VPN Phone Issue IKE Phase 1 No Response

[gingersnap1027]

Hi All,

I'm trying to get the VPN IP Phone up and running on an Avaya 4621SW and 4610SW telephone to an Avaya Comm Mgr 5.0 8730 PBX. I have loaded VPN software a10bVPN232_4 on the telephones and have the VPNSettings.txt file installed on them but when I try and connect to my Cisco ASA 5520 I get the following:

Exchanging Keys
Encapsulation Method 4
IKE Phase 1 no response
Error Code 3997700:0
Module: IKMPD: 142
Module: IKECFG: 459

My VPN Settings file is configured as follows:
##############################################################################
## Use this template file to build a customized version of 46vpnsetting.txt
## file for your VPN Environment.
##
## Use the customized 46vpnsetting.txt file for setting up the file server for
## VPNremote phones and building VPNremote for 46xx PC Ethernet port based
## installation package.
##
## Before starting the customization, make sure that you have obtained sufficient
## information related to your VPN and phone operating environment.
##
## Note : This template file contains only the most commonly used parameters
## Refer to 46vpnsetting_readme.txt file for a complete list of VPN specific
## parameters and 46xxsettings.txt for parameters related to phone operation
## in general. The latest version of 46xxsettings.txt file can be obtained
## from Avaya support website.
###############################################################################


IF $VPNSWBUILD SEQ 248 GOTO VPNCONFIG_START
GOTO VPNCONFIG_END

# VPNCONFIG_START

SET NVVPNMODE 1
SET NVVPNPSWDTYPE 1
SET NVVPNCONCHECK 2

#####################################################################################
## Next three parameters Are required for all VPN environments.
##
## NVSGIP : IP Address or DNS name of the VPN server to which phone must attempt to
## connect first.
##
## NVBACKUPSGIP : IP Address(es) or DNS name(s) of the VPN server to which phone must
## attempt to connect if connection with NVSGIP VPN server fails. There
## can be a maximum of 5 backup VPN servers.
##
## NVVPNFILESRVR : IP Address or DNS name of the File Server for VPNremote phones.
##
## Note
## Length of the value for these parameters must not exceed 30 characters.
##
## If using DNS name for NVVPNFILESRVR, make sure that the VPN server is configured
## to provide DNS server's IP address to the phone during VPN tunnel setup.
##
#######################################################################################
SET NVSGIP xxx.xxx.xxx.xxx
SET NVBACKUPSGIP xxx.xxx.xxx.xxx
SET NVVPNFILESRVR


#######################################################################################
## Next two parameters Are required for all preshared key based VPN environments.
## For Cisco Certificate based VPN environment NVIKEID must be provided.
##
## Note
## Some VPN vendor documentation refer to NVIKEID as "GROUP NAME" and to NVIKEPSK
## as "GROUP PASSWORD"
#######################################################################################
SET NVIKEID groupname
SET NVIKEPSK groupkey
#######################################################################################
## Next two parameters Are required for all VPN environments with the exception of
## Nortel and Avaya VPN environments.
##
## Note
## Default value for NVIKEDHGRP is 2
## Default value for NVPFSDHGRP is 0
#######################################################################################
SET NVIKEDHGRP 2
SET NVPFSDHGRP 0

##############################################################################
## Next parameter is required for all Certificate based VPN environments and
## Checkpoint VPN environment.
## Provide the name of the file containing VPN server CA certificate. The file
## must be present in the same directory as this file.
##############################################################################
## SET TRUSTCERTS

################################################################################
## Uncomment the "SET" statement below by removing '##' from the begining, if
## you don't want VPNremote phone to save the VPN user password in non-volatile
## memory.
##
## Note
## Users will be prompted to enter for password after every power cycle
#################################################################################
## SET NVVPNPSWDTYPE 2

# VPNCONFIG_END

IF $VPNACTIVE SEQ 1 GOTO RUNTIME_CONFIG

##################################################################################
# ONETIME_CONFIG
##################################################################################

