42
_____________________________________________________________________________________ www.support.avaya.com , Page: 1 11/18/2009 Avaya Inc. – Proprietary. Use pursuant to Company Instructions. _____________________________________________________________________________________ Avaya CAD-SV Configuring the 96xx VPN enabled phone with Juniper SSG-20 for IPSec Based authentication mechanism – Issue 1.0 10th October 2009 ABSTRACT These Application Notes describe the steps for configuring the Juniper Secure Services Gateway 20 Security Platform with a policy-based IPSec VPN and XAuth enhanced authentication to support the Avaya 96xx VPN enabled Phone. The sample configuration presented in these Application Notes utilizes a shared IKE Group ID to streamline the VPN configuration and management, IP Network Region segmentation to logically group and administer 96xx VPN enabled Phones and NAT-T for IPSec traversal of Network Address Translation devices. ____________________________________________________________________________________

Configuring Avaya 9600 Series Phones With Juniper SSG 20

Embed Size (px)

Citation preview

_____________________________________________________________________________________ www.support.avaya.com, Page: 1 11/18/2009 Avaya Inc. – Proprietary. Use pursuant to Company Instructions. _____________________________________________________________________________________

Avaya CAD-SV Configuring the 96xx VPN enabled phone with Juniper SSG-20 for IPSec Based authentication mechanism – Issue 1.0

10th October 2009

ABSTRACT These Application Notes describe the steps for configuring the Juniper Secure Services Gateway 20 Security Platform with a policy-based IPSec VPN and XAuth enhanced authentication to support the Avaya 96xx VPN enabled Phone. The sample configuration presented in these Application Notes utilizes a shared IKE Group ID to streamline the VPN configuration and management, IP Network Region segmentation to logically group and administer 96xx VPN enabled Phones and NAT-T for IPSec traversal of Network Address Translation devices.

____________________________________________________________________________________

_____________________________________________________________________________________ www.support.avaya.com, Page: 2 11/18/2009 Avaya Inc. – Proprietary. Use pursuant to Company Instructions. _____________________________________________________________________________________

TABLE OF CONTENTS ____________________________________________________________________________________

1. NETWORK TOPOLOGY ----------------------------------------------------------------------------------------------------------- 6 2. EQUIPMENT AND SOFTWARE VALIDATED -------------------------------------------------------------------------------- 8 3. Juniper SSG-20 CONFIGURATION --------------------------------------------------------------------------------------------- 9 3.1 Access SSG 20 -------------------------------------------------------------------------------------------------------------------- 9 3.2 Configure Juniper SSG Ethernet Interfaces-------------------------------------------------------------------------------10 3.3 IP Address Pool ------------------------------------------------------------------------------------------------------------------13 3.4 Routes-------------------------------------------------------------------------------------------------------------------------------13 3.5 Configure Default Route--------------------------------------------------------------------------------------------------------13 3.6 Configure Route to IP Pool Address range--------------------------------------------------------------------------------15 3.7 Local User Configuration-------------------------------------------------------------------------------------------------------15 3.8 XAuth Users -----------------------------------------------------------------------------------------------------------------------17 3.9 Local User Group Configuration----------------------------------------------------------------------------------------------18 3.9.1 IKE User Group-------------------------------------------------------------------------------------------------------------------19 3.9.2 Xauth User Group----------------------------------------------------------------------------------------------------------------19 3.10 VPN ----------------------------------------------------------------------------------------------------------------------------------20 3.10.1 AutoKey IKE Gateway Configuration - Phase 1----------------------------------------------------------------------21 3.10.2 AutoKey IKE VPN Tunnel Configuration - Phase 2 -----------------------------------------------------------------23 3.11 XAuth Configuration -------------------------------------------------------------------------------------------------------------26 3.11.1 XAuth Server Defaults-------------------------------------------------------------------------------------------------------26 3.11.2 Enable XAuth Authentication for AutoKey IKE gateway -----------------------------------------------------------27 3.12 H.323 ALG -------------------------------------------------------------------------------------------------------------------------28 3.13 Security Policies ------------------------------------------------------------------------------------------------------------------28 4. Avaya 96xx VPN Enabled IP Phone CONFIGURATION.-----------------------------------------------------------------31 4.1 96xx series IP Phone Firmware ----------------------------------------------------------------------------------------------31 4.2 Configuring Avaya 96xx series IP Phone ----------------------------------------------------------------------------------31 4.3 “46xxsettings.txt” File------------------------------------------------------------------------------------------------------------34 5. TROUBLE SHOOTING ------------------------------------------------------------------------------------------------------------38 5.1 IKE Phase 1 no response. -----------------------------------------------------------------------------------------------------38 5.2 Incorrect IKE Phase 2-----------------------------------------------------------------------------------------------------------39 5.3 Invalid Username, password: -------------------------------------------------------------------------------------------------39 5.4 Invalid IKEID and PSK: ---------------------------------------------------------------------------------------------------------39 5.5 Phone displaying “connecting…”---------------------------------------------------------------------------------------------39

_____________________________________________________________________________________ www.support.avaya.com, Page: 3 11/18/2009 Avaya Inc. – Proprietary. Use pursuant to Company Instructions. _____________________________________________________________________________________

5.6 No gateway address:------------------------------------------------------------------------------------------------------------40 6. CONCLUSION------------------------------------------------------------------------------------------------------------------------41 7. REFERENCES -----------------------------------------------------------------------------------------------------------------------42

_____________________________________________________________________________________ www.support.avaya.com, Page: 4 11/18/2009 Avaya Inc. – Proprietary. Use pursuant to Company Instructions. _____________________________________________________________________________________

____________________________________________________________________________________

Introduction.

