VPN XAUTH Connectivity Woes

  • brgnewman
    Member
    • May 2012
    • 4

    VPN XAUTH Connectivity Woes

    Prior to my arrival, the VPN Policy on the organization's main SonicWALL NSA 250M gateway had XAUTH disabled, and all our remote Avaya 9620 phones connected with a single preshared key.

    I wasn't a fan of this and opted to enforce XAUTH on our gateway for security reasons. However, ever since we enforced XAUTH both on the SonicWALL gateway and the Avaya 9620 handsets, we've been experiencing countless remote connectivity issues. These issues include:
    1. Dropped calls and poor call audio
    2. Phones suddenly resetting and having to reinitialize the VPN connection
    3. Our SonicWALL log is full of "User logged out" and "User logged in" events (1-5 minutes apart from each other).

    This is the VPN policy I am pushing to the 9620 handsets:
    SET NVVPNMODE 1
    SET NVVPNSVENDOR 4
    SET NVSGIP 184.75.26.130
    SET NVVPNENCAPS 0
    SET NVVPNCOPYTOS 2
    SET NVVPNAUTHTYPE 4
    SET NVVPNUSERTYPE 1
    SET NVVPNUSER vpnphone
    SET NVVPNPSWDTYPE 1
    SET NVVPNPSWD vpnphone
    SET NVIKEID GroupVPN
    SET NVIKEPSK **********
    SET NVIKEIDTYPE 2
    SET NVIKEXCHGMODE 1
    SET NVIKEDHGRP 1
    SET NVIKEP1ENCALG 3
    SET NVIKEP1AUTHALG 2
    SET NVIKECONFIGMODE 2
    SET NVPFSDHGRP 1
    SET NVIKEP2ENCALG 3
    SET NVIKEP2AUTHALG 2
    SET NVIPSECSUBNET 10.0.1.0/24
    SET NVIKEOVERTCP 1
    SET MCIPADD 10.0.1.29
    SET HTTPSRVR 10.0.1.29

    And this is the VPN Policy on our SonicWALL Gateway:
    Authentication Method: IKE using Preshared Secret
    Name: WAN GroupVPN
    Shared Secret: **********
    IKE (Phase 1) Proposal - DH Group: 1
    IKE (Phase 1) Proposal - Encryption: DES
    IKE (Phase 1) Proposal - Authentication: SHA1
    IKE (Phase 1) Proposal - Lifetime (Sec): 28800
    Ipsec (Phase 2) Proposal - Protocol: ESP
    Ipsec (Phase 2) Proposal - Encryption: DES
    Ipsec (Phase 2) Proposal - Authentication: SHA1
    Ipsec (Phase 2) Proposal - Perfect Forward Secrecy: Yes
    Ipsec (Phase 2) Proposal - DH Group: 1
    Ipsec (Phase 2) Proposal - Lifetime (Sec): 28800
    Require Authentication of VPN Clients by XAUTH: Yes
    User Group for XAUTH Users: Trusted Users
    Virtual Adapter Settings: DHCP Lease or Manual Configuration
    Allow Connections To: Split Tunnels

    Important Notes:
    - XAUTH is configured to use RADIUS to our Network Policy Service running on one of our Windows Server 2008 R2 servers.
    - Originally, I had planned to move the encryption to AES-128 (from DES), but I was advised by the original company managing the phones that we would experience connectivity issues with our handsets. When I brought up Avaya's Global Tech Tip document regarding SonicWALL VPN connectivity and how it said 3DES (http://www.usedphonesonline.com/Avay...ch_Tip_190.pdf), I was also told to stick to DES.
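    The numeric codes in the handset profile above and the proposal fields in the SonicWALL policy describe the same IKE phase 1 / phase 2 negotiation in two vocabularies, so it is worth checking them side by side, both for agreement and for strength. The following script is an added example (editor's code, not from this thread or from Avaya/SonicWALL): it parses 46xxsettings-style SET lines, decodes the codes, compares them with the gateway proposal and flags weak choices. The code-to-name tables are recalled from Avaya's 46xxsettings VPN documentation and must be verified against the admin guide for your firmware; the hardened profile and hardened gateway dictionary are hypothetical values, and whether the 9620 firmware and the GroupVPN policy accept them has to be confirmed on the equipment (the post says the vendor advised DES).

```python
"""Audit an Avaya 96xx VPN profile (46xxsettings SET lines) against the gateway's
IKE/IPsec proposal and flag weak choices.  Added example, not code from the thread."""
import re

# ASSUMPTION: code-to-name tables recalled from Avaya's 46xxsettings VPN
# documentation; verify them against the admin guide for your firmware release.
ENC_ALG = {0: "any", 1: "AES-128", 2: "3DES", 3: "DES", 4: "AES-192", 5: "AES-256"}
AUTH_ALG = {0: "any", 1: "MD5", 2: "SHA1"}
XCHG_MODE = {1: "aggressive", 2: "main"}
AUTH_TYPE = {3: "PSK", 4: "PSK+XAUTH", 5: "RSA+XAUTH", 6: "hybrid XAUTH", 7: "RSA"}

# Constructed copy of the crypto-relevant lines from the posted profile.
POSTED_PROFILE = """
SET NVVPNAUTHTYPE 4
SET NVIKEXCHGMODE 1
SET NVIKEDHGRP 1
SET NVIKEP1ENCALG 3
SET NVIKEP1AUTHALG 2
SET NVPFSDHGRP 1
SET NVIKEP2ENCALG 3
SET NVIKEP2AUTHALG 2
"""

# Hypothetical hardened counterpart: AES-128, DH group 14, main mode.
# Handset and gateway support for these values must be confirmed on the gear.
HARDENED_PROFILE = """
SET NVVPNAUTHTYPE 4
SET NVIKEXCHGMODE 2
SET NVIKEDHGRP 14
SET NVIKEP1ENCALG 1
SET NVIKEP1AUTHALG 2
SET NVPFSDHGRP 14
SET NVIKEP2ENCALG 1
SET NVIKEP2AUTHALG 2
"""

# The SonicWALL proposal as posted, and a hypothetical hardened one.
GATEWAY_POLICY = {"p1_enc": "DES", "p1_auth": "SHA1", "p1_dh": 1,
                  "p2_enc": "DES", "p2_auth": "SHA1", "pfs_dh": 1}
HARDENED_GATEWAY = {"p1_enc": "AES-128", "p1_auth": "SHA1", "p1_dh": 14,
                    "p2_enc": "AES-128", "p2_auth": "SHA1", "pfs_dh": 14}


def parse_settings(text):
    """Return {NAME: value} from 'SET NAME value' lines."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"\s*SET\s+(\S+)\s+(.*\S)", line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def decode_profile(settings):
    """Translate the numeric codes into algorithm names / group numbers."""
    code = lambda key: int(settings[key])
    return {"auth": AUTH_TYPE[code("NVVPNAUTHTYPE")],
            "xchg": XCHG_MODE[code("NVIKEXCHGMODE")],
            "p1_enc": ENC_ALG[code("NVIKEP1ENCALG")],
            "p1_auth": AUTH_ALG[code("NVIKEP1AUTHALG")],
            "p1_dh": code("NVIKEDHGRP"),
            "p2_enc": ENC_ALG[code("NVIKEP2ENCALG")],
            "p2_auth": AUTH_ALG[code("NVIKEP2AUTHALG")],
            "pfs_dh": code("NVPFSDHGRP")}


def mismatches(phone, gateway):
    """Proposal fields on which the two sides would fail to agree ('any' matches all)."""
    return [f"{key}: phone={phone[key]} gateway={gateway[key]}"
            for key in gateway if phone[key] != gateway[key] and phone[key] != "any"]


def weaknesses(phone):
    """Weak or risky choices in the decoded profile, independent of the gateway."""
    found = []
    for key in ("p1_enc", "p2_enc"):
        if phone[key] == "DES":
            found.append(f"{key}: DES has a 56-bit key and is brute-forceable")
        elif phone[key] == "3DES":
            found.append(f"{key}: 3DES is legacy; prefer AES if the handset supports it")
    if phone["p1_dh"] < 14:
        found.append(f"p1_dh: DH group {phone['p1_dh']} is below 2048-bit MODP (group 14)")
    if phone["pfs_dh"] == 0:
        found.append("pfs_dh: PFS disabled")
    elif phone["pfs_dh"] < 14:
        found.append(f"pfs_dh: DH group {phone['pfs_dh']} is below 2048-bit MODP (group 14)")
    if "MD5" in (phone["p1_auth"], phone["p2_auth"]):
        found.append("MD5 integrity is obsolete")
    if phone["xchg"] == "aggressive" and phone["auth"].startswith("PSK"):
        found.append("aggressive mode with a pre-shared key: identity and PSK-derived hash "
                     "are sent unencrypted, so a captured handshake can be attacked offline")
    return found


def audit(profile_text, gateway=GATEWAY_POLICY):
    phone = decode_profile(parse_settings(profile_text))
    return {"mismatches": mismatches(phone, gateway), "weaknesses": weaknesses(phone)}


if __name__ == "__main__":
    print("posted:", audit(POSTED_PROFILE))
    print("hardened phone, posted gateway:", audit(HARDENED_PROFILE))
    print("hardened both:", audit(HARDENED_PROFILE, HARDENED_GATEWAY))
```

Run as posted, the two sides agree on every field (so the connectivity problem is not a proposal mismatch) while the profile collects five weakness findings: DES in both phases, DH group 1 for phase 1 and for PFS, and aggressive mode with a pre-shared key. Hardening the phone profile alone produces mismatches against the unchanged gateway, which is the point of checking both sides together: the proposal has to move in lock-step on the handset file and on the GroupVPN policy.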
  • kkanna
    Aspiring Member
    • Jul 2012
    • 2

    #2
    Hello!

    I am facing very similar issues; I am wondering if you were able to resolve yours. I am not IT, and I am struggling to understand the root cause and to arrive at a solution. Any help / pointers would be greatly appreciated!!

    BTW, we use IP Office v500, and the 9620 phones for our remote / home office employees. We use Juniper for our firewall.

    Our problem is that the phone does not stay connected; the reseller we bought the IP Office and phones from, who also installed / implemented the system and VPN, is pointing to 60ms ping as the issue. I don't agree with this ... latency would come into the picture when I make calls; but my phone does not stay connected - same issues as you describe.

    --- my original post ---
    The reseller we bought our IP office 500 and Avaya phones from has not been able to resolve the issue; to their credit, they did try, and also upgraded our original phones from 9608 to 9620 ... however the problem below persists.

    Description -
    We have 2 home-office colleagues in different cities; one uses Time Warner Cable, and the other uses Comcast for high speed internet. For the person using TimeWarner (not implying at all that this is the problem), the VPN phone just does not work ... It reboots a few to several times in a day; also calls go directly to voicemail sometimes. When he tries to use the phone it sometimes responds, other times it is delayed a few seconds before it takes a command such as pressing the "speaker" button, and other times it never responds other than making a beep. It seems like there is NO consistency in performance.

    Our reseller had the two home office users do a ping test; tests showed about 60ms in both cases (same whether on or off VPN). The reseller insists that this is the problem - that latency should be less than 30ms for the phones to work. However, one of the 2 phones works fine, and the other one does not ...

    Any pointers on what we should be looking for would be greatly appreciated!!

    Kannan
    ---------------
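    Both posts above describe the same symptom from different sides: brgnewman sees "User logged out" / "User logged in" pairs 1-5 minutes apart in the SonicWALL log, and kkanna's remote phones reboot and drop their tunnel several times a day. The quickest way to separate genuine churn from normal use is to measure session length per handset from the gateway log. The script below is an added example (editor's code, not from the thread or from SonicWALL): the sample lines are constructed in SonicWALL's key=value syslog style, and the field names (time, msg, usr, src) are an assumption to adapt to the real log export. Because every handset in the first post authenticates with the same XAUTH account (vpnphone), the source address is the only thing that tells them apart, so sessions are keyed on (user, source).

```python
"""Measure VPN session churn per handset from gateway syslog lines.
Added example, not code from the thread.  The sample lines are constructed in a
SonicWALL-like key=value syslog style; field names are an assumption."""
import re
from datetime import datetime
from statistics import median

# Constructed sample: one handset re-authenticating every few minutes, another
# holding a single session for most of the day.  Addresses are documentation ranges.
SAMPLE_LOG = """\
time="2012-05-08 09:00:02" msg="User logged in" usr="vpnphone" src=198.51.100.10
time="2012-05-08 09:00:05" msg="User logged in" usr="vpnphone" src=203.0.113.7
time="2012-05-08 09:03:41" msg="User logged out" usr="vpnphone" src=198.51.100.10
time="2012-05-08 09:03:44" msg="User logged in" usr="vpnphone" src=198.51.100.10
time="2012-05-08 09:05:10" msg="User logged out" usr="vpnphone" src=198.51.100.10
time="2012-05-08 09:05:12" msg="User logged in" usr="vpnphone" src=198.51.100.10
time="2012-05-08 09:09:58" msg="User logged out" usr="vpnphone" src=198.51.100.10
time="2012-05-08 09:10:01" msg="User logged in" usr="vpnphone" src=198.51.100.10
time="2012-05-08 17:30:00" msg="User logged out" usr="vpnphone" src=203.0.113.7
"""

# key=value or key="quoted value"
FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line):
    """Return the key=value fields of one syslog line as a dict."""
    fields = {}
    for m in FIELD.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


def sessions(log_text):
    """Pair each login with the next logout for the same (user, source) key.
    Returns {key: [session_length_seconds, ...]}; a login without a logout stays open."""
    open_at, durations = {}, {}
    for line in log_text.splitlines():
        f = parse_line(line)
        if "msg" not in f or "time" not in f:
            continue
        key = (f.get("usr"), f.get("src"))
        t = datetime.strptime(f["time"], "%Y-%m-%d %H:%M:%S")
        if f["msg"] == "User logged in":
            open_at[key] = t
        elif f["msg"] == "User logged out" and key in open_at:
            durations.setdefault(key, []).append((t - open_at.pop(key)).total_seconds())
    return durations


def flapping(durations, max_median_seconds=600, min_sessions=3):
    """Keys with repeated short sessions: re-authentication churn rather than usage."""
    return sorted(key for key, d in durations.items()
                  if len(d) >= min_sessions and median(d) <= max_median_seconds)


if __name__ == "__main__":
    d = sessions(SAMPLE_LOG)
    for key, lengths in d.items():
        print(key, [int(s) for s in lengths])
    print("flapping:", flapping(d))
```

On the constructed sample the handset at 198.51.100.10 shows sessions of 219, 86 and 286 seconds and is reported as flapping, while 203.0.113.7 holds one session for over eight hours. The posted policy has 28800-second lifetimes in both phases, far above 1-5 minute intervals, so scheduled re-keying does not explain churn at that rate on its own; the per-source breakdown also shows why a shared XAUTH account is a poor fit, since without it there is no other way to attribute a session to a handset.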


    • ylabonte
      Member
      • Apr 2011
      • 5

      #3
      Hi guys, just read your post because I am looking for the easiest way to make a 1100 series phone (Avaya CS1000 system) work at home over a VPN session.

      Would you have something to recommend? I know the 1100 phones have built-in VPN capability but I don't think this will work with our enterprise VPN; it seems it needs a Nortel router and licence server, designed for that usage.

      What I can tell you about softphones that wouldn't stay connected is that we had to make sure the firewall was not blocking UDP ports 5000 and 5010. A policy blocking those ports (and "accept reply" to those ports as well) was blocking the UDP watchdog from the Sig Server to the softphone, thus causing the connection to drop when idle after 120 seconds.

      Don't know if it applies to your issue Kannan with the 9620 phones but I thought I'd let you know.
