VPN convert from 56xx to 96xx

TDMorIP

Programmer
Mar 6, 2008
266
US
so i am using 56xx VPN phones connected to Netgear 338 as per the Avaya Tech Note with Option 1 (XAUTH) and works like a charm.

we are now looking to add more phones but go with 9630's and 50's
IPO is at 6.1 and phones are at NOV build 3.1
it looks like the tunnel connects but the phone is stuck on discover the IP of IPO. so with the new phones i see where the protected networks are added and i put that IPO mask in there but where in the new phones are the settings for the virtual IP being 0.0.0.0?? maybe that's not my problem, but it is the only thing i can't find in comparing the new vs. old phones

has anyone made the conversion and got them working?

if i change the protected Net to 0.0.0.0/0 it never gets past Phase 2.

Thanks,
 
The protected net is the same as the local iprange in the mode config.
So when your ipo is 192.168.42.1 then both local and protected network should be 192.168.42.0/24

BAZINGA!

I'm not insane, my mother had me tested!
 
which is what i have but phone is stuck on discover...what else could be different on these phones? there is an option for 1 user or any. i tried both but no luck.

thanks,
 
Here is an example


IPO settings

Lan1 192.168.42.1, 255.255.255.0
iproute 172.16.22.0, 255.255.255.0, 192.168.42.254

Router

lan 192.168.42.254, 255.255.255.0
Wan 88.88.88.88

vpn settings on router

Mode config

Recordname: vpnphone
First pool: 172.16.22.1 -> 172.16.22.50
DHGroup 2
SA lifetime 3600
3DES
SHA-1
Local ipaddress: 192.168.42.0
Local subnet: 255.255.255.0

IKE Policy

Mode config: yes
Select mode config record: vpnphone
Policy name: vpnphone
Exchange mode: aggressive

Select local gateway: Wan1
Identifier type: Local wan ip

Identifier type: FQDN
Identifier: vpnphone

3DES
SHA-1
Preshared key
1234567890
SA lifetime: 28800
Deadpeer: no

Xauth: edge device
User database

Make users

Username: vpnphone1
Password: vpnphone1


Phone settings

Set the callserver before anything else!!!

ipaddress: 192.168.42.1

Gateway ipaddress: 88.88.88.88

juniper with xauth and psk

User type: Any
Save password: flash

Username: vpnphone1
password: phnphone1


ike group: phnphone
psk: 1234567890

DH2
3DES
SHA-1
Mode config enabled

DH2
3DES
SHA-1
Protected network: 192.168.42.0/24



I probably forgot some because this is all from my memory :)





BAZINGA!

I'm not insane, my mother had me tested!
 
I have the exact same issue. I've set up dozens of different sites with 5600 phones and SonicWALL (plus countless other types) and have never had an issue. For the past several days I have struggled to get a 9620 to work with either a Fortigate, a pfSense or a SonicWALL. The first two don't surprise me but the SonicWALL should have been cake and I can't get past Discover. Tried a 5610 and it came right up. Something is definitely different about these two devices because I didn't change the SonicWALL but the 5610 is up and running with an extension and the 9620 is not.

Kyle Holladay
ACSS & APSS SME Communications
MCP/MCTS Exchange 2007
Adtran ATSA, Aruba ACMA

"Thinking is the hardest work there is, which is the probable reason why so few engage in it." - Henry Ford
 
Kyle, i tried both phones just a couple of weeks ago on a netgear 336 (similar to the 338)

Perhaps a 6.1 issue?


BAZINGA!

I'm not insane, my mother had me tested!
 
I'm using 3.1 with SP1 from Nov for the phone, how about you? have you tried it as h323 locally and not VPN? our system here is 6.0 so it can connect to the IPO but it doesn't come up all the way until i roll back the phone. I'm gonna upgrade to 6.1 and see if it will even work locally.

 
All ipo versions are the 3.1 firmware.
Do not use any other than provided on the AdminCD!!!

I have done it on 6.0, 6.1 and 7.0 so it should work well.


BAZINGA!

I'm not insane, my mother had me tested!
 
I am using the 9620 firmware from the 6.1(12) admin CD along with a 9608 with R27 with similar results.

Kyle Holladay
ACSS & APSS SME Communications
MCP/MCTS Exchange 2007
Adtran ATSA, Aruba ACMA

"Thinking is the hardest work there is, which is the probable reason why so few engage in it." - Henry Ford
 
i was actually using the 3.1SP1 from 9600 downloads.....I'm updating firmware now from admin CD....we'll see what that does. keep you posted. thanks!

 
Kyle, try firmware from the 6.0 releases.
The 9608 did not work for me either.
NPI told me that the vpn in the new 9600 phone is not supported yet (not in the tech bully)
I could not connect the 9608 and 9641 while a 9620 did connect.
I saw that the protected network ipaddress was not correct.
In the phone it was 172.16.22.0/24 and in the vpn log of the router i saw 0.16.22.0/24
The 172 part was changed into a 0
Perhaps this happens too with the 9620???


BAZINGA!

I'm not insane, my mother had me tested!
 
I got that same thing! My first octet was changed to a 0 on the 9620.

Kyle Holladay
ACSS & APSS SME Communications
MCP/MCTS Exchange 2007
Adtran ATSA, Aruba ACMA

"Thinking is the hardest work there is, which is the probable reason why so few engage in it." - Henry Ford
 
Cool :)

Then this must be a firmware issue.
Then you should try to downgrade it to an older version and then upgrade it back to a 6.0 release firmware.



BAZINGA!

I'm not insane, my mother had me tested!
 
Kyle, you have access to NPI too right?
Perhaps we both should log the issue so that it can be fixed in the GA release.


BAZINGA!

I'm not insane, my mother had me tested!
 
Yea I am gathering logs now.

Kyle Holladay
ACSS & APSS SME Communications
MCP/MCTS Exchange 2007
Adtran ATSA, Aruba ACMA

"Thinking is the hardest work there is, which is the probable reason why so few engage in it." - Henry Ford
 
Funny, didn't really notice this before:

10.254.100.120/32 -> 0.23.22.0/24

Should be 10.23.22.0/24

Kyle Holladay
ACSS & APSS SME Communications
MCP/MCTS Exchange 2007
Adtran ATSA, Aruba ACMA

"Thinking is the hardest work there is, which is the probable reason why so few engage in it." - Henry Ford
 
I already mentioned it to Brad and he told me that the 9608,9621 and 9641 vpn is not supported yet because it was unstable :)
I will log it too when i find some time to do it :)


BAZINGA!

I'm not insane, my mother had me tested!
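
The selector mismatch reported in the posts above (a protected network of 172.16.22.0/24 or 10.23.22.0/24 appearing in the router's VPN log with its first octet as 0), as an added example that is not part of the original thread: a Python check that compares the protected network proposed in each log line against the configured one and flags the zeroed-first-octet pattern. Only the `A/len -> B/len` pair format comes from the thread; the surrounding log wording and the function names are constructed for illustration, and real router logs will need their own pattern.

```python
import ipaddress
import re

# Selector pair in the form quoted in the thread: "10.254.100.120/32 -> 0.23.22.0/24"
CIDR = r"\d{1,3}(?:\.\d{1,3}){3}/\d{1,2}"
SELECTOR_RE = re.compile(rf"({CIDR})\s*->\s*({CIDR})")

# Constructed sample log; only the selector pair format is taken from the thread.
SAMPLE_LOG = [
    "phase2 proposal 10.254.100.120/32 -> 0.23.22.0/24",
    "phase2 proposal 10.254.100.121/32 -> 10.23.22.0/24",
    "phase1 established, no selectors on this line",
    "phase2 proposal 10.254.100.122/32 -> 192.168.42.0/24",
    "phase2 proposal 10.254.100.123/32 -> 10.23.22.0/99",
]

def classify(proposed, configured):
    """Compare a proposed protected network with the configured one."""
    if proposed == configured:
        return "match"
    p = proposed.network_address.packed
    c = configured.network_address.packed
    # Symptom from the thread: same prefix length, same last three octets,
    # but the first octet arrives as 0 (e.g. 172.16.22.0 seen as 0.16.22.0).
    if (proposed.prefixlen == configured.prefixlen
            and p[0] == 0 and c[0] != 0 and p[1:] == c[1:]):
        return "first-octet-zeroed"
    return "mismatch"

def check_log(lines, configured_cidr):
    """Return (line_number, proposed_network, verdict) for each selector line."""
    configured = ipaddress.ip_network(configured_cidr)
    findings = []
    for number, line in enumerate(lines, 1):
        found = SELECTOR_RE.search(line)
        if not found:
            continue  # not a selector line
        try:
            # Right-hand side is the protected network in the thread's example.
            proposed = ipaddress.ip_network(found.group(2), strict=False)
        except ValueError:
            findings.append((number, found.group(2), "unparseable"))
            continue
        findings.append((number, str(proposed), classify(proposed, configured)))
    return findings

if __name__ == "__main__":
    for finding in check_log(SAMPLE_LOG, "10.23.22.0/24"):
        print(finding)
```

A `first-octet-zeroed` verdict means the router and phone settings can agree on paper while the proposal on the wire still fails to match the policy, which points at the phone firmware rather than the router configuration.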
 
Kyle, there is a R28 firmware now for the new phones.
Did you try that one or the 27?
I did not test the 28 yet.


BAZINGA!

I'm not insane, my mother had me tested!
 
I noticed they changed the builds to 7.0(3) and 7.0(14) rather than 7.0(30xxx) etc so I am going to assume they are wrapping it up and this will go untouched before GA.

Kyle Holladay
ACSS & APSS SME Communications
MCP/MCTS Exchange 2007
Adtran ATSA, Aruba ACMA

"Thinking is the hardest work there is, which is the probable reason why so few engage in it." - Henry Ford
 
Could be but i guess this is a major issue.
There are no other phones that can do vpn anymore (new sold)
I have placed several the last couple of months.


BAZINGA!

I'm not insane, my mother had me tested!
 