topic Re: Avaya 9611G/4610SW VPN to PA-500 in General Topics

Avaya 9611G/4610SW VPN to PA-500

itmanager — Tue, 06 Nov 2012 19:34:16 GMT

Has anyone had success connecting Avaya IP phones via VPN to PA devices? I am able to complete IKE Phase 1 authentication, but fail Phase 2 due to local/remote proxy IDs not found:

'IKE phase-2 negotiation failed when processing proxy ID. cannot find matching phase-2 tunnel for received proxy ID. received local id: 192.168.50.0/24 type IPv4_subnet protocol 0 port 0, received remote id: 172.16.33.2/32 type IPv4_address protocol 0 port 0.' )

I'm not sure where to configure the phase 2 parameters as the phase 1 connection occurs using a Global-Protect Portal/Gateway. The remote ID matches the address received by the client from the G-P Gateway pool.

If you have had any success with these devices, please help!

Thanks,

Steve

First Annapolis

Re: Avaya 9611G/4610SW VPN to PA-500

sdurga — Tue, 06 Nov 2012 20:14:54 GMT

I did not quite get what you meant by"the phase 1 connection occurs using Global-protect Portal/Gateway". The errors that your are seeing are due to IPSEC tunnels and you can get rid of those errors by configuring Proxy IDS in the IPSEC tunnel configuration. Let me know if I am missing something.

Re: Avaya 9611G/4610SW VPN to PA-500

itmanager — Tue, 06 Nov 2012 21:35:31 GMT

Above is an image of our G-P gateway settings. The Group Name = IKE ID for phase 1, Group Password = Pre-shared Key.

The G-P gateway with these settings is processing phase 1 authentication successfully. I cannot setup an ipsec tunnel config associated with the G-P gateway as it is not recognized as an IKE gateway on the PA-500. So my question is, what Phase 2 settings is the PA-500 looking for (DH Group, Encryption Algorithm, Authentication Algorithm), and where are they set?

Hopefully that adds some clarity.

Re: Avaya 9611G/4610SW VPN to PA-500

apasupulati — Wed, 12 Dec 2012 07:18:02 GMT

Hello,

Currently Avaya's VPN client is not supported with Global protect yet, based on 'Section 10' of this document: Troubleshooting GlobalProtect, PAN-OS 4.1

You may try configuring an site-to-site IPsec tunnel for dynamic remote peer IP's to see if that helps.

Regards,

Aditi

Re: Avaya 9611G/4610SW VPN to PA-500

mario11584 — Wed, 12 Dec 2012 18:01:29 GMT

Maybe I am using an older version of firmware than you but my GP Gateway configuration window doesn't show fields for Group Name and password. I am using 4.0.8. Any ideas?

Re: Avaya 9611G/4610SW VPN to PA-500

mario11584 — Mon, 22 Apr 2013 23:08:37 GMT

I can't even get my Avaya 9602L unit to complete phase 1. I've configured the IKE ID as Group Name and the PSK as Group Password, but which VPN Vendor are you using, auth type, and IKE ID type?

Re: Avaya 9611G/4610SW VPN to PA-500

itmanager — Tue, 23 Apr 2013 12:31:54 GMT

These are the settings we use in our 46xxsettings.txt file (see the Avaya config doc for code translations and note some values are set generic as they cannot be shared publicly):

SET NVIKECONFIGMODE 1

SET NVIKEDHGRP 2

SET NVIKEID name@domain.com

SET NVIKEIDTYPE 11

SET NVIKEP1AUTHALG 2

SET NVIKEP1ENCALG 1

SET NVIKEP1LIFESEC 43200

SET NVIKEP2AUTHALG 2

SET NVIKEP2ENCALG 1

SET NVIKEP2LIFESEC 43200

SET NVIKEPSK psk

SET NVIKEEXCHGMODE 1

SET NVMCIPADD callserverip

SET NVPFSDHGRP 0

SET NVSGIP GPgatewayip

SET NVVPNAUTHTYPE 4

SET NVVPNMODE 1

SET NVVPNPSWDTYPE 1

SET NVVPNSVENDOR 4

SET NVVPNUSERTYPE 1

SET NVXAUTH 1

SET VPNPROC 2

Re: Avaya 9611G/4610SW VPN to PA-500

mario11584 — Tue, 11 Jun 2013 22:49:47 GMT

To date have you been able to successfully connect?

