Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

VPN Phone Issue IKE Phase 1 No Response

Status
Not open for further replies.

gingersnap1027

Technical User
Jan 12, 2007
49
US
Hi All,

I'm trying to get the VPN IP Phone up and running on an Avaya 4621SW and 4610SW telephone to an Avaya Comm Mgr 5.0 8730 PBX. I have loaded VPN software a10bVPN232_4 on the telephones and have the VPNSettings.txt file installed on them but when I try and connect to my Cisco ASA 5520 I get the following:

Exchanging Keys
Encapsulation Method 4
IKE Phase 1 no response
Error Code 3997700:0
Module: IKMPD: 142
Module: IKECFG: 459

My VPN Settings file is configured as follows:
##############################################################################
## Use this template file to build a customized version of 46vpnsetting.txt
## file for your VPN Environment.
##
## Use the customized 46vpnsetting.txt file for setting up the file server for
## VPNremote phones and building VPNremote for 46xx PC Ethernet port based
## installation package.
##
## Before starting the customization, make sure that you have obtained sufficient
## information related to your VPN and phone operating environment.
##
## Note : This template file contains only the most commonly used parameters
## Refer to 46vpnsetting_readme.txt file for a complete list of VPN specific
## parameters and 46xxsettings.txt for parameters related to phone operation
## in general. The latest version of 46xxsettings.txt file can be obtained
## from Avaya support website.
###############################################################################


IF $VPNSWBUILD SEQ 248 GOTO VPNCONFIG_START
GOTO VPNCONFIG_END

# VPNCONFIG_START

SET NVVPNMODE 1
SET NVVPNPSWDTYPE 1
SET NVVPNCONCHECK 2

#####################################################################################
## Next three parameters Are required for all VPN environments.
##
## NVSGIP : IP Address or DNS name of the VPN server to which phone must attempt to
## connect first.
##
## NVBACKUPSGIP : IP Address(es) or DNS name(s) of the VPN server to which phone must
## attempt to connect if connection with NVSGIP VPN server fails. There
## can be a maximum of 5 backup VPN servers.
##
## NVVPNFILESRVR : IP Address or DNS name of the File Server for VPNremote phones.
##
## Note
## Length of the value for these parameters must not exceed 30 characters.
##
## If using DNS name for NVVPNFILESRVR, make sure that the VPN server is configured
## to provide DNS server's IP address to the phone during VPN tunnel setup.
##
#######################################################################################
SET NVSGIP xxx.xxx.xxx.xxx
SET NVBACKUPSGIP xxx.xxx.xxx.xxx
SET NVVPNFILESRVR


#######################################################################################
## Next two parameters Are required for all preshared key based VPN environments.
## For Cisco Certificate based VPN environment NVIKEID must be provided.
##
## Note
## Some VPN vendor documentation refer to NVIKEID as "GROUP NAME" and to NVIKEPSK
## as "GROUP PASSWORD"
#######################################################################################
SET NVIKEID groupname
SET NVIKEPSK groupkey
#######################################################################################
## Next two parameters Are required for all VPN environments with the exception of
## Nortel and Avaya VPN environments.
##
## Note
## Default value for NVIKEDHGRP is 2
## Default value for NVPFSDHGRP is 0
#######################################################################################
SET NVIKEDHGRP 2
SET NVPFSDHGRP 0

##############################################################################
## Next parameter is required for all Certificate based VPN environments and
## Checkpoint VPN environment.
## Provide the name of the file containing VPN server CA certificate. The file
## must be present in the same directory as this file.
##############################################################################
## SET TRUSTCERTS

################################################################################
## Uncomment the "SET" statement below by removing '##' from the begining, if
## you don't want VPNremote phone to save the VPN user password in non-volatile
## memory.
##
## Note
## Users will be prompted to enter for password after every power cycle
#################################################################################
## SET NVVPNPSWDTYPE 2

