12-07-2012 03:24 PM
I am attempting to set up an IPSec VPN tunnel to connect to remote Avaya phones. I am not sure if I am doing it correctly. I've set up a new IPSec tunnel and configured it to use dynamic IP for remote peers. I am not sure if this is correct or not. It seems to me this would be for a site-to-site VPN. I believe I am looking for more of a client VPN tunnel to connect the Avaya phone to. Any thoughts or ideas would be appreciated.
12-11-2012 11:01 PM
Hello,
Yes, you probably may test the site-to-site VPN by configuring the PAN to use dynamic peer IP, but I'm not sure it will work since I haven't tested this. To be able to connect as a client VPN, we don't support the VPN client on the Avaya phones via Global Protect yet.
You may refer to 'Section 10' of this document: Troubleshooting GlobalProtect, PAN-OS 4.1
Hope that helps!
Thanks,
Aditi
12-12-2012 08:52 AM
Thank you,
I understand you may not support it yet, but the concept should be the same if I am connecting via the built-in IPSec client on the Avaya phone versus the PA IPSec client. It's the same protocol, using the same encryption and authentication methods. I do think you answered my question though. If I am attempting to connect multiple remote devices to the PA over an IPsec VPN connection then Global Protect is the way to go. Correct? I will attempt to get this working using the PA client. Once I confirm that is working I will move over to the Avaya phone and see if I can get that working.
Thanks again!
01-17-2013 07:06 PM
Were you able to get this working? I am trying to set up multiple Avaya phones but the VPN keeps dropping.
01-18-2013 07:37 AM
Unfortunately, I have not. I have mostly given up on it for the time being. We have another firewall that actually supports the Avaya phones (although it's not an ideal setup). I couldn't even get the phone to connect to the VPN. Which method are you trying? GlobalProtect or IPSec tunnels? If you can get the tunnel working but have disconnect issues maybe I'll give it another try and see what we can figure out.
01-18-2013 09:11 AM
I am using traditional IPSec tunnels. I will continue to troubleshoot and if I find anything I will let you know.
04-25-2013 01:46 PM
I finally got this working and then it stopped working. I used it connected to the GP Portal for a while. I reset it to make sure it would reconnect and it didn't....hmmm...but I did get it to connect!! That's progress!!
On the Palo Alto side under the Client Configuration > Tunnel Settings I enabled IPSec and XAuth Support (of course, I have LDAP up and running). I have the Group Name and Group password configured.
On my Avaya 9602L model phone I have the following configs:
GENERAL menu
VPN: Enabled
VPN Vendor: Other
Gateway Address... (your GP Gateway IP address here)
External Phone IP Address... (pulled via DHCP)
External Router... (pulled via DHCP)
External Subnet Mask... (pulled via DHCP)
External DNS Server... (pulled via DHCP)
Encapsulation: RFC(500-500)
Copy TOS: NO

AUTH. TYPE menu
Auth. Type: PSK

IKE PSK menu
IKE ID (Group Name)... (your group name goes here)
Pre-Shared Key (PSK)... (your group password goes here)

IKE PHASE 1 menu
*Used Avaya phone defaults
(Make sure IKE Xchg Mode is aggressive)

IKE PHASE 2 menu
*Used Avaya phone defaults

IKE Over TCP menu
*Used the Avaya phone default (never)
06-11-2013 07:21 PM
Did you try configuring a tunnel monitor for the device? I noticed that tunnels would go down and not come back up on PA devices I was configuring IPsec tunnels on when I didn't configure a tunnel monitor. I guess for the tunnel monitor you might try configuring only one IP address for the phone itself inside the tunnel, and then for the tunnel monitor plug in the phone's only IP address as the IP to 'monitor'.
The big clue that the issue was specifically related to tunnel monitoring was that I could clear the IPSec/IKE SAs on the PA CLI and then the tunnel would come back in... maybe the issue is basically the same for you?
12-19-2013 07:22 PM
Hi - did you try disabling "Skip Auth on IKE Rekey" under the Gateway --> Client Configuration --> Tunnel Settings?
12-20-2013 07:30 AM
Egearhart, thanks for the response and sorry for my late response. Apparently I missed your reply. The short answer to your question is I tried this. I've tried removing the tunnels and rebuilding literally dozens of times with dozens of different configurations. I could never get it to come back up.
12-20-2013 07:36 AM
Angelo, thank you as well for your response. Yes, I've tried this. Honestly, I gave up on trying to do this with the PAs. We just bought a different firewall for the phones. We still use the PAs for our primary firewalls because I love them. This is the only problem I've had with them, although, I probably can't consider it a problem because they've said they don't support Avaya...yet. If they release firmware that supports them I'll probably switch back to the PAs. Then I can kick the other firewall to the curb because those I don't love.
05-15-2014 09:41 AM
Anybody know if this is now supported on the 6.0 PA firewalls?
10-02-2015 04:38 AM
I'm also facing issues setting up remote Avaya IP phones to work over the PA.
Has anybody ever managed to have this up and running?
07-26-2016 12:13 PM
I am also having the same issue. Did anyone ever get it set up?
regards,
Don
07-28-2016 01:41 PM
Nope, I was told it was not supported by Palo Alto and that it is a feature request. From my understanding, a bunch of people have voted for it.
Feature request #1844 --- Avaya IP Phones and VPN with PAN
Have your SE vote for it everyone!!