Avaya VPNremote Phone Service Guide

Avaya Solution & Interoperability Test Lab

Application Notes for Configuring Avaya VPNremote™ Phone with Juniper Secure Services Gateway using PolicyBased IPSec VPN and XAuth Enhanced Authentication – Issue 1.0

Abstract

These Application Notes describe the steps for configuring the Juniper Secure Services Gateway 520 Security Platform with a policy-based IPSec VPN and XAuth enhanced authentication to support the Avaya VPNremote™ Phone. The sample configuration presented in these Application Notes utilizes a shared IKE Group ID to streamline the VPN configuration and management, IP Network Region segmentation to logically group and administer VPNremote Phones and NAT-T for IPSec traversal of Network Address Translation devices.

EMH; Reviewed: SPOC 9/27/06

Solution & Interoperability Test Lab Application Notes

1 of 42

vpnphone_ssg.doc

TABLE OF CONTENTS

1. INTRODUCTION..............................................................................................................................................3

1.1. HIGHLIGHTS ................................................................................................................................................3

2. NETWORK TOPOLOGY ................................................................................................................................4

3. EQUIPMENT AND SOFTWARE VALIDATED...........................................................................................7

4. CONFIGURE JUNIPER SSG 520....................................................................................................................7

4.1. ACCESS SSG 520 ........................................................................................................................................7

4.2. CONFIGURE JUNIPER SSG ETHERNET INTERFACES .....................................................................................8

4.3. IP ADDRESS POOL .....................................................................................................................................11

4.4. ROUTES .....................................................................................................................................................12

4.5. LOCAL USER CONFIGURATION ..................................................................................................................14

4.6. LOCAL USER GROUP CONFIGURATION......................................................................................................17

4.7. VPN..........................................................................................................................................................19

4.8. XAUTH CONFIGURATION ..........................................................................................................................24

4.9. H.323 ALG ...............................................................................................................................................26

4.10. SECURITY POLICIES...................................................................................................................................26

5. AVAYA VPNREMOTE PHONE CONFIGURATION................................................................................28

5.1. VPNREMOTE PHONE FIRMWARE...............................................................................................................28

5.2. CONFIGURING AVAYA VPNREMOTE PHONE .............................................................................................28

6. EXTREME 3804 CONFIGURATION...........................................................................................................30

6.1. ADD IP ROUTE TO VPN IP ADDRESS POOL NETWORK ..............................................................................30

7. AVAYA COMMUNICATION MANAGER CONFIGURATION..............................................................31

7.1. VPNREMOTE PHONE CONFIGURATION......................................................................................................31

7.2. IP CODEC SETS CONFIGURATION ..............................................................................................................31

7.3. IP NETWORK MAP CONFIGURATION .........................................................................................................32

7.4. IP NETWORK REGIONS CONFIGURATION...................................................................................................33

8. VERIFICATION STEPS.................................................................................................................................34

8.1. VPNREMOTE PHONE QTEST ......................................................................................................................34

8.2. VPNREMOTE PHONE IPSEC STATS ............................................................................................................35

8.3. JUNIPER SSG DEBUG AND LOGGING .........................................................................................................35

8.4. OVERLAPPING NETWORK ADDRESSES ......................................................................................................37

9. CONCLUSION.................................................................................................................................................37

10. DEFINITIONS AND ABBREVIATIONS.................................................................................................37

11. REFERENCES............................................................................................................................................38

APPENDIX A: SSG 520 A CLI CONFIGURATION ............................................................................................39

EMH; Reviewed: SPOC 9/27/06

Solution & Interoperability Test Lab Application Notes

2 of 42

vpnphone_ssg.doc

1. Introduction

These Application Notes describes the steps for configuring the Juniper Secure Services Gateway 520 security appliance to support the Avaya VPNremote™ Phone.

The Avaya VPNremote™ Phone is a software based Virtual Private Network (VPN) client integrated into the firmware of an Avaya IP Telephone. This enhancement allows the Avaya IP Telephone to be plugged in and used seamlessly over a secure VPN from any broadband Internet connection. The end user experiences the same IP telephone features as if they were using the phone in the office. Avaya IP Telephone models supporting the Avaya VPNremote Phone firmware are the 4610SW, 4620SW, 4621SW, 4622SW and 4625SW.

