RKD; Reviewed: SPOC 03/02/2012
Solution & Interoperability Test Lab Application Notes
©2012 Avaya Inc. All Rights Reserved.
1 of 17
96xx-VPN-SR2330

Avaya Solution & Interoperability Test Lab

Configuring an IPSec Tunnel between Avaya 96xx Series IP Phones and the Avaya Secure Router 2330 – Issue 1.0

Abstract

These Application Notes present a sample configuration for a remote user with an Avaya 96xx Phone with VPN (IPSec). The IPSec Tunnel is terminated in the corporate office location with an Avaya Secure Router 2330. For the sample configuration, once the Avaya 96xx Series IP Phone with VPN completes the tunnel negotiation with the SR2330, it will register to Avaya Aura® Communication Manager 6.01 with H.323 protocol.

Testing was conducted via the Internal Interoperability Program at the Avaya Solution and Interoperability Test Lab.

1. Introduction

The objective of these Application Notes is to verify interoperability between the Avaya 96xx Series IP phones with VPN mode enabled and the Avaya Secure Router 2330. Another objective is to confirm that Avaya one-X® Agent can place a call, log in to the call center and receive a call-center-directed call over a VPN tunnel established between an Avaya VPN Client and the Avaya Secure Router 2330. Creating a suitable test environment required installation and configuration of Avaya Aura® Communication Manager, Avaya Aura® Communication Manager Messaging, an Avaya G450 gateway, the Avaya Secure Router 2330 and two simulated home office environments. Each home office was equipped with a home router with NAT enabled, a 96xx Series IP phone with VPN mode enabled and a Windows PC capable of running Avaya one-X® Agent and Avaya VPN Client. The network for the test environment is shown in Figure 1.

Figure 1: Avaya Secure Router 2330 as a VPN Gateway for Home Office Users

1.1. Observations

The following observation was noted.

• The keepalive for the SR2330 is proprietary. When debug crypto all is set on the SR2330, the message Invalid Major Version is displayed every 60 seconds. It does not represent an error condition. It is used as a keepalive mechanism.

2. Equipment and Software Validated

The following equipment and software were used for the sample configuration provided:

    Equipment                                       Software
    ----------------------------------------------  ------------------------------
    Avaya Aura® Communication Manager               Release 6.01 R016x.00.1.510.1
                                                    Update: Service Pack 4
    Avaya Aura® Communication Manager Messaging     6.0.1-8.0
    Avaya Secure Router 2330                        10.3.2
    Avaya 96xx Series H.323 IP Phone                96xx-IPT-H323-R3_1_02_S-032111
    Avaya G450 Gateway                              Firmware: 30.12.1
    Avaya VPN client                                Release 10.05.012.0
    Avaya one-X® Agent                              Release 2.5.00467.0
    Avaya Ethernet Routing Switch 5520-24T-PWR      HW: 37 FW:6.0.0.10
                                                    SW:v6.2.0.008

3. Configure Avaya Secure Router 2330

These Application Notes assume the SR2330 is installed on the network and is in an operational state. The SR2330 must have an SR2330 VPN/IPSec card installed. All the configuration steps are performed on the command line interface with the proper authorization credentials. There is no web interface for the SR2330. To implement IPSec VPN on the SR2330, perform the following configuration tasks.

• Assign host name, configure Ethernet ports and default route
• Configure default routing
• Configure Untrusted and Trusted firewall
• Create IKE policies
    o Configure remote-id
    o Configure proposal 1
    o Configure client configuration

3.1. Assign host name, Configure Ethernet ports and Default Route

Change hostname to sr2330-1. Configure trusted and untrusted Ethernet interfaces. Configure the default route to go out the untrusted interface.

    hostname sr2330-1

    interface ethernet 0/1
      description trusted
      ip address 10.80.70.254 255.255.255.0
      ip proxy-arp
      crypto trusted
      exit ethernet
    interface ethernet 0/2
      description untrusted
      ip address 192.45.130.1 255.255.255.0
      crypto untrusted
      exit ethernet

3.2. Configure Untrusted (Internet) firewall

This example is a minimal firewall configuration.

    firewall internet
      interface ethernet0/2
      policy 110 in permit service ike self
        exit policy
      policy 115 in permit protocol udp port any 4500 self
        exit policy
      policy 117 in permit address 10.80.70.230 10.80.70.239 any any self
        exit policy
      policy 120 in permit address 10.80.70.240 10.80.70.250 any any self
        exit policy
      policy 130 in permit protocol tcp port any 17 self
        exit policy
      policy 140 in permit protocol icmp self
        exit policy
      exit firewall

3.3. Configure Trusted (Corp) firewall

    firewall corp
      interface ethernet0/1
      policy 100 in permit
        exit policy
      policy 107 out permit address 10.80.70.230 10.80.70.239 any any
        exit policy
      policy 108 in permit address 10.80.70.230 10.80.70.239 any any
        exit policy
      policy 109 out permit address 10.80.70.240 10.80.70.250 any any
        exit policy
      policy 110 in permit address 10.80.70.240 10.80.70.250 any any
        exit policy
      policy 1024 out permit
        exit policy
      exit firewall

3.4. Create IKE Policies

Two IKE policies were configured. The ip9600 policy is for the 96xx series IP phones running the VPN firmware. The vpnclient policy is used by the Windows VPN client. The ipsec policy ip9600 and ipsec policy vpnclient are created as a result of the IKE policies.

    crypto
      dynamic
        exit dynamic
      contivity-iras
        ike policy ip9600
          local-address 192.45.130.1
          remote-id user-name "1adgjm" 1adgjm
          proposal 1
            dh-group group2
            encryption-algorithm 3des-cbc
            exit proposal
          client configuration
            address-pool 1 10.80.70.240 10.80.70.250
            private-side-address 10.80.70.254
            keepalive
              enable
              interval 60
              exit keepalive
            split-tunnel
              mode enabled
              network 10.80.70.0 24
              exit split-tunnel
            nat-keepalive 20
            exit configuration
          exit policy
        ike policy vpnclient
          local-address 192.45.130.1
          remote-id user-name "client01" client123
          remote-id user-name "client02" client123
          proposal 1
            dh-group group2
            encryption-algorithm 3des-cbc
            exit proposal
          client configuration
            address-pool 1 10.80.70.230 10.80.70.239
            private-side-address 10.80.70.254
            keepalive
              enable
              interval 60
              exit keepalive
            split-tunnel
              mode enabled
              network 10.80.70.0 24
              exit split-tunnel
            nat-keepalive 20
            exit configuration
          exit policy
        ipsec policy ip9600
          proposal 1
            lifetime seconds 3600
            exit proposal
          exit policy
        ipsec policy vpnclient
          proposal 1
            lifetime seconds 3600
            exit proposal
          exit policy
        exit contivity-iras

4. Configure Avaya 96xx Series H.323 IP Phone

4.1. 96xx Series IP Phone Firmware

The Avaya 96xx Series VPN-Enabled IP Phone firmware must be installed on the phone prior to the phone being deployed in the remote location. The firmware version of Avaya IP telephones can be identified by viewing the version displayed on the phone upon boot up or when the phone is operational. Press Mute CRAFT(27238) # and arrow down to View. Press the Start button and arrow down to Application File. The application file is hb96xxua3_1_02_S.bin. Press back and exit to return to the screen displaying the extension.

4.2. Configuring Avaya 96xx Series IP Phone

The Avaya 96xx Series IP Phone configuration can be administered centrally from an HTTP server through the 46xxsettings.txt file or locally on the phone. The parameters that need to be modified are listed below. Use the default value for all other VPN parameters.

    SET NVVPNMODE = 1             Enable VPN mode
    SET NVVPNCFGPROF = 11         Profile for Nortel Contivity. When set to 11,
                                  NVIKECONFIGMODE is set to 1, NVIKEEXCHGMODE is
                                  set to 1 and NVIKEIDTYPE is set to 11
    SET NVSGIP = 192.45.130.1     The IP address of the Secure Gateway
    SET NVIKEP1ENCALG = 2         Set IKE Phase 1 encryption to 3DES
    SET NVIKEP2ENCALG = 2         Set IKE Phase 2 encryption to 3DES
    SET NVIKEP1AUTHALG = 2        Set IKE Phase 1 authentication to SHA1
    SET NVIKEP2AUTHALG = 2        Set IKE Phase 2 authentication to SHA1
    SET NVMCIPADD = 10.80.70.24   Set the IP address of the Call Server
    SET NVHTTPSRVR = 10.80.70.25  Set the IP address of the HTTP server
    SET NVVPNSVENDOR = 5          Set the Vendor to Nortel
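
The phone parameters above only bring the tunnel up if they agree with the IKE policy configured on the SR2330 in Section 3.4. The following consistency check is an added example, not part of the Avaya Application Notes: it parses excerpts of both configurations (values copied from this page) and reports mismatches. The function names parse_phone, parse_router and audit are hypothetical, and the parsing assumes the line layout shown on this page.

```python
import ipaddress
import re

# Values copied from this page's sample SR2330 IKE policy and phone settings.
SR2330 = """\
ike policy ip9600
  local-address 192.45.130.1
  encryption-algorithm 3des-cbc
  address-pool 1 10.80.70.240 10.80.70.250
  network 10.80.70.0 24
"""
PHONE = """\
SET NVSGIP = 192.45.130.1
SET NVIKEP1ENCALG = 2
SET NVMCIPADD = 10.80.70.24
SET NVHTTPSRVR = 10.80.70.25
"""

def parse_phone(text):
    """Return {name: value} from SET lines, with or without '='."""
    return dict(re.findall(r"^SET\s+(\w+)\s*=?\s*(\S+)", text, re.M))

def parse_router(text):
    """Extract the IKE policy fields that the phone side must agree with."""
    def field(name):
        return re.search(rf"^\s*{name} (.+)$", text, re.M).group(1).split()
    return {
        "gateway": field("local-address")[0],
        "cipher": field("encryption-algorithm")[0],
        "pool": [ipaddress.ip_address(a) for a in field(r"address-pool \d+")],
        "split": ipaddress.ip_network("/".join(field("network"))),
    }

def audit(router_text, phone_text):
    """Return the mismatches between the two ends of the tunnel."""
    r, p, issues = parse_router(router_text), parse_phone(phone_text), []
    if p.get("NVSGIP") != r["gateway"]:
        issues.append("NVSGIP does not match IKE local-address")
    # The page maps NVIKEP1ENCALG = 2 to 3DES; flag if only one side uses it.
    if (p.get("NVIKEP1ENCALG") == "2") != (r["cipher"] == "3des-cbc"):
        issues.append("Phase 1 cipher differs between phone and router")
    # Client addresses must fall inside the network sent through the tunnel.
    if any(a not in r["split"] for a in r["pool"]):
        issues.append("address pool outside split-tunnel network")
    # With split tunnelling, only the listed network is reachable over the VPN.
    for key in ("NVMCIPADD", "NVHTTPSRVR"):
        if ipaddress.ip_address(p.get(key, "0.0.0.0")) not in r["split"]:
            issues.append(f"{key} not reachable through split tunnel")
    return issues
```

Calling audit(SR2330, PHONE) on the page's values returns an empty list; any returned string names the setting to correct before the phone is sent to the remote site.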

5. Configure Avaya VPN Client

Double-click on the Avaya VPN Client icon. Create a profile by clicking on Edit the Profile.

Click on New. The following screen will be displayed.

Create a new VPN client profile. Input a Profile Name. Leave Tunnel Type: IPSec as the default. Input the (Secure Router) IP address in the Destination field. Under the Authentication Type section, select “Username and Password” (it is the default selection). Under the Authentication Information section, enter the Username and Password.

Click Save and Close.

Click Connect to establish a VPN connection.

6. Verification Steps

The following steps can be used to verify installation in the field.

1. Verified VPN connections from IP phones.
2. Verified VPN connections from Windows VPN clients.
3. Verified a call placed from a home office user was correctly routed to another home office user.
4. Verified that a message could be left for a home office IP phone and that the message waiting indicator turned on while the IPSec VPN Tunnel is connected.
5. Verified one-X Agent successfully logged in to Communication Manager with an Agent ID and a phone extension.
6. Verified that a call from the PSTN to the Call Center routed correctly to an available agent.

6.1. Verify IP phone VPN Client Connections

Verify the IP phones have established a VPN tunnel by using the SR2330 command show crypto clients all.

6.2. Verify Windows VPN Client Connections

Bring up a command prompt window. Type in ipconfig and find the local and VPN interfaces. The VPN interface will have an IP address (10.80.70.230) assigned from the IP address pool configured under the IKE policy client configuration on the SR2330.

The correct operation of the Avaya VPN client can be verified by right-clicking on the VPN client toolbar icon and selecting Status. The duration of the connection as well as the encryption and authentication algorithms that were negotiated can be seen.

7. Conclusion

As illustrated in these Application Notes, Avaya 96xx IP phones with VPN can interoperate with the Avaya Secure Router 2330. The Avaya VPN client and Avaya one-X Agent interoperate as well.

8. Additional References

Product documentation for Avaya products may be found at http://support.avaya.com

1. Installation – Chassis, Avaya Secure Router 2330 Release 10.3, Doc ID NN47263-304, 02.01
2. Quick Start Avaya Secure Router 2330 Release 10.3, Doc ID NN47263-104
3. Security-Configuration and Management, Avaya Secure Router 2330/2330 Release 10.3, Doc ID NN47263-600, October 2010
4. 9600 Series H323 Release 6.0 Service Pack 4.1 Readme, 15-Jun-2011
5. Installing and Configuring Avaya one-X® Agent, Release 2.5, March 31, 2011
6. Avaya one-X Deskphone Edition for 9600 Series IP Telephones Administrator Guide Release 3.1, Doc ID 16-300698, Issue 7, November 2009
7. VPN Setup Guide for 9600 Series IP Telephones Release 3.1, Doc ID 16-602968, Issue 1, November 2009

©2012 Avaya Inc. All Rights Reserved.

Avaya and the Avaya Logo are trademarks of Avaya Inc. All trademarks identified by ® and ™ are registered trademarks or trademarks, respectively, of Avaya Inc. All other trademarks are the property of their respective owners. The information provided in these Application Notes is subject to change without notice. The configurations, technical data, and recommendations provided in these Application Notes are believed to be accurate and dependable, but are presented without express or implied warranty. Users are responsible for their application of any products specified in these Application Notes.

Please e-mail any questions or comments pertaining to these Application Notes along with the full title name and filename, located in the lower right corner, directly to the Avaya Solution & Interoperability Test Lab at [email protected]