Page 1
VPN Setup Guide for 9600 Series IP Deskphones Release 3.x and 6.x 16-602968 Issue 2 March 2015...
Page 2
Avaya can be a criminal, as well as a civil offense available to Avaya customers and other parties through the Avaya under the applicable law.
Page 3
Hosted Service notices and articles, or to report a problem with your Avaya product or Hosted Service. For a list of support telephone numbers and contact addresses, go to the Avaya Support website: http://support.avaya.com (or such successor site as designated by...
Page 4
This transmitter must not be co-located or operating in conjunction with any other antenna or transmitter.
Trademarks
All non-Avaya trademarks are the property of their respective owners. Linux® is the registered trademark of Linus Torvalds in the U.S. and...
Navigating configuration screens and changing data ............ 27
General VPN settings — general screen field descriptions ............... 28
Generic authentication type screen field descriptions ................ 28
User credentials screen field descriptions
March 2015 VPN Setup Guide for 9600 Series IP Telephones Comments? infodev@avaya.com...
Page 6
VPN tunnel terminated ........................ 45 SCEP: Failed Appendix A: VPN parameters.................... 46 ...................... 46 VPN configuration profiles ...................... 48 DHCPACK messages .................... 48 Time to service functionality ........................ 49 VPN parameters Glossary........................... 60
Deskphone Edition for 9600 Series IP Telephones Administrator Guide (Document Number 16-300698).
Note: This guide applies to versions 3.1 and 6.2 of the 9600 Series IP Telephones. The content is the same for both versions unless otherwise indicated.
Note: The 9610 IP Telephone is not VPN-capable; you cannot use it as part of your VPN.
9600 Series IP (16-300694) Telephones for use in your environment. Customer support For 9600 Series IP Telephone support, call the Avaya support number provided to you by your Avaya representative or Avaya reseller. support.avaya.com for Information about Avaya products.
VPN-administered solution in the enterprise network. VPNs provide a significant improvement of the communications capabilities of SOHO users. 9600 Series IP Telephone Release 3.1 provides the capability to implement a VPN in Enterprise networks with third-party devices. For more information regarding third-party devices, see...
• 9600 Series IP Telephone VPNs provide longer DNS names, up to 255 characters, whereas 4600 Series VPNs limit DNS names to 16 characters.
• 9600 Series IP VPN Telephones do not support user entry of an SCEP challenge password.
• 9600 Series IP Telephones do not support the NVSECSGIP and NVBACKUPSGIP parameters.
Page 11
• SCEP
Note: Refer to Avaya DevConnect for application notes regarding VPN gateways and IP deskphones. Vendors who are not Avaya DevConnect Certified are encouraged to contact Avaya and certify through the program.
Introduction
This section outlines configuration requirements and setup options, and provides administrators with information on how to configure 9600 Series IP Telephones for a VPN.
Preliminary configuration requirements
The enterprise network must be configured with a security gateway. Corporate firewalls and routers must be configured to allow IPSec tunnels from the remote phone(s) to the security gateway.
Configuration preparation
To ensure that the end user is able to configure a 9600 Series IP Telephone in their SOHO environment and to connect to the enterprise network, administrators can pre-configure the IP telephone prior to deployment to allow the remote 9600 Series IP Telephone to establish a connection over the VPN tunnel and, if applicable, to provide authentication parameter values.
Users with permission to do so can view, add, or change the VPN parameters.
Simple Certificate Enrollment Protocol (SCEP)
9600 Series SIP Deskphones support Media Encryption (SRTP) and use built-in Avaya SIP Certificates for trust management. Trust management involves downloading certificates for additional trusted Certificate Authorities (CA) and the policy management of those CAs.
34 for a description of each authentication screen.
Preparing Avaya Aura® Communication Manager
A 9600 Series IP Telephone that will be used in your virtual private network is configured the same as other IP telephones on the call server running Avaya Aura® Communication Manager. Even though the phone is physically located outside of the corporate network, it will behave the same as other LAN-based Avaya IP telephones once the VPN tunnel has been established.
Communication Manager.
Installing the 9600 Series IP deskphone
Installation of 9600 Series IP Telephones to be used in a VPN network is the same as for any Avaya 9600 Series IP Telephone. For detailed installation instructions, see the Avaya one-X®...
Page 17
VPN Summary screen instead of the individual filtered screens. • Chapter 6: User Authentication and VPN Sleep Mode if you have established authentication parameters, as covered in Administrative Pre-Requisites for Authentication.
18 explains the authentication process. Note: All 9600 Series IP Telephones except the 9670G require you to press a button or softkey to take an action like exiting a screen. On 9670G IP Telephones, all actions are touch-based and are taken or confirmed by touching a softkey on the screen.
