IPSEC with Avaya 9600 VPN phone

Question

I am trying to connect an AVAYA 9600 IP Phone via VPN to Astaro. The phone is not connected and it is giving my an error on IKE Phase 2. On the Astaro site I am getting the attached error log.

Do you have any idea what is causing the problem?

This thread was automatically locked due to age.

PL101 · Answer

SOPHOS -- Create a New IPsec Policy  Sorry in advance for the formatting... I attempted to upload a ZIP file that contained a formatted PDF file multiple times, but the file continued to get corrupt.   **** META DATA *******  1. Configure Avaya 9611 IPsec VPN client   2. Configure Remote IPsec on SOPHOS UTM 9.x for Avaya 9600 VPN clients   Keywords Avaya 9600 VPN, Avaya 9611 VPN, Avaya IPsec VPN configuration, Configure Avaya Phone with SOPHOS VPN, Configuring Avaya 9611 IPsec VPN w/ Remote SOPHOS IPsec VPN -- IP Office 8.1   ******** DOC ***********  Configuring Avaya 9611 VPN for IP Office w/ SOPHOS UTM 9.x Overview Some Avaya 9600 phones, such as the 9611, have a native IPsec VPN client that can be used to connect remote workers to the corporate phone system when other options just won’t cut it. Online documentation is poor and often differs for each firewall vendor. Please note that this configuration is functional, but it may or may not comply with the security requirements of your business. Please discuss them with your security team and try other settings if necessary.  We are testing this option now to hopefully rid our environment of softphones. We’re also testing the “Telecommuter Option” of one-X. This allows our remote workers to use their home phones and proxy everything through the IP Office server, but it comes with the cost of chewing up 2 SIP channels for each call. Don’t forget to buy power injectors!  High Level Network Design Object	Network/Connection Type	Comment  IPO 8.1	DC Voice Network	 9611 Phones	HQ Voice, Sat Voice, *Home Offices	*This doc… Soft Phones	HQ Data, Sat Data, *Remote Office	A handful of users… SOPHOS Firewall	DC	Virtual interfaces for DC Voice and DC Data vLANs  Sat Office Connection	StS IPsec VPN	ASA 5510 – SOPHOS UTM 9.x VM HQ Office Connection	Gig Fiber – MPLS	Direct Connect from HQ to DC DC Connection	Dual 10G Fiber	IP Transit secured by SOPHOS HA pair  Remote Workers	Several	Personal connections not managed by IT   Known Issue The “Enable Direct Media Path” extension option must be unchecked for all extensions participating in a call. Some Avaya documentation says to disable this for “VPN to VPN phone calls”, but we experienced the problem with ALL phone calls to/from a VPN phone. Disabling the option for the extension associated with just the VPN phone was not enough. Attempts were made to open firewall rules, verify routes, etc, but nothing yielded the desired result. Talk to your phone support team and ask them if it’s okay to disable direct media path for anyone and everyone that will send/receive calls with VPN phones.  o	10 digit extension calls do not experience the issue above because they loop through the outside. However, attempting this is not a good workaround and will only confuse users. o	Every firewall/network configuration will differ. You may not experience the issue, but if you do, try the workaround with a handful of users.  Remote SOPHOS IPsec VPN Setup 1. Create a New IPsec Policy  Description	Setting	Note Name	VPNPHONE	 IKE encryption algorithm	3DES	 IKE authentication algorithm	SHA1	 IKE SA lifetime	7800	 IKE DH group	Group 2: MODP 1024	  IPsec encryption algorithm	3DES	 IPsec authentication algorithm	SHA1	 IPsec SA lifetime	3600	 IPsec PFS group	Group 2: MODP 1024	 Strict Policy	Unchecked	 Compression	Unchecked	  2. Create a New IPsec Remote Access Rule  Description	Setting	Note Name	VPNPHONE	 Interface	External (WAN)	Depends on config, but will be the most common selection Local Networks	***	Add all networks – IP Office & each network w/ phones Virtual IP Pool VPN Pool (IPsec)	Defaults to 10.242.4.0/24 Policy	VPNPHONE	 Authentication Type	Preshared Key	Document the key. It will be used for the 9611 too. Enable XAUTH	SELECTED	 Allowed Users	**	Create new Users – ext01, ext02, etc.  3. Configure Required Firewall ACLs  a.	Outside the scope of this document, but make sure your IPsec VPN group can minimally talk to the network where the IPO(s) server is. Depending on your network and firewall configuration, and the requirements of your security department, one or more simple rules from the IPO network to the IPsec VPN group (and back) might be enough. If you can get direct media access to work you may need to supply all networks where phones are located.  4.	Configure the 9611 Phone a.	Enter the OPTIONS tab on boot up. Our code to enter was 27238. This may or may not be different for you. b.	Go to the VPN setup and supply the following values:  Phone Option	Value VPN	Enabled VPN Vendor	OTHER Gateway Address	The public IP address applied to the interface of the SOPHOS IPsec VPN Encapsulation	4500-4500 Copy TOS	Yes External Phone IP Address	** Typically done by your DHCP server External Router	** Typically done by your DHCP server External Subnet Mask	** Typically done by your DHCP server External DNS Server	** Typically done by your DHCP server  Auth Type	PSK with XAUTH VPN User Type	Any VPN User	The VPN user(s) account you created above Password Type	Save in Flash User Password	The VPN user(s) account password  IKE ID (Group Name)	VPNPHONE Pre-Shared Key (PSK)	The PSK you entered for the SOPHOS “IPsec Remote Access Rule”  IKE ID Type	USER_FQDN IKE Xchg Mode	ID Protect IKE DH Group	2 IKE Encryption Alg.	3DES IKE Auth. Alg.	SHA1 IKE Config. Mode	Enabled  IKE PFS DH Group	2 IPsec Encryption Alg	3DES IPsec Auth. Alg. SHA-1 Protected Network..	** See extended comments below  IKE over TCP	Auto    ** 9611 Protected Network Comments •	You should supply all networks that were included in the “Local Networks” of the SOPHOS “IPsec Remote Access Rule”. A lot of confusing documentation, partially accurate, is floating around on the Internet. Some of it even says to use the IP Pool network associated with your VPN group. If you don’t have one or more correct networks listed you will fail on “IKE PHASE 2”. We were getting this error message o	cannot respond to IPsec SA request because no connection is known for 10.x.x.x/24===209.x.x.x:4500[209.x.x.x]...4.x.x.x:4500[VPNPHONE]===192.x.x.x/32 &#61607;	***Actual addresses were removed…   •	If you do not have “Direct Media Path” enabled on your extensions then you really only need to supply the network(s) where the IPO server(s) is located. See the notes on “Direct Media Path” above for more info.  •	Some Avaya documentation says to use 0.0.0.0/0, which means any addressable network. This does not work.  •	Multiple networks can be defined in the 9611. Simply list each one with commas and do not use spaces. o	Example: 192.168.10.0/24,172.16.0.0/16,192.168.30.0/24

Argo · Answer

I have completed this and found that if you do not have access to the phone, the best way to enable VPN on the phone, is to amend the 46xxsettings.txt file this is store on the Avaya, and when the phone initially configures it self from the Avaya, this file will provide the defaults for the phone when connecting to the Avaya PBX.

XG & UTM Architect (Systems: XG v18 & UTM 9.7 - Virtual, HW & SW)
Curious enough to take it apart, skilled enough to put it back together, Clever enough to hide the extra parts when I'm Done!