
IP500v2 VPN Phone & Sonicwall 1

Status
Not open for further replies.

cg11

MIS
Dec 8, 2004
160
US
Guys and Pros, please help....

I have setup VPN phones in the past with very good results using the old Kentrox routers, and very recently Watchguard.

We cannot get a 9608 VPN phone to work with a newer Sonicwall. We can get the tunnel up and the phone then goes to the infamous "Discover". It sometimes will ask for extension, then after entering the extension, the phone immediately goes to "Discover". It's like the 9608 does not properly "sit" on the local LAN (it gets a local address but can't ping it either). Phone did come online one time for about 12 hours, then never again.

Everything was triple-checked, IP routes, tried using with/without "Protected Nets" programmed, various IKE Phase 1 & Phase 2 settings and much more.

We have 9608s setup in multiple locations running as H.323 without issue on the same Sonicwall hardware (pt-pt gateways).

I found three different sets of Avaya - Sonicwall docs and compared settings, all look right. One tech even mentioned she has hundreds of VPN phones connecting to Sonicwall with issues.

What am I missing here? Do I need a VPN license? Our 9608-Watchguard is set up and does not require a VPN license. I thought the base IP500 comes with up to 4 free VPN licenses.

It's got to be something very simple, please chime in.


System is IP500v2 R9.1.12. VMpro, PRI & SIP trunks, 9508s, 9608s, etc. We do plan to upgrade to R10 or R11 in the near future but customer needs a few remote VPN phones pronto due to this CoVid-19 crap.

 
Avaya VPN phones will take an "IP endpoint" license.
Is this the first IP phone in the system? Does the protected network match the IPO's network? Does the remote LAN subnet match any subnet in the SonicWall?
 
There are plenty of IP Endpoint licenses.
The protected network matches the IPO's network (also tried 0.0.0.0/0).
The remote LAN (VPN phone) is a different subnet. When the VPN tunnel is built the phone has 2 IP addresses, one on its local network 192.168.1.101 and one on the IPO's subnet 192.168.10.201.

When the 9608 vpn phone did work for 12 hours, the Sonicwall handed out this address to the phone: 192.168.168.101. The IT tech changed the Sonicwall DHCP scope for the 9608 to hand out 192.168.10.201-205 (local subnet addresses).

 
You don't need the SonicWall to hand out an IP address to the VPN phone. Just enable the GroupVPN with IKE w/PSK, set your Group 1 and 2 proposals, uncheck everything on the Advanced tab, allow Unauthenticated VPN Client Access to LAN subnets, No Virtual Adapter settings, Allow Connections to Split Tunnels.

The VPN phone will obtain a local address (subnet MUST be different from the IPO's subnet), and build the tunnel. You must manually input the IPO's internal address in Call Server and HTTP server. Ensure that there is a return IP route for the VPN phone's subnet to the SonicWall.
 
Tommy,

Thanks for suggestions, will try this tomorrow and post results.
 
All,

Got this working (for the moment). It turns out I had a default route of 0.0.0.0 to 192.168.50.1 (router on the IP500 subnet). I had to add a static route in the IP500 for the remote site (i.e. 192.168.20.0). The default route of 0.0.0.0 should have addressed this but for some reason you have to manually add the static route as Tommy said.

Thank you!

 
One question on this 9608 VPN phone to Sonicwall setup.

Many home users use 192.168.1.x for their home network. What happens when you have multiple VPN phones deployed that use this same subnet? Will the single static IP route of 192.168.1.0 work for all the remote phones?

We will only know for sure as we roll out more of these remote phones. Theoretically, it should work okay.
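
An added example, not part of the thread and not any poster's or vendor's code: a Python check of the routing conditions discussed above (phone subnet distinct from the IPO's subnet, a return route that resolves to the VPN gateway, and reuse of the same home addressing). The default gateway 192.168.50.1 and the 192.168.20.0 and 192.168.1.0 subnets come from the posts; the SonicWall LAN address, the /24 masks, the site names and the phone addresses are constructed. It assumes the SonicWall is a different device from 192.168.50.1 and that, with no virtual adapter, the phone's local address is the one the IP Office sees.

```python
import ipaddress

def next_hop(routes, dest):
    """Longest-prefix match: gateway of the most specific route covering dest."""
    dest = ipaddress.ip_address(dest)
    best = None
    for prefix, gateway in routes:
        net = ipaddress.ip_network(prefix)
        if dest in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    return best[1] if best else None

def audit(ipo_subnet, routes, vpn_gateway, phones):
    """Check each (site, local_ip, local_subnet) phone against the route table."""
    ipo_net = ipaddress.ip_network(ipo_subnet)
    findings, seen = [], {}
    for site, ip, subnet in phones:
        # The phone's local subnet must differ from the IPO's subnet.
        if ipaddress.ip_network(subnet).overlaps(ipo_net):
            findings.append((site, "overlaps-ipo-subnet"))
        # Replies to the phone must be routed to the VPN gateway.
        hop = next_hop(routes, ip)
        if hop != vpn_gateway:
            findings.append((site, f"return-route-via-{hop}"))
        # One static route covers every site on the same subnet, but two
        # phones with the same address cannot be told apart by IP.
        if ip in seen:
            findings.append((site, f"duplicate-address-with-{seen[ip]}"))
        seen.setdefault(ip, site)
    return findings

IPO_SUBNET = "192.168.50.0/24"      # mask assumed
SONICWALL = "192.168.50.254"        # constructed placeholder address
ROUTES_BEFORE = [("0.0.0.0/0", "192.168.50.1"), (IPO_SUBNET, "on-link")]
ROUTES_AFTER = ROUTES_BEFORE + [("192.168.20.0/24", SONICWALL),
                                ("192.168.1.0/24", SONICWALL)]
PHONES = [  # constructed sample sites
    ("home-a", "192.168.20.15", "192.168.20.0/24"),
    ("home-b", "192.168.1.101", "192.168.1.0/24"),
    ("home-c", "192.168.1.101", "192.168.1.0/24"),
    ("home-d", "192.168.50.77", "192.168.50.0/24"),
]

if __name__ == "__main__":
    print("before:", next_hop(ROUTES_BEFORE, "192.168.20.15"))
    print("after: ", next_hop(ROUTES_AFTER, "192.168.20.15"))
    for finding in audit(IPO_SUBNET, ROUTES_AFTER, SONICWALL, PHONES):
        print(finding)
```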
 