Release 2 of the Avaya VPNremote Phone extends the support of head-end VPN gateways to include Juniper security platforms. The configuration steps described in these Application Notes utilize a Juniper Secure Services Gateway (SSG) model 520. However, these configuration steps can be applied to Juniper NetScreen and ISG platforms using the ScreenOS version specified in Section 3.

1.1. Highlights

The sample network provided in these Application Notes implements the following features of the Juniper SSG 520 and Avaya VPNremote Phone:

• Policy-Based IPSec VPN

The policy-based VPN feature of the Juniper SSG allows a VPN Tunnel to be directly associated with a security policy as opposed to a route-based VPN being bound to a logical VPN Tunnel interface. Because no network exists beyond a VPN client end-point, policy-based VPN tunnels are a good choice for VPN end-point configurations such as with the Avaya VPNremote Phone.

• XAuth User Authentication

The XAuth protocol enables the Juniper SSG to authenticate the individual users of the VPNremote Phone. The XAuth user authentication is in addition to the IKE IPSec VPN authentication. The IKE and XAuth authentication steps of the Avaya VPNremote Phone are as follows:

Step 1. Phase 1 negotiations: the Juniper SSG authenticates the Avaya VPNremote

Phone by matching the IKE ID and Pre-SharedKkey sent by the Avaya VPNremote Phone. If there is a match, the Juniper SSG XAuth process begins.

EMH; Reviewed: SPOC 9/27/06

Solution & Interoperability Test Lab Application Notes

3 of 42

vpnphone_ssg.doc

Step 2. XAuth: the Juniper SSG XAuth server prompts the Avaya VPNremote Phone for

user credentials (username and password). If the Avaya VPNremote Phone is configured to store user credentials in flash memory, the Avaya VPNremote Phone responds to the Juniper SSG with the stored credentials without user involvement. Otherwise the Avaya VPNremote Phone displays a prompt for username and password to be manually entered.

Step 3. Phase 2 negotiations: Once the XAuth user authentication is successful, Phase 2

negotiations begin.

• XAuth Dynamic IP Address Assignment

The XAuth protocol enables the Juniper SSG appliance to dynamically assign IP addresses from a configured IP Address pool range. The assignment of IP address ranges to Avaya VPNremote Phones enables Avaya Communication Manager to map the Avaya VPNremote Phones into IP Network Regions.

• Shared IKE Group ID

The shared IKE ID feature of the Juniper SSG appliance facilitates the deployment of a large number of dialup IPSec VPN users. With this feature, the security device authenticates multiple dialup VPN users using a single group IKE ID and preshared key. Thus, it provides IPSec protection for large remote user groups through a common VPN configuration. XAuth user authentication must be used when implementing Shared IKE Group ID.

• IP-Network-Region Segmentation

A common deployment for the Avaya VPNremote Phones is in a home network environment with limited bandwidth. The G.729 codec is recommended for such bandwidth constrained environments. Avaya Communication Manager IP Network Regions allow IP endpoints to be logically grouped together to apply unique configuration settings, including the assignment of specific codecs.

2. Network Topology

The sample network implemented for these Application Notes is shown in Figure 1. Three office locations are included, a “Main Campus” and three “Remote Offices”.

The Main Campus consists of two Juniper SSG 520’s, named “SSG 520 A” and “SSG 520 B”, functioning as perimeter security devices and IPSec VPN head-ends. The Avaya S8710 Media Server and Avaya G650 Media Gateway are also located at the Main Campus. The Main Campus is mapped to Network Region 1 in Avaya Communication Manager.

EMH; Reviewed: SPOC 9/27/06

Solution & Interoperability Test Lab Application Notes

4 of 42

vpnphone_ssg.doc

Remote SOHO Office A consists of two Avaya VPNremote Phones connected to a Netgear broadband router. The Netgear router is configured as a firewall with NAT enabled as well as a local DHCP server. The VPNremote phones in Remote Office A are configured to use SSG 520 A for IPSec tunnel termination. SSG 520 A assigns an IP address to the VPNremote Phones mapped to Network Region 2 in Avaya Communications Manager.