SET NVVPNENCAPS 4
SET NVVPNCOPYTOS 2

GOTO RUNTIME_CONFIG_END


##################################################################################
# RUNTIME_CONFIG
##################################################################################


##########################################################################
## Following parameter is required for phone to operate after the VPN tunnel
## is setup.
## Provide the IP Address(es) or DNS Name(s) of the call servers.
##########################################################################
SET MCIPADD xxx.xxx.xxx.xxx

#####################################################################################
## Uncomment the "SET" statement below by removing '##' from the begining of the line
## if your VPN environment natively supports QTEST
##
## If you are not sure whether your VPN environment natively supports QTEST or not
## uncomment the lines below and proceed with further customization.
## Configure and deploy a single 46xx phone using this customized file.
## Check if QTEST application is working
##
## To access QTEST application from your 46xx VPNremote phones when connected
## to call server over the VPN tunnel
## Press "Options" Key
## Press "Page Right" untill you see the "VPN Status" line in the display
## Select VPN status
## Select QTEST
## Select START to start QTEST.
## Wait for 5 Secs.
## If "NO DATA" continues to be displayed after 5 secs have elapsed, it
## implies that your VPN environment does not natively supports QTEST.
##
## Following VPN Environments are known to natively support QTEST, provided
## that the VPN configuration allows two IPsec clients to communicate with each
## other directly through the VPN tunnel.
## (1) Avaya Security Gateway.
## (2) Juniper Security Gateways.
## (3) Cisco Systems, Inc./VPN 3000 Concentrator Version 4.7
###################################################################################

## SET QTEST "Enable"


############################################################################
## Provide the IP address in dotted decimal format of the host acting as
## QTEST Server for VPNremote phones.
##
## Any XP/2K based PC can be configured to act as QTEST server for VPNremote
## phones by installing the "Simple TCP/IP service" component.
## To install "Simple TCP/IP Service" on a windows machine
## Start Control Panel
## Double Click on "Add or Remove Programs"
## Click on "Add/Remove Windows Component"
## Select "Networking Services" from the list
## Click on "Details" button.
## Check "Simple TCP/IP Service"
## Click "OK" button.
## Click "Next"
##
## VPNremote phone users can use QTEST application on their VPNremote phones
## to test the VPN tunnel link quality for Voice Over IP.
## To access QTEST application from your 46xx VPNremote phones when connected
## to call server over the VPN tunnel
## Press "Options" Key
## Press "Page Right" untill you see the "VPN Status" line in the display
## Select VPN status
## Select QTEST
## Select START to start QTEST.
##
## Note : Display will show "NO DATA" if no response is recieved from QTEST
## server. This typically implies that QTEST server is not reachable
############################################################################
## SET QTESTRESPONDER


#################################################################################
## Following two parameters are optional and are required only if you wish to use
## QTEST application.
##
## Providing a SNMPSTRING other than "public" will enable you to initiate
## QTEST using QTESTForAvayaVPNremotePhones.exe with multiple VPNremote phones
## simultaneously for extended duration. If you leave SNMPSTRING to default
## values, QTESTForAvayaVPNremotePhones.exe will restrict QTEST duration to 5 mins
## and will not permit more than 1 QTEST at any given time.
##
## Providing LOGSRVR IP address will enable you to centrally collect the QTEST
## results initiated by VPNremote phones.
#################################################################################
## SET SNMPSTRING
## SET LOGSRVR



##################################################################################
# RUNTIME_CONFIG_END
##################################################################################

####################################################################################
## Uncomment the GOTO statement that best describes you VPN environment by removing
## '##' from the begining of the GOTO statement.
####################################################################################

# PROFILE_LIST

#####################################################################################
## VPN environment is built using Avaya VSU/SG series security gateways and VPN users
## are locally configured on the gateway.
#####################################################################################
## GOTO AVAYA

