IP Office Technical Tip (Region: Global)

186: Configuring a VPN IP Phone with an Adtran Netvanta 3305 VPN Router

14th August 2007

 

This document assumes that the user/installer is familiar with configuring both the IP Office and the VPN device, as well as with manually configuring IP Hard-phones. It is for reference purposes only when creating the VPN tunnels and does not provide any details on how to configure any other aspect of either device.

 

Test Systems Software Versions and Basic Phone Settings

| Item | Value |
| --- | --- |
| IP Office Core Software | 4.0.7 |
| Adtran Netvanta 3305 Router | Software 15.02.00.E |
| IP Phone Model | 5610 |
| IP Phone Firmware | 2.3.249 |
| IP Office IP Address | 192.168.2.5 |
| TFTP/File Server | 192.168.2.10 |
| IP Phone IP Address | DHCP |
| IP Phone CallSV | 192.168.2.5 |
| IP Phone CallSVPort | 1719 [Default] |
| IP Phone Router | DHCP |
| IP Phone Mask | DHCP |
| IP Phone FileSv | 192.168.2.10 |
| IP Phone 802.1Q | Auto |
| IP Phone VLAN ID | 0 |
| Password used during testing | 1234567890 |
| Remote ID used during testing | remote21.com |

 

Notes

  1. The IP Phones may require a Virtual IP Address to be configured in the VPN settings. Take care in choosing a Virtual IP Range: consider where the phone is most likely to be used and ensure that the selected range will not conflict with the network in use there. For instance, many VPN IP Phones may be installed at users' homes. A home router typically uses 192.168.0.x or 192.168.1.x as its internal network range, so it is recommended that these are not used as a Virtual IP Address Range.

  2. IMPORTANT: Many VPN Routers will not allow a direct media path to be established between two VPN Endpoints. It will be necessary to uncheck the Direct Media Path checkbox in the Extension Configuration in IP Office. Failure to do so will result in no speech path when two VPN extensions try to establish a call.

  3. Review the Sample 46vpnsetting.txt file for simplifying configuration settings on the IP Phones.

  4. While the defaults for Encryption are set at 4500-4500 and these settings do work in most configurations, there may be instances where (depending on what the VPN Router and Home router supports) the user may need to either disable this setting, or change to one of the other options.

  5. If manually configuring a Virtual IP Address on the IP Hard-phone, ensure that accurate records are kept of IP Address allocations to avoid IP Address conflicts.

 

IP Office Configuration

Using IP Office Manager, Open the Configuration and Select IP Routes.

Add a New IP Route for the Virtual LAN Network to be used in the environment.

Modify the Extensions - VoIP Tab for those extensions that will be VPN Extensions, and uncheck the Direct Media Path Check Box.

 

Networking Scenario:

 

 

Adtran Netvanta 3305 - IKE and VPN Policy Settings

To create a VPN and IKE Policy, either use the Wizard to set up most of the basic settings and then edit each profile that has specific needs, or create the IKE and VPN Policy without the Wizard.

By default the Adtran Netvanta does not have QoS enabled. To enable it, use the QoS Map Wizard and manually change parameters as needed, or configure the QoS Map manually.

QoS Map Setup

| Setting | Value |
| --- | --- |
| Match Packets | DSCP (46) |
| Packet Marking | Disable |
| Priority Queue | Unlimited Bandwidth |

 

Create a New VPN Peer

Policy Configuration

VPN Peer Configuration

| Setting | Value |
| --- | --- |
| Name | Adtran |
| VPN Interface | Interface that will Terminate the VPN Tunnel |
| Peer Type | Mobile Peer |

IKE Configuration

| Setting | Value |
| --- | --- |
| XAUTH | Disabled |
| Respond Mode | Any |
| NAT Traversal | Allow V1 and Allow V2 |
| Local ID | IP Address |
| | 71.10.10.4 |

IPSEC Configuration

| Setting | Value |
| --- | --- |
| PFS | Group2 |
| Encryption / Hash | ESP:3 DES / SHA1 |
| Encryption / Hash | No Additional Transforms |
| Lifetime | 28800 seconds |

IKE Attribute

| Setting | Value |
| --- | --- |
| Encryption / Hash | 3 DES |
| Hash | SHA |
| Authentication | Pre Shared Key |
| DH Group | 2 |
| Lifetime | 28800 seconds |

Remote Id’s Allowed to Connect

| Setting | Value |
| --- | --- |
| Remote ID Type | FQDN |
| Remote ID | remote21.com |
| Mode Config | Enabled |
| Pre Shared Key | 1234567890 |
| XAUTH | Disabled |
| NAT Traversal | Allow V1 / Allow V2 |

Remote Addressing

| Setting | Value |
| --- | --- |
| IP Range | 172.16.22.1 to 172.16.22.253 |

VPN Selector Entry

| Setting | Value |
| --- | --- |
| Type | Permit |
| Protocol | Any |
| Source Network / Ports | 192.168.2.0/24 |
| Destination Network / Ports | 172.16.22.0/24 |

 

VPN Remote Phone Settings

VPN Remote Phone Configuration

| Setting | Value |
| --- | --- |
| VPN Profile | Generic PSK |
| Server | 71.10.10.4 |
| IKE ID | remote21.com |
| PSK - (Pre Shared Key) | 1234567890 |

IKE Parameters

| Setting | Value |
| --- | --- |
| IKE ID Type | FQDN |
| Diffie Hellman Group | 2 |
| Encryption ALG | 3DES |
| Authentication ALG | Sha1 |
| IKE Xchange Mode | Aggressive |
| IKE Config Mode | Enabled |

IPSEC Parameters

| Setting | Value |
| --- | --- |
| Encryption ALG | 3DES |
| Authentication ALG | Sha1 |
| Diffie Hellman Group | 2 |
| VPN Start Mode | Boot |
| Password Type | Save in Flash |
| Encapsulation | Disabled |

Protected Nets

| Setting | Value |
| --- | --- |
| Virtual IP | |
| Remote Net #1 | 192.168.2.0/24 |
| Remote Net #2 | |
| Remote Net #3 | |
| Copy TOS | No |
| Connectivity Check | Always |
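
The addressing rules in Notes 1 and 5 and the relationship between the router's VPN Selector Entry and the phone's Protected Nets can be checked before deployment. The script below is an added example, not part of the original Technical Tip or of any Avaya or Adtran tool; the function name `check_vpn_addressing` and the extension labels are hypothetical, and the addresses are the ones from this document's test setup.

```python
import ipaddress

# Ranges Note 1 names as typical home-router LANs.
HOME_LANS = [ipaddress.ip_network(n) for n in ("192.168.0.0/24", "192.168.1.0/24")]

def _overlaps(first, last, net):
    """True if the inclusive range first..last shares any address with net."""
    return first <= net.broadcast_address and net.network_address <= last

def check_vpn_addressing(pool_first, pool_last, selector_src, selector_dst,
                         phone_remote_net, manual_ips=None):
    """Return a list of problems in a VPN phone addressing plan (empty = consistent)."""
    first, last = ipaddress.ip_address(pool_first), ipaddress.ip_address(pool_last)
    src, dst = ipaddress.ip_network(selector_src), ipaddress.ip_network(selector_dst)
    problems = []
    if first > last:
        problems.append("pool start is above pool end")
    for lan in HOME_LANS:
        if _overlaps(first, last, lan):
            problems.append(f"pool overlaps typical home LAN {lan}")
    if _overlaps(first, last, src):
        problems.append(f"pool overlaps office LAN {src}")
    # A contiguous range lies inside a network when both of its ends do.
    if first not in dst or last not in dst:
        problems.append(f"pool is not inside selector destination {dst}")
    # The phone's Remote Net must mirror the router's selector source network.
    if ipaddress.ip_network(phone_remote_net) != src:
        problems.append(f"phone Remote Net {phone_remote_net} differs from selector source {src}")
    # Note 5: manually assigned Virtual IPs must be unique and covered by the selector.
    owners = {}
    for phone, addr in (manual_ips or {}).items():
        ip = ipaddress.ip_address(addr)
        if ip not in dst:
            problems.append(f"{phone}: {ip} is outside selector destination {dst}")
        if ip in owners:
            problems.append(f"{phone}: {ip} already allocated to {owners[ip]}")
        owners.setdefault(ip, phone)
    return problems

if __name__ == "__main__":
    # Values from this document's test setup; extension names are constructed.
    print(check_vpn_addressing("172.16.22.1", "172.16.22.253", "192.168.2.0/24",
                               "172.16.22.0/24", "192.168.2.0/24",
                               {"ext201": "172.16.22.10", "ext202": "172.16.22.11"}))
```

An empty list means the Virtual IP range, the selector entry and the phone's Remote Net agree with each other and avoid the home ranges named in Note 1.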