IP Office Technical Tip (Region: Global)

185: Configuring a VPN IP Phone with a Kentrox Q2300 VPN Router

13th July 2007 - Full PDF Text Version

 

The following document assumes that the user/installer is familiar with configuring both the IP Office and VPN devices as well as setting manually configuring IP hard phones. This document is for reference purposes only when creating the VPN tunnels and does not provide details on how to configure any other aspect of either device.

 

Test Systems Software Versions and Basic Phone Settings

IP Office Core Software

4.0.7

Kentrox Q2300 Router Software

1.35.17 [Apr 25 2006]

IP Phone Model

5610

IP Phone Firmware

2.3.249

IP Office IP Address

192.168.2.5

TFTP/File Server

192.168.2.10

IP Phone IP Address

DHCP

IP Phone CallSV

192.168.2.5

IP Phone CallSVPort

1719 [Default]

IP Phone Router

DHCP

IP Phone Mask

DHCP

IP Phone FileSv

192.168.2.10

IP Phone 802.1Q

Auto

IP Phone VLAN ID

0

Password used during testing

1234567890

Remote ID used for Option1 test

vpnphone

Remote ID used for Option2 test

vpnphone2

 

Notes

  1. The IP Phones may require a Virtual IP Address to be configured in the VPN settings. Please take care in choosing a Virtual IP Range. Consider where the phone is most likely to be used and ensure that the Virtual IP Range selected will not conflict. For instance, many VPN IP Phones may be installed at userís homes. Typically a Home Router uses 192.168.0.x or 192.168.1.x as its internal network range therefore it is recommended that this is not used as a Virtual IP Address Range.

  2. IMPORTANT: Many VPN Routers will not allow a direct media path to be established between two VPN Endpoints. It will be necessary to uncheck the Direct Media Path checkbox in the Extension Configuration in IP Office. Failure to do so will result in No Speech path when two VPN extensions try and establish a call.

  3. Review the Sample 46vpnsetting.txt file for simplifying configuration settings on the IP Phones.

  4. While the defaults for Encryption are set at 4500-4500 and these settings do work in most configurations, there may be instances where (depending on what the VPN Router and Home router supports) the user may need to either disable this setting, or change to one of the other options.

  5. If manually configuring a Virtual IP Address on the IP Hard-phone, ensure that accurate records are kept of IP Address allocations to avoid IP Address conflicts.

 

IP Office Configuration

Using IP Office Manager, Open the Configuration and Select IP Routes.

Add a New IP Route for the Virtual LAN Network to be used in the environment.

Modify the Extensions - VoIP Tab for those extensions that will be VPN Extensions, and uncheck the Direct Media Path Check Box.

 

Networking Scenario:

 

Kentrox Q2300 VPN Router VPN Configuration settings

There are two methods that can be used to connect a VPN Remote Phone providing the customer with different options for installation and management of the remote phone users.

 

Option 1 - Using Dynamic VPN
This is the simplest and quickest method of implementation allowing multiple clients to connect.

For configuration settings, refer to page 4.

 

Option 2 - Using IKE and VPN Policy
This option provides more configuration options so far as defining the Client policy to be used, more control over the algorithms to be used etc, it also has more steps to setup and configure.

For configuration settings, refer to pages 5 - 6

 

Kentrox Q2300 Option 1: Using a Dynamic VPN Policy

Once logged into the FVS338, Select the VPN Option, then Select Global Settings.

Global Settings - Option 1

VPN Interface

Ipwan [71.10.10.4]

Local ID

VPN Interface

 

ipwan

Egress TOS Action

Copy

Ingress TOS Action

Copy

Egress DF Bit Action

clear

Enable Strict Encryption

Checked

Enable Dynamic VPN

Checked

VPN Preshared Key

1234567890

 

Kentrox Option 1: VPN Remote Phone Settings

VPN Remote Phone Configuration - Option 1

VPN Profile

Generic PSK

Server

71.10.10.4

IKE ID

vpnphone

PSK - (Pre Shared Key)

1234567890

IKE Parameters

 

IKE ID Type

FQDN

Diffie Hellman Group

2

Encryption ALG

3Des

Authentication ALG

Sha1

IKE Xchange Mode

Aggressive

IKE Config Mode

Disabled

IPSEC Parameters

 

Encryption ALG

3DES

Authentication ALG

Sha1

Diffie Hellman Group

2

VPN Start Mode

Boot

Password Type

Save in Flash

Encapsulation

4500 - 4500

Protected Nets

 

Virtual IP

172.16.22.5

Remote Net #1

192.168.2.0/24

Remote Net #2

 

Remote Net #3

 

Copy TOS

Yes

Connectivity Check

Always

 

Kentrox Q2300 Option 2: Using a VPN Gateway Client and Tunnel Policy

Once logged into the FVS338, Select the VPN Option, then Select Global Settings

Global Settings - Option 2

VPN Interface

Ipwan [71.10.10.4]

Local ID

VPN Interface

 

ipwan

Egress TOS Action

Copy

Ingress TOS Action

Copy

Egress DF Bit Action

clear

Enable Strict Encryption

Checked

Enable Dynamic VPN

Unchecked

 

Once Configured, Select and Add a Client Gateway

Client Gateway   Client Configuration - Option 2

Gateway

ipo [Name must start with a letter]

Remote ID Type

Email

Email

vpnphone2

Authentication Type

Pre Shared Key

Pre Shared Key

1234567890

Negotiation Mode

Aggressive **

Diffie Hellman Group

2 **

Phase 1 Encryption Hash

3DES-Sha **

Lifetime Format

Secs

Lifetime [secs]

432000 [Important] **

Enable Gateway

Checked

NAT Traversal Configuration

 

Enable NAT Traversal

Checked

Enable UDP Checksum

Checked

** The Kentrox Router requires that all these values match. If these do not match, you will receive a No_Proposal_Chosen Error in the Kentrox Logs. The VPN Remote Phone does not have a configuration option for the Lifetime value. This value can usually be viewed in the Kentrox VPN Log.

 

Once the Client Gateway has been added Add a Tunnel to the Client Gateway Profile

Tunnel Configuration

Tunnel Name

ipot [Name must start with a letter]

Local Address

User Defined

 

192.168.2.0/24

Enable Tunnel

Checked

Phase 2

Configuration

Transform

ESP **

Authentication

Sha **

Encryption

3DES

Diffie Hellman

Group 2 **

Lifetime Format

Secs

Lifetime [secs]

432000 [Important] **

 

Kentrox Option 2: VPN Remote Phone Settings

VPN Remote Phone Configuration - Option 2

VPN Profile

Generic PSK

Server

71.10.10.4

IKE ID

Vpnphone2

PSK - (Pre Shared Key)

1234567890

IKE Parameters

 

IKE ID Type

User-FQDN

Diffie Hellman Group

2

Encryption ALG

3DES

Authentication ALG

Sha1

IKE Xchange Mode

Aggressive

IKE Config Mode

Disabled

IPSEC Parameters

 

Encryption ALG

3DES

Authentication ALG

Sha1

Diffie Hellman Group

2

VPN Start Mode

Boot

Password Type

Save in Flash

Encapsulation

4500 - 4500

Protected Nets

 

Virtual IP

172.16.22.5

Remote Net #1

192.168.2.0/24

Remote Net #2

 

Remote Net #3

 

Copy TOS

Yes

Connectivity Check

Always