VPNSetup Guide For 9600 Series IPTelephones

VPN Setup Guide for 9600 Series IP Telephones
Release 3.1 and 6.2 16-602968 Issue 1 January 2013
2013 Avaya Inc.
All Rights Reserved. Notice While reasonable efforts have been made to ensure that the information in this document is complete and accurate at the time of printing, Avaya assumes no liability for any errors. Avaya reserves the right to make changes and corrections to the information in this document without the obligation to notify any person or organization of such changes. Note Using a cell, mobile, or GSM phone, or a two-way radio in close proximity to an Avaya IP telephone might cause interference. Documentation disclaimer Documentation means information published by Avaya in varying mediums which may include product information, operating instructions and performance specifications that Avaya generally makes available to users of its products. Documentation does not include marketing materials. Avaya shall not be responsible for any modifications, additions, or deletions to the original published version of documentation unless such modifications, additions, or deletions were performed by Avaya. End User agrees to indemnify and hold harmless Avaya, Avaya's agents, servants and employees against all claims, lawsuits, demands and judgments arising out of, or in connection with, subsequent modifications, additions or deletions to this documentation, to the extent made by End User. Link disclaimer Avaya is not responsible for the contents or reliability of any linked websites referenced within this site or documentation provided by Avaya. Avaya is not responsible for the accuracy of any information, statement or content provided on these sites and does not necessarily endorse the products, services, or information described or offered within them. Avaya does not guarantee that these links will work all the time and has no control over the availability of the linked pages. Warranty Avaya provides a limited warranty on its hardware and Software (Product(s)). Refer to your sales agreement to establish the terms of the limited warranty. In addition, Avayas standard warranty language, as well as information regarding support for this Product while under warranty is available to Avaya customers and other parties through the Avaya Support website: http://support.avaya.com. Please note that if you acquired the Product(s) from an authorized Avaya reseller outside of the United States and Canada, the warranty is provided to you by said Avaya reseller and not by Avaya. Software means computer programs in object code, provided by Avaya or an Avaya Channel Partner, whether as stand-alone products or pre-installed on hardware products, and any upgrades, updates, bug fixes, or modified versions. Licenses THE SOFTWARE LICENSE TERMS AVAILABLE ON THE AVAYA WEBSITE, HTTP://SUPPORT.AVAYA.COM/LICENSEINFO ARE APPLICABLE TO ANYONE WHO DOWNLOADS, USES AND/OR INSTALLS AVAYA SOFTWARE, PURCHASED FROM AVAYA INC., ANY AVAYA AFFILIATE, OR AN AUTHORIZED AVAYA RESELLER (AS APPLICABLE) UNDER A COMMERCIAL AGREEMENT WITH AVAYA OR AN AUTHORIZED AVAYA RESELLER. UNLESS OTHERWISE AGREED TO BY AVAYA IN WRITING, AVAYA DOES NOT EXTEND THIS LICENSE IF THE SOFTWARE WAS OBTAINED FROM ANYONE OTHER THAN AVAYA, AN AVAYA AFFILIATE OR AN AVAYA AUTHORIZED RESELLER; AVAYA RESERVES THE RIGHT TO TAKE LEGAL ACTION AGAINST YOU AND ANYONE ELSE USING OR SELLING THE SOFTWARE WITHOUT A LICENSE. BY INSTALLING, DOWNLOADING OR USING THE SOFTWARE, OR AUTHORIZING OTHERS TO DO SO, YOU, ON BEHALF OF YOURSELF AND THE ENTITY FOR WHOM YOU ARE INSTALLING, DOWNLOADING OR USING THE SOFTWARE (HEREINAFTER
REFERRED TO INTERCHANGEABLY AS YOU AND END USER), AGREE TO THESE TERMS AND CONDITIONS AND CREATE A BINDING CONTRACT BETWEEN YOU AND AVAYA INC. OR THE APPLICABLE AVAYA AFFILIATE (AVAYA). Avaya grants you a license within the scope of the license types described below, with the exception of Heritage Nortel Software, for which the scope of the license is detailed below. Where the order documentation does not expressly identify a license type, the applicable license will be a Designated System License. The applicable number of licenses and units of capacity for which the license is granted will be one (1), unless a different number of licenses or units of capacity is specified in the documentation or other materials available to you. Designated Processor means a single stand-alone computing device. Server means a Designated Processor that hosts a software application to be accessed by multiple users. License types Designated System(s) License (DS). End User may install and use each copy of the Software only on a number of Designated Processors up to the number indicated in the order. Avaya may require the Designated Processor(s) to be identified in the order by type, serial number, feature key, location or other specific designation, or to be provided by End User to Avaya through electronic means established by Avaya specifically for this purpose. Shrinkwrap License (SR). You may install and use the Software in accordance with the terms and conditions of the applicable license agreements, such as shrinkwrap or clickthrough license accompanying or applicable to the Software (Shrinkwrap License). Copyright Except where expressly stated otherwise, no use should be made of materials on this site, the Documentation, Software, or hardware provided by Avaya. All content on this site, the documentation and the Product provided by Avaya including the selection, arrangement and design of the content is owned either by Avaya or its licensors and is protected by copyright and other intellectual property laws including the sui generis rights relating to the protection of databases. You may not modify, copy, reproduce, republish, upload, post, transmit or distribute in any way any content, in whole or in part, including any code and software unless expressly authorized by Avaya. Unauthorized reproduction, transmission, dissemination, storage, and or use without the express written consent of Avaya can be a criminal, as well as a civil offense under the applicable law. Third Party Components Third Party Components mean certain software programs or portions thereof included in the Software that may contain software (including open source software) distributed under third party agreements (Third Party Components), which contain terms regarding the rights to use certain portions of the Software (Third Party Terms). Information regarding distributed Linux OS source code (for those Products that have distributed Linux OS source code) and identifying the copyright holders of the Third Party Components and the Third Party Terms that apply is available in the Documentation or on Avayas website at: http:// support.avaya.com/Copyright. You agree to the Third Party Terms for any such Third Party Components. Preventing Toll Fraud Toll Fraud is the unauthorized use of your telecommunications system by an unauthorized party (for example, a person who is not a corporate employee, agent, subcontractor, or is not working on your company's behalf). Be aware that there can be a risk of Toll Fraud associated with your system and that, if Toll Fraud occurs, it can result in substantial additional charges for your telecommunications services. Avaya Toll Fraud intervention If you suspect that you are being victimized by Toll Fraud and you need technical assistance or support, call Technical Service Center Toll Fraud Intervention Hotline at +1-800-643-2353 for the United States and Canada. For additional support telephone numbers, see the Avaya

Comments? [email protected]
January 2013
Support website: http://support.avaya.com. Suspected security vulnerabilities with Avaya products should be reported to Avaya by sending mail to: [email protected]. Trademarks All non-Avaya trademarks are the property of their respective owners, and Linux is a registered trademark of Linus Torvalds. Downloading Documentation For the most current versions of Documentation, see the Avaya Support website: http://support.avaya.com. Contact Avaya Support See the Avaya Support website: http://support.avaya.com for product notices and articles, or to report a problem with your Avaya product. For a list of support telephone numbers and contact addresses, go to the Avaya Support website: http://support.avaya.com, scroll to the bottom of the page, and select Contact Avaya Support. Federal Communications Commission (FCC) Interference Statement This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to Part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one of the following measures: Reorient or relocate the receiving antenna. Increase the separation between the equipment and receiver. Connect the equipment into an outlet on a circuit different from that to which the receiver is connected. Consult the dealer or an experienced radio/TV technician for help. This device complies with Part 15 of the FCC Rules. Operation is subject to the following two conditions: (1) This device may not cause harmful interference, and (2) this device must accept any interference received, including interference that may cause undesired operation. FCC Caution: Any changes or modifications not expressly approved by the party responsible for compliance could void the user's authority to operate this equipment. FCC/Industry Canada Radiation Exposure Statement This device complies with the FCC's and Industry Canada's RF radiation exposure limits set forth for the general population (uncontrolled environment) and must not be co-located or operated in conjunction with any other antenna or transmitter. Warning The handset receiver contains magnetic devices that can attract small metallic objects. Care should be taken to avoid personal injury. Power over Ethernet (PoE) warning This equipment must be connected to PoE networks without routing to the outside plant.
VCCI-Class B statement: This is a Class B product based on the standard of the VCCI Council. If this is used near a radio or television receiver in a domestic environment, it may cause radio interference. Install and use the equipment according to the instruction manual.
January 2013

January 2013
Contents Chapter 1: Introduction...................................................................................................... 7

About this guide........................................................................................................................................ 7 Intended audience.................................................................................................................................... 7 Revision history......................................................................................................................................... 8 Online documentation............................................................................................................................... 8 Related documentation............................................................................................................................. 8 Customer support...................................................................................................................................... 9 Chapter 2: VPN overview.................................................................................................... 11 Introduction............................................................................................................................................... 11 Differences between 4600series and 9600series IP deskphone VPNs................................................ 12 Third-Party Security Gateways interoperability limitations........................................................................ 13 Chapter 3: Configuring the VPN........................................................................................ 15 Introduction............................................................................................................................................... 15 Preliminary configuration requirements..................................................................................................... 15 Configuration Preparation......................................................................................................................... 16 Configuration preparation................................................................................................................. 16 Preparing the Security Gateway....................................................................................................... 17 Configuring the VPN settings........................................................................................................... 17 Simple Enrollment Certificate Protocol (SCEP)................................................................................ 17 Configuring VPN system parameters............................................................................................... 18 Administrative Pre-requisites for authentication............................................................................... 18 Preparing Avaya Aura Communication Manager........................................................................... 19 Installing the 9600 Series IP deskphone.......................................................................................... 19 Deploying the VPN-ready 9600Series IP deskphone..................................................................... 20 Chapter 4: Viewing VPN settings....................................................................................... 21 Introduction............................................................................................................................................... 21 Access using the Avaya (A) menu............................................................................................................ 21 VPN settings screen fields........................................................................................................................ 22 Chapter 5: Changing VPN settings.................................................................................... 27 Introduction............................................................................................................................................... 27 Accessing VPN settings............................................................................................................................ 28 Access using the Avaya (A) menu.................................................................................................... 28 Access using the VPN special procedure........................................................................................ 28 Access using the Local Administrative (Craft) procedure menu....................................................... 29 Viewing or changing settings using the VPN special procedure............................................................... 30 Navigating configuration screens and changing data....................................................................... 31 General VPN settings general screen field descriptions...................................................................... 32 Generic authentication type screen field descriptions............................................................................... 33 User credentials screen field descriptions................................................................................................ 33 Changing your VPN password.................................................................................................................. 34 IKE PSK screen........................................................................................................................................ 35 IKE Phase 1 screen field descriptions...................................................................................................... 35 IKE Phase 2 screen field descriptions...................................................................................................... 36 IKE over TCP screen field descriptions..................................................................................................... 37
January 2013
VPN text entry screen............................................................................................................................... 38 IP address screen..................................................................................................................................... 38 Chapter 6: User Authentication and VPN Sleep............................................................... 41 Introduction............................................................................................................................................... 41 User Authentication................................................................................................................................... 41 VPN user name entry screen........................................................................................................... 41 VPN Password Reuse screen.......................................................................................................... 42 VPN password entry screen............................................................................................................. 43 VPN sleep mode....................................................................................................................................... 44 VPN sleep mode keys...................................................................................................................... 45 Chapter 7: Troubleshooting............................................................................................... 47 VPN Authentication Failed........................................................................................................................ 47 VPN Tunnel Failure................................................................................................................................... 47 Need IKE ID/PSK...................................................................................................................................... 48 Need phone certificate.............................................................................................................................. 48 Invalid Configuration................................................................................................................................. 48 No DNS Server Response........................................................................................................................ 49 Bad Gateway DNS Name......................................................................................................................... 49 Gateway certificate invalid........................................................................................................................ 50 Phone certificate invalid............................................................................................................................ 50 IKE Phase 1 No Response....................................................................................................................... 50 IKE ID/PSK invalid.................................................................................................................................... 51 IKE Phase 1 failure................................................................................................................................... 52 IKE Phase 2 No Response....................................................................................................................... 52 IKE Phase 2 failure................................................................................................................................... 53 IKE keep-alive failure................................................................................................................................ 54 IKE SA expired.......................................................................................................................................... 54 IPSec SA expired...................................................................................................................................... 54 VPN tunnel terminated.............................................................................................................................. 55 SCEP: Failed............................................................................................................................................. 55 Appendix A: VPN parameters............................................................................................ 57 VPN configuration profiles......................................................................................................................... 57 DHCPACK messages............................................................................................................................... 59 Time to service functionality...................................................................................................................... 59 VPN parameters........................................................................................................................................ 60 Glossary............................................................................................................................... 75 Index..................................................................................................................................... 79
January 2013
Chapter 1: Introduction
About this guide

