96xx VPN over L2TP/IPSec?

That's the only VPN I've ever tried to connect to and it's always worked, phase 1 no response means it can't reach the IP of the VPN gateway, are you sure the phone has internet access? Are you sure the IP settings are correct?

It used to be a headache for me to get these phones working over a VPN, change a few settings on the phone touchpad and reboot hoping it'd work, trying to understand the cryptic messages that it would spit out, trying to verify that the keys are all correct when you're typing them in one character at a time with a dial pad. Eventually it gets easier, plus if you install an HTTP server on a computer you can have the phone pull firmware and the 46xxsettings.txt file so you don't need to keep manually entering the data. I now keep a folder of 46xxsettings.txt files for every customer with their own VPN settings, that way I can just boot up a phone from my laptop and know it has the correct setup.

Hello

Do you specifically mean an L2TP/IPsec tunnel? I've had great success with a 'pure' IPsec tunnel, but could not get the same phone to connect to an L2TP/IPsec tunnel made by the Meraki. The phone grabs a local IP from DHCP, and assigns all the appropriate local addressing(dns, gateway, subnet), so I'm assuming it had network connectivity(also ethernet passthrough was working for the PC connected to the phone, not sure if relevant). This is the same phone that I take offsite and connect to the 'pure' IPsec tunnel on the pfsense box, so I know that I've got it working at least in that setting. The only difference is the Meraki's L2TP/IPsec tunnel.

The Meraki 'Client VPN' tunnel is not very configurable(http://i.imgur.com/I826XBO.png). It's just PSK + XAuth, with no option for a GroupID, and the IKE configurations are not listed or changeable. The tunnel is working from a PC client(iOS's & OS X's built-in L2TP/IPsec).

I read on another forum that the avaya phones do not support L2TP, but it was not confirmed by any documentation or official source.

That would make sense, but it appears to start conencting to "... gateway x.x.x.x" then starts "negotiating keys", and after about 10s it throws the error about no response. I thought maybe this where the l2tp incompatibility comes into play.

I appreciate your input, if it turns out this L2TP/IPsec would work that'd be great.
Do you have a Cisco Meraki firewall?

Ah, sorry wasn't paying attention fully, I don't think the phone will connect to an L2TP/IPSec tunnel and I'm guessing the Meraki won't do a pure IPSec tunnel?

Yeah, I also got this confirmation from another helpful member at tek-tips. The Meraki does not do a pure IPsec tunnel, only L2TP/IPsec We're going with a pfsense solution.

Thank you for your input.

Question regarding pfsense

hodge46,

I just go my first 9630 phone and was trying to get it to work with my existing VPN solution and it appears that it also only works over L2TP and I am not sure how long I want to spend to see if I can get it to work if setting up pfsense will quickly solve my issue.

What would like to know is are you using the pfsense as full replacement for the Meraki or just a VPN endpoint. I would like to try to using pfsense just as a VPN endpoint but leave my existing firewall in place and performing all of its current functions. Do you for see any issues with this and if you have any suggestions or helpful hints, I would love to hear them.

Thanks in advance.

Daniel Krajc

Hello! Please see my other thread on Tek-Tips http://www.tek-tips.com/viewthread.cfm?qid=1744441 for a basic rundown of the config for IPO+pfsense.

AFAIK, L2TP is not supported, only 'pure' IPSec. I dropped the pfsense box in as a replacement for the Meraki.

Assuming the Meraki can properly pass the protocols for IPSec, I don't see why you couldn't use the pfsense box 'behind' the meraki... Having said that, I tore my hair out at the limited configuration options I got with the meraki, and so you may have trouble doing it that way. I'd post to the pfsense forums/IRC to get their input on pfsense as a VPN only endpoint behind something like Meraki.

Pfsense is a VERY solid platform; Meraki is pretty but I found it to be quite limited. Both the site from this post and my 9-5's site have been running 24/7 since these posts, without issue on pfsense. I'd try to get it running by itself, then once confirmed working place it behind the meraki and try to get IPSec passthrough working.