Avaya Solution & Interoperability Test Lab

Configuring a Juniper Networks NetScreen-Remote VPN Client to Support an Avaya IP Softphone Secure Connection to a Samsung Ubigate™ iBG3026 Gateway - Issue 1.0

Abstract

These Application Notes describe the procedures for configuring a secure VPN connection to the Samsung Ubigate™ iBG3026 Gateway using the Juniper Networks NetScreen-Remote VPN Client to support the Avaya IP Softphone. The Samsung iBG3026 functions as a multi-service IP switch/router.
1. Introduction

These Application Notes describe the procedures for configuring a secure VPN connection to the Samsung Ubigate™ iBG3026 Gateway using the Juniper Networks NetScreen-Remote VPN Client to support the Avaya IP Softphone. The Samsung iBG3026 is designed to provide WAN connectivity such as T1, E1, T3, and metro Ethernet to a small-to-medium sized office.
An Avaya C364T-PWR Converged Stackable Switch simulates the WAN by routing the IP traffic between the remote user and the HQ Office.
4. Configure Avaya Communication Manager and Avaya IP Telephones

These Application Notes assume that the configuration of Avaya Communication Manager and the Avaya IP telephones is already in place. Refer to [1] for detailed instructions on configuring these components.

5. Configure Microsoft Active Directory

5.1. Create User Accounts

The steps below create a new user account for the Juniper NetScreen-Remote user shown in Figure 1.
Step 2. Enter the user information as highlighted below. All remaining fields may be left as the defaults. Click Next to continue.

Step 3. Enter the password and the password policy options shown below. Click Next to continue, then click Finish (not shown).

JC; Reviewed: SPOC 8/6/2007 Solution & Interoperability Test Lab Application Notes ©2007 Avaya Inc. All Rights Reserved. 5 of 27 Ubigate-NetScr.
Step 4. To allow the new account to request authentication when connecting via VPN to the Samsung iBG3026, the account’s remote access permission must be enabled. From the Active Directory Users and Computers screen, right click the user name created in Step 2 under the Users folder and select Properties from the pop-up menu.

Step 5. Select the Dial-in tab and then select the Allow access option. All remaining fields can be left as the defaults. Click OK to save.
5.2. Create User Group

The steps below create a new user group so that all Juniper NetScreen-Remote user accounts can be grouped together and Microsoft IAS can apply a consistent access policy to them.

Step 1. From the Active Directory Users and Computers screen, right click the Users folder and select New > Group from the pop-up menu as shown below.

Step 2. Enter a descriptive name in the Group name field as highlighted below. All remaining fields may be left as the defaults. Click OK.
5.3. Add Users to Group

The steps below add the newly created user to the newly created user group.

Step 1. Edit the properties of the new user group by right clicking the group name under the Users folder and selecting Properties from the pop-up menu.

Step 2. Select the Members tab, then click Add.
Step 3. Enter the user name, then click Check Names. The user should appear as shown below. Click OK to save, then click OK again (not shown) to exit the Group Properties screen.

6. Configure Microsoft Internet Authentication Service

The steps below add the Samsung iBG3026 to the Microsoft IAS as a Remote Authentication Dial In User Service (RADIUS) client. This enables Microsoft IAS to exchange RADIUS messages with the Samsung iBG3026.
Step 2. Enter a descriptive name for Friendly name and the IP address of the Samsung iBG3026 for Client address (IP or DNS). Click Next to continue.

Step 3. Enter a text string for Shared secret. In this configuration, the string is radiussecretkey. This shared secret text is used by the Samsung iBG3026 in Section 6.2 to authenticate with the Microsoft IAS for RADIUS communications. All remaining fields may be left as the defaults. Click Finish.
6.2. Configure Remote Access Policy

The steps below create a new access policy to be used for RADIUS requests coming from the Samsung iBG3026 on behalf of NetScreen-Remote users.

Step 1. From the Internet Authentication Service screen, right click Remote Access Policies and select New > Remote Access Policy from the pop-up menu.

Step 2. From the New Remote Access Policy Wizard screen, select Set up a custom policy and enter a descriptive name for Policy name. Click Next to continue.
Step 3. From the Policy Conditions screen, click Add.

Step 4. From the Select Attribute screen, select the attribute types to be applied to this access policy. The Windows-Groups attribute is used in the sample configuration. Select Windows-Groups and click Add.
Step 5. Click Add to add a new group.

Step 6. The Active Directory Users group created in Section 5.2 is added to this access policy as shown below. Click OK twice to return to the Policy Conditions screen in Step 3 and then click Next to continue.
Step 7. Select Grant remote access permission and click Next to continue.

Step 8. Click Edit Profile.
Step 9. In the Authentication tab, ensure that the field Unencrypted authentication (PAP, SPAP) is checked. All other authentication methods can be unchecked. Click OK to return to the screen in Step 7, followed by Next and then Finish (not shown) to complete the wizard.

7. Configure Samsung iBG3026

The Samsung iBG3026 provides both browser-based and command-line-based (telnet or console port access) administrative interfaces.
7.1. Configure Ethernet and VLAN Interfaces

Step 1. Connect to the Samsung iBG3026 command line interface via a terminal emulation program (e.g., HyperTerminal) using the serial cable provided for the console port at the back of the machine. Enter the username (samsung) and default password (see [4]) to log in. Enter configure terminal to enter configuration mode.

#----------------------------------------------------------------------# SAMSUNG ELECTRONICS CO., LTD.
Step 4. Add a default route to the router on the public Internet.

sarak2/configure# ip route 0.0.0.0/0 2.2.2.254
sarak2/configure#

7.2. Configure RADIUS

Configure the Samsung iBG3026 as a RADIUS client to the Microsoft IAS for the authentication of remote VPN users.

Step 1. Configure the Samsung iBG3026 to connect to the Microsoft IAS with the secret key radiussecretkey.
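Sections 6.1, 6.2 and 7.2 together mean the iBG3026 forwards each remote user's password to IAS in a RADIUS Access-Request using PAP, protected only by the RFC 2865 User-Password hiding that is derived from the shared secret (radiussecretkey in this configuration). The following Python is an added example, not from the Application Notes, that implements that hiding, its reversal, and a minimal Access-Request so an administrator can see exactly what the shared secret protects; the username, password and Request Authenticator values are constructed.

```python
import hashlib
import secrets

# Shared secret from Sections 6.1 and 7.2 of the Application Notes.
SECRET = b"radiussecretkey"


def pap_encode(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide a PAP password as RFC 2865 section 5.2 requires for the
    User-Password attribute: pad to a 16-byte multiple, then XOR each
    block with MD5(secret + previous ciphertext block), seeded with the
    16-byte Request Authenticator."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("PAP password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return bytes(out)


def pap_decode(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Reverse pap_encode; only a holder of the same shared secret can do this."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(block, mask))
        prev = block
    return bytes(out).rstrip(b"\x00")


def access_request(identifier: int, username: bytes, password: bytes,
                   secret: bytes, authenticator: bytes = b"") -> bytes:
    """Build a minimal RADIUS Access-Request (Code 1) carrying User-Name (1)
    and User-Password (2), the shape the NAS sends to IAS for a PAP user.
    A fresh random Request Authenticator is used unless one is supplied."""
    auth = authenticator or secrets.token_bytes(16)
    hidden = pap_encode(password, secret, auth)
    attrs = bytes([1, 2 + len(username)]) + username
    attrs += bytes([2, 2 + len(hidden)]) + hidden
    length = 20 + len(attrs)
    return bytes([1, identifier & 0xFF]) + length.to_bytes(2, "big") + auth + attrs
```

Because the hiding is a reversible XOR keyed by MD5 of the secret, anyone who can read the RADIUS traffic and knows the secret can recover the password, which is why the secret must be strong and the path between the iBG3026 and IAS must be trusted.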
7.3. Configure VPN Remote Access Policy

Create the VPN Remote Access Policy to support remote users.

Step 1. Configure a dynamic Phase 1 IKE policy for a group of remote users. The pre-shared key is set to interoptest in this configuration. For a dynamic policy, set the mode to aggressive. Configure the IKE Phase 1 proposal as described in Section 3.
sarak2/configure/crypto# dynamic
sarak2/configure/crypto/dynamic# ipsec policy remusers modecfg-group
sarak2/configure/crypto/dynamic/ipsec/policy remusers# match address 192.168.1.
sarak2/configure# firewall corp
sarak2/configure/firewall corp# policy 1000 in address 192.168.11.101 192.168.11.120 192.168.1.0 24
sarak2/configure/firewall corp/policy 1000 in# exit
sarak2/configure/firewall corp# exit
sarak2/configure#

8. Configure Juniper NetScreen-Remote

This section shows the configuration of the Juniper NetScreen-Remote on a single remote user machine.

Step 1.
Step 2. Expand the ToHQOffice folder and select My Identity. Configure the highlighted fields shown below. Select Domain Name for the ID Type field and enter avaya.com. Select Preferred for the Virtual Adapter field. All remaining fields can be left as the defaults. Click Pre-Shared Key to continue.

Step 3. Click Enter Key and type the Pre-Shared Key interoptest. Click OK.
Step 4. Select Security Policy. Configure the highlighted fields shown below. Select Aggressive Mode for Select Phase 1 Negotiation Mode. Uncheck Enable Perfect Forward Secrecy (PFS). Check the Enable Replay Detection field.

Step 5. Expand the folder Security Policy > Authentication (Phase 1) and select Proposal 1. Configure the highlighted fields shown below. Select Pre-Shared Key; Extended Authentication for the Authentication Method field.
Step 6. Expand the folder Security Policy > Key Exchange (Phase 2) and select Proposal 1. Configure the highlighted fields shown below. All remaining fields can be left as the defaults.
• Check the Encapsulation Protocol (ESP) field.
• Select AES-128 for the Encrypt Alg field.
• Select SHA-1 for the Hash Alg field.
• Select Tunnel for the Encapsulation field.

From the menu, select File > Save to save the configuration.
9. Verification Steps

The following steps can be used to verify that the configuration steps documented in these Application Notes have been done correctly.

9.1. Verify Juniper NetScreen-Remote

Step 1. Right-click on the NetScreen-Remote icon and select Connect > My Connections\ToHQOffice.

Step 2. Enter the username and password created in Microsoft Active Directory in Section 5.1.
Step 3. Verify that the Manual Connection Status screen is displayed and shows that the connection is successful. Launch Avaya IP Softphone and verify that it can register with Avaya Communication Manager successfully.

9.2. Verify Samsung iBG3026

9.2.1. Verify Client Connections

Enter the command show crypto dynamic clients using the Samsung iBG3026 CLI. Verify that the client is connected as shown below.

sarak2/configure# show crypto dynamic clients
Client Address
--------------
7.7.7.
9.2.3. Verify Phase 2 Status

Enter the command show crypto ipsec sa all using the Samsung iBG3026 CLI. Verify that the IPSec policies for the tunnels going to and coming from the Juniper NetScreen-Remote are created.

sarak2/configure# show crypto ipsec sa all
Policy      Dest IP   Spi         Packets  Transform
------      -------   ---         -------  ---------
INremusers  2.2.2.1   0xbb3d0e65  1121     esp-aes-sha1-tunl
remusers    7.7.7.7   0xea2383bf  1322     esp-aes-sha1-tunl
sarak2/configure#

10.
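Checking that table by eye works for one client; the Python below is an added example, not from the Application Notes, that parses the show crypto ipsec sa all output and confirms for a given dynamic policy that both directions exist, both use the esp-aes-sha1-tunl transform chosen in Section 8 Step 6, and both have carried traffic. The sample output is constructed to mirror the table above, and the convention that the inbound SA is named IN followed by the policy name is inferred from that table.

```python
import re

# Constructed sample output laid out like the Section 9.2.3 table
# (policy names, SPIs and counters are the ones shown there).
SAMPLE_OUTPUT = """\
sarak2/configure# show crypto ipsec sa all
Policy      Dest IP   Spi         Packets  Transform
------      -------   ---         -------  ---------
INremusers  2.2.2.1   0xbb3d0e65  1121     esp-aes-sha1-tunl
remusers    7.7.7.7   0xea2383bf  1322     esp-aes-sha1-tunl
sarak2/configure#
"""

# One data row: policy, dotted-quad destination, hex SPI, packet count, transform.
ROW = re.compile(
    r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(0x[0-9a-fA-F]+)\s+(\d+)\s+(\S+)$")


def parse_sa_table(text: str) -> list:
    """Return the data rows of the SA table as dicts. Prompt, header and
    separator lines do not match ROW and are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append({"policy": m.group(1), "dest": m.group(2),
                         "spi": int(m.group(3), 16), "packets": int(m.group(4)),
                         "transform": m.group(5)})
    return rows


def check_policy(rows: list, policy: str,
                 transform: str = "esp-aes-sha1-tunl") -> list:
    """List what is wrong with the SA pair for one dynamic policy; an empty
    list means both directions exist with the expected transform and have
    carried packets. The inbound SA is assumed to be named "IN" + policy, as
    in the output above. A zero counter usually points at the firewall policy
    or the match address selectors rather than at IKE."""
    problems = []
    for direction, name in (("inbound", "IN" + policy), ("outbound", policy)):
        found = [r for r in rows if r["policy"] == name]
        if not found:
            problems.append(f"no {direction} SA for {policy}")
            continue
        for r in found:
            if r["transform"] != transform:
                problems.append(f"{name}: transform {r['transform']} != {transform}")
            if r["packets"] == 0:
                problems.append(f"{name}: no packets seen")
    spis = [r["spi"] for r in rows]
    if len(spis) != len(set(spis)):
        problems.append("duplicate SPI in table")
    return problems
```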
©2007 Avaya Inc. All Rights Reserved. Avaya and the Avaya Logo are trademarks of Avaya Inc. All trademarks identified by ® and ™ are registered trademarks or trademarks, respectively, of Avaya Inc. All other trademarks are the property of their respective owners. The information provided in these Application Notes is subject to change without notice.