This guide provides information describing VPN configuration, use, and troubleshooting from both the Administrators and end users perspective, including items that should be noted as part of installation. For more information regarding administrative configuration, see Chapter 2 - VPN Overview on page 11. End-user configuration information is provided to assist the end user in installing and configuring a 9600 Series IP Telephone in their small office home office (SOHO) environment with minimal assistance from corporate IT or Telephony groups. Procedures for end user viewing and updating VPN settings are also provided. Use this setup guide in conjunction with the standard setup instructions in the Avaya one-X Deskphone Edition for 9600 Series IP Telephones Administrator Guide (Document Number 16-300698). Note: This guide applies to versions 3.1 and 6.2 of the 9600 Series IP Telephones. The content is the same for both versions unless otherwise indicated. Note: The 9610 IP Telephone is not VPN-capable you cannot use it as part of your VPN.
Intended audience
This guide provides network administrator and end-user information for a Virtual Private Network (VPN) for 9600 Series IP Telephones. If you are an administrator, use this document in conjunction with the Avaya one-X Deskphone Edition for 9600 Series IP Telephones Administrator Guide (Document Number 16-300698). Caution: Avaya does not provide product support for many of the products mentioned in this document, including security gateways, remote Internet access devices such as DSL or
January 2013
Introduction
cable modems, file servers, DNS servers, or DHCP servers. Take care to ensure that there is adequate technical support available for these products and that they are properly configured, otherwise the IP telephones might not be able to operate correctly.
Revision history
Issue 1 2 Date 11/2009 10/2012 Summary of changes This is the first release of this document, issued in November 2009 as part of Software Release 3.1. This release is updated for 9600series phones Software Release 6.2.
Online documentation
Related documentation
Administering Avaya Aura Communication Manager (03-300509) Avaya one-X Deskphone Edition for 9600 Series IP Telephones Administrator Guide (16-300698)
This document provides an overall reference for planning, operating, and administering your Communication Manager solution. This document provides a detailed description of how to administer the 9600 Series IP Telephones for use in your Enterprise environment, including VPN administration. This document provides a detailed description of how to install and maintain the 9600 Series IP Telephones for use in your environment.
Avaya one-X Deskphone Edition for 9600 Series IP Telephones Installation and Maintenance Guide (16-300694)

January 2013
Customer support
Customer support
For 9600 Series IP Telephone support, call the Avaya support number provided to you by your Avaya representative or Avaya reseller. See support.avaya.com for Information about Avaya products.
January 2013
Introduction
10

January 2013
Chapter 2: VPN overview
Introduction
Setting up a virtual private network provides enterprise telephony services for remote or small office home office (SOHO) locations through a secure VPN connection to the users Enterprise Communication Manager infrastructure. A VPN uses a high-speed connection to the Internet and then to the VPN-administered solution in the enterprise network. VPNs provide a significant improvement of the communications capabilities of SOHO users. 9600 Series IP Telephone Release 3.1 provides the capability to implement a VPN in Enterprise networks with third-party devices. For more information regarding third-party devices, see Third-Party Security Gateways interopability limitations on page 13 Figure 1 illustrates a possible corporate network configuration with three 9600 Series IP Telephones connected through secure VPN connections.
Figure 1: VPN configuration
January 2013
11
VPN overview
Differences between 4600series and 9600series IP deskphone VPNs

Review this section if you already have a VPN in place for 4600 Series IP Telephones. There are several differences between the structure and administration for each type of telephone series, namely: A 9600 Series VPN telephone is administered by setting the applicable system parameters using the 46xxsettings.txt file. This is the same settings file you already use for the non-VPN system parameters you currently customize for both 9600 Series and 4600 Series IP Telephones. A 4600 Series VPN uses a unique settings file (46vpnsetting.txt) to administer applicable system parameters instead of the 46xxsettings.txt file. 9600 Series IP VPN Telephones do not support the Avaya SG203 security gateway, whereas 4600 Series IP VPN Telephones do. 9600 Series IP Telephone VPNs use an enhanced security process: - End users have a separate access code and permission settings that allow access only to VPN settings rather than general access to all local administrative (Craft) procedures. - VPN users are assigned a unique VPN password which can be administered to be erased on VPN termination or telephone reset; this measure prevents unauthorized users from automatically re-establishing a VPN tunnel. - Users with valid VPN credentials can be prevented from using each others telephones by setting the NVVPNUSERTYPE parameter to allow the VPN user name to be changed only through the settings file or the VPN Settings Craft procedure. 9600 Series IP Telephone VPNs provide longer DNS names, up to 255 characters whereas 4600 Series VPNs limit DNS names to 16 characters. 9600 Series IP VPN Telephones do not support user entry of an SCEP challenge password. 9600 Series IP Telephones do not support the NVSECSGIP and NVBACKUPSGIP parameters. See Appendix A: VPN Parameters on page 60 for a detailed list of the VPN system parameters applicable to a 9600 Series IP Telephone.
12

January 2013
Third-Party Security Gateways interoperability limitations
Third-Party Security Gateways interoperability limitations

Third-party devices by the following vendors interoperate with Avaya VPN phones and may have certain limitations as per the note below: Checkpoint Cisco Juniper Nokia Nortel Note: Avaya does not guarantee compatibility with all security gateway devices or software provided by a particular vendor, nor is every possible configuration of such devices supported. In general, the following capabilities interoperate: Integrated IPSec VPN Client that supports these IPSec protocols: - Internet Protocol Security (IPSec), - Internet Key Exchange (IKE), and - Internet Security Association and Key Management (ISAKMP) Pre-Shared Key (PSK) with or without XAUTH RSA (Rivest-Shamir-Adleman) signatures with or without XAUTH NAT traversal, and SCEP Note: Refer to Avaya DevConnect for application notes regarding VPN gateways and IP deskphones. Vendors who are not Avaya DevConnect Certified are encouraged to contact Avaya and certify through the program.
January 2013
13
VPN overview
14

January 2013
Chapter 3: Configuring the VPN
Introduction
This section outlines configuration requirements and setup options, and provides administrators with information on how to configure 9600 Series IP Telephones for a VPN.
Preliminary configuration requirements

The enterprise network must be configured with a security gateway. Corporate firewalls and routers must be configured to allow IPSec tunnels from the remote phone(s) to the security gateway. See Third-Party Security Gateways operability limitations on page 13. For a list of configuration system parameters, see VPN parameters on page 60. Technicians or administrators can stage phones centrally and pass an administered phone to an end user, or use the standard settings file. In the latter case, place VPN parameters in the beginning of the 46xxsettings.txt file before model-specific settings. The possible VPN configuration methods are: Centralized administration of some or all VPN functionality by trained technicians/ administrators, using either the settings file and/or the local (Craft) procedure for VPNs. The administered telephone is then passed to the user. Remote administration of VPN functionality by users who are either trained in, or who have been provided specific documentation to guide them in the administration process, generally involving the VPN Special Procedure. Avaya recommends that administrators perform these preliminary configuration steps: Load the 9600 Series IP Telephone with the latest software, Configure the phone to connect to the Enterprise infrastructure, and Provide the end users with information for VPN access from their small office home office (SOHO) environment. Important: Never "downgrade" a telephone on your VPN to a software release prior to R3.1, as VPN operation will either fail or not operate properly.
January 2013
15
Configuring the VPN
Configuration Preparation
Configuration preparation
To ensure that the end user is able to configure a 9600 Series IP Telephone in their SOHO environment and to connect to the enterprise network, administrators can pre-configure the IP telephone prior to deployment to allow the remote 9600 Series IP Telephone to establish a connection over the VPN tunnel and if applicable, to provide authentication parameter values. The administrator completes the initial configuration while the IP telephone is connected to the enterprise network and prior to deployment to the end user. When more than five or six phones require configuration, Avaya recommends the administrator use the settings file for configuring the VPN telephones, with the exception of the User Name and User Password. This is the recommended pre configuration method, including the sequence and procedures: Related topics: Configuration preparation procedure on page 16
Configuration preparation procedure

Procedure
1. Allow access into and out of the corporate firewall through VPN tunnels, see Preparing the Security Gateway on page 17. 2. Configure the VPN parameters to meet the configuration parameters for each remote site, see Configuring VPN system parameters on page 18. 3. If necessary, create and administer a new extension on , Avaya Aura Communication Manager Release 5.1 or higher. For additional information see Preparing Avaya Aura Communication Manager on page 19. 4. Install and test the IP telephone on the enterprise network. For additional information, see the Avaya one-X Deskphone Edition for 9600 Series IP Telephones Installation and Maintenance Guide (Document Number 16-600394). 5. Send the pre-configured telephone to the end user with specific instructions for VPN remote setup.
16

January 2013
Preparing the Security Gateway

At a minimum, you must configure a user name and password for each remote user. User names can be up to 16 characters long and can contain any character except a comma (,).
Procedure
1. Install the security gateway in accordance with the vendors instructions. 2. Configure authentication credentials to allow users to establish a VPN connection.
Configuring the VPN settings

The administrator can populate the 46xxsettings.txt file with all or some of the settings that are used to create the VPN tunnels and for authentication, depending on whether or not end users will be given permission to add/change settings. Note: For a detailed list of VPN settings in the 46xxsettings.txt file, see Appendix A: VPN Parameters. At startup, the phone will attempt to establish a VPN connection using the configured VPN parameters. Users with permission to do so can view, add, or change the VPN parameters.
Simple Enrollment Certificate Protocol (SCEP)

9600 Series SIP Deskphones support Media Encryption (SRTP) and use built-in Avaya SIP Certificates for trust management. Trust management involves downloading certificates for additional trusted Certificate Authorities (CA) and the policy management of those CAs. Identity management is handled by Simple Certificate Enrollment Protocol (SCEP) with phone certificates and private keys. SCEP can apply to your VPN operation or to standard enterprise network operation. SCEP is described in the Avaya one-X Deskphone Edition for 9600 Series IP Telephones Administrator Guide (Document Number 16-300698), however for ease of VPN setup, the applicable parameters are also included this guide, in Appendix A - VPN parameters on page 60. A few pointers regarding SCEP follow: If the SCEP server is outside of the corporate firewall, telephones connecting to the corporate network over a VPN connection can be configured to establish the SCEP
January 2013
17
Configuring the VPN
connection using an HTTP proxy server to reach the SCEP server. In this instance, use the WMLPROXY system parameter to configure the HTTP proxy server. When SCEP is initiated the telephone will attempt to contact an SCEP server via HTTP, using the value of the configuration parameter MYCERTURL as the URI. SCEP supports the use of an HTTP proxy server. The telephone creates a private/public key pair, where each key has a length equal to the value of the configuration parameter MYCERTKEYLEN. The public key and the values of the configuration parameters MYCERTCAID, MYCERTCN, MYCERTDN and SCEPPASSWORD are used in the certificate request.
Configuring VPN system parameters