____________________________________________________________________________________ The Avaya 96xx VPN enabled Phone is software based Virtual Private Network (VPN) client integrated into the firmware of an Avaya 96xx release 3.1 IP Telephone. This enhancement allows the Avaya IP Telephone to be plugged in and used seamlessly over a secure VPN from any broadband Internet connection. Avaya IP Telephone models 9620, 9620C, 9620L, 9630, 9640, 9650, 9650C, 9670 support VPN feature. Avaya 96xx VPN enabled Phone extends the support of head-end VPN gateways to include Juniper security platforms. The configuration steps described in these Application Notes utilize a Juniper Secure Services Gateway (SSG) model 20. However, these configuration steps can be applied to Juniper Netscreen and ISG platforms using the ScreenOS version specified in Section 3. The sample network provided in these Application Notes implements the following features of the Juniper SSG 20 and Avaya 96xx VPN enabled Phone:

• Policy-Based IPSec VPN The policy-based VPN feature of the Juniper SSG allows a VPN Tunnel to be directly associated with a security policy as opposed to a route-based VPN being bound to a logical VPN Tunnel interface. Because no network exists beyond a VPN client end-point, policy-based VPN tunnels are a good choice for VPN end-point configurations such as with the Avaya 96xx VPN enabled Phone.

• XAuth User Authentication The XAuth protocol enables the Juniper SSG to authenticate the individual users of the 96xx VPN enabled Phone. The XAuth user authentication is in addition to the IKE IPSec VPN authentication. The IKE and XAuth authentication steps of the Avaya 96xx VPN enabled Phone is as follows:

Step 1. Phase 1 negotiations: the Juniper SSG authenticates the Avaya 96xx VPN enabled Phone by matching the IKE ID (Group Name) and Pre-Shared key (Group password) sent by the Avaya 96xx VPN enabled Phone. If there is a match, the Juniper SSG XAuth process begins.

Step 2. XAuth: the Juniper SSG XAuth server prompts the Avaya 96xx VPN enabled Phone for user

credentials (Username and Password). If the Avaya 96xx VPN enabled Phone is configured to store user credentials in flash memory, the Avaya 96xx VPN Phone responds to the Juniper SSG with the stored credentials without user involvement. Otherwise the Avaya 96xx Phone displays a prompt for username and password to be manually entered.

Step 3. Phase 2 negotiations: Once the XAuth user authentication is successful, Phase 2 negotiations begin.

_____________________________________________________________________________________ www.support.avaya.com, Page: 5 11/18/2009 Avaya Inc. – Proprietary. Use pursuant to Company Instructions. _____________________________________________________________________________________

• XAuth Dynamic IP Address Assignment The XAuth protocol enables the Juniper SSG appliance to dynamically assign IP addresses from a configured IP Address pool range. The assignment of IP address ranges to Avaya 96xx VPN enabled Phones enables Avaya Communication Manager to map the Avaya 96xx VPN enabled Phones into IP Network Regions.

• Shared IKE Group ID The shared IKE ID feature of the Juniper SSG appliance facilitates the deployment of a large number of dialup IPSec VPN users. With this feature, the security device authenticates multiple dialup VPN users using a single group IKE ID and Preshared key. Thus, it provides IPSec protection for large remote user groups through a common VPN configuration. XAuth user authentication must be used when implementing Shared IKE Group ID.

• IP-Network-Region Segmentation A common deployment for the Avaya 96xx VPN enabled Phones is in a home network environment with limited bandwidth. The G.729 codec with 30 ms is recommended for such bandwidth constrained environments. Avaya Communication Manager IP Network Regions allow IP endpoints to be logically grouped together to apply unique configuration settings, including the assignment of specific codecs.

_____________________________________________________________________________________ www.support.avaya.com, Page: 6 11/18/2009 Avaya Inc. – Proprietary. Use pursuant to Company Instructions. _____________________________________________________________________________________

____________________________________________________________________

1. NETWORK TOPOLOGY

____________________________________________________________________

Fig 1: The sample Test Network diagram for configuring 96xx VPN enabled phones with Juniper SSG20 for Secure IPSec based authentication. The sample network implemented for these Application Notes is shown in Figure 1. The Corporate/Trusted IP Network location contains the Juniper SSG-20 VPN Router functioning as perimeter security device and VPN head-end. The Avaya S8730 Server and Avaya G700 Media Gateway are also located at the Corporate

_____________________________________________________________________________________ www.support.avaya.com, Page: 7 11/18/2009 Avaya Inc. – Proprietary. Use pursuant to Company Instructions. _____________________________________________________________________________________

IP Network. The Avaya 96xx series VPN Enabled IP Phones are located in the Home/Untrusted network and configured to establish an IPSec tunnel to the Public IP address of the Juniper VPN Router. The Juniper VPN Router will assign IP addresses to the 96xx series VPN enabled IP Phones. The assigned IP addresses, also known as the inner addresses, will be used by the 96xx series IP Phones when communicating inside the IPSec tunnel and in the private corporate network to Avaya Communication Manager.

_____________________________________________________________________________________ www.support.avaya.com, Page: 8 11/18/2009 Avaya Inc. – Proprietary. Use pursuant to Company Instructions. _____________________________________________________________________________________

____________________________________________________________________

2. EQUIPMENT AND SOFTWARE VALIDATED

____________________________________________________________________ Table 1 lists the equipment and software/firmware versions used in the sample configuration provided. Equipment Software Version Avaya G700 Media Gateway with S8300. Avaya Communication Manager 3.1 Build 4.0 and above. Avaya 96xx Telephone Release 3.1 Juniper SSG-20 6.1.0r5.0 (Firewall + VPN).

