
Avaya Solution & Interoperability Test Lab

Configuring IPSec Tunnel between Avaya 96xx Series IP Phones and the Avaya Secure Router 4134 Issue 1.0
Abstract
These Application Notes present a sample configuration for a remote user with an Avaya 96xx Series IP Phone with VPN (IPSec). The IPSec tunnel is terminated at the corporate office location by an Avaya Secure Router 4134 VPN gateway. In the sample configuration, once the Avaya 96xx Series IP Phone with VPN completes the tunnel negotiation with the SR4134, it registers to Avaya Aura Communication Manager 6.2 using the H.323 protocol. The Secure Router 4134 VPN gateway provides a secure IPSec tunnel between the remote 96xx phone and Avaya Aura Communication Manager. Testing was conducted at the Avaya Solution and Interoperability Test Lab.

RN; Reviewed: SPOC 1/15/2013

Solution & Interoperability Test Lab Application Notes 2013 Avaya Inc. All Rights Reserved.

1 of 17 SR4134_VPN_96xx

1. Introduction
The objective of these Application Notes is to verify interoperability between the Avaya 96xx Series IP phones with VPN mode enabled and the Avaya Secure Router 4134. A further objective is to confirm that Avaya 96xx IP phones can log in, place a call and receive a call over a VPN tunnel established via the Avaya Secure Router 4134. Creating a suitable test environment requires installation and configuration of Avaya Aura Communication Manager, Avaya Aura Messaging, an Avaya G650 gateway, the Avaya Secure Router 4134 VPN gateway and a simulated home office environment. The home office should be equipped with a home router with NAT enabled and a 96xx Series IP phone with VPN mode enabled. The network for the test environment is shown in Figure 1 in Section 3.

2. Interoperability Testing
User Administration: Remote user authentication and registration with Avaya Aura Communication Manager R6.2 SP1 and Avaya Secure Router 4134 R10.3.2 was covered in this testing. This testing exercised the ability of the 96xx series H.323 phones to make use of the Avaya Aura Communication Manager calling features when registered to Avaya Aura Communication Manager over the VPN IPSec tunnel. It also exercised the ability of phones at the home office to leave and retrieve voicemail for corporate (headquarters) users and other branch users while the VPN tunnel was connected. This test specification document covers the following product interactions for the SR4134:
  - Avaya Aura Messaging 6.2
  - Avaya Aura Communication Manager 6.2 SP1
  - Avaya Aura System Manager
  - Avaya Aura Session Manager 6.2
  - Avaya Aura Meeting Exchange 6.2

In the Home Office Site: VPN-enabled 96xx series phones were used as testing endpoints.

In the Corporate Network: The endpoints at the corporate network were tested for interactions with 96xx, 96x1, one-X Communicator (SIP and H.323) along with 11xx, 12xx (SIP) and ADVD phones. The test scenarios were executed with combinations of IP audio codecs, i.e. G.711A/Mu, G.726, G.723.1 and G.729AB, along with IP shuffling and Direct Media.


2.1. Test Description and Coverage


The interoperability testing focused on verifying interoperability between the Avaya 96xx Series IP phones with VPN mode enabled and the Avaya Secure Router 4134 within the Avaya Aura architecture. Verification of interoperability with the Avaya Aura architecture included Avaya Aura Communication Manager feature testing and integration with Avaya Aura Messaging and Avaya Aura Meeting Exchange 6.2. The following categories of tests were executed:
  1. Calls from the home office to other phones in the same home office.
  2. Calls from the home office to phones in the corporate network.
  3. Voice mail for calls between the home office and the corporate network while the VPN tunnel is connected.
  4. Calls to Meeting Exchange, joining and leaving a conference.

Test coverage included basic telephony features (hold, transfer, conference, voice messaging access, call forward, call park and bridged call appearance) for phones registered to Avaya Aura Communication Manager Evolution Server over VPN.

Limitations:
  - TLS support is not available in the Avaya Secure Router 4134.
  - Presence Services work only in TLS mode and were therefore not tested with the Avaya Secure Router 4134 in this scope.

2.2. Test Results and Observations


  1. Interactions with Avaya Aura Messaging and Avaya Aura Conferencing, tested with 96xx phones (9620, 9630, 9640 and 9650) over the SR4134 VPN, were successful.
  2. Basic telephony features such as hold, un-hold, transfer, conference, call forward, call park, bridged call appearance and voice messaging access, tested with phones registered to Avaya Aura Communication Manager over VPN, were successful.

Issues Encountered:
  3. 96x1 phones (9611, 9608, 9621 and 9641) did not register to Avaya Aura Communication Manager after the VPN tunnel was established over the SR4134 V10.3.2.
  4. The client-may-store-password parameter in the Client Configuration on the SR4134 did not cause username and password re-entry upon each new VPN connection.
  5. Navigation within the A Menu on the phone freezes after accessing VPN Settings; the user had to press Exit and return to the menu.


3. Reference Configuration
The lab test environment used for the SR4134 VPN solution testing is shown in Figure 1. This test bed includes the following components:

Corporate
  o Avaya SR4134 Advanced Gateway configured as VPN gateway
  o Avaya S8800 Server running Avaya Aura Communication Manager with Avaya G650 Media Gateway
  o Avaya Aura Session Manager with companion Avaya Aura System Manager
  o Avaya Aura Messaging
  o Avaya Aura Meeting Exchange
  o HTTP File Server for phone configuration
  o Avaya 96xx, 96x1, one-X Communicator and ADVD phones registered to Avaya Aura Communication Manager

Home Office
  o Netgear WNDR3700v2 home router with NAT enabled
  o 96xx series IP phones with VPN mode enabled

Figure 1: Avaya SR4134 VPN configuration with Home Users


4. Equipment and Software Validated


The following equipment and software were used for the sample configuration provided:

  Component                                                        Software/Firmware
  Avaya Secure Router 4134                                         10.3.2
  S8800 Simplex Servers with G650 Media Gateway                    Avaya Aura Communication Manager R6.2 SP1
  S8800 Server                                                     Avaya Aura Session Manager 6.2
  S8800 Server                                                     Avaya Aura System Manager 6.2
  Dell R610                                                        MX 6.2 CRS
  Dell R610                                                        MX 6.2 Web Portal
  Dell R610                                                        MX 6.2 Application server (bridge)
  Dell R610                                                        MX 6.2 Avaya Web Conferencing R3.1 SP4
  Avaya 96XX (9620, 9630, 9640 and 9650) - H.323                   (not listed; Section 6.1 identifies the application file as hb96xxua3_1_02_S.bin)
  Dell R610 Server                                                 Avaya Aura Messaging R6.2
  Avaya 96X1 Series SIP Deskphone (9608, 9611, 9621 and 9641)      Software Release 6.2, 6.0 SP3
  Avaya 96X1 Series H.323 Deskphone (9608, 9611, 9621 and 9641)    Software Release 6.2 SP1
  Avaya one-X Communicator (H.323)                                 Software Release 6.1 SP4
  Avaya 11XX/12XX Series IP Deskphone (SIP)                        4.3
  Avaya Desktop Video Device (ADVD)                                Software Release 1.1.1

5. Configure Avaya Secure Router 4134


These Application Notes assume the SR4134 is installed on the network and is in an operational state. The SR4134 must have an SR4134 VPN/IPSec card installed. All configuration steps are performed on the command line interface with the proper authorization credentials. There is no web interface for the SR4134. To implement IPSec VPN on the SR4134, perform the following configuration tasks:
  - Assign the host name, configure the Ethernet ports and the default route
  - Configure default routing
  - Configure the Untrusted and Trusted firewalls
  - Create IKE policies
    o Configure remote-id
    o Configure proposal 1
    o Configure client configuration

5.1. Configure hostname, Ethernet ports and Default Route


Change the hostname to SR. Configure the trusted and untrusted Ethernet interfaces. Configure the default route to go out the untrusted interface.

  hostname SR
  interface ethernet 0/1
    description trusted
    ip address 172.16.33.101 255.255.255.0
    ip proxy-arp
    crypto trusted
  exit ethernet
  interface ethernet 0/2
    description untrusted
    ip address 192.45.130.1 255.255.255.0
    crypto untrusted
  exit ethernet
  telnet_server
  ssh_server
    enable
  exit ssh_server
  telnet_banner
  exit telnet_banner
  access-list default permit any
  ip load-balancing per-flow
  ip route 0.0.0.0/0 172.16.33.1
  ip route 192.45.0.0/16 192.45.130.10

5.2. Configure Trusted (Corp) Firewall


The IPSec VPN tunnel carries protected traffic from one trusted network to another trusted network. The Avaya Secure Router 4134 provides the crypto command to configure the policies and parameters for IKE and IPSec that are used to create VPNs. The corp firewall below permits the VPN client address pools (172.16.33.110-120 for the phones and 172.16.33.130-140 for PC clients) in both directions on the trusted interface.

  firewall global
    algs
      sip 600
      sip-p2p-media
      dns
      exit dns
    exit algs
    max-connection-limit self 2048
  exit firewall
  firewall corp
    interface ethernet0/1
    policy 100 in permit
    exit policy
    policy 107 out permit address 172.16.33.130 172.16.33.140 any any
    exit policy
    policy 108 in permit address 172.16.33.130 172.16.33.140 any any
    exit policy
    policy 109 out permit address 172.16.33.110 172.16.33.120 any any
    exit policy
    policy 110 in permit address 172.16.33.110 172.16.33.120 any any
    exit policy
    policy 1024 out permit
    exit policy
  exit firewall

5.3. Configure Untrusted (Internet) Firewall


To create the VPN, you must identify one untrusted interface that serves as the local endpoint for the VPN tunnel (using the crypto untrusted command). To allow VPN connections, you must configure inbound firewall policies in the internet zone that allow connections to the router itself (self) for IKE negotiation: the IKE service and UDP port 4500 for NAT traversal.

  firewall internet
    interface ethernet0/2
    policy 110 in permit service ike self
    exit policy
    policy 115 in permit protocol udp port any 4500 self
    exit policy
    policy 117 in permit address 172.16.33.130 172.16.33.140 any any self
    exit policy
    policy 120 in permit address 172.16.33.110 172.16.33.120 any any self
    exit policy
    policy 130 in permit protocol tcp port any 17 self
    exit policy
    policy 140 in permit protocol icmp self
    exit policy
  exit firewall


5.4. Create IKE Policies


One IKE policy was configured. The ip9600 policy is for the 96xx series IP phones running the VPN firmware. An IKE policy can also be created for client PCs; it is used by the Windows VPN client. The ipsec policies ip9600 and vpnclient are created as a result of the IKE policies. Create the VPN users that are used by home users for authentication on the SR4134. An SR4134 VPN client requires an IP address from the server before completing a connection. In the client configuration menu, specify an IP address range in the address-pool. The home users will be allocated a private IP address from this address-pool once VPN authentication is complete.

  crypto
    dynamic
    exit dynamic
    contivity-iras
      ike policy ip9600
        local-address 192.45.130.1
        remote-id user-name "1adgjm" 1adgjm
        remote-id user-name "2adgjm" 2adgjm
        remote-id user-name "3adgjm" 3adgjm
        remote-id user-name "4adgjm" 4adgjm
        proposal 1
          dh-group group2
          encryption-algorithm 3des-cbc
        exit proposal
        client configuration
          address-pool 1 172.16.33.110 172.16.33.120
          private-side-address 172.16.33.101
          banner-enable
          banner-text
          keepalive
            enable
            interval 20
          exit keepalive
          split-tunnel
            mode enabled
            network 172.16.33.0 24
            network 172.16.0.0 16
            network 10.0.0.0 16
          exit split-tunnel
          nat-keepalive 120
        exit configuration
      exit policy
      ipsec policy ip9600
        proposal 1
          lifetime seconds 3600
        exit proposal
      exit policy
    exit contivity-iras
  exit crypto

Please find below the complete SR4134 configuration used for this testing, for reference.

  system
    logging
      console
        priority crit
      exit console
      syslog
        module alarms local0 none
        module dos local0 none
        module forwarding local0 none
        module voip-ssm-cdr local0 none
        module voip-cdr local0 none
        module voip-gwy local0 none
      exit syslog
    exit logging
  hostname SR
  log utc
  event
  exit event
  usb
  exit usb
  terminal
  exit terminal
  qos
    module
    exit module
    chassis
    exit chassis
  exit qos
  aaa
    tacacs
    exit tacacs
    radius
      primary_server
      exit primary_server
      secondary_server
      exit secondary_server
    exit radius
  exit aaa
  vlan database
  exit database
  vlan classification
  exit classification
  bridge
    mstp
    exit mstp
  exit bridge
  lacp
  exit lacp
  interface ethernet 0/1
    description trusted
    ip address 172.16.33.101 255.255.255.0
    ip proxy-arp
    aaa
    exit aaa
    crypto trusted
    qos
      chassis
      exit chassis
    exit qos
  exit ethernet
  interface ethernet 0/2
    description untrusted
    ip address 192.45.130.1 255.255.255.0
    aaa
    exit aaa
    crypto untrusted
    qos
      chassis
      exit chassis
    exit qos
  exit ethernet
  interface console
    aaa
    exit aaa
  exit console
  gvrp
  exit gvrp
  snmp-server
    engine-id
      local 0000000c000000007f000001
    exit engine-id
    chassis-id SR
    enable traps
    exit traps
  exit snmp-server
  rmon
  exit rmon
  oam
    cfm
      enable
      ethtype 88e6
    exit cfm
  exit oam
  icmp_timestamp
  telnet_server
  ssh_server
    enable
  exit ssh_server
  telnet_banner
  exit telnet_banner
  sntp
  exit sntp
  reverse_telnet
    set_baud_rate 56000
  exit reverse_telnet
  access-list default permit any
  ip proxy-dns
  exit proxy-dns
  ip load-balancing per-flow
  ip route 0.0.0.0/0 172.16.33.1
  ip route 192.45.0.0/16 192.45.130.10
  ipv6 unicast-routing
  ipv6 load-balancing per-flow
  mpls tunnel-mode uniform
  firewall global
    algs
      sip 600
      sip-p2p-media
      dns
      exit dns
    exit algs
    max-connection-limit self 2048
  exit firewall
  firewall internet
    interface ethernet0/2
    policy 110 in permit service ike self
    exit policy
    policy 115 in permit protocol udp port any 4500 self
    exit policy
    policy 117 in permit address 172.16.33.130 172.16.33.140 any any self
    exit policy
    policy 120 in permit address 172.16.33.110 172.16.33.120 any any self
    exit policy
    policy 130 in permit protocol tcp port any 17 self
    exit policy
    policy 140 in permit protocol icmp self
    exit policy
  exit firewall
  firewall corp
    interface ethernet0/1
    policy 100 in permit
    exit policy
    policy 107 out permit address 172.16.33.130 172.16.33.140 any any
    exit policy
    policy 108 in permit address 172.16.33.130 172.16.33.140 any any
    exit policy
    policy 109 out permit address 172.16.33.110 172.16.33.120 any any
    exit policy
    policy 110 in permit address 172.16.33.110 172.16.33.120 any any
    exit policy
    policy 1024 out permit
    exit policy
  exit firewall
  crypto
    dynamic
    exit dynamic
    contivity-iras
      ike policy ip9600
        local-address 192.45.130.1
        remote-id user-name "1adgjm" 1adgjm
        remote-id user-name "2adgjm" 2adgjm
        remote-id user-name "3adgjm" 3adgjm
        proposal 1
          dh-group group2
          encryption-algorithm 3des-cbc
        exit proposal
        client configuration
          address-pool 1 172.16.33.110 172.16.33.120
          private-side-address 172.16.33.101
          banner-enable
          banner-text "Hi this is my VPN!! - Renuka. Click link: http://www.google.com"
          keepalive
            enable
            interval 20
          exit keepalive
          split-tunnel
            mode enabled
            network 172.16.33.0 24
            network 172.16.0.0 16
            network 10.0.0.0 16
          exit split-tunnel
          nat-keepalive 120
        exit configuration
      exit policy
      ike policy vpnclient
        local-address 192.45.130.1
        remote-id user-name "client01" client123
        remote-id user-name "client02" client123
        proposal 1
          dh-group group2
          encryption-algorithm 3des-cbc
        exit proposal
        client configuration
          address-pool 1 172.16.33.130 172.16.33.180
          private-side-address 172.16.33.101
          no client-may-store-password
          banner-text "Welcome To SR4134 VPN World"
          keepalive
            enable
            interval 20
          exit keepalive
          split-tunnel
            mode enabled
            network 172.16.0.0 16
            network 10.0.0.0 16
          exit split-tunnel
          nat-keepalive 120
        exit configuration
      exit policy
      ipsec policy ip9600
        proposal 1
          lifetime seconds 3600
        exit proposal
      exit policy
      ipsec policy vpnclient
        proposal 1
          lifetime seconds 3600
        exit proposal
      exit policy
    exit contivity-iras
    pmtu
    exit pmtu
    qos
      chassis
      exit chassis
    exit qos
  exit crypto
  dst
    no enable
  exit dst

6. Configure Avaya 96xx Series H.323 IP Phones


Avaya recommends that administrators perform these preliminary configuration steps:
  - Load the 96xx Series IP Telephone with the latest software.
  - Configure the phone to connect to the enterprise infrastructure.
  - Provide the end users with the information needed for VPN access from their small office/home office (SOHO) environment.

At startup, the phone will attempt to establish a VPN connection using the configured VPN parameters. Users with permission to do so can view, add, or change the VPN parameters.

6.1. 96xx Series IP Phone Firmware


Avaya 96xx Series VPN-enabled IP phone firmware must be installed on the phone before the phone is deployed at the remote location; alternatively, the firmware can be upgraded at the remote location once the VPN tunnel to the corporate environment is established. The firmware version of an Avaya IP telephone can be identified by viewing the version displayed on the phone during boot-up or while the phone is operational. Press Mute CRAFT # (Mute 27238 #) and arrow down to View. Press the Start button and arrow down to Application File. The application file is hb96xxua3_1_02_S.bin. Press Back and Exit to return to the screen displaying the extension. Alternatively, the firmware details can also be viewed by pressing the A menu.


6.2. Settings used for Avaya 96xx Series VPN IP phones


The Avaya 96xx Series IP Phone configuration can be administered centrally from an HTTP server through the 46xxsettings.txt file, or locally on the phone. The parameters that need to be modified are listed below. Use the default value for all other VPN parameters.

  SET NVVPNMODE = 1              Enable VPN mode
  SET NVVPNCFGPROF = 11          Configuration profile for Nortel Contivity. When set to 11, NVIKECONFIGMODE is set to 1, NVIKEEXCHGMODE is set to 1 and NVIKEIDTYPE is set to 11
  SET NVSGIP = 192.45.130.1      IP address of the Secure Gateway
  SET NVIKEP1ENCALG = 2          Set the IKE Phase 1 encryption algorithm to 3DES
  SET NVIKEP2ENCALG = 2          Set the IKE Phase 2 encryption algorithm to 3DES
  SET NVIKEP1AUTHALG = 2         Set the IKE Phase 1 authentication algorithm to SHA1
  SET NVIKEP2AUTHALG = 2         Set the IKE Phase 2 authentication algorithm to SHA1
  SET NVMCIPADD = 172.16.1.152   IP address of the Call Server
  SET NVHTTPSRVR = 172.16.11.10  IP address of the HTTP server
  SET NVVPNSVENDOR = 5           Set the vendor to Nortel
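The gateway side (Sections 5.2 to 5.4) and the phone side (this section) have to agree: the phone's NVSGIP must be the IKE policy's local-address, the phone's Phase 1 encryption must match the policy's encryption-algorithm, and every client address-pool must be covered by the firewall permits on both the corp and internet zones, otherwise the tunnel comes up but the phone cannot register. The following Python script is an added example, not Avaya's code or anything from these Application Notes. It parses a condensed excerpt of the SR4134 configuration as printed on the page (exit lines omitted) together with a constructed 46xxsettings.txt fragment, and reports mismatches. The function names, the assumption that a pool needs an inbound and outbound corp permit plus an inbound self permit on the internet zone, and the mapping of NVIKEP1ENCALG value 2 to 3des-cbc are this example's own reading of the page, not documented SR4134 or 96xx behaviour.

```python
import ipaddress
import re

# Constructed sample: a condensed excerpt of the SR4134 configuration shown in
# Sections 5.2-5.4 (values as printed on the page; "exit" lines omitted).
SR4134_CONFIG = """\
firewall corp
  policy 107 out permit address 172.16.33.130 172.16.33.140 any any
  policy 108 in permit address 172.16.33.130 172.16.33.140 any any
  policy 109 out permit address 172.16.33.110 172.16.33.120 any any
  policy 110 in permit address 172.16.33.110 172.16.33.120 any any
firewall internet
  policy 110 in permit service ike self
  policy 117 in permit address 172.16.33.130 172.16.33.140 any any self
  policy 120 in permit address 172.16.33.110 172.16.33.120 any any self
crypto
  contivity-iras
    ike policy ip9600
      local-address 192.45.130.1
      proposal 1
        encryption-algorithm 3des-cbc
      client configuration
        address-pool 1 172.16.33.110 172.16.33.120
    ike policy vpnclient
      local-address 192.45.130.1
      client configuration
        address-pool 1 172.16.33.130 172.16.33.180
"""
# Constructed 46xxsettings.txt fragment with the Section 6.2 values.
PHONE_SETTINGS = """\
SET NVSGIP = 192.45.130.1
SET NVIKEP1ENCALG = 2
"""

def parse_sr4134(text):
    """Pull firewall permits and IKE client-policy data out of SR4134 CLI text."""
    fw, ike, cur_fw, cur_ike = {}, {}, None, None
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] == "exit":
            continue
        if tok[0] == "firewall":
            cur_fw, fw[tok[1]] = tok[1], []
        elif tok[:2] == ["ike", "policy"]:
            cur_ike, ike[tok[2]] = tok[2], {"pools": []}
        elif tok[0] == "policy" and "permit" in tok:
            rec = {"dir": tok[2], "self": tok[-1] == "self", "range": None}
            if "address" in tok:  # "address <low> <high> any any [self]"
                i = tok.index("address")
                rec["range"] = (tok[i + 1], tok[i + 2])
            fw[cur_fw].append(rec)
        elif tok[0] == "local-address":
            ike[cur_ike]["local_address"] = tok[1]
        elif tok[0] == "encryption-algorithm":
            ike[cur_ike]["enc"] = tok[1]
        elif tok[0] == "address-pool":
            ike[cur_ike]["pools"].append((tok[2], tok[3]))
    return fw, ike

def covered(pool, permits, direction, need_self):
    """True if an address permit in this direction contains the whole pool."""
    lo, hi = (int(ipaddress.ip_address(a)) for a in pool)
    for p in permits:
        if p["dir"] != direction or p["range"] is None or (need_self and not p["self"]):
            continue
        plo, phi = (int(ipaddress.ip_address(a)) for a in p["range"])
        if plo <= lo and hi <= phi:
            return True
    return False

def pool_findings(fw, ike):
    """Each address-pool needs corp in+out permits and an internet 'self' in permit."""
    out = []
    for name, pol in ike.items():
        for pool in pol["pools"]:
            for zone, d, s in (("corp", "in", False), ("corp", "out", False),
                               ("internet", "in", True)):
                if not covered(pool, fw.get(zone, []), d, s):
                    out.append(f"{name}: pool {pool[0]}-{pool[1]} has no "
                               f"{d} permit in firewall {zone}")
    return out

def parse_phone_settings(text):
    """Read 'SET NAME = VALUE' (or 'SET NAME VALUE') lines from 46xxsettings.txt."""
    return dict(re.findall(r"^\s*SET\s+(\w+)\s*=?\s*(\S+)", text, re.M))

ENCALG = {"2": "3des-cbc"}  # NVIKEP1ENCALG value 2 = 3DES, per Section 6.2

def phone_findings(settings, ike, policy="ip9600"):
    """Phone-side VPN parameters must agree with the gateway's IKE policy."""
    pol, out = ike[policy], []
    if settings.get("NVSGIP") != pol.get("local_address"):
        out.append(f"NVSGIP {settings.get('NVSGIP')} != local-address {pol.get('local_address')}")
    if ENCALG.get(settings.get("NVIKEP1ENCALG")) != pol.get("enc"):
        out.append(f"NVIKEP1ENCALG {settings.get('NVIKEP1ENCALG')} != {pol.get('enc')}")
    return out

if __name__ == "__main__":
    fw, ike = parse_sr4134(SR4134_CONFIG)
    phone = parse_phone_settings(PHONE_SETTINGS)
    for f in pool_findings(fw, ike) + phone_findings(phone, ike):
        print("FINDING:", f)
```

Run against the sample, the phone settings match the ip9600 policy and produce no findings, while the vpnclient pool is reported three times: its address-pool as printed in the full configuration listing runs to 172.16.33.180, but the corp permits (policies 107 and 108) and the internet permit (policy 117) stop at 172.16.33.140, so a PC client assigned an address above .140 would be dropped by the firewall even though its tunnel negotiated successfully.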

7. Verification Steps
The following steps can be used to verify the installation in the field.
  1. Verify VPN connections from the IP phones.
  2. Verify a call can be placed from a home office user to a user in the corporate network.
  3. Verify a call placed from a home office user is correctly routed to another home office user.
  6. Verify that a message can be left for a home office IP phone and that the message waiting indicator turns on while the IPSec VPN tunnel is connected.
  7. Verify that a home office IP phone can dial the conference bridge number on Meeting Exchange and join the conference.

7.1. Verify IP Phone VPN Client Connections


Verify the IP phones have established a VPN tunnel by using the SR4134 command, show crypto clients all.


8. Conclusion
As illustrated in these Application Notes, Avaya 96xx IP phones with VPN can interoperate with the Avaya Secure Router 4134. 96x1 series IP phones do not interoperate with the SR4134 10.3.2 VPN gateway due to an issue with phone registration.

9. Additional References
Product documentation for Avaya products may be found at http://support.avaya.com

Hardware Installation:
  1. Commissioning Avaya Secure Router 2330/4134
     https://downloads.avaya.com/css/P8/documents/100120411
  2. Installation Hardware Components Avaya Secure Router 2330/4134
     https://downloads.avaya.com/css/P8/documents/100120410
  3. Quick Start Avaya Secure Router 4134
     https://downloads.avaya.com/css/P8/documents/100120404
  4. Installation Chassis Avaya Secure Router 4134
     https://downloads.avaya.com/css/P8/documents/100120409

VPN Configuration:
  5. Configuring an IPSec Tunnel between Avaya 96xx Series IP Phones and the Avaya Secure Router 4134 Issue 1.0
     https://downloads.avaya.com/css/P8/documents/100158184


©2013 Avaya Inc. All Rights Reserved. Avaya and the Avaya Logo are trademarks of Avaya Inc. All trademarks identified by ® and ™ are registered trademarks or trademarks, respectively, of Avaya Inc. All other trademarks are the property of their respective owners. The information provided in these Application Notes is subject to change without notice. The configurations, technical data, and recommendations provided in these Application Notes are believed to be accurate and dependable, but are presented without express or implied warranty. Users are responsible for their application of any products specified in these Application Notes. Please e-mail any questions or comments pertaining to these Application Notes along with the full title name and filename, located in the lower right corner, directly to the Avaya Solution & Interoperability Test Lab at interoplabnotes@list.avaya.com
