Avaya 9600 Series Setup Manual


VPN Setup Guide for 9600 Series IP Deskphones
Release 3.x and 6.x
16-602968
Issue 2
March 2015


Summary of Contents for Avaya 9600 Series

  • Page 1 VPN Setup Guide for 9600 Series IP Deskphones Release 3.x and 6.x 16-602968 Issue 2 March 2015...
  • Page 2 Avaya can be a criminal, as well as a civil offense available to Avaya customers and other parties through the Avaya under the applicable law.
  • Page 3 Hosted Service notices and articles, or to report a problem with your Avaya product or Hosted Service. For a list of support telephone numbers and contact addresses, go to the Avaya Support website: http://support.avaya.com (or such successor site as designated by...
  • Page 4 This transmitter must not be co-located or operating in conjunction with any other antenna or transmitter. Trademarks All non-Avaya trademarks are the property of their respective owners. Linux® is the registered trademark of Linus Torvalds in the U.S. and...
  • Page 5: Table Of Contents

    Navigating configuration screens and changing data ............ 27 General VPN settings — general screen field descriptions ...............  28 Generic authentication type screen field descriptions ................ 28 User credentials screen field descriptions March 2015 VPN Setup Guide for 9600 Series IP Telephones Comments? infodev@avaya.com...
  • Page 6 VPN tunnel terminated ........................ 45 SCEP: Failed Appendix A: VPN parameters.................... 46 ...................... 46 VPN configuration profiles ...................... 48 DHCPACK messages .................... 48 Time to service functionality ........................ 49 VPN parameters Glossary........................... 60...
  • Page 7: Chapter 1: Introduction

    Deskphone Edition for 9600 Series IP Telephones Administrator Guide (Document Number 16-300698). Note: This guide applies to versions 3.1 and 6.2 of the 9600 Series IP Telephones. The content is the same for both versions unless otherwise indicated. Note: The 9610 IP Telephone is not VPN-capable; you cannot use it as part of your VPN.
  • Page 8: Revision History

    9600 Series IP (16-300694) Telephones for use in your environment. Customer support For 9600 Series IP Telephone support, call the Avaya support number provided to you by your Avaya representative or Avaya reseller. support.avaya.com for Information about Avaya products.
  • Page 9: Chapter 2: Vpn Overview

    VPN-administered solution in the enterprise network. VPNs provide a significant improvement of the communications capabilities of SOHO users. 9600 Series IP Telephone Release 3.1 provides the capability to implement a VPN in Enterprise networks with third-party devices. For more information regarding third-party devices, see...
  • Page 10: Differences Between 4600-Series And 9600-Series Ip Deskphone Vpns

    • 9600 Series IP Telephone VPNs provide longer DNS names, up to 255 characters whereas 4600 Series VPNs limit DNS names to 16 characters. • 9600 Series IP VPN Telephones do not support user entry of an SCEP challenge password. • 9600 Series IP Telephones do not support the NVSECSGIP and NVBACKUPSGIP parameters.
  • Page 11 • SCEP Note: Refer to Avaya DevConnect for application notes regarding VPN gateways and IP deskphones. Vendors who are not Avaya DevConnect Certified are encouraged to contact Avaya and certify through the program...
  • Page 12: Chapter 3: Configuring The Vpn

    Introduction This section outlines configuration requirements and setup options, and provides administrators with information on how to configure 9600 Series IP Telephones for a VPN. Preliminary configuration requirements The enterprise network must be configured with a security gateway. Corporate firewalls and routers must be configured to allow IPSec tunnels from the remote phone(s) to the security gateway.
  • Page 13: Configuration Preparation

    Configuration preparation To ensure that the end user is able to configure a 9600 Series IP Telephone in their SOHO environment and to connect to the enterprise network, administrators can pre-configure the IP telephone prior to deployment to allow the remote 9600 Series IP Telephone to establish a connection over the VPN tunnel and, if applicable, to provide authentication parameter values.
  • Page 14: Configuring The Vpn Settings

