SR 2330 / 4134 IPSec with NAT-T Interoperability with Avaya 1120/1140E IP Deskphone / Live Customer Solution Technical Configuration Guide


Avaya Secure Router 2330 / 4134
Avaya 1120/1140E IP Deskphone
Engineering

SR 2330 / 4134 IPSec with NAT-T Interoperability with Avaya 1120/1140E IP Deskphone / Live Customer Solution
Technical Configuration Guide

Avaya Networking
Document Date:
Document Number: NN48500-633
Document Version: 1.0

© 2011 Avaya Inc. All Rights Reserved.

Notices
While reasonable efforts have been made to ensure that the information in this document is complete and accurate at the time of printing, Avaya assumes no liability for any errors. Avaya reserves the right to make changes and corrections to the information in this document without the obligation to notify any person or organization of such changes.

Documentation disclaimer
Avaya shall not be responsible for any modifications, additions, or deletions to the original published version of this documentation unless such modifications, additions, or deletions were performed by Avaya. End User agrees to indemnify and hold harmless Avaya, Avaya's agents, servants and employees against all claims, lawsuits, demands and judgments arising out of, or in connection with, subsequent modifications, additions or deletions to this documentation, to the extent made by End User.

Link disclaimer
Avaya is not responsible for the contents or reliability of any linked Web sites referenced within this site or documentation(s) provided by Avaya. Avaya is not responsible for the accuracy of any information, statement or content provided on these sites and does not necessarily endorse the products, services, or information described or offered within them. Avaya does not guarantee that these links will work all the time and has no control over the availability of the linked pages.

Warranty
Avaya provides a limited warranty on this product. Refer to your sales agreement to establish the terms of the limited warranty. In addition, Avaya's standard warranty language, as well as information regarding support for this product, while under warranty, is available to Avaya customers and other parties through the Avaya Support Web site: http://www.avaya.com/support. Please note that if you acquired the product from an authorized reseller, the warranty is provided to you by said reseller and not by Avaya.

Licenses
THE SOFTWARE LICENSE TERMS AVAILABLE ON THE AVAYA WEBSITE, HTTP://SUPPORT.AVAYA.COM/LICENSEINFO/ ARE APPLICABLE TO ANYONE WHO DOWNLOADS, USES AND/OR INSTALLS AVAYA SOFTWARE, PURCHASED FROM AVAYA INC., ANY AVAYA AFFILIATE, OR AN AUTHORIZED AVAYA RESELLER (AS APPLICABLE) UNDER A COMMERCIAL AGREEMENT WITH AVAYA OR AN AUTHORIZED AVAYA RESELLER. UNLESS OTHERWISE AGREED TO BY AVAYA IN WRITING, AVAYA DOES NOT EXTEND THIS LICENSE IF THE SOFTWARE WAS OBTAINED FROM ANYONE OTHER THAN AVAYA, AN AVAYA AFFILIATE OR AN AVAYA AUTHORIZED RESELLER, AND AVAYA RESERVES THE RIGHT TO TAKE LEGAL ACTION AGAINST YOU AND ANYONE ELSE USING OR SELLING THE SOFTWARE WITHOUT A LICENSE. BY INSTALLING, DOWNLOADING OR USING THE SOFTWARE, OR AUTHORIZING OTHERS TO DO SO, YOU, ON BEHALF OF YOURSELF AND THE ENTITY FOR WHOM YOU ARE INSTALLING, DOWNLOADING OR USING THE SOFTWARE (HEREINAFTER REFERRED TO INTERCHANGEABLY AS "YOU" AND "END USER"), AGREE TO THESE TERMS AND CONDITIONS AND CREATE A BINDING CONTRACT BETWEEN YOU AND AVAYA INC. OR THE APPLICABLE AVAYA AFFILIATE ("AVAYA").

Copyright
Except where expressly stated otherwise, no use should be made of the Documentation(s) and Product(s) provided by Avaya. All content in this documentation(s) and the product(s) provided by Avaya including the selection, arrangement and design of the content is owned either by Avaya or its licensors and is protected by copyright and other intellectual property laws including the sui generis rights relating to the protection of databases. You may not modify, copy, reproduce, republish, upload, post, transmit or distribute in any way any content, in whole or in part, including any code and software. Unauthorized reproduction, transmission, dissemination, storage, and/or use without the express written consent of Avaya can be a criminal, as well as a civil, offense under the applicable law.

Third Party Components
Certain software programs or portions thereof included in the Product may contain software distributed under third party agreements ("Third Party Components"), which may contain terms that expand or limit rights to use certain portions of the Product ("Third Party Terms"). Information regarding distributed Linux OS source code (for those Products that have distributed the Linux OS source code), and identifying the copyright holders of the Third Party Components and the Third Party Terms that apply to them is available on the Avaya Support Web site: http://support.avaya.com/copyright.

Trademarks
The trademarks, logos and service marks ("Marks") displayed in this site, the documentation(s) and product(s) provided by Avaya are the registered or unregistered Marks of Avaya, its affiliates, or other third parties. Users are not permitted to use such Marks without prior written consent from Avaya or such third party which may own the Mark. Nothing contained in this site, the documentation(s) and product(s) should be construed as granting, by implication, estoppel, or otherwise, any license or right in and to the Marks without the express written permission of Avaya or the applicable third party. Avaya is a registered trademark of Avaya Inc. All non-Avaya trademarks are the property of their respective owners.

Downloading documents
For the most current versions of documentation, see the Avaya Support Web site: http://www.avaya.com/support

Contact Avaya Support
Avaya provides a telephone number for you to use to report problems or to ask questions about your product. The support telephone number is 1-800-242-2121 in the United States. For additional support telephone numbers, see the Avaya Web site: http://www.avaya.com/support.

Abstract
This document describes a real customer deployment of a secure managed VoIP solution for a teleworker involving the Avaya Secure Router 2330 (SR 2330), Avaya 1100 Series IP Deskphones and the Avaya Communication Server 1000 (CS 1000).

Revision Control

No  Date              Version  Revised By       Remarks
1   14 November 2011  0.1      Laurent Beucher  Original Draft
2   13 December 2011  1.0      Mike Fitzgerald  Minor edits and additions

TABLE OF CONTENTS

About this document
Acronym Key
Introduction
Network Diagram
Solution Tested
SR 2330 Configuration
11x0E IP Deskphone Configuration
Configuration Appendix
Reference Documentation
Customer Services

About this document

Non-Disclosure
The Avaya non-disclosure processes will be followed for any documentation and information being released to the End Customer or any type of Channel Partner's personnel not covered by a contract with Avaya prior to GA.

Acronym Key
Throughout this guide the following acronyms are used:

DH: Diffie-Hellman
IKE: Internet Key Exchange
IPSec: Internet Protocol Security
IRAS: Internet Remote Access Server

Introduction
This Technical Configuration Guide (TCG) describes a real customer deployment of a secure managed VoIP solution for a Teleworker. The solution uses the Avaya Secure Router 2330 (SR 2330), Avaya 1100 Series IP Deskphones and the Avaya Communication Server 1000 (CS 1000). The CS 1000 and SR 2330 are owned by the Service Provider. The Avaya 11xx phone is at the Teleworker site and requires NAT traversal (NAT-T) across a NAT router.

All configuration examples are based on the software and hardware levels shown below. Configuration of the Avaya CS 1000 is out of the scope of this document.

Equipment used                      Software Level
Avaya Secure Router 2330 (note 1)   10.3.2.25 (note 2)
Avaya 1120e IP Deskphone            0624C8G
Avaya 1140e IP Deskphone            0625C8G
Avaya Communication Server 1000     7.5

Note 1: Since the SR 4134 shares the same IPSec implementation as the SR 2330, this TCG applies to the SR 4134 as well as the SR 2330.

Note 2: 10.3.2.25 is a special build used for this test. Previous software builds (=>10.3) do not allow the 11x0e IP Deskphone to establish a VPN tunnel to the SR 2330 IRAS when the phone is behind a NAT router. The fixes are incorporated into Secure Router 2330/4134 Release 10.3.2 and later.
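NAT traversal works by carrying both IKE and ESP inside UDP port 4500 (RFC 3948): an IKE message is prefixed with a four-byte all-zero "non-ESP marker", a UDP-encapsulated ESP packet begins with its non-zero SPI, and the client periodically sends a one-byte 0xFF keep-alive (the nat-keepalive interval set on the SR 2330 later in this guide) so the home router's NAT binding does not expire between calls. The following Python script is an added example, not part of this guide or of Avaya's software; it classifies constructed UDP/4500 payloads the way a firewall or a packet-capture review on the router's public interface would, and checks keep-alive spacing against the configured interval.

```python
"""Classify UDP/4500 payloads (IPsec NAT-T, RFC 3948) and check NAT keep-alive spacing.
Added example, not Avaya code; the packets below are constructed, not captured."""
import struct

NON_ESP_MARKER = b"\x00\x00\x00\x00"  # prefixes IKE when it is carried on UDP/4500
NAT_KEEPALIVE = b"\xff"                # one-byte keep-alive that refreshes the NAT binding
ISAKMP_HEADER_LEN = 28
EXCHANGE_TYPES = {2: "main", 4: "aggressive", 5: "informational", 32: "quick"}


def classify_nat_t_payload(payload: bytes) -> str:
    """Return what a UDP/4500 datagram carries: keep-alive, IKE (with exchange type) or ESP."""
    if payload == NAT_KEEPALIVE:
        return "nat-keepalive"
    if payload.startswith(NON_ESP_MARKER):
        hdr = payload[4:4 + ISAKMP_HEADER_LEN]
        if len(hdr) < ISAKMP_HEADER_LEN:
            return "malformed-ike"
        # ISAKMP header: iSPI(8) rSPI(8) next-payload(1) version(1) exchange(1) flags(1) msgid(4) length(4)
        exchange = hdr[18]
        declared_len = struct.unpack("!I", hdr[24:28])[0]
        if declared_len != len(payload) - len(NON_ESP_MARKER):
            return "malformed-ike"
        return "ike-" + EXCHANGE_TYPES.get(exchange, f"type{exchange}")
    if len(payload) >= 8:
        return "esp"  # non-zero SPI (4 bytes) followed by the sequence number
    return "unknown"


def keepalive_gaps(arrival_times, interval=20, slack=5):
    """Indices and sizes of gaps between keep-alives that exceed interval + slack seconds.
    A gap longer than the NAT binding timeout means the phone's tunnel may silently stall."""
    gaps = []
    for i in range(1, len(arrival_times)):
        gap = arrival_times[i] - arrival_times[i - 1]
        if gap > interval + slack:
            gaps.append((i, gap))
    return gaps


def build_ike(exchange_type: int, body: bytes = b"") -> bytes:
    """Constructed IKEv1 message on UDP/4500 with a fixed initiator cookie (test data only)."""
    ispi, rspi = b"\x11" * 8, b"\x00" * 8
    tail = struct.pack("!BBBBII", 1, 0x10, exchange_type, 0, 0, ISAKMP_HEADER_LEN + len(body))
    return NON_ESP_MARKER + ispi + rspi + tail + body


# Constructed sample datagrams as a firewall on the router's public interface would see them.
SAMPLE_PACKETS = [
    NAT_KEEPALIVE,                                      # phone behind NAT keeping the binding alive
    build_ike(4, b"\x00" * 16),                         # aggressive-mode IKE, as the phone is set to use
    struct.pack("!II", 0x0C1A2B3C, 1) + b"\xaa" * 24,   # UDP-encapsulated ESP: SPI, then sequence 1
    NON_ESP_MARKER + b"\x00" * 10,                      # truncated IKE header
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(len(pkt), classify_nat_t_payload(pkt))
    print(keepalive_gaps([0, 20, 41, 120, 140]))
```

The length check on the ISAKMP header is what separates a genuine IKE message from random traffic that happens to start with four zero bytes; the keep-alive check takes the arrival times of the 0xFF datagrams from one phone and flags any spacing that drifts well beyond the 20-second interval configured on the router.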

Network Diagram

[Figure: network diagram (not reproduced in this transcription)]

Solution Tested
IP phones establish a secured IPSec VPN tunnel to the SR 2330 from the Teleworker home office and register to the CS 1000. The SR 2330 and CS 1000 are installed and managed at the Service Provider premises. The Teleworker's Avaya 1120e/1140e IP Deskphone is located at the customer site and is connected to a consumer-grade router or access device.

SR 2330 Configuration

1. Loopback interface 11.11.11.11 added for remote management
2. Policy 102 added to the Internet firewall to allow management of the Secure Router
3. Pool 1 address range added for Teleworkers
4. Management IKE policy added (to the loopback address)
5. Pool 2 address range added for 2 x management accesses

Configuration commands are commented for some additional clarity. The entire configuration for this test is in the Configuration Appendix.

Interface Configuration

## Loopback interface 11.11.11.11 added for remote management
interface loopback mgmt
 crypto trusted
 ip address 11.11.11.11 255.255.255.255
exit interface

## Private interface
interface ethernet 0/1
 description customer-lan
 ip address 10.10.0.254 255.255.255.0
 ## proxy arp required so the SR ARPs on behalf of IPsec RAS clients
 ip proxy_arp
 crypto trusted
exit ethernet

## Public interface
interface ethernet 0/2
 description Internet
 ip address 192.168.1.193 255.255.255.248
 crypto untrusted
exit ethernet

## Default route
ip route 0.0.0.0/0 192.168.1.198

Firewall configuration
Starting with Secure Router Release 10.3, VPN is no longer tightly coupled with the Firewall. The Firewall can be disabled using the command system security firewall-disabled. For the current solution, the Firewall is mandatory for remote management (a.k.a. the control tunnel on the VPN router). Therefore, if the stateful firewall is enabled, SELF policies are essential so that IKE and IPSec traffic destined to the router itself is permitted. The global firewall configuration can be found in the Configuration Appendix.

## untrusted policies
firewall internet
 interface ethernet0/2
 policy 100 in permit service ike self
 policy 101 in permit service contivity self
 ## allows remote management from provider network
 policy 102 in permit address 10.10.3.101 10.10.3.102 11.11.11.11 32 self
exit firewall

## add the following rules only to allow remote testing directly through the Internet
 policy 103 in permit protocol icmp self
 policy 104 in permit service telnet self

## trusted policies
firewall corp
 policy 101 in permit address 10.10.3.1 10.10.3.100 any any
 policy 1024 out permit
exit firewall

IPSec configuration

crypto
 keepalive mode periodic
 ## contivity-iras used for interoperability with 11x0e phone
 contivity-iras
  ## Teleworker IKE policy
  ike policy teleworker
   ## local-address is the public interface of the Secure Router (crypto UNTRUSTED)
   local-address 81.142.14.193
   ## remote-id user-name strings must be quoted, followed by the password
   remote-id user-name "telwkr" vtstw
   ## first IKE proposal
   proposal 1
    dh-group group2
    encryption-algorithm 3des-cbc
   exit proposal
   client
    configuration
     ## address-pool assigned to IP phones
     address-pool 1 10.10.3.1 10.10.3.100
     ## private-side address is the LAN interface of the Secure Router (crypto TRUSTED)
     private-side-address 10.10.0.254
     keepalive
     exit keepalive
     split-tunnel
     exit split-tunnel
     nat-keepalive 20
    exit configuration
  ## Remote management IKE policy
  ike policy mgmt
   local-address 192.168.1.193
   remote-id user-name "mgt" mgt
   proposal 1
    dh-group group2
    encryption-algorithm 3des-cbc
   exit proposal
   client
    configuration
     ## address-pool for remote management
     address-pool 2 10.10.3.101 10.10.3.102
     ## loopback IP address used for remote management
     private-side-address 11.11.11.11
     banner-enable
     banner-text "If you do not have authorisation to access this device you must click CANCEL and disconnect this session immediately."
     keepalive
     exit keepalive
     split-tunnel
     exit split-tunnel
    exit configuration
  ## Teleworker IPsec policy
  ipsec policy teleworker
   proposal 1
    lifetime seconds 3600
   exit proposal
  ## Remote management IPsec policy
  ipsec policy mgmt
   proposal 1
    lifetime seconds 3600
   exit proposal
 exit contivity-iras
exit crypto
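Before handing the router over, the prerequisites this section relies on are worth checking mechanically rather than by eye: an inbound SELF policy permitting the ike service and one permitting the contivity service on the crypto-untrusted interface, and an IKE policy local-address that actually belongs to that interface. The teleworker policy above uses local-address 81.142.14.193 while the public interface is 192.168.1.193 (the Configuration Appendix shows 192.168.1.193 for both policies), which is exactly the kind of slip a lint catches. The following Python script is an added example, not Avaya code; it understands only the CLI subset shown in this guide, and its sample configuration is constructed from the guide's commands with the contivity SELF policy left out and the mismatched local-address kept on purpose so that both findings are reported.

```python
"""Lint an Avaya Secure Router style configuration for the IPsec/NAT-T prerequisites
described in this guide. Added example, not Avaya code; it understands only the small
CLI subset shown in the guide (a simplifying assumption)."""
import re

# Constructed sample, adapted from the guide's own commands. The contivity SELF policy
# is left out and the teleworker local-address is the guide's mismatched value, so the
# lint has two things to report.
SAMPLE_CONFIG = """\
interface ethernet 0/1
 ip address 10.10.0.254 255.255.255.0
 ip proxy_arp
 crypto trusted
exit ethernet
interface ethernet 0/2
 ip address 192.168.1.193 255.255.255.248
 crypto untrusted
exit ethernet
firewall internet
 interface ethernet0/2
 policy 100 in permit service ike self
 policy 102 in permit address 10.10.3.101 10.10.3.102 11.11.11.11 32 self
exit firewall
crypto
 contivity-iras
  ike policy teleworker
   local-address 81.142.14.193
   remote-id user-name "telwkr" vtstw
  ike policy mgmt
   local-address 192.168.1.193
   remote-id user-name "mgt" mgt
 exit contivity-iras
exit crypto
"""


def parse_config(text):
    """Collect interfaces, firewall maps and IKE policies; 'exit <kw>' closes a context."""
    interfaces, firewalls, ike = {}, {}, {}
    cur_if = cur_fw = cur_ike = None
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        head = words[0]
        if head == "exit":
            ctx = words[1] if len(words) > 1 else ""
            if ctx in ("ethernet", "loopback", "interface"):
                cur_if = None
            elif ctx == "firewall":
                cur_fw = None
            elif ctx in ("contivity-iras", "crypto"):
                cur_ike = None
        elif head == "interface" and cur_fw is not None:
            firewalls[cur_fw]["interfaces"].append("".join(words[1:]))
        elif head == "interface":
            cur_if = "".join(words[1:])                  # "ethernet 0/2" -> "ethernet0/2"
            interfaces.setdefault(cur_if, {"ip": None, "crypto": None})
        elif head == "firewall" and len(words) == 2:
            cur_fw = words[1]
            firewalls.setdefault(cur_fw, {"interfaces": [], "policies": []})
        elif head == "policy" and cur_fw is not None:
            firewalls[cur_fw]["policies"].append(" ".join(words))
        elif words[:2] == ["ike", "policy"]:
            cur_ike = words[2]
            ike.setdefault(cur_ike, {"local_address": None, "remote_id": False})
        elif cur_if and words[:2] == ["ip", "address"]:
            interfaces[cur_if]["ip"] = words[2]
        elif cur_if and head == "crypto" and len(words) == 2:
            interfaces[cur_if]["crypto"] = words[1]
        elif cur_ike and head == "local-address":
            ike[cur_ike]["local_address"] = words[1]
        elif cur_ike and head == "remote-id":
            ike[cur_ike]["remote_id"] = True
    return interfaces, firewalls, ike


def lint(text):
    """Return a list of findings; an empty list means the prerequisites are met."""
    interfaces, firewalls, ike = parse_config(text)
    findings = []
    untrusted = {n: d["ip"] for n, d in interfaces.items() if d["crypto"] == "untrusted"}
    if not untrusted:
        findings.append("no interface is marked 'crypto untrusted'")
    for name in untrusted:
        bound = [fw for fw, d in firewalls.items() if name in d["interfaces"]]
        if not bound:
            findings.append(f"no firewall map is bound to untrusted interface {name}")
        for fw in bound:
            for svc in ("ike", "contivity"):   # the two SELF services the guide requires
                pat = rf"\bin permit service {svc} self\b"
                if not any(re.search(pat, p) for p in firewalls[fw]["policies"]):
                    findings.append(f"firewall {fw}: no inbound SELF policy permitting service {svc}")
    for name, d in ike.items():
        if d["local_address"] not in untrusted.values():
            findings.append(f"ike policy {name}: local-address {d['local_address']} "
                            "is not the address of a crypto-untrusted interface")
        if not d["remote_id"]:
            findings.append(f"ike policy {name}: no remote-id (PSK identity) configured")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG) or ["OK: IPsec/NAT-T prerequisites present"]:
        print(finding)
```

Feed it the output of show run (as in the Configuration Appendix) and an empty result means the SELF policies and the IKE local-address agree with the interface marked crypto untrusted; any other output names the policy or firewall map to fix.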

11x0e IP Deskphone Configuration

Entering configuration mode:
Power cycle the phone. When the small Avaya message is displayed in the bottom left corner of the screen, press the four horizontal buttons just below the screen in sequence from left to right. Do this within 4 seconds. At the Password prompt enter 26567*738 (COLOR*SET) followed by OK.

Use the navigation buttons to move around the screen and the centre button to make a change:

1. Enable VPN
2. Set VPN mode to Aggressive
3. Select Pre-shared-key (PSK)
4. Enter the PSK user ID as defined in the SR2330 IKE policy
5. Enter the PSK password as defined in the SR2330 IKE policy
6. No XAUTH
7. Enter the VPN peer address of the SR2330
8. Set DSCP to EF High Priority
9. Enable DHCP
10. Enter the CS1000 server address
11. Enter the CS1000 port number
12. Add the provisioning server address (needed for FW and Licencing updates)

Configuration Appendix

sr2330# show run
Retrieving configuration... please wait
system
 logging
  console
   priority crit
  exit console
  syslog
   module alarms local0 none
   module dos local0 none
   module forwarding local0 none
   module voip-ssm-cdr local0 none
   module voip-cdr local0 none
   module voip-gwy local0 none
  exit syslog
 exit logging
 hostname vts-sr2330
 log utc
 event
 exit event
 terminal
 exit terminal
 qos
  module
  exit module
  chassis
  exit chassis
 exit qos
 aaa
  tacacs
  exit tacacs
  radius
   primary_server
   exit primary_server

   secondary_server
   exit secondary_server
  exit radius
 exit aaa
vlan database
exit database
vlan classification
exit classification
bridge
 mstp
 exit mstp
exit bridge
lacp
exit lacp
interface loopback mgmt
 ip address 11.11.11.11 255.255.255.255
 crypto trusted
exit loopback
interface ethernet 0/1
 description customer-lan
 ip address 10.10.0.254 255.255.255.0
 ip proxy_arp
 aaa
 exit aaa
 crypto trusted
 qos
  module
  exit module
  chassis
  exit chassis
 exit qos
exit ethernet
interface ethernet 0/2
 description Internet
 ip address 192.168.1.193 255.255.255.248
 aaa
 exit aaa
 crypto untrusted
 qos
  module
  exit module
  chassis
  exit chassis
 exit qos
exit ethernet
interface console
 aaa
 exit aaa
exit console
gvrp
exit gvrp
snmp-server
 engine-id
  local 0000000c000000007f000001
 exit engine-id
 chassis-id vts-sr2330
 enable
  traps
  exit traps
exit snmp-server
rmon
exit rmon
oam
 cfm
  enable
  ethtype 88e6
 exit cfm
exit oam
ftp_server
icmp_timestamp
telnet_server
telnet_banner
exit telnet_banner
sntp
exit sntp
ip proxy-dns
exit proxy-dns
ip load-balancing per-flow
ip route 0.0.0.0/0 192.168.1.198
ipv6 unicast-routing
ipv6 load-balancing per-flow
mpls tunnel-mode uniform
firewall global
 algs
  dns
  exit dns
 exit algs
 max-connection-limit self 2048
exit firewall
firewall internet
 interface ethernet0/2
 policy 100 in permit service ike self
 policy 101 in permit service contivity self
 policy 102 in permit address 10.10.3.101 10.10.3.102 11.11.11.11 32 self
exit firewall
firewall corp
 interface ethernet0/1 mgmt
 policy 101 in permit address 10.10.3.1 10.10.3.100 any any
 policy 1024 out permit
exit firewall
crypto
 keepalive mode periodic
 dynamic
 exit dynamic
 contivity-iras
  ike policy teleworker
   local-address 192.168.1.193
   remote-id user-name "telwkr" vtstw
   proposal 1
    dh-group group2
    encryption-algorithm 3des-cbc
   exit proposal
   client
    configuration
     address-pool 1 10.10.3.1 10.10.3.100
     private-side-address 10.10.0.254
     keepalive
     exit keepalive
     split-tunnel
     exit split-tunnel
     nat-keepalive 20
    exit configuration
  ike policy mgmt
   local-address 192.168.1.193
   remote-id user-name "vts2330" vts1664
   proposal 1
    dh-group group2
    encryption-algorithm 3des-cbc
   exit proposal
   client
    configuration
     address-pool 2 10.10.3.101 10.10.3.102
     private-side-address 11.11.11.11
     banner-enable
     banner-text "If you do not have authorization to access this device you must click CANCEL and disconnect this session immediately."
     keepalive
     exit keepalive
     split-tunnel
     exit split-tunnel
    exit configuration
  ipsec policy teleworker
   proposal 1
    lifetime seconds 3600
   exit proposal
  ipsec policy mgmt
   proposal 1
    lifetime seconds 3600
   exit proposal
 exit contivity-iras
 pmtu
 exit pmtu
 qos
  chassis
  exit chassis
 exit qos
exit crypto
dst
 no enable
exit dst
sr2330#

Reference Documentation

Document Title                                                      Publication Number  Description
Secure Router IPSec with NAT-T Interop with Avaya 9600 IP phones    NN48500-631         https://support.avaya.com/css/p8/documents/100153157
Security - Configuration_Management AG 2330 & SR 2330/4134          NN47263-600         https://support.avaya.com/css/products/p0770/all_documents
Ordering Config Guide                                               N/A                 https://enterpriseportal.avaya.com/ptlweb/gs/products/p0617/orderinginformation

Customer Service

Visit the Avaya Web site to access the complete range of services and support that Avaya provides. Go to www.avaya.com or go to one of the pages listed in the following sections.

1.1 Getting technical documentation
To download and print selected technical publications and release notes directly from the Internet, go to www.avaya.com/support.

1.2 Getting product training
Ongoing product training is available. For more information or to register, you can access the Web site at www.avaya.com/support. From this Web site, you can locate the Training contacts link on the left-hand navigation pane.

1.3 Getting help from a distributor or reseller
If you purchased a service contract for your Avaya product from a distributor or authorized reseller, contact the technical support staff for that distributor or reseller for assistance.

1.4 Getting technical support from the Avaya Web site
The easiest and most effective way to get technical support for Avaya products is from the Avaya Technical Support Web site at www.avaya.com/support.

© 2011 Avaya Inc. All Rights Reserved. Avaya and the Avaya Logo are trademarks of Avaya Inc. and are registered in the United States and other countries. All trademarks identified by ®, TM or SM are registered marks, trademarks, and service marks, respectively, of Avaya Inc. All other trademarks are the property of their respective owners. Avaya may also have trademark rights in other terms used herein. References to Avaya include the Nortel Enterprise business, which was acquired as of December 18, 2009.