
VPN Phone w/Cisco Meraki

indefinitedrums (IS-IT--Management), Aug 14, 2012
Hello, I've set up a 9641G w/pfsense firewall and it's working great. Took longer to reboot the phone than it took to configure both sides. :D

Anyway, another customer has a Cisco Meraki firewall, and unfortunately I have not been successful in getting the phone to connect. I assume it's because the 'Client VPN' on the Meraki side is L2TP/IPSec and not 'pure' IPSec. The error I'm getting is 'Phase 1 No Response'. The tunnel does connect from PC/cellphone/etc fine, just not the Avaya Phone.

Anyone have experience setting up a VPN phone with Cisco Meraki?

I saw this thread so I am not getting my hopes up, but it is several years old so I thought, 'why not ask?'.

The firewall also has a Site-to-Site VPN configuration available, but I don't think that would work in this situation.

Thanks in advance for any replies.
 
off topic, but do you have any config clues as to your 96xx to pfSense VPN setup?
 
@nnaarrnn

No problem! Is there something specific you are having issues with pfsense-side or phone-side?

Below was a little cheat sheet I made, but it was mostly for the phone-side... Lemme know what you need on the pfsense side. I pretty much followed this to the letter:
Code:
*VPN Config(Firewall)*

    Type: IPSec
    Auth: Mutual PSK + XAuth
    Network: 172.16.1.0/24 (<- or another unused private network)
    Set up VPN User(s)
    Set up IKE('Group Name') & PSK(Pre-Shared Key)
        i.e.
            IKE: ${IKE Group ID}  (i.e. vpn@mydomain.com)
            PSK: ${YourPresharedKey}  (i.e. f30S722hd864)


*IP Office Config*

    IP Route > New
        IP Address: ${VPN Network} (i.e. 172.16.1.0)
        IP Mask: 255.255.255.0
        Gateway: ${your gateway} (i.e. 10.10.10.1)
        Destination: LAN1


*VPN Config(IP Phone)*
  NOTE: most of these settings are default

    CRAFT menu > VPN

    General(tab)
        VPN: Enabled
        VPN Vendor: Cisco
        Gateway Address: ${Public IP Here}
        External Phone IP Address: BLANK(DHCP)
        External Router: BLANK(DHCP)
        External Subnet Mask: BLANK(DHCP)
        External DNS Server: BLANK(DHCP)
        Encapsulation: 4500-4500
        Copy TOS: No

    Auth Type(tab)
        PSK with XAUTH

    User Cred.(tab)
        VPN User Type: Any
        VPN User: ${VPN Username Here}
        Password Type: Save in Flash

    Password Entry(tab)
        User Password: ${VPN Password Here}

    IKE PSK(tab)
        IKE ID (Group Name): ${Group Name Here}
        Pre-Shared Key (PSK): ${Pre-Shared Key Here}

    IKE Phase 1(tab)
        IKE ID Type: KEY_ID
        IKE Xchg Mode: Aggressive
        IKE DH Group: 2
        IKE Encryption Alg: Any
        IKE Auth. Alg.: Any
        IKE Config. Mode: Enabled

    IKE Phase 2(tab)
        IPsec PFS DH Group: No PFS
        IPSec Encryption Alg: Any
        IPSec Auth Alg.: Any
        Protected Network: 0.0.0.0/0
 
You will need a real IPSec VPN with group authentication.
L2TP/IPSec won't work.

BAZINGA!

I'm not insane, my mother had me tested!
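The cheat sheet above sets the phone to IKEv1 aggressive mode with a KEY_ID group name, and the original problem was a "Phase 1 No Response" error. A quick way to confirm which of the two is happening on the wire (the phone is sending aggressive-mode IKE and simply gets no answer, versus the gateway answering in a mode the phone does not accept) is to look at the first 28 bytes of each IKE packet, the ISAKMP header (RFC 2408), which carries the exchange type and the responder's SPI. The following is an added example written for this thread, not code from the original posts or from Avaya, pfSense or Meraki. It assumes you have already extracted the UDP payloads (for example from a capture on the firewall's WAN side) into a list of (direction, UDP port, payload) tuples; the packets in the block are constructed sample data, not real captures.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

# ISAKMP exchange types from RFC 2408 section 3.1. The phone cheat sheet
# uses "Aggressive" (4); an L2TP/IPsec client normally uses main mode (2).
EXCHANGE_TYPES = {
    0: "NONE",
    1: "BASE",
    2: "IDENTITY_PROTECTION (main mode)",
    3: "AUTH_ONLY",
    4: "AGGRESSIVE",
    5: "INFORMATIONAL",
}

ZERO_SPI = bytes(8)
HEADER_LEN = 28  # fixed ISAKMP header size


@dataclass
class IsakmpHeader:
    init_spi: bytes      # initiator cookie / SPI
    resp_spi: bytes      # responder cookie / SPI, all zero until the responder answers
    next_payload: int
    major: int           # 1 for IKEv1
    minor: int
    exchange_type: int
    flags: int
    message_id: int
    length: int


def parse_isakmp_header(data: bytes) -> IsakmpHeader:
    """Parse the fixed 28-byte ISAKMP header at the start of an IKE datagram."""
    if len(data) < HEADER_LEN:
        raise ValueError("ISAKMP header is 28 bytes, got %d" % len(data))
    init_spi, resp_spi, np, ver, xchg, flags, mid, length = struct.unpack(
        "!8s8sBBBBII", data[:HEADER_LEN]
    )
    return IsakmpHeader(init_spi, resp_spi, np, ver >> 4, ver & 0x0F, xchg, flags, mid, length)


def strip_natt_marker(udp_port: int, payload: bytes) -> bytes:
    """With the cheat sheet's 4500-4500 NAT-T encapsulation, IKE packets on UDP 4500
    carry a 4-byte zero "non-ESP marker" before the ISAKMP header (RFC 3948 2.2)."""
    if udp_port == 4500 and payload[:4] == b"\x00\x00\x00\x00":
        return payload[4:]
    return payload


def build_header(init_spi: bytes, resp_spi: bytes, exchange_type: int) -> bytes:
    """Build a constructed header-only IKEv1 packet for sample input (version byte 0x10 = 1.0)."""
    return struct.pack("!8s8sBBBBII", init_spi, resp_spi, 1, 0x10, exchange_type, 0, 0, HEADER_LEN)


# One packet = (direction, udp_port, udp_payload); direction is "out" (phone -> gateway) or "in".
Packet = Tuple[str, int, bytes]


def diagnose_phase1(packets: List[Packet]) -> List[Dict[str, object]]:
    """For each Phase 1 attempt the phone started, report the exchange mode it used and
    whether the gateway ever replied with a non-zero responder SPI for that initiator SPI."""
    attempts: Dict[bytes, IsakmpHeader] = {}
    answered = set()
    for direction, port, payload in packets:
        hdr = parse_isakmp_header(strip_natt_marker(port, payload))
        if hdr.major != 1:
            continue  # IKEv2 or garbage; not what the phone is configured for
        if direction == "out":
            attempts.setdefault(hdr.init_spi, hdr)
        elif direction == "in" and hdr.init_spi in attempts and hdr.resp_spi != ZERO_SPI:
            answered.add(hdr.init_spi)
    return [
        {
            "init_spi": spi.hex(),
            "mode": EXCHANGE_TYPES.get(h.exchange_type, "unknown(%d)" % h.exchange_type),
            "responded": spi in answered,
        }
        for spi, h in attempts.items()
    ]


# Constructed sample traffic (not a real capture):
PHONE_SPI = b"\x11" * 8
GW_SPI = b"\x22" * 8
# Case 1: the thread's symptom, aggressive-mode retries on UDP 500 with no reply at all.
NO_RESPONSE_CAPTURE: List[Packet] = [("out", 500, build_header(PHONE_SPI, ZERO_SPI, 4))] * 3
# Case 2: a working setup behind NAT-T, the gateway answers with its own SPI.
ANSWERED_CAPTURE: List[Packet] = [
    ("out", 4500, b"\x00\x00\x00\x00" + build_header(PHONE_SPI, ZERO_SPI, 4)),
    ("in", 4500, b"\x00\x00\x00\x00" + build_header(PHONE_SPI, GW_SPI, 4)),
]

if __name__ == "__main__":
    for name, cap in (("no response", NO_RESPONSE_CAPTURE), ("answered", ANSWERED_CAPTURE)):
        print(name, diagnose_phase1(cap))
```

If the phone's attempts show "AGGRESSIVE" with responded False, the gateway is dropping or not terminating the phone's proposal, which matches a client-VPN endpoint that only speaks L2TP/IPsec; if a reply does come back with a different exchange type, the mismatch is in the IKE settings rather than in reachability.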

 
@tlpeter

Thank you very much for the definitive response. Both the Avaya forums and a support contact from Avaya couldn't give me a solid answer.

I've convinced them to install a pfsense appliance as I know this configuration works. Now to convince them to ditch the Meraki altogether for the pfsense box...

Thank you again, you are always very helpful. Have a great weekend.
 
pfSense is a nice one. But make sure you have a partner with solid knowledge of the box. For Cisco and others you can find certified partners that can provide you support.

A firewall in productive use is not really a playground to check some options yourself. The firewall is the door into your data network, so make sure that it is well locked.
 
nnaarrnn:

Cool, let me know if you have any issues. The above is for pfsense 2.1.5, but I just set up the box for this project on 2.2 and it works as well. Just be sure to use "Key Exchange version: V1" and "Mode: aggressive".

derfloh: I see what you mean, but isn't that true for all enterprise firewalls anyway? You don't want to be using an ASA as a playground in a production environment either. Pfsense is arguably a better or easier option for many just because everything can be done in the web gui. It's also nice that there aren't any licensing hassles either - you can make as many IPsec/OpenVPN/L2TP tunnels, networks, etc. as you want (or whatever your hardware can handle); it has proxy server + filtering, IDS/IPS, traffic shaping/limiting, bandwidth monitoring, remote logging, UPS monitoring, and a lot more. You can get support directly from the guys that make it if needed (and much cheaper than Cisco), and the community is outstanding.

Also, no NSA backdoors... :D
 