VPN settings screen fields
Procedure
1. For all 9600 Series IP Telephones except the 9670, press the Avaya (A) Menu button.
• For 9600 Series IP Telephones without administered WML applications, select VPN Settings.
• For 9600 Series IP Telephones with administered WML applications, select Phone Settings first, then VPN Settings.
Page 20
User Password
If a user password exists, it is shown here as 8 asterisks.
Blank if user password has no value (null), otherwise 8 asterisks (********)
Page 21
"0", a new Diffie-Hellman exchange will be initiated for each IKE Phase 2 Quick Mode exchange, where the proposed DH group will be as specified by
Page 22
UDP first, and if that isn’t valid use IKE over TCP. Always = Always use TCP as the transport protocol for IKE. For detailed information regarding system parameters, see Appendix A: VPN Parameters.
VPNPROC parameter to "2." • Invoking the VPN Settings option from the Avaya (A) Menu (or the Home screen for a 9670) using the VPN Access Code (if VPNPROC is set to "2").
Chapter 6 - User Authentication and VPN sleep on page 34 before proceeding.
Procedure
1. For all 9600 Series IP Telephones except the 9670, press the Avaya (A) Menu button.
• For 9600 Series IP Telephones without administered WML applications, select VPN Settings.
Page 25
Craft Local Procedure screen, "Select procedure and press Start." 4. For all 9600 Series IP Telephones except the 9670G, use the navigation arrows to scroll to and highlight VPN, then press Start or OK. Or scroll to VPN and press the corresponding line button.
All changes are effective and saved when you press/touch the Right Arrow to navigate to the next screen. Navigating Left after making any change to one or more fields/lines on a particular
External Phone IP Address... External ("outer") IP address of the telephone in VPN mode. (NVEXTIPADD)
External Router... External ("outer") router IP address in VPN mode. (EXTGIPADD or NVEXTGIPADD)
End user permission to change the VPN username (NVVPNUSERTYPE): If the user can change the user name, the description "Any" displays here. If the user cannot change the user
Either the VPN Settings screen (see Viewing or changing settings using the VPN Special Procedure), the IKE PSK screen, or the IKE Phase 1 screen, whichever is applicable to your VPN structure, opens.
2 denotes Second Oakley Group
5 denotes 1536-bit MODP Group
14 denotes 2048-bit MODP Group
15 denotes 3072-bit MODP Group
IKE Encryption Algorithm (NVIKEP1ENCALG): 0 = Any
NVIKEP2ENCALG: The encryption algorithm to propose for use during IKE Phase 2 negotiation. Values are:
0 = Any
1 = AES-CBC-128
2 = 3DES-CBC
3 = DES-CBC
The VPN Text Entry screen displays the current setting and a blank area for you to enter the new setting.
3. Use the dialpad to enter text, as you would on a cellular phone.
4. Press/touch Save to post the entry to the screen from which it came and return to that screen.
5. Press the Right Arrow to save the change(s) on that screen and move to the next applicable screen.
Note: All 9600 Series IP Telephones except the 9670G require you to select a line or desired action and press a button/softkey to act upon your selection. On 9670G IP Telephones, all actions are touch-based; for example, text/numeric entry uses an on-screen keyboard, and actions are taken or confirmed by touching the applicable line, feature, icon, or softkey on the screen.
This screen displays to authenticate an existing password or to allow access to the VPN Password Entry screen for entry of a new password.
Related Links
Accepting the current password on page 36
Entering a new password on page 36
Page 36
When NVVPNPSWDTYPE has a value of "3" or "4", the password is deleted from memory immediately after it is used. See VPN parameters on page 49 for an explanation of the NVVPNPSWDTYPE values.
Related Links
VPN password entry screen on page 35
Note: On 9600 Series IP Telephones, you can touch the LightOff softkey at any time to turn off the display backlight, regardless of being connected for VPN operation or not. When you see the VPN Tunnel Failure screen, the right softkey is labeled Sleep. Pressing (or touching if you have a 9670G phone) this softkey turns off the display backlight and displays the message "VPN tunnel terminated."...
The value of system parameter NVVPNAUTHTYPE is "3" or "4", indicating a Pre-Shared Key, but the value of one or both system parameters NVIKEID or NVIKEPSK is null.
A configuration problem not covered by the preceding five messages.
Resolution Procedure
Review settings and reconfigure values as needed.
No DNS Server Response
Problem description
The DNS server is out of service.
• Check whether the TRUSTCERTS parameter has been configured with the name of a file that contains a PEM-format copy of the Certificate Authority (CA) certificate that signed the server’s identity certificate; or
• Check whether the server certificate has expired.
