VPNremote for the 4600 Series IP Telephones Release 2.
© 2006 Avaya Inc. All Rights Reserved.

Notice

While reasonable efforts were made to ensure that the information in this document was complete and accurate at the time of printing, Avaya Inc. can assume no liability for any errors. Changes and corrections to the information in this document may be incorporated in future releases.

Documentation disclaimer

Avaya Inc.
About this book

The guide provides network administrator and end-user configuration information for the Avaya VPNremote for the 4600 Series IP Telephones. This document is to be used in conjunction with the Avaya 4600 Series IP Telephone LAN Administrator Guide. In the following pages, information is provided describing configuration of the Avaya VPNremote for the 4600 Series IP Telephones (VPNremote Phone) from the Administrator’s perspective, including items that should be noted as part of installation.
Related Documentation

● Request For Comments (RFC)
The following RFCs have been implemented: 2401, 2407, 2408, 2409, 3715, 3947, 3948, 2406, 2411.
http://www.ietf.org/html.charters/OLD/ipsec-charter.html

The following documents are available on the Web site under Find Documentation and Downloads by Name:

● Avaya VPNremote for the 4600 Series IP Telephones User Installation and Configuration Quick Start (19-601608).
● Remote Feature Activation (RFA)
Getting Started with Remote Feature Activation (03-300484)
The Getting Started With Remote Feature Activation (RFA) guide has been developed to provide information about products as they pertain to RFA. It is not intended to replace high-level technical information that is available from various documentation guides.
Chapter 1: Introduction

The Avaya VPNremote for 4600 Series IP Telephones (VPNremote Phone) is an Avaya H.323 IP Telephone with an integrated virtual private network (VPN) client and an advanced web-enabled graphical display.

VPNremote Phone overview

The VPNremote Phone provides enterprise telephony services at a remote or small office home office (SOHO) location through a secure VPN connection to the user’s Enterprise Communication Manager infrastructure.
VPNremote Phone features in Release 2

The following summarizes a number of significant feature, performance, and usability enhancements provided by VPNremote Phone, Release 2.

● Third-party devices – Beginning in this release, the VPNremote Phone supports the following third-party devices:

Supported Device                                   Minimum Software Requirement
Cisco VPN 3000 Series Concentrators                Any
Cisco PIX 500 Series Security Appliances           Any
Juniper Networks NetScreen series VPN devices      Screen OS 5.1.
VPNremote Phone features in Release 1

The following summarizes a number of significant feature, performance, and usability enhancements provided by VPNremote Phone, Release 1.

● H.323 IP Telephone – The VPNremote Phone is a fully featured Avaya H.323 IP Telephone. The H.323 IP Telephone includes the following features:
- A large display area that allows up to 12 application-specific buttons to be presented and labeled at one time.
Chapter 2: Configuration

This section provides administrators with information on how to configure the Avaya VPNremote for 4600 Series IP Telephone as a VPNremote Phone. It is recommended that administrators configure the Avaya VPNremote for 4600 Series IP Telephone (VPNremote Phone) for the end user.
Preparing Communication Manager for the VPNremote Phone

A VPNremote Phone is configured the same as other IP telephones on the Avaya Media Server running Avaya Communication Manager. Even though the VPNremote Phone is physically located outside of the corporate network, the VPNremote Phone will behave the same as other Avaya IP telephones located on the LAN once the VPN tunnel has been established.
Preparing the Avaya Security Gateway for the VPNremote Phone

VPNremote Phone users who log in to the VPN through the Avaya security gateway must have their user authentication configured on that security gateway. The user authentication configuration allows VPN traffic to flow through the corporate firewalls to the security gateway. VPN traffic is remote traffic that has traversed the VPN tunnel. As a minimum, you must configure a user name and the password for each remote user.
Table 1: Supported devices system parameters (continued)

Columns: Supported Device, System Parameter Values

Juniper Networks NetScreen series VPN devices: Set the following values:
Juniper Networks Secure Services Gateway 500 Series devices: Set the following values:
Juniper Networks Integrated Security Gateway (ISG) Series devices: Set the following values:
Any Security Device (Generic) with Preshared Key (PSK): Set the following values:
Any Security Device (Generic) with IKE Extended Authentica
Converting an IP Telephone to VPN IP Telephone

Use the following procedure and the telephone key pad to convert a non-VPNremote IP telephone into a VPNremote telephone:

1. Allow the telephone to initialize and register with Communication Manager.
2. After the phone is registered, set the GROUP for each phone you want to upgrade to a VPN IP telephone to 876. To initiate the GROUP command from the telephone key pad, press: Mute 4-7-6-8-7 #
3.
5. Upon completion of the download, the telephone will restart. Upon restart, the telephone will attempt to establish a VPN connection. To complete the configuration, you must configure the user VPN settings.

Configuring the VPN Settings

Once the firmware has successfully downloaded to the IP Telephone, you are now ready to configure the VPN settings. The 46XXvpnsettings.txt file is populated with the settings that are used by the VPNremote Phone to create the VPN tunnels.
6. Enter the user name using the telephone key pad. Press the alpha-numeric keys until the desired letter appears. Use the Case button, or fifth gray button, to switch between upper-case letters and lower-case letters. Use the left and right arrow keys at the bottom of the display to move left or right in the user name. Press the Done button at the lower left corner of the display to return to the configuration options.
7.
Appendix A: Avaya VPNremote for 4600 Series IP Telephones Installation Checklist

The checklist on the following page is provided for your convenience for supplying your users with essential installation information.

Table 2: VPNremote Phone Installation Checklist

Columns: Item, Value, Description

VPNremote Phone IP Address: The default value is 0.0.0.0 when using DHCP. If the SOHO network uses DHCP, set this value to 0.0.0.0 # (default value).
Table 2: VPNremote Phone Installation Checklist (continued)

Columns: Item, Value, Description

VPNremote Phone password: Depending on the telephony configuration, this password may or may not be the same password as your office telephone. Check with your telephony administrator to confirm your password.
VPN server: This is the public IP address of the security gateway.
VPN user name: End user will enter.
VPN password: End user will enter.
Appendix B: Troubleshooting

This chapter describes problems that might occur during installation and configuration of the Avaya VPNremote for 4600 Series IP Telephones and possible ways of resolving these problems. This chapter contains the following sections:

● Descriptions of error conditions and methods for resolving them.
● Error and status messages, and methods for resolving them.
SSL Connection Failure

● Confirm security device is accepting SSL connections
This requires access to the device’s Web interface or SSH access.

General Phone Errors and Behaviors

● Contact DHCP/TFTP administrator, L2Q parms in option 43/176 or xxx.SCR script file.

The VPNremote Phone is experiencing a looping condition. This condition is caused by the gateway IP address being set to 0.0.0.0. Change the device IP address to the static security device IP address or DHCP.

● Loading …….
Error and Status Messages

The 4600 Series IP Telephones issue messages in English only. The IP telephones also display messages from the switch, which can issue messages in the local language outside the United States.

Note: The following error messages are for the VPNremote Phone only. For additional information on the 4600 Series IP Telephone error messages, see the 4600 Series IP Telephone, Release 2.2.1, Installation Guide.
Table 3: VPN Tunnel Setup Failures (continued)

Error Message: Server authentication mechanism failing
Avaya Profile: Yes
Third-Party Profile: N/A
Possible Cause: An externally configured authentication source (Radius Server) and Security Gateway cannot communicate.
Possible Solution: Verify communication with external authentication source.

Error Message: IKE Phase 1 no response
Avaya Profile: Yes
Third-Party Profile: Yes
Possible Cause: Security device is busy.
Table 3: VPN Tunnel Setup Failures (continued)

Columns: Error Message, Avaya Profile, Third-Party Profile, Possible Cause, Possible Solution

IKE Phase 2 no response. No Yes Security device is busy. Verify IKE proposal is correct, disable vendor-specific features, and/or verify protected IP groups. IKE phase 2 proposal is mismatched. Vendor-specific features are enabled. List of protected IP groups do not match. Failed to reach known host. IKE Preshared key (PSK) mismatch.
Table 3: VPN Tunnel Setup Failures (continued)

Columns: Error Message, Avaya Profile, Third-Party Profile, Possible Cause, Possible Solution

DNS needed for resolving security device name. Yes Yes The system could not resolve the security device fully qualified domain name (FQDN). Check the DNS server connection. Verify that the FQDN is correct. DNS query sent to resolve security device FQDN failed or has timed out. Security device name resolution failed.
Table 4 describes the list of all error messages that pertain to the VPN tunnel setup failures that the VPNremote Phone might display.

Table 4: Authentication Errors

Error Message: Authentication failure, User Blocked
Possible Cause: User is blocked for “x” minutes from “x” number of incorrect logins.

Error Message: Invalid password OR user name
Possible Cause: Incorrect user name or password entered.

Error Message: Phone brand rejected by SG
Possible Cause: Incorrect phone brand configured on gateway.
Appendix C: System Parameters Customization

For additional definitions and information on how to change IP telephone parameters, see the Avaya 4600 Series IP Telephone, Release 2.3, LAN Administrator Guide, Server Administration chapter, Administering Options for the 4600 Series IP Telephones.

The parameters in Table 5 are configurable to desired values in the Script File. For additional information on the Script File, see the Avaya 4600 Series IP Telephone, Release 2.
Table 5: VPNremote for 4600 Series IP Telephones Customizable System Parameters (continued)

Parameter Name: NVVPNCFGPROF
Default Value: NONE
Description and Value Range: This parameter controls the VPN configuration profile for the device vendor and device type. Valid value is one ASCII numeric digit, 1, 3, 5, 6 and NONE.
Table 5: VPNremote for 4600 Series IP Telephones Customizable System Parameters (continued)

Parameter Name: NVVPNAUTTYPE
Default Value: 2
Description and Value Range: This parameter is valid when NVVPNCFGPROF is set to 1 (Avaya security gateway). If the Avaya security gateway software version is 4.0 or higher, the default value does not need to be changed. Controls user authentication mode. Valid value is one ASCII numeric digit, 1 and 2.
Table 5: VPNremote for 4600 Series IP Telephones Customizable System Parameters (continued)

Parameter Name: NVSECSGIP
Default Value: “” (Null)
Description and Value Range: This is the secondary IP address or the secondary fully qualified domain name of the Avaya Security Gateway (SG).
Table 5: VPNremote for 4600 Series IP Telephones Customizable System Parameters (continued)

Parameter Name: NVBACKUPSGIP
Default Value: “” (Null)
Description and Value Range: This parameter controls the back up IP address or the back up fully qualified domain name of the security device. If the VPN Client could not connect to the primary security device, VPN Client attempts to connect to the security devices in this list.
Example: To set the device backup IP address to 10.1.1.2, bk1sg.mycompany.
Table 5: VPNremote for 4600 Series IP Telephones Customizable System Parameters (continued)

Parameter Name: NVVPNUSER
Default Value: “” (Null)
Description and Value Range: This parameter controls the user name to be used during authentication and VPN tunnel setup. Each VPNremote Phone should be configured with a unique user name.
Example: To set the user name as the device mac address, use the following command:
Table 5: VPNremote for 4600 Series IP Telephones Customizable System Parameters (continued)

Parameter Name: NVVPNPSWDTYPE
Default Value: 1
Description and Value Range: This parameter controls the type of VPN passwords. Valid value is one ASCII numeric digit, 1 to 4. Values are:
1 = The password is saved in non-volatile memory.
2 = The password is erased when you turn off power to the telephone.
Example: To set the password type to 2, use the following command:
    SET NVVPNPSWDTYPE 2
Table 5: VPNremote for 4600 Series IP Telephones Customizable System Parameters (continued)

Parameter Name: NVVPNFILESRVR
Default Value: Null ("")
Description and Value Range: This parameter contains the URL of the file server.
Table 5: VPNremote for 4600 Series IP Telephones Customizable System Parameters (continued)

Parameter Name: NVVPNCOPYTOS
Default Value: 2
Description and Value Range: This parameter controls whether TOS bits are copied from the inner header to the outer header, or not copied at all.
Table 5: VPNremote for 4600 Series IP Telephones Customizable System Parameters (continued)

Parameter Name: NVWEBLMURL
Default Value: http://XX.XX.XX.XX:8080/WebLM/LicenseServer
Description and Value Range: This parameter contains the Web LM licensing server URL information. Multiple WebLM licensing server URLs are separated by commas.
Example: To set the Web LM value, use the following command:
    SET NVWEBLMURL http://XX.XX.XX.XX:8080/WebLM/LicenseServer
Table 5: VPNremote for 4600 Series IP Telephones Customizable System Parameters (continued)

Parameter Name: NVVPNENCAPS
Default Value: 0
Description and Value Range: This parameter contains the method of UDP encapsulation. Values are:
0 = 4500-4500
1 = Disable
2 = 2070-500
4 = RFC (3947 and 3948)
Example: To set the UDP encapsulation value to 1 when the script file is not downloaded through the VPN tunnel, use the following command:
    IF $VPNACTIVE SEQ 1 goto skipencaps
    SET NVVPNENCAPS 1
    # skipencaps
Table 5: VPNremote for 4600 Series IP Telephones Customizable System Parameters (continued)

Parameter Name: NVVPNCONCHECK
Default Value: 1
Description and Value Range: This parameter decides if the connectivity check should be performed after establishing the VPN tunnel, and how it should behave in the event of connectivity check failure.
Table 5: VPNremote for 4600 Series IP Telephones Customizable System Parameters (continued)

Parameter Name: VPNMONFRQ
Default Value: 0
Description and Value Range: This value contains the frequency of VPN monitoring syslog message in minutes. If a syslog server IP address is specified (LOGSRVR) and VPNMONFRQ contains a valid value, VPNremote Phone sends a syslog message every VPNMONFRQ minutes.
Example: To set the VPN monitoring frequency, use the following command:
    SET VPNMONFRQ 20
Table 5: VPNremote for 4600 Series IP Telephones Customizable System Parameters (continued)

Parameter Name: ALWCLRNOTIFY
Default Value: 0
Description and Value Range: This parameter contains the policy that defines ISAKMP NOTIFICATION messages. These messages can be in the clear or encrypted. If this value is 0, any notification sent in the clear should be ignored by ISAKMP.
Table 5: VPNremote for 4600 Series IP Telephones Customizable System Parameters (continued)

Parameter Name: ALWSTOPVPN
Default Value: 1
Description and Value Range: This parameter contains the policy that defines if the user is allowed to stop VPN while connected to the call server. Values are:
1 = enable
2 = disable

Parameter Name: EXTVPNS
Default Value: Null ("")
Description and Value Range: This parameter contains the list of security device IP addresses. These addresses are used to connect to the Enterprise network from an external source.
The parameters in Table 6 are configurable in the Script File when the parameter NVVPNCFGPROF is set to 1. For additional information on the Script File, see the Avaya 4600 Series IP Telephone, Release 2.4, LAN Administrator Guide, Server Administration chapter, Contents of the Upgrade Script section. We recommend that you administer options on the 4600 Series IP Telephones using script files.
Table 6: VPNremote for 4600 Series IP Telephones Specific Customizable System Parameters (continued)

Parameter Name: NVIKEID
Default Value: VPNPHONE
Description and Value Range: This parameter controls the IKE identifier. The IKE identifier is used during phase 1 negotiation. Length of the string cannot exceed 30 characters.
Example: To set the IKE identifier as phones@sales.
Table 6: VPNremote for 4600 Series IP Telephones Specific Customizable System Parameters (continued)

Parameter Name: NVIPSECSUBNET
Default Value: 2
Description and Value Range: This parameter contains the IP subnet and masks that are protected by the security device. Multiple subnet and masks are separated by commas. The length of the individual URL cannot be more than 128 characters. The combined length of all the subnet and masks strings cannot be more than 5.
Table 6: VPNremote for 4600 Series IP Telephones Specific Customizable System Parameters (continued)

Parameter Name: NVIKEDHGRP
Default Value: 2
Description and Value Range: This parameter contains the value of Diffie-Hellman (DH) group. The DH group is used during phase 1 negotiation.
Table 6: VPNremote for 4600 Series IP Telephones Specific Customizable System Parameters (continued)

Parameter Name: NVIKEP1ENCALG
Default Value: 0
Description and Value Range: This parameter contains the encryption algorithms to propose for IKE phase 1 security association.
Table 6: VPNremote for 4600 Series IP Telephones Specific Customizable System Parameters (continued)

Parameter Name: NVIKEP2ENCALG
Default Value: 0
Description and Value Range: This parameter contains the encryption algorithms to propose for IKE phase 2 security association.
Table 6: VPNremote for 4600 Series IP Telephones Specific Customizable System Parameters (continued)

Parameter Name: NVIKEP1AUTHALG
Default Value: 0
Description and Value Range: This parameter contains the authentication algorithms to propose for IKE phase 1 security association. Values are:
0 = ANY
1 = MD5
2 = SHA1
The security device selects the algorithm mandated by the administrator. Priority order of algorithms proposed by the VPNremote Phone is MD5, SHA1.
Table 6: VPNremote for 4600 Series IP Telephones Specific Customizable System Parameters (continued)

Parameter Name: NVVPNENCAPS
Default Value: 0
Description and Value Range: This parameter contains the method of UDP encapsulation. Values are:
0 = 4500-4500
1 = Disable
2 = 2070-500
4 = RFC (3947 and 3948)
Example: To set the UDP encapsulation value to 1 when the script file is not downloaded through the VPN tunnel, use the following command:
    IF $VPNACTIVE SEQ 1 goto skipencaps
    SET NVVPNENCAPS 1
    # skipencaps
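A pre-deployment check for the script-file settings described in Tables 5 and 6, as an added example that is not Avaya's code: it reads SET lines and reports values outside the ranges this guide lists, plus the cross-parameter conditions the tables state. The function names and the sample file are constructed for illustration, and IF/goto lines are skipped rather than evaluated.

```python
import re

# Value ranges as listed in Tables 5 and 6 of this guide.
ALLOWED = {
    "NVVPNCFGPROF": {"1", "3", "5", "6", "NONE"},
    "NVVPNAUTTYPE": {"1", "2"},
    "NVVPNPSWDTYPE": {"1", "2", "3", "4"},
    "NVVPNENCAPS": {"0", "1", "2", "4"},
    "NVIKEP1AUTHALG": {"0", "1", "2"},
    "ALWSTOPVPN": {"1", "2"},
}
SET_RE = re.compile(r"^\s*SET\s+(\S+)\s+(.*?)\s*$")

# Constructed sample settings file, not taken from a real deployment.
SAMPLE = """\
SET NVVPNCFGPROF 3
SET NVVPNAUTTYPE 2
SET NVVPNPSWDTYPE 5
SET NVIKEID phones-group-name-that-is-far-too-long
IF $VPNACTIVE SEQ 1 goto skipencaps
SET NVVPNENCAPS 1
# skipencaps
SET VPNMONFRQ 20
"""


def parse_sets(text):
    """Return {name: (value, line_no)} for SET lines; the last SET wins.

    Assumption: IF/goto lines and '# label' lines are skipped, not evaluated.
    """
    settings = {}
    for no, line in enumerate(text.splitlines(), 1):
        m = SET_RE.match(line)
        if m:
            settings[m.group(1)] = (m.group(2).strip('"'), no)
    return settings


def audit(text):
    """Return sorted (line_no, parameter, message) findings; line 0 = default in effect."""
    s = parse_sets(text)
    out = []
    for name, (value, no) in s.items():
        if name in ALLOWED and value not in ALLOWED[name]:
            out.append((no, name, f"value {value!r} is outside the documented range"))
    if "NVIKEID" in s and len(s["NVIKEID"][0]) > 30:
        out.append((s["NVIKEID"][1], "NVIKEID", "IKE identifier exceeds 30 characters"))
    profile = s.get("NVVPNCFGPROF", ("NONE", 0))[0]
    if "NVVPNAUTTYPE" in s and profile != "1":
        out.append((s["NVVPNAUTTYPE"][1], "NVVPNAUTTYPE",
                    "only valid when NVVPNCFGPROF is 1"))
    if "VPNMONFRQ" in s and s["VPNMONFRQ"][0] != "0" and "LOGSRVR" not in s:
        out.append((s["VPNMONFRQ"][1], "VPNMONFRQ",
                    "no LOGSRVR set, so no monitoring syslog messages are sent"))
    pwd = s.get("NVVPNPSWDTYPE", ("1", 0))  # the documented default is 1
    if pwd[0] == "1":
        out.append((pwd[1], "NVVPNPSWDTYPE",
                    "password is saved in non-volatile memory (type 1)"))
    return sorted(out)


if __name__ == "__main__":
    for no, name, msg in audit(SAMPLE):
        print(f"line {no}: {name}: {msg}")
```
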