#####################################################################################
## VPN environment is built using Avaya VSU/SG series security gateways and VPN users
## are authenticated using RSA secureID.
#####################################################################################
## GOTO AVAYA_SECUREID

#####################################################################################
## VPN environment is built using Avaya VSU/SG series security gateways and VPN users
## are authenticated using a Radius server.
#####################################################################################
## GOTO AVAYA_RADIUS


####################################################################################
## IMPORTANT IMPORTANT
## Next 6 choices are for Juniper VPN devices.
##
## You may have to make following configuration changes on Juniper VPN Devices.
##
## The default life of IPSec security association is 60 minutes in Juniper VPN devices.
## For smooth operation of the VPNremote phones please increase the IPSec SA life time
## to 5 days.
####################################################################################


#####################################################################################
## VPN environment is built using Juniper NS/SSG/ISG series VPN servers and users are
## authenticated using a preshared key and XAuth and user passwords are not one time
## use only.
#####################################################################################
## GOTO JNPR_XAUTH_PSK

#####################################################################################
## VPN environment is built using Juniper NS/SSG/ISG series VPN servers and users are
## authenticated using a preshared key and XAuth and user passwords are numeric and
## one time use only, for example RSA SecureId.
#####################################################################################
## GOTO JNPR_XAUTH_PSK_SECUREID


#####################################################################################
## VPN environment is built using Juniper NS/SSG/ISG series VPN servers and users are
## authenticated using a preshared key.
#####################################################################################
## GOTO JNPR_PSK_ONLY


#####################################################################################
## VPN environment is built using Juniper NS/SSG/ISG series VPN servers and users are
## authenticated using a device certificate and Xauth and user passwords are not one
## time use only.
#####################################################################################
## GOTO JNPR_XAUTH_CERT


#####################################################################################
## VPN environment is built using Juniper NS/SSG/ISG series VPN servers and users are
## authenticated using a device certificate and XAuth and user passwords are numeric
## and one time use only, for example RSA SecureId.
#####################################################################################
## GOTO JNPR_XAUTH_CERT_SECUREID


#####################################################################################
## VPN environment is built using Juniper NS/SSG/ISG series VPN servers and users are
## authenticated using a device certificate.
#####################################################################################
## GOTO JNPR_CERT_ONLY


####################################################################################
## IMPORTANT IMPORTANT
## Next 6 choices are for Cisco VPN devices.
##
## You may have to make following configuration changes on Cisco PIX VPN Devices.
##
## If you are using Cisco PIX VPN devices and Client IP Address pool is configured
## please make sure that MODE Config is set to either initiate,respond or both. If
## this is not done phone will fail to download IP address and will abort the VPN
## tunnel setup process.
##
## Use following CLI command on PIX to configure MODE Config
## "crypto map dialinmap client configuration address respond"
####################################################################################

#####################################################################################
## VPN environment is built from Cisco VPN devices and users are authenticated using
## a preshared key and XAuth and user passwords are not one time use only.
#####################################################################################
## GOTO CISCO_XAUTH_PSK


#####################################################################################
## VPN environment is built from Cisco VPN devices and users are authenticated using
## a preshared key and XAuth and user passwords are numeric and one time use only, for
## example RSA SecureId.
#####################################################################################
## GOTO CISCO_XAUTH_PSK_SECUREID

#####################################################################################
## VPN environment is built from Cisco VPN devices and users are authenticated using
## a preshared key.
#####################################################################################
GOTO CISCO_PSK_ONLY


#####################################################################################
## VPN environment is built from Cisco VPN devices and users are authenticated using
## a Device Certificate and XAuth and user passwords are not one time use only.
#####################################################################################
## GOTO CISCO_XAUTH_CERT


#####################################################################################
## VPN environment is built from Cisco VPN devices and users are authenticated using
## a Device Certificate and XAuth and user passwords are numeric and one time use only,
## for example RSA SecureId.
#####################################################################################
## GOTO CISCO_XAUTH_CERT_SECUREID


