Avaya VPNremote Phone Application Note
Contents
1. [Network > Interfaces list page, as shown in the WebUI:]
   Name         IP/Netmask          Zone     Type    Link   Configure
   ethernet0/0  192.168.1.199/24    Trust    Layer3  Up     Edit
   ethernet0/1  172.16.254.118/24   MGT      Layer3  Up     Edit
   ethernet0/2  0.0.0.0/0           Untrust  Layer3  Up     Edit
   ethernet0/3  0.0.0.0/0           HA       Layer3  Down   Edit
   vlan1        0.0.0.0/0           VLAN     Layer3  Down   Edit

EMH; Reviewed: SPOC 9/27/06. Solution & Interoperability Test Lab Application Notes, 8 of 42. ©2006 Avaya Inc. All Rights Reserved. vpnphone_ssg.doc

2. From the Ethernet0/0 properties page, configure the highlighted fields shown below. All remaining fields can be left as default. Select OK to save.

Ethernet0/0 connects to the private corporate network, making it a trusted interface, so it is placed in the Trust security zone of the Juniper SSG. The Service Options selected and the enabling of Manageability are related to the interface being in the Trust zone.

[Ethernet0/0 properties page: Interface Name ethernet0/0 (0012.1eaa.3c80); As member of group: none; Zone Name: Trust; Static IP selected (Obtain IP using DHCP / PPPoE not selected); IP Address/Netmask 192.168.1.199/24; Manageable checked; Manage IP 192.168.1.199; Interface Mode: NAT; Block Intra-Subnet Traffic unchecked; Service Options enabled: Web UI, Telnet, SSH, SNMP, SSL; Other Services: Ping enabled, Path MTU (IPv4) and Ident-reset not enabled; Maximum Transfer Unit (continues on the next page).]
2. [Figure 1: Physical Network. A remote office behind a Linksys broadband router (WAN interface) reaches the corporate network over an IPSec tunnel across the IP network; Juniper Networks SSG 520-A (Eth0/2 100.2.2.100) and SSG 520-B (Eth0/2 130.2.2.100) terminate the tunnels on their Untrust interfaces. SSG 520-A uses the IPSec VPN IP Address Pool 50.50.100.1 to 50.50.100.254 (IP Network Region 2) and SSG 520-B uses the IPSec VPN IP Address Pool 50.50.130.1 to 50.50.130.254 (IP Network Region 3). The Main Campus Private Enterprise Network (IP Network Region 1) is the Avaya voice VLAN 192.168.1.0/24 with Avaya IP Phones and default gateway 192.168.1.1, plus a control network 1.1.1.0/24 with DNS/TFTP, an Avaya G650 Media Gateway (MedPro 01A03, CLAN 01A07, CLAN 01A02, IPSI 01A01) and an Avaya S8710 Media Server running Avaya Communication Manager.]

3 Equipment and Software Validated

Table 2 lists the equipment and software/firmware versions used in the sample configuration provided.

   Device Description              Versions Tested
   Avaya S8710 Media Server        (not legible in source)
   Avaya G650 Media Gateway        TN2312BP IPSI FW 22, HV 6
                                   TN799DP CLAN FW 16, HV 1
                                   TN2302AP IP MedPro FW 108, HV 12
   Avaya 4610SW IP Telephones      R2.3.2 (Release 2), a10bVPN232_1.bin
   Avaya 4620SW IP Telephones      R2.3.2
3. [End of the AutoKey IKE VPN edit page: Optimized Rekey option; OK / Cancel.]

3. The AutoKey IKE list page displays the new IKE VPN.

4.8 XAuth Configuration

The Juniper SSG has a local XAuth server integrated within the ScreenOS operating system. Alternatively, an external RADIUS server can be used. These Application Notes implement the local ScreenOS XAuth server. The following steps configure the default and IKE-gateway-specific settings of the local XAuth server.

4.8.1 XAuth Server Defaults

1. From the left navigation menu select VPNs > AutoKey Advanced > XAuth Settings. Configure the highlighted fields shown below. All remaining fields can be left as default. Select Apply when complete.

Select the IP Pool Name created in Section 4.3 from the drop-down menu. This defines the IP address range used when IP addresses are dynamically assigned to the Avaya VPNremote Phone by the XAuth server during IKE setup. DNS and WINS IP addresses are also dynamically assigned by the XAuth server.

4.8.2 Enable XAuth Authentication for AutoKey IKE Gateway

1. From the left navigation menu select VPNs > AutoKey Advanced > Gateway. The list
4. (Table 2, continued)
   Avaya 4620SW IP Telephones              Release 2, a20bVPN232_1.bin
   Avaya 4621SW IP Telephones              R2.3.2 (Release 2), a20bVPN232_1.bin
   Avaya 4625SW IP Telephones              R2.5.2 (Application), a25VPN252_1.bin
   Juniper Networks SSG 520                ScreenOS 5.4.0r1.0
   Extreme Alpine 3804
   Netgear Broadband Router RP614v3        Firmware V6.0NA, 09/03/04
   D-Link Broadband Router DL-604          Firmware 3.51, 11/22/04
   Linksys Broadband Router BEFSR41 Ver4   Firmware v1.04.05, 07/20/05
   Table 2: Equipment and Software Validated

4 Configure Juniper SSG 520

Two Juniper SSG 520s are included in the sample configuration, as described in Section 2. The primary difference in the configuration between these Juniper SSG 520s is the IP address assignment and the IP Pool address range. For brevity, only the steps for configuring one of the SSGs, SSG 520-A, are covered in these Application Notes. The configuration steps utilize the Web User Interface (WebUI) of the Juniper SSG 520. The entire Juniper SSG 520 system CLI configuration is provided as a reference in Appendix A.

4.1 Access SSG 520

1. From a serial connection to the Console port of the Juniper SSG, log in and access the Command Line Interface using a terminal emulation application such as Windows HyperTerminal. Execute the following commands to configure Juniper SSG Ethernet interface 0/0. This enables access to the Juniper SSG WebUI.

   SSG520-> set interface ethernet0/0 ip 192.168.1.199/24
   SSG520-> set interface ethernet0/0 ip
5. (Appendix A, SSG 520-A CLI configuration, continued; lines that are illegible in the source are marked as such)
   set interface ethernet0/0 manage mtrace
   set interface ethernet0/1 manage snmp
   [illegible lines]
   set interface vlan1 manage mtrace
   unset flow no-tcp-seq-check
   set flow tcp-syn-check
   set console timeout 15
   set pki authority default scep mode "auto"
   set pki x509 default cert-path partial
   [address-book entries; names not legible]
   set user "evan" uid 4
   set user "evan" type xauth
   set user "evan" password "IZ7 4vQeNmFM9MsszyCn JHNzgpnDvp0llg"
   unset user "evan" type auth
   set user "evan" "enable"
   set user "garrett" uid 3
   set user "garrett" type xauth
   set user "garrett" password "Gx7kdgYVNa70FRsOCoCF8CtolDnz3cumlg"
   unset user "garrett" type auth
   set user "garrett" "enable"
   set user "owen" uid 2
   set user "owen" type xauth
   set user "owen" password "xOfx89O0CNyMQJ sPQLCWU1rvHGngirErgg"
   unset user "owen" type auth
   set user "owen" "enable"
   [illegible lines]
   set user "vpnphone-ike" uid 1
   set user "vpnphone-ike" ike-id u-fqdn "vpnphone@avaya.com" share-limit [value not legible]
   set user "vpnphone-ike" type ike
   set user "vpnphone-ike" "enable"
   set user-group "remoteuser-grp" id 3
   set user-group "remoteuser-grp" user "evan"
   set user-group "remoteuser-grp" user "garrett"
   set user-group "remoteuser-grp" user "owen"
6. [change ip-network-region 1, Page 1 of 19, IP NETWORK REGION:
   Region: 1; Location: 1; Authoritative Domain: avaya.com; Name: Main Campus
   MEDIA PARAMETERS: Intra-region IP-IP Direct Audio: yes; Inter-region IP-IP Direct Audio: yes; Codec Set: 1; UDP Port Min: 2048; IP Audio Hairpinning? y
   DIFFSERV/TOS PARAMETERS: Call Control PHB Value: 46; Audio PHB Value: 46; Video PHB Value: 26
   RTCP Reporting Enabled? y; RTCP MONITOR SERVER PARAMETERS: Use Default Server Parameters? y
   802.1P/Q PARAMETERS: Call Control 802.1p Priority: 6; Audio 802.1p Priority: 6; Video 802.1p Priority: 5
   AUDIO RESOURCE RESERVATION PARAMETERS: RSVP Enabled? n
   H.323 IP ENDPOINTS: H.323 Link Bounce Recovery? y; Idle Traffic Interval (sec): 20; Keep-Alive Interval (sec): 5; Keep-Alive Count: 5]

Page 3 of the IP Network Region form defines the codec set to use for intra-region and inter-region calls. Avaya VPNremote Phones are mapped to Region 2 or 3. Calls within IP Network Region 1 use Codec Set 1 (G.711MU), while calls from IP Network Region 1 to IP Network Region 2 or 3 use Codec Set 2 (G.729).

   change ip-network-region 1                            Page 3 of 19
   Inter Network Region Connection Management
   src  dst  codec  direct  WAN-BW-limits  Intervening  Dynamic CAC  IGAR
   rgn  rgn  set    WAN                    regions      Gateway
   1    1    1
   1    2    2      y       NoLimit                                  n
   1    3    2      y       NoLimit                                  n
   1    4
7. [Ethernet0/2 properties page, continued: Interface Mode: NAT / Route; Block Intra-Subnet Traffic unchecked; Service Options (Web UI, Telnet, SSH, SNMP, SSL) all unchecked; Other Services (Ping, Path MTU (IPv4), Ident-reset) unchecked; Maximum Transfer Unit (MTU): Admin MTU 0 Bytes, Operating MTU 1500, Default MTU 1500; DNS Proxy unchecked; WebAuth IP 0.0.0.0, SSL Only unchecked; Traffic Bandwidth: Egress Maximum Bandwidth 0 Kbps, Ingress Maximum Bandwidth 0 Kbps; Apply / Cancel.]

4.3 IP Address Pool

The XAuth protocol enables the Juniper SSG to dynamically assign IP addresses from a configured IP Address Pool range to IPSec clients such as the Avaya VPNremote Phone. Controlling the assignment of IP address ranges to Avaya VPNremote Phones enables Avaya Communication Manager to map the Avaya VPNremote Phones into IP Network Regions, as described in Section 7.4. The following steps create the IP Address Pool.

1. From the left navigation menu select Objects > IP Pools. On the IP Pools list page select New.

2. From the IP Pools Edit page, populate the highlighted fields shown below, then select OK to save. The IP Pool Name is a descriptive name for this IP Pool. Once configured, this name will appear in the IP Pool Name drop-down menu of Section 4.8. Ensure the IP address range does not conflict with addresses
8. (Section 4.6 ends here)

4.7 VPN

Setting up the VPN tunnel encryption and authentication is a two-phase process:
• Phase 1 covers how the Avaya VPNremote Phone and the Juniper SSG will securely negotiate and handle the building of the tunnel.
• Phase 2 sets up how the data passing through the tunnel will be encrypted at one end and decrypted at the other.

This process is carried out on both sides of the tunnel. Table 3 provides the IKE proposals used in the sample configuration, including the proposal name used by the Juniper SSG.

   Phase  Authentication Method  Diffie-Hellman Group  Encryption Algorithm  Auth Algorithm  Life Time (sec)  Juniper SSG Proposal Name
   P1     Pre-Shared Key         2                     3DES                  MD5             28800            pre-g2-3des-md5
   P2     ESP                    2                     AES128                SHA-1           3600             g2-esp-aes128-sha
   Table 3: IKE P1/P2 Proposals

4.7.1 AutoKey IKE Gateway Configuration (Phase 1)

1. From the left navigation menu select VPNs > AutoKey Advanced > Gateway. Select New. Configure the highlighted fields shown below. All remaining fields can be left as default. Provide a descriptive Gateway Name. Selecting Custom Security Level provides access to a more complete list of proposals available on this Juniper SSG. Selecting Dialup User Group associates the Gro
9. page displays the IKE gateway created in Section 4.7.1, as shown below. Select Xauth under the Configure column for the vpnphone-gw IKE gateway.

   Name         Peer Type  Address/ID  User Group    Local ID  Security Level  Configure
   vpnphone-gw  Dialup                 vpnphone-grp            Custom          Edit  Xauth  Remove

2. Configure the highlighted fields shown below. All remaining fields can be left as default. Select OK when complete to save settings.

[Gateway XAuth page: XAuth Server selected (None and Use Default XAuth Settings not selected); Local Authentication: User Group remoteuser-grp (Allow Any and User not selected); Allowed Authentication Type: CHAP Only; External Authentication: None; Query Remote Setting (Allow Any / User Name / User Group Name, Allowed Authentication Type CHAP Only); Bypass Authentication not selected; XAuth Client (User Name, Password, CHAP Only) not used; Update DHCP Server; Prefix Delegation to IPv6 Interfaces: no entry available; Apply / Cancel.]

4.9 H.323 ALG

1. From the left navigation menu select Configuration > Advanced > ALG > Configure. Un-check the H323 check box to globally disable the H.323 Application Layer Gateway.

[ALG configuration page: Basic, MGCP and H323 check boxes.]
10. telephony over any broadband Internet connection.

10 Definitions and Abbreviations

The following terminology is used throughout this document.
   CLAN     Control LAN
   IKE      Internet Key Exchange, an IPSec control protocol
   ISAKMP   Internet Security Association and Key Management Protocol
   IPSec    Internet Protocol Security
   IPSI     IP Services Interface
   MD5      Message Digest 5
   MEDPRO   Media Processor
   NAT      Network Address Translation
   PFS      Perfect Forward Secrecy
   Phase 1  IKE negotiations used to create an ISAKMP security association
   Phase 2  IKE negotiations used to create IPSec security associations
   RTP      Real-Time Transport Protocol
   SA       Security Association
   SHA-1    Secure Hash Algorithm 1
   VPN      Virtual Private Network

11 References

Juniper Networks Concepts & Examples ScreenOS Reference Guide, Volume 5: Virtual Private Networks, Release 5.4.0, Rev. A. http://www.juniper.net/techpubs/software/screenos/screenos5.4.0/CE_v5.pdf

Secure Services Gateway (SSG) 500 Series Hardware Installation and Configuration Guide, ScreenOS Version 5.4.0. http://www.juniper.net/techpubs/hardware/netscreen-systems/netscreen-systems54/SSG_HW_revA.pdf

Cameron, R., Cantrell, C., Killion, D., Russell, K., Tam, K. (2005). Configuring NetScreen Firewalls. Rockla
11. 0. However, these configuration steps can be applied to Juniper NetScreen and ISG platforms using the ScreenOS version specified in Section 3.

1.1 Highlights

The sample network provided in these Application Notes implements the following features of the Juniper SSG 520 and Avaya VPNremote Phone:

• Policy-Based IPSec VPN. The policy-based VPN feature of the Juniper SSG allows a VPN tunnel to be directly associated with a security policy, as opposed to a route-based VPN being bound to a logical VPN tunnel interface. Because no network exists beyond a VPN client end point, policy-based VPN tunnels are a good choice for VPN end point configurations such as with the Avaya VPNremote Phone.

• XAuth User Authentication. The XAuth protocol enables the Juniper SSG to authenticate the individual users of the VPNremote Phone. The XAuth user authentication is in addition to the IKE IPSec VPN authentication. The IKE and XAuth authentication steps of the Avaya VPNremote Phone are as follows:

  Step 1 (Phase 1 negotiations): the Juniper SSG authenticates the Avaya VPNremote Phone by matching the IKE ID and Pre-Shared Key sent by the Avaya VPNremote Phone. If there is a match, the Juniper SSG XAuth process begins.

  Step 2 (XAuth): the Juniper SSG XAuth server prompts the Avaya VPNremote Phone for user credentials
12. [Route Entries list for trust-vr (tail of the table): a /30 connected (C) route via ethernet0/2, vrouter Root; 100.2.2.100/32 host (H) route via ethernet0/2, vrouter Root.
   Legend: * Active route; C Connected; I Imported; eB EBGP; O OSPF; E1 OSPF external type 1; H Host Route; P Permanent; S Static; A Auto-Exported; iB IBGP; R RIP; E2 OSPF external type 2; D Dynamic]

2. Configure the highlighted fields shown below. All remaining fields can be left as default. Select OK to save. The 0.0.0.0/0 network indicates the default route, used when no other match exists in the routing table. The route points to the next hop out of interface Ethernet0/2 toward the public Internet.

4.4.2 Configure Route to IP Pool Address Range

1. From the Route Entries screen select trust-vr from the drop-down menu, then select New.

2. Configure the highlighted fields shown below. All remaining fields can be left as default. Select OK to save. The IP Address/Netmask is the network used for the IP Address Pool in Section 4.3. The Gateway IP Address specifies the next-hop route into the trusted corporate network, the Extreme 3804 L2/L3 switch in the sample configuration. See Section 6 for information on the Extreme 3804 switch.

4.5 Local User Configuration

The sampl
13. (Juniper SSG event log excerpt, continued; most recent entries first)
   2006-08-11 23:37:48 info ... <32812> and lifetime <3600> seconds/<0> KB.
   2006-08-11 23:37:48 info IKE<2.2.2.2> Phase 2 msg-id <53638e21>: Completed for user <vpnphone@avaya.com>.
   2006-08-11 23:37:47 info IKE<2.2.2.2>: Received initial contact notification and removed Phase 1 SAs.
   2006-08-11 23:37:47 info IKE<2.2.2.2>: Received initial contact notification and removed Phase 2 SAs.
   2006-08-11 23:37:47 info IKE<2.2.2.2>: Received a notification message for DOI <1> <24578> <INITIAL-CONTACT>.
   2006-08-11 23:37:47 info IKE<2.2.2.2> Phase 2 msg-id <53638e21>: Responded to the peer's first message from user <vpnphone@avaya.com>.
   2006-08-11 23:37:46 info IKE<2.2.2.2>: XAuth login was passed for gateway <vpnphone-gw>, username <garrett>, retry: 0, Client IP Addr <50.50.100.1>, IPPool name: <Remote User IP>, Session-Timeout: <0s>, Idle-Timeout: <0s>.
   2006-08-11 23:37:46 info IKE<2.2.2.2>: XAuth login was refreshed for username <garrett> at <50.50.100.1/255.255.255.255>.
   2006-08-11 23:37:46 info IKE<2.2.2.2> Phase 1: Completed Aggressive mode negotiations with a <28800>-second lifetime.
   2006-08-11 23:37:46 info IKE<2.2.2.2> Phase 1: Completed for user <vpnphone@avaya.com>.
   2006-08-11 23:37:46 info IKE<2.2.2.2> Phase 1: IKE
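To make the log check in the verification section repeatable, the following added Python script (not part of the Avaya Application Notes) parses event-log lines in the format shown above and confirms, per peer, that Phase 1 completed with the expected 28800-second lifetime, that XAuth passed and handed out an address from the configured pool, and that Phase 2 completed. The sample log lines, the second peer address and the wording of the failed-login line are constructed assumptions.

```python
"""Check a Juniper SSG (ScreenOS) IKE event-log excerpt for a completed
VPNremote Phone tunnel: Phase 1, XAuth login with a pool address, Phase 2."""
import re

# Constructed sample in the format of the SSG event log quoted in the verification
# section. The peer 3.3.3.3 and its failed-login line are assumptions, not page data.
SAMPLE_LOG = """\
2006-08-11 23:37:48 info IKE<2.2.2.2> Phase 2 msg-id <53638e21>: Completed for user <vpnphone@avaya.com>.
2006-08-11 23:37:47 info IKE<2.2.2.2>: Received initial contact notification and removed Phase 1 SAs.
2006-08-11 23:37:46 info IKE<2.2.2.2>: XAuth login was passed for gateway <vpnphone-gw>, username <garrett>, retry: 0, Client IP Addr <50.50.100.1>, IPPool name: <Remote User IP>, Session-Timeout: <0s>, Idle-Timeout: <0s>.
2006-08-11 23:37:46 info IKE<2.2.2.2> Phase 1: Completed Aggressive mode negotiations with a <28800>-second lifetime.
2006-08-11 23:37:46 info IKE<2.2.2.2> Phase 1: Completed for user <vpnphone@avaya.com>.
2006-08-11 23:40:02 info IKE<3.3.3.3> Phase 1: Completed Aggressive mode negotiations with a <28800>-second lifetime.
2006-08-11 23:40:02 info IKE<3.3.3.3> Phase 1: Completed for user <vpnphone@avaya.com>.
2006-08-11 23:40:03 info IKE<3.3.3.3>: XAuth login failed for gateway <vpnphone-gw>, username <owen>, retry: 1.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<level>\w+) "
    r"IKE<(?P<peer>[^>]+)>:?\s*(?P<msg>.*)$")
ANGLE_RE = re.compile(r"<([^>]*)>")   # values ScreenOS prints in angle brackets


def parse_log(text):
    """Return one dict (ts, level, peer, msg) per IKE log line; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def tunnel_status(events, peer):
    """Summarize Phase 1 / XAuth / Phase 2 progress for one peer address."""
    st = {"phase1": False, "phase1_lifetime": None, "ike_user": None,
          "gateway": None, "xauth_user": None, "client_ip": None, "pool": None,
          "xauth_failed": False, "phase2": False}
    for ev in events:
        if ev["peer"] != peer:
            continue
        msg, vals = ev["msg"], ANGLE_RE.findall(ev["msg"])
        if msg.startswith("Phase 1: Completed Aggressive mode"):
            st["phase1"], st["phase1_lifetime"] = True, int(vals[0])
        elif msg.startswith("Phase 1: Completed for user"):
            st["ike_user"] = vals[0]
        elif msg.startswith("XAuth login was passed"):
            # bracketed values: gateway, username, client ip, pool name, session, idle
            st["gateway"], st["xauth_user"], st["client_ip"], st["pool"] = vals[:4]
        elif msg.startswith("XAuth login"):
            st["xauth_failed"] = True      # any other XAuth outcome counts as a failure
        elif msg.startswith("Phase 2 msg-id") and "Completed for user" in msg:
            st["phase2"] = True
    return st


def verify_tunnel(st, pool_prefix="50.50.100.", p1_lifetime=28800,
                  ike_user="vpnphone@avaya.com"):
    """Return the list of deviations from the expected P1 / XAuth / P2 sequence."""
    problems = []
    if not st["phase1"]:
        problems.append("no Phase 1 completion")
    elif st["phase1_lifetime"] != p1_lifetime:
        problems.append(f"Phase 1 lifetime {st['phase1_lifetime']} != {p1_lifetime}")
    if st["ike_user"] != ike_user:
        problems.append(f"unexpected IKE user {st['ike_user']!r}")
    if st["xauth_failed"]:
        problems.append("XAuth login did not pass")
    if st["xauth_user"] is None:
        problems.append("no successful XAuth login recorded")
    elif not st["client_ip"].startswith(pool_prefix):
        problems.append(f"client address {st['client_ip']} outside pool {pool_prefix}0/24")
    if not st["phase2"]:
        problems.append("no Phase 2 completion")
    return problems


def report(text):
    """Map every peer seen in the log to its list of problems (empty list = healthy)."""
    events = parse_log(text)
    peers = sorted({ev["peer"] for ev in events})
    return {p: verify_tunnel(tunnel_status(events, p)) for p in peers}


if __name__ == "__main__":
    for peer, problems in report(SAMPLE_LOG).items():
        print(peer, "OK" if not problems else "; ".join(problems))
```

Change the pool_prefix argument to the SSG 520-B pool (50.50.130.) when checking the second gateway's log.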
14. [Codec Set 2 form, continued: Frames Per Pkt 3, Packet Size (ms) 30]

Use the list ip-codec-set command to verify the codec assignments:

   list ip-codec-set
                              IP CODEC SETS
   Codec Set  Codec 1   Codec 2  Codec 3  Codec 4  Codec 5
   1          G.711MU
   2          G.729
   3          G.711MU
   4          G.711MU

7.3 IP Network Map Configuration

Use the change ip-network-map command to define the IP addresses mapped to Network Regions 2 and 3, as shown below. Refer to Table 1 (Network Region Mappings) and Figure 1 (Physical Network) in Section 2.

   change ip-network-map                                 Page 1 of 32
                              IP ADDRESS MAPPING
                                                 Subnet          Emergency Location
   From IP Address   (To IP Address or Mask)   Region   VLAN    Extension
   50.50.100.1       /24                       2        n
   50.50.130.1       /24                       3        n

7.4 IP Network Regions Configuration

Use the change ip-network-region 1 command to configure the Network Region parameters. Configure the highlighted fields shown below. All remaining fields can be left as default. Select a descriptive name for Name. Intra-region and Inter-region IP-IP Direct Audio determine the flow of RTP audio packets; setting them to yes enables the most efficient audio path to be taken. Codec Set 1 is used for Network Region 1, as described in Section 7.2.

   change ip-network-region 1                            Page 1 of 19
                              IP NETWORK REGION
15. AVAYA

Avaya Solution & Interoperability Test Lab

Application Notes for Configuring Avaya VPNremote Phone with Juniper Secure Services Gateway using Policy-Based IPSec VPN and XAuth Enhanced Authentication - Issue 1.0

Abstract

These Application Notes describe the steps for configuring the Juniper Secure Services Gateway 520 security platform with a policy-based IPSec VPN and XAuth enhanced authentication to support the Avaya VPNremote Phone. The sample configuration presented in these Application Notes utilizes a shared IKE Group ID to streamline the VPN configuration and management, IP Network Region segmentation to logically group and administer VPNremote Phones, and NAT-T for IPSec traversal of Network Address Translation devices.

TABLE OF CONTENTS
   1    INTRODUCTION ...................................... 3
   1.1  HIGHLIGHTS ........................................ 3
   2    NETWORK TOPOLOGY .................................. 4
   3    EQUIPMENT AND SOFTWARE VALIDATED .................. 7
   4    CONFIGURE JUNIPER SSG 520 ......................... 7
   4.1  ACCESS SSG 520 .................................... 7
   4.2  CONFIGURE JUNIPER SSG ETHERNET
16. B is configured to use SSG 520-A for IPSec tunnel termination. SSG 520-A assigns an IP address to the VPNremote Phone mapped to Network Region 2 in Avaya Communication Manager.

Remote Home Office C consists of a single Avaya VPNremote Phone connected to a D-Link broadband router. The D-Link router is configured as a firewall with NAT enabled, as well as a local DHCP server. The VPNremote Phone in Remote Office C is configured to use SSG 520-B for IPSec tunnel termination. SSG 520-B assigns an IP address to the VPNremote Phone mapped to Network Region 3 in Avaya Communication Manager.

Table 1 summarizes the Network Region IP address mappings.

   Network Region  IP Address       Juniper SSG  Office
   1               192.168.1.0/24                Main
   2               50.50.100.0/24   A            Remote SOHO Office A, Remote Home Office B
   3               50.50.130.0/24   B            Remote Home Office C
   Table 1: Network Region Mappings

[Figure 1, upper part: Remote SOHO Office A (Avaya VPNremote 4610SW and 4620SW behind a Netgear broadband router, private subnet 192.168.0.0), Remote Home Office B (Avaya VPNremote 4621SW, private subnet 192.168.0.0) and Remote Home Office C (Avaya VPNremote 4621SW behind a D-Link broadband router, private subnet 10.10.10.0, IP Network Region 3), each router's WAN interface connected to the public Internet.]
17. [Gateway advanced page, continued: Mode (Initiator): Aggressive (ID Protection not selected); Enable NAT-Traversal checked; UDP Checksum; Keepalive Frequency 5 seconds (0-300 sec); Peer Status Detection: Heartbeat (Hello 0 seconds, 1-3600, 0 = disable; Reconnect 0 seconds, 60-9999 sec; Threshold), DPD (Interval 0 seconds, 3-28800, 0 = disable; Retry 5, 1-128; Always Send); Preferred Certificate (optional): Local Cert None, Peer CA None, Peer Type None; Use Distinguished Name for Peer ID: CN, OU, Organization, Location, State, Country, E-mail, Container; Cancel.]

3. Because the IKE group was selected in Step 1 above, a pop-up window similar to the one below is displayed as a reminder to enable the XAuth server. Section 4.8 provides the XAuth server configuration. Select OK.

[Microsoft Internet Explorer pop-up window.]

4. The AutoKey Advanced > Gateway list page displays the new gateway.

[AutoKey Advanced > Gateway list page.]

4.7.2 AutoKey IKE VPN Tunnel Configuration (Phase 2)

1. From the left navigation menu select VPNs > AutoKey IKE. Select New. Configure the highlighted fields shown below. All remaining fields can be left as default. Provide a descriptive VPN Name. Selecting Custom Security Level provides access to a more c
18. INTERFACES ...................................... 8
   4.3  IP ADDRESS POOL .................................. 11
   4.4  (title not legible in source) ................... 12
   4.5  LOCAL USER CONFIGURATION ......................... 14
   4.6  LOCAL USER GROUP CONFIGURATION ................... 17
   4.7  VPN .............................................. 19
   4.8  XAUTH CONFIGURATION .............................. 24
   4.9  H.323 ALG ........................................ 26
   4.10 SECURITY POLICIES ................................ 26
   5    AVAYA VPNREMOTE PHONE CONFIGURATION .............. 28
   5.1  VPNREMOTE PHONE FIRMWARE ......................... 28
   5.2  CONFIGURING AVAYA VPNREMOTE PHONE ................ 28
   6    EXTREME 3804 CONFIGURATION ....................... 30
   6.1  ADD IP ROUTE TO VPN IP ADDRESS POOL NETWORK ...... 30
   7    AVAYA COMMUNICATION MANAGER CONFIGURATION ........ 31
   7.1  VPNREMOTE PHONE CONFIGURATION .................... 31
   7.2  IP CODEC SETS CONFIGURATION ...................... 31
   7.3  IP NETWORK MAP CONFIGURATION ..................... 32
   7.4  IP NETWORK REGIONS CONFIGURATION ................. 33
   8    VERIFICATION STEPS ............................... 34
   8.1  VPNREMOTE PHONE QTEST ............................ 34
   8.2  VPNREMOTE PHONE IPSEC (rest of title not legible)  35
   8.3  JUNIPER SSG DEBUG AND L
19. [Tail of the AutoKey IKE VPN page.]

4.10 Security Policies

1. From the left navigation menu select Policies. Any currently configured security policies are displayed. Create a security policy for traffic flowing from the Untrust zone to the Trust zone. At the top of the Policies page select Untrust in the From drop-down menu and Trust in the To drop-down menu. Select the New button on the top right corner of the page to create the new security policy.

[Policies list page: List 20 per page; Search; From / To zone drop-down menus (all zones); New; existing policies with Edit / Clone / Remove.]

2. Configure the highlighted fields shown below. All remaining fields can be left as default. Select OK when complete to save settings. Enter a descriptive policy Name to easily identify this policy in the policy list and logs. Selecting Dial-Up VPN from the Source Address drop-down menu and Any from the Destination Address defines the VPN tunnel as the traffic originator. Selecting Tunnel from the Action field drop-down menu indicates the action the SSG will take against traffic that matches the first three criteria of the policy: Source Address, Destination Address and Service. All matching traffic will be associated with a particular VPN tunnel specified in the Tunnel field. Selecting vpnphone-v
20. (Table of contents, continued)
   8.3  JUNIPER SSG DEBUG AND LOG ........................ 35
   8.4  OVERLAPPING NETWORK ADDRESSES .................... 37
   9    CONCLUSION ....................................... 37
   10   DEFINITIONS AND ABBREVIATIONS .................... 37
   11   REFERENCES ....................................... 38
   APPENDIX A: SSG 520-A CLI CONFIGURATION .............. 39

1 Introduction

These Application Notes describe the steps for configuring the Juniper Secure Services Gateway 520 security appliance to support the Avaya VPNremote Phone. The Avaya VPNremote Phone is a software-based Virtual Private Network (VPN) client integrated into the firmware of an Avaya IP Telephone. This enhancement allows the Avaya IP Telephone to be plugged in and used seamlessly over a secure VPN from any broadband Internet connection. The end user experiences the same IP telephone features as if they were using the phone in the office. Avaya IP Telephone models supporting the Avaya VPNremote Phone firmware are the 4610SW, 4620SW, 4621SW, 4622SW and 4625SW.

Release 2 of the Avaya VPNremote Phone extends the support of head-end VPN gateways to include Juniper security platforms. The configuration steps described in these Application Notes utilize a Juniper Secure Services Gateway (SSG) model 52
21. ail address. As described in Section 5.2, the Group Name field of the Avaya VPNremote Phone must match this IKE Identity string. vpnphone@avaya.com is used in these Application Notes; however, any e-mail address string can be used.

[Local user edit page: User Name vpnphone-ike; Status: Enable (Disable not selected); IKE User selected (Auth User, L2TP User and XAuth User not selected); Number of Multiple Logins with Same ID: (value not legible in source); Simple Identity selected; IKE ID Type: AUTO; IKE Identity: vpnphone@avaya.com; Use Distinguished Name For ID not selected; Authentication User / XAuth User / L2TP User with User Password and Confirm Password not used; OK / Cancel.]

2. The local Users list page displays the new IKE user.

   Name          Type  Group  Status   Identity            Configure
   vpnphone-ike  IKE          Enabled  vpnphone@avaya.com  Edit  Remove

4.5.2 XAuth Users

Three XAuth user accounts, owen, garrett and evan, are created in the sample configuration for users of the Avaya VPNremote Phones. The following steps create a user account for owen. Follow the same steps to create accounts for garrett and evan. The XAuth server of the Juniper SSG provides the authentication of these users. The users of the Avaya VPNremote Phone will need to be supplied with their user name and password. Users will be prompted on the phone display to enter this information as the Avaya VPNremote Ph
22. [Ethernet0/0 properties page, continued: Maximum Transfer Unit (MTU): Admin MTU 0 Bytes, Operating MTU 1500, Default MTU 1500; DNS Proxy unchecked; WebAuth IP 0.0.0.0, SSL Only unchecked; Traffic Bandwidth: Egress Maximum Bandwidth 0 Kbps, Ingress Maximum Bandwidth 0 Kbps; Apply / Cancel.]

Configure Ethernet0/2 Interface

1. From the Network > Interfaces list screen, select Edit for Ethernet0/2.

   Name         IP/Netmask          Zone     Type    Link   Configure
   ethernet0/0  192.168.1.199/24    Trust    Layer3  Up     Edit
   ethernet0/1  172.16.254.118/24   MGT      Layer3  Up     Edit
   ethernet0/2  0.0.0.0/0           Untrust  Layer3  Up     Edit
   ethernet0/3  0.0.0.0/0           HA       Layer3  Down   Edit
   vlan1        0.0.0.0/0           VLAN     Layer3  Down   Edit

2. From the Ethernet0/2 properties page, configure the highlighted fields shown below. All remaining fields can be left as default. Select OK to save. Because Ethernet0/2 is in the Untrust zone and is not configured as manageable, all service options are disabled.

[Ethernet0/2 properties page: Interface Name ethernet0/2 (0012.1eaa.3c86); As member of group: none; Zone Name: Untrust; Static IP selected (Obtain IP using DHCP / PPPoE not selected); IP Address/Netmask 100.2.2.100/30; Manageable unchecked; Manage IP 0.0.0.0; Interface Mode (continues on the next page).]
23. Use the change ip-network-region 2 command to configure the Network Region 2 parameters. Configure the highlighted fields shown below. All remaining fields can be left as default.

   change ip-network-region 2                            Page 1 of 19
                              IP NETWORK REGION
   Region: 2
   Location:                  Authoritative Domain:
   Name: VPN Users SSG-A
   MEDIA PARAMETERS: Intra-region IP-IP Direct Audio: yes; Inter-region IP-IP Direct Audio: yes; Codec Set: 2; UDP Port Min: 2048; UDP Port Max: 3028; IP Audio Hairpinning? y

Page 3 defines the codec set to use for intra-region and inter-region calls. All calls from IP Network Region 2 will use the G.729 codec, as defined by the IP Codec Set in Section 7.2.

   change ip-network-region 2                            Page 3 of 19
   Inter Network Region Connection Management
   src  dst  codec  direct  WAN-BW-limits  Intervening  Dynamic CAC  IGAR
   rgn  rgn  set    WAN                    regions      Gateway
   2    1    2      y       NoLimit                                  n
   2    2    2
   2    3    2      y       NoLimit                                  n
   2    4

Follow these same steps for configuring IP Network Region 3.

8 Verification Steps

8.1 VPNremote Phone Qtest

Using a feature of the Avaya VPNremote Phone called Quality test, or Qtest, the VPNremote Phone can test the network connection to the VPN head-end gateway to characterize the voice quality an end user is likely to experience. Once the Avaya VPNremote Phone establishes an IPSec tunnel, registers with Avaya Communication Manager and becomes functional, enter the Avaya VPNremote Phone VPN configurati
24. e Avaya VPNremote Phone will behave the same as other Avaya IP telephones located locally on the corporate LAN once the VPN tunnel has been established. For additional information regarding Avaya Communication Manager configuration, see the Administrator Guide for Avaya Communication Manager.

7.2 IP Codec Sets Configuration

These Application Notes utilize the G.711 codec for the Main Campus location (Network Region 1) and the G.729 codec (3 Frames Per Pkt, 30 ms) for the Remote Office locations with Avaya VPNremote Phones deployed. The high compression of the G.729 codec accommodates the limited bandwidth of the remote office WAN connection (i.e. DSL or Cable). For more information on configuring codecs, please see the "Setting WAN Bandwidth Limits between Network Regions" section of the Administrator's Guide for Avaya Communication Manager.

Use the change ip-codec-set 1 command to define the G.711 codec as shown below:

   change ip-codec-set 1                                 Page 1 of 2
                              IP Codec Set
   Codec Set: 1
       Audio      Silence       Frames    Packet
       Codec      Suppression   Per Pkt   Size(ms)
   1:  G.711MU    n             2         20
   2:

Use the change ip-codec-set 2 command to define the G.729 codec as shown below:

   change ip-codec-set 2                                 Page 1 of 2
                              IP Codec Set
   Codec Set: 2
       Audio      Silence       Frames    Packet
       Codec      Suppression   Per Pkt   Size(ms)
   1:  G.729      n
25. (SSG-520-A CLI configuration, continued from Appendix A)
set zone "Trust" tcp-rst
set zone "Trust" asymmetric-vpn
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "Untrust" asymmetric-vpn
set zone "MGT" block
set zone "DMZ" tcp-rst
set zone "VLAN" block
set zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet0/0" zone "Trust"
set interface "ethernet0/1" zone "MGT"
set interface "ethernet0/2" zone "Untrust"
unset interface vlan1 ip
set interface ethernet0/0 ip 192.168.1.199/24
set interface ethernet0/0 nat
set interface ethernet0/1 ip 172.16.254.118/24
set interface ethernet0/1 route
set interface ethernet0/2 ip 100.2.2.100/30
set interface ethernet0/2 route
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet0/0 ip manageable
unset interface ethernet0/2 ip manageable
set interface ethernet0/0 manage snmp
26. are believed to be accurate and dependable, but are presented without express or implied warranty. Users are responsible for their application of any products specified in these Application Notes. Please e-mail any questions or comments pertaining to these Application Notes, along with the full title name and filename located in the lower right corner, directly to the Avaya Solution & Interoperability Test Lab at interoplabnotes@list.avaya.com.
27. The configuration includes two different user types: IKE users and XAuth users. IKE users are typically associated with a device, such as the Avaya VPNremote Phone, and are used to authenticate the device itself during the establishment of the IPSec tunnel. XAuth users are remotely authenticated users who access a head-end security gateway via an AutoKey IKE VPN tunnel. Whereas the authentication of IKE users is actually the authentication of an individual's device (the Avaya VPNremote Phone), the authentication of XAuth users is the authentication of the individual themselves.

4.5.1. IKE User
The following steps create an IKE user to be used by Avaya VPNremote Phones for IKE authentication.
1. From the left navigation menu select Objects > User > Local > New. Configure the highlighted fields shown below; all remaining fields can be left at their defaults. Select OK to save.
The Number of Multiple Logins with Same ID parameter specifies the number of endpoints that can concurrently establish IPSec tunnels using this identity. This number must equal or exceed the number of Avaya VPNremote Phones accessing this Juniper SSG. The IKE Identity, combined with a Pre-Shared Key, is used to identify the endpoint when an initial IKE Phase 1 dialog begins. Because every phone presents this same identity and pre-shared key, the pair only identifies the device class, not a user; the per-user XAuth step is what distinguishes individuals, and the pre-shared key should be treated as a group secret to be rotated if any phone is lost. The format of the IKE Identity used is that of an e-mail address (User FQDN).
28. (SSG-520-A CLI configuration, continued)
set user-group "vpnphone-grp" id 1
set user-group "vpnphone-grp" user "vpnphone-ike"
set ike respond-bad-spi 1
unset ike ikeid-enumeration
set ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set xauth default ippool "Remote User IP"
set url protocol websense
exit

©2006 Avaya Inc. All Rights Reserved. Avaya and the Avaya Logo are trademarks of Avaya Inc. All trademarks identified by ® and ™ are registered trademarks or trademarks, respectively, of Avaya Inc. All other trademarks are the property of their respective owners. The information provided in these Application Notes is subject to change without notice. The configurations, technical data, and recommendations provided in these Application Notes are
29. ike heartbeat: disabled
ike heartbeat last rcv time: 0
ike heartbeat last snd time: 0
XAUTH status: 100
DPD seq local 0, peer 0

8.4. Overlapping Network Addresses
During the writing of these Application Notes, problems were observed if the private IP address range of the residential router is the same as a private IP address range within the corporate network. In the sample network configuration of these Application Notes, 192.168.1.0/24 is the private corporate network. The following characteristics occur if the residential router uses the same 192.168.1.0/24 IP network on the private side of the NAT: the IPSec tunnel is successfully established from the Avaya VPNremote Phone to the Juniper SSG, and the VPNremote Phone is assigned a dynamic IP address from the Juniper SSG IP address pool. However, the VPNremote Phone is not able to access the corporate TFTP/HTTP server or the Avaya Communication Manager H.323 gatekeeper, and goes into discover mode. The cause is ordinary longest-prefix routing on the phone: the directly connected home subnet 192.168.1.0/24 is more specific than the 0.0.0.0/0 Remote Net tunnel selector, so packets for corporate hosts are sent onto the home LAN instead of into the tunnel. Changing the private network IP range at the residential router to a range not matching the private corporate network corrects the problem.

9. Conclusion
The Avaya VPNremote Phone combined with Juniper ScreenOS security appliances (SSG, NetScreen and ISG) provides a secure solution for remote worker
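The failure in Section 8.4 can be reproduced with a few lines of route-lookup logic, and the same logic gives a pre-deployment check for a home network. The following Python is an added example, not code from the Application Notes or the phone firmware; the route tables it builds are constructed from the addresses in these notes (corporate network 192.168.1.0/24, File Srvr 192.168.1.30, VPN pool 50.50.100.0/24, Remote Net 0.0.0.0/0 on the phone).

```python
"""Longest-prefix-match lookup reproducing the Section 8.4 failure: a home
router that hands out the corporate 192.168.1.0/24 range makes the phone
deliver corporate traffic to the home LAN instead of the IPSec tunnel.

Added example, not from the Application Notes. The route tables below are
constructed from addresses in these notes (corporate network 192.168.1.0/24,
file server 192.168.1.30, Remote Net 0.0.0.0/0 on the phone)."""
import ipaddress


def build_phone_routes(home_lan, remote_nets=("0.0.0.0/0",)):
    """Routes as the VPNremote Phone sees them: the directly connected home
    LAN, and the IPSec selectors (Remote Net entries) that steer traffic into
    the tunnel. The tunnel itself rides over the home router's default route."""
    routes = [(ipaddress.ip_network(home_lan), "home-lan")]
    routes += [(ipaddress.ip_network(n), "ipsec-tunnel") for n in remote_nets]
    return routes


def lookup(routes, dst):
    """Standard IP forwarding: the most specific matching prefix wins."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, via in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best[1] if best else None


def conflicting_corporate_nets(home_lan, corporate_nets):
    """Corporate prefixes that a phone behind this home LAN cannot reach
    through the tunnel: the pre-deployment check for Section 8.4."""
    home = ipaddress.ip_network(home_lan)
    return [n for n in corporate_nets if ipaddress.ip_network(n).overlaps(home)]


if __name__ == "__main__":
    corporate = ["192.168.1.0/24", "50.50.100.0/24"]   # corporate LAN, VPN pool
    for home in ("192.168.1.0/24", "192.168.2.0/24"):
        via = lookup(build_phone_routes(home), "192.168.1.30")   # File Srvr
        print(f"home LAN {home}: File Srvr reached via {via}; "
              f"conflicts {conflicting_corporate_nets(home, corporate)}")
```

With the home LAN on 192.168.1.0/24 the File Srvr address resolves to the home LAN; moving the home router to 192.168.2.0/24 makes the same lookup fall through to the 0.0.0.0/0 selector and the tunnel. Running the conflict check against the list of corporate prefixes (and the VPN pool) before issuing a phone avoids the discover-mode symptom described above.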
30. 2. From a web browser, enter the URL of the Juniper SSG WebUI management interface, https://<IP address of the SSG>, and the following login screen appears. Log in using a user name with administrative privileges.
Admin Name:
Password:
[ ] Remember my name and password

3. The Juniper SSG WebUI administration home page appears upon successful login. Note the ScreenOS Firmware Version in the Device Information section.
Device Information
Hardware Version:
Firmware Version: 5.4.0r1.0 (Firewall+VPN)
Serial Number: 0156042006000452
Host Name: SSG520

4.2. Configure Juniper SSG Ethernet Interfaces
The Juniper SSG 520 has four built-in Ethernet interfaces, Ethernet0/0 through Ethernet0/3. The steps below configure Ethernet0/0 in the Trust security zone facing the internal corporate network and Ethernet0/2 in the Untrust security zone facing the public Internet. The Avaya VPNremote Phone will interact with Ethernet0/2 when establishing an IPSec tunnel.

Configure Ethernet0/0
1. From the left navigation menu select Network > Interfaces. The Network Interfaces List screen appears. The IP address is already populated for Ethernet0/0 from the basic configuration of Section 4.1. Select Edit for Ethernet0/0 to configure additional parameters.
31. and Syngress Publishing, Inc., http://juniper.net/training/jnbooks/configuring_nscn_firewalls.html
Avaya VPNremote Phone documentation and software download: http://support.avaya.com/japple/css/japple?PAGE=Product&temp.productID=280576&temp.releaseID=280577
Avaya Administrator's Guide for Communication Manager: http://support.avaya.com/elmodocs2/comm_mgr/r3/pdfs/03_300509_1.pdf
Additional Avaya Application Notes and Resources are available at http://www.avaya.com/gcm/master-usa/en-us/resource

Appendix A: SSG-520-A CLI Configuration
set clock timezone 0
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
unset alg h323 enable
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "netscreen"
set admin password "nKVUM2rwMUzPcrkG5SswWIHdCtqkAibn"
set admin user "interop" password "nANqEgr5A3pAcWOEfs6NpNBteXJxQn" privilege "all"
set admin http redirect
set admin auth timeout 30
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
32. Profile: Modify (Juniper Xauth with PSK). Press the Profile softbutton to access the profile.
Press the > hard button to access the next screen with the following VPN configuration options:
Password Type: Save in Flash (user not prompted at phone boot)
Encapsulation: 4500-4500
Syslog Server:
IKE Parameters: DH2-ANY-ANY
IKE ID Type: USER-FQDN
Diffie-Hellman Group: 2
Encryption Alg: Any
Authentication Alg: Any
IKE Xchg Mode: Aggressive
IKE Config Mode: Enable
IPSec Parameters: DH2-ANY-ANY
Encryption Alg: Any
Authentication Alg: Any
Diffie-Hellman Group: 2
Protected Net: Remote Net 1 = 0.0.0.0/0

Note that with Encryption Alg and Authentication Alg set to Any, the phone accepts whatever the gateway proposes, so the negotiated cipher strength is decided entirely by the Phase 1 and Phase 2 proposals configured on the Juniper SSG (Table 3).

From the telephone keypad, press the telephone > hard button to access the next screen with the following VPN configuration options:
Copy TOS: No
File Srvr: 192.168.1.30
Connectivity Check: First Time

When the VPN configuration options have been set, press the Done softbutton. The following is displayed; select yes to save the configuration and reboot the phone.
Save new values?   no   yes

6. Extreme 3804 Configuration
The focus of these Application Notes is the configuration of the Juniper SSG and the Avaya VPNremote Phone; therefore the network infrastructure configuration is not described. However, the addition of route entries for the IP Pool addresses defined in Section 4 in the private corporate network
33. ...for the complete list of proposals available on the Juniper SSG. Select Predefined for Remote Gateway and then select the Remote Gateway name entered in Section 4.7.1, vpnphone-gw, from the drop-down menu. Select Advanced to access additional configuration options.

2. Configure the highlighted fields shown below; all remaining fields can be left at their defaults. Select Return to complete the advanced configuration and then OK to save. Select a Security Level of Custom and the appropriate Phase 2 Proposal from the drop-down menu; refer to Table 3, IKE P1/P2 Proposals. Replay Protection defends the encrypted IPSec traffic against replay of captured packets: each ESP packet carries a monotonically increasing sequence number, and the receiver discards packets that repeat a number already seen or fall outside its anti-replay window. Bind to None uses the outgoing interface, Ethernet0/2, for all VPN tunnel traffic.

Security Level: Predefined (Standard / Compatible / Basic); User Defined: Custom
Phase 2 Proposal: g2-esp-aes128-sha
Replay Protection: enabled
Transport Mode: (for L2TP-over-IPSec only)
Bind to: None; Tunnel Interface: none; Tunnel Zone: Untrust-Tun
Proxy-ID: Local IP/Netmask; Remote IP/Netmask; Service: ANY
VPN Group: None; Weight:
VPN Monitor: Source Interface: default; Destination IP:
34. Enter the VPN configuration mode as described in Section 5.2. Select the Qtest softbutton to enter the Qtest menu. Select the Start softbutton to start Qtest. Note the reported statistics to determine the network connection quality.

8.2. VPNremote Phone IPSec Stats
Once the Avaya VPNremote Phone establishes an IPSec tunnel, registers with Avaya Communication Manager and becomes functional, from the telephone keypad press the OPTIONS hard button (the check-mark icon). From the telephone keypad press the telephone > hard button to access the next screen. Select the VPN Status option. There are two screens of IPSec tunnel statistics displayed; use the > hard button to access the next screen. Press the Refresh softbutton to update the displayed statistics.

8.3. Juniper SSG Debug and Logging
From the Juniper SSG WebUI, select Reports > System Log > Event from the left navigation menu, with Log Level set to information. The Juniper SSG System Log shown below contains the IKE Phase 1, IKE Phase 2 and XAuth events logged as an Avaya VPNremote Phone establishes an IPSec tunnel. The screen below shows the events of a single Avaya VPNremote Phone successfully establishing a tunnel.

Date/Time            Level  Description
                     info   IKE<2.2.2.2> Phase 2 msg ID <53638e21>: Completed negotiations with SPI <5b163ab2>, tunnel ID 2
35. ...as the phone establishes the IPSec tunnel, or the password can be stored in the VPNremote Phone's flash memory (see Section 5.2 for additional detail). Storing the password in flash removes the prompt at boot, but it also means a lost or stolen phone carries a working XAuth credential; set the user's Status to Disable on the SSG as soon as a phone goes missing.
1. From the left navigation menu select Objects > User > Local > New. Configure the highlighted fields shown below; all remaining fields can be left at their defaults. Select OK to save. Follow the same steps for each additional user.
User Name: owen
Status: Enable / Disable
IKE User: (unchecked)   Number of Multiple Logins with Same ID:   Simple Identity / Use Distinguished Name For ID
Authentication User: (unchecked)
XAuth User: checked   User Password:   Confirm Password:
L2TP User: (unchecked)
L2TP/XAuth Remote Settings: Remote IP 0.0.0.0; IP Pool: None; Static IP 0.0.0.0; Primary DNS IP 0.0.0.0; Primary WINS IP 0.0.0.0; Secondary DNS IP 0.0.0.0; Secondary WINS IP 0.0.0.0

The local Users list page displays the new XAuth users:
Name           Type   Status   Identity
garrett        XAuth  Enabled
owen           XAuth  Enabled
vpnphone-ike   IKE    Enabled  vpnphone@avaya.com

4.6. Local User Group Configuration
User groups have the benefit of being able to create one policy for the user group, and that policy automatically applies to all members of the group. This
36. Adding route entries for the IP Pool addresses in the private corporate network is required.

6.1. Add IP Route to VPN IP Address Pool Network
Although the Extreme 3804 supports several dynamic routing protocols, static routes have been utilized in these Application Notes. The config iproute add CLI command is used to add the static route entries for the IP Pool address ranges defined on Juniper SSG-A and Juniper SSG-B. The sh iproute command confirms the two new entries are in the route table.

Alpine3804 # config iproute add 50.50.100.0/24 192.168.1.199
Alpine3804 # config iproute add 50.50.130.0/24 192.168.1.196
Alpine3804 # sh iproute
Ori  Destination      Gateway        Duration
#s   50.50.100.0/24   192.168.1.199  0d:0h:00m:18s
#s   50.50.130.0/24   192.168.1.196  0d:0h:00m:18s

7. Avaya Communication Manager Configuration
All the commands discussed in this section are executed on Avaya Communication Manager using the System Access Terminal (SAT). This section assumes that basic configuration on Avaya Communication Manager has already been completed.

7.1. VPNremote Phone Configuration
An Avaya VPNremote Phone is configured the same as other IP telephones within Avaya Communication Manager. Even though the Avaya VPNremote Phone is physically located outside of the corporate network, the
37. Selecting vpnphone-vpn from the Tunnel VPN drop-down menu associates the VPNremote Phone VPN tunnel with the Action. Check Modify matching bidirectional VPN policy to have the SSG create a matching VPN policy for traffic flowing in the opposite direction. As configured here the policy permits any service from the phones to any Trust-zone address; a production deployment would normally narrow the destination to the call server, TFTP/HTTP server and media resources the phones need, and the service to H.323 signaling and the RTP port range.

Name (optional): VPNphones
Source Address: Address Book Entry: Dial-Up VPN
Destination Address: Address Book Entry: Any
Service: ANY
Application: None
WEB Filtering: (unchecked)
Action: Tunnel
Tunnel VPN: vpnphone-vpn
Modify matching bidirectional V**PN policy: checked
L2TP: None
Logging: (unchecked); at Session Beginning: (unchecked)
Position at Top: (unchecked)

4. The Policies list page displays the new Dial-Up VPN policy.
From Untrust To Trust, total policy: 1
ID  Source       Destination  Service  Action
1   Dial-Up VPN  Any          ANY      Tunnel
From Trust To Untrust, total policy: 1
ID  Source  Destination  Service  Action
2   Any     Dial-Up VPN  ANY      Tunnel

5. Avaya VPNremote Phone Configuration

5.1. VPNremote Phone Firmware
The Avaya VPNremote Phone firmware must be installed on the phone prior
38. ...prior to the phone being deployed in the remote location. See the VPNremote for the 4600 Series IP Telephones Release 2.0 Administrator Guide for details on installing VPNremote Phone firmware. The firmware version of Avaya IP telephones can be identified by viewing the version displayed on the phone upon boot-up or, when the phone is operational, by selecting the Options hard button > View IP Settings softbutton > Miscellaneous softbutton > right-arrow hard button. The Application file name displayed denotes the installed firmware version. As displayed in Table 2, Equipment and Software Validated, VPNremote Phone firmware includes the letters "VPN" in the name, which allows easy identification of firmware versions incorporating VPN capabilities.

5.2. Configuring the Avaya VPNremote Phone
The Avaya VPNremote Phone configuration can be administered centrally from an HTTP/TFTP server or locally on the phone. These Application Notes utilize the local phone configuration method. See Section 11, VPNremote for the 4600 Series IP Telephones Release 2.0 Administrator Guide, for details on centralized configuration.
1. There are two methods available to access the VPN Configuration Options menu from the VPNremote Phone.
a. During telephone boot: during the VPNremote Phone boot-up, the option to press the * key to enter the local configuration mode is displayed on the telephone's screen, as shown below.
DHCP:   * to program
When the * key is pressed,
39. ...responder has detected NAT in front of the remote device.
2006-08-11 23:37:45  info  IKE<2.2.2.2> Phase 1: Responder starts AGGRESSIVE mode negotiations.

From the Juniper SSG CLI, the ScreenOS debug ike basic and debug ike detail commands are useful for troubleshooting ISAKMP/IKE tunnel setup (e.g., detecting mismatched proposals, "can't find gateway", etc.). The get ike cookies command is also useful for getting status on existing IKE negotiations by displaying the completed IKE Phase 1 negotiations, as shown below.

No active Phase 1 Security Associations:
SSG520-> get ike cookies
Active: 0, Dead: 0, Total 0

One active Phase 1 Security Association:
SSG520-> get ike cookies
Active: 1, Dead: 0, Total 1
  xchg(4) vpnphone-gw/grp6/usr13 resent-tmr 605536 lifetime 300 lt-recv 86400 nxt_rekey 44 cert-expire 0
  responder
  nat-traversal map: keepalive frequency 5 sec, nat-t udp checksum disabled
  local pri ip 100.2.2.100, local pri ike port 4500
  local pub ip 0.0.0.0, local pub ike port 0
  remote pri ip 0.0.0.0, remote pri ike port 4500
  remote pub ip 2.2.2.2, remote pub ike port 32831
  internal ip 0.0.0.0, internal port 0

In this output xchg(4) is the aggressive-mode exchange, and the remote pub ike port of 32831 (rather than 4500) together with the nat-traversal map confirms that the phone sits behind the residential router's NAT and that ESP is being carried in UDP.
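Reading the event log by hand works for one phone; for a batch of remote offices it is quicker to classify the lines per peer and report which phones completed Phase 1, XAuth and Phase 2 (Section 8.3) and which stalled, for example on a rejected proposal of the kind debug ike basic would show. The following Python is an added example, not code from the Application Notes or from Juniper. Its sample LOG is constructed to follow the message shapes quoted in Section 8.3, with XAuth and failure lines written in the same style; it is not a capture from the test lab.

```python
"""Classify ScreenOS IKE event-log lines per remote peer so that a batch of
VPNremote Phone connections can be checked without reading the log by hand.

Added example, not from the Application Notes. LOG is constructed to follow
the message shapes quoted in Section 8.3 (Phase 1 start, NAT detection,
Phase 2 completion with SPI and tunnel ID) plus XAuth and failure messages in
the same style; it is not a capture from the test lab."""
import re
from collections import defaultdict

LOG = """\
2006-08-11 23:37:45 info IKE<2.2.2.2> Phase 1: Responder starts AGGRESSIVE mode negotiations.
2006-08-11 23:37:45 info IKE<2.2.2.2> Phase 1: Responder has detected NAT in front of the remote device.
2006-08-11 23:37:46 info IKE<2.2.2.2> Phase 1: Completed Aggressive mode negotiations with a 28800-second lifetime.
2006-08-11 23:37:46 info IKE<2.2.2.2> XAuth login was passed for gateway vpnphone-gw, username owen, retry: 0, Client IP Addr 50.50.100.1, IPPool name: Remote User IP.
2006-08-11 23:37:47 info IKE<2.2.2.2> Phase 2 msg ID <53638e21>: Completed negotiations with SPI <5b163ab2>, tunnel ID 2, and lifetime 3600 seconds/0 KB.
2006-08-11 23:39:02 info IKE<3.3.3.3> Phase 1: Responder starts AGGRESSIVE mode negotiations.
2006-08-11 23:39:02 info IKE<3.3.3.3> Phase 1: Rejected proposals from peer. Negotiations failed.
2006-08-11 23:40:10 info IKE<4.4.4.4> Phase 1: Responder starts AGGRESSIVE mode negotiations.
2006-08-11 23:40:11 info IKE<4.4.4.4> Phase 1: Completed Aggressive mode negotiations with a 28800-second lifetime.
2006-08-11 23:40:12 info IKE<4.4.4.4> XAuth login was refused for gateway vpnphone-gw, username evan.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+(?P<level>\w+)\s+IKE<(?P<peer>[\d.]+)>\s*(?P<msg>.*)$")

# The three milestones a phone must pass, in order; captured groups are kept.
MILESTONES = (
    ("phase1", re.compile(r"Phase 1: Completed")),
    ("xauth", re.compile(r"XAuth login was passed .*?username (?P<user>\S+),")),
    ("phase2", re.compile(r"Phase 2 .*SPI <(?P<spi>[0-9a-f]+)>, tunnel ID (?P<tunnel_id>\d+)")),
)
FAILURE_RE = re.compile(
    r"Rejected proposals|Negotiations failed|XAuth login was refused|No policy exists")


def parse_line(line):
    """Split one event-log line into timestamp, level, peer IP and message."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def tunnel_outcomes(log_text):
    """Return {peer IP: state}, where state records whether NAT was detected,
    which milestones were reached, the XAuth user, the Phase 2 SPI/tunnel ID,
    and a status of 'established', 'failed' or 'incomplete'."""
    peers = defaultdict(lambda: {"status": "incomplete", "nat": False, "user": None,
                                  "spi": None, "tunnel_id": None, "failure": None})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev:
            continue                      # not an IKE line (or unparseable)
        state, msg = peers[ev["peer"]], ev["msg"]
        if "detected NAT" in msg:
            state["nat"] = True           # expect ESP in UDP/4500 from here on
        if FAILURE_RE.search(msg):
            state["status"], state["failure"] = "failed", msg
            continue
        for name, rx in MILESTONES:
            m = rx.search(msg)
            if m:
                state[name] = True
                state.update({k: v for k, v in m.groupdict().items() if v})
        if all(state.get(n) for n, _ in MILESTONES):
            state["status"] = "established"
    return dict(peers)


if __name__ == "__main__":
    for peer, st in sorted(tunnel_outcomes(LOG).items()):
        print(f"{peer:10} {st['status']:12} nat={st['nat']} user={st['user']} "
              f"spi={st['spi']} tunnel={st['tunnel_id']} {st['failure'] or ''}")
```

Feeding the WebUI event log (or a syslog export) through tunnel_outcomes gives one line per peer: 2.2.2.2 is established for user owen behind NAT with SPI 5b163ab2, 3.3.3.3 failed in Phase 1 on a proposal mismatch, and 4.4.4.4 passed Phase 1 but was refused at XAuth, which points at the password rather than the IKE settings.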
40. IP Network Regions allow IP endpoints to be logically grouped together to apply unique configuration settings, including the assignment of specific codecs.

2. Network Topology
The sample network implemented for these Application Notes is shown in Figure 1. Three office locations are included: a Main Campus and two Remote Offices. The Main Campus consists of two Juniper SSG 520s, named SSG-520-A and SSG-520-B, functioning as perimeter security devices and IPSec VPN head ends. The Avaya S8710 Media Server and Avaya G650 Media Gateway are also located at the Main Campus. The Main Campus is mapped to Network Region 1 in Avaya Communication Manager.

Remote SOHO Office A consists of two Avaya VPNremote Phones connected to a Netgear broadband router. The Netgear router is configured as a firewall with NAT enabled, as well as a local DHCP server. The VPNremote Phones in Remote Office A are configured to use SSG-520-A for IPSec tunnel termination. SSG-520-A assigns the VPNremote Phones an IP address mapped to Network Region 2 in Avaya Communication Manager.

Remote Home Office B consists of a single Avaya VPNremote Phone connected to a Linksys broadband router. The Linksys router is configured as a firewall with NAT enabled, as well as a local DHCP server. The VPNremote Phone in Remote Office
41. This eliminates the need to create policies for each individual user. The sample configuration includes two different types of user groups, IKE and XAuth. The IKE users and XAuth users created in Section 4.5 must now be added to an IKE group and an XAuth group, respectively.

4.6.1. IKE User Group
1. From the left navigation menu select Objects > User > Local Groups > New. Enter a descriptive Group Name. Select the vpnphone-ike user name from the Available Members column on the right. Select the << icon to move the user name to the Group Members column on the left. Select OK to save.
Group Members: vpnphone-ike    Available Members: owen, garrett, evan

2. The Local Groups list page displays the new IKE group, vpnphone-grp.

4.6.2. XAuth User Group
1. From the left navigation menu select Objects > User > Local Groups > New. Enter a descriptive Group Name. Select the owen, garrett and evan user names from the Available Members column on the right. Select the << icon to move the user names to the Group Members column on the left. Select OK to save.
Group Members: owen, garrett, evan

2. The Local Groups list page displays the groups:
Name          Type  Members
vpnphone-grp  IKE   vpnphone-ike
42. Several configuration parameters are presented, such as the phone's IP address, the call server's IP address, etc. Press # to accept the current setting of each, or set it to an appropriate value. The final configuration option displayed is the VPN Start Mode option shown below. Press the * key to enter the VPN Options menu.
VPN Start Mode: Boot        *=Modify   #=OK

b. During telephone operation: while the VPNremote Phone is in an operational state (i.e., registered with Avaya Communication Manager), press the following key sequence on the telephone to enter VPN configuration mode:
Mute V P N M O D (Mute 8 7 6 6 6 3)
The following is displayed:
VPN Start Mode: Boot        *=Modify   #=OK
Press the * key to enter the VPN Options menu.

2. The following VPN configuration options are displayed. The settings highlighted below are from the VPNremote Phone of user owen. For a detailed description of each VPN configuration option, see Section 11, VPNremote for the 4600 Series IP Telephones Release 2.0 Administrator Guide.
Server: 100.2.2.100            (public Eth2 address of SSG-A)
User Name: owen
Password: xxxxx                (must match the XAuth user password entered in Section 4.5.2)
Group Name: vpnphone@avaya.com
Group PSK: xxxxx               (must match the Pre-Shared Key entered in Section 4.7.1)
VPN Start Mode: BOOT
Profile:
43. Selecting the user group vpnphone-grp created in Section 4.6 binds that group to this IKE gateway. Enter an ASCII text string for the Preshared Key that will match the text entered on the Avaya VPNremote Phone. Outgoing Interface is the interface which terminates the VPN tunnel. Select Advanced to access additional configuration options.
Gateway Name: vpnphone-gw
Security Level:

2. Configure the highlighted fields shown on the next page; all remaining fields can be left at their defaults. Select Return to complete the advanced configuration and then OK to save. Select a Security Level of Custom and the appropriate Phase 1 Proposal from the drop-down menu; refer to Table 3, IKE P1/P2 Proposals.

Aggressive Mode must be used for endpoint negotiation such as the Avaya VPNremote Phone. In Aggressive Mode with a pre-shared key, the identity and the authentication hash are exchanged before the IKE channel is encrypted, so anyone able to capture the first IKE packets can run an offline dictionary attack against the group PSK; choose a long, random PSK and rely on XAuth for per-user authentication. Enable NAT Traversal allows IPSec traffic, after Phase 2 negotiations are complete, to traverse a Network Address Translation (NAT) device. The Juniper SSG first checks if a NAT device is present in the path between itself and the Avaya VPNremote Phone; if a NAT device is detected, the Juniper SSG uses UDP to encapsulate each IPSec packet.

Security Level: Predefined (Standard / Compatible / Basic); User Defined: Custom
Phase 1 Proposal: pre-g2-3des-md5
Mode (Initiator): Main
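The Phase 1 proposal above and the Phase 2 proposal in Section 4.7.2 are ScreenOS proposal names that pack the authentication method, Diffie-Hellman group, cipher and hash into one string, and since the phone profile in Section 5.2 sets Encryption Alg and Authentication Alg to Any, these two names are what actually fix the tunnel's strength. The following Python is an added example, not code from the Application Notes or from Juniper; it decodes the names from Table 3 and flags the components a current review would question. The strength notes are the editor's, not the Application Notes'.

```python
"""Decode ScreenOS proposal names such as those in Table 3 of these notes
(Phase 1 pre-g2-3des-md5, Phase 2 g2-esp-aes128-sha) into their components
and flag the ones a current review would question.

Added example, not from the Application Notes, which only list the names.
The strength notes are the editor's. The regular expressions cover the
ScreenOS naming pattern <auth>-g<group>-<cipher>-<hash> for Phase 1 and
<g<group>|nopfs>-<esp|ah>-<cipher>-<hash> for Phase 2."""
import re

P1_RE = re.compile(r"^(?P<auth>pre|rsa|dsa)-g(?P<dh>\d+)-(?P<enc>[a-z0-9]+)-(?P<hash>[a-z0-9]+)$")
P2_RE = re.compile(r"^(?P<pfs>g\d+|nopfs)-(?P<proto>esp|ah)-(?P<enc>[a-z0-9]+)-(?P<hash>[a-z0-9]+)$")

AUTH_METHODS = {"pre": "pre-shared key", "rsa": "RSA signature", "dsa": "DSA signature"}
WEAK_DH = {1: "768-bit MODP", 2: "1024-bit MODP"}
ENC_NOTES = {"des": "single DES is broken", "3des": "3DES is legacy (64-bit block)",
             "null": "no confidentiality"}
HASH_NOTES = {"md5": "HMAC-MD5 is deprecated", "null": "no integrity protection"}


def parse_phase1(name):
    m = P1_RE.match(name)
    if not m:
        raise ValueError(f"not a ScreenOS Phase 1 proposal name: {name}")
    return {"phase": 1, "auth": AUTH_METHODS[m["auth"]], "dh_group": int(m["dh"]),
            "encryption": m["enc"], "hash": m["hash"]}


def parse_phase2(name):
    m = P2_RE.match(name)
    if not m:
        raise ValueError(f"not a ScreenOS Phase 2 proposal name: {name}")
    pfs = None if m["pfs"] == "nopfs" else int(m["pfs"][1:])
    return {"phase": 2, "pfs_group": pfs, "protocol": m["proto"],
            "encryption": m["enc"], "hash": m["hash"]}


def review(proposal):
    """List of findings for a parsed proposal; an empty list means nothing flagged."""
    findings = []
    group = proposal.get("dh_group", proposal.get("pfs_group"))
    if proposal["phase"] == 2 and group is None:
        findings.append("no PFS: a recovered Phase 1 key exposes every Phase 2 SA")
    elif group in WEAK_DH:
        findings.append(f"DH group {group} ({WEAK_DH[group]}) is too small")
    if proposal["encryption"] in ENC_NOTES:
        findings.append(f"{proposal['encryption']}: {ENC_NOTES[proposal['encryption']]}")
    if proposal["hash"] in HASH_NOTES:
        findings.append(f"{proposal['hash']}: {HASH_NOTES[proposal['hash']]}")
    if proposal["phase"] == 1 and proposal["auth"] == "pre-shared key":
        findings.append("PSK: with the aggressive mode these notes require, the "
                        "identity and auth hash travel unencrypted")
    return findings


if __name__ == "__main__":
    for name, parse in (("pre-g2-3des-md5", parse_phase1),
                        ("g2-esp-aes128-sha", parse_phase2)):
        p = parse(name)
        print(name, p, *(review(p) or ["no findings"]), sep="\n  ")
```

Run against Table 3, the Phase 1 proposal draws four findings (DH group 2, 3DES, MD5, PSK) and the Phase 2 proposal one (DH group 2 for PFS). On a ScreenOS release that offers them, a proposal such as g14-esp-aes256-sha256 reviews clean; whether the VPNremote Phone firmware of the period accepts larger groups is something to verify with the phone, not assume.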
44. The address pool range must not be one already used throughout the corporate trusted network.
IP Pool Name: Remote User IP
Start IP: 50.50.100.1
End IP: 50.50.100.100

3. The IP Pools list page displays the new address pool entry.
Name            Start IP      End IP          In Use
Remote User IP  50.50.100.1   50.50.100.100   0

4.4. Routes
The sample configuration requires two new route entries to be added to the Juniper SSG routing table: one specifying the default route and one specifying the network address range entered for the IP Address Pool in Section 4.3. Although several routing options exist in the Juniper SSG platform, static routes are used for this sample configuration.

4.4.1. Configure Default Route
1. From the left navigation menu select Network > Routing > Destination. A Route Entries screen similar to the one below appears. Select trust-vr from the drop-down menu, then New.
List route entries for: All virtual routers / trust-vr
IP/Netmask          Gateway  Interface    Protocol  Preference  Metric  Vsys
192.168.1.0/24               ethernet0/0  C                             Root
192.168.1.199/32             ethernet0/0  H                             Root
172.16.254.0/24              ethernet0/1  C                             Root
172.16.254.118/32            ethernet0/1  H                             Root
100.2.2.100/30               ethernet0/2  C                             Root
45. Step 2: XAuth. The Juniper SSG prompts the phone for a username and password. If the Avaya VPNremote Phone is configured to store user credentials in flash memory, the Avaya VPNremote Phone responds to the Juniper SSG with the stored credentials without user involvement. Otherwise, the Avaya VPNremote Phone displays a prompt for the username and password to be entered manually.
Step 3: Phase 2 negotiations. Once the XAuth user authentication is successful, Phase 2 negotiations begin.

• XAuth Dynamic IP Address Assignment: The XAuth protocol enables the Juniper SSG appliance to dynamically assign IP addresses from a configured IP address pool range. The assignment of IP address ranges to Avaya VPNremote Phones enables Avaya Communication Manager to map the Avaya VPNremote Phones into IP Network Regions.
• Shared IKE Group ID: The shared IKE ID feature of the Juniper SSG appliance facilitates the deployment of a large number of dial-up IPSec VPN users. With this feature the security device authenticates multiple dial-up VPN users using a single group IKE ID and pre-shared key; thus it provides IPSec protection for large remote user groups through a common VPN configuration. XAuth user authentication must be used when implementing Shared IKE Group ID.
• IP Network Region Segmentation: A common deployment for Avaya VPNremote Phones is in a home network environment with limited bandwidth. The G.729 codec is recommended for such bandwidth-constrained environments. Avaya Communication Manager IP Network Region