Table 1 – Equipment Version Information

_____________________________________________________________________________________ www.support.avaya.com, Page: 9 11/18/2009 Avaya Inc. – Proprietary. Use pursuant to Company Instructions. _____________________________________________________________________________________

____________________________________________________________________

3. Juniper SSG-20 CONFIGURATION

____________________________________________________________________

Juniper SSG 20 are included in the sample configuration as described in Section 2. The primary difference in the configuration between these Juniper SSG 20s is IP address assignment and IP Pool address range. The configuration steps utilize the Web User Interface (WebUI) of the Juniper SSG 20.

3.1 Access SSG 20

1. From a serial connection to the Console port of the Juniper SSG, log in and access the Command Line Interface using a Terminal Emulation application such as Windows HyperTerm. Execute the following commands to configure the Juniper SSG Ethernet interface 0/0. This enables access to the Juniper SSG WebUI.

SSG20-> set interface ethernet0/0 ip 192.168.14.150/24

SSG20-> set interface ethernet0/0 ip manageable 1 From a web browser, enter the URL of the Juniper SSG WebUI management interface, https://<IP address of the SSG>, and the following login screen appears. Log in using a user name with administrative privileges. 2 The Juniper SSG WebUI administration home page appears upon successful login. Note the ScreenOS Firmware Version in the Device Information section.

_____________________________________________________________________________________ www.support.avaya.com, Page: 10 11/18/2009 Avaya Inc. – Proprietary. Use pursuant to Company Instructions. _____________________________________________________________________________________

3.2 Configure Juniper SSG Ethernet Interfaces

The Juniper SSG 20 has four build-in Ethernet interfaces, Ethernet 0/0 – Ethernet 0/3. The steps below configured Ethernet 0/0 to a Trust security zone facing the internal corporate network and Ethernet 0/1 to an Untrust security zone facing the public internet. The Avaya 96xx VPN enabled Phone will interact with Ethernet 0/1 when establishing an IPSec Tunnel. 3.2.1 Configure Ethernet 0/0: 1 From the left navigation menu, select Network > Interfaces. The Network Interfaces List screen appears. The IP address is already populated for Ethernet0/0 from the basic configuration of Section 4.1. Select Edit for Ethernet 0/0 2 From the Ethernet 0/0 properties page, configure the highlighted fields shown below. All remaining fields can be left as default. Select OK to save.

Ethernet 0/0 connects to the private corporate network making it a trusted interface. It is placed in the Trust security zone of the Juniper SSG. The Service Options selected and enabling Manageability are related to the interface being in the Trust zone.

_____________________________________________________________________________________ www.support.avaya.com, Page: 11 11/18/2009 Avaya Inc. – Proprietary. Use pursuant to Company Instructions. _____________________________________________________________________________________

3.2.2 Configure Ethernet 0/1 Interface:

1 From the Network Interfaces List screen, select Edit for Ethernet 0/1 2 From the Ethernet 0/1 properties page, configure the highlighted fields shown below. All remaining fields can be left as default. Select OK to save.

_____________________________________________________________________________________ www.support.avaya.com, Page: 12 11/18/2009 Avaya Inc. – Proprietary. Use pursuant to Company Instructions. _____________________________________________________________________________________

Because Ethernet0/1 is in the Untrust zone and not configured as manageable, all service options are disabled.

_____________________________________________________________________________________ www.support.avaya.com, Page: 13 11/18/2009 Avaya Inc. – Proprietary. Use pursuant to Company Instructions. _____________________________________________________________________________________

3.3 IP Address Pool The XAuth protocol enables the Juniper SSG to dynamically assign IP addresses from a configured IP Address pool range to IPSec clients such as the Avaya 96xx VPN enabled Phone. The following steps create the IP Address Pool: 1 From the left navigation menu, select Objects > IP Pools. On the IP Pools list page, select New. 2 From the IP Pools Edit page, populate the highlighted fields shown below then select OK to save. The IP Pool Name is a descriptive name for this IP Pool. Once configured, this name will appear in the IP Pool Name drop-down menu of Section 4.8. Ensure the IP address range does not conflict with addresses used throughout the corporate trusted network.

3. The IP Pools list page displays the new address pool entry.

3.4 Routes The sample configuration requires two new route entries be added to the Juniper SSG routing table, one specifying the default route and one specifying the network address range entered for the IP Address Pool in Section 4.3. Although several routing options exist in the Juniper SSG platform, static routes are used for this sample configuration.

3.5 Configure Default Route

_____________________________________________________________________________________ www.support.avaya.com, Page: 14 11/18/2009 Avaya Inc. – Proprietary. Use pursuant to Company Instructions. _____________________________________________________________________________________

1 From the left navigation menu, select Network > Routing > Destination The Route Entries screen similar to the one below appears. 2 Configure the highlighted fields shown below. All remaining fields can be left as default. Select OK to save. Select trust-vr from drop down menu then New The 0.0.0.0/0 network indicates the default route when no other matches existing in the routing table. The route is going to the next hop out interface Ethernet 0/2 to the public internet.

_____________________________________________________________________________________ www.support.avaya.com, Page: 15 11/18/2009 Avaya Inc. – Proprietary. Use pursuant to Company Instructions. _____________________________________________________________________________________

3.6 Configure Route to IP Pool Address range

1 From the Route Entries screen, select trust-vr from the drop down menu then select New. 2 Configure the highlighted fields shown below. All remaining fields can be left as default. Select OK

to save. The IP Address / Netmask is the network used for the IP Address Pool in Section 4.3. The Gateway IP Address specifies the next hop route of the trusted corporate network.

3.7 Local User Configuration The sample configuration includes two different user types; IKE users and XAuth users. IKE users are typically associated with a device such as the Avaya VPN enabled Phone and are used to authenticate the actual device during the establishment of the IPSec tunnel. XAuth users are remotely authenticated users who access a head-end security gateway via an AutoKey IKE VPN tunnel. Whereas the authentication of IKE users is actually the authentication of an individual’s device, Avaya VPN enabled Phone, the authentication of XAuth users is the authentication of the individual

_____________________________________________________________________________________ www.support.avaya.com, Page: 16 11/18/2009 Avaya Inc. – Proprietary. Use pursuant to Company Instructions. _____________________________________________________________________________________

themselves. 3.7.1 IKE User

The following steps create an IKE user to be used by Avaya VPN enabled Phones for IKE authentication.