    Users with permission to do so can view, add, or change the VPN parameters. Simple Certificate Enrollment Protocol (SCEP) 9600 Series SIP Deskphones support Media Encryption (SRTP) and use built-in Avaya SIP Certificates for trust management. Trust management involves downloading certificates for additional trusted Certificate Authorities (CA) and the policy management of those CAs.
  • Page 15: Configuring Vpn System Parameters

    34 for a description of each authentication screen. Preparing Avaya Aura® Communication Manager A 9600 Series IP Telephone that will be used in your virtual private network is configured the same as other IP telephones on the call server running Avaya Aura® Communication Manager. Even though the phone is physically located outside of the corporate network, it will behave the same as other LAN-based Avaya IP telephones once the VPN tunnel has been established.
  • Page 16: Installing The 9600 Series Ip Deskphone

    Communication Manager. Installing the 9600 Series IP deskphone Installation of 9600 Series IP Telephones to be used in a VPN network is the same as for any Avaya 9600 Series IP Telephone. For detailed installation instructions, see the Avaya one-X®...
  • Page 17 VPN Summary screen instead of the individual filtered screens. • Chapter 6: User Authentication and VPN Sleep Mode if you have established authentication parameters, as covered in Administrative Pre-Requisites for Authentication...
  • Page 18: Chapter 4: Viewing Vpn Settings

    18 explains the authentication process. Note: All 9600 Series IP Telephones except the 9670G require you to press a button or softkey to take an action like exiting a screen. On 9670G IP Telephones, all actions are touch-based and are taken or confirmed by touching a softkey on the screen.
  • Page 19: Vpn Settings Screen Fields

    VPN settings screen fields Procedure 1. For all 9600 Series IP Telephones except the 9670, press the Avaya (A) Menu button. • For 9600 Series IP Telephones without administered WML applications, select VPN Settings. • For 9600 Series IP Telephones with administered WML applications, select Phone Settings first, then VPN Settings.
  • Page 20 User Password: If a user password exists, it is shown here as 8 asterisks. Blank if user password has no value (null), otherwise 8 asterisks (********)...
  • Page 21 "0", a new Diffie-Hellman exchange will be initiated for each IKE Phase 2 Quick Mode exchange, where the proposed DH group will be as specified by...
  • Page 22 UDP first, and if that isn’t valid use IKE over TCP. Always = Always use TCP as the transport protocol for IKE. For detailed information regarding system parameters, see Appendix A: VPN Parameters...
  • Page 23: Chapter 5: Changing Vpn Settings

    VPNPROC parameter to "2." • Invoking the VPN Settings option from the Avaya (A) Menu (or the Home screen for a 9670) using the VPN Access Code (if VPNPROC is set to "2").
  • Page 24: Access Using The Vpn Special Procedure

    Chapter 6 - User Authentication and VPN sleep on page 34 before proceeding. Procedure 1. For all 9600 Series IP Telephones except the 9670, press the Avaya (A) Menu button. • For 9600 Series IP Telephones without administered WML applications, select VPN Settings.
  • Page 25 Craft Local Procedure screen, "Select procedure and press Start." 4. For all 9600 Series IP Telephones except the 9670G, use the navigation arrows to scroll to and highlight VPN, then press Start or OK. Or scroll to VPN and press the corresponding line button.
  • Page 26: Viewing Or Changing Settings Using The Vpn Special Procedure

    All changes are effective and saved when you press/touch the Right Arrow to navigate to the next screen. Navigating Left after making any change to one or more fields/lines on a particular...
  • Page 27: General Vpn Settings - General Screen Field Descriptions

    External Phone IP Address... External ("outer") IP address of the telephone in VPN mode (NVEXTIPADD). External Router... External ("outer") router IP address in VPN mode (EXTGIPADD or NVEXTGIPADD)...
  • Page 28: Generic Authentication Type Screen Field Descriptions

    End user permission to change the VPN username (NVVPNUSERTYPE): If the user can change the user name, the description "Any" displays here. If the user cannot change the user...
  • Page 29: Changing Your Vpn Password

    Either the VPN Settings screen (see Viewing or changing settings using the VPN Special Procedure), the IKE PSK screen, or the IKE Phase 1 screen, whichever is applicable to your VPN structure, opens...
  • Page 30: Ike Psk Screen

