
Avatel Technologies

Adtran VPN Setup

NetVanta 3120

| Editor | Date | Version | Modifications |
|---|---|---|---|
| Jeff Chancey | 8/24/2015 | 1.0 | Created |
| Jeff Chancey | 9/2/2015 | 1.1 | Updated Remote Access in Setup Wizard |
| Jeff Chancey | 9/11/15 | 1.2 | Added additional information regarding Remote IDs for each username |

Contents

· Upgrading Firmware for Adtran NetVanta 3120

· Programming Adtran NetVanta 3120 Public IP Address

· Programming Adtran NetVanta 3120 for VPN Phones

· Programming via CRAFT Menu - VPN Phones

Upgrading Firmware for Adtran NetVanta 3120

Power up the Adtran and access it via Firefox. Chrome and Internet Explorer do not work as well. The default information for accessing the Adtran is below.

· IP Address = 10.10.10.1

· Username = admin

· Password = password

· DHCP = Enabled

*** First step is to upgrade the firmware to the latest version. If firmware is not updated, you will run into issues. ***

To upgrade the firmware, click here. Then select the correct product and download the latest version of firmware.

Browse to Firmware, located on the left menu under Utilities. First, delete the secondary firmware to free up space for the new version.

Once the secondary firmware is deleted you can now upload the new firmware. Be sure to select Replace Primary before clicking Upload. You will see a message stating “Please wait while a file uploads”. Be patient!

Once the upload completes, the "please wait" message turns green and states that the file has been successfully uploaded to flash.

Now set the Primary Firmware to the new version and set the Secondary Firmware to the older version then click Apply. If you forget which is primary and which is secondary, just look at the green success message and it tells you which one was just uploaded.

Now just click Reboot Unit on the left menu and select Save and Reboot. This will save the new configuration and firmware and reboot the Adtran. This process takes about a minute.

Once the Adtran is back up after the reboot, verify that the new firmware is in place on the System Summary.

Programming Adtran NetVanta 3120 Public IP Address

Now that the firmware has been updated, access the Adtran at the default IP address, 10.10.10.1, using the default username, admin, and default password, password. Select Setup Wizard on the left menu. Another window will open with the Setup Wizard.

On the Welcome page of the Setup Wizard, select Advanced Configuration and click Next.

Click Next on the Save Configuration window.

On the System Information window, fill in the company name and, for the system password, enter: avatelletava. Set the Time Server to SNTP and use 0.pool.ntp.org for the Time Server Hostname. Click Next.

For the Private Settings, you can leave the IP address and Subnet Mask default unless otherwise instructed. Click Next.

DHCP Server should be disabled if this is going on the customer’s network. If you leave it enabled for whatever reason at this point, be sure to disable it before sending it to the customer.

Click Next on the Public Interface window.

On the next Public Settings window, change the IP Address Type to Static and enter the customer's Public IP address information. Click Next.

On the DNS / Default Gateway window, enter the appropriate information for the customer's Public IP. Click Next.

For Remote Access, check the boxes for: HTTP, HTTPS, Ping, and Telnet

Click Next on the Routing window. You should see the Default Gateway of the Public IP address here.

On the Requirements window, check the box that you have read and understand the terms.

Finally on the last page, click Finish. Once you click finish the browser should prompt you for the username and password. Enter admin for the username and avatelletava as the password that we just changed a few steps back in the Setup Wizard.

Enter admin and avatelletava. Click OK

After entering the new password you will get the completed successfully message.

Now you can go back to System Summary and see that the new Public IP address has been programmed.

Programming Adtran NetVanta 3120 for VPN Phones

Before users can authenticate, individual users must be created. To configure these accounts, navigate to the System / Passwords page using the left menu.

Create a unique username for each VPN phone. The easiest way to keep track is to use “phone” followed by the next ascending number.

The default password used for all accounts is 12345678.

Click Add.

After adding the user, scroll down and Enable AAA Mode.

Click Apply.

Now that users have been created, we can enable VPN access to the Adtran. Navigate to Data / VPN Peers via the left menu.

A VPN Peer now needs to be defined. This will specify the parameters used for the remote access VPN connection. To add a VPN peer definition, click the Create New VPN Peer button.

Enter the name, set the VPN Interface to Public, and set the Peer Type to Mobile Peer. After you click Apply, you will see the available parameters to be programmed below.

Step 1 of 6:

The Peer configuration needs to be defined.

· XAUTH Enabled: Local Userlist

· Respond Mode: Aggressive

· NAT Traversal: Allow V1 / Allow V2

· Local ID: IP Address, Public IP Address

· Encryption/Hash: ESP: 3 DES / MD5

Click Apply.

An IKE attribute definition needs to be added in step 2 of 6. This sets the Phase1 policy negotiation parameters. Enter the following parameters and click Add when finished.

IPSec Configuration

· Encryption / Hash = 3 DES / MD5

· Authentication = Preshared Key

· DH Group = 2

· Lifetime = 28800 seconds

A Remote ID definition needs to be added in step 3 of 6. This specifies the ID parameters used to match a VPN client to this peer definition. Enter the following parameters and click Add when finished. If you are adding multiple VPN phones to connect to the Adtran, you must create a new Remote ID for each user. It is easiest to match it with their username: phone1 username with Remote ID [email protected]; phone2 username with Remote ID [email protected]; etc.

· Remote ID Type = Email Address

· Email Address = [email protected]

· Preshared Key = 12345678

· Allow XAUTH = Enabled

· NAT Traversal = Allow V1 / Allow V2

The Remote Addressing parameters need to be defined in step 4 of 6. These settings will be negotiated by the client during Mode Config. Enter the following parameters and click Apply when finished.

NOTE: The IP Address Range defines addresses that will be assigned to client virtual network adapters. Do not use a subnet already in use by the Adtran or by the customer’s network. It is important to use a range that does not overlap any private networks that exist behind the Adtran gateway.

· IP Address Range = 10.10.20.1 – 10.10.20.100 (or your preferred range)

· Primary DNS Server = 4.2.2.2

· Secondary DNS Server = 8.8.8.8

· Primary and Secondary WINS Servers = optional

VPN Peer Policies need to be defined for each network the VPN Client will need to connect to in step 5 of 6. We will assume the client needs to connect to a single private network defined as 10.10.10.0/24. Click the Add New VPN Selector button.

Define the VPN Selector Entry. Enter the following parameters and click Apply when finished.

· Filter Type = Permit

· Protocol = Any

· Source Data: Type = IP Address, Address = 10.10.10.0, Subnet Mask = 255.255.255.0

· Destination Data: Type = IP Address, Address = 10.10.20.0, Subnet Mask = 255.255.255.0

Add a second VPN Selector Entry. This uses the same information as the previous entry, with the Source Data and Destination Data swapped. Enter the following parameters and click Apply when finished.

· Filter Type = Permit

· Protocol = Any

· Source Data: Type = IP Address, Address = 10.10.20.0, Subnet Mask = 255.255.255.0

· Destination Data: Type = IP Address, Address = 10.10.10.0, Subnet Mask = 255.255.255.0

Once both VPN Selector Entries have been completed, you will see both listed as well as a third labeled “Deny”. You must use the green arrows to the left to move deny to the bottom of the list. Not doing so will result in an unsuccessful authentication.
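The address rules from steps 4 and 5 (a client pool that overlaps nothing behind the gateway, two mirrored Permit selectors, and Deny at the bottom) can be checked before the values are typed into the GUI. This is an added example, not part of the original guide or of any Adtran tool; the function names and the tuple layout of a selector are assumptions made for illustration.

```python
import ipaddress

def pool_blocks(first, last):
    """Collapse a first-last address range into the CIDR blocks covering it."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))

def check_plan(pool_first, pool_last, private_nets, selectors):
    """Return a list of problems; an empty list means the plan is consistent.

    selectors is the ordered list (action, source_cidr, destination_cidr),
    with the built-in Deny entry written as ("deny", "any", "any").
    """
    problems = []
    pool = pool_blocks(pool_first, pool_last)
    privates = [ipaddress.ip_network(n) for n in private_nets]
    # NOTE in step 4: the pool must not overlap any network behind the gateway.
    for block in pool:
        for net in privates:
            if block.overlaps(net):
                problems.append(f"pool block {block} overlaps private network {net}")
    permits = [(ipaddress.ip_network(s), ipaddress.ip_network(d))
               for action, s, d in selectors if action == "permit"]
    # Step 5: every permit needs its source/destination-swapped twin.
    for src, dst in permits:
        if (dst, src) not in permits:
            problems.append(f"permit {src} -> {dst} has no mirrored entry")
    # Each pool block must be the destination of a permit from a private network.
    for block in pool:
        if not any(src in privates and block.subnet_of(dst) for src, dst in permits):
            problems.append(f"pool block {block} is not covered by a selector")
    # The Deny entry has to sit at the bottom of the list.
    actions = [action for action, _, _ in selectors]
    if "deny" in actions and actions.index("deny") != len(actions) - 1:
        problems.append("deny entry is not at the bottom of the selector list")
    return problems

# Values from this guide: pool from step 4, private network and selectors from step 5.
GUIDE_SELECTORS = [
    ("permit", "10.10.10.0/24", "10.10.20.0/24"),
    ("permit", "10.10.20.0/24", "10.10.10.0/24"),
    ("deny", "any", "any"),
]

if __name__ == "__main__":
    for line in check_plan("10.10.20.1", "10.10.20.100",
                           ["10.10.10.0/24"], GUIDE_SELECTORS) or ["plan is consistent"]:
        print(line)
```

Pass every customer subnet that sits behind the Adtran in `private_nets`, not only the Adtran's own 10.10.10.0/24, so an overlap with an existing customer network is caught as well.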

Step 6 of 6 is defaulted with the correct information. Both Public and Private interfaces should allow incoming VPN traffic.

Now back at the main VPN Peer menu, you should see this.

If for any reason you have DHCP enabled, now would be the time to turn it off.

Programming via CRAFT Menu - VPN Phones

You should now be able to configure the VPN phone with the parameters that were set. Below are the settings, page by page, for Avaya VPN phones.

Boot phone and enter CRAFT menu

First change GROUP to 876

| Menu | Settings | Notes |
|---|---|---|
| VPN Config. General | | |
| VPN | Enabled | * |
| VPN Vendor | Other | * |
| Gateway Address | xxx.xxx.xxx.xxx | Customer's Public IP |
| External Phone IP Address | 0.0.0.0 | Will be received from Adtran VPN DHCP |
| External Router | 0.0.0.0 | |
| External Subnet Mask | 0.0.0.0 | |
| External DNS Server | 0.0.0.0 | |
| Encapsulation | 4500-4500 | * |
| Copy TOS | No | * |
| VPN Config. Auth. Type | | |
| Auth. Type | PSK with XAUTH | * |
| VPN Config. User Cred. | | |
| VPN User Type | Any | * |
| VPN User… | phone1 | User created in Adtran |
| Password Type | Save in Flash | * |
| VPN Config. Password Entry | | |
| User Password… | 12345678 | * |
| VPN Config. IKE PSK | | |
| IKE ID (Group Name)… | [email protected] | Remote ID in Adtran VPN Peer |
| Pre-Shared Key (PSK)… | 12345678 | * |
| VPN Config. IKE Phase 1 | | |
| IKE ID Type | USER_FQDN | * |
| IKE Xchg Mode | Aggressive | * |
| IKE DH Group | 2 | * |
| IKE Encryption Alg | Any | * |
| IKE Auth. Alg. | Any | * |
| IKE Config. Mode | Enabled | * |
| VPN Config. IKE Phase 2 | | |
| IPsec PFS DH Group | No PFS | * |
| IPsec Encryption Alg. | Any | * |
| IPsec Auth. Alg. | Any | * |
| Protected Network… | 10.10.10.0/24 | Subnet of the Adtran's IP |
| VPN Config. IKE Over TCP | | |
| IKE Over TCP | Auto | * |
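The parameter set this guide programs (Remote Access in the Setup Wizard, steps 1 to 3 of the VPN peer, and the phone's IKE Phase 2 page) can be run through a small audit that flags the settings a security review would question. This is an added example, not part of the original guide or of Adtran's or Avaya's tooling; the dictionary layout, the finding names and the MIN_PSK_LEN threshold are assumptions.

```python
# Values copied from this guide; the dictionary layout itself is an assumption.
GUIDE_SETTINGS = {
    "remote_access": ["HTTP", "HTTPS", "Ping", "Telnet"],   # Setup Wizard
    "respond_mode": "Aggressive",                           # step 1 of 6
    "ike_auth": "Preshared Key",                            # step 2 of 6
    "encryption": "3 DES", "hash": "MD5", "dh_group": 2,    # step 2 of 6
    "pfs": "No PFS",                                        # phone, IKE Phase 2
    "preshared_keys": {"phone1": "12345678", "phone2": "12345678"},   # step 3 of 6
    "xauth_passwords": {"phone1": "12345678", "phone2": "12345678"},  # System / Passwords
}

SMALL_DH_GROUPS = {1: 768, 2: 1024, 5: 1536}  # MODP group number -> modulus bits
CLEARTEXT_MGMT = {"HTTP", "Telnet"}
MIN_PSK_LEN = 20  # assumed policy threshold, not a value from the guide

def audit(cfg):
    """Return the sorted finding ids for one VPN peer parameter set."""
    found = set()
    if CLEARTEXT_MGMT & set(cfg["remote_access"]):
        found.add("cleartext-management")
    if cfg["respond_mode"] == "Aggressive" and cfg["ike_auth"] == "Preshared Key":
        # Aggressive mode sends a PSK-derived hash before the peer is
        # authenticated, so the key has to withstand offline guessing.
        found.add("aggressive-mode-psk")
    if cfg["encryption"].replace(" ", "") in {"DES", "3DES"}:
        found.add("legacy-cipher")
    if cfg["hash"] == "MD5":
        found.add("legacy-hash")
    if cfg["dh_group"] in SMALL_DH_GROUPS:
        found.add("small-dh-group")
    if cfg["pfs"] == "No PFS":
        found.add("no-pfs")
    keys = cfg["preshared_keys"]
    if len(set(keys.values())) < len(keys):
        found.add("psk-shared-between-users")
    if any(len(k) < MIN_PSK_LEN or k.isdigit() for k in keys.values()):
        found.add("guessable-psk")
    if any(cfg["xauth_passwords"].get(user) == k for user, k in keys.items()):
        found.add("psk-equals-xauth-password")
    return sorted(found)

if __name__ == "__main__":
    print("\n".join(audit(GUIDE_SETTINGS)))
```

Which stronger values a given NetVanta firmware and phone release accept is not stated in this guide, so check each finding against the devices before changing a setting.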
