Avaya VPNremote for 4600 Series IP Phone Admin Guide
Contents
1. 10 Remote Feature Activation RFA 10 selectable connectivity test 10 SNMP support syslog support 10 third party security devices 10 56 Administrator Guide2. 24 Phone fails to register lt gt corrio rr 24 Error and Status Messages aooaa e 25 SUBIDO ae 29 Appendix C System Parameters Customization 31 MES pai ee ae ee ee ran added AA a ee ae 55 Issue 2 July 2006 3 Contents 4 Administrator Guide About this book The guide provides network administrator and end user configuration information for the Avaya VPNremote for the 4600 Series IP Telephones This document is to be used in conjunction with the Avaya 4600 Series IP Telephone LAN Administrator Guide In the following pages information is provided describing configuration of the Avaya VPNremote for the 4600 Series IP Telephones VPNremote Phone from the Administrator s perspective including items that should be noted as part of installation For more information regarding Administrator configuration see Chapter 2 Configuration In addition end user configuration information is provided to assist the end user in installing and configuring the VPNremote Phone in their small office home office SOHO environment with minimal assistance from corporate IT or Telephony groups For more information regarding end user installation and configuration see VPNremote for 4600 Series IP Telephone User Installation and Configuration Quick Start document number 19 601608 What products are covered The following products is covered in this manual e Avaya VPNremote for the 4600 Series IP Telephones The
3. 1 The security device selects the algorithm mandated by the administrator Priority order of algorithms proposed by the VPNremote Phone is AES 128 3DES DES AES 192 A ES 256 In very rare circumstances the security device may not be able to handle multiple proposals In this cases only try overriding the default behavior This parameter enables ISAKMP configuration mode Values are 1 enable 2 disable This parameter enables the IKE Phase 1 Security Association SA mode Values are 1 Aggressive mode 2 ldentity Protection mode 6of8 Issue 2 July 2006 51 System Parameters Customization Table 6 VPNremote for 4600 Series IP Telephones Specific Customizable System Parameters continued Parameter Name Default Value Description and Value Range Example NVIKEP1AUTHALG NVIKEP2AUTHALG 0 0 This parameter contains the authentication algorithms to propose for IKE phase 1 security association Values are O ANY 1 MD5 2 SHA1 The security device selects the algorithm mandated by the administrator Priority order of algorithms proposed by the VPNremote Phone is MD5 SHA1 In very rare circumstances the security device may not be able to handle multiple proposals In this cases only try overriding the default behavior This parameter contains the authentication algorithms to propose for IKE phase 2 security association Values are 0 ANY 1 MD5 2 SHA1 The security dev
4. The IKE identifier is phones sales com use the used during phase 1 negotiation Length of the string cannot exceed 30 characters The XAuth documentation refer to this parameter as Group Name because IKE Id is shared among a group of user and individual user authentication is done using XAuth after establishing IKE phase 1 security association If this parameter is left uninitialized the VPNremote Phone uses VPNPHONE as the IKE Identifier following command SET NVIKEID phones sales com 2 of 8 Issue 2 July 2006 47 System Parameters Customization Table 6 VPNremote for 4600 Series IP Telephones Specific Customizable System Parameters continued Parameter Name Default Description and Value Range Example Value NVIPSECSUBNET 2 This parameter contains the IP To set the IP subnet and mask subnet and masks that are that are protected by the security protected by the security device device use the following Multiple ie and ie are command separate commas The length of the individual URL PEL NVTESECSUBNET cannot be more than 128 10 1 12 0 24 172 16 0 0 characters The combined length 16 of all the subnet and masks strings cannot be more than 5 OR Description SET NVIPSECSUBNET By default phone assumes that gee i e 0 172 16 0 0 all the network resources are 255 255 0 0 behind the security gateway hence it negotiates for a security association between the IP address or Virtual IP if delivered th
5. the user is allowed to stop the VPN connection 14 of 15 44 Administrator Guide Table 5 VPNremote for 4600 Series IP Telephones Customizable System Parameters continued Parameter Name Default Value Description and Value Range Example ALWSTOPVPN EXTVPNS VPNACTIVE 1 Null This parameter contains the policy that defines if the user is allowed to stop VPN while connected to the call server Values are 1 enable 2 disable This parameter contains the list of security device IP addresses These addresses are used to connect to the Enterprise network from an external source Enter the value in dotted decimal format or DNS name format Valid values are zero or more IP addresses separated by commas without any intervening spaces 0 to 255 ASCII characters including commas or null The length of individual VPN server IP address cannot be exceed 16 characters If the IP address or DNS name of the VPN server to which client is currently connected is included in this list then value of ALWSTOPVPN will be treated as 0 even if it was SET as 1 through SET command in the script file The VPNACTIVE value is 1 This value is read only when the VPN tunnel is active and 0 when the VPN tunnel is not active 15 of 15 Issue 2 July 2006 45 System Parameters Customization The parameters in Table 6 are configurable in the Script File when the parameter NVVPNCFGPROF is set
6. 43 System Parameters Customization Table 5 VPNremote for 4600 Series IP Telephones Customizable System Parameters continued Parameter Name Default Description and Value Range Example Value ALWCLRNOTIFY 0 This parameter contains the policy that defines ISAKMP NOTIFICATION messages These message can be in the clear or encrypted If this value is 0 any notification sent in the clear should be ignored by ISAKNMP FAILOVERDELAYON 300 This parameter contains the HOOK policy that defines the duration in seconds the VPNremote Phone attempts to re establish a tunnel with the currently connected security device This value in seconds must be set before VPNremote Phone attempts to connect to a different security device if the VPNremote Phone is in ON hook FAILOVERDELAYOF This parameter contains the FHOOK policy that defines the duration in seconds the VPNremote Phone attempts to re establish a tunnel with the currently connected security device This value in seconds must be set before VPNremote Phone attempts to connect to a different security device if the VPNremote Phone is in OFF hook ACTIVATEVPN 0 This value is ignored if NVVPNMode is set to 1 or 0 If the value is set to 1 the VPN tunnel setup procedure is invoked prior to starting the system specific procedures ALWSTOPVPN 0 This value contains the policy that defines if user is allowed to stop VPN while connected to the call server If this value is 1
7. Phone features in Release 2 lt 0 10 VPNremote Phone features in Release 1 0 lt lt lt 11 Chapter 2 Configuration lt lt lt 0 eee ss 13 Configuration preparation 4 13 Preparing Communication Manager for the VPNremote Phone 14 VPNremote Phone as a single extension on Communication Manager 14 VPNremote Phone as a bridged appearance on Communication Manager 14 Installing the VPNremote Phone in the enterprise network 14 Preparing the Avaya Security Gateway for the VPNremote Phone 15 Configuring VPNremote Phone system parameters on the devices 15 Converting an IP Telephone to VPN IP Telephone 17 Downloading the VPN firmware lt lt 17 Configuring the VPN Settings ee 18 Deploying the VPNremote Phone 19 Appendix A Avaya VPNremote for 4600 Series IP Telephones Installation CNCCKNS visas ADA a 21 Appendix B Troubleshooting ee eae 23 Eror CONTI 4 ies is AAA AAA AAA 23 Authentication Failures 23 TCP IP Connection Failure 23 SSL Connection Failure 24 General Phone Errors and Behaviors 24 IKE and IPSec Negotiation Failures lt lt
