IPSec VPN Setup for Avaya Phone

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

IPSec VPN Setup for Avaya Phone

L4 Transporter

I am attempting to setup an IPSec VPN tunnel to connect to remote Avaya phones. I am not sure if I am doing it correctly. I've set up a new IPSec tunnel and configured it to use dynamic IP for remote peers. I am not sure if this is correct or not. It seems to me this would be for a site-to-site VPN. I believe I am looking for more of a client VPN tunnel to connect the Avaya phone to. Any thoughts or ideas would be appreciated.

1 accepted solution

Accepted Solutions

L4 Transporter

Hello,

Yes, you probably may test the site-to-site VPN by configuring the PAN to use dynamic peer IP, but I'm not sure it will work since I haven't tested this. To be able to  connect as a client VPN, we don't support the VPN client on the Avaya phones via Global Protect yet.

You may refer to 'Section 10' of this document: Troubleshooting GlobalProtect, PAN-OS 4.1

Hope that helps!

Thanks,

Aditi

View solution in original post

16 REPLIES 16

L4 Transporter

Hello,

Yes, you probably may test the site-to-site VPN by configuring the PAN to use dynamic peer IP, but I'm not sure it will work since I haven't tested this. To be able to  connect as a client VPN, we don't support the VPN client on the Avaya phones via Global Protect yet.

You may refer to 'Section 10' of this document: Troubleshooting GlobalProtect, PAN-OS 4.1

Hope that helps!

Thanks,

Aditi

Thank you,

I understand you may not support it yet but the concept should be the same if I am connecting via the built in IPSec client on the Avaya phone versus the PA IPSec client. It's the same protocol, using the same encryption and authentication methods. I do think you answered my question though. If I am attempting to connect multiple remote devices to the PA over an IPsec VPN connection then Global Protect is the way to go. Correct? I will attempt to get this working using the PA client. Once I confirm that is working I will move over to the Avaya phone and see if I can get that working.

Thanks again! Smiley Happy

where you able to get this working?  I am trying to setup up multiple avaya phone but the vpn keeps droppig

Unfortunately, I have not. I have mostly given up on it for the time being. We have another firewall that actually supports the Avaya phones (although it's not an ideal setup). I couldn't even get the phone to connect to the VPN. Which method are you trying? GlobalProtect or IPSec tunnels? If you can get the tunnel working but have disconnect issues maybe I'll give it another try and see what we can figure out.

Not applicable

I am using traditional IPSec tunnels.  I will continue to troubleshoot and if I find anything I will let you know. 

I finally got this working and then it stopped working. I used it connected to the GP Portal for a while. I reset it to make sure it would reconnect and it didn't....hmmm...but I did get it to connect!! That's progress!!

On the Palo Alto side under the Client Configuration > Tunnel Settings I enabled IPSec and XAuth Support (of course, I have LDAP up and running). I have the Group Name and Group password configured.

On my Avaya 9602L model phone I have the following configs:

GENERAL menu

VPN: Enabled

VPN Vendor: Other

Gateway Address...

(your GP Gateway IP address here)

External Phone IP Address...

(pulled via DHCP)

External Router...

(pulled via DHCP)

External Subnet Mask...

(pulled via DHCP)

External DNS Server...

(pulled via DHCP)

Encapsulation: RFC(500-500)

Copy TOS: NO

AUTH. TYPE menu

Auth. Type: PSK

IKE PSK menu

IKE ID (Group Name)...

(your group name goes here)

Pre-Shared Key (PSK)...

(your group password goes here)

IKE PHASE 1 menu

*Used Avaya phone defaults

(Make sure IKE Xchg Mode is aggressive)

IKE PHASE 2 menu

*Used Avaya phone defaults

IKE Over TCP menu

*Used the Avaya phone default (never)

did you try configuring a tunnel monitor for the device? I noticed that tunnels would go down and not come back up on PA devices I was configuring IPsec tunnels on when I didn't configure a tunnel monitor. I guess for the tunnel monitor you might try configuring only one IP address for the phone itself inside the tunnel, and then for the tunnel monitor plug in the phone's only IP address as the IP to 'monitor'.

The big clue that the issue was specifically related to tunnel monitoring was that I could clear the IPSec/IKE SAs on the PA CLI and then the tunnel would come back in... maybe the issue is basically the same for you?

Hi - did you try disabling "Skip Auth on IKE Rekey" under the Gateway --> Client Configuration --> Tunnel Settings

Egearhart, thanks for the response and sorry for my late response. Apparently I missed your reply. The short answer to your question is I tried this. I've tried removing the tunnels and rebuilding literally dozens of times with dozens of different configurations. I could never get it to come back up.

Angelo, thank you as well for your response. Yes, I've tried this. Honestly, I gave up on trying to do this with the PAs. We just bought a different firewall for the phones. We still use the PAs for our primary firewalls because I love them. This is the only problem I've had with them, although, I probably can't consider it a problem because they've said they don't support Avaya...yet. If they release firmware that supports them I'll probably switch back to the PAs. Then I can kick the other firewall to the curb because those I don't love. Smiley Wink

L1 Bithead

Anybody know if this is now supported on the 6.0 PA firewalls?

I'm facing as well issues setting up remote Avaya ip_Phones to work over the PA.

Have anybody ever managed to have this up and running?

I am also having the same issue, did anyone ever get it setup ?

 

regards,

Don

Nope, told it was not supported by Palo Alto and that it is a feature request. From my understanding, bunch of people have voted for it.

 

Feature request #1844 --- Avaya IP Phones and VPN with PAN

 

Have your SE vote for it everyone!!

  • 1 accepted solution
  • 21552 Views
  • 16 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!