How to enable VPN on 9620L if it's disabled?

[jyang12]

Hi all,

I've seen posts here discussing how to configure VPN on 9620 or 9620L phones. But I've been struggling on how to enable the VPN option in the first place - for some reason that option is disabled on the 9620L I have and there is no way for me to enable it... Is there any way for me to do that without messing with the 46xxsettings.txt? Thanks

 

[holdmusic34]

No. How else would you propose to configure it?

At the very least you would need

VPNPROC 2 And
IF $GROUP SEQ 0 GOTO NO96XXVPN
IF $GROUP SEQ 876 GOTO 96XXVPN in your 46XX

Put your defaulted handset in group 876 and it will pick up the data in the 96XXVPN.txt YOU will create.
TIP: I find that you need to put VPNPROC 2 at the top of the 46XX or the handset will not give you VPN programming options when it is in group 876.

Something like this at the top of your 46XX:

Set VPNROC 2
################ AVAYA SCREEN SAVER SETTINGS ###################
##
## Idle time before the Avaya Screen Saver is activated (minutes).
## Number of minutes without phone activity to wait
## before the screen saver is activated. A value of 0 means
## the screen saver is never activated. The default is 240 minutes.
## This parameter does not apply to 16cc SIP phones.
##
## Note:
## This setting activates the Avaya Screen Saver which is
## different than the "idle screen" accessed by WMLIDLEURI.
## While it is possible to use WMLIDLEURI as an "idle
## screen", it is recommended that the SCREENSAVERON
## timer and the Avaya Screen Saver display be used for
## screen saver purposes.
##
SET SCREENSAVERON 20
##
## The automatic default for Release 6 - applicable to 9600 phones
## This can be modified to add your companies own screen saver
##
SET SCREENSAVER SCFSCREENSAVER.jpg
##
############### DISPLAY BACKLIGHT CONTROL ################
##
## Idle Time Before Turning Off Backlight (minutes)
## Number of minutes without phone activity to wait
## before turning off backlight. A value of 0 means the
## backlight is never turned off. This parameter is
## supported only by phones which have a backlight.
## The default is 120 minutes.
SET BAKLIGHTOFF 20

# 96XXVPN
IF $GROUP SEQ 0 GOTO NO96XXVPN
IF $GROUP SEQ 876 GOTO 96XXVPN


# 96XXVPN

GET 96xxVPN.TXT

GOTO END

# NO96XXVPN
SET NVVPNMODE 0
SET PROCSTAT 0
SET VPNPROC 2
SET PROCPSWD 27238

GOTO END

<The rest of your 46xx text file here>
For brevity i did not post it all.


The 96xxVPN will look something like this while you work with it:
# 96XXVPN


################################################## #
## VPN Mode
## 0: Disabled, 1: Enabled.
################################################## #

SET NVVPNMODE 1

################################################## #
## Vendor.
## 1: Juniper/Netscreen, 2. Cisco
## 3: CheckPoint/ Nokia 4: Other
## 5: Nortel.
################################################## #

SET NVVPNSVENDOR 4

################################################## #
## Encapsulation Type.
## 0: 4500-4500, 1: Disabled
## 2: 2070-500, 3: ?
## 4: RFC (500-500)
################################################## #

SET NVVPNENCAPS 0

################################################## #
## Copy TOS.
## 1: Yes, 2: No
################################################## #

SET NVVPNCOPYTOS 0

################################################## #
## Authentication Type.
##
## [For Cisco/Juniper/Checkpoint/Other]
## 3: PSK, 4: PSK with Xauth
## 5: RSA signatures with Xauth, 6: Hybrid Xauth
## 7: RSA signatures.
##
## [Nortel Authentication Type]
## 1: Local credentials, 2: Radius Credentials.
## 3: Radius SecureID, 4: Radius Axent.
################################################## #

SET NVVPNAUTHTYPE 3

################################################## #
## VPN User Type.
## 1: Any, 2: User
################################################## #

SET NVVPNUSERTYPE 1

################################################## #
## Password Type.
## 1: Save in Flash, 2: Erase on reset
## 3: Numeric OTP, 4: Alpha-Numeric OTP
## 5: Erase on VPN termination.
################################################## #

SET NVVPNPSWDTYPE 1

################################################## #
## IKE ID (Group Name).
################################################## #