1. From the left navigation menu, select Objects > User > Local > New. Configure the highlighted fields shown below. All remaining fields can be left as default. Select OK to save.

The Number of Multiple Logins with Same ID parameter specifies the number of end-points that can concurrently establish IPSec tunnels using this identity. This number must equal or exceed the number of Avaya VPN enabled Phones accessing this Juniper SSG. IKE Identity, combined with a Pre-Shared Key, is used to identify the end-point when an initial IKE Phase one dialog begins. The format of the IKE Identity used is of an email address. As described in Section 5.2, the Group Name field of the Avaya VPN enabled Phone must match this IKE Identity string. [email protected] is used in these Application Notes however any email address string can be used.

2. The local Users list page displays the new IKE user:

_____________________________________________________________________________________ www.support.avaya.com, Page: 17 11/18/2009 Avaya Inc. – Proprietary. Use pursuant to Company Instructions. _____________________________________________________________________________________

3.8 XAuth Users Three XAuth user accounts, wasim, ganesh, kdas etc are created in the sample configuration for users of the Avaya 96xx VPN enabled Phones. The following steps create a user account for wasim. Follow the same steps to create accounts for ganesh, kdas etc. The XAuth server of the Juniper SSG provides the authentication of these users. The users of the Avaya 96xx VPN enabled Phone will need to be supplied with their user name and password. Users will be prompted on the phone display to enter this information as the Avaya 96xx VPN enabled Phone establishes the IPSec tunnel or the password can be stored the 96xx VPN enabled Phones flash memory, see Section 5.2 for additional detail.

1. From the left navigation menu, select Objects > User > Local > New. Configure the highlighted fields shown below. All remaining fields can be left as default. Select OK to save.

Follow the same steps for each additional user.

_____________________________________________________________________________________ www.support.avaya.com, Page: 18 11/18/2009 Avaya Inc. – Proprietary. Use pursuant to Company Instructions. _____________________________________________________________________________________

2. The local Users list page displays the new XAuth users:

3.9 Local User Group Configuration User groups have the benefit of being able to create one policy for the user group and that policy automatically applies to all members of a group. This eliminates the need to create polices for each

_____________________________________________________________________________________ www.support.avaya.com, Page: 19 11/18/2009 Avaya Inc. – Proprietary. Use pursuant to Company Instructions. _____________________________________________________________________________________

individual user. The sample configuration includes two different types of User Groups: IKE and XAuth. The IKE users and XAuth users created in Section 4.5 must now be added to an IKE Group and an XAuth Group respectfully.

3.9.1 IKE User Group 1. From the left navigation menu, select Objects > User > Local Groups > New.

Enter a descriptive Group Name. Select the vpnphone-ike user name from the Available Members column on the right. Select the << icon to move the user name to the Group Members column on the left. Select OK to save.

2. The Local Groups list page displays the new IKE group:

3.9.2 Xauth User Group 1 From the left navigation menu, select Objects > User > Local Groups > New. Enter a descriptive Group Name. Select the wasim, ganesh and kdas user names from the Available Members column on the

_____________________________________________________________________________________ www.support.avaya.com, Page: 20 11/18/2009 Avaya Inc. – Proprietary. Use pursuant to Company Instructions. _____________________________________________________________________________________

right. Select the << icon to move the user name to the Group Members column on the left. Select OK to save. 2 The Local Groups list page displays the new XAuth group:

.

3.10 VPN Setting up the VPN tunnel encryption and authentication is a two-phase process. Phase 1 covers how the Avaya 96xx VPN enabled Phone and the Juniper SSG will securely negotiate and handle the building of the tunnel. Phase 2 sets up how the data passing through the tunnel will be encrypted at one end and decrypted at the other. This process is carried out on both sides of the tunnel. Table 3 provides the IKE Proposals used in the sample configuration including the proposal name used by the Juniper SSG.

_____________________________________________________________________________________ www.support.avaya.com, Page: 21 11/18/2009 Avaya Inc. – Proprietary. Use pursuant to Company Instructions. _____________________________________________________________________________________

Phase Encryption/

Authentication Method

Diffie-Hellman Group

Encryption Algorithm

Hash Algorithm

Life Time (sec)

SSG Proposal Name

P1 Pre-Shared Key 2 3DES MD5 28800 pre-g2-3des-md5 P2 ESP 2 AES128 SHA-1 3600 g2-esp-aes128-sha

Table 3 – IKE P1 /P2 Proposals

3.10.1 AutoKey IKE Gateway Configuration - Phase 1

1. From the left navigation menu, select VPNs > AutoKey Advanced > Gateway. Select New. Configure the highlighted fields shown below. All remaining fields can be left as default.

Provide a descriptive Gateway Name. Selecting Custom Security Level provides access to a more complete list of proposals available on this Juniper SSG. Selecting Dialup User Group associates the Group ssg20-grp created in Section 4.6 to this IKE gateway. Enter an ASCII text string for a Preshared Key that will match the text entered on the Avaya 96xx VPN enabled Phone. Outgoing Interface is the interface which terminates the VPN tunnel. Select Advanced to access additional configuration options.

2. Configure the highlighted fields shown on the next page. All remaining fields can be left as default.

_____________________________________________________________________________________ www.support.avaya.com, Page: 22 11/18/2009 Avaya Inc. – Proprietary. Use pursuant to Company Instructions. _____________________________________________________________________________________

Select Return to complete the advanced configuration, and then OK to save.