    2 denotes Second Oakley Group; 5 denotes 1536-bit MODP Group; 14 denotes 2048-bit MODP Group; 15 denotes 3072-bit MODP Group. IKE Encryption Algorithm (NVIKEP1ENCALG): 0 = Any...
  • Page 31: Ike Phase 2 Screen Field Descriptions

    The encryption algorithm to propose for use during IKE Phase 2 negotiation (NVIKEP2ENCALG). Values are: 0 = Any; 1 = AES-CBC-128; 2 = 3DES-CBC; 3 = DES-CBC...
  • Page 32: Ike Over Tcp Screen Field Descriptions

    The VPN Text Entry screen displays the current setting and a blank area for you to enter the new setting. 3. Use the dialpad to enter text, as you would on a cellular phone...
  • Page 33: Ip Address Screen

    4. Press/touch Save to post the entry to the screen from which it came and return to that screen. 5. Press the Right Arrow to save the change(s) on that screen and move to the next applicable screen...
  • Page 34: Chapter 6: User Authentication And Vpn Sleep

    Note: All 9600 Series IP Telephones except the 9670G require you to select a line or desired action and press a button/softkey to act upon your selection. On 9670G IP Telephones, all actions are touch-based; for example, text/numeric entry uses an on-screen keyboard, and actions are taken or confirmed by touching the applicable line, feature, icon, or softkey on the screen.
  • Page 35: Vpn Password Reuse Screen

    This screen displays to authenticate an existing password or to allow access to the VPN Password Entry screen for entry of a new password. Related Links Accepting the current password on page 36 Entering a new password on page 36...
  • Page 36 When NVVPNPSWDTYPE has a value of "3" or "4" the password is deleted from memory immediately after it is used. See VPN parameters on page 49 for an explanation of the NVVPNPSWDTYPE values. Related Links VPN password entry screen on page 35...
  • Page 37: Vpn Sleep Mode

    Note: On 9600 Series IP Telephones, you can touch the LightOff softkey at any time to turn off the display backlight, regardless of being connected for VPN operation or not. When you see the VPN Tunnel Failure screen, the right softkey is labeled Sleep. Pressing (or touching if you have a 9670G phone) this softkey turns off the display backlight and displays the message "VPN tunnel terminated."...
  • Page 38: Chapter 7: Troubleshooting

    The value of system parameter NVVPNAUTHTYPE is "3" or "4", indicating a Pre-Shared Key, but the value of one or both system parameters NVIKEID or NVIKEPSK is null...
  • Page 39: Need Phone Certificate

    A configuration problem not covered by the preceding five messages. Resolution Procedure Review settings and reconfigure values as needed. No DNS Server Response Problem description The DNS server is out of service...
  • Page 40: Bad Gateway Dns Name

    • Check whether the TRUSTCERTS parameter has been configured with the name of a file that contains a PEM-format copy of the Certificate Authority (CA) certificate that signed the server’s identity certificate; or • Check whether the server certificate has expired...
  • Page 41: Phone Certificate Invalid

    Procedure If that is not the cause, check the following IKE Phase 1 parameters for compatibility: • NVVPNSVENDOR • NVVPNAUTHTYPE • NVIKEDHGRP • NVIKEP1AUTHALG • NVIKEP1ENCALG • NVIKEP1LIFESEC...
  • Page 42: Ike Id/Psk Invalid

    A message was not received from the VPN gateway in response to a message sent by the phone. Another cause might be that a Phase 2 parameter is not set correctly, causing the VPN gateway to ignore the message from the phone...
  • Page 43: Ike Phase 2 Failure

    An IKE Security Association could not be established between the phone and the VPN gateway. Resolution Procedure Check the following IKE Phase 2 parameters for compatibility: • NVIKEDHGRP • NVIKEP2AUTHALG • NVIKEP2ENCALG • NVIKEP2LIFESEC...
  • Page 44: Ike Keep-Alive Failure

    The IPSec Security Association was not renewed. Resolution Procedure Check the security policy configured in the VPN gateway to ensure that it supports renewals for the desired interval...
  • Page 45: Vpn Tunnel Terminated