Remote Home Office B consists of a single Avaya VPNremote Phones connected to a Linksys broadband router. The Linksys router is configured as a firewall with NAT enabled as well as a local DHCP server. The VPNremote phone in Remote Office B is configured to use SSG 520 A for IPSec tunnel termination. SSG 520 A assigns an IP address to the VPNremote Phone mapped to Network Region 2 in Avaya Communication Manager.

Remote Home Office C consists of a single Avaya VPNremote Phones connected to a Dlink broadband router. The Dlink router is configured as a firewall with NAT enabled as well as a local DHCP server. The VPNremote phone in Remote Office C is configured to use SSG 520 B for IPSec tunnel termination. SSG 520 B assigns an IP address to the VPNremote Phone mapped to Network Region 3 in Avaya Communication Manager.

Table 1 summarizes the Network Region IP address mappings.

Network

Region

IP Address

Range

Juniper

SSG

Office

1 192.168.1.0 /24 - Main

2 50.50.100.0 /24 A

Remote SOHO Office A

Remote Home Office B

3 50.50.130.0 /24 B Remote Home Office C

Table 1 – Network Region Mappings

EMH; Reviewed: SPOC 9/27/06

Solution & Interoperability Test Lab Application Notes

5 of 42

vpnphone_ssg.doc

EMH; Reviewed: SPOC 9/27/06

Figure 1: Physical Network

Solution & Interoperability Test Lab Application Notes

6 of 42

vpnphone_ssg.doc

3. Equipment and Software Validated

Table 2 lists the equipment and software/firmware versions used in the sample configuration provided.

Device Description Versions Tested

Avaya S8710 Media Server

Avaya Communication Manager R3.0.1 (R013x.00.1.346.0)

Avaya G650 Media Gateway -

TN2312BP IPSI FW 22 (HV 6) TN799DP C-LAN FW 16 (HV 1)

TN2302AP IP MedPro FW 108 (HV 12) Avaya 4610SW IP Telephones R2.3.2 – Release 2 (a10bVPN232_1.bin) Avaya 4620SW IP Telephones R2.3.2 – Release 2 (a20bVPN232_1.bin) Avaya 4621SW IP Telephones R2.3.2 – Release 2 (a20bVPN232_1.bin) Avaya 4625SW IP Telephones R2.5.2 – Application (a25VPN252_1.bin) Juniper Networks SSG 520 ScreenOS 5.4.0r1.0 Extreme Alpine 3804 Netgear Broadband Router – RP614v3 Firmware – V6.0NA 09/03/04 D-Link Broadband Router – DL-604 Firmware – 3.51 11/22/04 Linksys Broadband Router – BEFSR41 Ver4 Firmware – v1.04.05 07/20/05

Table 2 – Equipment and Software Validated

4. Configure Juniper SSG 520

Two Juniper SSG 520’s are included in the sample configuration as described in Section 2. The primary difference in the configuration between these Juniper SSG 520s is IP address assignment and IP Pool address range. For brevity purposes, only the steps for configuring one of the SSG’s, SSG 520 A, is covered in these Application Notes.

The configuration steps utilize the Web User Interface (WebUI) of the Juniper SSG 520. The entire Juniper SSG 520 system CLI configuration is provided as a reference in Appendix A.

4.1. Access SSG 520

EMH; Reviewed: SPOC 9/27/06

From a serial connection to the Console port of the Juniper SSG, log in and access the Command Line Interface using a Terminal Emulation application such as Windows HyperTerm. Execute the following commands to configure the Juniper SSG Ethernet interface 0/0. This enables access to the Juniper SSG WebUI.

SSG520-> set interface ethernet0/0 ip 192.168.1.199/24

SSG520-> set interface ethernet0/0 ip manageable

Solution & Interoperability Test Lab Application Notes

vpnphone_ssg.doc

7 of 42

From a web browser, enter the URL of the Juniper SSG WebUI management interface, https://<IP address of the SSG>, and the following login screen appears. Log in using a user name with administrative privileges.