Select Security Level of Custom and the appropriate Phase 1 Proposal from the drop down menu. Refer to Table 3 – IKE P1 / P2 Proposals. Aggressive Mode must be used for end-point negotiation such as the Avaya 96xx VPN enabled Phone. Enable NAT-Traversal allows IPSec traffic after Phase 2 negotiations are complete to traverse a Network Address Translation (NAT) device The Juniper SSG first checks if a NAT device is present in the path between itself and the Avaya 96xx VPN enabled Phone. If a NAT device is detected, the Juniper SSG uses UDP to encapsulate each IPSec packet.

_____________________________________________________________________________________ www.support.avaya.com, Page: 23 11/18/2009 Avaya Inc. – Proprietary. Use pursuant to Company Instructions. _____________________________________________________________________________________

1 Because the IKE group was selected in Step 1 above, a pop-up window similar to the one below is displayed as a reminder to enable the XAuth server. Section 4.8 provides the XAuth server configuration. Select OK. 2 The AutoKey Advanced > Gateway list page displays the new gateway.

3.10.2 AutoKey IKE VPN Tunnel Configuration - Phase 2

1. From the left navigation menu, select VPNs > AutoKey IKE. Select New. Configure the

highlighted fields shown below. All remaining fields can be left as default.

Provide a descriptive VPN Name. Selecting Custom Security Level provides access to a more complete list of proposals available on the Juniper SSG. Select Predefined for Remote Gateway and the select the Remote Gateway name entered in Section 4.7.1, vpnphone-gw, from the drop-down menu. Select Advanced to access additional configuration options.

_____________________________________________________________________________________ www.support.avaya.com, Page: 24 11/18/2009 Avaya Inc. – Proprietary. Use pursuant to Company Instructions. _____________________________________________________________________________________

2. Configure the highlighted fields shown below. All remaining fields can be left as default. Select Return to complete the advanced configuration, and then OK to save.

Select Security Level of Custom and the appropriate Phase 2 Proposal from the drop down menu. Refer to Table 3 – IKE P1 / P2 Proposals. Replay Protection protects the encrypted IPSec traffic from man-in-the-middle replay attacks by including a sequence number with each IKE negotiation between the IKE endpoints. Bind to None uses the outgoing interface, Ethernet 0/2, for all VPN tunnel traffic.

_____________________________________________________________________________________ www.support.avaya.com, Page: 25 11/18/2009 Avaya Inc. – Proprietary. Use pursuant to Company Instructions. _____________________________________________________________________________________

3. The AutoKey IKE list page displays the new IKE VPN:

_____________________________________________________________________________________ www.support.avaya.com, Page: 26 11/18/2009 Avaya Inc. – Proprietary. Use pursuant to Company Instructions. _____________________________________________________________________________________

3.11 XAuth Configuration

The Juniper SSG has a “local” XAuth server integrated within the ScreenOS operating system. Alternatively, an external Radius server can be used. These Application Notes implement the “local” ScreenOS XAuth server. The following steps configure the default and IKE gateway specific settings of the local XAuth server.

3.11.1 XAuth Server Defaults

1. From the left navigation menu, select VPNs > AutoKey Advanced > XAuth Settings. Configure the highlighted fields shown below. All remaining fields can be left as default. Select Apply when complete. Select the IP Pool Name created in Section 4.3 from the drop down menu. This defines the IP Address range used when IP addresses are dynamically assigned to the Avaya VPN enabled Phone by the XAuth server during IKE setup. DNS and WINS IP addresses are also dynamically assigned by the XAuth server.

_____________________________________________________________________________________ www.support.avaya.com, Page: 27 11/18/2009 Avaya Inc. – Proprietary. Use pursuant to Company Instructions. _____________________________________________________________________________________

3.11.2 Enable XAuth Authentication for AutoKey IKE gateway

1. From the left navigation menu, select VPNs > AutoKey Advanced > Gateway. The list page displays the IKE gateway created in Section 4.7.1 as shown below. Select Xauth under the Configure column for the vpnphone-gw IKE gateway. 2 Configure the highlighted fields shown below. All remaining fields can be left as default. Select OK when complete to save settings.

_____________________________________________________________________________________ www.support.avaya.com, Page: 28 11/18/2009 Avaya Inc. – Proprietary. Use pursuant to Company Instructions. _____________________________________________________________________________________

3.12 H.323 ALG

1. From the left navigation menu, select Configuration > Advanced > ALG > Configure. Un-

check the H323 check box to globally disable the H.323 Application Layer Gateway.

3.13 Security Policies

1. From the left navigation menu select Policies. Any currently configured security policies are displayed. Create a security policy for traffic flowing from the Untrust zone to the Trust zone. On the top of the Policies page select Untrust on the From drop-down menu and Trust on the To drop-down menu. Select the New button on top right corner of page to create the new security policy. 2 Configure the highlighted fields shown below. All remaining fields can be left as default. Select OK when complete to save settings. Enter a descriptive policy Name to easily identify this policy in the policy list and logs.

_____________________________________________________________________________________ www.support.avaya.com, Page: 29 11/18/2009 Avaya Inc. – Proprietary. Use pursuant to Company Instructions. _____________________________________________________________________________________

Selecting Dial-Up VPN from the Source Address drop down menu and Any from the Destination Address defines the VPN tunnel as the traffic originator. Selecting Tunnel from the Action field drop down menu indicates the action the SSG will take against traffic that matches the first three criteria of the policy: Source Address, Destination Address, and Service. All matching traffic will be associated with a particular VPN Tunnel specified in the Tunnel field. Selecting vpnphone-vpn from the Tunnel VPN drop down menu associates the VPN enabled Phone VPN tunnel to the Action. Check the Modify matching bidirectional VPN policy to have the SSG create a matching VPN policy for traffic flowing in the opposite direction.