Appendix A: VPN Parameters lists the system parameters that you need to configure for VPN tunnel establishment, and in general. Certain parameters will be set automatically based on the VPN security gateway you indicate in the NVVPNCFGPROF parameter in the 46xxsettings.txt file or using the Special VPN procedure; see VPN Configuration Profiles in Appendix A: VPN parameters on page 60 for information on these automatically-set configuration parameters. Important: When using the settings file to establish VPN values, place all of your VPN parameters before any model-specific parameters. For detailed information regarding system parameters, see Appendix A: VPN parameters on page 60.
Administrative Pre-requisites for authentication

Authentication is performed during VPN tunnel initialization only if the NVXAUTH parameter is set to "enabled." The following system parameters are used for authentication and are described in detail in Appendix A: VPN Parameters: NVXAUTH - Specifies whether XAUTH user authentication is enabled or disabled; must be enabled for authentication. NVVPNUSER - Specifies the user name to use during VPN authentication; can be null and entered on the VPN User Name Entry screen. NVVPNPSWD - Specifies the users VPN password; can initially be null and entered on the VPN Password Entry screen if NVVPNUSER contains a non-null value and NVVPNUSERTYPE is set to "1" (user can edit the user name).
18

January 2013
NVVPNPSWDTYPE - Specifies whether the VPN user password will be stored, and if so, how it is stored. NVVPNUSERTYPE - Specifies whether the end user can ("1") or cannot ("2") change the VPN user name. When authentication is enabled, three potential authentication entry screens display, depending on the values of these VPN authentication parameters. See Chapter 6 -User Authentication and VPN Sleep on page 41 for a description of each authentication screen.
Preparing Avaya Aura Communication Manager

A 9600 Series IP Telephone that will be used in your virtual private network is configured the same as other IP telephones on the call server running Avaya Aura Communication Manager. Even though the phone is physically located outside of the corporate network, it will behave the same as other LAN-based Avaya IP telephones once the VPN tunnel has been established. Note: The end user can have either a single extension or a bridged extension on the server running Avaya Communication Manager. A single extension allows the user to be connected to Avaya Aura Communication Manager from one location at a time - either the office or the SOHO. To connect to Avaya Aura Communication Manager from both the office and the SOHO, configure the telephone as a separate extension that has a bridged appearance of the office extension. For information regarding Avaya Aura Communication Manager configuration, see Administering Avaya Aura Communication Manager.
Installing the 9600 Series IP deskphone

Installation of 9600 Series IP Telephones to be used in a VPN network is the same as for any Avaya 9600 Series IP Telephone. For detailed installation instructions, see the Avaya one X Deskphone Edition for 9600 Series IP Telephones Installation and Maintenance Guide (Document Number 16-600394). If you are staging the telephones centrally before deploying them to the users, install and test the IP telephone on the enterprise network. Important: Telephones will attempt to establish a VPN connection only if the system parameter NVVPNMODE is set to "1" (Enabled). You can choose to permit your end users to change this value if a remote telephone will also be used within the enterprise environment.
January 2013
19
Configuring the VPN
Deploying the VPN-ready 9600Series IP deskphone

Deploy the telephone to the end user. When the end user installs the phone in the home network, what displays is dependent on the authentication policy you have set up and on the permission you have assigned to VPN users in the VPNPROC parameter. Typically, users of a centrally-staged telephone will see a screen requesting the VPN User Name and/or Password; once the VPN tunnel is established, the user experience is essentially the same as for a non-VPN phone: If you have set the VPNPROC parameter to "1" or "2", the Avaya Menu (or, for 9670G phones, the Home Screen) your VPN users see has a VPN Settings option. Users can either view (if VPNPROC = 1) or change (if VPNPROC=2) VPN settings. If you have set the VPNPROC parameter to "0", the VPN Settings option does not display as an Avaya Menu (or Home screen) option. Your users cannot view or change VPN settings. Communicate the VPN Access Code (VPNCODE) to those users you have assigned permission to view or change VPN settings. While not recommended for security reasons, you can set VPNCODE to null (" ") to allow anyone you have given permission to view or change settings via VPNPROC to bypass access code entry when they want to view or update VPN settings. Also provide each user with the appropriate chapter(s) in this guide describing how to access VPN Settings screen(s) as follows: Chapter 4: Viewing VPN Settings for those users you are permitting view-only access. Chapter 5: Changing VPN Settings for those users you are permitting to change VPN settings. Although these users can use the procedures in Chapter 5 to view settings as well, you may also want to provide them with Chapter 4: Viewing VPN Settings to allow them to view the VPN Summary screen instead of the individual filtered screens. Chapter 6: User Authentication and VPN Sleep Mode if you have established authentication parameters, as covered in Administrative Pre-Requisites for Authentication.
20

January 2013
Chapter 4: Viewing VPN settings
Introduction
Two methods are available to view VPN settings: Using the VPN Settings screen, available through the Avaya (A) Menu for all but the 9670G IP Telephone, and available through the Home Screen for the 9670. Typically, users without authorization to change settings use this screen to view VPN settings. Using the VPN Configuration screen, available through the VPN Settings Craft (local administrative) procedure. This screen is also used to change settings and requires special authorization; therefore, viewing settings using the VPN Configuration screen is described in Chapter 5: Changing VPN Settings on page 27. Your administrator must authorize your ability to change VPN settings. This includes providing you with a VPN Access Code and applicable procedures describing how to change the settings. If you have the proper authorization to change VPN settings, see Chapter 5: Changing VPN Settings on page 27 for information. Note: As a security feature, the first time you use your remote phone over the Virtual Private Network or following a telephone reset or reboot, you may be asked to identify yourself so that you can be verified as a valid user and your user credentials can be validated. Chapter 6: User Authentication and VPN Sleep Mode on page 21 explains the authentication process. Note: All 9600 Series IP Telephones except the 9670G require you to press a button or softkey to take an action like exiting a screen. On 9670G IP Telephones, all actions are touch-based and are taken or confirmed by touching a softkey on the screen.
Access using the Avaya (A) menu

Use this procedure If your administrator has instructed you to use the Avaya (A) Menu to access VPN settings and has provided you with a VPN Access Code.
January 2013
21
Viewing VPN settings
Before you begin

If your VPN administration requires authentication of your user name and password, follow the steps in Chapter 6 -User Authentication and VPN sleeep on page 41 before proceeding.
Procedure
1. For all 9600 Series IP Telephones except the 9670, press the Avaya (A) Menu button. 2. For 9600 Series IP Telephones without administered WML applications, select VPN Settings. For 9600 Series IP Telephones with administered WML applications, select Phone Settings first, then VPN Settings. For the 9670, touch Settings, then VPN Settings. 3. If the phone prompts you to "Enter Password and press Enter (or OK)" use the dialpad to enter the VPN Access Code assigned by the administrator and press Enter or OK. On a 9670, enter the VPN Access Code and touch Enter. When the access code is validated the VPN Settings screen displays. See Viewing the VPN Settings Screen for a description of this screen.
VPN settings screen fields

Line/Field VPN Description If "1" the Virtual Private Network is enabled. If "0" VPN is disabled. Name of the security gateway vendor. IP address of the VPN security gateway. This value allows the telephone to access the VPN tunnel. Associated System Parameter NVVPNMODE
VPN Vendor Gateway Address
NVVPNSVENDOR NVSGIP
External Phone IP Address
External ("outer") IP address NVEXTIPADD of the telephone in VPN mode. External ("outer") router IP address in VPN mode. EXTGIPADD or NVEXTGIPADD
External Router
22

January 2013
Line/Field External Subnet Mask External DNS Server
Description External ("outer") subnet mask in VPN mode. External ("outer") DNS server IP address in VPN mode. The port numbers used for IKE and IPsec UDP encapsulation, and support for NAT traversal.
Associated System Parameter NVEXTSUBNETMASK EXTDNSSRVR or NVEXTDNSSRVR NVVPNENCAPS
Encapsulation
Copy TOS
Indicates whether to copy the NVVPNCOPYTOS TOS bits from the tunneled (inner) IP header to the tunnel (outer) IP header. User authentication method NORTELAUTH (for Nortel for non-Nortel gateways: 3 = gateways only), otherwise Pre-Shared Key (PSK) 4 = NVVPNAUTHTYPE PSK with XAUTH 5 = RSA signatures with XAUTH 6 = Hybrid XAUTH 7 = RSA Signatures User authentication method for Nortel gateways: 1= Local credentials 2 = RADIUS credentials 3 = RADIUS SecurID 4 = RADIUS Axent End user permission to NVVPNUSERTYPE change the VPN username: 1 = User can change the user name 2 = User cannot change the user name The user name used for authentication. NVVPNUSER
Auth Type
VPN User Type
VPN User Password Type
Indicates if the VPN user NVVPNPSWDTYPE password will be stored and how: 1 = Password can be alphanumeric and is stored in reprogrammable non-volatile memory as the NVVPNPSWD value. 2 = Password can be alphanumeric and is stored in volatile memory but will be cleared when the phone resets. 3 = Password can be
January 2013
23
Line/Field
Description numeric only and is stored in volatile memory that is cleared immediately after first-time password use. 4 = Password can be alphanumeric and is stored in volatile memory that is cleared immediately after first-time password use. 5 = Password can be alphanumeric and is stored in volatile memory that is cleared when the user invokes VPN Sleep Mode and when the telephone resets.
Associated System Parameter
User Password
If a user password exists, it is Blank if user password has shown here as 8 asterisks no value (null), otherwise 8 (********) asterisks This field and the next three NVIKEID fields display only if your VPN meets the conditions for displaying IKE PSK. Pre-Shared Key. Blank if PSK has no value (null), otherwise 8 asterisks.
IKE ID (Group Name)
Pre-Shared Key (PSK) IKE ID type
This field and the next five NVIKEIDTYPE fields display only if your VPN meets the conditions for displaying IKE Phase 1. Values are: 1 = ID_IPV4_ADDR 2 = ID_FQDN 3 = ID_USER_FQDN 9 = ID_DER_ASN1_DN 11 = ID_KEY_ID 1 = Aggressive Mode 2 = Main Mode Identity Protection 1 = Aggressive Mode 2 = Main Mode Identity Protection 1 = First Oakley Group 2 = Second Oakley Group 5 = 1536-bit MODP Group 14 = NVIKEXCHGMODE
IKE Xchg Mode
IKE Xchg Mode
NVIKEXCHGMODE
IKE DH Group
NVIKEDHGRP
24

