Avaya VPN Phone Parameters

This document focuses on basic connection with a SonicWALL security device.

Avaya does not guarantee compatibility with all security gateway devices or software provided by a particular vendor, nor is every possible configuration of such devices supported.

    In general, the Avaya VPN client supports:

    • Pre-Shared Key (PSK) with or without XAUTH,
    • Internet Key Exchange (IKE),
    • Internet Protocol Security (IPSec),
    • Internet Security Association and Key Management (ISAKMP),
    • RSA (Rivest-Shamir-Adleman) signatures with or without XAUTH,
    • NAT traversal, and
    • Simple Certificate Enrollment Protocol (SCEP).

VPN is established when the two hosts negotiate authentication, key management, encryption, and encapsulation. These negotiations happen in two phases; the control channel is established to govern the traffic, and then a two-way data channel is established for that traffic.

Avaya VPN Phone Parameters

Page One

  • VPN = [Enabled | Disabled]
    Disabled by default.
  • VPN Vendor
    [Nortel | Juniper | Cisco | Nokia | Other]
    This will set specific features for the brand of VPN. (For SonicWall, use Other.
  • Gateway Address
    The "Inner IP address" is the public static IP address of the main office where the IP Office is located.
  • External Phone IP Address
    The "Outer IP address" of the phone itself on the local network. ( = DHCP).
  • External Router/Gateway, Subnet, and DNS
    These are the "Outer IP address" parameters usually DHCP ( set for local network.
  • Encapsulation = [4500-4500 | 2070-500 | 500-500 | disabled]
    This setting specifies the type of encapsulation to use if there is a NAT device between the phone and the security gateway. By default, 4500-4500 is used.
    Encapsulated Security Payload (ESP is part of the TCP/IP VPN packet structure) is not associated with a port, therefore it cannot pass through a NAT/PAT device.
    When NAT-Traversal encapulation is enabled, a NAT device can be detected automatically and then ESP packets will use port 4500. (IKE is associated with port 500.)
    Avaya suggests that you do not disable NAT traversal even when a NAT device does not exist.
  • Copy TOS
    The type of service (ToS) field in the IPv4 header.
    This indicates whether to copy the ToS bits from the tunneled (inner) IP header to the outer IP header.

    Since we are using ESP, the original packet is intact. Recommended: No

Page Two

  • Auth Type [PSK | PSK with XAUTH | RSA Signature | RSA Signatures with XAUTH | Hybrid XAuth ]

    A Pre Shared Key establishes Authentication.. RSA Signature and XAUTH requires third party hardware and software, is a two-step authentication method, and is beyond the scope of this document.

Page Three

Page Three options are dependent upon the selection of Page Two. Since PSK was chosen as the authentiation method, enter the PSK and Group Name on this page.

  • IKE ID (Group Name)
    (Avaya default=VPNPHONE, SonicWALL default=GroupVPN)
    Take Note of Capital Letters
  • Pre Shared Key (PSK)
    Enter the Pre Shared Key. (Example: 1a0b4fb1ae844397dc564fa9e3c0)

    Alternate Page Two

    • Auth Type [PSK | PSK with XAUTH | RSA Signature | RSA Signatures with XAUTH | Hybrid XAuth ]
      A Pre Shared Key, username, and a password are required.

    Alternate Page Three

    Page Three options are dependent upon the selection of Page Two. Since PSK with XAUTH was chosen as the authentiation method, further information is needed.

    • VPN User Type [Any | One User]
    • VPN User
      Enter the username. This value should be unique to each phone. It is possible to force the VPN client in the phone to use phone's mac address or serial number as a user name thus eliminating the need to enter a user name via the phone keypad. In such cases you need to add each phone's serial number or mac address in your authentication.
    • Password Type
      [Save in Flash | Erase on Reset | Numeric OTP | Alpha-Numeric OTP | Erase on VPN termination ]
      OTP = one time password. Alpha-Numeric must be entered each time. VPN is only terminated on reset.

Page Four

  • IKE ID Type = [FQDN | User-FQDN | ASN.1 | Key-ID | IP4Address("outer")]
    Typically, the VPN client will identify itself with either the outer IPv4 address or the Fully Qualified Domain Name it receives from the local network.
  • IKE Xchange mode [Aggressive | ID Protect]
    Aggressive mode enabled on an external facing firewall will cause a PCI compliance scan to fail.
    Ideally, Aggressive Mode should use certificates as it is vulnerable to DoS attacks if connection attempts are not limited.
    • If Static IPs are used, use Main Mode(ID Protect) with a long "pre-shared key". Main mode(ID Protect) may use the IP4Aaddress as the identity.
    • If DHCP addresses are used, use aggressive mode with a long "identification string".
  • IKE DH Group
    The Diffie-Hellman Group is the algorithm for the Key Exchange.
    The default Diffie-Hellman Group for both IKE Phase 1 and Phase 2 is DH Group 2.
    This group provides basic security and good performance. A higher group reduces performance.
    DH Group 1 = 768-bits, DH Group 2 = 1024-bits, 5 = 1536-bits, etc.
  • IKE Encryption Algorithm [Any | AES-128 | 3DES | DES | AES-192 | AES-256]
    It is suggested to use AES-128.
    For a comparison between DES and AES, this "International Journal of Security and Its Applications" publication
    A Comparison of the 3DES and AES Encryption Standards by Noura Aleisa
    is comprehensive and readable.

  • IKE Authentication Algorithm [Any | MD5 | SHA-1]
  • IKE Config Mode [Enabled | Disabled]
    This will enable the remote security device to assign IP address and other various parameters. This is typically disabled.

Page Five

  • IPSec PFS DH Group [No PFS | 1 | 2 | 5 | 14 | 15]
    Perfect Forward Secrecy (PFS) forces a new diffie-hellman key exchange.
    PFS is more secure but requires processing power and takes longer for phase 1 and 2 to complete a new session key.
    The numbers correspond to the DH Group for the key.

  • IPSec Encryption Algorithm [None | Any | AES-128 | 3DES | DES | AES-192 | AES-256]
    It is suggested to use AES-128.
  • IPSec Authentication Algorithm [Any | MD5 | SHA-1]
  • Protected Network
    Specifies the "Inner" IP address range that will use the VPN tunnel. If VLANs are in use, use the VLAN that assigns the initial DHCP address.

Page Six

  • IKE over TCP = never
    If NAT traversal is used, ESP is encapsulated in UDP, which allows for more flexible NATing.