My problem seems to be with the "SET NVIKEIDTYPE". The PA logs show a mismatch key ID when my Avaya phone tries to connect. Where is that configured on the phone and more importantly, within Global Protect? Is it possible? I know where in an IPsec tunnel.

It's kind of disappointing that phones that are so widely used like Avaya are not supported on these firewalls.

I'm hoping these posts and thoughts will help others successfully connect so the knowledge can be shared.

Re: Avaya 9611G/4610SW VPN to PA-500

ericgearhart — Wed, 12 Jun 2013 01:18:42 GMT

Did you ever try to change over to a Site-to-Site IPsec tunnel style config on the PA? I would think the Avaya might need to support X-Auth in order to be a "normal" IPSec client.

Try building an IKE Gateway and an IPSec tunnel on the PA, and configure Proxy-IDs as well.

Have you seen this thread by the way?

https://live.paloaltonetworks.com/message/21633

Re: Avaya 9611G/4610SW VPN to PA-500

mario11584 — Mon, 17 Jun 2013 21:16:23 GMT

I've thought of doing this but building an IPSec tunnel for each remote user would be unmanageable. This is why we have been attempting to go the GlobalProtect route, but I'm losing hope that it will ever work. The firewall is trying to match a KeyID. The Avaya seems to be sending this KeyID to the PA and I think the PA isn't sure what to do with it. I don't configure a KeyID on my Mac when setting up a VPN or within the GlobalProtect software, so I think this is more of an issue with how Avaya manages the connectiong and not the Palo Alto.

Re: Avaya 9611G/4610SW VPN to PA-500

itmanager — Tue, 18 Jun 2013 13:51:48 GMT

We currently have 5 or 6 9611G models operating without issue. What model are you working with?

On the phone itself, our settings of note are:

VPN Vendor is set to Other

Encapsulation is set to 4500-4500 (this caused issues if set otherwise)

IKE ID is KEY_ID

We never had any success with the 4600 series IP phones, so if you are using these, you may be out of luck. As long as you have the VPN version of the firmware on the 9600s, you can navigate the settings by pressing * to program and then VPN for the access code, or the default Avaya security code of 27238.

Re: Avaya 9611G/4610SW VPN to PA-500

ericgearhart — Tue, 18 Jun 2013 14:19:56 GMT

I got you, I was more or less suggesting that just to see if it'd work at all, I understand that's not really a palatable long term solution.

Re: Avaya 9611G/4610SW VPN to PA-500

mario11584 — Tue, 18 Jun 2013 14:50:48 GMT

Thanks for the response and the help. That's good to hear you have some working. I was beginning to think it wasn't possible. We are using the 9620L model. I changed the Encapsulation to 4500-4500 as you suggested. It wasn't previously set that way though. Didn't seem to do the trick unfortunately. The firewall shows me the error I have attached. I am not sure how to configure the KeyID in the PA's Global Protect configurations to match the phone. How did you handle that?

Re: Avaya 9611G/4610SW VPN to PA-500

mario11584 — Wed, 03 Jul 2013 20:33:39 GMT

Well, I finally threw in the towel. After many days (probably more like weeks) of troubleshooting and testing we just decided to purchase a firewall from a different vendor. From firewall install to working phone was about 3 hours. Too bad I couldn't get this working on Palo Alto, that's one of the reasons we bought them. Thanks to those who offered help.

Re: Avaya 9611G/4610SW VPN to PA-500

Retired Member — Fri, 20 Dec 2013 03:23:15 GMT

Hi - did you try disabling "Skip Auth on IKE Rekey" under the Gateway --> Client Configuration --> Tunnel Settings

Re: Avaya 9611G/4610SW VPN to PA-500

kashanakins — Fri, 09 Jan 2015 19:10:59 GMT

Hello, was there every any discussion about making GlobalProtect compatible with the Avaya phones. Just recently tried it with the settings discussed in the forums, but could not get past Phase 1.