#####################################################################################
## VPN environment is built from Cisco VPN devices and users are authenticated using
## a device certificate.
#####################################################################################
## GOTO CISCO_CERT_ONLY


#####################################################################################
## VPN environment is built from Nortel contivity and users are authenticated using
## local contivity authentication database.
##
## Note : VPNremote phone does not support password expiry. Instruct your phone users
## to use Nortel VPN Client to reset password upon expiry.
#####################################################################################
## GOTO NORTEL_PASSWORD


#####################################################################################
## VPN environment is built from Nortel contivity and users are authenticated using
## RSA SecureID.
#####################################################################################
## GOTO NORTEL_SECUREID


#####################################################################################
## VPN environment is built from Nortel contivity and users are authenticated using
## an external RADIUS authentication server.
#####################################################################################
## GOTO NORTEL_RADIUS

####################################################################################
## IMPORTANT IMPORTANT
## Next 4 choices are for Checkpoint VPN devices.
##
## You may have to make following configuration changes on Checkpoint VPN device.
##
## The default life of IPSec security association is 60 minutes in Checkpoint VPN
## devices. For smooth operation of the VPNremote phones please increase the IPSec SA
## life time to a minimum of 8 hours.
##
## The default lease duration of IP address assigned to IPsec Clients is 15 minutes.
## You must increase the lease duration to match IKE phase 1 Security Association
## life time.
#####################################################################################

#####################################################################################
## VPN environment is built from Checkpoint VPN and user passwords are numeric and one
## time use only, For example RSA SecureID.
#####################################################################################
## GOTO CHECKPOINT_SECUREID


#####################################################################################
## VPN environment is built from Checkpoint VPN and users are authenticated using
## passwords that are not one time use only.
#####################################################################################
## GOTO CHECKPOINT

#####################################################################################
## VPN environment is built from Checkpoint VPN and user passwords are numeric and
## one time use only, For example RSA SecureID, and Office mode is disabled.
#####################################################################################
## GOTO CHECKPOINT_NO_OM_SECUREID


#####################################################################################
## VPN environment is built from Checkpoint VPN and users are authenticated using
## passwords that are not one time use only and office mode is disabled.
#####################################################################################
## GOTO CHECKPOINT_NO_OM

