Avaya Support Forums  

  #1  
Old 02-05-2015, 05:53 PM
hodge46 hodge46 is offline
Member
 
Join Date: Feb 2015
Posts: 5
hodge46 has 10 reputation points
Default 96xx VPN over L2TP/IPSec?

Hello, I recently set up a 9641G over a 'pure' IPsec tunnel using pfsense. It was easy to configure and it worked flawlessly.

A different office wants to use their 96xx VPN phone to connect to their office, but they are using a Cisco Meraki firewall. The Meraki only seems to support L2TP/IPSec for its VPN tunnels. I've confirmed the tunnel working on other clients (PC/cellphone), but cannot get the IP phone to connect to the tunnel.

The error on the phone is:
Code:
Phase 1 No Response
Can anyone confirm whether it's possible to connect an Avaya VPN phone to a L2TP/IPSec tunnel? I've tried several different configurations but it's hard to test each one since it takes several mins to reboot, load, fail, reconfig, rinse/repeat. Thanks in advance for any reply.

Last edited by hodge46; 02-06-2015 at 10:38 PM.
  #2  
Old 02-06-2015, 08:26 AM
zakabog zakabog is offline
Genius
 
Join Date: Aug 2014
Posts: 300
zakabog has 25 to 49 reputation points
Default

That's the only VPN I've ever tried to connect to and it's always worked. Phase 1 no response means it can't reach the IP of the VPN gateway. Are you sure the phone has internet access? Are you sure the IP settings are correct?

It used to be a headache for me to get these phones working over a VPN, change a few settings on the phone touchpad and reboot hoping it'd work, trying to understand the cryptic messages that it would spit out, trying to verify that the keys are all correct when you're typing them in one character at a time with a dial pad. Eventually it gets easier, plus if you install an HTTP server on a computer you can have the phone pull firmware and the 46xxsettings.txt file so you don't need to keep manually entering the data. I now keep a folder of 46xxsettings.txt files for every customer with their own VPN settings, that way I can just boot up a phone from my laptop and know it has the correct setup.
  #3  
Old 02-06-2015, 10:14 PM
hodge46 hodge46 is offline
Member
 
Join Date: Feb 2015
Posts: 5
hodge46 has 10 reputation points
Default

Hello

Quote:
Originally Posted by zakabog View Post
That's the only VPN I've ever tried to connect to and it's always worked
Do you specifically mean an L2TP/IPsec tunnel? I've had great success with a 'pure' IPsec tunnel, but could not get the same phone to connect to an L2TP/IPsec tunnel made by the Meraki. The phone grabs a local IP from DHCP, and assigns all the appropriate local addressing (DNS, gateway, subnet), so I'm assuming it had network connectivity (also Ethernet passthrough was working for the PC connected to the phone, not sure if relevant). This is the same phone that I take offsite and connect to the 'pure' IPsec tunnel on the pfsense box, so I know that I've got it working at least in that setting. The only difference is the Meraki's L2TP/IPsec tunnel.

The Meraki 'Client VPN' tunnel is not very configurable (http://i.imgur.com/I826XBO.png). It's just PSK + XAuth, with no option for a GroupID, and the IKE configurations are not listed or changeable. The tunnel is working from a PC client (iOS's & OS X's built-in L2TP/IPsec).

I read on another forum that the Avaya phones do not support L2TP, but it was not confirmed by any documentation or official source.

Quote:
Originally Posted by zakabog View Post
phase 1 no response means it can't reach the IP of the VPN gateway
That would make sense, but it appears to start connecting to "... gateway x.x.x.x" then starts "negotiating keys", and after about 10s it throws the error about no response. I thought maybe this is where the L2TP incompatibility comes into play.

I appreciate your input, if it turns out this L2TP/IPsec would work that'd be great.
Do you have a Cisco Meraki firewall?

Last edited by hodge46; 02-06-2015 at 10:34 PM. Reason: words
  #4  
Old 02-07-2015, 11:43 AM
zakabog zakabog is offline
Genius
 
Join Date: Aug 2014
Posts: 300
zakabog has 25 to 49 reputation points
Default

Ah, sorry wasn't paying attention fully, I don't think the phone will connect to an L2TP/IPSec tunnel and I'm guessing the Meraki won't do a pure IPSec tunnel?
  #5  
Old 02-08-2015, 01:02 AM
hodge46 hodge46 is offline
Member
 
Join Date: Feb 2015
Posts: 5
hodge46 has 10 reputation points
Default

Quote:
Originally Posted by zakabog View Post
Ah, sorry wasn't paying attention fully, I don't think the phone will connect to an L2TP/IPSec tunnel and I'm guessing the Meraki won't do a pure IPSec tunnel?
Yeah, I also got this confirmation from another helpful member at tek-tips. The Meraki does not do a pure IPsec tunnel, only L2TP/IPsec. We're going with a pfsense solution.

Thank you for your input.
  #6  
Old 08-24-2015, 02:15 PM
dkrajc dkrajc is offline
Hot Shot
 
Join Date: Jan 2015
Posts: 18
dkrajc has 10 reputation points
Default Question regarding pfsense

hodge46,

I just got my first 9630 phone and was trying to get it to work with my existing VPN solution and it appears that it also only works over L2TP and I am not sure how long I want to spend to see if I can get it to work if setting up pfsense will quickly solve my issue.

What I would like to know is: are you using the pfsense as a full replacement for the Meraki or just a VPN endpoint? I would like to try using pfsense just as a VPN endpoint but leave my existing firewall in place and performing all of its current functions. Do you foresee any issues with this? If you have any suggestions or helpful hints, I would love to hear them.

Thanks in advance.

Daniel Krajc
  #7  
Old 08-24-2015, 02:33 PM
hodge46 hodge46 is offline
Member
 
Join Date: Feb 2015
Posts: 5
hodge46 has 10 reputation points
Default

Hello! Please see my other thread on Tek-Tips http://www.tek-tips.com/viewthread.cfm?qid=1744441 for a basic rundown of the config for IPO+pfsense.

AFAIK, L2TP is not supported, only 'pure' IPSec. I dropped the pfsense box in as a replacement for the Meraki.

Assuming the Meraki can properly pass the protocols for IPSec, I don't see why you couldn't use the pfsense box 'behind' the Meraki... Having said that, I tore my hair out at the limited configuration options I got with the Meraki, and so you may have trouble doing it that way. I'd post to the pfsense forums/IRC to get their input on pfsense as a VPN-only endpoint behind something like Meraki.

Pfsense is a VERY solid platform; Meraki is pretty but I found it to be quite limited. Both the site from this post and my 9-5's site have been running 24/7 since these posts, without issue on pfsense. I'd try to get it running by itself, then once confirmed working place it behind the meraki and try to get IPSec passthrough working.

Tags
96xx, ipsec, l2tp, meraki, vpn

All times are GMT -7.
