RKD; Reviewed:
SPOC 03/02/2012
Solution & Interoperability Test Lab Application Notes
©2012 Avaya Inc. All Rights Reserved.
1 of 17
96xx-VPN-SR2330
Avaya Solution & Interoperability Test Lab
Configuring an IPSec Tunnel between Avaya 96xx Series IP
Phones and the Avaya Secure Router 2330 – Issue 1.0
Abstract
These Application Notes present a sample configuration for a remote user with an Avaya 96xx
Phone with VPN (IPSec). The IPSec Tunnel is terminated in the corporate office location with
an Avaya Secure Router 2330. For the sample configuration, once the Avaya 96xx Series IP
Phone with VPN completes the tunnel negotiation with the SR2330, it will register to Avaya
Aura® Communication Manager 6.01 with H.323 protocol.
Testing was conducted via the Internal Interoperability Program at the Avaya Solution and
Interoperability Test Lab.
1. Introduction
The objective of these Application Notes is to verify interoperability between the Avaya 96xx
Series IP phones with VPN mode enabled and the Avaya Secure Router 2330. Another objective
is to confirm that Avaya one-X® Agent can place a call, log in to the call center and receive a
call-center-directed call over a VPN tunnel established between an Avaya VPN Client and the
Avaya Secure Router 2330. Creating a suitable test environment required installation and
configuration of Avaya Aura® Communication Manager, Avaya Aura® Communication
Manager Messaging, an Avaya G450 gateway, the Avaya Secure Router 2330 and two simulated
home office environments. Each home office was equipped with a home router with NAT
enabled, a 96xx Series IP phone with VPN mode enabled and a Windows PC capable of running
Avaya one-X® Agent and Avaya VPN Client. The network for the test environment is shown
in Figure 1.
Figure 1: Avaya Secure Router 2330 as a VPN Gateway for Home Office Users
1.1. Observations
The following observation was noted.
• The keepalive for the SR2330 is proprietary. When debug crypto all is set on the
SR2330, the message Invalid Major Version is displayed every 60 seconds. It does not
represent an error condition. It is used as a keepalive mechanism.
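The observation above matters for anyone watching SR2330 debug output or forwarding it to a log collector: a once-per-minute "Invalid Major Version" per peer is the documented keepalive, while the same message arriving at a different cadence is the thing worth looking at. The following Python is an added example (not Avaya code) that triages such messages by inter-arrival time; the timestamped line format and the peer addresses in the sample are constructed for the example, since the page does not show the raw debug output.

```python
from datetime import datetime
import re

# Constructed sample, modelled on the page's description of "debug crypto all":
# one "Invalid Major Version" per peer every 60 seconds is the keepalive.
# The exact line layout is an assumption for this example, not real SR2330 output.
SAMPLE_DEBUG = """\
2012-03-02 10:00:00 IKE: Invalid Major Version from 203.0.113.10
2012-03-02 10:01:00 IKE: Invalid Major Version from 203.0.113.10
2012-03-02 10:02:00 IKE: Invalid Major Version from 203.0.113.10
2012-03-02 10:00:30 IKE: Invalid Major Version from 198.51.100.7
2012-03-02 10:00:31 IKE: Invalid Major Version from 198.51.100.7
2012-03-02 10:00:32 IKE: Invalid Major Version from 198.51.100.7
2012-03-02 10:00:33 IKE: Invalid Major Version from 198.51.100.7
"""

LINE_RE = re.compile(r"^(\S+ \S+) IKE: Invalid Major Version from (\S+)$")


def parse(text: str) -> dict:
    """Group the timestamps of every 'Invalid Major Version' line by peer address."""
    per_peer: dict = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other debug lines are ignored
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        per_peer.setdefault(m.group(2), []).append(ts)
    return per_peer


def classify(per_peer: dict, expected: float = 60.0, tolerance: float = 5.0) -> dict:
    """Label each peer: 'keepalive' when every gap is ~60 s (the documented
    cadence), 'single' when only one message was seen, otherwise 'review'."""
    labels = {}
    for peer, stamps in per_peer.items():
        stamps = sorted(stamps)
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if not gaps:
            labels[peer] = "single"
        elif all(abs(g - expected) <= tolerance for g in gaps):
            labels[peer] = "keepalive"
        else:
            labels[peer] = "review"
    return labels


if __name__ == "__main__":
    for peer, label in classify(parse(SAMPLE_DEBUG)).items():
        print(f"{peer:16} {label}")
```

Run against the sample, the first peer is recognised as the expected keepalive and the second, which emits four messages in four seconds, is flagged for review rather than silently suppressed.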
2. Equipment and Software Validated
The following equipment and software were used for the sample configuration provided:

Equipment                                        Software
Avaya Aura® Communication Manager                Release 6.01 R016x.00.1.510.1, Update: Service Pack 4
Avaya Aura® Communication Manager Messaging      6.0.1-8.0
Avaya Secure Router 2330                         10.3.2
Avaya 96xx Series H.323 IP Phone                 96xx-IPT-H323-R3_1_02_S-032111
Avaya G450 Gateway                               Firmware: 30.12.1
Avaya VPN client                                 Release 10.05.012.0
Avaya one-X® Agent                               Release 2.5.00467.0
Avaya Ethernet Routing Switch 5520-24T-PWR       HW: 37, FW: 6.0.0.10, SW: v6.2.0.008
3. Configure Avaya Secure Router 2330
These Application Notes assume the SR2330 is installed on the network and is in an operational
state. The SR2330 must have an SR2330 VPN/IPSec card installed. All the configuration steps
are performed on the command line interface with the proper authorization credentials. There is
no web interface for the SR2330. To implement IPSec VPN on the SR2330, perform the
following configuration tasks.
• Assign host name, configure Ethernet ports and default route
• Configure default routing
• Configure Untrusted and Trusted firewall
• Create IKE policies
o Configure remote-id
o Configure proposal 1
o Configure client configuration
3.1. Assign host name, Configure Ethernet ports and Default Route
Change hostname to sr2330-1. Configure trusted and untrusted Ethernet interfaces. Configure
the default route to go out the untrusted interface.
hostname sr2330-1
interface ethernet 0/1
  description trusted
  ip address 10.80.70.254 255.255.255.0
  ip proxy-arp
  crypto trusted
exit ethernet
interface ethernet 0/2
  description untrusted
  ip address 192.45.130.1 255.255.255.0
  crypto untrusted
exit ethernet
3.2. Configure Untrusted (Internet) firewall
This example is a minimal firewall configuration.
firewall internet
  interface ethernet0/2
  policy 110 in permit service ike self
  exit policy
  policy 115 in permit protocol udp port any 4500 self
  exit policy
  policy 117 in permit address 10.80.70.230 10.80.70.239 any any self
  exit policy
  policy 120 in permit address 10.80.70.240 10.80.70.250 any any self
  exit policy
  policy 130 in permit protocol tcp port any 17 self
  exit policy
  policy 140 in permit protocol icmp self
  exit policy
exit firewall
3.3. Configure Trusted (Corp) firewall
firewall corp
  interface ethernet0/1
  policy 100 in permit
  exit policy
  policy 107 out permit address 10.80.70.230 10.80.70.239 any any
  exit policy
  policy 108 in permit address 10.80.70.230 10.80.70.239 any any
  exit policy
  policy 109 out permit address 10.80.70.240 10.80.70.250 any any
  exit policy
  policy 110 in permit address 10.80.70.240 10.80.70.250 any any
  exit policy
  policy 1024 out permit
  exit policy
exit firewall
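The untrusted-side firewall above is the part of this configuration that faces the Internet, so it is worth being able to answer "what does this rule set let through to the router?" without a lab. The Python below is an added example (not Avaya code) that models the page's internet policies with first-match semantics and an implicit final deny. The keyword meanings it assumes are: "service ike" is UDP/500, "port <src> <dst>" is modelled by destination port only, "address <lo> <hi> <lo> <hi>" is a source range followed by a destination range, and "self" means traffic addressed to the router's own interface (192.45.130.1 from the page). Those readings, and the example packets, are this example's assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Policy lines copied from the page's "firewall internet" block.
INTERNET_POLICIES = """\
policy 110 in permit service ike self
policy 115 in permit protocol udp port any 4500 self
policy 117 in permit address 10.80.70.230 10.80.70.239 any any self
policy 120 in permit address 10.80.70.240 10.80.70.250 any any self
policy 130 in permit protocol tcp port any 17 self
policy 140 in permit protocol icmp self
"""

ROUTER_UNTRUSTED_IP = "192.45.130.1"     # ethernet 0/2 address from the page
SERVICE_PORTS = {"ike": ("udp", 500)}    # assumption: "service ike" == UDP/500


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "udp", "tcp" or "icmp"
    dport: Optional[int] = None


def _range(lo: str, hi: str):
    return None if lo == "any" else (ipaddress.ip_address(lo), ipaddress.ip_address(hi))


def _in_range(addr: str, rng) -> bool:
    return rng is None or rng[0] <= ipaddress.ip_address(addr) <= rng[1]


def parse_policy(line: str) -> dict:
    """Turn one 'policy N in|out permit|deny ...' line into a rule dict (simplified model)."""
    toks = line.split()
    if toks[0] != "policy":
        raise ValueError(f"not a policy line: {line!r}")
    rule = {"id": int(toks[1]), "dir": toks[2], "action": toks[3],
            "src": None, "dst": None, "proto": None, "dport": None, "self": False}
    i = 4
    while i < len(toks):
        t = toks[i]
        if t == "service":                       # named service -> (proto, dst port)
            rule["proto"], rule["dport"] = SERVICE_PORTS[toks[i + 1]]
            i += 2
        elif t == "protocol":
            rule["proto"] = toks[i + 1]
            i += 2
        elif t == "port":                        # "port <src> <dst>": only dst modelled
            rule["dport"] = None if toks[i + 2] == "any" else int(toks[i + 2])
            i += 3
        elif t == "address":                     # "address <src-lo> <src-hi> <dst-lo> <dst-hi>"
            rule["src"] = _range(toks[i + 1], toks[i + 2])
            rule["dst"] = _range(toks[i + 3], toks[i + 4])
            i += 5
        elif t == "self":                        # destined to the router itself
            rule["self"] = True
            i += 1
        else:
            raise ValueError(f"unknown keyword {t!r} in {line!r}")
    return rule


def matches(rule: dict, pkt: Packet, router_ip: str) -> bool:
    return (_in_range(pkt.src, rule["src"]) and _in_range(pkt.dst, rule["dst"])
            and (rule["proto"] is None or rule["proto"] == pkt.proto)
            and (rule["dport"] is None or rule["dport"] == pkt.dport)
            and (not rule["self"] or pkt.dst == router_ip))


def evaluate(policy_text: str, pkt: Packet, direction: str = "in",
             router_ip: str = ROUTER_UNTRUSTED_IP):
    """First matching rule in the given direction wins; no match means deny (assumption)."""
    for line in policy_text.splitlines():
        if not line.strip():
            continue
        rule = parse_policy(line)
        if rule["dir"] == direction and matches(rule, pkt, router_ip):
            return rule["action"], rule["id"]
    return "deny", None


if __name__ == "__main__":
    for p in (Packet("203.0.113.10", ROUTER_UNTRUSTED_IP, "udp", 500),
              Packet("203.0.113.10", ROUTER_UNTRUSTED_IP, "udp", 4500),
              Packet("203.0.113.10", ROUTER_UNTRUSTED_IP, "tcp", 22)):
        print(p, "->", evaluate(INTERNET_POLICIES, p))
```

With the page's rules, IKE (UDP/500) and NAT-T (UDP/4500) from an arbitrary Internet host reach the router, while a TCP connection to port 22 falls through to the implicit deny; the same harness can be rerun whenever a policy line is added to confirm nothing else became reachable.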
3.4. Create IKE Policies
Two IKE policies were configured. The ip9600 policy is for the 96xx series IP phones running
the VPN firmware. The vpnclient policy is used by the Windows VPN client. The ipsec policy
ip9600 and ipsec policy vpnclient are created as a result of the IKE policies.
crypto
  dynamic
  exit dynamic
  contivity-iras
    ike policy ip9600
      local-address 192.45.130.1
      remote-id user-name "1adgjm" 1adgjm
      proposal 1
        dh-group group2
        encryption-algorithm 3des-cbc
      exit proposal
      client configuration
        address-pool 1 10.80.70.240 10.80.70.250
        private-side-address 10.80.70.254
        keepalive
          enable
          interval 60
        exit keepalive
        split-tunnel
          mode enabled
          network 10.80.70.0 24
        exit split-tunnel
        nat-keepalive 20
      exit configuration
    exit policy
    ike policy vpnclient
      local-address 192.45.130.1
      remote-id user-name "client01" client123
      remote-id user-name "client02" client123
      proposal 1
        dh-group group2
        encryption-algorithm 3des-cbc
      exit proposal
      client configuration
        address-pool 1 10.80.70.230 10.80.70.239
        private-side-address 10.80.70.254
        keepalive
          enable
          interval 60
        exit keepalive
        split-tunnel
          mode enabled
          network 10.80.70.0 24
        exit split-tunnel
        nat-keepalive 20
      exit configuration
    exit policy
    ipsec policy ip9600
      proposal 1
        lifetime seconds 3600
      exit proposal
    exit policy
    ipsec policy vpnclient
      proposal 1
        lifetime seconds 3600
      exit proposal
    exit policy
  exit contivity-iras
4. Configure Avaya 96xx Series H.323 IP Phone
4.1. 96xx Series IP Phone Firmware
The Avaya 96xx Series VPN-Enabled IP Phone firmware must be installed on the phone prior to
the phone being deployed in the remote location. The firmware version of Avaya IP telephones
can be identified by viewing the version displayed on the phone upon boot up or when the phone
is operational. Press Mute CRAFT(27238) # and arrow down to View. Press the Start button
and arrow down to Application File. The application file is hb96xxua3_1_02_S.bin. Press
back and exit to return to the screen displaying the extension.
4.2. Configuring Avaya 96xx Series IP Phone
The Avaya 96xx Series IP Phone configuration can be administered centrally from an HTTP
server through the 46xxsettings.txt file or locally on the phone. The parameters that need to be
modified are below. Use the default value for all other VPN parameters.
SET NVVPNMODE = 1            Enable VPN mode
SET NVVPNCFGPROF = 11        Configuration profile for Nortel Contivity. When set to 11,
                             NVIKECONFIGMODE is set to 1, NVIKEEXCHGMODE is set to 1
                             and NVIKEIDTYPE is set to 11.
SET NVSGIP = 192.45.130.1    The IP address of the Secure Gateway
SET NVIKEP1ENCALG = 2        Set the IKE Phase 1 encryption algorithm to 3DES
SET NVIKEP2ENCALG = 2        Set the IKE Phase 2 encryption algorithm to 3DES
SET NVIKEP1AUTHALG = 2       Set the IKE Phase 1 authentication algorithm to SHA1
SET NVIKEP2AUTHALG = 2       Set the IKE Phase 2 authentication algorithm to SHA1
SET NVMCIPADD = 10.80.70.24  Set the IP address of the Call Server
SET NVHTTPSRVR = 10.80.70.25 Set the IP address of the HTTP server
SET NVVPNSVENDOR = 5         Set the vendor to Nortel
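Because the phone parameters above and the SR2330 "ike policy ip9600" in Section 3.4 are administered in two different places, a drift between them (a changed gateway address, a proposal edited on one side only) shows up only as phones that never register. The following Python is an added example (not Avaya code) that parses the SET lines from a 46xxsettings.txt fragment, applies the profile-derived values the page describes for NVVPNCFGPROF = 11, and cross-checks the result against the gateway-side values taken from the page's IKE policy. The dict form of the gateway policy and the value-code table are this example's constructions; only the codes the page documents (2 = 3DES, 5 = Nortel, 11 = Contivity profile) are listed.

```python
import re

# 46xxsettings.txt lines as given on the page (phone side).
PHONE_SETTINGS = """\
SET NVVPNMODE = 1
SET NVVPNCFGPROF = 11
SET NVSGIP = 192.45.130.1
SET NVIKEP1ENCALG = 2
SET NVIKEP2ENCALG = 2
SET NVIKEP1AUTHALG = 2
SET NVIKEP2AUTHALG=2
SET NVMCIPADD = 10.80.70.24
SET NVHTTPSRVR= 10.80.70.25
SET NVVPNSVENDOR = 5
"""

# Gateway-side values from the page's "ike policy ip9600", written as a dict
# for this example (this is not a parser for the SR2330 CLI).
SR2330_IKE_POLICY = {
    "local-address": "192.45.130.1",
    "dh-group": "group2",
    "encryption-algorithm": "3des-cbc",
}

# Value meanings as the page states them; other codes are intentionally not guessed.
ENC_ALG = {"2": "3des-cbc"}
DERIVED_FROM_CFGPROF_11 = {"NVIKECONFIGMODE": "1", "NVIKEEXCHGMODE": "1", "NVIKEIDTYPE": "11"}

# Tolerates both "NAME = value" and "NAME=value", as the page's own lines do.
SET_RE = re.compile(r"^SET\s+(\w+)\s*=\s*(\S+)\s*$")


def parse_settings(text: str) -> dict:
    """Return {parameter: value} for every SET line; other lines are ignored."""
    out = {}
    for line in text.splitlines():
        m = SET_RE.match(line.strip())
        if m:
            out[m.group(1)] = m.group(2)
    return out


def effective_settings(settings: dict) -> dict:
    """Add the values that NVVPNCFGPROF = 11 implies unless explicitly overridden."""
    eff = dict(settings)
    if eff.get("NVVPNCFGPROF") == "11":
        for key, value in DERIVED_FROM_CFGPROF_11.items():
            eff.setdefault(key, value)
    return eff


def check(settings: dict, policy: dict) -> list:
    """Cross-check phone parameters against the gateway IKE policy; [] means consistent."""
    eff = effective_settings(settings)
    findings = []
    if eff.get("NVVPNMODE") != "1":
        findings.append("NVVPNMODE is not 1, so the phone will not bring up a tunnel")
    if eff.get("NVVPNCFGPROF") == "11":
        for key, value in DERIVED_FROM_CFGPROF_11.items():
            if settings.get(key, value) != value:
                findings.append(f"{key}={settings[key]} conflicts with the value {value} "
                                f"implied by NVVPNCFGPROF=11")
    if eff.get("NVSGIP") != policy["local-address"]:
        findings.append(f"NVSGIP={eff.get('NVSGIP')} does not match the SR2330 "
                        f"local-address {policy['local-address']}")
    p1 = ENC_ALG.get(eff.get("NVIKEP1ENCALG"))
    if p1 != policy["encryption-algorithm"]:
        findings.append(f"NVIKEP1ENCALG={eff.get('NVIKEP1ENCALG')} ({p1}) does not match "
                        f"proposal encryption-algorithm {policy['encryption-algorithm']}")
    if eff.get("NVVPNSVENDOR") != "5":
        findings.append("NVVPNSVENDOR is not 5 (Nortel) although the gateway policy is "
                        "defined under contivity-iras")
    return findings


if __name__ == "__main__":
    for finding in check(parse_settings(PHONE_SETTINGS), SR2330_IKE_POLICY) or ["consistent"]:
        print(finding)
```

The page's values pass cleanly. Note that they also pin both sides to 3DES-CBC and DH group 2, which current guidance treats as weak; when moving to stronger algorithms, update the gateway proposal, the phone parameters and the ENC_ALG table together so the check keeps reflecting what is actually negotiated.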
5. Configure Avaya VPN Client
Double-click on the Avaya VPN Client icon. Create a profile by clicking on Edit the Profile.
Click on New. The following screen will be displayed.
Create a new VPN client profile. Input a Profile Name. Leave Tunnel Type: IPSec as the
default. Input the Secure Router IP address in the Destination field. Under the Authentication
Type section, select “Username and Password” (this is the default selection). Under the
Authentication Information section, enter the Username and Password.
Click Save and Close.
Click Connect to establish a VPN connection.
6. Verification Steps
The following steps can be used to verify installation in the field.
1. Verified VPN connections from IP phones.
2. Verified VPN connections from Windows VPN clients.
3. Verified a call placed from a home office user was correctly routed to another home
office user.
4. Verified that a message could be left for a home office IP phone and that the message
waiting indicator turned on while the IPSec VPN Tunnel is connected.
5. Verified one-X Agent successfully logged in to Communication Manager with an Agent
ID and a phone extension.
6. Verified that a call from the PSTN to the Call Center routed correctly to an available
agent.
6.1. Verify IP Phone VPN Client Connections
Verify that the IP phones have established a VPN tunnel by using the SR2330 command
show crypto clients all.
6.2. Verify Windows VPN Client Connections
Bring up a command prompt window. Type ipconfig and find the local and VPN interfaces.
The VPN interface will have an IP address (10.80.70.230) assigned from the IP address pool
configured under the IKE policy client configuration on the SR2330.
The correct operation of the Avaya VPN client can be verified by right-clicking on the VPN
client toolbar icon and selecting Status. The duration of the connection as well as the encryption
and authentication algorithms that were negotiated can be seen there.
7. Conclusion
As illustrated in these Application Notes, Avaya 96xx IP phones with VPN can interoperate with
the Avaya Secure Router 2330. The Avaya VPN client and Avaya one-X Agent interoperate as
well.
8. Additional References
Product documentation for Avaya products may be found at http://support.avaya.com
1. Installation – Chassis, Avaya Secure Router 2330 Release 10.3, Doc ID NN47263-304, 02.01
2. Quick Start, Avaya Secure Router 2330 Release 10.3, Doc ID NN47263-104
3. Security – Configuration and Management, Avaya Secure Router 2330/2330 Release 10.3,
   Doc ID NN47263-600, October 2010
4. 9600 Series H323 Release 6.0 Service Pack 4.1 Readme, 15-Jun-2011
5. Installing and Configuring Avaya one-X® Agent, Release 2.5, March 31, 2011
6. Avaya one-X Deskphone Edition for 9600 Series IP Telephones Administrator Guide,
   Release 3.1, Doc ID 16-300698, Issue 7, November 2009
7. VPN Setup Guide for 9600 Series IP Telephones, Release 3.1, Doc ID 16-602968, Issue 1,
   November 2009
©2012 Avaya Inc. All Rights Reserved.
Avaya and the Avaya Logo are trademarks of Avaya Inc. All trademarks identified by ® and
™ are registered trademarks or trademarks, respectively, of Avaya Inc. All other trademarks
are the property of their respective owners. The information provided in these Application
Notes is subject to change without notice. The configurations, technical data, and
recommendations provided in these Application Notes are believed to be accurate and
dependable, but are presented without express or implied warranty. Users are responsible for
their application of any products specified in these Application Notes.
Please e-mail any questions or comments pertaining to these Application Notes along with the
full title name and filename, located in the lower right corner, directly to the Avaya Solution &
Interoperability Test Lab at [email protected]