_____________________________________________________________________________________ www.support.avaya.com, Page: 30 11/18/2009 Avaya Inc. – Proprietary. Use pursuant to Company Instructions. _____________________________________________________________________________________

4. The Policies list page displays the new Dial-Up VPN policy:

_____________________________________________________________________________________ www.support.avaya.com, Page: 31 11/18/2009 Avaya Inc. – Proprietary. Use pursuant to Company Instructions. _____________________________________________________________________________________

____________________________________________________________________

4. Avaya 96xx VPN Enabled IP Phone CONFIGURATION.

____________________________________________________________________

4.1 96xx series IP Phone Firmware

The Avaya 96xx series (3.1) VPN-Enabled IP Phone firmware must be installed on the phone prior to the phone being deployed in the remote location. The firmware version of Avaya IP telephones can be identified by viewing the version displayed on the phone upon boot up or when the phone is operational by selecting the Options hard button à View IP Settings à soft button Miscellaneous à soft button à Right arrow hard button. The Application file name displayed denotes the installed firmware version. As displayed in Table 1, 96xx series IP Phone firmware includes “3_1” in the name. This allows for easy identification of firmware versions incorporating VPN capabilities.

4.2 Configuring Avaya 96xx series IP Phone

The Avaya 96xx series IP Phone configuration can be administered centrally from an HTTP server through 46xxsettings.txt file (mentioned in section 5.3) or locally on the phone. These Application Notes utilize the local phone configuration method. Refer to [1] and [2] for details on a centralized configuration. 1. There are two methods available to access the VPN Configuration Options menu from the 96xx series IP Phone. [A]. During Telephone Boot: - During the 96xx series IP Phone boot up, “*” key can be used to enter the Configuration mode is displayed on the telephone screen as shown below.

100 Mbps Ethernet * to program

(Please note that the “*” key can also be used to enter the configuration mode till tunnel building procedures is not complete). When the * key is pressed, it will ask for “Enter Code:” we need to Press Mute Button + PROCPSWD (default 27238) (Mute + 2-7-2-3-8 + #) and then press # to Enter into the phone configuration mode. Go to “ADDR” (Address Procedures) and update it with the below details.

_____________________________________________________________________________________ www.support.avaya.com, Page: 32 11/18/2009 Avaya Inc. – Proprietary. Use pursuant to Company Instructions. _____________________________________________________________________________________

Phones IP Address 0.0.0.0 (Will be assigned from the IP pool configured on the VPN gateway or by the Internal DHCP server if the VPN gateway is configured as DHCP Relay).

Call Servers IP Address 192.168.1.201 (Avaya Communication manager IP address).

Router IP Address 0.0.0.0 (Will be assigned by the VPN gateway or by the Internal DHCP server if the VPN gateway is configured as DHCP Relay).

Subnet Mask 0.0.0.0 (Will be assigned by the VPN gateway or by the Internal DHCP server if the VPN gateway is configured as DHCP Relay).

Http Server A.B.C.D (Internal HTTP server IP address in dotted decimal format from the network which contains the Avaya Communication Manager).

Https Server IP Address A.B.C.D (Internal HTTPS server IP address in dotted decimal format from the network which contains the Avaya Communication Manager).

802.1Q Auto

VLAN ID 0

VLAN Test 60

Press Exit to come out of the “ADDR” procedures.

2. Scroll down to the last option VPN. Note that the VPN configuration parameters will not be edited until the value of “VPNPROC” parameter is set to 2. (To do this open the upload directory of file server, open the file 46xxsettings.txt file and append it with “SET VPNPROC 2” and upload this new 46xxsettings.txt file into the avaya 96xx IP phone). It is recommended to set the value of VPNPROC to 2 while uploading the VPN enabled binary into the phone. Use Right Navigation key to go to the next screen options. (Note that the values will not be saved until Right-Navigation key is pressed even if “Save button is pressed”). The External addresses will be reflected only after rebooting the phone. The configuration values of one of the 96xx series IP Phones used in the sample configurations are shown in Table 2 below. No. Option Value

1 VPN : Enabled

2 VPN Vendor: Cisco

3 Gateway Address:

192.168.8.150 (Outside/Untrust interface IP address of VPN gateway)

4 External Router: 192.168.1.1 (Or provided by dhcp from home Network).

5 External Phone IP Address: 192.168.1.2 (Or Same as

_____________________________________________________________________________________ www.support.avaya.com, Page: 33 11/18/2009 Avaya Inc. – Proprietary. Use pursuant to Company Instructions. _____________________________________________________________________________________

above).

6 External Subnet Mask: 255.255.255.0 (Or Same as above).

7 External DNS Server: (Provided by Service provider).

8 Encapsulation : 4500-4500

9 Copy TOS: No

10 Auth. Type: PSK with XAUTH

11 VPN User Type: 1 User

12 VPN User: (VPN username i.e. ganesh as per our notes)

13 Password Type: Save in Flash

14 User Password: ********* (I.e. Remote password i.e. ganesh as per our notes).

15 IKE ID (Group Name): (Group name i.e. [email protected] as per our notes).

16 IKE ID Type: User_FQDN

17 IKE Xchg Mode: Aggressive.

18 IKE DH Group: 2

19 IKE Encryption Alg: Any

20 IKE Auth. Alg. : Any

21 IKE Config. Mode: Enabled

22 IPsec PFS DH Group: 2

23 IPsec Encryption Alg: Any

24 IPsec Auth. Alg.: Any

25 Protected Network: 0.0.0.0/0

26 IKE Over TCP: Never [B] While phone is operational in VPN enabled Mode.

_____________________________________________________________________________________ www.support.avaya.com, Page: 34 11/18/2009 Avaya Inc. – Proprietary. Use pursuant to Company Instructions. _____________________________________________________________________________________

Press “Mute button + procpswd + #” to enter the craft procedures and follow the above steps to program the VPN enabled phone.