8. Series IP Telephones Customizable System Parameters Parameter Name Default Description and Value Range Example Value NVVPNMODE 2 This parameter controls when To set the VPN mode to start the VPN Client is started Valid value VPN Client at initialization boot is one ASCII numeric digit O to 2 use the following command Values are SET NVVPNMODE 1 0 VPN is disabled 1 VPN will start after TCP IP initialization and before downloading the script file 2 VPN will start after downloading and processing the script file NVVPNSVENDOR 0 This parameter controls the To set the VPN device vendor to vendor of the security device Valid value is one ASCII numeric digit O to 4 Values are 0 AVAYA 1 NETSCREEN 2 CISCO 3 CHECKPOINT 4 ANY This system initialization parameter cannot be modified by a local procedure Any use the following command SET NVVPNSVENDOR 4 1 of 15 Issue 2 July 2006 31 System Parameters Customization Table 5 VPNremote for 4600 Series IP Telephones Customizable System Parameters continued Parameter Name Default Value Description and Value Range Example NVVPNCFGPROF NONE This parameter controls the VPN configuration profile for the device vendor and device type Valid value is one ASCII numeric digit 1 3 5 6 and NONE Values are 1 Avaya Security Gateway 3 Cisco Xauth with PSK 5 Juniper Netscreen Xauth with PSK 6 Generic PSK Description e Set
9. convert a non VPNremote IP telephone into a VPNremote telephone 1 Allow the telephone to initialize and register with Communication Manager 2 After the phone is registered set the GROUP for each phone you want to upgrade to a VPN IP telephone to 876 To initiate the GROUP command from the telephone key pad press Mute 4 7 6 8 7 3 After the GROUP command is initiated enter 8 7 6 V P N for the New value Use Page LEFT key to erase any errors 4 Press to save the new value Save new value no yes Downloading the VPN firmware Prior to configuring the VPNremote Phone you must first install the VPNremote Phone firmware on an existing internal TFTP server Install the VPNremote Phone firmware files on the same TFTP server that the existing IP telephones 2 3 firmware or higher Note The TFTP server should not be accessible from outside the enterprise network without a VPN connection To download the firmware 1 Verify that the file server is configured to upgrade the telephone firmware 2 Copy the VPNremote Phone software files to the TFTP server The VPNremote Phone firmware files must be on the same TFTP server as the existing IP telephones firmware 3 Create a new 46xxupgrade scr file 4 Add the following lines to the beginning of the new 46XXupgrade scr file IF GROUP SEQ 876 goto DEFVPN GOTO NOVPN DEFVPN GET 46xxvpn scr GOTO END NOVPN Issue 2 July 2006 17 Configuration 5 Upon c
10. method until all the available encapsulation method are attempted or connectivity check is successful To set the connectivity check value to 2 use the following command SET NVVPNCONCHECK 2 12 of 15 42 Administrator Guide Table 5 VPNremote for 4600 Series IP Telephones Customizable System Parameters continued Parameter Name Default Value Description and Value Range Example VPNMONFRQ DROPCLEAR 0 1 This value contains the To set the VPN monitoring frequency of VPN monitoring frequency use the following syslog message in minutes command If a syslog server IP address is BEE VENMONERD 20 specified LOGSRVR and VPNMONFRQ contains a valid value VPNremote Phone sends a syslog message every VPNMONFRQ minutes This message contains following data points e Duration for which phone has been up in minutes e Number of times phone lost contact with the Security Gateway but successfully recovered without rebooting e IP Address of the Security Gateway to which the phone is connected e Cumulative IPsec stats Packets sent received errors encountered Controls the policy that defines the handling on incoming and outgoing clear packets Valid value is one ASCII numeric digit 0 and 1 Values are 0 All clear traffic is accepted 1 All clear traffic will be dropped except for traffic to and from the security gateway and the DHCP server 13 of 15 Issue 2 July 2006
11. of the limited warranty In addition Avaya s standard warranty language as well as information regarding support for this product while under warranty is available through the following Web site Preventing toll fraud Toll fraud is the unauthorized use of your telecommunications system by an unauthorized party for example anyone who is not a corporate employee agent subcontractor or person working on your company s behalf Be aware that there may be a risk of toll fraud associated with your system and that if toll fraud occurs it can result in substantial additional charges for your telecommunications services Avaya fraud intervention If you suspect that you are being victimized by toll fraud and you need technical assistance or support call Technical Service Center Toll Fraud Intervention Hotline at 1 800 643 2353 for the United States and Canada For additional support telephone numbers see the Avaya Web site Providing telecommunications security Telecommunications security of voice data and video communications is the prevention of any type of intrusion to that is either unauthorized or malicious access to or use of your company s telecommunications equipment by some party Your company s telecommunications equipment includes both this Avaya product and any other voice data video equipment that could be accessed via this Avaya product that is networked equipment An outside party is anyone who i
12. this parameter to 1 if Security Gateway vendor is Avaya e Set this parameter to 3 if the device vendor is Cisco and Xauth is used for authenticating phone user e Set this parameter to 5 if device vendor is Juniper Xauth is used for authenticating phone user e Set this parameter to 6 if the device vendor does not support Xauth To set the device VPN configuration profile to the Avaya security gateway use the following command SET NVVPNCFGPROF 1 The following parameters must be set to specified values e If NVVPNCFGPROF 1 then NVIKECONFIGMODE 2 e If NVVPNCFGPROF 3 then NVIKECONFIGMODE 1 NVIKEIDTYPE 11 NVIKEXCHGMODE 1 e If NVVPNCFGPROF 5 then NVIKECONFIGMODE 1 NVIKEIDTYPE 3 NVIKEXCHGMODE 1 e NVVPNCFGPROF 6 then NVIKECONFIGMODE 2 NVIKEIDTYPE 3 NVIKEXCHGMODE 1 20f 15 32 Administrator Guide Table 5 VPNremote for 4600 Series IP Telephones Customizable System Parameters continued Parameter Name Default Value Description and Value Range Example NVVPNAUTTYPE NVSGIP 2 Null This parameter is valid when NVVPNCFGPROF is set to 1 Avaya security gateway If the Avaya security gateway software version is 4 0 or higher the default value does not need to be changed Controls user authentication mode Valid value is one ASCII numeric digit 1 and 2 Values are 1 CHAP 2 PAP The method chosen is dependent on the type of authentication used by the security de
13. 2 FQDN of E Mai NVVP 3 User FQDN E Mail NCFG 9 Directory name PROF 11 KEY ID Opaque 4of 8 Issue 2 July 2006 49 System Parameters Customization Table 6 VPNremote for 4600 Series IP Telephones Specific Customizable System Parameters continued Parameter Name Default Description and Value Range Example Value NVIKEP1ENCALG 0 This parameter contains the To set the encryption algorithm to encryption algorithms to propose AES 128 use the following for IKE phase 1 security command association Values are SET NVIKEPLENCALG 1 O ANY 1 AES 128 2 3DES 3 DES 4 AES 192 5 AES 256 The security device selects the algorithm mandated by the administrator Priority order of algorithms proposed by the VPNremote Phone is AES 128 3DES DES AES 192 A ES 256 In very rare circumstances the security device may not be able to handle multiple proposals In this cases only try overriding the default behavior 50f8 50 Administrator Guide Table 6 VPNremote for 4600 Series IP Telephones Specific Customizable System Parameters continued Parameter Name Default Description and Value Range Example Value NVIKEP2ENCALG 0 This parameter contains the To set the encryption algorithm to encryption algorithms to propose AES 128 use the following for IKE phase 2 security command association Values are SET NVIKEP2ENCALG 1 O ANY 1 AES 128 2 3DES 3 DES 4 AES 192 5 AES 256 NVIKECONFIGMODE NVIKEXCHGMODE 1