January 2013
Line/Field
Description 2048-bit MODP Group 15 = 3072-bit MODP Group
IKE Encryption Alg
Algorithm 0 = Any 1 = AES- NVIKEP1ENCALG CBC-128 2 = 3DES-CBC 3 = DES-CBC 4 = AES-CBC-192 5 = AES-CBC-256 Authentication algorithm for IKE: 0 = Any 1 = MD5 2 = SHA NVIKEP1AUTHALG
IKE Auth. Alg
IKE Config Mode
1 = Use the ISAKMP NVIKECONFIGMODE configuration method for setting certain applicable values. 2 = This setting is turned off (disabled) because a generic PSK profile is in effect. This field and the next four NVPFSDHGRP fields display only if your VPN meets the conditions for displaying IKE Phase 2. This field specifies the DiffieHellman Group to be used for establishing the IPsec SA (also known as PFS). If this value is not "0", a new DiffieHellman exchange will be initiated for each IKE Phase 2 Quick Mode exchange, where the proposed DH group will be as specified by the value of NVPFSDHGRP, and the meaning of the values will be the same as those specified above for NVIKEDHGRP. The encryption algorithm to NVIKEP2ENCALG propose for use during IKE Phase 2 negotiation. Values are: 0 = Any 1 = AESCBC-128 2 = 3DES-CBC 3 = DES-CBC 4 = AES-CBC-192 5 = AES-CBC-256 6 = Null The authentication algorithm NVIKEP2AUTHALG to propose for use during IKE
IPsec PFS DH Group
IPsec Encryption Alg
IPsec Auth. Alg
January 2013
25
Line/Field
Description Phase 2 negotiation. Values are: 0 = Any 1 = MD5 2 = SHA
Protected Network
Specifies the IP address range that will use the VPN tunnel.
If a list, the (first) value of NVIPSECSUBNET
IKE over TCP
This field displays only if your NVIKEOVERTCP VPN meets the conditions for displaying IKE Over TCP. Specifies whether and when to use TCP as a transport protocol for IKE: Never = Never use TCP as a transport protocol for IKE. Auto = Use IKE over UDP first, and if that isnt valid use IKE over TCP. Always = Always use TCP as the transport protocol for IKE.
For detailed information regarding system parameters, see Appendix A: VPN Parameters.
26

January 2013
Chapter 5: Changing VPN settings
Introduction
Prior to performing any of the procedures in this section, and based on whether the telephones will be set up centrally or remotely, the administrator should establish appropriate values for VPN tunnel connection and user authentication. Applicable VPN system parameters are listed in Appendix A: VPN Parameters. Three methods are available to change VPN settings: Invoking the VPN Special Procedure from the local administrative (Craft) procedure menu using the same access method as you would for any local procedure. This method requires that the person accessing the local procedure knows the local procedure access password set in the PROCPSWD parameter. Invoking the VPN Special Procedure using the VPN Access Code, when administrative permission to change settings has been granted by setting the VPNPROC parameter to "2." Invoking the VPN Settings option from the Avaya (A) Menu (or the Home screen for a 9670) using the VPN Access Code (if VPNPROC is set to "2"). Note: All 9600 Series IP Telephones except the 9670G require you to select a line or desired action and press a button/softkey to act upon your selection. On 9670G IP Telephones, all actions are touch-based; for example, text/numeric entry uses an on-screen keyboard, and actions are taken or confirmed by touching the applicable line, feature, icon, or softkey on the screen. The procedures that follow apply to non-9670G phones and should be adjusted accordingly for the 9670s touch screen.
January 2013
27
Changing VPN settings
Accessing VPN settings

Access using the Avaya (A) menu
Use this procedure If your administrator has instructed you to use the Avaya (A) Menu to access VPN settings and has provided you with a VPN Access Code.
Before you begin

If your VPN administration requires authentication of your user name and password, follow the steps in Chapter 6 -User Authentication and VPN sleeep on page 41 before proceeding.
Procedure
1. For all 9600 Series IP Telephones except the 9670, press the Avaya (A) Menu button. 2. For 9600 Series IP Telephones without administered WML applications, select VPN Settings. For 9600 Series IP Telephones with administered WML applications, select Phone Settings first, then VPN Settings. For the 9670, touch Settings, then VPN Settings. 3. If the phone prompts you to "Enter Password and press Enter (or OK)" use the dialpad to enter the VPN Access Code assigned by the administrator and press Enter or OK. On a 9670, enter the VPN Access Code and touch Enter. When the access code is validated the VPN Settings screen displays. See Viewing the VPN Settings Screen for a description of this screen.
Access using the VPN special procedure

Use this procedure if your administrator has instructed you to use the VPN Special Procedure to update VPN settings. The VPN Special Procedure is a series of filtered screens showing settings applicable to your specific VPN setup.
Procedure
1. At any time following telephone login, press Mute.
28

January 2013
Accessing VPN settings
2. Enter the VPN Access Code provided by your administrator. 3. Press #.
Next steps
Proceed to Viewing or changing settings using the VPN Special Procedure on page 28.
Access using the Local Administrative (Craft) procedure menu

Use this procedure if your administrator has instructed you to use the Craft (local administrative) procedure to update VPN settings. This access method allows you to access the VPN Special Procedure, to change VPN settings. Related topics: During telephone startup on page 29 During normal telephone operation on page 30
During telephone startup

Procedure
1. During startup, invoke local procedures by pressing * to display the Craft Access Code Entry screen. 2. Enter the local dialpad procedure password (0 to 7 numeric digits), as specified by the system administrator in the system value PROCPSWD. For security purposes, the telephone displays an asterisk for each numeric dialpad press. If you are using a 9670G IP Telephone, and need to backspace during password entry, use the Contacts button; for other 9600 Series phones, use the left arrow button or the designated softkey. 3. Press # when password entry is complete. The entry is compared to the PROCPSWD value. If they match, the telephone displays the Craft Local Procedure screen, "Select procedure and press Start." 4. For all 9600 Series IP Telephones except the 9670G, use the navigation arrows to scroll to and highlight VPN, then press Start or OK. Or scroll to VPN and press the corresponding line button. For the 9670G IP Telephone, scroll to VPN if it not already displayed; touch the line on which VPN appears.
January 2013
29
During normal telephone operation

Procedure
1. Invoke the local procedures (Craft) menu by pressing the Mute button. A 6-second timeout is in effect between button presses after pressing the Mute button. If you do not press a valid button within 6 seconds of pressing the previous button, the collected digits are discarded. In this case, no administrative option is invoked. 2. Enter the local (dialpad) procedure password (0 to 7 numeric digits). If you are using a 9670G IP Telephone, and need to backspace during password entry, use the Contacts button; for other 9600 Series phones, use the left arrow button or the designated softkey. 3. Press the # button. The entry is compared to the PROCPSWD value. If they match, the telephone displays the Craft Local Procedure screen, "Select procedure and press Start." 4. For all 9600 Series IP Telephones except the 9670G, use the navigation arrows to scroll to and highlight VPN, then press Start or OK. Or scroll to VPN and press the corresponding line button. For the 9670G IP Telephone, scroll to VPN if it not already displayed; touch the line on which VPN appears.
Next steps
Proceed to Viewing or changing settings using the VPN Special Procedure.
Viewing or changing settings using the VPN special procedure

Access the VPN Special Procedure, a filtered series of configuration screens, through the local administrative (Craft) Procedures menu, as described in Access using the VPN Special Procedure or Access using the Local Administrative (Craft) Procedure Menu. To change VPN settings you must have: Administrative permission to access the local administrative procedure menu (set administratively using the system parameter PROCSTAT), and an administrative procedure password (set administratively using the system parameter PROCPSWD), and
30

January 2013
Viewing or changing settings using the VPN special procedure
permission to update VPN settings (set administratively using the system parameter VPNPROC of "2" to Update), and you must know the VPN Access Code (set administratively using the system parameter VPNCODE). What you see on the VPN Configuration screens depends on the type of security gateway used to connect the telephone to the corporate network and how your Virtual Private Network (VPN) is administered. For example, settings information is "filtered" to show settings applicable to your specific VPN environment. Like a PC-style "wizard" settings display on a series of screens, the display of which is dependent on the actions you take on the current screen. Related topics: Navigating configuration screens and changing data on page 31
Navigating configuration screens and changing data

More than one screen is required to display all the data relevant to your VPN. In this case, the Right and Left navigation arrows move forward and back through the screen sequence applicable to your VPN. Pressing (or touching, for the 9670) the Right Arrow after updating one or more values on a screen saves the updated information and brings up the next applicable screen. Important: All changes are effective and saved when you press/touch the Right Arrow to navigate to the next screen. Navigating Left after making any change to one or more fields/lines on a particular screen discards those changes does not save any information you might have entered on that screen. Select the field you want to change by positioning the cursor and pressing Change, or for a 9670, by touching the line you want to change. In general, when you press/touch Change the current value toggles to the next higher data value. For example, if the Gateway Vendor line shows "Nortel" (the fifth and last Gateway Vendor currently supported) and you select that line and press/touch the Change softkey, the Gateway Vendor name changes to "Juniper/Net Screen" (the first Gateway Vendor supported). If the Gateway Vendor line shows "Juniper/Net Screen" (the first Gateway Vendor supported) and you select that line and press/touch the Change softkey, the Gateway Vendor name changes to "Cisco" (the second Gateway Vendor supported), and so on. Changes you make to any one screen might cause a different screen to be shown next. For example, pressing Change on line/field names shown with an ellipsis (...) causes the VPN Text Entry screen to display to allow you to enter text. When you indicate you want to change a line containing an IP Address, the IP Address screen displays to allow that type of entry. After entering text or an IP address, press Save to post your entry and return to the previous screen where you can then press the Right Arrow to save your change(s) and display the next applicable settings screen.
January 2013
31
After changing one or more fields/lines on the current screen, press the Right Arrow to save any changes you made and move to the next screen.
General VPN settings general screen field descriptions

Line/Field VPN Description Associated System Parameter
Indicates whether the Virtual NVVPNMODE Private Network is enabled or disabled. Name of the security gateway vendor for your VPN. IP address of the VPN security gateway. This value allows the telephone to access the VPN tunnel. NVVPNSVENDOR
VPN Vendor
Gateway Address...
NVSGIP
External Phone IP Address... External Router... External Subnet Mask... External DNS Server...
External ("outer") IP address NVEXTIPADD of the telephone in VPN mode. External ("outer") router IP address in VPN mode. External ("outer") subnet mask in VPN mode. External ("outer") DNS server IP address in VPN mode. The port numbers used for IKE and IPsec UDP encapsulation, and support for NAT traversal. EXTGIPADD or NVEXTGIPADD NVEXTSUBNETMASK EXTDNSSRVR or NVEXTDNSSRVR NVVPNENCAPS
Encapsulation
Copy TOS
Indicates whether to copy the NVVPNCOPYTOS TOS bits from the tunneled (inner) IP header to the tunnel (outer) IP header.
32

January 2013
Generic authentication type screen field descriptions
Generic authentication type screen field descriptions

This screen shows the type of authentication used by your VPN (based on the system parameter NVVPNAUTHTYPE).
If the authentication type code (NVVPNAUTHTYPE) is: 3 4 5 6 7 This description displays: PSK PSK with XAUTH RSA signatures with XAUTH Hybrid XAUTH RSA signatures
When the Authorization Type is PSK with XAUTH, RSA signatures with XAUTH, or Hybrid XAUTH, the next screen displayed is the User Credentials screen. If the Authorization Type is PSK, the next screen displayed is the IKE PSK screen. If the Authorization Type is RSA signatures, the next screen displayed is the IKE Phase 1 screen.
User credentials screen field descriptions

Line/Field VPN User Type Description Associated system parameter
End user permission to NVVPNUSERTYPE change the VPN username: If the user can change the user name, the description "Any" displays here. If the user cannot change the user name, the description "1 User" displays here and no change can be made to this line. The user name used for NVVPNUSER authentication. Pressing the Change softkey on this line brings up the VPN Text Entry screen so that (if permitted)
VPN User...
January 2013
33
Line/Field
Description you can enter a new user name.
Associated system parameter
Password Type
user password will be stored NVVPNPSWDTYPE and how. For example, when the NVVPNPSWDTYPE value is "3" the description "Numeric OTP" displays to indicate the VPN Password can be numeric only and is stored in volatile memory that is cleared immediately after first-time password use.
If your password is stored in memory (as indicated by a description of either "Save in flash" or "Erase on reset") the next screen displayed is the User Password Entry screen. If your password type is other than the above descriptions and the type of authentication (NVVPNAUTHTYPE) is RSA Signatures with XAUTH or Hybrid XAUTH, the IKE Phase 1 screen displays instead. If none of those passwords types is applicable, the IKE PSK screen displays.
Changing your VPN password