SET NVIKEID yourrouterID@xxxcontainers.com.au

################################################## #
## IKE ID Type.
## 1: IPv4_ADDR, 2: FQDN
## 3: USER_FQDN, 9: DER_ASN1_DN
## 11: Key ID
################################################## #

SET NVIKEIDTYPE 3

################################################## #
## IKE Xchg Mode.
## 1: Aggressive, 2: Identity Protect.
################################################## #

SET NVIKEXCHGMODE 1

################################################## #
## IKE DH Group.
################################################## #

SET NVIKEDHGRP 2

################################################## #
## IKE Encryption Algo.
## 1: AES-128, 2: 3DES
## 3: DEs 4: AEs-192
## 5: AES-256 0: Any
################################################## #

SET NVIKEP1ENCALG 2

################################################## #
## IKE Auth algo.
## 0: Any, 1: MD5
## 2: sHA-1
################################################## #

SET NVIKEP1AUTHALG 2

################################################## #
## IPsec PFS DH group.
################################################## #

SET NVPFSDHGRP 2

################################################## #
## IPsec Encryption Algo.
## 1: AES-128, 2: 3DES
## 3: DEs 4: AEs-192
## 5: AES-256 6: None
## 0: Any
################################################## #

SET NVIKEP2ENCALG 2

################################################## #
## IPsec Authentication Algo.
## 0: Any, 1: MD5
## 2: sHA-1
################################################## #

SET NVIKEP2AUTHALG 2

################################################## #
## Protected Network.
################################################## #

SET NVIPSECSUBNET 10.9.100.1

################################################## #
## IKE Over TCP.
## 0: Never, 1: Auto
## 2: Always
################################################## #

SET NVIKEOVERTCP 0

################################################## #
## Craft access
## 0: Enabled, 1: only view option is available?
################################################## #

SET PROCSTAT 0

################################################## #
## VPN craft access
## 0: disabled, 1: view only
## 2: View and edit.
################################################## #

SET VPNPROC 2

################################################## #
## Call Server address
################################################## #

SET MCIPADD 10.9.100.250

################################################## #
## craft access code
################################################## #

SET PROCPSWD 27238

GOTO END

# END

Your finished 96xxvpn file which you upload to the system will look better in a format like this:

# 96XXVPN
SET VPNPROC 2
SET NVVPNMODE 1
SET NVVPNSVENDOR 4
SET NVVPNENCAPS 0
SET NVVPNCOPYTOS 0
SET NVVPNAUTHTYPE 3
SET NVVPNUSERTYPE 1
SET NVVPNPSWDTYPE 1
SET NVIKEID abc
SET NVIKEIDTYPE 3
SET NVIKEXCHGMODE 1
SET NVIKEDHGRP 2
SET NVIKEP1ENCALG 2
SET NVIKEP1AUTHALG 2
SET NVPFSDHGRP 2
SET NVIKEP2ENCALG 2
SET NVIKEP2AUTHALG 2
SET NVIPSECSUBNET 10.9.100.1
SET NVIKEOVERTCP 2
SET PROCSTAT 0
SET MCIPADD 10.9.100.250
SET PROCPSWD 27238
SET SCREENSAVERON 20
SET SCREENSAVER YOURSCREENSAVER.jpg
SET BAKLIGHTOFF 20
GOTO END

# END

************************************************************************************************************

After that you has uploaded to the handset you craft in and program your passwords and PSKs programmed in the router.

 

[jyang12]

To make it less complicated, how about just SET NVVPNMODE 1 if 9620 is detected and do the rest on the phone itself? I can just add that one line on the default 46xxsettings.txt(on the 9620 portion), right?

Also I'm trying to figure out how to modify the 46xxsettings.txt file, as I found that the TFTP server is the IPO itself... I can download the file but how can I upload it back?

Thanks

 

[holdmusic34]

Test your solution out yourself post back.

Upload using embedded file manager in manger. Basic stuff.
Read the installation manual, VPN Administrator manual and some case notes on Avaya VPN solutions using different routers for further information. We all had to.

 

[jyang12]

A stupid question: I can't find the 46xxsettings.txt from embeded file management. That's my first impression but just can't find it... I can download it thru http though. That's why I got confused as how do I upload back the modified version??

 

[holdmusic34]

It's in your bins folder in ProgramFiles> Manager

 

[jyang12]

Well I don't know what happen but I can't find such folder either in the embeded file management or the Manager folder of our VM Pro server... I do see the 46xxsettings.txt under the Manager folder but it's different than the one I download from http(thus what the phones are using). We're running 7.0 with VM Pro.