4.3 “46xxsettings.txt” File

The 46xxsetting.txt file contains variable values used by the 96xx phone during the setup of the IPSec VPN tunnel. The variables specific Nortel for Local credentials authentication are listed below. Descriptions of each variable and the values used in the sample configuration are shown. ########################################################################################## ## VPN Mode ## 0: Disabled, 1: Enabled. ########################################################################################## SET NVVPNMODE 1 ########################################################################################## ## Vendor. ## 1: Juniper/Netscreen, 2. Cisco ## 3: Checkpoint/ Nokia 4: Other ## 5: Nortel. ########################################################################################## SET NVVPNSVENDOR 1 ########################################################################################## ## Encapsulation Type. ## 0: 4500-4500, 1: Disabled ## 2: 2070-500, ## 4: RFC (500-500) ########################################################################################## SET NVVPNENCAPS 0 ########################################################################################## ## Copy TOS. ## 1: Yes, 2: No ########################################################################################## SET NVVPNCOPYTOS 2 ########################################################################################## ## Authentication Type. ## ## [For Cisco/Juniper/Checkpoint/Other] ## 3: PSK, 4: PSK with Xauth ## 5: RSA signatures with Xauth, 6: Hybrid Xauth ## 7: RSA signatures. ## ## [Nortel Authentication Type] ## 1: Local credentials, 2: Radius Credentials. ## 3: Radius SecureID, 4: Radius Axent. ########################################################################################## SET NVVPNAUTHTYPE 1 ########################################################################################## ## VPN User Type. ## 1: Any, 2: User ########################################################################################## SET NVVPNUSERTYPE 2

_____________________________________________________________________________________ www.support.avaya.com, Page: 35 11/18/2009 Avaya Inc. – Proprietary. Use pursuant to Company Instructions. _____________________________________________________________________________________

########################################################################################## ## VPN User name. ########################################################################################## SET NVVPNUSER ganesh ########################################################################################## ## Password Type. ## 1: Save in Flash, 2: Erase on reset ## 3: Numeric OTP, 4: Alpha-Numeric OTP ## 5: Erase on VPN termination. ########################################################################################## SET NVVPNPSWDTYPE 1 ########################################################################################## ## User Password. ########################################################################################## SET NVVPNPSWD ganesh ########################################################################################## ## IKE ID (Group Name). ########################################################################################## SET NVIKEID [email protected] ########################################################################################## ## Preshared Key (Group Password). ########################################################################################## SET NVIKEPSK avaya123 ########################################################################################## ## IKE ID Type. ## 1: IPv4_ADDR, 2: FQDN ## 3: USER_FQDN, 9: DER_ASN1_DN ## 11: Key ID ########################################################################################## SET NVIKEIDTYPE 3 ########################################################################################## ## IKE Xchg Mode. ## 1: Aggressive, 2: Identity Protect. ########################################################################################## SET NVIKEXCHGMODE 1 ########################################################################################## ## IKE DH Group. ########################################################################################## SET NVIKEDHGRP 2 ########################################################################################## ## IKE Encryption Algo. ## 1: AES-128, 2: 3DES ## 3: DEs 4: AEs-192 ## 5: AES-256 0: Any ########################################################################################## SET NVIKEP1ENCALG 0 ########################################################################################## ## IKE Auth algo. ## 0: Any, 1: MD5 ## 2: SHA-1 ########################################################################################## SET NVIKEP1AUTHALG 0 ########################################################################################## ## IKE Config Mode. ## 0: Enabled, 1: Disabled.

_____________________________________________________________________________________ www.support.avaya.com, Page: 36 11/18/2009 Avaya Inc. – Proprietary. Use pursuant to Company Instructions. _____________________________________________________________________________________

########################################################################################## SET NVIKECONFIGMODE 0 ########################################################################################## ## IPsec PFS DH group. ########################################################################################## SET NVPFSDHGRP 2 ########################################################################################## ## IPsec Encryption Algo. ## 1: AES-128, 2: 3DES ## 3: DES 4: AEs-192 ## 5: AES-256 6: None ## 0: Any ########################################################################################## SET NVIKEP2ENCALG 0 ########################################################################################## ## IPsec Authentication Algo. ## 0: Any, 1: MD5 ## 2: SHA-1 ########################################################################################## SET NVIKEP2AUTHALG 0 ########################################################################################## ## Protected Network. ########################################################################################## SET NVIPSECSUBNET 0.0.0.0/24 ########################################################################################## ## IKE Over TCP. ## 0: Never, 1: Auto ## 2: Always ########################################################################################## SET NVIKEOVERTCP 0 ########################################################################################## ## Craft access ## 0: Enabled, 1: only view option is available? ########################################################################################## SET PROCSTAT 0 ########################################################################################## ## VPN craft access ## 0: disabled, 1: view only ## 2: View and edit. ########################################################################################## SET VPNPROC 2 ########################################################################################## ## Call Server address ########################################################################################## ##SET MCIPADD 192.168.1.162 ########################################################################################## ## Craft code ########################################################################################## SET PROCPSWD 27238 ########################################################################################## ## VPN craft access code ########################################################################################## SET NVVPNCODE 876 ########################################################################################## ## SNMP String ##########################################################################################

_____________________________________________________________________________________ www.support.avaya.com, Page: 37 11/18/2009 Avaya Inc. – Proprietary. Use pursuant to Company Instructions. _____________________________________________________________________________________

##SET SNMPSTRING public ##########################################################################################

_____________________________________________________________________________________ www.support.avaya.com, Page: 38 11/18/2009 Avaya Inc. – Proprietary. Use pursuant to Company Instructions. _____________________________________________________________________________________

____________________________________________________________________

5. TROUBLE SHOOTING

____________________________________________________________________ This section offers some common configuration mismatches between the 96xx series IP Phone and the Juniper VPN Router to assist in troubleshooting. The key events of the logs are highlighted in bold. Juniper VPN Router log messages can be access through REPORTS -- > SYSTEM LOG -- > EVENT from the main web management interface.