Before you begin
The system administrator must give you permission to change your VPN password.
About this task

If you already have a VPN password, eight asterisks display. If you do not have a VPN password, the User Password line is blank.
Procedure
1. Press Change to display the displays the VPN Text Entry screen. 2. Enter your new password or change the current password. 3. Press Save. 4. Press the Right Arrow to save the password Either the VPN Settings screen (see Viewing or changing settings using the VPN Special Procedure), the IKE PSK screen, or the IKE Phase 1 screen, whichever is applicable to your VPN structure, opens.
34

January 2013
IKE PSK screen
IKE PSK screen

Use this screen to view or change two IKE values, the IKE ID (or Group Name) and the PreShared Key (PSK).
Procedure
1. Press Change on either line to display the VPN Text Entry Screen. 2. Enter or change the IKE ID value or PSK value. 3. Press or touch Save. 4. Press the RIght Arrow to save the new or changed value(s). The IKE Phase 1 screen opens.
IKE Phase 1 screen field descriptions

Line/Field IKE ID Type Description The following descriptions display, depending on the value of the NVIKEIDTYPE parameter: If the IKE ID Type is 1, "IPV4_ADDR" displays. If the IKE ID Type is 2, "FQDN" displays. If the IKE ID Type is 3 "USER_FQDN" displays. If the IKE ID Type is 9, "DER_ASN1_DN" displays. If the IKE ID Type is 11, "KEY_ID" displays. IKE Xchg Mode IKE DH Group Aggressive Mode ("1") or ID Protect ("2"). NVIKEXCHGMODE Associated system parameter NVIKEIDTYPE
1 denotes First Oakley Group NVIKEDHGRP
January 2013
35
Line/Field
Description 2 denotes Second Oakley Group 5 denotes 1536-bit MODP Group 14 denotes 2048-bit MODP Group 15 denotes 3072-bit MODP Group
IKE Encryption Algorithm
0 = Any 1 = AES-128 2 = 3DES 3 = DES 4 = AES-192 5 = AES-256 0 = Any 1 = MD5 2 = SHA Enabled if value is "0" Disabled if value is "1"
NVIKEP1ENCALG
IKE Authentication Alg
NVIKEP1AUTHALG
IKE Config Mode
NVIKECONFIGMODE
IKE Phase 2 screen field descriptions

Line/Field IPsec PFS DH Group Description Associated system parameter
This field and the next four NVPFSDHGRP fields display only if your VPN meets the conditions for displaying IKE Phase 2. This field specifies the DiffieHellman Group to be used for establishing the IPsec SA (also known as PFS). If this value is not "0", a new DiffieHellman exchange will be initiated for each IKE Phase 2 Quick Mode exchange, where the proposed DH group will be as specified by the value of NVPFSDHGRP, and the meaning of the values will be the same as
36

January 2013
IKE over TCP screen field descriptions
Line/Field
Description those specified above for NVIKEDHGRP.
IPsec Encryption Alg
The encryption algorithm to propose for use during IKE Phase 2 negotiation. Values are: 0 = Any 1 = AES-CBC-128 2 = 3DES-CBC 3 = DES-CBC 4 = AES-CBC-192 5 = AES-CBC-256 6 = Null
NVIKEP2ENCALG
IPsec Authentication Alg
The authentication algorithm NVIKEP2AUTHALG to propose for use during IKE Phase 2 negotiation. Values are: 0 = Any 1 = MD5 2 = SHA Specifies the IP address If a list, the (first) value of range that will use the VPN NVIPSECSUBNET tunnel. Pressing Change brings up the VPN Text Entry screen so that you can enter a new IP address. This field displays only if your NVIKEOVERTCP VPN meets the conditions for displaying IKE Over TCP. Specifies whether and when to use TCP as a transport protocol for IKE.
Protected Network
IKE over TCP
IKE over TCP screen field descriptions

If the IKE over TCP (NVIKEOVERTCP) value is: 0 This description displays: Never use TCP as a transport protocol form IKE.
January 2013
37
If the IKE over TCP (NVIKEOVERTCP) value is: 1 2
This description displays: Auto; IKE over UDP is tried first; if not successful, IKE over TCP is used. Always use TCP as the transport protocol for IKE.
VPN text entry screen

Procedure
1. Select a text value. 2. Touch or press Change. The VPN Text Entry screen displays the current setting and a blank area for you to enter the new setting 3. Use the dialpad to enter text, as you would on a cellular phone. The Symbol softkey displays an ASCII Symbol Table, from which you can select a symbol. 4. Press/touch Save to post the entry to the screen from which it came and return to that screen 5. Press the Right Arrow to save the change and move to the next applicable screen.
IP address screen
Procedure
1. Select a setting that contains an IP address. 2. Press or touch Change. The IP Address screen displays the current setting and a blank area for you to enter the new IP Address. 3. Use the dialpad to enter the IP Address as you would on a cellular phone in the following format: 0.0.0.0 (four numbers separated by decimals, with each number being between 0 and 255). Use the * (asterisk) key to enter the decimals.
38

January 2013
IP address screen
4. Press/touch Save to post the entry to the screen from which it came and return to that screen. 5. Press the Right Arrow to save the change(s) on that screen and move to the next applicable screen.
January 2013
39
40

January 2013
Chapter 6: User Authentication and VPN Sleep
Introduction
This chapter covers how to enter your user name and password for security authentication and how to activate the sleep mode to terminate/reactivate the VPN connection. Prior to performing any of the procedures in this section, and based on how the remote VPN phones are set up, the administrator should establish appropriate values for VPN tunnel connection and user authentication. Note: All 9600 Series IP Telephones except the 9670G require you to select a line or desired action and press a button/softkey to act upon your selection. On 9670G IP Telephones, all actions are touch-based; for example, text/numeric entry uses an on-screen keyboard, and actions are taken or confirmed by touching the applicable line, feature, icon, or softkey on the screen. The procedures that follow apply to non-9670G phones and should be adjusted accordingly for the 9670s touch screen.
User Authentication
VPN user name entry screen
This screen displays to validate the user name or to allow an existing user name to be edited if these three conditions are met: NVVPNUSER contains a non-null value (meaning you have a previously assigned user name), the NVVPNPSWD (VPN password) value is null, and the value of NVVPNUSERTYPE is "1" to allow the VPN user to enter or change a user name. Related topics: Accepting the current user name on page 42 Entering a new VPN user name on page 42
January 2013
41
User Authentication and VPN Sleep
Accepting the current user name

Procedure
To accept the user name displayed, press/touch Enter.
Entering a new VPN user name

Procedure
1. Press/touch Clear. 2. Use standard keyboard text entry to enter the new name. 3. Press/touch Enter to save the entry as the NVVPNUSER value. If a password is already stored in memory, the VPN Password Reuse screen shows. If a password is not stored in memory, the VPN Password Entry screen shows.
VPN Password Reuse screen

About this task
This screen displays to authenticate an existing password or to allow access to the VPN Password Entry screen for entry of a new password.
Procedure
1. To accept the current password, press/touch Enter. Authentication of the user name and password occurs and if successful, the VPN Tunnel setup screen redisplays. If authentication is unsuccessful, the VPN Authentication Failure screen displays; press/ touch Continue to reenter the user name and/or password. 2. To delete the current password and enter a new password, press/touch Clear to display the VPN Password Entry screen. Enter at least one character to display the VPN User Name Editing screen, described in the VPN Password Entry screen procedure that follows.
42

January 2013
User Authentication
VPN password entry screen

This screen displays to authenticate an existing password or to allow access to the VPN Password Entry screen for entry of a new password. Related topics: Accepting the current password on page 43 Entering a new password on page 43
Accepting the current password

Procedure
Press/touch Enter. Authentication of the user name and password occurs if authentication is successful, the VPN Tunnel setup screen redisplays. If authentication is unsuccessful, the VPN Authentication Failure screen displays. Note: If authentication is unsuccessful, press/ touch Continue to reenter the user name and/or password.
Entering a new password

Procedure
1. Press/touch Clear. 2. Use standard keyboard text entry to enter the new password. 3. Press/touch Enter to Save the entry as the entry as the NVVPNPSWD (VPN Password) value if NVPNPSWDTYPE is "1, or Store the password in volatile memory if NVVPNPSWDTYPE is not "1".
January 2013
43
Result
Authentication of the user name and password occurs. If authentication is successful, the VPN Tunnel setup screen redisplays. press/touch Continue to reenter the user name and/or password. If authentication is unsuccessful, the VPN Authentication Failure screen displays. Press/touch Continue to reenter the user name and/or password. Note: When NVPNPSWDTYPE has a value of "3" or "4" the password is deleted from memory immediately after it is used. See VPN parameters on page 60 for an explanation of the NVVPNPSWDTYPE values.
VPN sleep mode

Your phone connects to your corporate network through a VPN tunnel. If VPN tunnel establishment fails or if an existing VPN tunnel fails, the VPN Tunnel Failure screen displays to notify you of the situation and provide the option to inactivate your phone by putting it into a "sleep mode." Sleep mode also turns the telephone backlight off to conserve energy until the tunnel can be re-established. This section describes sleep mode in relation to VPN tunnel failure, but you can also activate sleep mode from the Login screen or the Unnamed Registration screen. Activating sleep mode can be helpful when the phone is located in a bedroom and an illuminated display would disturb you. Note: On 9600 Series IP Telephones, you can touch the LightOff softkey at any time to turn off the display backlight, regardless of being connected for VPN operation or not. When you see the VPN Tunnel Failure screen, the right softkey is labeled Sleep. Pressing (or touching if you have a 9670G phone) this softkey turns off the display backlight and displays the message "VPN tunnel terminated." One softkey, Wake Up, is available. Pressing/touching Wake Up or pressing/touching any telephone button illuminates the telephone display area and displays two softkeys, Activate and Sleep: Related topics: VPN sleep mode keys on page 45
44

January 2013
VPN sleep mode
VPN sleep mode keys

Softkey Name Activate Description Initiates VPN tunnel establishment, so that you can use your phone as a remote VPN phone. Turns off the backlight and places the telephone back into sleep mode.
Sleep
January 2013
45
46

January 2013
Chapter 7: Troubleshooting
VPN Authentication Failed

Problem description
Incorrect credentials provided for authentication or not provided at all.
Resolution
Procedure
Follow the display prompts and reenter the password.
VPN Tunnel Failure

Problem description
The remote telephone cannot establish a link with the VPN tunnel.
Resolution
Procedure
Press Retry to attempt connection again. If that fails, press Details for more information as to why the VPN tunnel could not be established.
January 2013
47
Troubleshooting
Need IKE ID/PSK

Problem description
The value of system parameter NVPNAUTHTYPE is "3" or "4" indicating a Pre-Shared Key but the value of one or both system parameters NVIKEID or NVIKEPSK is null.
Resolution
Procedure
Determine which parameter is null and set a value.
Need phone certificate

Problem description
The value of system parameter NVVPNAUTHTYPE is "5" or "7" indicating RSA signature authentication, but a device certificate is not stored in the phone.
Resolution
Procedure
Use SCEP to provision a digital certificate in the phone.
Invalid Configuration
Problem description
A configuration problem not covered by the preceding five messages.
48

January 2013
No DNS Server Response
Resolution
Procedure
Review settings and reconfigure values as needed.
No DNS Server Response

Problem description
The DNS server is out of service.
Resolution
Procedure
Either: Wait for the DNS server to come back into service, configure an IP address for an alternate DNS server, or Provide dotted-decimal IP addresses for the DNS names that cannot be resolved.
Bad Gateway DNS Name

