Remote VPN Phone

[sibelius1234]

Hi all,

Here is our issue.

We are doing our job on an IP Office 406 V2 V4.1.1201
and a Netgear FVS338. (we use Generic PSK but we have the same issue in Juniper XAuth with PSK)

We have read the Technical Tip of Avaya for that bur unfortunatly, it doesn't work.

We've got no problem with IKE Phase 1.
When trying to establish a connection in IKE Phase 2, we've got a message on the IP Phone : "IKE Phase 2 no response"
In the logs, we can see that he fail to get IPsec SA configuration for: 0.0.0.0/0 ... instead of a real IP Address.

Here is a small part of the log :

2008 Apr 24 13:02:00 [FVS338] [IKE] Remote configuration for identifier "fvx_remote.com" found_
2008 Apr 24 13:02:00 [FVS338] [IKE] Received request for new phase 1 negotiation: 192.168.2.200[500]<=>217.128.18.112[2070]_
2008 Apr 24 13:02:00 [FVS338] [IKE] Beginning Aggressive mode._
2008 Apr 24 13:02:00 [FVS338] [IKE] Received unknown Vendor ID_
2008 Apr 24 13:02:00 [FVS338] [IKE] Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02__
2008 Apr 24 13:02:00 [FVS338] [IKE] Received unknown Vendor ID_
- Last output repeated 2 times -
2008 Apr 24 13:02:00 [FVS338] [IKE] Received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt_
2008 Apr 24 13:02:00 [FVS338] [IKE] For 217.128.18.112[2070], Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02_
2008 Apr 24 13:02:02 [FVS338] [IKE] Floating ports for NAT-T with peer 217.128.18.112[4500]_
2008 Apr 24 13:02:02 [FVS338] [IKE] NAT-D payload does not match for 192.168.2.200[4500]_
2008 Apr 24 13:02:02 [FVS338] [IKE] NAT-D payload does not match for 217.128.18.112[4500]_
2008 Apr 24 13:02:02 [FVS338] [IKE] NAT detected: Local is behind a NAT device. and alsoPeer is behind a NAT device_
2008 Apr 24 13:02:02 [FVS338] [IKE] ISAKMP-SA established for 192.168.2.200[4500]-217.128.18.112[4500] with spi:fb3b921c8c7074b1:c7a3b7af0f2387c7_
2008 Apr 24 13:02:03 [FVS338] [IKE] Responding to new phase 2 negotiation: 192.168.2.200[0]<=>217.128.18.112[0]_
2008 Apr 24 13:02:03 [FVS338] [IKE] Ignore INITIAL-CONTACT notification from 217.128.18.112[4500] because it is only accepted after phase1._
2008 Apr 24 13:02:03 [FVS338] [IKE] Failed to get IPsec SA configuration for: 0.0.0.0/0<->192.168.4.190/32 from fvx_remote.com_
2008 Apr 24 13:02:04 [FVS338] [IKE] Responding to new phase 2 negotiation: 192.168.2.200[0]<=>217.128.18.112[0]_
2008 Apr 24 13:02:04 [FVS338] [IKE] Ignore INITIAL-CONTACT notification from 217.128.18.112[4500] because it is only accepted after phase1._
2008 Apr 24 13:02:04 [FVS338] [IKE] Failed to get IPsec SA configuration for: 0.0.0.0/0<->192.168.4.190/32 from fvx_remote.com_
2008 Apr 24 13:02:06 [FVS338] [IKE] Responding to new phase 2 negotiation: 192.168.2.200[0]<=>217.128.18.112[0]_
2008 Apr 24 13:02:06 [FVS338] [IKE] Ignore INITIAL-CONTACT notification from 217.128.18.112[4500] because it is only accepted after phase1._
2008 Apr 24 13:02:06 [FVS338] [IKE] Failed to get IPsec SA configuration for: 0.0.0.0/0<->192.168.4.190/32 from fvx_remote.com_
2008 Apr 24 13:02:08 [FVS338] [IKE] Responding to new phase 2 negotiation: 192.168.2.200[0]<=>217.128.18.112[0]_
2008 Apr 24 13:02:08 [FVS338] [IKE] Ignore INITIAL-CONTACT notification from 217.128.18.112[4500] because it is only accepted after phase1._
2008 Apr 24 13:02:08 [FVS338] [IKE] Failed to get IPsec SA configuration for: 0.0.0.0/0<->192.168.4.190/32 from fvx_remote.com_
2008 Apr 24 13:02:10 [FVS338] [IKE] Responding to new phase 2 negotiation: 192.168.2.200[0]<=>217.128.18.112[0]_
2008 Apr 24 13:02:10 [FVS338] [IKE] Ignore INITIAL-CONTACT notification from 217.128.18.112[4500] because it is only accepted after phase1._
2008 Apr 24 13:02:10 [FVS338] [IKE] Failed to get IPsec SA configuration for: 0.0.0.0/0<->192.168.4.190/32 from fvx_remote.com_

We remain at your disposal for further information.

Thanks for your help
Kind regards

 

[TomMills]

there is something in here about always making sure that netgears are on the latest firmware,

cant be much more help but it is a place to start if this is not the case

http://www.tek-tips.com/viewthread.cfm?qid=1449513&page=4

 

[helper1111]

we just set a phone up with the Netgear 338. we had to upgrade the software as well.

we had the same issues, but found that it was the programming in the 338 that needed to be changed. i cant remember what we changed, but if i can remember right, i just made sure all the setting matched, made sure the ip addresses were correct, and the ip route in the ip office was set up right, then it started working.

there is still one issue i have, and that is, when the phone reboots, it does not hold the memory. i have to imput all the software info everytime it reboots??

 

[sibelius1234]

Thanks TomMills,We've got the latest version

Thanks helper 111, all seems correct but we still have the problem. I don't think it would be a problem if the IP route in the IP Office was not good because the first part of the job is to build correctly the tunnel and the make works the phone. Thanks for all.

Any other ideas ?

 

[SuperJenks]

Helper1111, there should be an option to save to memory in the vpn setup of the phone. I'm assuming you turned this on?

 

[sibelius1234]

Hi all,
It still doesn't work after a long week-end of work and test ... Help would be greatly appreciated.
Kind regards

 

[TheDoz]

Sibelius,

I have had no trouble setting up a FVS338 Router for VPN phones. I have set it up just the way the Documment says from avaya execpt for Preshared key code and local network ip configuration. Just remember at the remote end when you plug your phone in, make sure the phone ip address and the default router of the remote location is entered on the phone so that it can finished initializing at the remote site. All settings should be programmed for the Main site except the phones ip and default gateway ip. Those will change automatically whem VPN phone reboots.


"The lack of money is the root of all evil"

 

[IPOfficeIreland]

http://www.tek-tips.com/viewthread.cfm?qid=1461742&page=1