IPSec VPN Setup for Avaya Phone

L4 Transporter

IPSec VPN Setup for Avaya Phone

I am attempting to set up an IPSec VPN tunnel to connect to remote Avaya phones. I am not sure if I am doing it correctly. I've set up a new IPSec tunnel and configured it to use dynamic IP for remote peers. I am not sure if this is correct or not. It seems to me this would be for a site-to-site VPN. I believe I am looking for more of a client VPN tunnel to connect the Avaya phone to. Any thoughts or ideas would be appreciated.

L4 Transporter

Re: IPSec VPN Setup for Avaya Phone

Hello,

Yes, you probably may test the site-to-site VPN by configuring the PAN to use dynamic peer IP, but I'm not sure it will work since I haven't tested this. To be able to connect as a client VPN, we don't support the VPN client on the Avaya phones via Global Protect yet.

You may refer to 'Section 10' of this document: Troubleshooting GlobalProtect, PAN-OS 4.1

Hope that helps!

Thanks,

Aditi

L4 Transporter

Re: IPSec VPN Setup for Avaya Phone

Thank you,

I understand you may not support it yet, but the concept should be the same if I am connecting via the built-in IPSec client on the Avaya phone versus the PA IPSec client. It's the same protocol, using the same encryption and authentication methods. I do think you answered my question though. If I am attempting to connect multiple remote devices to the PA over an IPSec VPN connection then Global Protect is the way to go. Correct? I will attempt to get this working using the PA client. Once I confirm that is working I will move over to the Avaya phone and see if I can get that working.

Thanks again! :smileyhappy:

Not applicable

Re: IPSec VPN Setup for Avaya Phone

Were you able to get this working? I am trying to set up multiple Avaya phones but the VPN keeps dropping.

L4 Transporter

Re: IPSec VPN Setup for Avaya Phone

Unfortunately, I have not. I have mostly given up on it for the time being. We have another firewall that actually supports the Avaya phones (although it's not an ideal setup). I couldn't even get the phone to connect to the VPN. Which method are you trying? GlobalProtect or IPSec tunnels? If you can get the tunnel working but have disconnect issues maybe I'll give it another try and see what we can figure out.

Not applicable

Re: IPSec VPN Setup for Avaya Phone

I am using traditional IPSec tunnels.  I will continue to troubleshoot and if I find anything I will let you know. 

L4 Transporter

Re: IPSec VPN Setup for Avaya Phone

I finally got this working and then it stopped working. I used it connected to the GP Portal for a while. I reset it to make sure it would reconnect and it didn't....hmmm...but I did get it to connect!! That's progress!!

On the Palo Alto side under the Client Configuration > Tunnel Settings I enabled IPSec and XAuth Support (of course, I have LDAP up and running). I have the Group Name and Group password configured.

On my Avaya 9602L model phone I have the following configs:

GENERAL menu
  VPN: Enabled
  VPN Vendor: Other
  Gateway Address... (your GP Gateway IP address here)
  External Phone IP Address... (pulled via DHCP)
  External Router... (pulled via DHCP)
  External Subnet Mask... (pulled via DHCP)
  External DNS Server... (pulled via DHCP)
  Encapsulation: RFC(500-500)
  Copy TOS: NO

AUTH. TYPE menu
  Auth. Type: PSK

IKE PSK menu
  IKE ID (Group Name)... (your group name goes here)
  Pre-Shared Key (PSK)... (your group password goes here)

IKE PHASE 1 menu
  *Used Avaya phone defaults
  (Make sure IKE Xchg Mode is aggressive)

IKE PHASE 2 menu
  *Used Avaya phone defaults

IKE Over TCP menu
  *Used the Avaya phone default (never)

L4 Transporter

Re: IPSec VPN Setup for Avaya Phone

Did you try configuring a tunnel monitor for the device? I noticed that tunnels would go down and not come back up on PA devices I was configuring IPSec tunnels on when I didn't configure a tunnel monitor. I guess for the tunnel monitor you might try configuring only one IP address for the phone itself inside the tunnel, and then for the tunnel monitor plug in the phone's only IP address as the IP to 'monitor'.

The big clue that the issue was specifically related to tunnel monitoring was that I could clear the IPSec/IKE SAs on the PA CLI and then the tunnel would come back in... maybe the issue is basically the same for you?

L1 Bithead

Re: IPSec VPN Setup for Avaya Phone

Hi - did you try disabling "Skip Auth on IKE Rekey" under the Gateway --> Client Configuration --> Tunnel Settings?

L4 Transporter

Re: IPSec VPN Setup for Avaya Phone

Egearhart, thanks for the response and sorry for my late response. Apparently I missed your reply. The short answer to your question is I tried this. I've tried removing the tunnels and rebuilding literally dozens of times with dozens of different configurations. I could never get it to come back up.
