Configuring IPSec Tunnel between Avaya 96xx Series IP Phones and the Avaya Secure Router 4134 Issue 1.0
Abstract
These Application Notes present a sample configuration for a remote user with an Avaya 96xx Phone with VPN (IPSec). The IPSec tunnel is terminated at the corporate office location on an Avaya Secure Router 4134 (SR4134) VPN gateway. In the sample configuration, once the Avaya 96xx Series IP Phone with VPN completes tunnel negotiation with the SR4134, it registers to Avaya Aura Communication Manager 6.2 using the H.323 protocol. The Secure Router 4134 VPN gateway provides a secure IPSec tunnel between the remote 96xx phone and Avaya Aura Communication Manager. Testing was conducted at the Avaya Solution and Interoperability Test Lab.
Solution & Interoperability Test Lab Application Notes 2013 Avaya Inc. All Rights Reserved.
1 of 17 SR4134_VPN_96xx
1. Introduction
The objective of these Application Notes is to verify interoperability between the Avaya 96xx Series IP phones with VPN mode enabled and the Avaya Secure Router 4134. Another objective is to confirm that Avaya 96xx IP phones can log in, place a call and receive a call over a VPN tunnel established via the Avaya Secure Router 4134. Creating a suitable test environment requires installation and configuration of Avaya Aura Communication Manager, Avaya Aura Messaging, an Avaya G650 gateway, the Avaya Secure Router 4134 VPN gateway and a simulated home office environment. The home office should be equipped with a home router with NAT enabled and a 96xx Series IP phone with VPN mode enabled. The network for the test environment is shown in Figure 1 in Section 3.
2. Interoperability Testing
User Administration: Remote user authentication and registration with Avaya Aura Communication Manager R6.2 SP1 and Avaya Secure Router 4134 R10.3.2 was covered in this testing. The testing exercised the ability of the 96xx series H.323 phones to use the Avaya Aura Communication Manager calling features when registered to Avaya Aura Communication Manager over the IPSec VPN tunnel. It also exercised the ability of phones at the home office to leave voicemail for, and retrieve voicemail from, corporate or headquarters users and other branch users while the VPN tunnel was connected.

This test specification document covers the following product interactions for SR4134:
- Avaya Aura Messaging 6.2
- Avaya Aura Communication Manager 6.2 SP1
- Avaya Aura System Manager
- Avaya Aura Session Manager 6.2
- Avaya Aura Meeting Exchange 6.2

In the Home Office Site: VPN-enabled 96xx series phones were used as testing endpoints.

In the Corporate Network: The endpoints at the corporate network were tested for interactions with 96xx, 96x1, One-X Communicator (SIP and H.323) along with 11xx, 12xx (SIP) and ADVD phones.

The test scenarios were executed with combinations of IP audio codecs, i.e. G.711A/Mu, G.726, G.723.1 and G.729AB, along with IP-Shuffling and Direct Media.
3. Reference Configuration
The lab test environment to be used for the SR 4134 VPN solution testing is shown in Figure 1. This test bed includes the following components:

Corporate
- Avaya SR4134 Advanced Gateway configured as VPN gateway
- Avaya S8800 Server running Avaya Aura Communication Manager with Avaya G650 Media Gateway
- Avaya Aura Session Manager with companion Avaya Aura System Manager
- Avaya Aura Messaging
- Avaya Aura Meeting Exchange
- HTTP File Server for Phone Configuration
- Avaya 96xx, 96x1, One-X Communicator, ADVD phones registered to Avaya Aura Communication Manager

Home Office
- Netgear WNDR3700v2 home router with NAT enabled
- 96xx series IP phones with VPN mode enabled
      exit algs
      max-connection-limit self 2048
    exit firewall
    firewall corp
      interface ethernet0/1
      policy 100 in
        permit
      exit policy
      policy 107 out
        permit address 172.16.33.130 172.16.33.140 any any
      exit policy
      policy 108 in
        permit address 172.16.33.130 172.16.33.140 any any
      exit policy
      policy 109 out
        permit address 172.16.33.110 172.16.33.120 any any
      exit policy
      policy 110 in
        permit address 172.16.33.110 172.16.33.120 any any
      exit policy
      policy 1024 out
        permit
      exit policy
    exit firewall
          proposal 1
            lifetime seconds 3600
          exit proposal
        exit policy
      exit contivity-iras
    exit crypto

Please find below the SR 4134 configurations used for this testing for reference.

    system logging
      console
        priority crit
      exit console
      syslog
        module alarms local0 none
        module dos local0 none
        module forwarding local0 none
        module voip-ssm-cdr local0 none
        module voip-cdr local0 none
        module voip-gwy local0 none
      exit syslog
    exit logging
    hostname SR
    log utc
    event
    exit event
    usb
    exit usb
    terminal
    exit terminal
    qos
      module
      exit module
      chassis
      exit chassis
    exit qos
    aaa
      tacacs
      exit tacacs
      radius
        primary_server
        exit primary_server
        secondary_server
        exit secondary_server
      exit radius
RN; Reviewed: SPOC 1/15/2013
    exit aaa
    vlan database
    exit database
    vlan classification
    exit classification
    bridge
      mstp
      exit mstp
    exit bridge
    lacp
    exit lacp
    interface ethernet 0/1
      description trusted
      ip address 172.16.33.101 255.255.255.0
      ip proxy-arp
      aaa
      exit aaa
      crypto trusted
      qos
        chassis
        exit chassis
      exit qos
    exit ethernet
    interface ethernet 0/2
      description untrusted
      ip address 192.45.130.1 255.255.255.0
      aaa
      exit aaa
      crypto untrusted
      qos
        chassis
        exit chassis
      exit qos
    exit ethernet
    interface console
      aaa
      exit aaa
    exit console
    gvrp
    exit gvrp
    snmp-server
      engine-id local 0000000c000000007f000001
      exit engine-id
      chassis-id SR
      enable traps
      exit traps
    exit snmp-server
    rmon
    exit rmon
    oam
      cfm
        enable
        ethtype 88e6
      exit cfm
    exit oam
    icmp_timestamp
    telnet_server
    ssh_server
      enable
    exit ssh_server
    telnet_banner
    exit telnet_banner
    sntp
    exit sntp
    reverse_telnet
      set_baud_rate 56000
    exit reverse_telnet
    access-list default permit any
    ip proxy-dns
    exit proxy-dns
    ip load-balancing per-flow
    ip route 0.0.0.0/0 172.16.33.1
    ip route 192.45.0.0/16 192.45.130.10
    ipv6 unicast-routing
    ipv6 load-balancing per-flow
    mpls tunnel-mode uniform
    firewall global
      algs
        sip 600 sip-p2p-media
        dns
        exit dns
      exit algs
      max-connection-limit self 2048
    exit firewall
    firewall internet
      interface ethernet0/2
      policy 110 in
        permit service ike self
      exit policy
      policy 115 in
        permit protocol udp port any 4500 self
      exit policy
      policy 117 in
        permit address 172.16.33.130 172.16.33.140 any any self
      exit policy
      policy 120 in
        permit address 172.16.33.110 172.16.33.120 any any self
      exit policy
      policy 130 in
        permit protocol tcp port any 17 self
      exit policy
      policy 140 in
        permit protocol icmp self
      exit policy
    exit firewall
    firewall corp
      interface ethernet0/1
      policy 100 in
        permit
      exit policy
      policy 107 out
        permit address 172.16.33.130 172.16.33.140 any any
      exit policy
      policy 108 in
        permit address 172.16.33.130 172.16.33.140 any any
      exit policy
      policy 109 out
        permit address 172.16.33.110 172.16.33.120 any any
      exit policy
      policy 110 in
        permit address 172.16.33.110 172.16.33.120 any any
      exit policy
      policy 1024 out
        permit
      exit policy
    exit firewall
    crypto
      dynamic
      exit dynamic
      contivity-iras
        ike policy ip9600
          local-address 192.45.130.1
          remote-id user-name "1adgjm" 1adgjm
          remote-id user-name "2adgjm" 2adgjm
          remote-id user-name "3adgjm" 3adgjm
          proposal 1
            dh-group group2
            encryption-algorithm 3des-cbc
          exit proposal
          client configuration
            address-pool 1 172.16.33.110 172.16.33.120
            private-side-address 172.16.33.101
            banner-enable
            banner-text "Hi this is my VPN!! - Renuka. Click link: http://www.google.com"
            keepalive
              enable
              interval 20
            exit keepalive
            split-tunnel
              mode enabled
              network 172.16.33.0 24
              network 172.16.0.0 16
              network 10.0.0.0 16
            exit split-tunnel
            nat-keepalive 120
          exit configuration
        exit policy
        ike policy vpnclient
          local-address 192.45.130.1
          remote-id user-name "client01" client123
          remote-id user-name "client02" client123
          proposal 1
            dh-group group2
            encryption-algorithm 3des-cbc
          exit proposal
          client configuration
            address-pool 1 172.16.33.130 172.16.33.180
            private-side-address 172.16.33.101
            no client-may-store-password
            banner-text "Welcome To SR4134 VPN World"
            keepalive
              enable
              interval 20
            exit keepalive
            split-tunnel
              mode enabled
              network 172.16.0.0 16
              network 10.0.0.0 16
            exit split-tunnel
            nat-keepalive 120
          exit configuration
        exit policy
        ipsec policy ip9600
          proposal 1
            lifetime seconds 3600
          exit proposal
        exit policy
        ipsec policy vpnclient
          proposal 1
            lifetime seconds 3600
          exit proposal
        exit policy
      exit contivity-iras
      pmtu
      exit pmtu
      qos
        chassis
        exit chassis
      exit qos
    exit crypto
    dst
      no enable
    exit dst
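
An added example, not part of the Avaya Application Notes: a small Python audit of the IKE policy blocks in the listing above. It flags the 3DES-CBC (64-bit block cipher) and DH group 2 (1024-bit MODP) proposals and weak credential patterns. It assumes one command per line and that the token following the quoted user name in remote-id user-name is that user's secret, which the page does not state; the function and finding names are illustrative.

```python
import re

# Constructed input: the two IKE policies from the listing above, one command
# per line (local-address and client configuration lines omitted).
CONFIG = '''\
ike policy ip9600
remote-id user-name "1adgjm" 1adgjm
remote-id user-name "2adgjm" 2adgjm
proposal 1
dh-group group2
encryption-algorithm 3des-cbc
exit proposal
exit policy
ike policy vpnclient
remote-id user-name "client01" client123
remote-id user-name "client02" client123
proposal 1
dh-group group2
encryption-algorithm 3des-cbc
exit proposal
exit policy
'''

# Only values that appear on this page are listed; extend for other configs.
WEAK = {"encryption-algorithm": {"3des-cbc": "weak-cipher"},  # 64-bit block cipher
        "dh-group": {"group2": "weak-dh"}}                    # 1024-bit MODP group
USER_RE = re.compile(r'remote-id user-name "([^"]+)" (\S+)')

def audit_ike(config):
    """Return (policy, finding, detail) tuples for each IKE policy block."""
    findings, policy, seen = [], None, {}
    for line in config.splitlines():
        tok = line.split()
        if tok[:2] == ["ike", "policy"] and len(tok) == 3:
            policy, seen = tok[2], {}          # new block, reset per-policy state
        elif tok[:2] == ["exit", "policy"]:
            policy = None
        elif policy and tok and tok[-1] in WEAK.get(tok[0], {}):
            findings.append((policy, WEAK[tok[0]][tok[-1]], tok[-1]))
        elif policy and (m := USER_RE.match(line.strip())):
            user, secret = m.groups()          # assumption: 2nd field is the secret
            if secret == user:
                findings.append((policy, "secret-equals-username", user))
            if secret in seen:
                findings.append((policy, "shared-secret", f"{seen[secret]},{user}"))
            seen.setdefault(secret, user)
    return findings

if __name__ == "__main__":
    for finding in audit_ike(CONFIG):
        print(*finding)
```
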
7. Verification Steps
The following steps can be used to verify installation in the field.

1. Verify VPN connections from IP phones.
2. Verify a call can be placed from a home office user to a user in the corporate network.
3. Verify a call placed from a home office user was correctly routed to another home office user.
6. Verify that a message can be left for a home office IP phone and that the message waiting indicator turns on while the IPSec VPN Tunnel is connected.
7. Verify that a home office IP phone can dial the Conference bridge number on Meeting Exchange and join the conference.
8. Conclusion
As illustrated in these Application Notes, Avaya 96xx IP phones with VPN can interoperate with the Avaya Secure Router 4134. 96x1 series IP phones do not interoperate with the SR4134 10.3.2 VPN gateway due to an issue with phone registration.
9. Additional References
Product documentation for Avaya products may be found at http://support.avaya.com

Hardware Installation:
1. Commissioning Avaya Secure Router 2330/4134 https://downloads.avaya.com/css/P8/documents/100120411
2. Installation Hardware Components Avaya Secure Router 2330/4134 https://downloads.avaya.com/css/P8/documents/100120410
3. Quick Start Avaya Secure Router 4134 https://downloads.avaya.com/css/P8/documents/100120404
4. Installation Chassis Avaya Secure Router 4134 https://downloads.avaya.com/css/P8/documents/100120409

VPN Configuration:
5. Configuring an IPSec Tunnel between Avaya 96xx Series IP Phones and the Avaya Secure Router 4134 Issue 1.0 https://downloads.avaya.com/css/P8/documents/100158184
©2013 Avaya Inc. All Rights Reserved.

Avaya and the Avaya Logo are trademarks of Avaya Inc. All trademarks identified by ® and ™ are registered trademarks or trademarks, respectively, of Avaya Inc. All other trademarks are the property of their respective owners. The information provided in these Application Notes is subject to change without notice. The configurations, technical data, and recommendations provided in these Application Notes are believed to be accurate and dependable, but are presented without express or implied warranty. Users are responsible for their application of any products specified in these Application Notes.

Please e-mail any questions or comments pertaining to these Application Notes along with the full title name and filename, located in the lower right corner, directly to the Avaya Solution & Interoperability Test Lab at interoplabnotes@list.avaya.com