# VPNCONFIG_END

IF $VPNACTIVE SEQ 1 GOTO RUNTIME_CONFIG

##################################################################################
# ONETIME_CONFIG
##################################################################################

SET NVVPNENCAPS 4
SET NVVPNCOPYTOS 2

GOTO RUNTIME_CONFIG_END


##################################################################################
# RUNTIME_CONFIG
##################################################################################


##########################################################################
## Following parameter is required for phone to operate after the VPN tunnel
## is setup.
## Provide the IP Address(es) or DNS Name(s) of the call servers.
##########################################################################
SET MCIPADD xxx.xxx.xxx.xxx

#####################################################################################
## Uncomment the "SET" statement below by removing '##' from the begining of the line
## if your VPN environment natively supports QTEST
##
## If you are not sure whether your VPN environment natively supports QTEST or not
## uncomment the lines below and proceed with further customization.
## Configure and deploy a single 46xx phone using this customized file.
## Check if QTEST application is working
##
## To access QTEST application from your 46xx VPNremote phones when connected
## to call server over the VPN tunnel
## Press "Options" Key
## Press "Page Right" untill you see the "VPN Status" line in the display
## Select VPN status
## Select QTEST
## Select START to start QTEST.
## Wait for 5 Secs.
## If "NO DATA" continues to be displayed after 5 secs have elapsed, it
## implies that your VPN environment does not natively supports QTEST.
##
## Following VPN Environments are known to natively support QTEST, provided
## that the VPN configuration allows two IPsec clients to communicate with each
## other directly through the VPN tunnel.
## (1) Avaya Security Gateway.
## (2) Juniper Security Gateways.
## (3) Cisco Systems, Inc./VPN 3000 Concentrator Version 4.7
###################################################################################

## SET QTEST "Enable"


############################################################################
## Provide the IP address in dotted decimal format of the host acting as
## QTEST Server for VPNremote phones.
##
## Any XP/2K based PC can be configured to act as QTEST server for VPNremote
## phones by installing the "Simple TCP/IP service" component.
## To install "Simple TCP/IP Service" on a windows machine
## Start Control Panel
## Double Click on "Add or Remove Programs"
## Click on "Add/Remove Windows Component"
## Select "Networking Services" from the list
## Click on "Details" button.
## Check "Simple TCP/IP Service"
## Click "OK" button.
## Click "Next"
##
## VPNremote phone users can use QTEST application on their VPNremote phones
## to test the VPN tunnel link quality for Voice Over IP.
## To access QTEST application from your 46xx VPNremote phones when connected
## to call server over the VPN tunnel
## Press "Options" Key
## Press "Page Right" untill you see the "VPN Status" line in the display
## Select VPN status
## Select QTEST
## Select START to start QTEST.
##
## Note : Display will show "NO DATA" if no response is recieved from QTEST
## server. This typically implies that QTEST server is not reachable
############################################################################
## SET QTESTRESPONDER


#################################################################################
## Following two parameters are optional and are required only if you wish to use
## QTEST application.
##
## Providing a SNMPSTRING other than "public" will enable you to initiate
## QTEST using QTESTForAvayaVPNremotePhones.exe with multiple VPNremote phones
## simultaneously for extended duration. If you leave SNMPSTRING to default
## values, QTESTForAvayaVPNremotePhones.exe will restrict QTEST duration to 5 mins
## and will not permit more than 1 QTEST at any given time.
##
## Providing LOGSRVR IP address will enable you to centrally collect the QTEST
## results initiated by VPNremote phones.
#################################################################################
## SET SNMPSTRING
## SET LOGSRVR



##################################################################################
# RUNTIME_CONFIG_END
##################################################################################

####################################################################################
## Uncomment the GOTO statement that best describes you VPN environment by removing
## '##' from the begining of the GOTO statement.
####################################################################################

# PROFILE_LIST

#####################################################################################
## VPN environment is built using Avaya VSU/SG series security gateways and VPN users
## are locally configured on the gateway.
#####################################################################################
## GOTO AVAYA

