Avaya Secure Router 2330 / 4134
Avaya 1120/1140E IP Deskphone
Engineering

SR 2330 / 4134 IPSec with NAT-T Interoperability with Avaya 1120/1140E IP Deskphone / Live Customer Solution
Technical Configuration Guide

Avaya Networking
Document Date:
Document Number: NN48500-633
Document Version: 1.0
© 2011 Avaya Inc. All Rights Reserved.

Notices
While reasonable efforts have been made to ensure that the information in this document is complete and accurate at the time of printing, Avaya assumes no liability for any errors. Avaya reserves the right to make changes and corrections to the information in this document without the obligation to notify any person or organization of such changes.

Documentation disclaimer
Avaya shall not be responsible for any modifications, additions, or deletions to the original published version of this documentation unless such modifications, additions, or deletions were performed by Avaya. End User agrees to indemnify and hold harmless Avaya, Avaya's agents, servants and employees against all claims, lawsuits, demands and judgments arising out of, or in connection with, subsequent modifications, additions or deletions to this documentation, to the extent made by End User.

Link disclaimer
Avaya is not responsible for the contents or reliability of any linked Web sites referenced within this site or documentation(s) provided by Avaya. Avaya is not responsible for the accuracy of any information, statement or content provided on these sites and does not necessarily endorse the products, services, or information described or offered within them. Avaya does not guarantee that these links will work all the time and has no control over the availability of the linked pages.

Warranty
Avaya provides a limited warranty on this product. Refer to your sales agreement to establish the terms of the limited warranty. In addition, Avaya's standard warranty language, as well as information regarding support for this product, while under warranty, is available to Avaya customers and other parties through the Avaya Support Web site: http://www.avaya.com/support. Please note that if you acquired the product from an authorized reseller, the warranty is provided to you by said reseller and not by Avaya.
Licenses
THE SOFTWARE LICENSE TERMS AVAILABLE ON THE AVAYA WEBSITE, HTTP://SUPPORT.AVAYA.COM/LICENSEINFO/ ARE APPLICABLE TO ANYONE WHO DOWNLOADS, USES AND/OR INSTALLS AVAYA SOFTWARE, PURCHASED FROM AVAYA INC., ANY AVAYA AFFILIATE, OR AN AUTHORIZED AVAYA RESELLER (AS APPLICABLE) UNDER A COMMERCIAL AGREEMENT WITH AVAYA OR AN AUTHORIZED AVAYA RESELLER. UNLESS OTHERWISE AGREED TO BY AVAYA IN WRITING, AVAYA DOES NOT EXTEND THIS LICENSE IF THE SOFTWARE WAS OBTAINED FROM ANYONE OTHER THAN AVAYA, AN AVAYA AFFILIATE OR AN AVAYA AUTHORIZED RESELLER, AND AVAYA RESERVES THE RIGHT TO TAKE LEGAL ACTION AGAINST YOU AND ANYONE ELSE USING OR SELLING THE SOFTWARE WITHOUT A LICENSE. BY INSTALLING, DOWNLOADING OR USING THE SOFTWARE, OR AUTHORIZING OTHERS TO DO SO, YOU, ON BEHALF OF YOURSELF AND THE ENTITY FOR WHOM YOU ARE INSTALLING, DOWNLOADING OR USING THE SOFTWARE (HEREINAFTER REFERRED TO INTERCHANGEABLY AS "YOU" AND "END USER"), AGREE TO THESE TERMS AND CONDITIONS AND CREATE A BINDING CONTRACT BETWEEN YOU AND AVAYA INC. OR THE APPLICABLE AVAYA AFFILIATE ("AVAYA").

Copyright
Except where expressly stated otherwise, no use should be made of the Documentation(s) and Product(s) provided by Avaya. All content in this documentation(s) and the product(s) provided by Avaya including the selection, arrangement and design of the content is owned either by Avaya or its licensors and is protected by copyright and other intellectual property laws including the sui generis rights relating to the protection of databases. You may not modify, copy, reproduce, republish, upload, post, transmit or distribute in any way any content, in whole or in part, including any code and software. Unauthorized reproduction, transmission, dissemination, storage, and/or use without the express written consent of Avaya can be a criminal, as well as a civil offense under the applicable law.
Third Party Components
Certain software programs or portions thereof included in the Product may contain software distributed under third party agreements ("Third Party Components"), which may contain terms that expand or limit rights to use certain portions of the Product ("Third Party Terms"). Information regarding distributed Linux OS source code (for those Products that have distributed the Linux OS source code), and identifying the copyright holders of the Third Party Components and the Third Party Terms that apply to them is available on the Avaya Support Web site: http://support.avaya.com/copyright.

Trademarks
The trademarks, logos and service marks ("Marks") displayed in this site, the documentation(s) and product(s) provided by Avaya are the registered or unregistered Marks of Avaya, its affiliates, or other third parties. Users are not permitted to use such Marks without prior written consent from Avaya or such third party which may own the Mark. Nothing contained in this site, the documentation(s) and product(s) should be construed as granting, by implication, estoppel, or otherwise, any license or right in and to the Marks without the express written permission of Avaya or the applicable third party. Avaya is a registered trademark of Avaya Inc. All non-Avaya trademarks are the property of their respective owners.

Downloading documents
For the most current versions of documentation, see the Avaya Support Web site: http://www.avaya.com/support
Contact Avaya Support
Avaya provides a telephone number for you to use to report problems or to ask questions about your product. The support telephone number is 1-800-242-2121 in the United States. For additional support telephone numbers, see the Avaya Web site: http://www.avaya.com/support.

Abstract
This document describes a real customer deployment of a secure managed VoIP solution for a teleworker involving the Avaya Secure Router 2330 (SR 2330), Avaya 1100 Series IP Deskphones and the Avaya Communication Server 1000 (CS 1000).

Revision Control
No   Date            Version   Revised By        Remarks
1    14 November 11  0.1       Laurent Beucher   Original Draft
2    13 December 11  1.0       Mike Fitzgerald   Minor edits and additions
TABLE OF CONTENTS
ABOUT THIS DOCUMENT ... 5
ACRONYM KEY ... 5
INTRODUCTION ... 5
NETWORK DIAGRAM ... 6
SOLUTION TESTED ... 6
SR 2330 CONFIGURATION ... 6
11x0E IP DESKPHONE CONFIGURATION ... 11
CONFIGURATION APPENDIX ... 12
REFERENCE DOCUMENTATION ... 16
CUSTOMER SERVICES ... 17
About this document

Non-Disclosure
The Avaya non-disclosure processes will be followed for any documentation and information being released to the End Customer or any type of Channel Partner's personnel not covered by a contract with Avaya prior to GA.

Acronym Key
Throughout this guide the following acronyms will be used:
DH: Diffie Hellman
IKE: Internet Key Exchange
IPSec: Internet Protocol Security
IRAS: Internet Remote Access Server

Introduction
This Technical Configuration Guide (TCG) describes a real customer deployment of a secure managed VoIP solution for a Teleworker. This solution uses the Avaya Secure Router 2330 (SR 2330), Avaya 1100 Series IP Deskphones and the Avaya Communication Server 1000 (CS 1000). The CS 1000 and SR 2330 are owned by the Service Provider. The Avaya 11xx Phone is at the Teleworker site and requires NAT traversal (NAT-T) across a NAT router.

All configuration examples are based on the software and hardware levels shown below. The configuration of the Avaya CS 1000 is out of the scope of this document.

Equipment used                        Software Level
Avaya Secure Router 2330 (note 1)     10.3.2.25 (note 2)
Avaya 1120e IP Deskphone              0624C8G
Avaya 1140e IP Deskphone              0625C8G
Avaya Communication Server 1000       7.5

Note 1: Since the SR 4134 shares the same IPSec implementation as the SR 2330, this TCG applies to the SR 4134 as well as the SR 2330.
Note 2: 10.3.2.25 is a special build used for this test. Previous software builds (=>10.3) do not allow the 11x0e IP Deskphone to establish a VPN tunnel to the SR 2330 IRAS when the phone is behind a NAT router. The fixes are incorporated into Secure Router 2330/4134 Release 10.3.2 and later.
Network Diagram

Solution Tested
IP phones establish a secured IPSec VPN tunnel to the SR 2330 from the Teleworker home office and register to the CS 1000. The SR 2330 and CS 1000 are installed and managed at the Service Provider premises. The Teleworker's Avaya 1120e/1140e IP Deskphone is located at the customer site and is connected to a consumer-grade router or access device.

SR 2330 Configuration
1. Loopback interface 11.11.11.11 added for remote management
2. Policy 102 added to the Internet firewall to allow management of the Secure Router
3. Pool 1 address range added for Teleworkers
4. Management IKE policy added (terminating on the loopback address)
5. Pool 2 address range added for two management access addresses
Configuration commands are commented for additional clarity. The entire configuration for this test is in the Configuration Appendix.
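To confirm from a capture on the SR 2330 public interface that the phone behind the consumer NAT router is really running NAT-T, the added example below (not Avaya code and not part of this guide) classifies UDP/4500 payloads as IKE, UDP-encapsulated ESP or NAT keepalive and checks that keepalives from each source arrive within the nat-keepalive interval the teleworker policy sets (20 s). It assumes the standard RFC 3948 encapsulation on UDP port 4500 (adjust the port if the contivity service on your SR uses another one) and uses constructed packet records, not a real capture.

```python
"""Classify UDP/4500 payloads seen on the SR 2330 public interface to confirm
that a phone behind NAT is using NAT-T as this guide configures it. Added
example, not Avaya tooling; PACKETS below are constructed, not a capture."""
import struct

NON_ESP_MARKER = b"\x00\x00\x00\x00"   # IKE on UDP 4500 is prefixed with 4 zero bytes (RFC 3948)
NAT_KEEPALIVE = b"\xff"                # NAT-T keepalive is a single 0xFF byte (RFC 3948)
IKEV1_EXCHANGE = {2: "main", 4: "aggressive", 5: "informational", 32: "quick"}
IKE_HDR = "!8s8sBBBBII"                # SPIi, SPIr, next payload, version, exchange, flags, msg id, length

def classify(payload):
    """Return (kind, detail) for one UDP/4500 payload: keepalive, ike, esp or unknown."""
    if payload == NAT_KEEPALIVE:
        return "keepalive", ""
    if payload.startswith(NON_ESP_MARKER):
        if len(payload) < 4 + struct.calcsize(IKE_HDR):
            return "unknown", "truncated IKE header"
        _, _, _, ver, exch, _, _, length = struct.unpack(IKE_HDR, payload[4:32])
        if ver >> 4 == 1 and length == len(payload) - 4:
            return "ike", IKEV1_EXCHANGE.get(exch, f"exchange {exch}")
        return "unknown", "bad IKE header"
    if len(payload) >= 8:                # UDP-encapsulated ESP: SPI (never 0) then sequence number
        spi, seq = struct.unpack("!II", payload[:8])
        return "esp", f"spi=0x{spi:08x} seq={seq}"
    return "unknown", ""

def keepalive_ok(records, interval=20):
    """Per source, True when every gap between its keepalives is within nat-keepalive seconds."""
    last, worst = {}, {}
    for t, src, payload in records:
        if classify(payload)[0] == "keepalive":
            if src in last:
                worst[src] = max(worst.get(src, 0), t - last[src])
            last[src] = t
    return {src: gap <= interval for src, gap in worst.items()}

# Constructed records (time in seconds, source, UDP/4500 payload) for one phone behind NAT.
PHONE = "198.51.100.7:4500"
AGGRESSIVE = NON_ESP_MARKER + struct.pack(IKE_HDR, b"\x11" * 8, b"\x00" * 8, 1, 0x10, 4, 0, 0, 28)
ESP = struct.pack("!II", 0xC0FFEE01, 7) + b"\x00" * 16
PACKETS = [(0.0, PHONE, AGGRESSIVE), (0.4, PHONE, ESP), (20.0, PHONE, NAT_KEEPALIVE),
           (40.0, PHONE, NAT_KEEPALIVE), (58.5, PHONE, NAT_KEEPALIVE)]

if __name__ == "__main__":
    for t, src, payload in PACKETS:
        print(f"{t:6.1f} {src} {classify(payload)}")
    print("keepalive interval respected:", keepalive_ok(PACKETS))
```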
Interface Configuration

## Loopback interface 11.11.11.11 added for remote management
interface loopback mgmt
 crypto trusted
 ip address 11.11.11.11 255.255.255.255
exit interface

## Private interface
interface ethernet 0/1
 description customer-lan
 ip address 10.10.0.254 255.255.255.0
 ## proxy arp required so the SR ARPs on behalf of IPsec RAS clients
 ip proxy_arp
 crypto trusted
exit ethernet

## Public interface
interface ethernet 0/2
 description Internet
 ip address 192.168.1.193 255.255.255.248
 crypto untrusted
exit ethernet

## Default route
ip route 0.0.0.0/0 192.168.1.198

Firewall configuration
Starting with Secure Router Release 10.3, VPN is no longer tightly coupled with the Firewall. The Firewall can be disabled using the command system security firewall-disabled. For the current solution, the Firewall is mandatory for remote management (a.k.a. the control tunnel on the VPN router). Therefore, if the stateful firewall is enabled, SELF policies are very important: they are what permits IKE and IPSec traffic to the router itself. The global firewall configuration can be found in the Configuration Appendix.

## untrusted policies
firewall internet
 interface ethernet0/2
 policy 100 in permit service ike self
 policy 101 in permit service contivity self
 ## allows remote management from the provider network
 policy 102 in permit address 10.10.3.101 10.10.3.102 11.11.11.11 32 self
exit firewall

## add the following rules only to allow remote testing directly through the Internet
 policy 103 in permit protocol icmp self
 policy 104 in permit service telnet self

## trusted policies
firewall corp
 policy 101 in permit address 10.10.3.1 10.10.3.100 any any
 policy 1024 out permit
exit firewall

IPSec configuration

crypto
 keepalive mode periodic
 ## contivity-iras used for interoperability with the 11x0e phone
 contivity-iras
  ## Teleworker IKE policy
  ike policy teleworker
   ## local-address is the public interface of the Secure Router (crypto untrusted)
   local-address 81.142.14.193
   ## remote-id user-name strings must be quoted, followed by the password
   remote-id user-name "telwkr" vtstw
   ## first IKE proposal
   proposal 1
    dh-group group2
    encryption-algorithm 3des-cbc
   exit proposal
   client configuration
    ## address-pool assigned to IP phones
    address-pool 1 10.10.3.1 10.10.3.100
    ## private-side-address is the LAN interface of the Secure Router (crypto trusted)
    private-side-address 10.10.0.254
    keepalive
    exit keepalive
    split-tunnel
    exit split-tunnel
    nat-keepalive 20
   exit configuration
  ## Remote management IKE policy
  ike policy mgmt
   local-address 192.168.1.193
   remote-id user-name "mgt" mgt
   proposal 1
    dh-group group2
    encryption-algorithm 3des-cbc
   exit proposal
   client configuration
    ## address-pool for remote management
    address-pool 2 10.10.3.101 10.10.3.102
    ## loopback IP address used for remote management
    private-side-address 11.11.11.11
    banner-enable
    banner-text "If you do not have authorisation to access this device you must click CANCEL and disconnect this session immediately."
    keepalive
    exit keepalive
    split-tunnel
    exit split-tunnel
   exit configuration
  ## Teleworker IPsec policy
  ipsec policy teleworker
   proposal 1
    lifetime seconds 3600
   exit proposal
  ## Remote management IPSec policy
  ipsec policy mgmt
   proposal 1
    lifetime seconds 3600
   exit proposal
 exit contivity-iras
exit crypto
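The audit below is an added example (not Avaya code and not part of this guide) that parses the SR CLI block structure used above, where each nested block ends with exit followed by a keyword. It reports each IKE policy's dh-group, encryption-algorithm and nat-keepalive lines, flags that remote-id user-name stores the phone's PSK user name and password in the running configuration (so show run output must be handled as a secret), and checks that the firewall named by internet_fw (the guide's is firewall internet) carries the ike and contivity self policies the Firewall configuration section depends on; SAMPLE_CONFIG is a constructed excerpt of the configuration in this guide.

```python
"""Audit an SR 2330/4134 'show run' for the settings this guide depends on (added
example, not Avaya tooling; SAMPLE_CONFIG is a constructed excerpt in SR CLI format)."""
import re
SAMPLE_CONFIG = """firewall internet
 interface ethernet0/2
 policy 100 in permit service ike self
 policy 101 in permit service contivity self
exit firewall
crypto
 contivity-iras
  ike policy teleworker
   remote-id user-name "telwkr" vtstw
   proposal 1
    dh-group group2
    encryption-algorithm 3des-cbc
   exit proposal
   client configuration
    nat-keepalive 20
   exit configuration
 exit contivity-iras
exit crypto"""
# Lines that open a nested block ('crypto trusted' on an interface must not match).
OPENER = re.compile(r"^(firewall \S+|crypto|contivity-iras|ike policy \S+|"
                    r"ipsec policy \S+|proposal \d+|client configuration)$")
def parse(text):
    """Return (block path, line) pairs; 'exit <kw>' pops back past the block named kw."""
    stack, out = [], []
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        if line.startswith("exit"):
            kw = line.split()[-1]
            hits = [i for i, blk in enumerate(stack) if kw in blk.split()]
            if hits:
                del stack[hits[-1]:]
        else:
            out.append((tuple(stack), line))
            if OPENER.match(line):
                stack.append(line)
    return out
def audit(text, internet_fw="firewall internet"):
    """Report IKE parameters, stored credentials, and self policies missing on the untrusted firewall."""
    findings, self_svc = [], set()
    for path, line in parse(text):
        if path and path[-1] == internet_fw:
            if m := re.match(r"policy \d+ in permit service (\S+) self", line):
                self_svc.add(m.group(1))
        pols = [p for p in path if p.startswith("ike policy ")]
        if pols:
            pol, key = pols[-1].split()[-1], line.split()[0]
            if key in ("remote-id", "dh-group", "encryption-algorithm", "nat-keepalive"):
                findings.append(f"{pol}: {'PSK user name and password visible in show run' if key == 'remote-id' else line}")
    missing = sorted({"ike", "contivity"} - self_svc)
    if missing:
        findings.append(f"{internet_fw}: self policy missing for {missing}")
    return findings
```

Feed it the full Configuration Appendix text to audit both the teleworker and mgmt policies at once.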
11x0e IP Deskphone Configuration

Entering configuration mode:
Power cycle the phone. When the small Avaya message is displayed in the bottom left corner of the screen, press the four horizontal buttons just below the screen in sequence from left to right. Do this within 4 seconds. At the Password prompt enter 26567*738 (COLOR*SET) followed by OK.

Use the navigation buttons to move around the screen and the centre button to make a change:
1. Enable VPN
2. Set VPN mode to Aggressive
3. Select Pre-shared-key (PSK)
4. Enter the PSK user ID as defined in the SR2330 ike policy
5. Enter the PSK password as defined in the SR2330 ike policy
6. No XAUTH
7. Enter the VPN peer address of the SR2330
8. Set DSCP to EF High Priority
9. Enable DHCP
10. Enter the CS1000 server address
11. Enter the CS1000 port number
12. Add the provisioning server address (needed for FW and licensing updates)

Configuration Appendix

sr2330# show run
Retrieving configuration... please wait
system
 logging
  console
   priority crit
  exit console
  syslog
   module alarms local0 none
   module dos local0 none
   module forwarding local0 none
   module voip-ssm-cdr local0 none
   module voip-cdr local0 none
   module voip-gwy local0 none
  exit syslog
 exit logging
 hostname vts-sr2330
 log utc
 event
 exit event
 terminal
 exit terminal
 qos
  module
  exit module
  chassis
  exit chassis
 exit qos
 aaa
  tacacs
  exit tacacs
  radius
   primary_server
   exit primary_server
   secondary_server
   exit secondary_server
  exit radius
 exit aaa
 vlan
  database
  exit database
 exit vlan
 classification
 exit classification
 bridge
  mstp
  exit mstp
 exit bridge
 lacp
 exit lacp
 interface loopback mgmt
  ip address 11.11.11.11 255.255.255.255
  crypto trusted
 exit loopback
 interface ethernet 0/1
  description customer-lan
  ip address 10.10.0.254 255.255.255.0
  ip proxy_arp
  aaa
  exit aaa
  crypto trusted
  qos
   module
   exit module
   chassis
   exit chassis
  exit qos
 exit ethernet
 interface ethernet 0/2
  description Internet
  ip address 192.168.1.193 255.255.255.248
  aaa
  exit aaa
  crypto untrusted
  qos
   module
   exit module
   chassis
   exit chassis
  exit qos
 exit ethernet
 interface console
  aaa
  exit aaa
 exit console
 gvrp
 exit gvrp
 snmp-server
  engine-id
   local 0000000c000000007f000001
  exit engine-id
  chassis-id vts-sr2330
  enable
  traps
  exit traps
 exit snmp-server
 rmon
 exit rmon
 oam
  cfm
   enable
   ethtype 88e6
  exit cfm
 exit oam
 ftp_server
 icmp_timestamp
 telnet_server
 telnet_banner
 exit telnet_banner
 sntp
 exit sntp
 ip proxy-dns
 exit proxy-dns
 ip load-balancing per-flow
 ip route 0.0.0.0/0 192.168.1.198
 ipv6 unicast-routing
 ipv6 load-balancing per-flow
 mpls tunnel-mode uniform
 firewall global
  algs
   dns
   exit dns
  exit algs
  max-connection-limit self 2048
 exit firewall
 firewall internet
  interface ethernet0/2
  policy 100 in permit service ike self
  policy 101 in permit service contivity self
  policy 102 in permit address 10.10.3.101 10.10.3.102 11.11.11.11 32 self
 exit firewall
 firewall corp
  interface ethernet0/1 mgmt
  policy 101 in permit address 10.10.3.1 10.10.3.100 any any
  policy 1024 out permit
 exit firewall
 crypto
  keepalive mode periodic
  dynamic
  exit dynamic
  contivity-iras
   ike policy teleworker
    local-address 192.168.1.193
    remote-id user-name "telwkr" vtstw
    proposal 1
     dh-group group2
     encryption-algorithm 3des-cbc
    exit proposal
    client configuration
     address-pool 1 10.10.3.1 10.10.3.100
     private-side-address 10.10.0.254
     keepalive
     exit keepalive
     split-tunnel
     exit split-tunnel
     nat-keepalive 20
    exit configuration
   ike policy mgmt
    local-address 192.168.1.193
    remote-id user-name "vts2330" vts1664
    proposal 1
     dh-group group2
     encryption-algorithm 3des-cbc
    exit proposal
    client configuration
     address-pool 2 10.10.3.101 10.10.3.102
     private-side-address 11.11.11.11
     banner-enable
     banner-text "If you do not have authorization to access this device you must click CANCEL and disconnect this session immediately."
     keepalive
     exit keepalive
     split-tunnel
     exit split-tunnel
    exit configuration
   ipsec policy teleworker
    proposal 1
     lifetime seconds 3600
    exit proposal
   ipsec policy mgmt
    proposal 1
     lifetime seconds 3600
    exit proposal
  exit contivity-iras
  pmtu
  exit pmtu
  qos
   chassis
   exit chassis
  exit qos
 exit crypto
 dst
  no enable
 exit dst
sr2330#

Reference Documentation

Document Title                                                       Publication Number   Description
Secure Router IPSec with NAT-T Interop with Avaya 9600 IP phones    NN48500-631          https://support.avaya.com/css/p8/documents/100153157
Security-Configuration_Management AG 2330 & SR 2330/4134            NN47263-600          https://support.avaya.com/css/products/p0770/all_documents
Ordering Config Guide                                                N/A                  https://enterpriseportal.avaya.com/ptlweb/gs/products/p0617/orderinginformation
Customer Service
Visit the Avaya Web site to access the complete range of services and support that Avaya provides. Go to www.avaya.com or go to one of the pages listed in the following sections.

1.1 Getting technical documentation
To download and print selected technical publications and release notes directly from the Internet, go to www.avaya.com/support.

1.2 Getting product training
Ongoing product training is available. For more information or to register, you can access the Web site at www.avaya.com/support. From this Web site, you can locate the Training contacts link on the left-hand navigation pane.

1.3 Getting help from a distributor or reseller
If you purchased a service contract for your Avaya product from a distributor or authorized reseller, contact the technical support staff for that distributor or reseller for assistance.

1.4 Getting technical support from the Avaya Web site
The easiest and most effective way to get technical support for Avaya products is from the Avaya Technical Support Web site at www.avaya.com/support.

© 2011 Avaya Inc. All Rights Reserved. Avaya and the Avaya Logo are trademarks of Avaya Inc. and are registered in the United States and other countries. All trademarks identified by ®, TM or SM are registered marks, trademarks, and service marks, respectively, of Avaya Inc. All other trademarks are the property of their respective owners. Avaya may also have trademark rights in other terms used herein. References to Avaya include the Nortel Enterprise business, which was acquired as of December 18, 2009.