Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Rhinorhino on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

VPN Phone w/Cisco Meraki 1

Status
Not open for further replies.
indefinitedrums

indefinitedrums

IS-IT--Management
Joined
Aug 14, 2012
Messages
35
Location
US
Hello, I've setup a 9641G w/pfsense firewall and it's working great. Took longer to reboot the phone than it took to configure both sides. :D

Anyway, another customer has a Cisco Meraki firewall, and unfortunately I have not been successful in getting the phone to connect. I assume it's because the 'Client VPN' on the Meraki side is L2TP/IPSec and not 'pure' IPSec. The error I'm getting is 'Phase 1 No Response'. The tunnel does connect from PC/cellphone/etc fine, just not the Avaya Phone.

Anyone have experience setting up a VPN phone with Cisco Meraki?

I saw this thread so I am not getting my hopes up, but it is several years old so I thought, 'why not ask?'.

The firewall also has a Site-to-Site VPN configuration available, but I don't think that would work in this situation.

Thanks in advance for any replies.
 
Sort by date Sort by votes
off topic, but do you have any config clues as to your 96xx to pfSense VPN setup?
 
Upvote 0 Downvote
@nnaarrnn

No problem! Is there something specific you are having issues with pfsense-side or phone-side?

Below was a little cheat sheet I made, but it was mostly for the phone-side... Lemme know what you need on the pfsense side. I pretty much followed this to the letter:
Code: 
*VPN Config(Firewall)* 

    Type: IPSec 
    Auth: Mutual PSK + XAuth 
    Network: 172.16.1.0/24 (<- or another unused private network) 
    Set up VPN User(s) 
    Set up IKE('Group Name') & PSK(Pre-Shared Key) 
        i.e. 
            IKE: ${IKE Group ID}  (i.e. vpn@mydomain.com)
            PSK: ${YourPresharedKey}  (i.e. f30S722hd864)


*IP Office Config* 

    IP Route > New 
        IP Address: ${VPN Network} (i.e. 172.16.1.0) 
        IP Mask: 255.255.255.0 
        Gateway: ${your gateway} (i.e. 10.10.10.1) 
        Destination: LAN1 


*VPN Config(IP Phone)* 
  NOTE: most of these settings are default 

    CRAFT menu > VPN 
     
    General(tab) 
        VPN: Enabled 
        VPN Vendor: Cisco 
        Gateway Address: ${Public IP Here} 
External Phone IP Address: BLANK(DHCP) 
        External Router: BLANK(DHCP) 
        External Subnet Mask: BLANK(DHCP) 
External DNS Server: BLANK(DHCP) 
        Encapsulation: 4500-4500 
        Copy TOS: No 

    Auth Type(tab) 
        PSK with XAUTH 

    User Cred.(tab) 
        VPN User Type: Any 
        VPN User: ${VPN Username Here} 
        Password Type: Save in Flash 

    Password Entry(tab) 
        User Password: ${VPN Password Here} 

    IKE PSK(tab) 
IKE ID (Group Name): ${Group Name Here} 
    Pre-Shared Key (PSK): ${Pre-Shared Key Here} 

    IKE Phase 1(tab) 
        IKE ID Type: KEY_ID 
        IKE Xchg Mode: Aggressive 
        IKE DH Group: 2 
        IKE Encryption Alg: Any 
        IKE Auth. Alg.: Any 
        IKE Config. Mode: Enabled 

    IKE Phase 2(tab) 
        IPsec PFS DH Group: No PFS 
        IPSec Encryption Alg: Any 
        IPSec Auth Alg.: Any 
        Protected Network: 0.0.0.0/0
 
Upvote 0 Downvote
You will need a real IPSec VPN with group authentication.
L2TP/IPSec won't work.

BAZINGA!

I'm not insane, my mother had me tested!

 
Upvote 0 Downvote
@tlpeter

Thank you very much for the definitive response. Both the avaya forums and a support contact from avay couldn't give me a solid answer.

I've convinced them to install a pfsense appliance as I know this configuration works. Now to convince them to ditch the Meraki altogether for the pfsense box...

Thank you again, you are always very helpful. Have a great weekend.
 
Upvote 0 Downvote
presence is a nice one. But make sure you have a partner with solid knowledge of the box. For Cisco and others you can find certified partners that can provide you support.

A productive used firewall is not really a playground to check some options yourself. The firewall is the door into your data network so make sure that it is well locked.
 
Upvote 0 Downvote
thanks!

NO issues, I just haven't tried it yet.
 
Upvote 0 Downvote
nnaarrnn:

Cool, let me know if you have any issues. The above is for pfsense 2.1.5, but I just set up the box for this project on 2.2 and it works as well. Just be sure to use "Key Exchange version: V1" and "Mode: aggressive".

derfloh: I see what you mean, but isn't that true for all enterprise firewalls anyway? You don't want to be using an ASA as a playground in a production environment either. Pfsense is arguably an better or easier option for many just because everything can be done in the web gui. It's also nice that there aren't any licensing hassles either - you can make as many IPsec/OpenVPN/L2TP tunnels, networks, etc as you want(or whatever your hardware can handle); it has proxy server + filtering, IDS/IPS, traffic shaping/limiting, bandwidth monitoring, remote logging, UPS monitoring, and a lot more. You can get support directly from the guys that make it if needed(and much cheaper than cisco), and the community is outstanding.

Also, no NSA backdoors... :D
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

virgiliom
  • Locked
  • Question Question
Meraki vlan configuration issue
Replies
2
Views
475
nnaarrnn
nnaarrnn
PhonesTech
  • Locked
  • Question Question
Remote Phone issues
Replies
3
Views
434
MikeeOK
MikeeOK
oidm
  • Question Question
Avaya E129 phone with errors in 12.1
Replies
4
Views
197
oidm
oidm
WirSysPlus
  • Locked
  • Question Question
VPN hardware
Replies
0
Views
349
WirSysPlus
WirSysPlus
TnPtech
  • Locked
  • Question Question
Avaya IP Office -IP phone issue.
Replies
17
Views
2K
MikeeOK
MikeeOK

Part and Inventory Search

Sponsor

Back
Top