Avaya IP 9620/9650 VPN connection to Fortigate

MagIsa

Hello

I have a problem with this setup; see if any of you can help me.

I can get the VPN tunnel to work, so I get contact with the IP Office (8.0) and can call out with no problems, but the phone does not get an IP from the remote side. It gets stuck with the IP it gets from my local net, and the reason it works is because the other end has allowed that IP range. According to the IT guy at the other end, the phone does not even ask for a DHCP server. I have tried to specify the DHCP server but still have the same problem.

The connection is to a Fortigate FG60, and here are the settings I'm using on the phone.

----------------------------------------
VPN Profile Generic PSK
Server: xxx.xxx.xxx.xxx
IKE ID: [I used "vpn", but you can set this as "any" in the Fortigate and then put anything you like]
PSK: ****************

IKE Parameters
IKE ID Type FQDN
Diffie Hellman Group 2
Encryption ALG Any
Authentication ALG Any
IKE Xchange Mode Aggressive
IKE Config Mode Disabled
XAUTH Disable
Cert Expiry Check Disabled
Cert DN Check Disabled

IPSEC Parameters
Encryption ALG 3DES
Authentication ALG Sha1
Diffie Hellman Group 2

VPN Start Mode Boot
Password Type Save in Flash
Encapsulation 4500 – 4500
Protected Nets
Virtual IP 192.168.0.210
Remote Net #1 192.168.0.0/24
Remote Net #2
Remote Net #3
Copy TOS No
Connectivity Check Always
QTEST Disabled
-------------------------------------------
And my 96xxvpn.txt config file

############### VPN SETTINGS (H.323 ONLY) ################
##
SET NVVPNMODE 1

## VPN security gateway IP addresses
SET NVSGIP "xxx.xxx.xxx.xxx"

## Call server IP Addresses
SET NVMCIPADD "xxx.xxx.xxx.xxx"

## VPN configuration profile
SET NVVPNCFGPROF = 6

## User authentication method
SET NVVPNAUTHTYPE 3

## VPN Username
SET NVVPNUSER "vpn"

## VPN user password storage
SET NVVPNPSWDTYPE 1

## Secure net / Protected net
SET NVIPSECSUBNET "192.168.254.0/24,192.168.253.0/24"

## IKE implementation vendor
SET NVVPNSVENDOR 4

## User can change the VPN username
SET NVVPNUSERTYPE 2

## DHCP Server Address
## SET DHCPSRVR xxx.xxx.xxx.xxx


######### IKE Phase 1 ###########

## IKE Phase 1 identity (Group ID)
SET NVIKEID "vpn"

## IKE SA identification
SET NVIKEIDTYPE 2

## IKE Phase 1 negotiation mode
SET NVIKEXCHGMODE 1

## Diffie-Hellman Group to be used for establishing the IKE SA
SET NVIKEDHGRP 2

## Encryption algorithm to use during IKE Phase 1 negotiation
SET NVIKEP1ENCALG 0

## Authentication algorithm to use during IKE Phase 1 negotiation
SET NVIKEP1AUTHALG 0

## IKE configuration mode
SET NVIKECONFIGMODE 2

## IKE PSK (Group password)
SET NVIKEPSK "*************"

## XAUTH user authentication
SET NVXAUTH 2


######### IKE Phase 2 ###########

## Port numbers used for IKE and IPsec UDP encapsulation
SET NVVPNENCAPS 2

## Diffie-Hellman Group to be used for establishing the IPsec SA
SET NVPFSDHGRP 2

## Encryption algorithm to use during IKE Phase 2 negotiation.
SET NVIKEP2ENCALG 2

## Authentication algorithm to use during IKE Phase 2 negotiation
SET NVIKEP2AUTHALG 2

## Copy TOS
IF $VPNACTIVE SEQ 1 GOTO skipcopytos
SET NVVPNCOPYTOS 1
# skipcopytos
SET NVVPNCOPYTOS 2


## TCP as a transport protocol for IKE
SET NVIKEOVERTCP 0

## VPN procedure access code
## SET VPNCODE "876"

## Indicates whether a VPN tunnel has been established
SET VPNACTIVE 0

## SET VPNTTS 0


Would appreciate any help
Regards
Magnus
 
Does anyone know how to set a static IP on the 96xx series phone when used through VPN?

 
I do believe it is because IKE config mode is disabled. If your router does not support this, then the phone has to be set statically. I have worked around this by using XAUTH before and it seemed to have worked.

ACE IP Telephony
ACS IP Office
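
Added example, not part of the thread and not Avaya or Fortinet code: a small Python audit of the posted 96xxvpn.txt that flags the setting this reply points to (IKE config mode) together with the other negotiation choices in the file. The numeric value meanings are assumptions inferred by matching the file against the phone-screen listing in the first post; `parse` and `audit` are hypothetical names.

```python
import re

# Constructed sample: a subset of the lines in the 96xxvpn.txt posted above.
SAMPLE = '''\
SET NVVPNCFGPROF = 6
SET NVIKEXCHGMODE 1
SET NVIKEDHGRP 2
SET NVIKEP1ENCALG 0
SET NVIKECONFIGMODE 2
SET NVIKEPSK "*************"
SET NVXAUTH 2
SET NVIKEP2ENCALG 2
IF $VPNACTIVE SEQ 1 GOTO skipcopytos
SET NVVPNCOPYTOS 1
# skipcopytos
SET NVVPNCOPYTOS 2
'''

SET_RE = re.compile(r'^SET\s+(\w+)\s+(=\s*)?"?([^"]*)"?\s*$')

# Value meanings are an assumption, inferred from the phone-screen listing in the post.
CHECKS = {
    ("NVIKECONFIGMODE", "2"): "IKE config mode disabled: no tunnel address is requested",
    ("NVXAUTH", "2"): "XAUTH disabled: the shared group PSK is the only authentication",
    ("NVIKEXCHGMODE", "1"): "aggressive mode with a PSK: use a long random key",
    ("NVIKEP1ENCALG", "0"): "phase 1 encryption 'Any': pin the algorithm on the gateway",
    ("NVIKEP2ENCALG", "2"): "phase 2 encryption is 3DES, a legacy cipher",
    ("NVIKEDHGRP", "2"): "DH group 2 (1024-bit MODP) is a legacy group",
}

def parse(text):
    """Return ({name: value}, [names written with '=']); IF/GOTO is not evaluated."""
    values, stray = {}, []
    for line in text.splitlines():
        m = SET_RE.match(line.strip())
        if m:  # comments, labels, IF/GOTO and blank lines are skipped
            name, eq, value = m.groups()
            values[name] = value.strip()  # the last SET for a name wins
            if eq:
                stray.append(name)
    return values, stray

def audit(text):
    values, stray = parse(text)
    findings = [f"{n}={v}: {msg}" for (n, v), msg in CHECKS.items() if values.get(n) == v]
    findings += [f"{n}: '=' after the name, unlike every other SET line" for n in stray]
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Skipping IF/GOTO is safe for this file because both branches of the Copy TOS block end at the same final SET.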
 
Tried with XAUTH and still the same problem; the phones are keeping the local IP on the VPN interface.
Can this become a problem, or are the clients separated from each other in the tunnel due to the XAUTH?

//Magnus
 