14. AVAYA VPNremote for the 4600 Series IP Telephones Release 2 0 Administrator Guide 19 600753 Issue 2 July 2006 O 2006 Avaya Inc All Rights Reserved Notice While reasonable efforts were made to ensure that the information in this document was complete and accurate at the time of printing Avaya Inc can assume no liability for any errors Changes and corrections to the information in this document may be incorporated in future releases Documentation disclaimer Avaya Inc is not responsible for any modifications additions or deletions to the original published version of this documentation unless such modifications additions or deletions were performed by Avaya Customer and or End User agree to indemnify and hold harmless Avaya Avaya s agents servants and employees against all claims lawsuits demands and judgments arising out of or in connection with subsequent modifications additions or deletions to this documentation to the extent made by the Customer or End User Link disclaimer Avaya Inc is not responsible for the contents or reliability of any linked Web sites and does not necessarily endorse the products services or information described or offered within them We cannot guarantee that these links will work all of the time and we have no control over the availability of the linked pages Warranty Avaya Inc provides a limited warranty on this product Refer to your sales agreement to establish the terms
15. Avaya 4600 Series IP Telephones that support the VPNremote Phone firmware includes the following devices Avaya 4610SW IP Telephone Avaya 4620SW IP Telephone Avaya 4621SW IP Telephone Avaya 4622SW IP Telephone Avaya 4625SW IP Telephone Online Documentation The online documentation for the Avaya VPNremote for the 4600 Series IP Telephones is located at the following URL Issue 2 July 2006 5 About this book Related Documentation Request For Comments RFC The following RFCs have been implemented 2401 2407 2408 2409 3715 3947 3948 2406 2411 The following documents are available on the Web site under Find Documentation and Downloads by Name Avaya VPNremote for the 4600 Series IP Telephones User Installation and Configuration Quick Start 19 601608 This document provides instructions for the end user to install the VPNremote Phone in their SOHO This document also provides information on how to enter their user name and password using the telephone keypad Avaya Administrator Guide for Communication Manager 03 300509 This document provides an overall reference for planning operating and administering your Communication Manager solution Avaya 4600 IP Series Telephone Release 2 4 LAN Administrator Guide 555 233 207 This document provides a description of Voice over IP and describes how to administer the DHCP TFTP and HTTP servers This guide also covers how to troubleshoot operati
16. E Setting the password type to 3 will not let the user select Alpahbets while entering password This might look like an obvious choice when using RSA secure ID tokens However under some conditions the user may need to respond back by entering y Or n in the password field To set the password type to 2 use the following command SET NVVPNPSWDTYPE 2 7 of 15 Issue 2 July 2006 37 System Parameters Customization Table 5 VPNremote for 4600 Series IP Telephones Customizable System Parameters continued Parameter Name Default Description and Value Range Example Value NVVPNFILESRVR Null This parameter contains the URL To set the download method to of the file server A file server URL consist of following components 1 Download Method HTTP HTTPS TFTP 2 FQDN or actual IP address of the file server 3 Service port 80 for HTTP and 443 for HTTPS 4 Path NONE All the components specfied above except for the FQDN IP Address have a default value If download method is omitted from the URL the VPNremote Phone attempts to download the script file using all the methods HTTP use the following command SET NVVPNFILESERVER http 10 1 1 1 8080 phone 8 of 15 38 Administrator Guide Table 5 VPNremote for 4600 Series IP Telephones Customizable System Parameters continued Parameter Name Default Description and Value Range Example Value NVVPNCOPYTOS 2 This parameter conta
17. Issue 2 July 2006 25 Troubleshooting Table 3 VPN Tunnel Setup Failures continued Error Message Avaya Third Party Possible Cause Possible Solution Profile Profile Server Yes N A An externally Verify authentication configured communication mechanism authentication with external failing source Radius authentication Server and source Security Gateway cannot communicate IKE Phase 1 no Yes Yes Security device is For all Profiles response busy For all Profiles Security device cannot be reached because the firewall is blocking incoming UDP packets on port 500 This is on the security device side or home router is blocking outgoing UDP packets on port 500 For third party profile Group Name IKE 1D is incorrect IKE ID type is incorrect Phase 1 proposal mismatch Verify that the firewall accepts UDP packets on port 500 Verify that the security device allows outgoing UDP packets on port 500 For third party profiles Verify group name Verify IKE IK type Verify phase 1 proposal 2 of 4 26 Administrator Guide Table 3 VPN Tunnel Setup Failures continued Error Message Avaya Third Party Possible Cause Possible Solution Profile Profile IKE Phase 2 no No Yes Security device is Verify IKE proposal response busy is correct disable vendor specific ae phare E features and or proposal is mismatched verify protected IP groups Vendor specific features are
18. Nremote for 4600 Series IP Telephones Customizable System Parameters continued Parameter Name Default Value Description and Value Range Example NVWEBLMURL http XX XX X X XX 80 80 WebLM License Server This parameter contains the Web LM licensing server URL information Multiple WebLM licensing server URLs are separated by commas The length of the individual URL cannot be more than 128 characters The combined length of all the URLs cannot be more than 252 characters To set the Web LM value use the following command SET NVWEBLMURL http XX XX XX XX 8080 WebLM LicenseServer Where XX XX XX XX is the IP address or FQDN of the WebLM server 10 of 15 40 Administrator Guide Table 5 VPNremote for 4600 Series IP Telephones Customizable System Parameters continued Parameter Name Default Description and Value Range Example Value NVVPNENCAPS 0 This parameter contains the To set the UDP encapsulation method of UDP encapsulation Values are 0 4500 4500 1 Disable 2 2070 500 4 RFC 3947 and 3948 Description The type of UDP encapsulation method to use when there is a NAT device between the VPNremote Phone and the security device e Set this parameter to O for IKE negotiation to start with source port 2070 and destination port 500 Negotiation switches to port source port 4500 and destination port 4500 if peer supports port floating Ref RFC 3947 3948 Set this
19. O set the user name as the name to be used during device mac address use the Spa following command authentication and VPN tunnel g setup SET NVVPNUSER MACADDR Each VPNremote Phone should To set the user name as the be configured with a unique user device serial number use the name A unique user name can following command be configured during the initial SET NVVPNUSER VPN setup SERIALNUM The VPNremote Phone is capable of using the phone s mac address or serial number as user name This capability eliminates the need to enter the user name by the phone user using the phone keypad In these cases you must add each device mac address or serial number to your authentication database This value range is up to 30 ASCII characters 6 of 15 36 Administrator Guide Table 5 VPNremote for 4600 Series IP Telephones Customizable System Parameters continued Parameter Name Default Value Description and Value Range Example NVVPNPSWDTYPE 1 This parameter controls the type of VPN passwords Valid value is one ASCII numeric digit 1 to 4 Values are 1 The password is saved in non volatile memory 2 The password is erased when you turn off power to the telephone 3 The password is all numeric and is for one time use only 4 The password is alpha numeric and is for one time use only You must set this parameter to 3 or 4 if using one time passwords such as SecurelD from RSA NOT
