14th August 2007 - Full PDF Text Version
The following document assumes that the user/installer is familiar with configuring both the IP Office and the VPN device, as well as with manually configuring IP hard-phones. This document is for reference purposes only when creating the VPN tunnels and does not provide any details on how to configure any other aspect of either device.
Test Systems Software Versions and Basic Phone Settings
| Setting | Value |
| --- | --- |
| IP Office Core Software | 4.0.7 |
| Adtran Netvanta 3305 Router | Software 15.02.00.E |
| IP Phone Model | 5610 |
| IP Phone Firmware | 2.3.249 |
| IP Office IP Address | 192.168.2.5 |
| TFTP/File Server | 192.168.2.10 |
| IP Phone IP Address | DHCP |
| IP Phone CallSV | 192.168.2.5 |
| IP Phone CallSVPort | 1719 [Default] |
| IP Phone Router | DHCP |
| IP Phone Mask | DHCP |
| IP Phone FileSv | 192.168.2.10 |
| IP Phone 802.1Q | Auto |
| IP Phone VLAN ID | 0 |
| Password used during testing | 1234567890 |
| Remote ID used during testing | remote21.com |
Notes
The IP Phones may require a Virtual IP Address to be configured in the VPN settings. Take care in choosing a Virtual IP Range: consider where the phone is most likely to be used and ensure that the selected Virtual IP Range will not conflict with the local network there. For instance, many VPN IP Phones may be installed at users' homes. A home router typically uses 192.168.0.x or 192.168.1.x as its internal network range, so it is recommended that these ranges not be used as a Virtual IP Address Range.
IMPORTANT: Many VPN routers will not allow a direct media path to be established between two VPN endpoints. It will be necessary to uncheck the Direct Media Path checkbox in the Extension Configuration in IP Office. Failure to do so will result in no speech path when two VPN extensions try to establish a call.
Review the Sample 46vpnsetting.txt file for simplifying configuration settings on the IP Phones.
While the defaults for Encryption are set at 4500-4500 and these settings do work in most configurations, there may be instances where (depending on what the VPN router and home router support) the user may need to either disable this setting or change to one of the other options.
If manually configuring a Virtual IP Address on the IP Hard-phone, ensure that accurate records are kept of IP Address allocations to avoid IP Address conflicts.
Using IP Office Manager, open the Configuration and select IP Routes.
Add a new IP Route for the Virtual LAN Network to be used in the environment.
Modify the Extensions - VoIP tab for those extensions that will be VPN Extensions, and uncheck the Direct Media Path checkbox.
Networking Scenario:
To create a VPN and IKE Policy, either use the Wizard to set up most of the basic settings and then adjust each profile for its specific needs, or create the IKE and VPN Policy without the Wizard.
By default the Adtran Netvanta does not have QoS enabled. To enable it, use the QoS Map Wizard and manually change parameters as needed, or configure the QoS Map manually.
| QoS Map Setup | |
| --- | --- |
| Match Packets | DSCP (46) |
| Packet Marking | Disable |
| Priority Queue | Unlimited Bandwidth |
Create a New VPN Peer
| Policy Configuration | |
| --- | --- |
| VPN Peer Configuration | |
| Name | Adtran |
| VPN Interface | Interface that will Terminate the VPN Tunnel |
| Peer Type | Mobile Peer |
| IKE Configuration | |
| XAUTH | Disabled |
| Respond Mode | Any |
| NAT Traversal | Allow V1 and Allow V2 |
| Local ID | IP Address |
| | 71.10.10.4 |
| IPSEC Configuration | |
| PFS | Group2 |
| Encryption / Hash | ESP:3 DES / SHA1 |
| Encryption / Hash | No Additional Transforms |
| Lifetime | 28800 seconds |
| IKE Attribute | |
| Encryption / Hash | 3 DES |
| Hash | SHA |
| Authentication | Pre Shared Key |
| DH Group | 2 |
| Lifetime | 28800 seconds |
| Remote IDs Allowed to Connect | |
| Remote ID Type | FQDN |
| Remote ID | remote21.com |
| Mode Config | Enabled |
| Pre Shared Key | 1234567890 |
| XAUTH | Disabled |
| NAT Traversal | Allow V1 / Allow V2 |
| Remote Addressing | |
| IP Range | 172.16.22.1 to 172.16.22.253 |
| VPN Selector Entry | |
| Type | Permit |
| Protocol | Any |
| Source Network / Ports | 192.168.2.0/24 |
| Destination Network / Ports | 172.16.22.0/24 |
VPN Remote Phone Settings
| VPN Remote Phone Configuration | |
| --- | --- |
| VPN Profile | Generic PSK |
| Server | 71.10.10.4 |
| IKE ID | remote21.com |
| PSK - (Pre Shared Key) | 1234567890 |
| IKE Parameters | |
| IKE ID Type | FQDN |
| Diffie Hellman Group | 2 |
| Encryption ALG | 3DES |
| Authentication ALG | Sha1 |
| IKE Xchange Mode | Aggressive |
| IKE Config Mode | Enabled |
| IPSEC Parameters | |
| Encryption ALG | 3DES |
| Authentication ALG | Sha1 |
| Diffie Hellman Group | 2 |
| VPN Start Mode | Boot |
| Password Type | Save in Flash |
| Encapsulation | Disabled |
| Protected Nets | |
| Virtual IP | |
| Remote Net #1 | 192.168.2.0/24 |
| Remote Net #2 | |
| Remote Net #3 | |
| Copy TOS | No |
| Connectivity Check | Always |
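
The following is an added example, not part of the original document or of any Avaya or Adtran tooling: a Python check that the phone's IKE/IPsec parameters match the router policy and that the Mode Config address pool stays inside the selector's destination network and clear of the office LAN and the home-router ranges named in the Notes. The values are transcribed from the tables above; the dictionary keys and the `norm` and `check` helpers are names chosen for this example.

```python
import ipaddress

# Values transcribed from the router and phone tables on this page.
ROUTER = {"ike_enc": "3 DES", "ike_hash": "SHA", "ike_dh": "2",
          "esp_enc": "3 DES", "esp_hash": "SHA1", "pfs": "Group2",
          "remote_id": "remote21.com", "id_type": "FQDN", "psk": "1234567890",
          "pool": ("172.16.22.1", "172.16.22.253"),
          "sel_src": "192.168.2.0/24", "sel_dst": "172.16.22.0/24"}
PHONE = {"ike_enc": "3DES", "ike_hash": "Sha1", "ike_dh": "2",
         "esp_enc": "3DES", "esp_hash": "Sha1", "pfs": "2",
         "remote_id": "remote21.com", "id_type": "FQDN", "psk": "1234567890",
         "remote_net": "192.168.2.0/24"}
# Assumption: typical home-router LANs, taken from the Notes section.
HOME_NETS = ["192.168.0.0/24", "192.168.1.0/24"]

def norm(value):
    """Fold spelling variants ('3 DES', 'Sha1', 'Group2') to one token."""
    v = value.lower().replace(" ", "").replace("group", "")
    return "sha1" if v == "sha" else v

def check(router, phone, home_nets=HOME_NETS):
    """Return a list of human-readable problems; empty means consistent."""
    problems = []
    for key in ("ike_enc", "ike_hash", "ike_dh", "esp_enc", "esp_hash",
                "pfs", "remote_id", "id_type", "psk"):
        a, b = router[key], phone[key]
        if key != "psk":  # the pre-shared key is compared byte for byte
            a, b = norm(a), norm(b)
        if a != b:
            problems.append(f"{key}: router={router[key]!r} phone={phone[key]!r}")
    first, last = (ipaddress.ip_address(a) for a in router["pool"])
    pool = list(ipaddress.summarize_address_range(first, last))
    dst = ipaddress.ip_network(router["sel_dst"])
    if not all(net.subnet_of(dst) for net in pool):
        problems.append("pool: not inside selector destination network")
    office = ipaddress.ip_network(router["sel_src"])
    for name in [str(office)] + list(home_nets):
        other = ipaddress.ip_network(name)
        if any(net.overlaps(other) for net in pool):
            problems.append(f"pool: overlaps {name}")
    if ipaddress.ip_network(phone["remote_net"]) != office:
        problems.append("remote_net: phone protected net != selector source")
    return problems

if __name__ == "__main__":
    print(check(ROUTER, PHONE) or "router and phone settings are consistent")
```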