VPN enable/disable option?

gphone

We have successfully set up our 96XX sets to work through a VPN for home users. We're on CM 5.2. However, these users use the same phone in the office and at home, working from home one day or so a week and then taking their phone home. What is the best way to program the settings file so that a VPN is not an option when in the office for all other users but an option for only those that are allowed to take them home?

I think I can make it work if I give all in-house only users a group ID and then use a GOTO statement to bypass the VPN options, but since we have 1,000 stations that's a lot of work. I don't think it will work the other way around as the group ID isn't known until the VPN is established.

Basically I don't want a VPN option to appear to in-house only users when they unplug or move their phones around.
Ideas? How are others setting up their VPN connection options?
Thanks in advance
 
I would use groups and set the users who take their phones home to a group that enables the VPN option. All others have no group. I did this and used group 875 for VPN enabled devices.

Kevin Wing
ACSS Small and Medium Enterprise (SME) Communications
ACS- Implement IP Office
ACA- Implement IP Office
Carousel Industries
 
Maybe I did something wrong in the settings file. I tried that but when the users took their phone home they didn't have the VPN option. Though that was early on when we were also trying to configure the VPN to work with Fortigate, which took a few tries. Can you provide the coding string you used in the settings file so I can just duplicate what you did?
Thanks!
 
I can post it later; I am out of the office today.

Did you ever get it working with Fortigate? I have heard it doesn't work.

Kevin Wing
ACSS Small and Medium Enterprise (SME) Communications
ACS- Implement IP Office
ACA- Implement IP Office
Carousel Industries
 
Thanks. Yes, it works great. Just took a while to customize the settings to get them to match up. Once it did, works like a champ.
 
I copied this from the ipoffice forum.

Put this in your 46xxsettings.txt file

CODE
## Only group 876 reads the VPN settings; every other group skips them
IF $GROUP SEQ 876 GOTO 96XXVPN
GOTO NO96XXVPN

# 96XXVPN
GET 96XXVPN.txt

# NO96XXVPN

Make a new text file called 96XXVPN.txt and put this in it:

CODE
################################################## #
## VPN Mode
## 0: Disabled, 1: Enabled.
################################################## #

SET NVVPNMODE 1

################################################## #
## Vendor.
## 1: Juniper/Netscreen, 2. Cisco
## 3: CheckPoint/ Nokia 4: Other
## 5: Nortel.
################################################## #

SET NVVPNSVENDOR 1

################################################## #
## Encapsulation Type.
## 0: 4500-4500, 1: Disabled
## 2: 2070-500, 3: ?
## 4: RFC (500-500)
################################################## #

SET NVVPNENCAPS 0

################################################## #
## Copy TOS.
## 1: Yes, 2: No
################################################## #

SET NVVPNCOPYTOS 0

################################################## #
## Authentication Type.
##
## [For Cisco/Juniper/Checkpoint/Other]
## 3: PSK, 4: PSK with Xauth
## 5: RSA signatures with Xauth, 6: Hybrid Xauth
## 7: RSA signatures.
##
## [Nortel Authentication Type]
## 1: Local credentials, 2: Radius Credentials.
## 3: Radius SecureID, 4: Radius Axent.
################################################## #

SET NVVPNAUTHTYPE 4

################################################## #
## VPN User Type.
## 1: Any, 2: User
################################################## #

SET NVVPNUSERTYPE 1

################################################## #
## Password Type.
## 1: Save in Flash, 2: Erase on reset
## 3: Numeric OTP, 4: Alpha-Numeric OTP
## 5: Erase on VPN termination.
################################################## #

SET NVVPNPSWDTYPE 1

################################################## #
## IKE ID (Group Name).
################################################## #

SET NVIKEID vpn_avaya

################################################## #
## IKE ID Type.
## 1: IPv4_ADDR, 2: FQDN
## 3: USER_FQDN, 9: DER_ASN1_DN
## 11: Key ID
################################################## #

SET NVIKEIDTYPE 2

################################################## #
## IKE Xchg Mode.
## 1: Aggressive, 2: Identity Protect.
################################################## #

SET NVIKEXCHGMODE 1

################################################## #
## IKE DH Group.
################################################## #

SET NVIKEDHGRP 2

################################################## #
## IKE Encryption Algo.
## 1: AES-128, 2: 3DES
## 3: DES 4: AES-192
## 5: AES-256 0: Any
################################################## #

SET NVIKEP1ENCALG 2

################################################## #
## IKE Auth algo.
## 0: Any, 1: MD5
## 2: SHA-1
################################################## #

SET NVIKEP1AUTHALG 2

################################################## #
## IPsec PFS DH group.
################################################## #

SET NVPFSDHGRP 2

################################################## #
## IPsec Encryption Algo.
## 1: AES-128, 2: 3DES
## 3: DES 4: AES-192
## 5: AES-256 6: None
## 0: Any
################################################## #

SET NVIKEP2ENCALG 2

################################################## #
## IPsec Authentication Algo.
## 0: Any, 1: MD5
## 2: SHA-1
################################################## #

SET NVIKEP2AUTHALG 2

################################################## #
## Protected Network.
################################################## #

SET NVIPSECSUBNET 192.168.42.0/24

################################################## #
## IKE Over TCP.
## 0: Never, 1: Auto
## 2: Always
################################################## #

SET NVIKEOVERTCP 0

################################################## #
## Craft access
## 0: Enabled, 1: only view option is available?
################################################## #

SET PROCSTAT 0

################################################## #
## VPN craft access
## 0: disabled, 1: view only
## 2: View and edit.
################################################## #

SET VPNPROC 2

################################################## #
## Call Server address
################################################## #

SET MCIPADD 192.168.42.1

################################################## #
## craft access code
################################################## #

SET PROCPSWD 27238

# END

Start your phone and press * when you can
Then type 27238 (craft)
Go to group and enter 876 and reboot the phone.

Change the settings as you like.

BAZINGA!

I'm not insane, my mother had me tested!
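
A settings-file check, added here as an example; it is not part of the thread and not Avaya tooling. It reads the SET lines and reports values that the file's own legends identify as 3DES, aggressive mode, a password saved in flash or editable VPN settings, plus DH group 2 and the 27238 craft code. The `WEAK` table and the function names are assumptions of this example.

```python
import re

# (parameter, value) -> finding. Value meanings come from the legends in the
# posted 96XXVPN.txt; rating them as weak is this example's own judgement.
WEAK = {
    ("NVVPNPSWDTYPE", "1"): "VPN password is saved in flash",
    ("NVIKEXCHGMODE", "1"): "IKE aggressive mode",
    ("NVIKEDHGRP", "2"): "IKE DH group 2 (1024-bit MODP)",
    ("NVPFSDHGRP", "2"): "PFS DH group 2 (1024-bit MODP)",
    ("NVIKEP1ENCALG", "2"): "3DES for IKE phase 1",
    ("NVIKEP2ENCALG", "2"): "3DES for IPsec",
    ("NVIKEP2ENCALG", "6"): "no IPsec encryption",
    ("NVIKEP1AUTHALG", "1"): "MD5 for IKE authentication",
    ("NVIKEP2AUTHALG", "1"): "MD5 for IPsec authentication",
    ("PROCPSWD", "27238"): "craft access code is the widely known 27238",
    ("VPNPROC", "2"): "VPN settings can be edited from the craft menu",
}
SET_LINE = re.compile(r"^\s*SET\s+(\S+)\s+(\S+)")

def parse_settings(text):
    """Return {parameter: value} from SET lines; a later SET overrides."""
    values = {}
    for line in text.splitlines():
        m = SET_LINE.match(line)  # comment lines start with '#', so never match
        if m:
            values[m.group(1)] = m.group(2)
    return values

def audit(text):
    """Return sorted (parameter, value, finding) tuples for weak values."""
    found = parse_settings(text).items()
    return sorted((k, v, WEAK[k, v]) for k, v in found if (k, v) in WEAK)

# SET lines as posted in the thread (legends omitted, order kept).
POSTED = """
SET NVVPNPSWDTYPE 1
SET NVIKEXCHGMODE 1
SET NVIKEDHGRP 2
SET NVIKEP1ENCALG 2
SET NVIKEP1AUTHALG 2
SET NVPFSDHGRP 2
SET NVIKEP2ENCALG 2
SET NVIKEP2AUTHALG 2
SET VPNPROC 2
SET PROCPSWD 27238
"""

if __name__ == "__main__":
    print(*audit(POSTED), sep="\n")
```

Aggressive mode is listed because, with a pre-shared key, it exposes a hash derived from that key during the exchange. Whether a stronger value works depends on what the gateway and the phone firmware both support.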
 
Just FYI, instead of having a separate text file, I used:

## Put the following right above the VPN settings section

IF $GROUP SEQ 876 GOTO VPNUSERS
GOTO NONVPNUSERS
# VPNUSERS

## Put the following right after the VPN settings section

# NONVPNUSERS

Works great. You must manually set the Group to 876 on the phone and I have it in the station screen as well.
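
The group gate discussed in this thread, modelled as an added example (not part of the thread, and not Avaya's parser). It walks a settings script for a given group and lists which groups reach the VPN enable line, so a gate can be reviewed before it is pushed to 1,000 stations. The two sample gates and all function names are constructed for this example.

```python
import re

GOTO = re.compile(r"(?:IF\s+\$GROUP\s+SEQ\s+(\S+)\s+)?GOTO\s+(\S+)$")

def applied_lines(settings, group):
    """Return the non-comment lines reached for one $GROUP value.

    Models only the constructs used in the thread: IF $GROUP SEQ n GOTO label,
    GOTO label and '# label' targets. Assumption of this model: a GOTO looks
    for its label further down the file, and a missing label is an error.
    """
    lines = [ln.strip() for ln in settings.splitlines() if ln.strip()]
    reached, i = [], 0
    while i < len(lines):
        m = GOTO.match(lines[i])
        if m:
            value, label = m.groups()
            if value is None or value == str(group):
                target = "# " + label
                if target not in lines[i + 1:]:
                    raise ValueError(f"no label {label!r} after: {lines[i]}")
                i = lines.index(target, i + 1)
        elif not lines[i].startswith("#"):
            reached.append(lines[i])
        i += 1
    return reached

def vpn_groups(settings, groups):
    """Groups for which the VPN enable line is reached."""
    return [g for g in groups if "SET NVVPNMODE 1" in applied_lines(settings, g)]

# Constructed gate that only tests for the excluded group, then falls through.
FALLTHROUGH = """
IF $GROUP SEQ 0 GOTO NOVPN
# VPN
SET NVVPNMODE 1
# NOVPN
"""
# Constructed gate with an unconditional GOTO for everyone but group 876.
EXPLICIT = """
IF $GROUP SEQ 876 GOTO VPN
GOTO NOVPN
# VPN
SET NVVPNMODE 1
# NOVPN
"""

if __name__ == "__main__":
    print(vpn_groups(FALLTHROUGH, [0, 5, 876]), vpn_groups(EXPLICIT, [0, 5, 876]))
```

With the fall-through gate any phone whose group is not 0 reaches the VPN settings; with the explicit gate only group 876 does.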
 
Hi gphone, that is an option too.
It is just what you think is easier or better working.


BAZINGA!

I'm not insane, my mother had me tested!
 