The Juniper SSG WebUI administration home page appears upon successful login. Note the ScreenOS Firmware Version in the Device Information section.

4.2. Configure Juniper SSG Ethernet Interfaces

The Juniper SSG 520 has four build-in Ethernet interfaces, Ethernet 0/0 – Ethernet 0/3. The steps below configured Ethernet 0/0 to a Trust security zone facing the internal corporate network and Ethernet 0/2 to an Untrust security zone facing the public internet. The Avaya VPNremote Phone will interact with Ethernet 0/2 when establishing an IPSec Tunnel.

Configure Ethernet 0/0:

From the left navigation menu, select Network The Network Interfaces List screen appears. The IP address is already populated for Ethernet0/0 from the basic configuration of Section 4.1. Select Edit for Ethernet 0/0 to configure additional parameters.

> Interfaces.

EMH; Reviewed: SPOC 9/27/06

Solution & Interoperability Test Lab Application Notes

8 of 42

vpnphone_ssg.doc

From the Ethernet 0/0 properties page, configure the highlighted fields shown below. All remaining fields can be left as default. Select OK to save.

Ethernet 0/0 connects to the private corporate network making it a trusted interface. It is placed in the Trust security zone of the Juniper SSG. The Service Options selected and enabling Manageability are related to the interface being in the Trust zone.

EMH; Reviewed: SPOC 9/27/06

Solution & Interoperability Test Lab Application Notes

9 of 42

vpnphone_ssg.doc

Configure Ethernet 0/2 Interface:

From the Network Interfaces List screen, select Edit for Ethernet 0/2

From the Ethernet 0/2 properties page, configure the highlighted fields shown below. All remaining fields can be left as default. Select OK to save.

Because Ethernet0/2 is in the Untrust zone and not configured as manageable, all service options are disabled.

EMH; Reviewed: SPOC 9/27/06

Solution & Interoperability Test Lab Application Notes

10 of 42

vpnphone_ssg.doc

4.3. IP Address Pool

The XAuth protocol enables the Juniper SSG to dynamically assign IP addresses from a configured IP Address pool range to IPSec clients such as the Avaya VPNremote Phone. Controlling the assignment of IP address ranges to Avaya VPNremote Phones enables Avaya Communication Manager to map the Avaya VPNremote Phones into IP Network Regions as described in Section 7.4.

The following steps create the IP Address Pool:

From the left navigation menu, select Objects > IP Pools. On the IP Pools list page, select New.

From the IP Pools Edit page, populate the highlighted fields shown below then select OK to save.

The IP Pool Name is a descriptive name for this IP Pool. Once configured, this name will appear in the IP Pool Name drop-down menu of Section 4.8.

Ensure the IP address range does not conflict with addresses used throughout the corporate trusted network.

The IP Pools list page displays the new address pool entry.

EMH; Reviewed: SPOC 9/27/06

Solution & Interoperability Test Lab Application Notes

11 of 42

vpnphone_ssg.doc

4.4. Routes

The sample configuration requires two new route entries be added to the Juniper SSG routing table, one specifying the default route and one specifying the network address range entered for the IP Address Pool in Section 4.3. Although several routing options exist in the Juniper SSG platform, static routes are used for this sample configuration.

4.4.1. Configure Default Route

From the left navigation menu, select Network > Routing > Destination The Route Entries screen similar to the one below appears.

Select trust-vr from drop down menu then New

EMH; Reviewed: SPOC 9/27/06

Solution & Interoperability Test Lab Application Notes

12 of 42

vpnphone_ssg.doc

Configure the highlighted fields shown below. All remaining fields can be left as default. Select OK to save.

The 0.0.0.0/0 network indicates the default route when no other matches existing in the routing table. The route is going to the next hop out interface Ethernet 0/2 to the public internet.

EMH; Reviewed: SPOC 9/27/06

Solution & Interoperability Test Lab Application Notes

13 of 42

vpnphone_ssg.doc

+ 29 hidden pages