Re: Avaya 9611G/4610SW VPN to PA-500

JBarbera-Medifast — Tue, 31 Oct 2017 15:18:14 GMT

In order to get the Avaya 96xx IP phones to connect to a GlobalProtect gateway, I found there are certain settings that need to be configured on the phone in order to make it work. I spent about 3 days going through different configuration setups and what I found was that the phones will auto-negotiate the IKE Phase-1 parameters, but for some reason will not negotiate the Phase-2 parameters automatically. The solution that worked for me was setting the following parameters in the 46xxsettings.txt file used to program the phones via http.

SET NVVPNMODE 1

SET NVIKECONFIGMODE 1
SET NVIKEIDTYPE 11
SET NVIKEXCHGMODE 1

SET NVVPNAUTHTYPE 4

SET NVSGIP "vphone.yourdomain.com" (I recommend using FQDN if possible. Static IP can cause challenges later if ISP changes)

SET NVVPNPSWDTYPE 1

SET NVVPNENCAPS 0

SET NVIKEPSK "your-psk-password-here"

SET NVIKEID "vpnphone@yourdomain.com" (This is also referred to as the Group Name)

SET NVIKEDHGRP 2

SET NVIKEP1ENCALG 0

SET NVIKEP1AUTHALG 0

SET NVIKEP2ENCALG 5 (manually sets Phase-2 IKE to aes-256)

SET NVIKEP2AUTHALG 2 (manually sets Phase-2 auth to SHA-1)

SET NVPFSDHGRP 0 (this is important - none of the P2 settings above would have any effect until PFS was disabled)

SET NVIKEP1LIFESEC 86400 (phone defaults to 432,000s, which is 5 days - I set here to 1 day or you can keep default)

SET NVIKEP2LIFESEC 86400

This will work with the 96xx series of Avaya IP phones and I can provide additional details/notes in case anyone is looking to connect one over a VPN connection to a GlobalProtect gateway. I had to migrate the configuration from a Juniper SSG firewall to Palo Alto PA-850 , which provided some challenges since there really is no Avaya documentation or support information available that discusses setting up a VPN phone on the Palo Alto platform. Good Luck!!

Re: Avaya 9611G/4610SW VPN to PA-500

Stuart_Walton — Thu, 12 Mar 2020 12:00:52 GMT

I was interested to read your post about connecting Avaya 96xx phones to a Global Protect Gateway ovewr VPN.

We are looking to do something similar and wondered if you could share your notes and in particular the configuration of the PA gateway?

Regards

Stuart

Re: Avaya 9611G/4610SW VPN to PA-500

juanromero1 — Wed, 25 Mar 2020 13:13:13 GMT

Any information about this I am trying to do the VPN too

Re: Avaya 9611G/4610SW VPN to PA-500

JBarbera-Medifast — Wed, 01 Apr 2020 21:05:41 GMT

Sure. Here are some screenshots from my gateway configuration if that helps. Don't forget you will need rules to allow traffic between zones and you will also need an internal route pointing to the Palo Alto firewall for whatever IP pool you assign that will issue IPs to the phones.

For the interface, I have a public IP assigned to the loopback interface but you could also use your gateway interface, whatever is easier. I have a block of IPs I use outside of the main gateway interface, which is why I am using loopback.

For the authentication page, you can select an existing or create an SSL/TLS Service Profile. For client authentication, you will want to set the OS type to X-Auth as shown here. The next screenshot shows the Client Authentication settings.

For the GlobalProtect Agent tab, you'll select a tunnel interface, enable IPSec, enable X-Auth support and set the Group Name parameters as shown. This is what will need to match in the Avaya configuration I detailed in my post above.

Next click on the Client Settings tab and setup the IP Pool you will assign to the phones. You'll also need to split-tunnel your internal routes for the Avaya phone system and other user VoIP subnets.

I'm not 100% sure these settings are required unless you are doing FQDN for the Avaya system. Our Telecom team has everything going to host IPs so we really don't use any DNS on the phones. I just included for reference.

That's really all there is to it really. I setup a completely separate GP gateway just for the phones and I have all of my regular VPN users connecting on a different gateway but I also have a pool of public IPs to pull from where as that may not be an option.