20. Topology not supported Empty Gate Keeper Ey User is blocked for x minutes from x number of incorrect logins Incorrect user name or password entered Incorrect phone brand configured on gateway Multiple central site devices configured which is not a supported configuration No call server addresses configured Note All error messages will provide the option to display more information or edit the configuration Syslog Adding the IP address of the SYSLOG server will enable Sysloging of VPN module This SYSLOG server is meant to catch log messages while tunnel setup is in progress hence the syslog server must be accessible without the tunnel Issue 2 July 2006 29 Troubleshooting 30 Administrator Guide Appendix C System Parameters Customization For additional definitions and information on how to change IP telephone parameters see the Avaya 4600 Series IP Telephone Release 2 3 LAN Administrator Guide Server Administration chapter Administering Options for the 4600 Series IP Telephones The parameters in Table 5 are configurable to desired values in the Script File For additional information on the Script File see the Avaya 4600 Series IP Telephone Release 2 4 LAN Administrator Guide Server Administration chapter Contents of the Upgrade Script section We recommend that you administer options on the 4600 Series IP Telephones using script files Table 5 VPNremote for 4600
21. age WML browser e Integrated IPSec Client The VPNremote Phone contains an integrated IPSec VPN Client that supports the following IPSec protocols Internet Protocol Security IPSec VPNremote Phone supports IPSec VPNremote Phone supports IPSec when implemented under an existing implementation of an IP protocol For additional information regarding IPSec protocol support see the Avaya Security Gateway Configuration Guide for VPNos 4 6 Internet Key Exchange IKE VPNremote Phone supports the standard IKE key management protocol for IPSec For additional information regarding IKE protocol support see the Avaya Security Gateway Configuration Guide for VPNos 4 6 Internet Security Association and Key Management ISAKMP VPNremote Phone supports the standard IISAKMP protocol for IPSec For additional information regarding IS AK MP protocol support see the Avaya Security Gateway Configuration Guide for VPNos 4 6 Issue 2 July 2006 11 Introduction 12 Administrator Guide Chapter 2 Configuration This section provides administrators with information on how to configure the Avaya VPNremote for 4600 Series IP Telephone as a VPNremote Phone It is recommended that administrators configure the Avaya VPNremote for 4600 Series IP Telephone VPNremote Phone for the end user Administrators should load the VPNremote Phone with the latest software configure the VPNremote Phone to connect to the Enterprise Communication Manager in
22. de Error and Status Messages The 4600 Series IP Telephones issue messages in English only The IP telephones also display messages from the switch which can issue messages in the local language outside the United States Note The following error messages are for the VPNremote Phone only For additional information on the 4600 Series IP Telephone error messages see the 4600 Series IP Telephone Release 2 2 1 Installation Guide Most of the messages in following tables display only for about 30 seconds and then the telephone resets Table 3 describes the list of all error messages that pertain to the VPN tunnel setup failures that the VPNremote Phone might display Table 3 VPN Tunnel Setup Failures Error Message Avaya Third Party Possible Cause Possible Solution Profile Profile TCP Connection Yes N A Security gateway Verify end user timed out not accessible or login ID and unresponsive to password and that TCP connection the network is up SSL Handshake Yes N A SSL 1443 Verify end user failed connection failed login ID and password Invalid server Yes N A Security device Verify that the certificate certificate issue security device certificate is valid Unknown Yes N A SSL handshake Verify that the certificate issuer during VPN setup failed because the server certificate provided by the gateway is not signed by the appropriate VPNremote Phone is connecting to an Avaya device 1 of 4
23. dged appearance on Communication Manager For additional information regarding Communication Manager configuration see the Administrator Guide for Avaya Communication Manager VPNremote Phone as a bridged appearance on Communication Manager The VPNremote Phone user can have a bridged appearance of the office extension on the Avaya Media Server running Avaya Communication Manager A bridged appearance allows the user to be connected to the Communication Manager from two locations at the same time As a call comes in both telephones ring If a voicemail message is received and the message indicator light is configured the light appears on both telephones The bridged appearance configuration is the most common configuration for VPNremote Phone users For additional information regarding Communication Manager configuration see the Administrator Guide for Avaya Communication Manager Installing the VPNremote Phone in the enterprise network The Avaya VPNremote for 4600 Series IP Telephone is a standard Avaya 4600 Series IP Telephone with an additional VPNremote Client capability The installation of the VPNremote Phone in the enterprise network is the same as the installation of any Avaya 4600 Series IP Telephones For detailed instructions on how to install the VPNremote Phone into the enterprise network see the Avaya 4600 Series IP Telephone Installation Guide 14 Administrator Guide Configuration preparation Preparing t
24. dify OK 2 Press to modify your VPN settings 3 Select the VPN option to change by using the gray buttons on the left of the display Press the Server button or the first gray button to change the VPN server IP address 4 Enter the IP address of the SOHO network Press the Done button at the lower left corner of the display to return to the configuration options The IP address of the SOHO network must be provided by the end user 5 Select the VPN option to change by using the gray buttons on the left of the display Press the User Name button or second gray button to change the VPN user name The user name is the same name used to login to the enterprise network using remote client software 18 Administrator Guide Configuration preparation 6 Enter the user name using the telephone key pad Press the alpha numeric keys until the desired letter appears Use the Case button or fifth gray button to switch between upper case letters and lower case letters Use the left and right arrow keys at the bottom of the display to move left or right in the user name Press the Done button at the lower left corner of the display to return to the configuration options 7 Select the VPN option to change by using the gray buttons on the left of the display Press the Password button or third gray button to change the VPN password The password is the same password used to login to the enterprise network using VPNremote Client 8 Ent
25. e 49 NVIKEP1ENCALG 50 See OMEN s i i Ge ie Sn esa ere a L NUEK oea pren Aui Saco eto ee 46 Downloading the VPN firmware 17 NVIPSECSUBNET 48 NVPFSDHGRP 5 49 E NVSECSGIP 4 34 NVSGIP a ceca ice le a Sa eee Se 33 Error and status Messages 25 NVVPNAUTTYPE 38 Error conditions 23 NVVPNMODE 484 31 NVVPNPSWDTYPE 37 NVVPNUSER a e Gace ee a a ee a a 36 I VPNACTIVE x e soii a a eae es 45 Installation VPNMONFRQ 2 8005 43 CHECKIISE oe ieee a tia ae e ad oe 8 21 Installation checklist 21 T TOS O COPY en ee ee a ee ee a 10 Online Documentation 00 5 Troubleshooting 2 2 ee ee ee eee 23 error and status messages 25 error conditions a o 23 P problem solving 2 5e 505 23 Preparing Avaya Security Gateway syslog 2 ee e 29 configuring VPNremote Phone users 19 Problem solving U troubleshooting o oo a 23 UDP encapsulation automatic discovery 10 R Related Documentation 0 6 Issue 2 July 2006 55 Index V VPNremote Phone features ooo 11 automatic discovery of UDP encapsulation Method ce e a a we 10 Copy TOS o soi a a ee 10 H 323 IP Telephone o o 11 Integrated IPSec Client a oaoa a aaa n Quality test Qtest
26. ectable connectivity test The VPNremote Phone tests connectivity to the known hosts This test can be set to first time always or never e Quality test Qtest The VPNremote Phone tests the connection quality e Remote Feature Activation RFA The VPNremote Phone license file is generated by the Remote Feature Activation RFA process and is managed by the Web Licence Manager WebLM process The license file must be installed for full functionality The VPNremote Phone can function without a license file but only for a 30 day period When this time period expires the VPNremote Phone is non operational and the user must download the previous software for any functionality You must contact your Avaya sales representative or business partner to get your license file 10 Administrator Guide VPNremote Phone features in Release 1 The following summarizes a number of significant feature performance and usability enhancements provided by VPNremote Phone Release 1 e H 323 IP Telephone The VPNremote Phone is a fully featured Avaya H 323 IP Telephone The H 323 IP Telephone includes the following features A large display area that allows up to 12 application specific buttons to be presented and labeled at one time Twelve line feature buttons Four softkeys Fixed buttons that provide access to powerful capabilities such as local telephone and call server based features speed dialing a Call Log and a Wireless Markup Langu
