Avaya Solution & Interoperability Test Lab

Application Notes for Configuring Avaya VPNremote™ Phone with Juniper Secure Services Gateway using Policy-Based IPSec VPN and XAuth Enhanced Authentication – Issue 1.0

Abstract

These Application Notes describe the steps for configuring the Juniper Secure Services Gateway 520 Security Platform with a policy-based IPSec VPN and XAuth enhanced authentication to support the Avaya VPNremote™ Phone.
TABLE OF CONTENTS
1. Introduction ........ 3
1.1. Highlights ........ 3
2. Network Topology ........ 4
3.
1. Introduction

These Application Notes describe the steps for configuring the Juniper Secure Services Gateway 520 security appliance to support the Avaya VPNremote™ Phone. The Avaya VPNremote™ Phone is a software-based Virtual Private Network (VPN) client integrated into the firmware of an Avaya IP Telephone. This enhancement allows the Avaya IP Telephone to be plugged in and used seamlessly over a secure VPN from any broadband Internet connection.
Step 2. XAuth: the Juniper SSG XAuth server prompts the Avaya VPNremote Phone for user credentials (username and password). If the Avaya VPNremote Phone is configured to store user credentials in flash memory, the Avaya VPNremote Phone responds to the Juniper SSG with the stored credentials without user involvement. Otherwise the Avaya VPNremote Phone displays a prompt for username and password to be manually entered. Step 3.
Remote SOHO Office A consists of two Avaya VPNremote Phones connected to a Netgear broadband router. The Netgear router is configured as a firewall with NAT enabled as well as a local DHCP server. The VPNremote Phones in Remote Office A are configured to use SSG 520 A for IPSec tunnel termination. SSG 520 A assigns an IP address to the VPNremote Phones that is mapped to Network Region 2 in Avaya Communication Manager.
Figure 1: Physical Network

EMH; Reviewed: SPOC 9/27/06 Solution & Interoperability Test Lab Application Notes ©2006 Avaya Inc. All Rights Reserved. 6 of 42 vpnphone_ssg.
3. Equipment and Software Validated Table 2 lists the equipment and software/firmware versions used in the sample configuration provided.
2. From a web browser, enter the URL of the Juniper SSG WebUI management interface, https://, and the following login screen appears. Log in using a user name with administrative privileges.
3. The Juniper SSG WebUI administration home page appears upon successful login. Note the ScreenOS Firmware Version in the Device Information section.

4.2. Configure Juniper SSG Ethernet Interfaces

The Juniper SSG 520 has four built-in Ethernet interfaces, Ethernet 0/0 – Ethernet 0/3.
2. From the Ethernet 0/0 properties page, configure the highlighted fields shown below. All remaining fields can be left as default. Select OK to save.

Ethernet 0/0 connects to the private corporate network, making it a trusted interface. It is placed in the Trust security zone of the Juniper SSG. The Service Options selected and enabling Manageability are related to the interface being in the Trust zone.
Configure Ethernet 0/2 Interface:
1. From the Network Interfaces List screen, select Edit for Ethernet 0/2.
2. From the Ethernet 0/2 properties page, configure the highlighted fields shown below. All remaining fields can be left as default. Select OK to save.

Because Ethernet 0/2 is in the Untrust zone and not configured as manageable, all service options are disabled.
4.3. IP Address Pool

The XAuth protocol enables the Juniper SSG to dynamically assign IP addresses from a configured IP Address Pool range to IPSec clients such as the Avaya VPNremote Phone. Controlling the assignment of IP address ranges to Avaya VPNremote Phones enables Avaya Communication Manager to map the Avaya VPNremote Phones into IP Network Regions as described in Section 7.4. The following steps create the IP Address Pool:
1. From the left navigation menu, select Objects > IP Pools.
4.4. Routes

The sample configuration requires two new route entries to be added to the Juniper SSG routing table: one specifying the default route and one specifying the network address range entered for the IP Address Pool in Section 4.3. Although several routing options exist in the Juniper SSG platform, static routes are used for this sample configuration.

4.4.1. Configure Default Route
1.
2. Configure the highlighted fields shown below. All remaining fields can be left as default. Select OK to save.

The 0.0.0.0/0 network indicates the default route, used when no other match exists in the routing table. The next hop for this route is out interface Ethernet 0/2 toward the public Internet.
4.4.2. Configure Route to IP Pool Address Range
1. From the Route Entries screen, select trust-vr from the drop-down menu, then select New.
2. Configure the highlighted fields shown below. All remaining fields can be left as default. Select OK to save.

The IP Address / Netmask is the network used for the IP Address Pool in Section 4.3. The Gateway IP Address specifies the next hop route of the Trusted corporate network, the Extreme 3804 L2/L3 switch in the sample configuration.
4.5.1. IKE User

The following steps create an IKE user to be used by Avaya VPNremote Phones for IKE authentication.
1. From the left navigation menu, select Objects > User > Local > New. Configure the highlighted fields shown below. All remaining fields can be left as default. Select OK to save.

The Number of Multiple Logins with Same ID parameter specifies the number of end-points that can concurrently establish IPSec tunnels using this identity.
4.5.2. XAuth Users

Three XAuth user accounts, owen, garrett, and evan, are created in the sample configuration for users of the Avaya VPNremote Phones. The following steps create a user account for owen. Follow the same steps to create accounts for garrett and evan. The XAuth server of the Juniper SSG provides the authentication of these users. The users of the Avaya VPNremote Phone will need to be supplied with their user name and password.
2. The local Users list page displays the new XAuth users:

4.6. Local User Group Configuration

User groups have the benefit that one policy can be created for the user group and that policy automatically applies to all members of the group. This eliminates the need to create policies for each individual user. The sample configuration includes two different types of User Groups: IKE and XAuth. The IKE users and XAuth users created in Section 4.
2. The Local Groups list page displays the new IKE group:

4.6.2. XAuth User Group
1. From the left navigation menu, select Objects > User > Local Groups > New. Enter a descriptive Group Name. Select the owen, garrett and evan user names from the Available Members column on the right. Select the << icon to move the user names to the Group Members column on the left. Select OK to save.
2.
4.7. VPN

Setting up the VPN tunnel encryption and authentication is a two-phase process.
• Phase 1 covers how the Avaya VPNremote Phone and the Juniper SSG will securely negotiate and handle the building of the tunnel.
• Phase 2 sets up how the data passing through the tunnel will be encrypted at one end and decrypted at the other.
This process is carried out on both sides of the tunnel.
4.7.1. AutoKey IKE Gateway Configuration - Phase 1
1. From the left navigation menu, select VPNs > AutoKey Advanced > Gateway. Select New. Configure the highlighted fields shown below. All remaining fields can be left as default.

Provide a descriptive Gateway Name. Selecting Custom Security Level provides access to a more complete list of proposals available on this Juniper SSG. Selecting Dialup User Group associates the Group vpnphone-grp created in Section 4.6 to this IKE gateway.
Aggressive Mode must be used for end-point negotiation such as the Avaya VPNremote Phone. Enable NAT-Traversal allows IPSec traffic after Phase 2 negotiations are complete to traverse a Network Address Translation (NAT) device. The Juniper SSG first checks if a NAT device is present in the path between itself and the Avaya VPNremote Phone. If a NAT device is detected, the Juniper SSG uses UDP to encapsulate each IPSec packet.
3. Because the IKE group was selected in Step 1 above, a pop-up window similar to the one below is displayed as a reminder to enable the XAuth server. Section 4.8 provides the XAuth server configuration. Select OK.
4. The AutoKey Advanced > Gateway list page displays the new gateway.

4.7.2. AutoKey IKE VPN Tunnel Configuration - Phase 2
1. From the left navigation menu, select VPNs > AutoKey IKE. Select New. Configure the highlighted fields shown below. All remaining fields can be left as default.
2. Configure the highlighted fields shown below. All remaining fields can be left as default. Select Return to complete the advanced configuration, and then OK to save.

Select a Security Level of Custom and the appropriate Phase 2 Proposal from the drop-down menu. Refer to Table 3 – IKE P1 / P2 Proposals. Replay Protection protects the encrypted IPSec traffic from man-in-the-middle replay attacks by including a sequence number with each IKE negotiation between the IKE endpoints.
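As an added illustration, not code from these Application Notes or from ScreenOS, the following models the sequence-number check behind an IPSec Replay Protection option: the ESP anti-replay sliding window of RFC 4303, which rejects a packet whose sequence number is older than the window or has already been accepted. The window size and the sample sequence numbers are constructed.

```python
class AntiReplayWindow:
    """Sliding-window anti-replay check as described in RFC 4303 (ESP), section 3.4.3.

    `highest` is the largest sequence number accepted so far; bit i of `bitmap`
    records whether sequence number (highest - i) has already been accepted.
    A receiver applies this check only after the packet's integrity check passes;
    this class models the sequence-number decision alone.
    """

    def __init__(self, size=64):
        if size < 32:
            raise ValueError("RFC 4303 requires a window of at least 32")
        self.size = size
        self.highest = 0
        self.bitmap = 0

    def check(self, seq):
        """Return True if seq is acceptable (and record it), False if it is a replay."""
        if seq == 0:
            return False                      # 0 is never a valid ESP sequence number
        if seq > self.highest:
            # Newer than anything seen: slide the window right by the difference.
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 1               # everything previously seen falls out
            else:
                mask = (1 << self.size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False                      # older than the window: drop
        if self.bitmap & (1 << offset):
            return False                      # already accepted: replay
        self.bitmap |= 1 << offset            # late but new: accept once
        return True


def replay_demo():
    """Constructed arrival order: in-order, a duplicate, reordering, a stale replay,
    a large jump, a packet at the window's oldest edge, and one just past it."""
    window = AntiReplayWindow(64)
    return [window.check(s) for s in (1, 2, 3, 2, 5, 4, 1, 200, 137, 136)]
```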
3. The AutoKey IKE list page displays the new IKE VPN:

4.8. XAuth Configuration

The Juniper SSG has a “local” XAuth server integrated within the ScreenOS operating system. Alternatively, an external RADIUS server can be used. These Application Notes implement the “local” ScreenOS XAuth server. The following steps configure the default and IKE gateway specific settings of the local XAuth server.

4.8.1. XAuth Server Defaults
1.
4.8.2. Enable XAuth Authentication for AutoKey IKE Gateway
1. From the left navigation menu, select VPNs > AutoKey Advanced > Gateway. The list page displays the IKE gateway created in Section 4.7.1 as shown below. Select Xauth under the Configure column for the vpnphone-gw IKE gateway.
2. Configure the highlighted fields shown below. All remaining fields can be left as default. Select OK when complete to save settings.
4.9. H.323 ALG
1. From the left navigation menu, select Configuration > Advanced > ALG > Configure. Un-check the H323 check box to globally disable the H.323 Application Layer Gateway.

4.10. Security Policies
1. From the left navigation menu, select Policies. Any currently configured security policies are displayed. Create a security policy for traffic flowing from the Untrust zone to the Trust zone.
2. Configure the highlighted fields shown below. All remaining fields can be left as default. Select OK when complete to save settings.

Enter a descriptive policy Name to easily identify this policy in the policy list and logs. Selecting Dial-Up VPN from the Source Address drop-down menu and Any from the Destination Address defines the VPN tunnel as the traffic originator.
4. The Policies list page displays the new Dial-Up VPN policy:

5. Avaya VPNremote Phone Configuration

5.1. VPNremote Phone Firmware

The Avaya VPNremote Phone firmware must be installed on the phone prior to the phone being deployed in the remote location. See VPNremote for the 4600 Series IP Telephones Release 2.0 Administrator Guide for details on installing VPNremote Phone firmware.
option shown below. Press the * key to enter the VPN Options menu.

    VPN Start Mode: Boot
    *=Modify   #=OK

b. During Telephone Operation: While the VPNremote Phone is in an operational state, i.e. registered with Avaya Communication Manager, press the following key sequence on the telephone to enter VPN configuration mode: Mute-V-P-N-M-O-D-# (Mute-8-7-6-6-6-3-#). The following is displayed:

    VPN Start Mode: Boot
    *=Modify   #=OK

Press the * key to enter the VPN Options menu.
2.
    Authentication Alg:    Any
    Diffie-Hellman Group:  2
    Protected Net:
      Remote Net #1:       0.0.0.0/0

From the telephone keypad, press the telephone ► hard button to access the next screen with the following VPN configuration options.

    Copy TOS:              No
    File Srvr:             192.168.1.30
    Connectivity Check:    First Time

When the VPN configuration options have been set, press the Done softbutton. The following is displayed. Select # to save the configuration and reboot the phone.

    Save new values ?
    *=no   #=yes

6.
7. Avaya Communication Manager Configuration

All the commands discussed in this section are executed on Avaya Communication Manager using the System Access Terminal (SAT). This section assumes that basic configuration on Avaya Communication Manager has already been completed.

7.1. VPNremote Phone Configuration

An Avaya VPNremote Phone is configured the same as other IP telephones within Avaya Communication Manager.
Use the change ip-codec-set 2 command to define the G.729 codec as shown below.

    change ip-codec-set 2                                        Page 1 of 2
                                  IP Codec Set
        Codec Set: 2
        Audio Codec     Silence Suppression   Frames Per Pkt   Packet Size(ms)
     1: G.729           n                     3                30
     2:
     3:

Use the list ip-codec-set command to verify the codec assignments.

    list ip-codec-set
                                  IP CODEC SETS
    Codec Set   Codec 1   Codec 2   Codec 3   Codec 4   Codec 5
        1       G.711MU
        2       G.729
        3       G.711MU
        4       G.711MU

7.3.
7.4. IP Network Regions Configuration

Use the change ip-network-region 1 command to configure Network Region 1 parameters. Configure the highlighted fields shown below. All remaining fields can be left as default. Select a descriptive name for Name. Intra-region and Inter-region IP-IP Direct Audio determine the flow of RTP audio packets. Setting both to yes allows the most efficient audio path to be taken. Codec Set 1 is used for Network Region 1 as described in Section 7.2.
Use the change ip-network-region 2 command to configure Network Region 2 parameters. Configure the highlighted fields shown below. All remaining fields can be left as default.
8.2. VPNremote Phone IPSec stats Once the Avaya VPNremote Phone establishes an IPSec tunnel, registers with Avaya Communication Manager and becomes functional, from the telephone keypad, press the OPTIONS hard button (√ icon). From the telephone keypad, press the telephone ► hard button to access the next screen. Select the VPN Status… option. There are two screens of IPSec tunnel statistics displayed. Use the ► hard button to access the next screen.
From the Juniper SSG CLI, the ScreenOS debug ike basic and debug ike detail commands are useful for troubleshooting ISAKMP (IKE) tunnel setup (e.g., detect mis-matched proposals, can't find gateway, etc.). The get ike cookies command is also useful in getting status on existing IKE negotiations by displaying the completed IKE Phase 1 negotiations as shown below.
8.4. Overlapping Network Addresses

During the writing of these Application Notes, problems were observed if the private IP address range of the residential router is the same as the private IP address range within the corporate network. In the sample network configuration of these Application Notes, 192.168.1.0/24 is the private corporate network. The following characteristics occur if the residential router uses the same 192.168.1.
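A pre-deployment check for the overlap problem described above, added here as an example and not part of the Application Notes: given a remote site's LAN subnet, it reports any overlap with the corporate subnets reachable through the tunnel, and separately confirms that the XAuth IP pool is disjoint from those subnets so the static route of Section 4.4.2 is unambiguous. The corporate network 192.168.1.0/24 is from the Notes; the pool subnet and the remote LAN values are constructed placeholders.

```python
import ipaddress

# 192.168.1.0/24 is the private corporate network of the sample configuration.
CORPORATE_NETS = (ipaddress.ip_network("192.168.1.0/24"),)

# Assumed XAuth IP pool subnet (Section 4.3); a placeholder, not a value from the Notes.
XAUTH_POOL = ipaddress.ip_network("50.50.100.0/24")


def overlap_problems(residential_lan, corporate_nets=CORPORATE_NETS, pool=XAUTH_POOL):
    """Return human-readable findings for one remote site's LAN subnet.

    `residential_lan` may be given as a host address with prefix (e.g. the DHCP
    address the phone received); strict=False normalises it to its network.
    With Remote Net #1 set to 0.0.0.0/0 the phone sends everything non-local into
    the tunnel, so a LAN that shares a subnet with a corporate network cannot be
    told apart from tunnel destinations. A LAN that overlaps the pool would put
    the phone's tunnel address inside its own physical subnet, so report that too.
    """
    lan = ipaddress.ip_network(residential_lan, strict=False)
    findings = []
    for net in corporate_nets:
        if lan.overlaps(net):
            findings.append(f"remote LAN {lan} overlaps corporate network {net}")
    if lan.overlaps(pool):
        findings.append(f"remote LAN {lan} overlaps XAuth IP pool {pool}")
    return findings


def pool_is_disjoint(pool=XAUTH_POOL, corporate_nets=CORPORATE_NETS):
    """True when the pool shares no address with any corporate subnet."""
    return not any(pool.overlaps(net) for net in corporate_nets)


def site_report(sites):
    """Map each constructed site name to its findings; sites with none are clean."""
    return {name: overlap_problems(lan) for name, lan in sites.items()}


if __name__ == "__main__":
    # Constructed remote sites: Office A reuses the corporate subnet, Office B does not.
    for site, problems in site_report({"Office A": "192.168.1.5/24",
                                       "Office B": "192.168.2.0/24"}).items():
        print(site, problems or "no overlap")
```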
11. References
1. Juniper Networks: Concepts & Examples ScreenOS Reference Guide; Volume 5: Virtual Private Networks, Release 5.4.0, Rev. A. http://www.juniper.net/techpubs/software/screenos/screenos5.4.0/CE_v5.pdf
2. Secure Services Gateway (SSG) 500 Series Hardware Installation and Configuration Guide, ScreenOS Version 5.4.0. http://www.juniper.net/techpubs/hardware/netscreen-systems/netscreensystems54/SSG_HW_revA.pdf
3. Cameron R., Cantrell C., Killion D., Russell K., Tam K.
Appendix A: SSG 520 A CLI Configuration

    set clock timezone 0
    set vrouter trust-vr sharable
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    unset auto-route-export
    exit
    unset alg h323 enable
    set auth-server "Local" id 0
    set auth-server "Local" server-name "Local"
    set auth default auth server "Local"
    set auth radius accounting port 27911
    set admin name "netscreen"
    set admin password "nKVUM2rwMUzPcrkG5sWIHdCtqkAibn"
    set admin user "interop" password "nANqEgr5A3pAcWOEfs6NpNBteXJxQn" privilege "all"
    set adm
    set interface ethernet0/2 ip 100.2.2.
    set monitor cpu 100
    set nsmgmt bulkcli reboot-timeout 60
    set ssh version v2
    set ssh enable
    set config lock timeout 5
    set snmp port listen 161
    set snmp port trap 162
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    unset add-default-route
    set route 0.0.0.0/0 interface ethernet0/2 gateway 100.2.2.1 preference 20 permanent
    set route 50.50.100.
©2006 Avaya Inc. All Rights Reserved. Avaya and the Avaya Logo are trademarks of Avaya Inc. All trademarks identified by ® and ™ are registered trademarks or trademarks, respectively, of Avaya Inc. All other trademarks are the property of their respective owners. The information provided in these Application Notes is subject to change without notice.