Procedure
If that is not the cause, check the following IKE Phase 1 parameters for compatibility:
• NVVPNSVENDOR
• NVVPNAUTHTYPE
• NVIKEDHGRP
• NVIKEP1AUTHALG
• NVIKEP1ENCALG
• NVIKEP1LIFESEC
A message was not received from the VPN gateway in response to a message sent by the phone. Another cause might be that a Phase 2 parameter is not set correctly, causing the VPN gateway to ignore the message from the phone.
An IKE Security Association could not be established between the phone and the VPN gateway.
Resolution Procedure
Check the following IKE Phase 2 parameters for compatibility:
• NVIKEDHGRP
• NVIKEP2AUTHALG
• NVIKEP2ENCALG
• NVIKEP2LIFESEC
The IPSec Security Association was not renewed.
Resolution Procedure
Check the security policy configured in the VPN gateway to ensure that it supports renewals for the desired interval.
2. If the SCEP server is outside the corporate firewall, also check WMLPROXY.
Next steps
If the parameters are properly configured, check that the applicable server is set up and running properly.
Time to service functionality Important: Some vendors may have gateways that interfere with TTS functionality. Avaya recommends always setting the system parameter VPNTTS to "1" (On) unless you determine that your gateway interferes with TTS. If you determine that your gateway interferes with TTS, set or leave the VPNTTS default of "0"...
Bit length of the private key to be generated for a certificate request. 4 ASCII numeric digits, "1024" through "2048".
MYCERTRENEW Percentage of a certificate's Validity interval after which renewal procedures will be
Page 50
As of Software Release 6.1, NVHTTPSRVR is provided for VPN mode so that a file server IP address can be preconfigured and saved in non-volatile memory.
Page 51
4 in RFC 3526. NVIKEID "VPNPHONE" Specifies the identity to be used during IKE Phase 1 negotiation (also called the group name in XAUTH). 0 to 30 ASCII characters.
Page 53
• 2 = Main Mode Identity Protection. (Per Section 5 in RFC 2409.) NVIPSECSUBNET 0.0.0.0/0 Specifies IP address ranges that will use the VPN tunnel. 0 to 255
Page 54
NVVPNAUTHTYPE Specifies the user authentication method. 1 ASCII numeric digit. Valid values are:
• 3 = Pre-Shared Key (PSK)
• 4 = PSK with XAUTH
Page 55
IETF RFC 3947 will not be supported. • 2 = Procedures for the negotiation of NAT traversal will be supported as specified in IETF RFC 3947, except that IKE
Page 56
VPN user password will be stored. 1 ASCII numeric digit. Valid values are: • 1 = Password can be alphanumeric and is stored in reprogrammable non-volatile memory as the NVVPNPSWD value.
Page 57
" " (Null) Specifies the user name to use during authentication. 0 to 30 ASCII characters. NVVPNUSERTYPE Specifies whether the user can change the VPN username. 1
Page 58
• 0 = VPN tunnel not established. • 1 = VPN tunnel established. If an existing VPN tunnel fails, VPNACTIVE will be set to "0", IPADD will be set to "0.0.0.0",
Page 59
• 0 = TTS is not supported by the security gateway; turn off TTS functionality for VPN operation.
Hypertext Transfer Protocol, used to request and transmit pages on the World Wide Web.
HTTPS A secure version of HTTP.
IETF Internet Engineering Task Force, the organization that produces standards for communications on the Internet.
Page 61
Encryption of the signaling protocol exchanged between the IP telephone and the call server. Signaling channel encryption provides additional security to the security provided by media channel encryption.
Page 62
SRTP Secure Real-time Transport Protocol.
system-specific Specific to a particular type of call server. For example, Avaya Communication Manager or SIP Enablement Services (SES). System-specific signaling refers to messages specific to the signaling protocol used by the system. For example, H.323 and/or CCMS messages used by CM and IP Office, or SIP messages that possibly include system-specific headers used by SES.
Page 63
..............Installing the 9600–Series IP deskphone ......Accepting the current password ........Intended audience ..............Customer support ..............Invalid certificate ..............Invalid configuration .............39 IP address screen ..............33
Page 64
VPN settings screen general VPN settings ............27 viewing ................19 Generic authentication type ..........28 VPN sleep mode ............34, IKE over TCP ..............32 VPN special procedure ............IKE Phase 1 ..............30
Page 65
Index VPN system parameters configuring ..............VPN text entry screen ............32 VPN tunnel failure ................38 terminated ..............45 VPN user name entry screen ..........34