27. enabled List of protected IP groups do not match Failed to reach Yes N A VPNphone was Verify that the known host unable to reach TFTP server known host such address is correct eee Lae Verify that the call Conan adnieee server address is correct IKE Preshared No Yes PKS Group Verify that the IKE key PSK password is PSK is correct mismatch incorrect 3 of 4 Issue 2 July 2006 27 Troubleshooting Table 3 VPN Tunnel Setup Failures continued Error Message Avaya Third Party Possible Cause Possible Solution Profile Profile DNS needed for Yes Yes The system could Check the DNS resolving security not resolve the server connection device name o e Verify that the H uang FQDN is correct domain name FQDN DNS query sent to resolve security device FQDN failed or has timed out Security device Yes Yes The system could Check the DNS name resolution not resolve the server connection failed security device fully qualified domain name FQDN DNS query sent to resolve security device FQDN failed or has timed out Verify that the FQDN is correct 4of4 28 Administrator Guide Table 4 describes the list of all error messages that pertain to the VPN tunnel setup failures that the VPNremote Phone might display Table 4 Authentication Errors Error Message Possible Cause Authentication failure User Blocked Invalid password OR user name Phone brand rejected by SG VPN
28. er the password using the telephone key pad Press the alpha numeric keys until the desired letter appears Use the Case button or fifth gray button to switch between upper case letters and lower case letters Use the left and right arrow keys at the bottom of the display to move left or right in the user name Press the Done button at the lower left corner of the display to return to the configuration options 9 Select the VPN option to change by using the gray buttons on the left of the display Press the Authentication mode button or forth gray button to change the authentication mode 10 Select the VPN option to change by using the gray buttons on the left of the display Press the Password Type button or fifth gray button to change the password type 11 Press the fifth button on the right side of the display to scroll through the password type options 12 Select the VPN option to change by using the gray buttons on the left of the display Press the VPN Start Mode button or sixth gray button to change the VPN start mode 13 Press the sixth button on the right side of the display to scroll through the VPN start mode options Select Boot and press 14 Press the right arrow key to move to the next display 15 Select the VPN option to change by using the gray buttons on the left of the display Press the Encapsulation button or the first gray button to change the encapsulation option 16 Press the first button on the righ
29. es NVVPNCFGPROF 3 NVVPNSVENDOR 2 NVVPNAUTHTYPE 4 NVIKEXCHGMODE 1 NVIKEIDTYPE 11 NVIKECONFIGMODE 1 10f2 Issue 2 July 2006 15 Configuration Table 1 Supported devices system parameters continued Supported Device System Parameter Values Juniper Networks NetScreen series VPN devices Juniper Networks Secure Services Gateway 500 Series devices Juniper Networks Integrated Security Gateway ISG Series devices Any Security Device Generic with Preshared Key PSK Any Security Device Generic with IKE Extended Authentication Xauth Set the following values NVVPNCFGPROF 5 NVVPNSVENDOR 1 NVVPNAUTHTYPE 4 NVIKEIDTYPE 3 NVIKEXCHGMODE 1 NVIKECONFIGMODE 1 Set the following values NVVPNCFGPROF 5 NVVPNSVENDOR 1 NVVPNAUTHTYPE 4 NVIKEIDTYPE 3 NVIKEXCHGMODE 1 NVIKECONFIGMODE 1 Set the following values NVVPNCFGPROF 5 NVVPNSVENDOR 1 NVVPNAUTHTYPE 4 NVIKEIDTYPE 3 NVIKEXCHGMODE 1 NVIKECONFIGMODE 1 Set the following values NVVPNCFGPROF 6 NVVPNSVENDOR 4 NVVPNAUTHTYPE 3 NVIKECONFIGMODE 2 NVIKEXCHGMODE 1 NVIKEIDTYPE 3 Set the following values NVVPNCFGPROF 7 NVVPNSVENDOR 4 NVVPNAUTHTYPE 4 NVIKEIDTYPE 3 NVIKEXCHGMODE 1 NVIKECONFIGMODE 1 2 of 2 16 Administrator Guide Configuration preparation Converting an IP Telephone to VPN IP Telephone Use the following procedure and the telephone key pad to
30. frastructure and provide the end users with information for configuration in their small office home office SOHO environment the security device through the internet and must allow telephony traffic between the security device and Communication Manager Configuration preparation To insure that the end user is able to configure VPNremote Phone in their SOHO environment and to connect to the enterprise network administrators must preconfigure the IP telephone prior to deployment The initial configuration is to be completed by the administrator while the IP telephone is connected to the enterprise network and prior to deployment to the end user By using this method the administrator maximizes their configuration time and minimizes end user configuration requirements that are entered using the telephone keypad This preconfiguration method also protects the end user s login ID and password Following is the recommended preconfiguration method including the sequence and procedures 1 Create and administer a new extension with Communication Manager Release 2 3 or higher For additional information see Preparing Communication Manager for the VPNremote Phone 2 Install and test the IP telephone on the enterprise network For additional information see the Avaya 4600 Series IP Telephone Installation Guide 3 Allow access into and out of the corporate firewall through VPN tunnels see Preparing the Avaya Security Gateway for t
31. he Avaya Security Gateway for the VPNremote Phone VPNremote Phone users who login to the VPN through the Avaya security gateway must have their user authentication configured on that security gateway The user authentication configuration allows VPN traffic to flow through the corporate firewalls to the security gateway VPN traffic is remote traffic that has traversed the VPN tunnel As a minimum you must configure a user name and the password for each remote user User names can be up to 128 characters long and can contain any character except a comma Note that once you add a user name you cannot change the name For additional information regarding configuring the security gateway for the VPNremote Phone see the Avaya Security Gateway Configuration Guide for VPNos 4 6 Configuring VPNremote Phone system parameters on the devices Table 1 lists the configurable system parameters for the supported devices For more information regarding system parameters see Appendix C System Parameters Customization Table 1 Supported devices system parameters Supported Device System Parameter Values Avaya Security Gateway Set the following values NVVPNCFGPROF 1 NVCERTUNK 2 NVIKECONFIGMODE 2 Cisco VPN 3000 Series Concentrators Set the following values NVVPNCFGPROF 3 NVVPNSVENDOR 2 NVVPNAUTHTYPE 4 NVIKEXCHGMODE 1 NVIKEIDTYPE 11 NVIKECONFIGMODE 1 Cisco PIX 500 Series Security Appliances Set the following valu
32. he VPNremote Phone 4 Convert the 4600 Series IP Telephone see Converting an IP Telephone to VPN IP Telephone 5 Download the VPN firmware from the TFTP server see Downloading the VPN firmware 6 Configure the VPN settings to meet the configuration parameters for each VPNremote Phone site see Configuring the VPN Settings 7 Ship preconfigured device to the end user Issue 2 July 2006 13 Configuration Preparing Communication Manager for the VPNremote Phone A VPNremote Phone is configured the same as other IP telephones on the Avaya Media Server running Avaya Communication Manager Even though the VPNremote Phone is physically located outside of the corporate network the VPNremote Phone will behave the same as other Avaya IP telephones located on the LAN once the VPN tunnel has been established VPNremote Phone as a single extension on Communication Manager The VPNremote Phone user can have a single extension on the Avaya Media Server running Avaya Communication Manager A single extension allows the user to be connected to the Communication Manager from one location at a time either the office or the SOHO If the desired configuration is to connect to Communication Manager from both the office and the SOHO you must configure VPNremote Phone as a separate extension that has a bridged appearance of the office extension For more information on a bridged appearance on Communication Manager see VPNremote Phone as a bri