#####################################################################################
## VPN environment is built using Avaya VSU/SG series security gateways and VPN users
## are authenticated using RSA secureID.
#####################################################################################
## GOTO AVAYA_SECUREID

#####################################################################################
## VPN environment is built using Avaya VSU/SG series security gateways and VPN users
## are authenticated using a Radius server.
#####################################################################################
## GOTO AVAYA_RADIUS


####################################################################################
## IMPORTANT IMPORTANT
## Next 6 choices are for Juniper VPN devices.
##
## You may have to make following configuration changes on Juniper VPN Devices.
##
## The default life of IPSec security association is 60 minutes in Juniper VPN devices.
## For smooth operation of the VPNremote phones please increase the IPSec SA life time
## to 5 days.
####################################################################################


#####################################################################################
## VPN environment is built using Juniper NS/SSG/ISG series VPN servers and users are
## authenticated using a preshared key and XAuth and user passwords are not one time
## use only.
#####################################################################################
## GOTO JNPR_XAUTH_PSK

#####################################################################################
## VPN environment is built using Juniper NS/SSG/ISG series VPN servers and users are
## authenticated using a preshared key and XAuth and user passwords are numeric and
## one time use only, for example RSA SecureId.
#####################################################################################
## GOTO JNPR_XAUTH_PSK_SECUREID


#####################################################################################
## VPN environment is built using Juniper NS/SSG/ISG series VPN servers and users are
## authenticated using a preshared key.
#####################################################################################
## GOTO JNPR_PSK_ONLY


#####################################################################################
## VPN environment is built using Juniper NS/SSG/ISG series VPN servers and users are
## authenticated using a device certificate and Xauth and user passwords are not one
## time use only.
#####################################################################################
## GOTO JNPR_XAUTH_CERT


#####################################################################################
## VPN environment is built using Juniper NS/SSG/ISG series VPN servers and users are
## authenticated using a device certificate and XAuth and user passwords are numeric
## and one time use only, for example RSA SecureId.
#####################################################################################
## GOTO JNPR_XAUTH_CERT_SECUREID


#####################################################################################
## VPN environment is built using Juniper NS/SSG/ISG series VPN servers and users are
## authenticated using a device certificate.
#####################################################################################
## GOTO JNPR_CERT_ONLY


####################################################################################
## IMPORTANT IMPORTANT
## Next 6 choices are for Cisco VPN devices.
##
## You may have to make following configuration changes on Cisco PIX VPN Devices.
##
## If you are using Cisco PIX VPN devices and Client IP Address pool is configured
## please make sure that MODE Config is set to either initiate,respond or both. If
## this is not done phone will fail to download IP address and will abort the VPN
## tunnel setup process.
##
## Use following CLI command on PIX to configure MODE Config
## "crypto map dialinmap client configuration address respond"
####################################################################################

#####################################################################################
## VPN environment is built from Cisco VPN devices and users are authenticated using
## a preshared key and XAuth and user passwords are not one time use only.
#####################################################################################
## GOTO CISCO_XAUTH_PSK


#####################################################################################
## VPN environment is built from Cisco VPN devices and users are authenticated using
## a preshared key and XAuth and user passwords are numeric and one time use only, for
## example RSA SecureId.
#####################################################################################
## GOTO CISCO_XAUTH_PSK_SECUREID

#####################################################################################
## VPN environment is built from Cisco VPN devices and users are authenticated using
## a preshared key.
#####################################################################################
GOTO CISCO_PSK_ONLY


#####################################################################################
## VPN environment is built from Cisco VPN devices and users are authenticated using
## a Device Certificate and XAuth and user passwords are not one time use only.
#####################################################################################
## GOTO CISCO_XAUTH_CERT


#####################################################################################
## VPN environment is built from Cisco VPN devices and users are authenticated using
## a Device Certificate and XAuth and user passwords are numeric and one time use only,
## for example RSA SecureId.
#####################################################################################
## GOTO CISCO_XAUTH_CERT_SECUREID


