2 Replies Latest reply: Jul 10, 2014 2:03 PM by cllanos

    How to configure VPN to connect an Avaya 9608 IP phone

    cllanos

      Hi, I am trying to configure the firewall to connect a 9608 IP phone through a VPN, but I have not been able to.

      The configuration of the phone is:

      VPN: Enabled

      VPN Vendor: Other

      Gateway: 192.168.0.2

      external phone ip address: 192.168.0.1

      Encapsulation: RFC(500-500)

      copy Tos: no

      auth type: psk

      ike id: a@a.com

      ike id type: user_fqdn

      ike xchg mode: aggressive

      ike dh group: 2

      ike encryption alg: aes128

      ike auth alg: md5

      ike config mode: enabled

      ip sec pfs dh group: no pfs

      ip sec encryption alg: aes128

      ip sec auth alg: md5

      protect network: 0.0.0.0/0

      ike over tcp: never

       

       

      Firewall configuration:

       

       

      mode: dynamic ip restricted client

      ike: v1

      encap: tunnel

      ip ver: v4

      local ip: use localhost ip

      crypto ip sec: aes128

      crypto ip sec authentication alg: md5

      Advance ike v1: aggressive

      Advance encryption: aes128

      Advance hash alg: md5

      Advance key excha group: group 2

      enable NAT traversal yes

      enable initial contact yes

      encrypt final aggressive mode packet yes

       

       

      Question: what is wrong in this configuration?

      This is the firewall log:

       

       

       

      2014-07-10 11:10:32 -0500 f_isakmp_daemon a_vpn t_debug p_major

      pid: 1601 logid: 0 cmd: 'ikmpd' hostname: x.com

      vpn_name: !DYNAMIC! cky_i: 7bdd5112df5a72fb cky_r: bb612f3aabeed7b0

      local_gw: 192.168.0.1 remote_gw: 192.168.0.2

      information: [inbound packet]

        [SA]

          [PROPOSAL #1]

            protocol: IKE(1)

            [TRANSFORM #1]

              tran_id: IKE(1)

              [attributes]

                ENCRYPT:AES, KEY_LEN:128, HASH:MD5, GROUP:2,

                AUTH_METHOD:PRE_SHARED_KEY, LIFE:SECONDS, DURATION:|00069780|

        [KE]

          data(128):

       

        [NONCE]

          data(20): |e396c31d16895e3b1d458a4caea1fd36f7396120|

        [IDENTITY]

          type: USER_FQDN(3), data: a@a.com

        [VENDOR_ID]

          vendor_id: NATT_RFC

        [VENDOR_ID]

          vendor_id: NATT_DRAFT2A

        [VENDOR_ID]

          vendor_id: NATT_DRAFT2B

        [VENDOR_ID]

          data(16): |4485152d18b6bbcc0be8a8469579ddcc|

        [VENDOR_ID]

          data(16): |4485152d18b6bbcd0be8a8469579ddcc|

        [VENDOR_ID]

          vendor_id: XAUTH

       

       

      2014-07-10 11:10:32 -0500 f_isakmp_daemon a_aclquery t_aclallow p_major

      pid: 1601 logid: 0 cmd: 'ikmpd' hostname: x.com

      event: ACL allow application: ISAKMP Server src_geo: CO srcip: 192.168.0.2

      srcport: 500 srczone: external protocol: 17 dst_geo: CO dstip: 192.168.0.1

      dstport: 500 dstzone: external rule_name: VPN_Server cache_hit: 0 src_rep: 0

      dst_rep: 0 reason: Traffic allowed by policy.

       

       

      2014-07-10 11:10:32 -0500 f_isakmp_daemon a_vpn t_info p_major

      pid: 1601 logid: 0 cmd: 'ikmpd' hostname: x.com

      vpn_name: vpn_telefonos local_gw: 192.168.0.1 remote_gw: 192.168.0.2

      information: Session creation -

      [session details]

        vpn_name: vpn_telefonos, state: ALIVE, flags: INITIAL_CONTACT

        [local gateway] IPV4_ADDR-192.168.0.1:500

        [remote gateway] IPV4_ADDR-192.168.0.2:500

        [phase1 config]

          vpn: vpn_telefonos, position: 1, address pool: VPN_Portatiles

          [policy]

            exchange: AGGRESSIVE_MODE, protocol: IKE,

            options: [DYNAMIC|LEASED_IP|INITIAL_CONTACT|NAT_T], version: 1,

            local authentication: PRE_SHARED_KEY,

            remote authentication: PRE_SHARED_KEY, encryption: AES:128, integ: MD5,

            DH group: 2

        [phase2 config]

          vpn: vpn_telefonos, position: 1

          [policy]

            protocol: ESP, zone: 4, options: [DYNAMIC|FORCED_REKEY], version: 1,

            encryption: AES:128, integ: MD5, ESN: OFF, encapsulation: TUNNEL

       

       

      2014-07-10 11:10:32 -0500 f_isakmp_daemon a_vpn t_debug p_major

      pid: 1601 logid: 0 cmd: 'ikmpd' hostname: x.com

      vpn_name: vpn_telefonos cky_i: 7bdd5112df5a72fb cky_r: bb612f3aabeed7b0

      local_gw: 192.168.0.1 remote_gw: 192.168.0.2 remote_id: a@a.com

      information: [outbound packet]

        [NONE]

          CKY_I: |7bdd5112df5a72fb|, CKY_R: |bb612f3aabeed7b0|,

          exch: AGGRESSIVE_MODE(4), mess_id: 0

        [SA]

          [PROPOSAL #1]

            protocol: IKE(1)

            [TRANSFORM #1]

              tran_id: IKE(1)

              [attributes]

                AUTH_METHOD:PRE_SHARED_KEY, HASH:MD5, ENCRYPT:AES, GROUP:2,

                LIFE:SECONDS, DURATION:|00069780|, KEY_LEN:128

        [KE]

          data(128):

       

        [NONCE]

          data(20): |0dd820e0de44f743e67d1298572e0d643839e452|

        [IDENTITY]

          type: IPV4_ADDR(1), data: 192.168.0.1

        [NOTIFY]

          protocol: IKE, type: RESPONDER_LIFETIME(24576)

          spi(16): |7bdd5112df5a72fbbb612f3aabeed7b0|

          data(12): |800b0001000c000400000e10|

        [HASH]

          data(16): |d6b4268996c587f0093e80981c1df6ac|

        [VENDOR_ID]

          vendor_id: SIDEWINDER

        [VENDOR_ID]

          vendor_id: SW_V_7_0

        [VENDOR_ID]

          vendor_id: NATT_RFC

        [VENDOR_ID]

          vendor_id: NATT_DRAFT3

        [VENDOR_ID]

          vendor_id: NATT_DRAFT2B

        [VENDOR_ID]

          vendor_id: NATT_DRAFT2A

        [NAT_D]

      ...(cont)...

       

       

      2014-07-10 11:10:32 -0500 f_isakmp_daemon a_vpn t_debug p_major

      pid: 1601 logid: 0 cmd: 'ikmpd' hostname: x.com

      vpn_name: vpn_telefonos cky_i: 7bdd5112df5a72fb cky_r: bb612f3aabeed7b0

      local_gw: 192.168.0.1 remote_gw: 192.168.0.2 remote_id: a@a.com

      information: ...(cont)...

          data(16): |7de7a271a9d65f480283781c8e0421b2|

        [NAT_D]

          data(16): |727c0faef4a9ef6d1e20a6bc46845701|

       

       

      2014-07-10 11:10:35 -0500 f_isakmp_daemon a_vpn t_info p_minor

      pid: 1601 logid: 0 cmd: 'ikmpd' hostname: x.com

      vpn_name: vpn_telefonos cky_i: 7bdd5112df5a72fb cky_r: bb612f3aabeed7b0

      local_gw: 192.168.0.1 remote_gw: 192.168.0.2 remote_id: a@a.com

      information: Message timed out for AGGRESSIVE_MODE negotiation in state: RESP_SETUP... retransmitting

       

       

      2014-07-10 11:10:35 -0500 f_isakmp_daemon a_vpn t_debug p_major

      pid: 1601 logid: 0 cmd: 'ikmpd' hostname: x.com

      vpn_name: vpn_telefonos cky_i: 7bdd5112df5a72fb cky_r: bb612f3aabeed7b0

      msg_id: 6edab03d local_gw: 192.168.0.1 remote_gw: 192.168.0.2

      information: [inbound packet]

        [NOTIFY]

          protocol: IKE, type: INVALID_IKE_SPI(4)

          data(476):

       

      2014-07-10 11:10:35 -0500 f_isakmp_daemon a_vpn t_error p_minor

      pid: 1601 logid: 0 cmd: 'ikmpd' hostname: x.com

      vpn_name: vpn_telefonos cky_i: 7bdd5112df5a72fb cky_r: bb612f3aabeed7b0

      msg_id: 6edab03d local_gw: 192.168.0.1 remote_gw: 192.168.0.2

      information: [detailed info]

        [error]

          Incomplete/Invalid attribute encoding detected

      [INFORMATIONAL]

        VPN: vpn_telefonos, CKY_I: |7bdd5112df5a72fb|, CKY_R: |bb612f3aabeed7b0|,

        msg_id: 0x6edab03d

        [state info]

          init/resp: RESPONDER, condition: DYING

        [retry info]

          counter: 0, num_trans: 1, total_time: 3, total_deviation: 0,

          timestamp_out: 0, timestamp_in: 1405008635

        [local gateway] IPV4_ADDR-192.168.0.1

        [remote gateway] IPV4_ADDR-192.168.0.2

       

       

      2014-07-10 11:10:41 -0500 f_isakmp_daemon a_vpn t_info p_minor

      pid: 1601 logid: 0 cmd: 'ikmpd' hostname: x.com

      vpn_name: vpn_telefonos cky_i: 7bdd5112df5a72fb cky_r: bb612f3aabeed7b0

      local_gw: 192.168.0.1 remote_gw: 192.168.0.2 remote_id: a@a.com

      information: Message timed out for AGGRESSIVE_MODE negotiation in state: RESP_SETUP... retransmitting

       

       

      2014-07-10 11:10:56 -0500 f_isakmp_daemon a_vpn t_info p_minor

      pid: 1601 logid: 0 cmd: 'ikmpd' hostname: x.com

      vpn_name: vpn_telefonos cky_i: 7bdd5112df5a72fb cky_r: bb612f3aabeed7b0

      local_gw: 192.168.0.1 remote_gw: 192.168.0.2 remote_id: a@a.com

      information: Message timed out for AGGRESSIVE_MODE negotiation in state: RESP_SETUP... retransmitting
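
For triage, the audit entries in the post above can be reduced to a one-line-per-entry timeline that makes the order of packets, notifies, errors and retransmits visible. This Python code is an added example, not part of the original post or of the firewall's own tooling; the `timeline` function is hypothetical and `SAMPLE` is a constructed, condensed copy of entries from the log above.

```python
import re

# Constructed sample: entries condensed from the firewall audit log in the post.
SAMPLE = """\
2014-07-10 11:10:32 -0500 f_isakmp_daemon a_vpn t_debug p_major
information: [inbound packet]
  [SA]
2014-07-10 11:10:32 -0500 f_isakmp_daemon a_vpn t_debug p_major
information: [outbound packet]
  [SA]
2014-07-10 11:10:35 -0500 f_isakmp_daemon a_vpn t_info p_minor
information: Message timed out for AGGRESSIVE_MODE negotiation in state: RESP_SETUP... retransmitting
2014-07-10 11:10:35 -0500 f_isakmp_daemon a_vpn t_debug p_major
information: [inbound packet]
  [NOTIFY]
    protocol: IKE, type: INVALID_IKE_SPI(4)
2014-07-10 11:10:35 -0500 f_isakmp_daemon a_vpn t_error p_minor
information: [detailed info]
  [error]
    Incomplete/Invalid attribute encoding detected
"""

HEADER = re.compile(r"^\d{4}-\d\d-\d\d (\d\d:\d\d:\d\d) [+-]\d{4} f_isakmp_daemon a_\w+ (t_\w+) p_\w+$")

def timeline(text):
    """Return one (time, event) tuple per audit entry, in log order."""
    entries = []
    for line in (l.strip() for l in text.splitlines()):
        m = HEADER.match(line)
        if m:                           # a timestamped header starts a new entry
            entries.append([m.group(1), m.group(2), []])
        elif line and entries:          # blank lines between fields are skipped
            entries[-1][2].append(line)
    events = []
    for when, kind, lines in entries:
        body = "\n".join(lines)
        direction = re.search(r"\[(inbound|outbound) packet\]", body)
        notify = re.search(r"\[NOTIFY\]\nprotocol: \w+, type: (\w+)\(\d+\)", body)
        error = re.search(r"\[error\]\n(.+)", body)
        event = kind                    # fallback: the audit type, e.g. t_info
        if "retransmitting" in body:
            event = "retransmit"
        elif kind == "t_error" and error:
            event = "error: " + error.group(1)
        elif direction:
            event = direction.group(1) + " packet" + (" NOTIFY=" + notify.group(1) if notify else "")
        events.append((when, event))
    return events
```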