Sonicwall TZ215 VPN Phones 2


teletechman

I have been trying to get a VPN phone working with a Sonicwall TZ215 (FW: Enhanced 5.8.1). The phone is a 9608 going to an IPO R:9.1.3. The IT provider that I have been working with has given me this email, which states that Sonicwall will not work with the VPN phones.

This is not going to happen this way. The firmware used in your link is much older than what we are using. As stated by SonicWALL this will not work with newer models and firmware. So I cannot spend any more time on trying to get this to work.

The subnet they have for their network is 192.168.1.x 255.255.255.0 /24. It is entered as a network. Not a range, not a host.

The log says their VPN log does not meet phase 2. But it’s very limited as they have no view point server for logging, or something similar. You got about 60 seconds' worth of data saying the same thing on your end.

So you can modify your settings however you want. You have all of the info needed to connect, if the phone is capable.

VPNs need to renegotiate all the time whenever they come from different routes. So when a route changes your device will not auto negotiate the tunnel again, causing us to bounce their VPN tunnel. The Sonicwall will keep trying to communicate on the old tunnel with its initial SA until it’s been bounced.

We are getting past phase 1 but it fails on phase 2. We have checked this against the Sonicwall and it seems OK, but I have been through this before and gotten it working when we get the right person looking at the Sonicwall. Has anyone gotten this working so that I can tell the IT provider to pound sand and fix his settings?
Mike

 
It has been a while since I've set up a VPN with a Sonicwall on a new install, but I have added a few to old installations somewhat recently. The only issue I've had was with the Protected Nets entry in the phone. Sometimes I had to leave it blank for the phone to work and sometimes I needed to put in the Remote Net information.

I assume you're familiar with the Tech Tip for the VPN phone setup with Sonicwalls, but perhaps one of these, which focus on the Sonicwall setup, might help your IT vendor.

Application Notes for Configuring a SonicWALL VPN with an Avaya IP Telephony Infrastructure - Issue 1.0

Application Notes for Configuring a SonicWALL VPN solution with an Avaya IP Telephony Infrastructure using Avaya IP Office in a Converged VoIP and Data Network - Issue 1.0

I've always done both the Sonicwall setup and the VPN phones and honestly it was very simple. I actually strongly dislike the Sonicwall programming interface but continued to use it because it was cost effective enough and so simple to setup. Sonicwall still boasts of being an Avaya Devconnect Partner and Avaya is still listed on their website as one of their technology alliance partners. It is possible that they no longer support Avaya VPN phones in their new firmware, but I haven't read or heard anything to that effect. It would also be odd given that they still seem to be an Avaya Devconnect partner.
 
If it's failing on Phase 2 then you have a mismatch of settings on phase 2 between the Sonicwall and your phone.

On the phone, verify your VPN Config in the IKE Phase 2 section; one of these settings is not matching.

I have mine set to DH Group 2, 3DES, SHA-1, 0.0.0.0/0, and Never for IKE over TCP.
 
We have hundreds of VPN phones connecting back to Sonicwalls. They are one of the easier ones to setup.

Here is a doc you can pass to the IT guys - this is tried and tested and designed to be simple to follow -
Then we give them another document that has the following on it to show what we have to enter onto the phone:

Company Name: Pinnacle
Phone Type: 96xx
CallServer: IP address of phone system
Profile: Other
Auth Type: PSK With Xauth
Server: x.x.x.x
Username: Username created during previous document
Password: Password created during previous document
Group Name: GroupVPN
Group PSK: Presharedkey
VPN Start Mode: Boot
Password Type: Save in Flash
Encapsulation: 4500-4500
Syslog Server: N/a

IKE Parameters
IKE ID Type: FQDN
Diffie-Hellman Group: 2
Encryption Alg: 3DES
Authentication Alg: SHA-1
IKE Xchg Mode: Aggressive
IKE Config Mode: Disabled
Xauth: Disabled
Cert Expiry Check: Disabled
Cert DN Check: Disabled

IPSec Parameters
Encryption Alg: 3DES
Authentication Alg: SHA-1
Diffie-Hellman Group: 2

Protected Nets
Virtual IP:
Remote Net #1: 192.168.x.0/24
Remote Net #2:
Remote Net #3:
Remote Net #4:
Remote Net #5:

Copy TOS: No
File Svr: 0.0.0.0
Connectivity Check: First time
Qtest: No


Using this document (with all correct details entered) even our junior engineers can quickly and easily configure a new VPN handset.

| ACSS SME |
 
I wouldn't go that far @tidypants!! It'll go to his head ;-)

ACSS (SME)

 
Thanks for the info Pepp77, I believe that the IT provider missed the enable perfect forwarding secrecy setting. I am having him turn it on now and will let you know.
Thanks Mike
 
Hey Pepp will this also work with the 46XX series phones?
Mike
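
An added example, not part of any post in this thread: a small Python check that reads the IKE/IPSec lines of a handset sheet laid out like the one above and compares them with the gateway's proposal, so a phase 2 mismatch such as a missing PFS group (the Diffie-Hellman Group line under IPSec Parameters) is reported by name. The `GATEWAY` values and key names are assumptions made for this example, not SonicWall's own setting names.

```python
import re

# Constructed sample: the IKE/IPSec lines as laid out in the handset sheet above.
PHONE_SHEET = """\
Server x.x.x.x
IKE Parameters
Diffie-Hellman Group 2
Encryption Alg 3DES
Authentication Alg SHA-1

IPSec Parameters
Encryption Alg 3DES
Authentication Alg SHA-1
Diffie-Hellman Group 2
"""

# Hypothetical gateway-side values read off the firewall's VPN policy. The keys
# are this example's own names, not SonicWall's; dh_group None = PFS disabled.
GATEWAY = {
    "IKE": {"dh_group": "2", "encryption": "3des", "authentication": "SHA1"},
    "IPSec": {"dh_group": None, "encryption": "3des", "authentication": "SHA1"},
}

FIELDS = {"Diffie-Hellman Group": "dh_group", "Encryption Alg": "encryption",
          "Authentication Alg": "authentication"}

def norm(value):
    """Compare 'SHA-1' and 'sha1' as equal; keep None (setting absent) as None."""
    return None if value is None else re.sub(r"[\s_-]", "", value).upper()

def parse_sheet(text):
    """Return {'IKE': {...}, 'IPSec': {...}} from 'Label value' lines."""
    proposals, section = {}, None
    for line in map(str.strip, text.splitlines()):
        header = re.fullmatch(r"(IKE|IPSec) Parameters", line)
        if header:
            section = header.group(1)
            proposals[section] = {}
        elif not line:
            section = None                      # a blank line ends the section
        elif section:
            for label, key in FIELDS.items():
                if line.startswith(label + " "):
                    proposals[section][key] = line[len(label):].strip()
    return proposals

def compare(phone, gateway):
    """List (phase, field, phone_value, gateway_value) for each mismatch."""
    return [(phase, key, phone[phase].get(key), gateway[phase].get(key))
            for phase in ("IKE", "IPSec") for key in FIELDS.values()
            if norm(phone[phase].get(key)) != norm(gateway[phase].get(key))]

if __name__ == "__main__":
    for issue in compare(parse_sheet(PHONE_SHEET), GATEWAY):
        print("mismatch:", issue)
```

With the constructed values, phase 1 agrees and the only difference reported is the IPSec DH group, which the phone proposes and the gateway does not.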
 