Avatel Technologies
Adtran VPN Setup
NetVanta 3120
Editor | Date | Version | Modifications
Jeff Chancey | 8/24/2015 | 1.0 | Created
Jeff Chancey | 9/2/2015 | 1.1 | Updated Remote Access in Setup Wizard
Jeff Chancey | 9/11/15 | 1.2 | Added additional information regarding Remote IDs for each username
Contents
Upgrading Firmware for Adtran NetVanta 3120
Programming Adtran NetVanta 3120 Public IP Address
Programming Adtran NetVanta 3120 for VPN Phones
Programming via CRAFT Menu - VPN Phones
Upgrading Firmware for Adtran NetVanta 3120
Power up the Adtran and access it via Firefox. Chrome and Internet Explorer do not work as well. The default information for accessing the Adtran is below.
IP Address: 10.10.10.1
Username: admin
Password: password
DHCP: Enabled
*** First step is to upgrade the firmware to the latest version. If firmware is not updated, you will run into issues. ***
To upgrade the firmware, click here. Then select the correct product and download the latest version of firmware.
Browse to Firmware, located on the left menu under Utilities. First, delete the secondary firmware to free up space for the new one.
Once the secondary firmware is deleted you can now upload the new firmware. Be sure to select Replace Primary before clicking Upload. You will see a message stating “Please wait while a file uploads”. Be patient!
Once the upload completes, the "please wait" message turns green and states that the file has been successfully uploaded to flash.
Now set the Primary Firmware to the new version and set the Secondary Firmware to the older version then click Apply. If you forget which is primary and which is secondary, just look at the green success message and it tells you which one was just uploaded.
Now just click Reboot Unit on the left menu and select Save and Reboot. This will save the new configuration and firmware and reboot the Adtran. This process takes about a minute.
Once the Adtran is back up after the reboot, verify that the new firmware is in place on the System Summary.
Programming Adtran NetVanta 3120 Public IP Address
Now that the firmware has been updated, access the Adtran at the default IP address, 10.10.10.1, using the default username, admin, and the default password, password. Select Setup Wizard on the left menu. Another window will open with the Setup Wizard.
On the Welcome page of the Setup Wizard, select Advanced Configuration and click Next.
Click Next on the Save Configuration window.
On the System Information window, fill in the company name and for the system password enter: avatelletava. Set the Time Server to SNTP and use 0.pool.ntp.org for the Time Server Hostname. Click Next.
For the Private Settings, you can leave the IP address and Subnet Mask default unless otherwise instructed. Click Next.
DHCP Server should be disabled if this is going on the customer’s network. If you leave it enabled for whatever reason at this point, be sure to disable it before sending it to the customer.
Click Next on the Public Interface window.
On the next Public Settings window, change the IP Address Type to Static and enter the customer's Public IP address information. Click Next.
On the DNS / Default Gateway window, enter the appropriate information for the customer's Public IP. Click Next.
For Remote Access, check the boxes for: HTTP, HTTPS, Ping, and Telnet.
Click Next on the Routing window. You should see the Default Gateway of the Public IP address here.
On the Requirements window, check the box that you have read and understand the terms.
Finally, on the last page, click Finish. Once you click Finish, the browser should prompt you for the username and password. Enter admin for the username and avatelletava as the password, which we changed a few steps back in the Setup Wizard.
Enter admin and avatelletava. Click OK.
After entering the new password you will get the completed successfully message.
Now you can go back to System Summary and see that the new Public IP address has been programmed.
Programming Adtran NetVanta 3120 for VPN Phones
Before users can authenticate, individual users must be created. To configure these accounts, navigate to the System / Passwords page using the left menu.
Create a unique username for each VPN phone. The easiest way to keep track is to use “phone” followed by the next ascending number.
The default password used for all accounts is 12345678.
Click Add.
After adding the user, scroll down and Enable AAA Mode.
Click Apply.
Now that users have been created, we can enable VPN access to the Adtran. Navigate to Data / VPN Peers via the left menu.
A VPN Peer now needs to be defined. This will specify the parameters used for the remote access VPN connection. To add a VPN peer definition, click the Create New VPN Peer button.
Enter the name, set the VPN Interface to Public, and set the Peer Type to Mobile Peer. After you click Apply, you will see the available parameters to be programmed below.
Step 1 of 6:
The Peer configuration needs to be defined.
· XAUTH Enabled: Local Userlist
· Respond Mode: Aggressive
· NAT Traversal: Allow V1 / Allow V2
· Local ID: IP Address, Public IP Address
· Encryption/Hash: ESP: 3 DES / MD5
Click Apply.
An IKE attribute definition needs to be added in step 2 of 6. This sets the Phase1 policy negotiation parameters. Enter the following parameters and click Add when finished.
IPSec Configuration
· Encryption / Hash = 3 DES / MD5
· Authentication = Preshared Key
· DH Group = 2
· Lifetime = 28800 seconds
A Remote ID definition needs to be added in step 3 of 6. This specifies the ID parameters used to match a VPN client to this peer definition. Enter the following parameters and click Add when finished. If you are adding multiple VPN phones to connect to the Adtran, you must create a new Remote ID for each user. It is easiest to match the Remote ID to the username: phone1 username with Remote ID [email protected]; phone2 username with Remote ID [email protected]; etc.
· Remote ID Type = Email Address
· Email Address = [email protected]
· Preshared Key = 12345678
· Allow XAUTH = Enabled
· NAT Traversal = Allow V1 / Allow V2
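An added example, not part of the original guide or of Adtran's software: a short audit that reads VPN peer settings written in the `key = value` form used above and reports parameters that are deprecated or easy to guess. The rule set, the `User Password` key and the sample text are assumptions of this example.

```python
import re

# Constructed sample: the Step 1-3 values from this guide as "key = value" lines.
SAMPLE = """\
Respond Mode = Aggressive
Encryption / Hash = 3 DES / MD5
Authentication = Preshared Key
DH Group = 2
Lifetime = 28800 seconds
Preshared Key = 12345678
User Password = 12345678
"""

LINE = re.compile(r"^\s*[·\-*]?\s*([^=:]+?)\s*[=:]\s*(.+?)\s*$")

def squash(text):
    """Lowercase and drop all whitespace so '3 DES / MD5' becomes '3des/md5'."""
    return re.sub(r"\s+", "", text.lower())

def parse_settings(text):
    """Return {normalized key: normalized value} for each 'key = value' line."""
    settings = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            settings[squash(m.group(1))] = squash(m.group(2))
    return settings

# (key, predicate, finding). The rule set is this example's assumption.
RULES = [
    ("encryption/hash", lambda v: "3des" in v, "3DES: 64-bit block cipher, deprecated"),
    ("encryption/hash", lambda v: "md5" in v, "MD5: deprecated hash"),
    ("dhgroup", lambda v: v in {"1", "2"}, "DH group uses a MODP prime of 1024 bits or less"),
    ("respondmode", lambda v: v == "aggressive",
     "aggressive mode with a PSK exposes a key-derived hash before authentication"),
    ("presharedkey", lambda v: len(v) < 20 or v.isdigit(), "preshared key is short or digits only"),
]

def audit(text):
    """Return the list of findings for the settings in text."""
    s = parse_settings(text)
    findings = [msg for key, bad, msg in RULES if key in s and bad(s[key])]
    # Values were lowercased by squash(), so this comparison is case-insensitive.
    if "presharedkey" in s and s["presharedkey"] == s.get("userpassword"):
        findings.append("preshared key is identical to the XAUTH user password")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("WEAK:", finding)
```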
The Remote Addressing parameters need to be defined in step 4 of 6. These settings will be negotiated by the client during Mode Config. Enter the following parameters and click Apply when finished.
NOTE: The IP Address Range defines addresses that will be assigned to client virtual network adapters. Do not use a subnet already in use by the Adtran or by the customer’s network. It is important to use a range that does not overlap any private networks that exist behind the Adtran gateway.
· IP Address Range = 10.10.20.1 – 10.10.20.100 (or your preferred range)
· Primary DNS Server = 4.2.2.2
· Secondary DNS Server = 8.8.8.8
· Primary and Secondary WINS Servers = optional
VPN Peer Policies need to be defined for each network the VPN Client will need to connect to in step 5 of 6. We will assume the client needs to connect to a single private network defined as 10.10.10.0/24. Click the Add New VPN Selector button.
Define the VPN Selector Entry. Enter the following parameters and click Apply when finished.
Filter Type = Permit
Protocol = Any
Source Data
    Type = IP Address
    Address = 10.10.10.0
    Subnet Mask = 255.255.255.0
Destination Data
    Type = IP Address
    Address = 10.10.20.0
    Subnet Mask = 255.255.255.0
Add a second VPN Selector Entry. This uses the same information as the previous entry, with the Source Data and Destination Data swapped. Enter the following parameters and click Apply when finished.
Filter Type = Permit
Protocol = Any
Source Data
    Type = IP Address
    Address = 10.10.20.0
    Subnet Mask = 255.255.255.0
Destination Data
    Type = IP Address
    Address = 10.10.10.0
    Subnet Mask = 255.255.255.0
Once both VPN Selector Entries have been completed, you will see both listed as well as a third labeled “Deny”. You must use the green arrows to the left to move deny to the bottom of the list. Not doing so will result in an unsuccessful authentication.
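An added example, not part of the original guide: a pre-deployment check that the client address pool from step 4 does not overlap the private network, that it sits inside the selector subnet from step 5, and what happens when the Deny entry is left above the permits. It assumes selectors are evaluated top-down with the first match winning and that the Deny entry matches any traffic; all function names are hypothetical.

```python
import ipaddress

def pool_networks(first, last):
    """Smallest set of CIDR blocks covering the address range first..last."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))

def pool_conflicts(first, last, private_nets):
    """Private networks that overlap the client pool; should be empty."""
    pool = pool_networks(first, last)
    return [n for n in map(ipaddress.ip_network, private_nets)
            if any(n.overlaps(p) for p in pool)]

def pool_inside(first, last, selector_net):
    """True if every pool address falls within the selector's subnet."""
    net = ipaddress.ip_network(selector_net)
    return all(p.subnet_of(net) for p in pool_networks(first, last))

def first_match(selectors, src, dst):
    """Action of the first selector matching src -> dst (assumed top-down)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in selectors:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action
    return "deny"

ANY = "0.0.0.0/0"
# Selector order after moving Deny to the bottom, using the guide's subnets.
GOOD = [("permit", "10.10.10.0/24", "10.10.20.0/24"),
        ("permit", "10.10.20.0/24", "10.10.10.0/24"),
        ("deny", ANY, ANY)]
# Same entries with Deny left above the permits.
BAD = [GOOD[2], GOOD[0], GOOD[1]]

if __name__ == "__main__":
    print("overlaps:", pool_conflicts("10.10.20.1", "10.10.20.100", ["10.10.10.0/24"]))
    print("pool inside selector:", pool_inside("10.10.20.1", "10.10.20.100", "10.10.20.0/24"))
    print("deny last :", first_match(GOOD, "10.10.20.5", "10.10.10.1"))
    print("deny first:", first_match(BAD, "10.10.20.5", "10.10.10.1"))
```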
Step 6 of 6 is defaulted with the correct information. Both Public and Private interfaces should allow incoming VPN traffic.
Now back at the main VPN Peer menu, you should see this.
If for any reason you have DHCP enabled, now would be the time to turn it off.
Programming via CRAFT Menu - VPN Phones
With the parameters set, you should now be able to configure the VPN phone. The settings for Avaya VPN phones are listed below, page by page.
Boot phone and enter CRAFT menu
First change GROUP to 876
Menu | Settings | Notes

VPN Config. General
VPN | Enabled | *
VPN Vendor | Other | *
Gateway Address | xxx.xxx.xxx.xxx | Customer's Public IP
External Phone IP Address | 0.0.0.0 | Will be received from Adtran VPN DHCP
External Router | 0.0.0.0 |
External Subnet Mask | 0.0.0.0 |
External DNS Server | 0.0.0.0 |
Encapsulation | 4500-4500 | *
Copy TOS | No | *

VPN Config. Auth. Type
Auth. Type | PSK with XAUTH | *

VPN Config. User Cred.
VPN User Type | Any | *
VPN User… | phone1 | User created in Adtran
Password Type | Save in Flash | *

VPN Config. Password Entry
User Password… | 12345678 | *

VPN Config. IKE PSK
IKE ID (Group Name)… | Remote ID in Adtran VPN Peer |
Pre-Shared Key (PSK)… | 12345678 | *

VPN Config. IKE Phase 1
IKE ID Type | USER_FQDN | *
IKE Xchg Mode | Aggressive | *
IKE DH Group | 2 | *
IKE Encryption Alg | Any | *
IKE Auth. Alg. | Any | *
IKE Config. Mode | Enabled | *

VPN Config. IKE Phase 2
IPsec PFS DH Group | No PFS | *
IPsec Encryption Alg. | Any | *
IPsec Auth. Alg. | Any | *
Protected Network… | 10.10.10.0/24 | Subnet of the Adtran's IP

VPN Config. IKE Over TCP
IKE Over TCP | Auto | *