5.1 IKE Phase 1 no response. If we given user name are incorrect we will get VPN Tunnel Failure Message.

VPN tunnel failure Retry Details Sleep

If we press Retry Soft key again it will retry to establish the tunnel. If we press Details Soft key. We can see IKE Phase 1 no response

IKE Phase 1 no response Restart Program Back

Press Program soft key it will redirect to Craft Code Screen Give Craft Code and it will redirect to Craft Procedures Screen here select VPN and press Start soft key. Press forward soft key on the phone and check the IKE Exchange mode, Check IKE Phase1 parameters on VPN gateway and phone is correct or not, Check the IP pool is configured properly and also same pool name it is mentioned in Profiles -- >Groups -- > Base -- > Edit -- > Connectivity -- > Address pool.

Enter Code: # = OK

_____________________________________________________________________________________ www.support.avaya.com, Page: 39 11/18/2009 Avaya Inc. – Proprietary. Use pursuant to Company Instructions. _____________________________________________________________________________________

5.2 Incorrect IKE Phase 2 If we given incorrect IKE Phase 2 Settings then we will get VPN Tunnel Failure Message

VPN tunnel failure Retry Details Sleep

If we press Retry soft key again it will retry to establish the tunnel. If we press Details soft key we can see Invalid configuration screen.

Invalid configuration Restart Program Back

Press Program soft key it will redirect to Craft Code Screen

Enter Code: # = OK

Give procpswd and it will redirect to local configuration Procedures Screen here select VPN and press Start soft key Press forward soft key on the phone and it will go to IKE Phase 2 Screen, here check the IKE Phase 2 Screen Settings is correct or not.

5.3 Invalid Username, password: Re-enter the correct VPN Username (as configured in the user database) and correct VPN user password.

5.4 Invalid IKEID and PSK: Goto the local procedure configuration page (using details Softkey -- > program -- > procpswd) on the phone and re-enter the correct (configured on the VPN gateway) group name and group password. Group name should be of the form [email protected]. Check the Group password.

5.5 Phone displaying “connecting…” This issue can be resolved by the administrators who have access to the Avaya Communication manager and Nortel VPN Gateway. Open the web interface of the Nortel VPN gateway. Check the entered routes are

_____________________________________________________________________________________ www.support.avaya.com, Page: 40 11/18/2009 Avaya Inc. – Proprietary. Use pursuant to Company Instructions. _____________________________________________________________________________________

correct. Check that the phone requests are able to reach the ACM and also phone gets response from the ACM (Trace using any sniffing software e.g. Ethereal/Wireshark). Open up the 46xxsettings.txt file and enter “SET VPNTTS 0”. Reboot the phone with the correct file server IP address.

5.6 No gateway address: Goto to the local procedures configuration page (using details Softkey -- > program -- > procpswd) -- > ADDR -- > Enter the valid Gateway (Avaya Communication Manager) address.

_____________________________________________________________________________________ www.support.avaya.com, Page: 41 11/18/2009 Avaya Inc. – Proprietary. Use pursuant to Company Instructions. _____________________________________________________________________________________

____________________________________________________________________

6. CONCLUSION

____________________________________________________________________

The Avaya 96xx series IP Phone combined with Juniper SSG VPN Gateway security appliance provides a secure solution for remote worker telephony over any broadband Internet connection. These Application Notes demonstrate the interoperability of the Avaya 96xx Phone with the Juniper VPN Gateway using Secure IPSec method.

_____________________________________________________________________________________ www.support.avaya.com, Page: 42 11/18/2009 Avaya Inc. – Proprietary. Use pursuant to Company Instructions. _____________________________________________________________________________________

____________________________________________________________________

7. REFERENCES

[1] Avaya solutions and Interoperability Test labs. Application Notes for Configuring Avaya VPN enabled™ Phone with Juniper Secure Services Gateway using Policy-Based IPSec VPN and XAuth Enhanced Authentication – Issue 1.0 [2] Juniper Networks: Concepts & Examples ScreenOS Reference Guide; Volume 5: Virtual Private Networks Release 5.4.0, Rev. A

http://www.juniper.net/techpubs/software/screenos/screenos5.4.0/CE_v5.pdf

[3] Secure Services Gateway (SSG) 500 Series Hardware Installation and Configuration Guide ScreenOS Version 5.4.0 http://www.juniper.net/techpubs/hardware/netscreen-systems/netscreensystems54/SSG_HW_revA.pdf [4] Cameron R., Cantrell C., Killion D., Russell K., Tam K. (2005) Configuring NetScreen Firewalls. Rockland: Syngress Publishing, Inc.

http://juniper.net/training/jnbooks/configuring_nscn_firewalls.html [5] Avaya VPN enabled Phone documentation and software download.

http://support.avaya.com/japple/css/japple?PAGE=Product&temp.productID=280576&temp.releaseID=280577

[6] Additional Avaya Application Notes and Resources are available, http://www.avaya.com/gcm/master-usa/en-us/resource/

Avaya Inc. All Rights Reserved. Avaya and the Avaya Logo are trademarks of Avaya Inc. All trademarks identified by ® and ™ are registered trademarks or trademarks, respectively, of Avaya Inc. All other trademarks are the property of their respective owners. The information provided in these Application Notes is subject to change without notice. The configurations, technical data, and recommendations provided in these Application Notes are believed to be accurate and dependable, but are presented without express or implied warranty. Users are responsible for their application of any products specified in these Application Notes.