GOTO PROFILE_CFG_END

# PROFILE_CFG_START

# AVAYA
SET NVVPNCFGPROF 1
SET NVVPNAUTHTYPE 1
goto PROFILE_CFG_END

# AVAYA_SECUREID
SET NVVPNCFGPROF 1
SET NVVPNPSWDTYPE 3
SET NVVPNAUTHTYPE 2
goto PROFILE_CFG_END

# AVAYA_RADIUS
SET NVVPNCFGPROF 1
SET NVVPNAUTHTYPE 2
goto PROFILE_CFG_END

# JNPR_XAUTH_PSK
SET NVVPNCFGPROF 5
goto PROFILE_CFG_END

# JNPR_XAUTH_PSK_SECUREID
SET NVVPNCFGPROF 5
SET NVVPNPSWDTYPE 3
goto PROFILE_CFG_END

# JNPR_PSK_ONLY
SET NVVPNCFGPROF 5
SET NVXAUTH 2
goto PROFILE_CFG_END

# JNPR_XAUTH_CERT
SET NVVPNCFGPROF 9
goto PROFILE_CFG_END

# JNPR_XAUTH_CERT_SECUREID
SET NVVPNCFGPROF 9
SET NVVPNPSWDTYPE 3
goto PROFILE_CFG_END

# JNPR_CERT_ONLY
SET NVVPNCFGPROF 9
SET NVXAUTH 2
goto PROFILE_CFG_END

# CISCO_XAUTH_PSK
SET NVVPNCFGPROF 3
goto PROFILE_CFG_END

# CISCO_XAUTH_PSK_SECUREID
SET NVVPNCFGPROF 3
SET NVVPNPSWDTYPE 3
goto PROFILE_CFG_END

# CISCO_PSK_ONLY
SET NVVPNCFGPROF 9
SET NVXAUTH 2
goto PROFILE_CFG_END

# CISCO_XAUTH_CERT
SET NVVPNCFGPROF 8
goto PROFILE_CFG_END

# CISCO_XAUTH_CERT_SECUREID
SET NVVPNCFGPROF 8
SET NVVPNPSWDTYPE 3
goto PROFILE_CFG_END

# CISCO_CERT_ONLY
SET NVVPNCFGPROF 8
SET NVXAUTH 2
goto PROFILE_CFG_END

# NORTEL_PASSWORD
SET NVVPNCFGPROF 11
SET NORTELAUTH 1
goto PROFILE_CFG_END

# NORTEL_SECUREID
SET NVVPNCFGPROF 11
SET NVVPNPSWDTYPE 3
SET NORTELAUTH 3
goto PROFILE_CFG_END

# NORTEL_RADIUS
SET NVVPNCFGPROF 11
SET NORTELAUTH 2
goto PROFILE_CFG_END

# CHECKPOINT_SECUREID
SET NVVPNCFGPROF 2
SET NVVPNPSWDTYPE 3
goto PROFILE_CFG_END

# CHECKPOINT
SET NVVPNCFGPROF 2
goto PROFILE_CFG_END

# CHECKPOINT_NO_OM_SECUREID
SET NVVPNCFGPROF 2
SET NVVPNPSWDTYPE 3
SET NVIKECONFIGMODE 2
goto PROFILE_CFG_END

# CHECKPOINT_NO_OM
SET NVVPNCFGPROF 2
SET NVIKECONFIGMODE 2
goto PROFILE_CFG_END

# PROFILE_CFG_END

################################################################################
## Uncomment the "SET" statement below by removing the '##' from begining of the
## line if your VPN environment does not support IP address pool.
## This is a very uncommon VPN environment.
################################################################################
## SET NVIKECONFIGMODE 2


################################################################################
## Uncomment the "GOTO" statement below by removing the '##' from begining of the
## line if your VPN environment requires a Device Certificate for phones.
################################################################################
## GOTO MYCERT_ENROLLSTART

GOTO MYCERT_ENROLLEND

# MYCERT_ENROLLSTART

################################################################################
## Uncomment the "SET" statement below by removing the '##' from begining of the
## line if your Certificate Enrollment environment requires phone users to enter
## a pass phrase.
################################################################################
## SET SCEPPASSWORDREQ 1


################################################################################
## Provide the passphrase that phone should use for Certificate enrollment in the
## "SET" statement below.
## If no passphrase is provided phone uses the serial number as passphrase.
################################################################################
SET SCEPPASSWORD


SET POLLINGINTERVALMINS 2
SET POLLINGRETRIES 65535

IF $MYCERTEXPIRING SEQ 1 GOTO MYCERT_RENEW
IF $MYCERTID SEQ 1 GOTO MYCERT_ENROLLEND
GOTO MYCERT_ENROLL

# MYCERT_RENEW
SET POLLINGINTERVALMINS 1
SET POLLINGRETRIES 0

# MYCERT_ENROLL

###################################################################################
## Provide the URL for certificate enrollment in the "SET" statement below.
## You must provide this information if your VPN environment requires a Device
## certificate for phones.
###################################################################################
SET MYCERTURL ""

SET MYCERTCN $MACADDR
SET MYCERTKEYLEN 1024
SET MYCERTID 1

# MYCERT_ENROLLEND

IF $VPNACTIVE SEQ 1 GOTO DISABLE_L2Q
GOTO END

# DISABLE_L2Q
SET L2Q 2

# END
GET 46xxsettings.txt

We only use the group name and group key to get in no individual passwords. Any help would make you my hero.

Thanks,

 

[mgraval]

IKE Phase 1 No Response errors indicates an authentication problem from the VPN Concentrator. Did you register the serial number of the phone into the concentrator?