 

[TouchToneTommy]

You could change the files on your computer and install "Avaya MV_IP Tel Mgr", then change the file server address and group number on the phone. This will reboot the phone, and cause it to look to your computer for the files.

 

[jyang12]

Oh that sounds better - is it a free tool? I can download the 46xxsettings.txt and modify it and save it on my PC. Then change the file server address on the phone(do I have to change the group number still?). After confirming the VPN is enabled then I just change the file server address back on the phone? Did I capture all these right?

Thanks

 

[jyang12]

And you care to point me the link - searched on avaya.com and there are many different versions. Looking for version that's best compatible with IPO500 V2 7.0, and 9620L. Thanks

 

[jyang12]

Guys, still struggling in trying to locate the right spot for the 46xxsettings.txt. The copy on the VM Pro server is not matching with the live one available from IPO(which is also the file server for all phones). I checked embeded file management as well and don't see it there either... Where else should I check - this shouldn't be that complicated??

 

[jyang12]

Well, I'm reporting back what I did here: I realized it doesn't matter whether the version online is different, I could just go ahead and upload a version into the embeded file management. So I went ahead and verified after the upload that it's the online copy now. But my simplification attempt doesn't work too well, as I was hoping I can minimize the change on the txt file and do most of the VPN configuration work on the phone. Our environment lets the 96xx phones to download a file called 96xxupgrade.txt first, in which then refer to the 46xxsettings.txt(it's pretty much empty). So I modified the 96xxupgrade file to below:

## IPOFFICE/7.0(278401) 10.1.1.10 AUTOGENERATED
IF $GROUP SEQ 876 GOTO 9620VPN
IF $MODEL4 SEQ 9620 goto BACKUPAPP96XX
IF $MODEL4 SEQ 9630 goto BACKUPAPP96XX
IF $MODEL4 SEQ 9640 goto BACKUPAPP96XX
IF $MODEL4 SEQ 9650 goto BACKUPAPP96XX
goto END
# 9620VPN
SET VPNPROC 2
SET NVVPNMODE 1
SET NVVPNSVENDOR 2 ==> we use Cisco
goto GETSET
# BACKUPAPP96XX
IF $VPNACTIVE SEQ 1 GOTO PHONEAPP96XX
IF $BOOTNAME SEQ hb96xxua3_11.bin goto PHONEAPP96XX
SET APPNAME hb96xxua3_11.bin
goto GETSET
# PHONEAPP96XX
SET APPNAME ha96xxua3_186aS.bin
goto GETSET
# GETSET
GET 46xxsettings.txt
# END

The original version is like this:

## IPOFFICE/7.0(278401) 10.1.1.10 AUTOGENERATED
IF $MODEL4 SEQ 9620 goto BACKUPAPP96XX
IF $MODEL4 SEQ 9630 goto BACKUPAPP96XX
IF $MODEL4 SEQ 9640 goto BACKUPAPP96XX
IF $MODEL4 SEQ 9650 goto BACKUPAPP96XX
goto END
# BACKUPAPP96XX
IF $VPNACTIVE SEQ 1 GOTO PHONEAPP96XX
IF $BOOTNAME SEQ hb96xxua3_11.bin goto PHONEAPP96XX
SET APPNAME hb96xxua3_11.bin
goto GETSET
# PHONEAPP96XX
SET APPNAME ha96xxua3_186aS.bin
goto GETSET
# GETSET
GET 46xxsettings.txt
# END


And then I changed the GROUP on the 9620L to 876 and reboot it a couple times, making sure I see successful "http 1 200" result of the 96xxupgrade.txt. However the darn VPN option still says Disabled. Any idea guys?

 

[tlpeter]

Hire a certified engineer.
This is really basic stuff.
You are doing something wrong i guess

BAZINGA!

I'm not insane, my mother had me tested!

 

[jyang12]

Well that's why I'm here I agree this is really basic stuff and there must be something I did wrong - I hope experts here can point that out easily.

Believe me that phone is not worth of hiring an engineer, worst case I'll just use it as a regular phone.

 

[holdmusic34]

The questions you're asking shouldn't really have to be asked.

This site is for questions from professionals in the field.

 

[jyang12]

Well I'm the only person who manages 4 sites of over 100 phones, would you categorize that as professionals in the field? I'm not pretending I know everything so I'm trying to get help here. Of course some questions here would seem too easy to answer, but I'm sure there's always others could benefit from as well.