Global IP Office Technical Tip
185: Configuring a VPN Remote IP Phone with a Kentrox Q2300 VPN Router
Release Date: September 12, 2007
The following document assumes that the user/installer is familiar with configuring both the IP Office and VPN devices, as well as manually configuring IP hard phones. This document is for reference purposes only when creating the VPN tunnels and does not provide any details on how to configure any other aspect of either device.
Test Systems Software Versions and Basic Phone Settings

| Item | Value |
|---|---|
| IP Office Core Software | 4.0.7 |
| Netgear FVS338 Router Software | 1.35.17 [Apr 25 2006] |
| IP Phone Model | 5610 |
| IP Phone Firmware | 2.3.249 |
| IP Office IP Address | 192.168.2.5 |
| TFTP/File Server | 192.168.2.10 |
| IP Phone IP Address | DHCP |
| IP Phone CallSV | 192.168.2.5 |
| IP Phone CallSVPort | 1719 [Default] |
| IP Phone Router | DHCP |
| IP Phone Mask | DHCP |
| IP Phone FileSv | 192.168.2.10 |
| IP Phone 802.1Q | Auto |
| IP Phone VLAN ID | 0 |
| Password used during testing | 1234567890 |
| Remote ID used for Option1 test | vpnphone |
| Remote ID used for Option2 test | vpnphone2 |
Notes
1. The IP Phones may require a Virtual IP Address to be configured in the VPN settings. Take care in choosing a Virtual IP Range: consider where the phone is most likely to be used and ensure that the Virtual IP Range selected will not conflict with the local network there. For instance, many VPN IP Phones are installed at users' homes, and a home router typically uses 192.168.0.x or 192.168.1.x as its internal network range; it is therefore recommended that these ranges are not used as the Virtual IP Address Range.
2. IMPORTANT: Many VPN Routers will not allow a direct media path to be established between two VPN Endpoints. It will be necessary to uncheck the Direct Media Path checkbox in the Extension Configuration in IP Office. Failure to do so will result in no speech path when two VPN extensions try to establish a call.
3. Review the sample 46vpnsetting.txt file for simplifying configuration settings on the IP Phones.
4. While the defaults for Encryption are set at 4500-4500 and these settings are preferred, there may be instances where (depending on what the home router supports) the user may need to either disable this setting or change to one of the other options.
5. If manually configuring a Virtual IP Address on the IP Hard-phone, ensure that accurate records are kept of IP Address allocations to avoid IP Address conflicts.

IP Office Configuration
1. Using IP Office Manager, open the Configuration and select IP Routes.
2. Add a new IP Route for the Virtual LAN Network to be used in the environment.
3. Modify the Extension's VoIP tab for those extensions that will be VPN Extensions, and uncheck the Direct Media Path check box.
Networking Scenario:
Kentrox Q2300 VPN Router VPN Configuration settings
There are two methods that can be used to connect a VPN Remote Phone, giving the customer different options for installation and management of the remote phone users.
Option 1: Using Dynamic VPN
This is the simplest and quickest method of implementation, allowing multiple clients to connect.
Option 2: Using IKE and VPN Policy
This option provides more configuration choices, such as defining the Client policy to be used and more control over the algorithms to be used, but it also has more steps to set up and configure.
Kentrox Q2300 Option 1: Using a Dynamic VPN Policy
Once logged into the router, select the VPN option, then select Global Settings.

Global Settings Option 1

| Setting | Value |
|---|---|
| VPN Interface | Ipwan [71.10.10.4] |
| Local ID | VPN Interface (ipwan) |
| Egress TOS Action | Copy |
| Ingress TOS Action | Copy |
| Egress DF Bit Action | clear |
| Enable Strict Encryption | Checked |
| Enable Dynamic VPN | Checked |
| VPN Preshared Key | 1234567890 |
Kentrox Option 1: VPN Remote Phone Settings

VPN Remote Phone Configuration Option 1

| Setting | Value |
|---|---|
| VPN Profile | Generic PSK |
| Server | 71.10.10.4 |
| IKE ID | vpnphone |
| PSK (Pre Shared Key) | 1234567890 |

IKE Parameters

| Setting | Value |
|---|---|
| IKE ID Type | FQDN |
| Diffie Hellman Group | 2 |
| Encryption ALG | 3Des |
| Authentication ALG | Sha1 |
| IKE Xchange Mode | Aggressive |
| IKE Config Mode | Disabled |

IPSEC Parameters

| Setting | Value |
|---|---|
| Encryption ALG | 3DES |
| Authentication ALG | Sha1 |
| Diffie Hellman Group | 2 |
| VPN Start Mode | Boot |
| Password Type | Save in Flash |
| Encapsulation | 4500 4500 |

Protected Nets

| Setting | Value |
|---|---|
| Virtual IP | 172.16.22.5 |
| Remote Net #1 | 192.168.2.0/24 |
| Remote Net #2 | |
| Remote Net #3 | |
| Copy TOS | Yes |
| Connectivity Check | Always |
Kentrox Q2300 Option 2: Using a VPN Gateway Client and Tunnel Policy
Once logged into the router, select the VPN option, then select Global Settings.

Global Settings Option 2

| Setting | Value |
|---|---|
| VPN Interface | Ipwan [71.10.10.4] |
| Local ID | VPN Interface (ipwan) |
| Egress TOS Action | Copy |
| Ingress TOS Action | Copy |
| Egress DF Bit Action | clear |
| Enable Strict Encryption | Checked |
| Enable Dynamic VPN | Unchecked |
Once configured, select and add a Client Gateway.

Client Gateway Client Configuration Option 2

| Setting | Value |
|---|---|
| Gateway | ipo [Name must start with a letter] |
| Remote ID Type | Email |
| Email | vpnphone2 |
| Authentication Type | Pre Shared Key |
| Pre Shared Key | 1234567890 |
| Negotiation Mode | Aggressive ** |
| Diffie Hellman Group | 2 ** |
| Phase 1 Encryption Hash | 3DES-Sha ** |
| Lifetime Format | Secs |
| Lifetime [secs] | 432000 [Important] ** |
| Enable Gateway | Checked |

NAT Traversal Configuration

| Setting | Value |
|---|---|
| Enable NAT Traversal | Checked |
| Enable UDP Checksum | Checked |
** The Kentrox Router requires that all these values match. If these do not match, you will receive a No_Proposal_Chosen Error in the Kentrox Logs. The VPN Remote Phone does not have a configuration option for the Lifetime value. This value can usually be viewed in the Kentrox VPN Log.
Once the Client Gateway has been added, add a Tunnel to the Client Gateway Profile.

Tunnel Configuration

| Setting | Value |
|---|---|
| Tunnel Name | ipot [Name must start with a letter] |
| Local Address | User Defined: 192.168.2.0/24 |
| Enable Tunnel | Checked |

Phase 2 Configuration

| Setting | Value |
|---|---|
| Transform | ESP ** |
| Authentication | Sha ** |
| Encryption | 3DES |
| Diffie Hellman Group | 2 ** |
| Lifetime Format | Secs |
| Lifetime [secs] | 432000 [Important] ** |
Kentrox Option 2: VPN Remote Phone Settings

VPN Remote Phone Configuration Option 2

| Setting | Value |
|---|---|
| VPN Profile | Generic PSK |
| Server | 71.10.10.4 |
| IKE ID | Vpnphone2 |
| PSK (Pre Shared Key) | 1234567890 |

IKE Parameters

| Setting | Value |
|---|---|
| IKE ID Type | User-FQDN |
| Diffie Hellman Group | 2 |
| Encryption ALG | 3DES |
| Authentication ALG | Sha1 |
| IKE Xchange Mode | Aggressive |
| IKE Config Mode | Disabled |

IPSEC Parameters

| Setting | Value |
|---|---|
| Encryption ALG | 3DES |
| Authentication ALG | Sha1 |
| Diffie Hellman Group | 2 |
| VPN Start Mode | Boot |
| Password Type | Save in Flash |
| Encapsulation | 4500 4500 |

Protected Nets

| Setting | Value |
|---|---|
| Virtual IP | 172.16.22.5 |
| Remote Net #1 | 192.168.2.0/24 |
| Remote Net #2 | |
| Remote Net #3 | |
| Copy TOS | Yes |
| Connectivity Check | Always |
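The two checks a practitioner wants before bringing up Option 2 are the ones this tip calls out: every Phase 1 and Phase 2 proposal parameter on the Kentrox must match what the phone offers (otherwise the router logs No_Proposal_Chosen), and the phone's Virtual IP must not fall inside the protected network or a typical home LAN range (Note 1). The following script is an added example, not part of the original tip or any Avaya/Kentrox tool; the settings dictionaries are constructed from the Option 2 tables above, and the phone's lifetime is treated as a value read from the Kentrox VPN log, since the phone has no lifetime setting.

```python
import ipaddress

# Constructed sample input copied from this page's Option 2 tables, normalised to
# lowercase so the phone's "Sha1" and the router's "Sha" compare as the same hash.
ROUTER_PHASE1 = {"mode": "aggressive", "dh_group": 2, "enc": "3des", "hash": "sha1", "lifetime": 432000}
ROUTER_PHASE2 = {"transform": "esp", "enc": "3des", "auth": "sha1", "dh_group": 2, "lifetime": 432000}
PHONE_IKE = {"mode": "aggressive", "dh_group": 2, "enc": "3des", "hash": "sha1"}
PHONE_IPSEC = {"transform": "esp", "enc": "3des", "auth": "sha1", "dh_group": 2}  # phone uses ESP
HOME_LAN_RANGES = ["192.168.0.0/24", "192.168.1.0/24"]  # typical home router ranges per Note 1


def proposal_mismatches(router, phone, phone_lifetime=None):
    """Return a list describing every proposal parameter where router and phone differ.

    Any entry predicts a No_Proposal_Chosen error in the Kentrox VPN log. The phone
    exposes no lifetime setting, so its lifetime is checked only when the caller
    supplies the value observed in the Kentrox log (phone_lifetime).
    """
    problems = [f"{k}: router={router[k]} phone={phone[k]}"
                for k in phone if k in router and router[k] != phone[k]]
    if phone_lifetime is not None and router["lifetime"] != phone_lifetime:
        problems.append(f"lifetime: router={router['lifetime']} phone(log)={phone_lifetime}")
    return problems


def virtual_ip_conflicts(virtual_ip, remote_nets, home_ranges=HOME_LAN_RANGES):
    """Return the networks the phone's Virtual IP would collide with (Note 1 and Note 5).

    A Virtual IP inside a Remote Net breaks the IP Office route for the virtual LAN;
    one inside a home LAN range is likely to clash at the user's site.
    """
    ip = ipaddress.ip_address(virtual_ip)
    return [net for net in list(remote_nets) + list(home_ranges)
            if ip in ipaddress.ip_network(net, strict=False)]


if __name__ == "__main__":
    for name, router, phone in (("phase1", ROUTER_PHASE1, PHONE_IKE),
                                ("phase2", ROUTER_PHASE2, PHONE_IPSEC)):
        print(name, proposal_mismatches(router, phone) or "OK")
    print("virtual IP", virtual_ip_conflicts("172.16.22.5", ["192.168.2.0/24"]) or "OK")
```

With the page's values both phases report OK; changing the phone's Diffie Hellman group, or feeding a logged lifetime that differs from 432000, produces the mismatch line that explains a No_Proposal_Chosen entry.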