Problem description
The DNS server cannot resolve the gateway DNS name.
Resolution
Procedure
Check the spelling of the DNS name for the VPN gateway.
January 2013
49
Troubleshooting
Gateway certificate invalid

Problem description
The identity certificate presented by the VPN gateway is not valid.
Resolution
Procedure
Either Check whether the TRUSTCERTS parameter has been configured with the name of a file that contains a PEM-format copy of the Certificate Authority (CA) certificate that signed the servers identity certificate; or Check whether the server certificate has expired.
Phone certificate invalid

Problem description
The VPN gateway has rejected the digital certificate presented by the phone.
Resolution
Procedure
Use SCEP to provision a new digital certificate in the phone.
IKE Phase 1 No Response
50

January 2013
IKE ID/PSK invalid
Problem description
A message was not received from the VPN gateway in response to a message sent by the phone. Another cause might be that a Phase 1 parameter is not set correctly, causing the VPN gateway to ignore the message from the phone.
Resolution
About this task
Either the VPN gateway is experiencing difficulties, or network congestion is interfering with communication.
Procedure
If that is not the cause, check the following IKE Phase 1 parameters for compatibility: NVVPNSVENDOR NVVPNAUTHTYPE NVIKEDHGRP NVIKEP1AUTHALG NVIKEP1ENCALG NVIKEP1LIFESEC
IKE ID/PSK invalid

Problem description
The value in either system parameter NVIKEID or NVIKEPSK is invalid.
Resolution
Procedure
Verify that the current value is correct.
January 2013
51
Troubleshooting
IKE Phase 1 failure

Problem description
An IKE Security Association could not be established between the phone and the VPN gateway. Related topics: Resolution on page 52
Resolution
Procedure
Check the following IKE Phase 1 parameters for compatibility: NVIKEDHGRP NVIKEP1AUTHALG NVIKEP1ENCALG NVIKEP1LIFESEC
IKE Phase 2 No Response

Problem description
A message was not received from the VPN gateway in response to a message sent by the phone. Another cause might be that a Phase 2 parameter is not set correctly, causing the VPN gateway to ignore the message from the phone. Related topics: Resolution on page 53
52

January 2013
IKE Phase 2 failure
Resolution
About this task
Either the VPN gateway is experiencing difficulties, or network congestion is interfering with communication.
Procedure
If that is not the cause, check the following IKE Phase 2 parameters for compatibility: NVVPNSVENDOR NVVPNAUTHTYPE NVIKEDHGRP NVIKEP2AUTHALG NVIKEP2ENCALG NVIKEP2LIFESEC
IKE Phase 2 failure

Problem description
An IKE Security Association could not be established between the phone and the VPN gateway.
Resolution
Procedure
Check the following IKE Phase 2 parameters for compatibility: NVIKEDHGRP NVIKEP2AUTHALG NVIKEP2ENCALG NVIKEP2LIFESEC
January 2013
53
Troubleshooting
IKE keep-alive failure

Problem description
A keep-alive message was not received from the VPN gateway for an extended interval.
Resolution
Procedure
Either the VPN gateway is experiencing difficulties or network congestion is interfering with communication.
IKE SA expired
Problem description
The IKE Security Association was not renewed.
Resolution
Procedure
Check the security policy configured in the VPN gateway to ensure that it supports renewals for the desired interval.
IPSec SA expired
Problem description
The IPSec Security Association was not renewed.
54

January 2013
VPN tunnel terminated
Resolution
Procedure
Check the security policy configured in the VPN gateway to ensure that it supports renewals for the desired interval.
VPN tunnel terminated

Problem description
The telephone is in VPN Sleep mode.
Resolution
Procedure
Press Wake Up to display an option to re-activate the VPN tunnel.
SCEP: Failed
Problem description
The telephone cannot enroll the certificate using SCEP from the call server.
Insert "ing" title

Procedure
1. Check to be sure that the following parameters are configured properly: MYCERTURL MYCERTCAID MYCERTCN
January 2013
55
Troubleshooting
MYCERTDN SCEPPASSWORD MYCERTKEYLEN 2. If the SCEP server is outside the corporate firewall, also check WMLPROXY.
Next steps
If the parameters are properly configured, check that the applicable server is setup and running properly.
56

January 2013
Appendix A: VPN parameters
VPN configuration profiles

Based on the value of NVVPNCFGPROF, the other persistent parameters listed inTable 2 below will automatically be set to the value specified Column 2. If a value is not specified for a persistent parameter in the table below, the value of the parameter will not be changed. If the value of NVVPNCFGPROF is "0", no values will be set for the other persistent parameters shown here. The administrator can set any of the parameters listed individually, however allowing them to be set automatically ensures that related settings are correct. Table 1: Security Gateway System Parameters
Supported Device as set by the administrator Checkpoint Security Gateway (NVVPNCFGPROF = 2) System Parameter Values (set automatically) Sets the following values (to): NVIKECONFIGMODE (1) NVIKEID ("" - Null String) NVIKETYPE (11) NVIKEOVERTCP (1) NVIKEXCHANGEMODE (2) NVVPNAUTHTYPE (6) NVVPNSVENDOR (3) Cisco PSK with XAUTH (NVVPNCFGPROF Sets the following values (to): = 3) NVIKECONFIGMODE (1) NVIKEID ("" - Null String) NVIKETYPE (11) NVIKEXCHANGEMODE (1) NVVPNAUTHTYPE (4) NVVPNSVENDOR (2)
January 2013
57
VPN parameters
Supported Device as set by the administrator
System Parameter Values (set automatically)
Cisco Cert with XAUTH (NVVPNCFGPROF Sets the following values (to): = 8) NVIKECONFIGMODE (1) NVIKEID ("" - Null String) NVIKETYPE (11) NVIKEXCHANGEMODE (1) NVVPNAUTHTYPE (5) NVVPNSVENDOR (2) Juniper PSK with XAUTH (NVVPNCFGPROF = 5) Sets the following values (to): NVIKECONFIGMODE (1) NVIKEID ("" - Null String) NVIKETYPE (3) NVIKEXCHANGEMODE (1) NVVPNAUTHTYPE (4) NVVPNSVENDOR (1) Juniper Cert with XAUTH (NVVPNCFGPROF = 9) Sets the following values (to): NVIKECONFIGMODE (1) NVIKEID ("" - Null String) NVIKETYPE (9) NVIKEXCHANGEMODE (1) NVVPNAUTHTYPE (5) NVVPNSVENDOR (1) Nortel Contivity (NVVPNCFGPROF = 11) Sets the following values (to): NVIKECONFIGMODE (11) NVIKEID ("" - Null String) NVIKETYPE (11) NVIKEXCHANGEMODE (1) NVVPNAUTHTYPE (3) NVVPNSVENDOR (5) Any Security Device (Generic) with Sets the following values (to): Preshared Key (PSK) (NVVPNCFGPROF = NVIKECONFIGMODE (2) 6) NVIKEID ("" - Null String) NVIKETYPE (3)
58

January 2013
DHCPACK messages
Supported Device as set by the administrator
System Parameter Values (set automatically) NVIKEXCHANGEMODE (1) NVVPNAUTHTYPE (3) NVVPNSVENDOR (4)
DHCPACK messages
If the value of NVVPNMODE is "1" and the value of VPNACTIVE is "0", the values of the following parameters will be set based on the fields and options received in the DHCPACK message when DHCP is in the INIT state (converting from binary to ASCII as necessary): The parameter EXTIPADD will be set to the value of the yiaddr field, The parameter EXTNETMASK will be set to the value of option #1 (if received), The parameter EXTGIPADD will be set to the first value of option #3 (if received, which may be a list of IP addresses), The parameters DNSSRVR and EXTDNSSRVR will be set to the value of option #6 (if received, which may be a list of IP addresses), The DHCP lease time for EXTIPADD will be set to the value of option #51 (if received), The DHCP lease renew time for EXTIPADD will be set to the value of option #58 (if received), The DHCP lease rebind time for EXTIPADD will be set to the value of option #59 (if received). If the value of NVVPNMODE is "1" and the value of VPNACTIVE is "1", the values of the following parameters will be set based on the fields and options received in the DHCPACK message (converting from binary to ASCII as necessary): The parameters TLSSRVR and HTTPSRVR will be set to the value of the siaddr field if and only if the siaddr field is non-zero, The parameter DNSSRVR will be set to the value of option #6 (if received, which may be a list of IP addresses), and The parameter DOMAIN will be set to the value of option #15 (if received).
Time to service functionality

Important: Some vendors may have gateways that interfere with TTS functionality. Avaya recommends always setting the system parameter VPNTTS to "1" (On) unless you determine that your
January 2013
59
VPN parameters
gateway interferes with TTS. If you determine that your gateway interferes with TTS, set or leave the VPNTTS default of "0" (Off), which turns off TTS.
VPN parameters
Parameter name ALWCLRNOTIFY Default value 0 Description and value range Specifies whether unencrypted ISAKMP Notification Payloads will be accepted. One ASCII numeric digit. Valid values are: 0 = Ignore a received Notification Payload that is not encrypted 1 = Accept a received Notification Payload for further processing. HTTPPORT 80 TCP port number used for HTTP file downloading. 2 to 5 ASCII numeric digits. Valid values are 80 through 65535. Note: when the file server is on Communication Manager, set this value to 81 (port required for HTTP downloads) rather than the using the default. HTTPSRVR " " (Null) IP Address(es) or DNS Name(s) of HTTP file servers used to download telephone files. Dotted decimal or DNS format, separated by commas (0-255 ASCII characters, including commas). Certificate Authority Identifier to be used in a certificate
MYCERTCAID
"CAIdentifier"
60

January 2013
VPN parameters
Parameter name
Default value
Description and value range request. 0 to 255 ASCII characters.
MYCERTCN
"$SERIALNO"
Common Name of the Subject of a certificate request. 0 to 255 ASCII characters that contain the string "$SERIALNO" or "$MACADDR". Bit length of the private key to be generated for a certificate request. 4 ASCII numeric digits, "1024" through "2048". Percentage of a certificate's Validity interval after which renewal procedures will be initiated. 1 or 2 ASCII numeric digits, "1" through "99". URL to be used to contact an SCEP server. 0 to 255 ASCII characters, zero or one URL. Specifies whether the telephone will wait until a pending certificate request is complete, or whether it will periodically check in the background. 1 ASCII numeric digit, "0" or "1" as follows: 1 = If a connection to the SCEP server is successfully established, SCEP will remain in progress until the request for a certificate is granted or rejected. 0 = SCEP will remain in progress until the request for a certificate is granted or rejected or until a response is received indicating that the request
MYCERTKEYLEN
1024
MYCERTRENEW
90
MYCERTURL
" " (Null)
MYCERTWAIT
January 2013
61
VPN parameters
Parameter name
Default value
Description and value range is pending for manual approval.
NORTELAUTH
Specifies user authentication method for Nortel security gateways. 1 ASCII numeric digit. Valid values are: 1= Local credentials 2 = RADIUS credentials 3 = RADIUS SecurID 4 = RADIUS Axent
NVHTTPSRVR
0.0.0.0
VPN and non-VPN. HTTP file server IP addresses used to initialize HTTPSRVR the next time the phone starts up. 0 to 255 ASCII characters: zero or more IP addresses in dotted decimal or DNS name format, separated by commas without any intervening spaces. As of Software Release 6.1, NVHTTPSRVR is provided for VPN mode so that a file server IP address can be preconfigured and saved in non-volatile memory. Enables IKE configuration mode. 1 ASCII numeric digit. Valid values are: 1 = The ISAKMP configuration method will be supported for setting the following values: - IPADD will be set from a received value of INTERNAL_IP4_ADDR ESS, - the IPADD lease time will be set from a received value of INTERNAL_ADDRESS_ EXPIRY,
NVIKECONFIGMODE
62

