryption Alg: Any
IPSec Auth Alg: Any
Protected Network: 0.0.0.0/0
IKE Over TCP: Never

 

[nnaarrnn]

I wouldnt use an ASA again. They overheat and their memory dies on them.

Weird. We've deployed probably 1000+ ASA 5505s (and a few 5512-X's), and I think I've only seen one or two come back-which was a bad power supply after a bad storm.

 

[hairlessupportmonkey]

We deployed a decent number of them. they dont seem to age well. have replaced most of them with XTM25s from watchguard. most of them are all doing IPSEC tunnels on 24/7....

ACSS - SME
General Geek

 

[nnaarrnn]

Interesting.

I found a used Watchguard x15 wifi router/firewall in a building that a client bought. I've been toying with it some. I like it so far.

 

[dbuxton101]

Thanks heaps nnaarrnn,
I will eagerly await your ASA Config.

 

[hairlessupportmonkey]

> thanks heaps

Only a Kiwi says that....

ACSS - SME
General Geek

 

[jbalzeripo]

I have a client looking to convert an existing user to 9608 VPN user (employee is moving out of state). They use a cisco asa 5505.

nnaarrnn, any chance you could contact me with the settings/files you used?

John Balzer Jr
VoIP Engineer, Fox Telecom
ACE-IP Office, ACSS, APSS, Convergance+

 

[Ruuvan]

Cisco, Draytek, Technicolour; these are some of the models we have 96-series phones working through.
All we've ever had to configure on the handset
HTTP / HTTPS / CallServ / FileServ with the WAN IP of the main site. As long as all the relevant ports are forwarded on the routers it should be fine.

 

[Gunnaro]

As long as all the relevant ports are forwarded on the routers it should be fine.

So everyone can connect a phone from wherever they want, without any other authentication than the extn and pin code?

Sounds like madness to me.

Kind regards

Gunnar
______________________________________
Mille viae ducunt homines per saecula Romam

 

[owner66]

nnaarrnn, count me in on that ASA config also, my next step is to get VPN working on these phones,and the only articles I have found deal with cert services etc, looking for a simpler solution.
thanks,
ds

 

[Ruuvan]

Gunnar; it' what has been required of me, so just relaying from my experience.
Can't be sure if it's users moving to offices all over the country or what, but that's how I've needed it setup to work -shrug-