33. ice selects the algorithm mandated by the administrator Priority order of algorithms proposed by the VPNremote Phone is MD5 SHA1 In very rare circumstances the security device may not be able to handle multiple proposals In this cases only try overriding the default behavior To set the authentication algorithm to SHA 1 use the following command SET NVIKEP1AUTHALG 1 To set the authentication algorithm to SHA 1 use the following command SET NVIKEP2AUTHALG 1 7 of 8 52 Administrator Guide Table 6 VPNremote for 4600 Series IP Telephones Specific Customizable System Parameters continued Parameter Name Default Description and Value Range Example Value NVVPNENCAPS 0 This parameter contains the To set the UDP encapsulation method of UDP encapsulation Values are 0 4500 4500 1 Disable 2 2070 500 4 RFC 3947 and 3948 Description The type of UDP encapsulation method to use when there is a NAT device between the VPNremote Phone and the security device e Set this parameter to 0 for IKE negotiation to start with source port 2070 and destination port 500 Negotiation switches to port source port 4500 and destination port 4500 if peer supports port floating Ref RFC 3947 3948 Set this parameter to 1 to disable IKE NAT traversal Set this parameter to 2to disable port floating during IKE NAT traversal Set this parameter to 4 for IKE negotiation to start with source port 500 and des
34. ins the following sections e Descriptions of error conditions and methods for resolving them e Error and status messages and methods for resolving them e Syslog Error Conditions The following information describes some of the most common issues that may be seen and how to trouble shoot them Authentication Failures e Check User ID and password configured on phone e Check Event log on Security gateway e Check Configured User ID and password on Gateway e f external authentication is used such as Radius check connectivity between SG and Radius and Radius User configuration TCP IP Connection Failure e Confirm VPN server address is correct e Confirm the Gateway is available e Confirm VPNPhone has internet connectivity e Confirm TCP port 1443 is not blocked by any external device between phone and the security gateway The SOHO router may be configured to allow only outgoing TCP connection on port 80 for HTTP and port 443 for HTTPS There may also be a firewall in front of security gateway that may not be configured to allow an incoming TCP connection on port 1443 Issue 2 July 2006 23 Troubleshooting SSL Connection Failure e Confirm security device is accepting SSL connections This requires access to the device s Web interface or SSH access General Phone Errors and Behaviors e Contact DHCP TFTP administrator L2Q parms in option 43 176 or xxx SCR script file The VPNremote Phone is experiencing a looping condi
35. ins whether To set the copy TOS value to 1 TOS bits should be copied from the inner header to the outer header or not copied at all Values are 1 YES 2 NO Description If the value is 1 TOS bits are copied By default TOS bits are not copied from the inner header to the outer header Some Internet Service Provider do not route the IP packets properly if TOS bits are set to anything other than 0 use the following command SET NVVPNCOPYTOS 1 Avaya recommends that this value is not changed when the telephone phone is downloading the script over the VPN tunnel This recommendation avoids overriding end user settings that can occur due to ISP specific issues For example you can set this value to 1 while provisioning the telephone with the VPNremote Phone software so that the telephone can take advantage of the QOS service provided by the home router However if the telephone s ISP does not properly handle the packets with non zero TOS bits in IP header the telephone user needs to change this value back to 2 Due to specific ISP limitations Avaya recommends that the user s choice are not overwritten each time the script file is downloaded To set the copy TOS value to 1 when the script file is not downloaded over the VPN use the following command IF VPNACTIVE SEQ 1 goto skipcopytos SET NVVPNCOPYTOS 1 skipcopytos 9 of 15 Issue 2 July 2006 39 System Parameters Customization Table 5 VP
36. more than 24 characters 4of 15 34 Administrator Guide Table 5 VPNremote for 4600 Series IP Telephones Customizable System Parameters continued Parameter Name Default Value Description and Value Range Example NVBACKUPSGIP gt Null This parameter controls the back up IP address or the back up fully qualified domain name of the security device If the VPN Client could not connect to the primary security device VPN Client attempts to connect to the security devices in this list A maximum of 4 back up security gateways can be configured Enter the value in dotted decimal format or DNS name format Valid values are zero or more IP Addresses in dotted decimal or DNS name format separated by commas without any intervening spaces 0 to 255 ASCII characters including commas Null is a valid value but the value may not contain spaces This value cannot be more than 30 characters To set the device backup IP address to 10 1 1 2 bk1sg mycompany com and bk2 mycompany com as backup security devices use the following command SET NVBACKUPSGIP 10 1 1 2 bk1sg mycompay com bk2 mycompany com 5 of 15 Issue 2 July 2006 35 System Parameters Customization Table 5 VPNremote for 4600 Series IP Telephones Customizable System Parameters continued Parameter Name Default Description and Value Range Example Value NVVPNUSER Null This parameter controls the user T
37. ompletion of the download the telephone will restart Upon restart the telephone will attempt to establish a VPN connection To complete the configuration you must configure the user VPN settings Configuring the VPN Settings Once the firmware has successfully downloaded to the IP Telephone you are now ready to configure the VPN settings The 46XXvpnsettings txt file is populated with the settings that are used by the VPNremote Phone to create the VPN tunnels It is recommended that the administrator edit the VPN settings files to set the configuration parameters for VPNremote Phone users Note For a detailed list of VPN settings in the 46XXvpnsetting txt file see Appendix C System Parameters Customization At startup the phone will attempt to establish a VPN connection using the configured VPN parameters The user is given the option to change the VPN parameters To change the VPN parameters the user can press the Edit button indicated on the VPN startup screen The Edit button gives the user a screen that can be used to change the VPN parameters If the phone is up and registered with Communication Manager the user may also edit the VPN parameters by entering the VPNMOD command as detailed below Use the following procedure and the telephone key pad to configure or edit the VPN Settings 1 To initiate the VPNMOD command from the telephone key pad press Mute V P N M O D or Mute 8 7 6 6 6 3 VPN Start Mode BOOT Mo
38. onal problems with the 4600 Series IP Telephones and the servers Avaya 4600 Series IP Telephone Release 2 2 1 Installation Guide 555 223 128 This document provides detailed information on how to install the 4600 Series IP Telephone product line and troubleshoot problems with the telephones Avaya VPNremote Client 4 1 Administrator Guide June 2002 This document provides a description of the VPNremote Client software and describes how to administer the software Avaya Security Gateway Configuration Guide for VPNos 4 6 670 100 602 This document provides configuration and administration information for the Avaya SG5 SG5X SG200 SG203 and SG208 Security Gateway that are upgraded to VPNos 4 6 and Avaya VSU devices that are upgraded to VPNos 3 X Avaya Remote Feature Acitivation RFA User Guide 03 300149 The guide provides general remote feature activation RFA information as well as step by step processes on how to create modify and install a license and or an authentication file 6 Administrator Guide e Remote Feature Activation RFA Getting Started with Remote Feature Activation 03 300484 The Getting Started With Remote Feature Activation RFA guide has been developed to provide information about products as they pertain to RFA It is not intended to replace high level technical information that is available from various documentation guides Issue 2 July 2006 7 About this book 8 Administrator Guide Chapte