#####################################################################################
## VPN environment is built from Cisco VPN devices and users are authenticated using
## a device certificate.
#####################################################################################
## GOTO CISCO_CERT_ONLY


#####################################################################################
## VPN environment is built from Nortel contivity and users are authenticated using
## local contivity authentication database.
##
## Note : VPNremote phone does not support password expiry. Instruct your phone users
## to use Nortel VPN Client to reset password upon expiry.
#####################################################################################
## GOTO NORTEL_PASSWORD


#####################################################################################
## VPN environment is built from Nortel contivity and users are authenticated using
## RSA SecureID.
#####################################################################################
## GOTO NORTEL_SECUREID


#####################################################################################
## VPN environment is built from Nortel contivity and users are authenticated using
## an external RADIUS authentication server.
#####################################################################################
## GOTO NORTEL_RADIUS

####################################################################################
## IMPORTANT IMPORTANT
## Next 4 choices are for Checkpoint VPN devices.
##
## You may have to make following configuration changes on Checkpoint VPN device.
##
## The default life of IPSec security association is 60 minutes in Checkpoint VPN
## devices. For smooth operation of the VPNremote phones please increase the IPSec SA
## life time to a minimum of 8 hours.
##
## The default lease duration of IP address assigned to IPsec Clients is 15 minutes.
## You must increase the lease duration to match IKE phase 1 Security Association
## life time.
#####################################################################################

#####################################################################################
## VPN environment is built from Checkpoint VPN and user passwords are numeric and one
## time use only, For example RSA SecureID.
#####################################################################################
## GOTO CHECKPOINT_SECUREID


#####################################################################################
## VPN environment is built from Checkpoint VPN and users are authenticated using
## passwords that are not one time use only.
#####################################################################################
## GOTO CHECKPOINT

#####################################################################################
## VPN environment is built from Checkpoint VPN and user passwords are numeric and
## one time use only, For example RSA SecureID, and Office mode is disabled.
#####################################################################################
## GOTO CHECKPOINT_NO_OM_SECUREID


#####################################################################################
## VPN environment is built from Checkpoint VPN and users are authenticated using
## passwords that are not one time use only and office mode is disabled.
#####################################################################################
## GOTO CHECKPOINT_NO_OM

