96xx VPN over L2TP/IPSec?

[hodge46]

Hello, I recently set up a 9641G over a 'pure' IPsec tunnel using pfsense. It was easy to configure and it worked flawlessly.

A different office wants to use their 96xx VPN phone to connect to thier office, but they are using a Cisco Meraki firewall. The Meraki only seems to support L2TP/IPSec for it's VPN tunnels. I've confirmed the tunnel working on other clients(PC/cellphone), but cannot get the IP phone to connect to the tunnel.

The error on the phone is:

Code:

Phase 1 No Response

Can anyone confirm whether it's possible to connect an Avaya VPN phone to a L2TP/IPSec tunnel? I've tried several different configurations but it's hard to test each one since it takes several mins to reboot, load, fail, reconfig, rinse/repeat. Thanks in advance for any reply.

[zakabog]

That's the only VPN I've ever tried to connect to and it's always worked, phase 1 no response means it can't reach the IP of the VPN gateway, are you sure the phone has internet access? Are you sure the IP settings are correct?

It used to be a headache for me to get these phones working over a VPN, change a few settings on the phone touchpad and reboot hoping it'd work, trying to understand the cryptic messages that it would spit out, trying to verify that the keys are all correct when you're typing them in one character at a time with a dial pad. Eventually it gets easier, plus if you install an HTTP server on a computer you can have the phone pull firmware and the 46xxsettings.txt file so you don't need to keep manually entering the data. I now keep a folder of 46xxsettings.txt files for every customer with their own VPN settings, that way I can just boot up a phone from my laptop and know it has the correct setup.

[hodge46]

Hello

Quote:

Originally Posted by zakabog

That's the only VPN I've ever tried to connect to and it's always worked

Do you specifically mean an L2TP/IPsec tunnel? I've had great success with a 'pure' IPsec tunnel, but could not get the same phone to connect to an L2TP/IPsec tunnel made by the Meraki. The phone grabs a local IP from DHCP, and assigns all the appropriate local addressing(dns, gateway, subnet), so I'm assuming it had network connectivity(also ethernet passthrough was working for the PC connected to the phone, not sure if relevant). This is the same phone that I take offsite and connect to the 'pure' IPsec tunnel on the pfsense box, so I know that I've got it working at least in that setting. The only difference is the Meraki's L2TP/IPsec tunnel.

The Meraki 'Client VPN' tunnel is not very configurable(http://i.imgur.com/I826XBO.png). It's just PSK + XAuth, with no option for a GroupID, and the IKE configurations are not listed or changeable. The tunnel is working from a PC client(iOS's & OS X's built-in L2TP/IPsec).

I read on another forum that the avaya phones do not support L2TP, but it was not confirmed by any documentation or official source.

Quote:

Originally Posted by zakabog

phase 1 no response means it can't reach the IP of the VPN gateway

That would make sense, but it appears to start conencting to "... gateway x.x.x.x" then starts "negotiating keys", and after about 10s it throws the error about no response. I thought maybe this where the l2tp incompatibility comes into play.

I appreciate your input, if it turns out this L2TP/IPsec would work that'd be great.
Do you have a Cisco Meraki firewall?

[zakabog]

Ah, sorry wasn't paying attention fully, I don't think the phone will connect to an L2TP/IPSec tunnel and I'm guessing the Meraki won't do a pure IPSec tunnel?

[hodge46]

Quote:

Originally Posted by zakabog

Ah, sorry wasn't paying attention fully, I don't think the phone will connect to an L2TP/IPSec tunnel and I'm guessing the Meraki won't do a pure IPSec tunnel?

Yeah, I also got this confirmation from another helpful member at tek-tips. The Meraki does not do a pure IPsec tunnel, only L2TP/IPsec We're going with a pfsense solution.

Thank you for your input.

[dkrajc]

hodge46,

I just go my first 9630 phone and was trying to get it to work with my existing VPN solution and it appears that it also only works over L2TP and I am not sure how long I want to spend to see if I can get it to work if setting up pfsense will quickly solve my issue.

What would like to know is are you using the pfsense as full replacement for the Meraki or just a VPN endpoint. I would like to try to using pfsense just as a VPN endpoint but leave my existing firewall in place and performing all of its current functions. Do you for see any issues with this and if you have any suggestions or helpful hints, I would love to hear them.

Thanks in advance.

Daniel Krajc

[hodge46]

Hello! Please see my other thread on Tek-Tips http://www.tek-tips.com/viewthread.cfm?qid=1744441 for a basic rundown of the config for IPO+pfsense.

AFAIK, L2TP is not supported, only 'pure' IPSec. I dropped the pfsense box in as a replacement for the Meraki.

Assuming the Meraki can properly pass the protocols for IPSec, I don't see why you couldn't use the pfsense box 'behind' the meraki... Having said that, I tore my hair out at the limited configuration options I got with the meraki, and so you may have trouble doing it that way. I'd post to the pfsense forums/IRC to get their input on pfsense as a VPN only endpoint behind something like Meraki.

Pfsense is a VERY solid platform; Meraki is pretty but I found it to be quite limited. Both the site from this post and my 9-5's site have been running 24/7 since these posts, without issue on pfsense. I'd try to get it running by itself, then once confirmed working place it behind the meraki and try to get IPSec passthrough working.