39. ons Figure 1 VPNphone in a corporate network with an Avaya SG203 as the headend device SG203 w public IP address See ee a PBX Corporate Network SG203 w private IP address routers VLAN assignmen ACLs etc SOHO Network SOHO Network h2ernvp02 LAO 120705 s AAYA Issue 2 July 2006 9 Introduction VPNremote Phone features in Release 2 The following summarizes a number of significant feature performance and usability enhancements provided by VPNremote Phone Release 2 e Third party devices Beginning in this release the VPNremote Phone supports the following third party devices Supported Device Minimum Software Requirement Cisco VPN 3000 Series Concentrators Any Cisco PIX 500 Series Security Appliances Any Juniper Networks NetScreen series VPN Screen OS 5 1 0 and higher devices Juniper Networks Secure Services Gateway Screen OS 5 1 0 and higher 500 Series devices Juniper Networks Integrated Security Gateway Screen OS 5 1 0 and higher ISG Series devices e Automatic discovery of UDP encapsulation method The VPNremote Phone will automatically select the correct UDP encapsulation mode during the connection process e SNMP and syslog support through the VPN tunnel The VPNremote Phone can be SNMP polled through the VPN tunnel and syslog messages can be securely sent through the VPN tunnel e Copy TOS Allows TOS to be copied to ESP header packets e Sel
40. parameter to 1 to disable IKE NAT traversal e Set this parameter to 2to disable port floating during IKE NAT traversal e Set this parameter to 4 for IKE negotiation to start with source port 500 and destination port 500 Negotiation switches to port source port 4500 and destination port 4500 if peer supports port floating Ref RFC 3947 and 3948 Finally IPsec traffic is sent inside UDP packets from and to port 4500 if supported by peer or port 2070 lt gt 500 if port floating is not supported and UDP encapsulation is supported as published in the initial draft value to 1 when the script file is not downloaded through the VPN tunnel use the following command IF VPNACTIVE SEQ 1 goto skipencaps SET NVVPNENCAPS 1 skipencaps versions of RFC 3947 and 3948 11 of 15 Issue 2 July 2006 41 System Parameters Customization Table 5 VPNremote for 4600 Series IP Telephones Customizable System Parameters continued Default Value Parameter Name Description and Value Range Example NVVPNCONCHECK 1 This parameter decides if the connectivity check should be performed after establishing the VPN tunnel and how it should behave in the event of connectivity check failure Values are 1 First time 2 Never 3 Always Description The tunnel connectivity check is performed after the VPN tunnel is established If connectivity check fails the tunnel is established with a different encapsulation
41. r 1 Introduction The Avaya VPNremote for 4600 Series IP Telephones VPNremote Phone is an Avaya H 323 IP Telephone with an integrated virtual private network VPN client and an advanced web enabled graphical display VPNremote Phone overview The VPNremote Phone provides enterprise telephony services at a remote or small office home office SOHO location through a secure VPN connection to the user s Enterprise Communication Manager infrastructure The VPNremote Phone uses a high speed connection to the Internet and then to the VPN solution in the enterprise network The Avaya VPNremote for 4600 Series IP Telephones provides a significant improvement on communications capabilities of SOHO users The VPNremote Phone provides users with an extension on an enterprise PBX over a secure VPN connection in a single box solution For additional information regarding the 4600 Series IP Telephones see the Avaya 4600 Series IP Telephone Release 2 4 LAN Administrator Guide Beginning with Release 2 the VPNremote Phone is capable of implementation in Enterprise networks with third party devices For more information regarding supported third party devices see VPNremote Phone features in Release 2 The VPNremote Phone is targeted to work with most SOHO network configurations Figure 1 illustrates a possible corporate network configuration with an Avaya SG203 at the headend device with three VPNremote Phones connected through secure VPN connecti
42. rough the IKE Config mode and 0 0 0 0 with the security device If your security device is configured to allow building security association for selected subnets you can specify them here NVVPNSYSLOG 0 0 0 0 This parameter allows the VPNremote Phone to send operational information to a syslog server that is specified by the respective IP address 30f8 48 Administrator Guide Table 6 VPNremote for 4600 Series IP Telephones Specific Customizable System Parameters continued Parameter Name Default Description and Value Range Example Value NVIKEDHGRP 2 This parameter contains the To set the DH group to group 1 value of Diffe Hellman DH use the following command group The DH group is used SET NVIKEDHGRP 1 during phase 1 negotiation Values are 1 DH group 1 2 DH group 2 5 DH group 5 14 DH group 14 15 DH group 15 NVPFSDHGRP 0 This parameter contains the To set the DH group to group 2 for value of Diffe Hellman DH phase T use the following group The DH group is used SS during phase 2 negotiation for SET NVPFSDHGRP establishing IPsec security associations also known as perfect forward secrecy PFS Values are 0 No PFS 1 DH group 1 2 DH group 2 5 DH group 5 NVIKEIDTYPE The This parameter contains the To set the IKE identifier type to default IKE Identifier type for the IKE ID TE the following value specified in the NVIKEID j depend parameter Values are SET NVIKEIDTYPE 2 gt on 1 IP address the value
43. s not a corporate employee agent subcontractor or person working on your company s behalf Whereas a malicious party is anyone including someone who may be otherwise authorized who accesses your telecommunications equipment with either malicious or mischievous intent Such intrusions may be either to through synchronous time multiplexed and or circuit based or asynchronous character message or packet based equipment or interfaces for reasons of Use of capabilities special to the accessed equipment Theft such as of intellectual property financial assets or toll facility access Eavesdropping privacy invasions to humans Mischief troubling but apparently innocuous tampering Harm such as harmful tampering data loss or alteration regardless of motive or intent Be aware that there may be a risk of unauthorized intrusions associated with your system and or its networked equipment Also realize that if such an intrusion should occur it could result in a variety of losses to your company including but not limited to human and data privacy intellectual property material assets financial resources labor costs and legal costs Your responsibility for your company s telecommunications security The final responsibility for securing both this system and its networked equipment rests with you an Avaya customer s system administrator your telecommunications peers and your managers Base the fulfillment of
44. t side of the display to scroll through the encapsulation options Select Disable and press 17 The Syslog Server option is not configured 18 Press Done to complete the configuration Deploying the VPNremote Phone Deploy the VPNremote Phone to the end user When the end user installs the VPNremote Phone in their home network the telephone will initialize and display a user ID and password error The end user must enter their user name and password that they use to login to their enterprise network using remote client software Issue 2 July 2006 19 Configuration 20 Administrator Guide Appendix A Avaya VPNremote for 4600 Series IP Telephones Installation Checklist The checklist on the following page is provided for your convenience for supplying your users with essential installation information Table 2 VPNremote Phone Installation Checklist Item Value Description VPNremote The default value is 0 0 0 0 In the SOHO network uses Phone IP Address when using DHCP DHCP set this value to 0 0 0 0 default value Otherwise enter the IP address used by the VPNremote Phone in the SOHO network Call Server Port The default value is 1719 This IP address is the IP Address unless otherwise stated by address of the CLAN inside your administrator the enterprise Gateway IP If DHCP is being used press This IP address is the IP Address to accept the default values address of the SOHO router Other