GOTO PROFILE_CFG_END

# PROFILE_CFG_START

# AVAYA
SET NVVPNCFGPROF 1
SET NVVPNAUTHTYPE 1
goto PROFILE_CFG_END

# AVAYA_SECUREID
SET NVVPNCFGPROF 1
SET NVVPNPSWDTYPE 3
SET NVVPNAUTHTYPE 2
goto PROFILE_CFG_END

# AVAYA_RADIUS
SET NVVPNCFGPROF 1
SET NVVPNAUTHTYPE 2
goto PROFILE_CFG_END

# JNPR_XAUTH_PSK
SET NVVPNCFGPROF 5
goto PROFILE_CFG_END

# JNPR_XAUTH_PSK_SECUREID
SET NVVPNCFGPROF 5
SET NVVPNPSWDTYPE 3
goto PROFILE_CFG_END

# JNPR_PSK_ONLY
SET NVVPNCFGPROF 5
SET NVXAUTH 2
goto PROFILE_CFG_END

# JNPR_XAUTH_CERT
SET NVVPNCFGPROF 9
goto PROFILE_CFG_END

# JNPR_XAUTH_CERT_SECUREID
SET NVVPNCFGPROF 9
SET NVVPNPSWDTYPE 3
goto PROFILE_CFG_END

# JNPR_CERT_ONLY
SET NVVPNCFGPROF 9
SET NVXAUTH 2
goto PROFILE_CFG_END

# CISCO_XAUTH_PSK
SET NVVPNCFGPROF 3
goto PROFILE_CFG_END

# CISCO_XAUTH_PSK_SECUREID
SET NVVPNCFGPROF 3
SET NVVPNPSWDTYPE 3
goto PROFILE_CFG_END

# CISCO_PSK_ONLY
SET NVVPNCFGPROF 9
SET NVXAUTH 2
goto PROFILE_CFG_END

# CISCO_XAUTH_CERT
SET NVVPNCFGPROF 8
goto PROFILE_CFG_END

# CISCO_XAUTH_CERT_SECUREID
SET NVVPNCFGPROF 8
SET NVVPNPSWDTYPE 3
goto PROFILE_CFG_END

# CISCO_CERT_ONLY
SET NVVPNCFGPROF 8
SET NVXAUTH 2
goto PROFILE_CFG_END

# NORTEL_PASSWORD
SET NVVPNCFGPROF 11
SET NORTELAUTH 1
goto PROFILE_CFG_END

# NORTEL_SECUREID
SET NVVPNCFGPROF 11
SET NVVPNPSWDTYPE 3
SET NORTELAUTH 3
goto PROFILE_CFG_END

# NORTEL_RADIUS
SET NVVPNCFGPROF 11
SET NORTELAUTH 2
goto PROFILE_CFG_END

# CHECKPOINT_SECUREID
SET NVVPNCFGPROF 2
SET NVVPNPSWDTYPE 3
goto PROFILE_CFG_END

# CHECKPOINT
SET NVVPNCFGPROF 2
goto PROFILE_CFG_END

# CHECKPOINT_NO_OM_SECUREID
SET NVVPNCFGPROF 2
SET NVVPNPSWDTYPE 3
SET NVIKECONFIGMODE 2
goto PROFILE_CFG_END

# CHECKPOINT_NO_OM
SET NVVPNCFGPROF 2
SET NVIKECONFIGMODE 2
goto PROFILE_CFG_END

# PROFILE_CFG_END

################################################################################
## Uncomment the "SET" statement below by removing the '##' from begining of the
## line if your VPN environment does not support IP address pool.
## This is a very uncommon VPN environment.
################################################################################
## SET NVIKECONFIGMODE 2


################################################################################
## Uncomment the "GOTO" statement below by removing the '##' from begining of the
## line if your VPN environment requires a Device Certificate for phones.
################################################################################
## GOTO MYCERT_ENROLLSTART

GOTO MYCERT_ENROLLEND

# MYCERT_ENROLLSTART

################################################################################
## Uncomment the "SET" statement below by removing the '##' from begining of the
## line if your Certificate Enrollment environment requires phone users to enter
## a pass phrase.
################################################################################
## SET SCEPPASSWORDREQ 1


################################################################################
## Provide the passphrase that phone should use for Certificate enrollment in the
## "SET" statement below.
## If no passphrase is provided phone uses the serial number as passphrase.
################################################################################
SET SCEPPASSWORD


SET POLLINGINTERVALMINS 2
SET POLLINGRETRIES 65535

IF $MYCERTEXPIRING SEQ 1 GOTO MYCERT_RENEW
IF $MYCERTID SEQ 1 GOTO MYCERT_ENROLLEND
GOTO MYCERT_ENROLL

# MYCERT_RENEW
SET POLLINGINTERVALMINS 1
SET POLLINGRETRIES 0

# MYCERT_ENROLL

###################################################################################
## Provide the URL for certificate enrollment in the "SET" statement below.
## You must provide this information if your VPN environment requires a Device
## certificate for phones.
###################################################################################
SET MYCERTURL ""

SET MYCERTCN $MACADDR
SET MYCERTKEYLEN 1024
SET MYCERTID 1

# MYCERT_ENROLLEND

IF $VPNACTIVE SEQ 1 GOTO DISABLE_L2Q
GOTO END

# DISABLE_L2Q
SET L2Q 2

# END
GET 46xxsettings.txt

We only use the group name and group key to get in no individual passwords. Any help would make you my hero.

Thanks,
 
IKE Phase 1 No Response errors indicates an authentication problem from the VPN Concentrator. Did you register the serial number of the phone into the concentrator?
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top