VPN Phone w/Cisco Meraki
VPN Phone w/Cisco Meraki
(OP)
Hello, I've setup a 9641G w/pfsense firewall and it's working great. Took longer to reboot the phone than it took to configure both sides. :D
Anyway, another customer has a Cisco Meraki firewall, and unfortunately I have not been successful in getting the phone to connect. I assume it's because the 'Client VPN' on the Meraki side is L2TP/IPSec and not 'pure' IPSec. The error I'm getting is 'Phase 1 No Response'. The tunnel does connect from PC/cellphone/etc fine, just not the Avaya Phone.
Anyone have experience setting up a VPN phone with Cisco Meraki?
I saw this thread http://www.tek-tips.com/viewthread.cfm?qid=1661398 so I am not getting my hopes up, but it is several years old so I thought, 'why not ask?'.
The firewall also has a Site-to-Site VPN configuration available, but I don't think that would work in this situation.
Thanks in advance for any replies.
Anyway, another customer has a Cisco Meraki firewall, and unfortunately I have not been successful in getting the phone to connect. I assume it's because the 'Client VPN' on the Meraki side is L2TP/IPSec and not 'pure' IPSec. The error I'm getting is 'Phase 1 No Response'. The tunnel does connect from PC/cellphone/etc fine, just not the Avaya Phone.
Anyone have experience setting up a VPN phone with Cisco Meraki?
I saw this thread http://www.tek-tips.com/viewthread.cfm?qid=1661398 so I am not getting my hopes up, but it is several years old so I thought, 'why not ask?'.
The firewall also has a Site-to-Site VPN configuration available, but I don't think that would work in this situation.
Thanks in advance for any replies.
Talk To Other Members
RE: VPN Phone w/Cisco Meraki
RE: VPN Phone w/Cisco Meraki
No problem! Is there something specific you are having issues with pfsense-side or phone-side?
Below was a little cheat sheet I made, but it was mostly for the phone-side... Lemme know what you need on the pfsense side. I pretty much followed this to the letter: http://blog.benca.net/2012/03/05/serving-ipsec-vpn...
CODE -->
*VPN Config(Firewall)* Type: IPSec Auth: Mutual PSK + XAuth Network: 172.16.1.0/24 (<- or another unused private network) Set up VPN User(s) Set up IKE('Group Name') & PSK(Pre-Shared Key) i.e. IKE: ${IKE Group ID} (i.e. vpn@mydomain.com) PSK: ${YourPresharedKey} (i.e. f30S722hd864) *IP Office Config* IP Route > New IP Address: ${VPN Network} (i.e. 172.16.1.0) IP Mask: 255.255.255.0 Gateway: ${your gateway} (i.e. 10.10.10.1) Destination: LAN1 *VPN Config(IP Phone)* NOTE: most of these settings are default CRAFT menu > VPN General(tab) VPN: Enabled VPN Vendor: Cisco Gateway Address: ${Public IP Here} External Phone IP Address: BLANK(DHCP) External Router: BLANK(DHCP) External Subnet Mask: BLANK(DHCP) External DNS Server: BLANK(DHCP) Encapsulation: 4500-4500 Copy TOS: No Auth Type(tab) PSK with XAUTH User Cred.(tab) VPN User Type: Any VPN User: ${VPN Username Here} Password Type: Save in Flash Password Entry(tab) User Password: ${VPN Password Here} IKE PSK(tab) IKE ID (Group Name): ${Group Name Here} Pre-Shared Key (PSK): ${Pre-Shared Key Here} IKE Phase 1(tab) IKE ID Type: KEY_ID IKE Xchg Mode: Aggressive IKE DH Group: 2 IKE Encryption Alg: Any IKE Auth. Alg.: Any IKE Config. Mode: Enabled IKE Phase 2(tab) IPsec PFS DH Group: No PFS IPSec Encryption Alg: Any IPSec Auth Alg.: Any Protected Network: 0.0.0.0/0RE: VPN Phone w/Cisco Meraki
L2TP/IPSec won't work.
BAZINGA!
I'm not insane, my mother had me tested!
RE: VPN Phone w/Cisco Meraki
Thank you very much for the definitive response. Both the avaya forums and a support contact from avay couldn't give me a solid answer.
I've convinced them to install a pfsense appliance as I know this configuration works. Now to convince them to ditch the Meraki altogether for the pfsense box...
Thank you again, you are always very helpful. Have a great weekend.
RE: VPN Phone w/Cisco Meraki
A productive used firewall is not really a playground to check some options yourself. The firewall is the door into your data network so make sure that it is well locked.
RE: VPN Phone w/Cisco Meraki
NO issues, I just haven't tried it yet.
RE: VPN Phone w/Cisco Meraki
Cool, let me know if you have any issues. The above is for pfsense 2.1.5, but I just set up the box for this project on 2.2 and it works as well. Just be sure to use "Key Exchange version: V1" and "Mode: aggressive".
derfloh: I see what you mean, but isn't that true for all enterprise firewalls anyway? You don't want to be using an ASA as a playground in a production environment either. Pfsense is arguably an better or easier option for many just because everything can be done in the web gui. It's also nice that there aren't any licensing hassles either - you can make as many IPsec/OpenVPN/L2TP tunnels, networks, etc as you want(or whatever your hardware can handle); it has proxy server + filtering, IDS/IPS, traffic shaping/limiting, bandwidth monitoring, remote logging, UPS monitoring, and a lot more. You can get support directly from the guys that make it if needed(and much cheaper than cisco), and the community is outstanding.
Also, no NSA backdoors... :D