45. tination port 500 Negotiation switches to port source port 4500 and destination port 4500 if peer supports port floating Ref RFC 3947 and 3948 Finally IPsec traffic is sent inside UDP packets from and to port 4500 if supported by peer or port 2070 lt gt 500 if port floating is not supported and UDP encapsulation is supported as published in the initial draft versions of RFC 3947 and 3948 value to 1 when the script file is not downloaded through the VPN tunnel use the following command IF VPNACTIVE SEQ 1 goto skipencaps SET NVVPNENCAPS 1 skipencaps 8 of 8 Issue 2 July 2006 53 System Parameters Customization 54 Administrator Guide Index Index A S About this book o 5 SYVSIOG A i S Gas ar al as Ge A i r 29 Avaya VPNremote for 4600 Series IP Telephones System Parameter installation checklist 21 NVIKEP1AUTHALG o o 52 NVIKEP2AUTHALG 52 NVIKEP2ENCALG 51 C System parameters 2 5 reall Configuration preparation 13 ACTIVATEVPN aoaaa ee 44 Configuring the VPN settings 18 ALWSTOPVPN ooo o 44 Converting an IP Telephone to VPN IP Telephone 17 DROPCLEAR ooo 43 Coverting an IP Telephone to a VPN IP Telephone 17 NVBACKUPSGIP ooo ooo 35 NVIKEDHGRP 5 49 NVIKEID 0 o e eo 47 D NVIKEIDTYPE
46. tion This condition is caused by the gateway IP address being set to 0 0 0 0 Change the device IP address to the static security device IP address or DHCP e Loading is not seen during startup and mute light flashes Check the bootcode version Older version such as 1 9x is not compatible with the latest software version IKE and IPSec Negotiation Failures e Enable IKE Logging on the security device e Perform TCP dumps from the security device console SSH connection Phone fails to register e Confirm the VPN tunnel was built 1 Check if the security associations SA are built on security device under Monitor VPN from the Web interface 2 When the VPN Phone starts does it access the TFTP server through the VPN tunnel If it does then the tunnel is up to that network Check to see if the call server is on the same subnet as the TFTP server If configured IP group in SG covers both address then access should be available e Perform atTCP dump on interfaces of the central security device Check to see if the esp packets are arriving from the phone during the time it should be registering 1 If not Check the L3 Audio and Signaling values If set to 46 34 change to zero and restart phone and check tcpdump 2 If TOS bits are being copied to esp packet on the security device side Communication Manager configuration may need to be changed The above may be require when ISPs block TOS marked packets 24 Administrator Gui
47. to 1 For additional information on the Script File see the Avaya 4600 Series IP Telephone Release 2 4 LAN Administrator Guide Server Administration chapter Contents of the Upgrade Script section We recommend that you administer options on the 4600 Series IP Telephones using script files Table 6 VPNremote for 4600 Series IP Telephones Specific Customizable System Parameters Parameter Name Default Description and Value Range Example Value NVIKEPSK 2 This value controls the To set the preshared key as preshared key PSK The abc1234 use the following preshared key is used during command phase 1 negotiation The length SET NVIKEPSK abc1234 of the preshared key string cannot exceed 30 characters Avaya recommends that the user enter the preshared key using the telephone keypad However if you do not want to share PSK with the end user because it is common for multiple users you can use this parameter to push the PSK Group password to each telephone If you are pushing the PSK to the telephone make sure that the file server is on an isolated network and is used only for provision in VPN parameters to the telephones 1 of 8 46 Administrator Guide Table 6 VPNremote for 4600 Series IP Telephones Specific Customizable System Parameters continued Parameter Name Default Description and Value Range Example Value NVIKEID VPNPH This parameter controls the IKE To set the IKE identifier as ONE identifier
48. vice This parameter controls the primary IP address or the fully qualified domain name of the security device Valid values are zero or more IP Addresses in dotted decimal or fully qualified domain name format separated by commas without any intervening spaces 0 to 255 ASCII characters including commas Null is a valid value but the value may not contain spaces This value cannot be more than 30 characters To set the device authentication type to CHAP use the following command SET NVVPNAUTHTYPE 1 To set the device primary IP address to 10 1 1 1 use the following command SET NVSGIP 10 1 1 1 To set the device fully qualified domain name to primarysg mycompany com use the following command SET NVSGIP primarysg mycompany com 3 of 15 Issue 2 July 2006 33 System Parameters Customization Table 5 VPNremote for 4600 Series IP Telephones Customizable System Parameters continued Parameter Name Default Description and Value Range Example Value NVSECSGIP Null This is the secondary IP address or the secondary fully qualified domain name of the Avaya Security Gateway SG Valid values are zero or more IP Addresses in dotted decimal or fully qualified domain name format separated by commas without any intervening spaces 0 to 255 ASCII characters including commas Null is a valid value but the value may not contain spaces The VPN server IP address cannot be
49. wise end user will confirm address Network Mask If DHCP is being used press This IP address is the to accept the default values network mask for SOHO Otherwise end user will network confirm address TFTP File Server This IP address is the TFTP file server inside the enterprise that contains the configuration and update files Extension of your Depending on the telephony VPNremote configuration this extension Phone may or may not be the same extension as your office telephone Check with you telephony administrator to confirm your extension 1 of 2 Issue 2 July 2006 21 Avaya VPNremote for 4600 Series IP Telephones Installation Checklist Table 2 VPNremote Phone Installation Checklist continued Item Value Description VPNremote Phone password Depending on the telephony configuration this password may or may not be the same password as your office telephone Check with you telephony administrator to confirm your password VPN server This is the public IP address of the security gateway VPN user name End user will enter VPN password End user will enter 2 of 2 22 Administrator Guide Appendix B Troubleshooting This chapter describes problems that might occur during installation and configuration of the Avaya VPNremote for 4600 Series IP Telephones and possible ways of resolving these problems This chapter conta
50. your responsibility on acquired knowledge and resources from a variety of sources including but not limited to Installation documents System administration documents Security documents Hardware software based security tools Shared information between you and your peers Telecommunications security experts To prevent intrusions to your telecommunications equipment you and your peers should carefully program and configure Your Avaya provided telecommunications systems and their interfaces Your Avaya provided software applications as well as their underlying hardware software platforms and interfaces Any other equipment networked to your Avaya products Trademarks Avaya is a trademark of Avaya Inc All non Avaya trademarks are the property of their respective owners Avaya support Avaya provides a telephone number for you to use to report problems or to ask questions about your contact center The support telephone number is 1 800 242 2121 in the United States For additional support telephone numbers see the Avaya Web site Contents About this book 24 6h 6 hte dG as SHEE BSS SOG 5 What products are covered 22 2 ee eee 5 Online Documentation 5 Related Documentation lt lt lt o ew seb eek Or ESS ee eer eS 6 Chapter 1 Introduction lt 4 aks Ree ae ee eR a BRO 9 VPNremote Phone overview 2 2 eee 9 VPNremote
Download Pdf Manuals
Related Search