January 2013
VPN parameters
Parameter name
Default value
Description and value range - DNSSRVR will be set from received value(s) of INTERNAL_IP4_DNS, - DHCPSRVR will be set from received value(s) of INTERNAL_IP4_DHCP, and - NVIPSECSUBNET will be set from received value(s) of INTERNAL_IP4_SUBN ET 2 = Disable/turn off this setting because a generic PSK profile is in effect.
NVIKEDHGRP
Specifies the Diffie-Hellman Group to be used for establishing the IKE SA. 1 or 2 ASCII numeric digits. Valid values are: 1 = First Oakley Group 2 = Second Oakley Group 5 = 1536-bit MODP Group 14 = 2048-bit MODP Group 15 = 3072-bit MODP Group For more information, see Section 4 in RFC 3526.
NVIKEID
"VPNPHONE"
Specifies the identity to be used during IKE Phase 1 negotiation (also called the group name in XAUTH). 0 to 30 ASCII characters. Specifies the type of identification to use for establishing the IKE SA. 1 or 2 ASCII numeric digits. Valid values are: 1 = ID_IPV4_ADDR 2 = ID_FQDN 3 = ID_USER_FQDN
NVIKEIDTYPE
January 2013
63
VPN parameters
Parameter name
Default value
Description and value range 9 = ID_DER_ASN1_DN 11= ID_KEY_ID
NVIKEOVERTCP
Specifies whether and when to use TCP as a transport protocol for IKE. 1 ASCII numeric digit. Valid values are: 0 = Never use TCP as a transport protocol for IKE. 1 = Auto; use IKE over UDP first, and if that isnt valid use IKE over TCP. 2 = Always use TCP as the transport protocol for IKE.
NVIKEP1AUTHALG
Specifies the authentication algorithm to use during IKE Phase 1 negotiation. 1 ASCII numeric digit. Valid values are: 0 = Any 1 = MD5 (per RFC 2403) 2 = SHA (per RFC 2404)
NVIKEP1ENCALG
Specifies the encryption algorithm to use during IKE Phase 1 negotiation. 1 ASCII numeric digit. Valid values are: 1 = AES-CBC-128 (per RFC 3602) 2 = 3DES-CBC (per RFC 2451) 3 = DES-CBC (per RFC 2405) 4 = AES-CBC-192 (per RFC 3602) 5 = AES-CBC-256 (per RFC 3602)
NVIKEP1LIFESEC
432000
Specifies the IKE SA lifetime in seconds. 3 to 8 ASCII
64

January 2013
VPN parameters
Parameter name
Default value
Description and value range numeric digits. Valid values are: "600" through "15552000".
NVIKEP2AUTHALG
Specifies the authentication algorithm to use during IKE Phase 2 negotiation. 1 ASCII numeric digit. Valid values are: 0 = Any 1 = MD5 (per RFC 2403) 2 = SHA (per RFC 2404)
NVIKEP2ENCALG
Specifies the encryption algorithm to use during IKE Phase 2 negotiation. 1 ASCII numeric digit. Valid values are: 1 = AES-CBC-128 (per RFC 3602) 2 = 3DES-CBC (per RFC 2451) 3 = DES-CBC (per RFC 2405) 4 = AES-CBC-192 (per RFC 3602) 5 = AES-CBC-256 (per RFC 3602)
NVIKEP2LIFESEC
432000
Specifies the IKE SA lifetime in seconds. 3 to 8 ASCII numeric digits. Valid values are: "600" through "15552000". Specifies the pre-shared key to be used during IKE Phase 1 negotiation (also called the group password in XAUTH. Zero to 30 ASCII characters. Specifies the IKE Phase 1 negotiation mode. 1 ASCII
NVIKEPSK
" " (Null)
NVIKEXCHGMODE
January 2013
65
VPN parameters
Parameter name
Default value
Description and value range numeric digit.Valid values are: 1 = Aggressive Mode. 2 = Main Mode Identity Protection. (Per Section 5 in RFC 2409.)
NVIPSECSUBNET
0.0.0.0/0
Specifies IP address ranges that will use the VPN tunnel. 0 to 255 ASCII characters: zero or more dotted decimal IP address/integer strings, separated by commas without any intervening spaces. Call server IP Addresses. 0 to 255 ASCII characters: zero or more IP addresses in dotted decimal or DNS name format, separated by commas without any intervening spaces. Specifies the Diffie-Hellman Group to be used for establishing the IPsec SA (also known as PFS). 1 or 2 ASCII numeric digits. Valid values are: 1 = First Oakley Group 2 = Second Oakley Group 5 = 1536-bit MODP Group 14 = 2048-bit MODP Group 15 = 3072-bit MODP Group For more information, see Section 4 in RFC 3526.
NVMCIPADD
0.0.0.0
NVPFSDHGRP
NVSGIP
" " (Null)
VPN security gateway IP addresses. 0 to 255 ASCII characters: zero or more IP addresses in dotted decimal or DNS name format, separated by commas without any intervening spaces.
66

January 2013
VPN parameters
Parameter name NVTLSSRVR
Default value 0.0.0.0
Description and value range VPN and non-VPN. HTTPS file server IP addresses used to initialize TLSSRVR the next time the phone starts up. 0 to 255 ASCII characters: zero or more IP addresses in dotted decimal or DNS name format, separated by commas without any intervening spaces. Specifies the user authentication method. 1 ASCII numeric digit. Valid values are: 3 = Pre-Shared Key (PSK) 4 = PSK with XAUTH 5 = RSA signatures with XAUTH 6 = Hybrid XAUTH 7 = RSA Signatures
NVVPNAUTHTYPE
NVVPNCFGPROF
VPN configuration profile. 1 or 2 ASCII numeric digits. Valid values are: "0", "1", "2", "3", "5", "6", "8", "9" or "11". See VPN configuration profiles on page 57 for information and a description of valid values. Specifies whether to copy the TOS bits from the tunneled (inner) IP header to the tunnel (outer) IP header. 1 ASCII numeric digit. Values are: 1 = the value of the TOS bits will be copied from the inner IP header to the outer IP header. 2 = the TOS bits of the outer IP header will be set to 0.
NVVPNCOPYTOS
January 2013
67
VPN parameters
Parameter name NVVPNENCAPS
Default value 0
Description and value range Specifies port numbers used for IKE and IPsec UDP encapsulation, and support for NAT traversal. 1 ASCII numeric digit. Valid values are: 0 = Procedures for the negotiation of NAT traversal will be supported as specified in IETF RFC 3947, except that IKE negotiation will begin with a source port of 2070 (instead of 500), and that source port will continue to be used unless the source and destination port numbers are changed to 4500 per RFC 3947. 1 = UDP encapsulation of the "inner" IP layer will not be provided. The procedures for the negotiation of NAT traversal specified in IETF RFC 3947 will not be supported. 2 = Procedures for the negotiation of NAT traversal will be supported as specified in IETF RFC 3947, except that IKE will use a source port of 2070, and the source and destination port numbers will not be subsequently changed. UDP encapsulation of the "inner" IP layer will be supported as specified in RFC 3948 [7.3-41c], using the same UDP source and destination port numbers that were used during the final phase of IKE 4 = Procedures for the negotiation of NAT
68

January 2013
VPN parameters
Parameter name
Default value
Description and value range traversal will be supported as specified in IETF RFC 3947. UDP encapsulation of the "inner" IP layer will be supported as specified in RFC 3948 [7.3-41c], using the same UDP source and destination port numbers that were used during the final phase of IKE
NVVPNMODE
Specifies whether VPN is supported. 1 ASCII numeric digit. Valid values are: 0 = VPN is not supported. 1 = VPN is supported. See DHCPACK Messages for additional information.
NVVPNPSWD
" " (Null)
User password for VPN. If the user password can be stored in NV memory (see NVVPNPSWDTYPE below), it is stored as the value of NVVPNPSWD. 0 to 30 ASCII characters. Specifies whether and how the VPN user password will be stored. 1 ASCII numeric digit. Valid values are: 1 = Password can be alphanumeric and is stored in reprogrammable nonvolatile memory as the NVVPNPSWD value. 2 = Password can be alphanumeric and is stored in volatile memory but will be cleared when the phone resets. 3 = Password can be numeric only and is stored in volatile memory that is cleared immediately after first-time password use.
NVVPNPSWDTYPE
January 2013
69
VPN parameters
Parameter name
Default value
Description and value range 4 = Password can be alphanumeric and is stored in volatile memory that is cleared immediately after first-time password use. 5 = Password can be alphanumeric and is stored in volatile memory that is cleared when the user invokes VPN Sleep Mode and when the telephone resets.
NVVPNSVENDOR
Specifies the IKE implementation to use. 1 ASCII numeric digit. Valid values are: 1 = Juniper PSK with XAUTH or Juniper Cert with XAUTH 2 = Cisco PSK with XAUTH or Cisco Cert with XAUTH 3 = Checkpoint Security Gateway 4 = Generic PSK 5 = Nortel Contivity See VPN configuration profiles on page 57for information on automatically-set parameters based on this NVVPNSVENDOR setting.
NVVPNUSER
" " (Null)
Specifies the user name to use during authentication. 0 to 30 ASCII characters. Specifies whether the user can change the VPN
NVVPNUSERTYPE
70

January 2013
VPN parameters
Parameter name
Default value
Description and value range username. 1 ASCII numeric digit. Valid values are: 1 = User can change VPN user name 2 = User cannot change VPN user name
NVXAUTH
Specifies whether to disable XAUTH user authentication for profiles that enable XAUTH by default. 1 ASCII numeric digit. Valid values are: 1= XAUTH user authentication enabled 2 = XAUTH user authentication disabled
SCEPPASSWORD
"$SERIALNO"
Specifies a challenge password for SCEP. Zero to 32 ASCII characters TCP port number used for HTTP file downloading. 2 to 5 ASCII numeric digits. Valid values are "80" through "65535". Controls whether the identity of a TLS server is checked against its certificate. 1 ASCII numeric digit. Valid values are: 1=Provides additional security by checking to verify that the server certificates DNS name matches the DNS name used to contact the server. 0=Certificate is not checked against the DNS name used to contact the server.
TLSPORT
411
TLSSRVRID
January 2013
71
VPN parameters
Parameter name VPNACTIVE
Default value 0
Description and value range Indicates whether a VPN tunnel has been established. Valid values are: 0 = VPN tunnel not established. 1 = VPN tunnel established. If an existing VPN tunnel fails, VPNACTIVE will be set to "0", IPADD will be set to "0.0.0.0", DNSSRVR will be set to the value of EXTDNSSRVR, DOMAIN will be set to null, the backlight will be turned on, the display will be cleared, and the name/logo image will be displayed. Also see DHCPACK messages on page 59 for additional information.
VPNCODE
876
VPN procedure access code; default is "VPN" on the dialpad. Zero to 7 ASCII numeric digits, null ("") and "0" through "9999999". Specifies whether VPNCODE can be used to access the VPN procedure at all, in view-only mode, or in view/ modify mode. 1 ASCII numeric digit. Valid values are: 0 = User cannot access VPN settings/information. 1= The user can view the VPN Settings Screen but cannot change VPN settings. 2 = User has the ability to view and change VPN settings.
VPNPROC
72

January 2013
VPN parameters
Parameter name VPNTTS
Default value 0
Description and value range Turns off Time to Service (TTS) support when a VPN gateway may not allow TTS functionality to work. Valid values are: 0 = TTS is not supported by the security gateway; turn off TTS functionality for VPN operation. 0 = TTS is not supported by the security gateway; turn off TTS functionality for VPN operation.
January 2013
73
VPN parameters
74