    2. If the SCEP server is outside the corporate firewall, also check WMLPROXY. Next steps If the parameters are properly configured, check that the applicable server is set up and running properly...
  • Page 46: Appendix A: Vpn Parameters

    • NVVPNAUTHTYPE (4) • NVVPNSVENDOR (2) Cisco Cert with XAUTH (NVVPNCFGPROF = 8) Sets the following values (to): • NVIKECONFIGMODE (1) • NVIKEID ("" - Null String)...
  • Page 47 Sets the following values (to): (PSK) (NVVPNCFGPROF = 6) • NVIKECONFIGMODE (2) • NVIKEID ("" - Null String) • NVIKETYPE (3) • NVIKEXCHANGEMODE (1) • NVVPNAUTHTYPE (3) • NVVPNSVENDOR (4)...
  • Page 48: Dhcpack Messages

    Time to service functionality Important: Some vendors may have gateways that interfere with TTS functionality. Avaya recommends always setting the system parameter VPNTTS to "1" (On) unless you determine that your gateway interferes with TTS. If you determine that your gateway interferes with TTS, set or leave the VPNTTS default of "0"...
  • Page 49: Vpn Parameters

    Bit length of the private key to be generated for a certificate request. 4 ASCII numeric digits, "1024" through "2048". MYCERTRENEW Percentage of a certificate's Validity interval after which renewal procedures will be...
  • Page 50 As of Software Release 6.1, NVHTTPSRVR is provided for VPN mode so that a file server IP address can be preconfigured and saved in non-volatile memory...
  • Page 51 4 in RFC 3526. NVIKEID "VPNPHONE" Specifies the identity to be used during IKE Phase 1 negotiation (also called the group name in XAUTH). 0 to 30 ASCII characters...
  • Page 52 • 2 = 3DES-CBC (per RFC 2451) • 3 = DES-CBC (per RFC 2405) • 4 = AES-CBC-192 (per RFC 3602) • 5 = AES-CBC-256 (per RFC 3602)...
  • Page 53 • 2 = Main Mode Identity Protection. (Per Section 5 in RFC 2409.) NVIPSECSUBNET 0.0.0.0/0 Specifies IP address ranges that will use the VPN tunnel. 0 to 255...
  • Page 54 NVVPNAUTHTYPE Specifies the user authentication method. 1 ASCII numeric digit. Valid values are: • 3 = Pre-Shared Key (PSK) • 4 = PSK with XAUTH...
  • Page 55 IETF RFC 3947 will not be supported. • 2 = Procedures for the negotiation of NAT traversal will be supported as specified in IETF RFC 3947, except that IKE...
  • Page 56 VPN user password will be stored. 1 ASCII numeric digit. Valid values are: • 1 = Password can be alphanumeric and is stored in reprogrammable non-volatile memory as the NVVPNPSWD value...
  • Page 57 " " (Null) Specifies the user name to use during authentication. 0 to 30 ASCII characters. NVVPNUSERTYPE Specifies whether the user can change the VPN username. 1...
  • Page 58 • 0 = VPN tunnel not established. • 1 = VPN tunnel established. If an existing VPN tunnel fails, VPNACTIVE will be set to "0", IPADD will be set to "0.0.0.0",...
  • Page 59 • 0 = TTS is not supported by the security gateway; turn off TTS functionality for VPN operation...
  • Page 60: Glossary

    Hypertext Transfer Protocol, used to request and transmit pages on the World Wide Web. HTTPS A secure version of HTTP. IETF Internet Engineering Task Force, the organization that produces standards for communications on the Internet...
  • Page 61 Encryption of the signaling protocol exchanged between the IP telephone and the call server. Signaling channel encryption provides additional security to the security provided by media channel encryption...
  • Page 62 SRTP Secure Real-time Transport Protocol. system-specific Specific to a particular type of call server. For example, Avaya Communication Manager or SIP Enablement Services (SES). System-specific signaling refers to messages specific to the signaling protocol used by the system. For example, H.323 and/or CCMS messages used by CM and IP Office, or SIP messages that possibly include system-specific headers used by SES.