Avaya VPN Phone Con
-
Has anyone had any luck getting Avaya IP/VPN handsets working with IPSec in pfSense?
-
I've never tried one, but judging by the manual it appears to be standard IPsec, very much like what you'd set up for iOS or Android IPsec mobile clients. Should work fine.
-
Hello. I have Avaya VPN phones working with pfsense. Specifically Avaya 9641G on pfsense 2.1.5 is working flawlessly. 2.2 is working, but with some odd settings. Hopefully that'll get resolved eventually too.
Assumptions
- LAN: 10.10.10.0/24
- VPN pool: 172.16.1.0/24
- pfsense: 10.10.10.1
- IP Office: 10.10.10.100
On the pfsense side, for IPsec on 2.1.5 follow this guide: https://doc.pfsense.org/index.php/IPsec_Road_Warrior/Mobile_Client_How-To
In IP Office
Create an IP route in IPO (IP Route > New):
- IP Address: 172.16.1.0
- IP Mask: 255.255.255.0
- Gateway: 10.10.10.1
- Destination: LAN1
Avaya Phone Setup
Ensure the LAN settings are configured for the phone (CRAFT > ADDR)
CRAFT menu > VPN
note: most of these settings are default

General (tab)
- VPN: Enabled
- VPN Vendor: Cisco
- Gateway Address: ${Public IP Here}
- External Phone IP Address: BLANK (DHCP)
- External Router: BLANK (DHCP)
- External Subnet Mask: BLANK (DHCP)
- External DNS Server: BLANK (DHCP)
- Encapsulation: 4500-4500
- Copy TOS: No

Auth Type (tab)
- PSK with XAUTH

User Cred. (tab)
- VPN User Type: Any
- VPN User: ${VPN Username Here}
- Password Type: Save in Flash

Password Entry (tab)
- User Password: ${VPN User Password Here}

IKE PSK (tab)
- IKE ID (Group Name): ${Group Name Here}
- Pre-Shared Key (PSK): ${Pre-Shared Key Here}

IKE Phase 1 (tab)
- IKE ID Type: KEY_ID
- IKE Xchg Mode: Aggressive
- IKE DH Group: 2
- IKE Encryption Alg: Any
- IKE Auth. Alg.: Any
- IKE Config. Mode: Enabled

IKE Phase 2 (tab)
- IPsec PFS DH Group: No PFS
- IPSec Encryption Alg: Any
- IPSec Auth Alg.: Any
- Protected Network: 0.0.0.0/0
Once you save the phone should reboot, connect to the tunnel, register with the PBX and be able to make/receive calls. If you have any trouble please report back.
pfsense 2.2 Notes
- Encapsulation does not work from the Avaya phone to the pfsense box on 2.2. The tunnel will connect but the phone will not find/register with the PBX and will show 'Discover x.x.x.x' on the display. You can disable it on the phone side by going to CRAFT > VPN, and changing the 'Encapsulation' value from '4500-4500' to 'Disabled' on the 'General' tab. This allows the phone to see the PBX. I hope there is some way to correct this in the future.
- Renegotiation does not work from the Avaya phone to the pfsense box on 2.2. The tunnel will connect but when the first renegotiation starts the phone will complain about IKE phase 1 having no response. Also, the tunnel could not be reestablished for several hours even after manually closing the tunnel and restarting IPsec on the pfsense side. Only waiting for the keys to expire or clearing the values on the phone would allow a new tunnel to connect. The only solution I've found is disabling rekey altogether.
IPsec > Phase 1 > Advanced Options > Disable Rekey: [checked]
Not ideal but the phone doesn't seem to mind or ask to renegotiate.
These problems could entirely be due to Avaya's implementation, but it is still unfortunate that these workarounds must be used at this point.
Final Thoughts
Make sure that the networks are on different subnets, or else you will have problems…
i.e.:
- LAN (pfsense): 10.10.10.0/24
- VPN Virtual Pool: 172.16.1.0/24
- Remote LAN: 192.168.1.0/24
This is easily overlooked (guilty – and I knew better).
-
I was helping someone on IRC last week with an Avaya phone with 2.2. Sounds like a bit different of a circumstance, but the phone was sending malformed traffic. It apparently worked with 2.1.5. It appeared strongswan was doing something differently than racoon which triggered a bug in the phone's IPsec client. He had no means of getting to the phone's management interface so we were stuck.
You have a spare phone or two you could contribute to the cause? If you can ship me one, I'll experiment and see what works and what changed in behavior between racoon and strongswan there. PM me if you (or anyone) is willing to give us one and I'll get you an address. I'm in the US, FYI, in case shipment destination and associated cost influences your decision.
-
@cmb:
I was helping someone on IRC last week with an Avaya phone with 2.2. Sounds like a bit different of a circumstance, but the phone was sending malformed traffic. It apparently worked with 2.1.5. It appeared strongswan was doing something differently than racoon which triggered a bug in the phone's IPsec client. He had no means of getting to the phone's management interface so we were stuck.
You have a spare phone or two you could contribute to the cause? If you can ship me one, I'll experiment and see what works and what changed in behavior between racoon and strongswan there. PM me if you (or anyone) is willing to give us one and I'll get you an address. I'm in the US, FYI, in case shipment destination and associated cost influences your decision.
That… might've been me actually. Encapsulation and rekey were working on 2.1.5, but unfortunately at this point both have to be disabled for it to work properly with 2.2/strongswan.
I have an open support ticket and have done some back and forth with jimp on this (as always, he's extremely helpful). I mentioned a very similar sounding situation but with Avaya + Cisco ASA... tl;dr: Cisco expects a NAT-D payload type 20, and Avaya only does NAT-D payload type 15. Same solution - disable encapsulation. It appears to have happened when Cisco changed some of their more forgiving backend. Link: http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/116294-problem-nat-00.html
I really feel that this is a problem with Avaya's implementation, and that racoon was simply more forgiving – still kinda a bummer.
I'd like to try and get a phone to you. It's not my decision but I might be able to make it happen. They're ~$230 on Amazon. I think you would have to set up an IP Office PBX to really get to the root of this issue; with encapsulation enabled the tunnel connects, but the phone just will not see/register with the PBX. iirc, a developer account with Avaya can get the 'server edition' that you could run on a VM at no cost.
Thank you for your interest in this, Chris. I really appreciate it.
sidenote: read the blog post last night. Instantly bought a ticket for the hype train! Choo-choo!
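As an added example (not from this thread, pfSense or Avaya), a small Python parser that walks the payload chain of an unencrypted IKEv1 message and reports whether the peer's NAT-D payloads use type 15 (the number from the pre-RFC NAT-T drafts) or type 20 (the RFC 3947 number), which is the mismatch the Cisco note above describes; the sample messages, SPI values and payload bodies are constructed here for illustration, so the check can be run against a captured Aggressive-mode first message before deciding to turn NAT-T off.

```python
import struct
# IKEv1/ISAKMP payload type numbers that matter for NAT traversal.
NATD_DRAFT = 15    # NAT-D as numbered by the pre-RFC NAT-T drafts (the thread says the phone sends this)
NATD_RFC3947 = 20  # NAT-D as assigned by RFC 3947 (the stricter peer expects this)
ISAKMP_HDR = 28    # fixed ISAKMP header size in bytes

def build_ike_message(exchange_type, payloads):
    """Constructed sample builder: wrap a list of (type, body) payloads in an ISAKMP header.
    Each payload gets the 4-byte generic header: next type, reserved, 16-bit length incl. header."""
    body = b""
    for i, (_ptype, data) in enumerate(payloads):
        next_type = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += struct.pack("!BBH", next_type, 0, 4 + len(data)) + data
    first = payloads[0][0] if payloads else 0
    # initiator SPI, responder SPI (zero before the responder answers), first payload type,
    # version 1.0, exchange type, flags, message ID, total length
    hdr = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x00" * 8, first, 0x10,
                      exchange_type, 0, 0, ISAKMP_HDR + len(body))
    return hdr + body

def walk_payloads(msg):
    """Walk the payload chain of an unencrypted IKEv1 message and return (type, body) pairs.
    Every length is checked before use, so a truncated or lying message raises ValueError."""
    if len(msg) < ISAKMP_HDR:
        raise ValueError("truncated ISAKMP header")
    next_type = msg[16]
    (declared,) = struct.unpack("!I", msg[24:28])
    if declared != len(msg):
        raise ValueError(f"header says {declared} bytes, got {len(msg)}")
    off, found = ISAKMP_HDR, []
    while next_type != 0:
        if off + 4 > len(msg):
            raise ValueError("payload chain runs past end of message")
        nxt, _reserved, plen = struct.unpack("!BBH", msg[off:off + 4])
        if plen < 4 or off + plen > len(msg):
            raise ValueError(f"bad payload length {plen} at offset {off}")
        found.append((next_type, msg[off + 4:off + plen]))
        off, next_type = off + plen, nxt
    return found

def natd_flavour(msg):
    """Which NAT-D numbering the peer uses: 'rfc3947', 'draft' or 'none'."""
    types = {ptype for ptype, _ in walk_payloads(msg)}
    return "rfc3947" if NATD_RFC3947 in types else "draft" if NATD_DRAFT in types else "none"

# Constructed samples: Aggressive-mode (exchange type 4) messages carrying a vendor ID and two
# 20-byte NAT-D hashes, once with the draft numbering and once with the RFC 3947 numbering.
PHONE_STYLE = build_ike_message(4, [(13, b"\xaa" * 16), (NATD_DRAFT, b"\x01" * 20), (NATD_DRAFT, b"\x02" * 20)])
RFC_STYLE = build_ike_message(4, [(13, b"\xaa" * 16), (NATD_RFC3947, b"\x01" * 20), (NATD_RFC3947, b"\x02" * 20)])
```

Feed `walk_payloads` the UDP payload of a real first Aggressive-mode message (port 500) to see which numbering a given phone firmware emits; a peer that only honours type 20 will never see the type-15 NAT-D hashes and will behave as if no NAT detection happened.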