January 2013
Glossary
CA DH Group Certificate Authority, the entity which issues digital certificates for use by other parties. A number that determines the public parameters used by the DiffieHellman key exchange. To successfully establish a shared secret key, both parties must use the same DH group. A key agreement algorithm based on the use of two public parameters p and g that may be used by all users in a system. Parameter p is a prime number and parameter g (usually called a generator) is an integer less than p. The digital equivalent of an ID card used in conjunction with a public key encryption system. Digital certificates are issued by a trusted third party known as a Certificate Authority (CA) such as VeriSign (www.verisign.com). The CA verifies that a public key belongs to a specific company or individual (the Subject), and the validation process the publick key goes through to determine if the claim of the subject is correct and depends on the level of certification and the CA itself. A digital signature is an encrypted digest of the file being signed. The file can be a message, a document, or a driver program. The digest is computed from the contents of the file by a one-way hash function such as MD5 or SHA-1 and then encrypted with the private part of a public or private key pair. To prove that the file was not tampered with, the recipient uses the public key to decrypt the signature back into the original digest, recomputes a new digest from the transmitted file and compares the two to see if they match. If they do, the file has not been altered in transit by an attacker. Hypertext Transfer Protocol, used to request and transmit pages on the World Wide Web. A secure version of HTTP. Internet Engineering Task Force, the organization that produces standards for communications on the Internet. Internet Key Exchange Protocol, RFC 2409, which is now replaced by IKEv2 in RFC 4306. A security mechanism for IP that provides encryption, integrity assurance, and authentication of data. Applies only to IPv4.
Diffie -Hellman key exchange
Digital Certificate
Digital Signature
HTTP HTTPS IETF IKE IPsec
January 2013
75
ISAKMP
ISAKMP
Internet Security Association and Key Management Protocol, RFC 2408, ISAKMP has been replaced by IKEv2 in RFC 4306. ISAKMP defines the procedures for authenticating a communicating peer, creation and management of Security Associations (SA), key generation techniques, and threat mitigation. Example: Denial of service and Replay Attacks. ISAKMP defines two phases of negotiation. During Phase 1 negotiation, two entities establish an ISAKMP SA, which is used to protect Phase 2 negotiations establish SAs for other protocols. Use IKE to create a new SA with a new SPI. Rivest-Shamir-Adleman: A highly secure asymmetric cryptography method developed by RSA Security, Inc. that uses a public and private key pair. The private key is kept secret by the owner and the public key is published, usually in a digital certificate. Data is encrypted using the public key of the recipient, which can only be decrypted by the private key of the recipient. RSA is very computation intensive, thus it is often used to encrypt a symmetric session key that is then used by a less computationally-intensive algorithm to encrypt protocol data during a session.You can also use RSA for authentication by creating a digital signature, for which the private key of the sender is used for encryption, and the public key of the sender' is used for decryption. Real-time Transport Protocol. Provides end-to-end services for real-time data such as voice over IP. Security Association, a security protocol, for example, IPSEC, TLS, and a specific set of parameters that completely define the services and mechanism necessary to protect security at that security protocol location. These parameters can include algorithm identifiers, modes, cryptographic keys, etc. The SA is referred to by its associated security protocol, for example, ISAKMP SA, ESP SA, and TLS SA. Simple Certificate Enrollment Protocol, used to obtain a unique digital certificate. Session Description Protocol. A well-defined format for conveying sufficient information to discover and participate in a multimedia session. Encryption of the signaling protocol exchanged between the IP telephone and the call server. Signaling channel encryption provides additional security to the security provided by media channel encryption. Simple Network Time Protocol. An adaptation of the Network Time Protocol used to synchronize computer clocks in the internet.
Refresh/Rekey RSA
RTP SA
SCEP SDP
Signaling Channel Encryption SNTP
76

January 2013
VPN
SOHO SPD
Small Office Home Office. The environment for which a virtual private network (VPN) is administered. Security Policy Database. Specifies the policies that determine the disposition of all IP traffic inbound or outbound from a host or security gateway IPsec implementation. Security Parameter Index. An identifier for a Security Association, relative to some security protocol. Each security protocol has its own SPI-space. Secure Real-time Transport Control Protocol. Secure Real-time Transport Protocol. Specific to a particular type of call server. For example, Avaya Communication Manager or SIP Enablement Services (SES). Systemspecific signaling refers to messages specific to the signaling protocol used by the system. For example, H.323 and/or CCMS messages used by CM and IP Office, or SIP messages that possibly include systemspecific headers used by SES. System-specific procedures refers to procedures in deskphone software that are specific to the call server with which the software is to be used. Transmission Control Protocol/Internet Protocol, a network-layer protocol used on LANs and internets. Trivial File Transfer Protocol, used to provide downloading of upgrade scripts and application files to certain IP telephones. Transport Layer Security, an enhancement of Secure Sockets Layer (SSL). TLS is compatible with SSL 3.0 and allows for privacy and data integrity between two communicating applications. Uniform Resource Identifier and Uniform Resource Locator. Names for the strings used to reference resources on the Internet. For example, HTTP://..... URI is the newer term. Virtual Private Network, a private network constructed across a public network such as the Internet. A VPN can be made secure, even though the network uses using existing Internet connections to carry data communication. Security measures involve encrypting data before sending data across the Internet and decrypting the data at the other end. To add an additional level of security, you can encrypt the originating and receiving network address.
SPI
SRTCP SRTP system -specific
TCP/IP TFTP TLS
URI & URL
VPN
January 2013
77
VPN
78

January 2013
Index Numerics
VPNs .......................................................................... 12 9600series ......................................................... 12 4600series VPNs ......................................................12 9600series deskphone ............................................. 20 deploying to end-user .......................................... 20 9600series IP deskphone ......................................... 19 installing ............................................................... 19 9600series VPNS ..................................................... 12 Current password ....................................................... 43 accepting ..............................................................43 Accepting the current password ...........................43 Customer support .........................................................9
D
Data ............................................................................ 31 changing .............................................................. 31 Changing data ......................................................31 DHCPACK messages ................................................. 59 Documentation ............................................................. 8 online ..................................................................... 8 related .................................................................... 8
A
About this guide ........................................................... 7 Authentication .............................................................18 pre-requisites for .................................................. 18 Avaya (A) Menu .................................................... 22, 28 using ............................................................... 22, 28
E
Entering new VPN user name .................................... 42
B
Bad gateway DNS name ............................................ 49
F
Functionality ............................................................... 59 time to service ...................................................... 59
C
Certificate ................................................................... 48 phone ................................................................... 48 change history .............................................................. 8 Changing VPN password ........................................... 34 Changing VPN settings .............................................. 27 Communication Manager ........................................... 19 preparing .............................................................. 19 Configuration .............................................................. 48 invalid ................................................................... 48 Configuration preparation ........................................... 16 procedure ............................................................. 16 Configuration requirements ........................................ 15 preliminary ........................................................... 15 Configuration screens ................................................ 31 navigating .............................................................31 Configuring VPN .........................................................15 introduction .......................................................... 15 Craft ............................................................................30 accessing during normal telephone operation ..... 30 Craft menu ..................................................................29 accessing during telephone startup ..................... 29
G
Gateway certificate ..................................................... 50 invalid ................................................................... 50 General VPN settings ................................................. 32 Generic authentication type screen ............................ 33
I
IKE ........................................................................ 5254 SA expired ........................................................... 54 IKE ID/PSK ................................................................. 51 invalid ................................................................... 51 IKE keep-alive ............................................................ 54 failure ................................................................... 54 IKE over TCP screen ..................................................37 IKE phase 1 ................................................................ 52 failure ................................................................... 52 IKE Phase 1 screen ....................................................35 IKE phase 2 ................................................................ 53 failure ................................................................... 53
January 2013
79
IKE Phase 2 ............................................................... 52 no response ......................................................... 52 IKE Phase 2 screen ....................................................36 IKE Phase I ................................................................ 50 no response ......................................................... 50 IKE PSK screen ..........................................................35 IKE SA expired ........................................................... 54 Installing the 9600Series IP deskphone ................... 19 Intended audience ........................................................7 Invalid certificate .........................................................50 Invalid configuration ................................................... 48 IP address screen ...................................................... 38 IPSec .......................................................................... 54 SA expired ........................................................... 54 IPSec SA expired ....................................................... 54
VPN configuration ................................................ 57
R
Related documentation ................................................ 8 revision history ............................................................. 8
S
SCEP .................................................................... 17, 55 failed .................................................................... 55 SCEP failed ................................................................ 55 Screens .......................................... 32, 33, 3538, 41, 43 general VPN settings ........................................... 32 Generic authentication type ................................. 33 IKE over TCP ....................................................... 37 IKE Phase 1 ......................................................... 35 IKE Phase 2 ......................................................... 36 IKE PSK ............................................................... 35 IP address ............................................................ 38 user credentials ....................................................33 VPN password entry ............................................ 43 VPN settings ........................................................ 32 general .......................................................... 32 VPN text entry ...................................................... 38 VPN user name entry ...........................................41 Security Gateway ....................................................... 17 preparing .............................................................. 17 Settings ...................................................................... 22 viewing ................................................................. 22 VPN ......................................................................22 Simple enrollment certificate protocol ........................ 17 Sleep mode ................................................................ 44 VPN ......................................................................44 Supported third-party security gateways .................... 13
L
legal notices ................................................................. 2 Local Administrative menu ......................................... 29
M
Messages ................................................................... 59 DHCPACK ............................................................59
N
Need IKE ID/PSK ....................................................... 48 New VPN user name .................................................. 42 entering ................................................................ 42 No DNS server response ........................................... 49
O
Online documentation .................................................. 8
T P
Parameters ................................................................. 60 VPN ......................................................................60 Password ....................................................................42 VPN reuse ............................................................42 phase 1 failure ............................................................ 52 phase 2 failure ............................................................ 53 phone ......................................................................... 50 Phone certificate ................................................... 48, 50 invalid ................................................................... 50 Preliminary configuration requirements ...................... 15 Profiles ....................................................................... 57 Third-party security gateways .................................... 13 supported ............................................................. 13 Time to service ........................................................... 59
U
User authentication .................................................... 41 User credentials screen ..............................................33 User name .................................................................. 42 accepting ..............................................................42
80
January 2013
V
Viewing the VPN settings screen ............................... 22 Viewing VPN settings ................................................. 21 VPN ............................................................................ 44 sleep mode .......................................................... 44 VPN authentication .....................................................47 failure ................................................................... 47 VPN configuration profles ...........................................57 VPN Overview ............................................................ 11 VPN parameters ......................................................... 60 VPN password ............................................................34 changing .............................................................. 34 VPN password entry screen ....................................... 43 VPN password reuse screen ...................................... 42 VPN settings .............................................. 17, 21, 27, 30
changing .............................................................. 27 configuring ........................................................... 17 viewing ................................................................. 21 viewing or changing using the VPN special procedure ................................................ 30 VPN settings screen ................................................... 22 viewing ................................................................. 22 VPN sleep mode ................................................... 41, 44 VPN special procedure ...............................................28 VPN system parameters ............................................ 18 configuring ........................................................... 18 VPN text entry screen ................................................ 38 VPN tunnel ............................................................47, 55 failure ................................................................... 47 terminated ............................................................ 55 VPN user name entry screen ..................................... 41
January 2013
81

VPNSetup Guide For 9600 Series IPTelephones

Uploaded by

Copyright:

Available Formats

VPNSetup Guide For 9600 Series IPTelephones

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

VPNSetup Guide For 9600 Series IPTelephones

Uploaded by

Copyright:

Available Formats

VPN Setup Guide for 9600 Series IP Telephones

Release 3.1 and 6.2 16-602968 Issue 1 January 2013

2013 Avaya Inc.