VPN Phone w/Cisco Meraki


(OP)
Hello, I've set up a 9641G w/pfsense firewall and it's working great. Took longer to reboot the phone than it took to configure both sides. :D

Anyway, another customer has a Cisco Meraki firewall, and unfortunately I have not been successful in getting the phone to connect. I assume it's because the 'Client VPN' on the Meraki side is L2TP/IPSec and not 'pure' IPSec. The error I'm getting is 'Phase 1 No Response'. The tunnel does connect from PC/cellphone/etc fine, just not the Avaya Phone.

Anyone have experience setting up a VPN phone with Cisco Meraki?

I saw this thread http://www.tek-tips.com/viewthread.cfm?qid=1661398 so I am not getting my hopes up, but it is several years old so I thought, 'why not ask?'.

The firewall also has a Site-to-Site VPN configuration available, but I don't think that would work in this situation.

Thanks in advance for any replies.

RE: VPN Phone w/Cisco Meraki

off topic, but do you have any config clues as to your 96xx to pfSense VPN setup?

RE: VPN Phone w/Cisco Meraki

(OP)
@nnaarrnn

No problem! Is there something specific you are having issues with pfsense-side or phone-side?

Below was a little cheat sheet I made, but it was mostly for the phone-side... Lemme know what you need on the pfsense side. I pretty much followed this to the letter: http://blog.benca.net/2012/03/05/serving-ipsec-vpn...

CODE -->

*VPN Config(Firewall)* 

    Type: IPSec 
    Auth: Mutual PSK + XAuth 
    Network: 172.16.1.0/24 (<- or another unused private network) 
    Set up VPN User(s) 
    Set up IKE('Group Name') & PSK(Pre-Shared Key) 
        i.e. 
            IKE: ${IKE Group ID}  (i.e. vpn@mydomain.com)
            PSK: ${YourPresharedKey}  (i.e. f30S722hd864)


*IP Office Config* 

    IP Route > New 
        IP Address: ${VPN Network} (i.e. 172.16.1.0) 
        IP Mask: 255.255.255.0 
        Gateway: ${your gateway} (i.e. 10.10.10.1) 
        Destination: LAN1 


*VPN Config(IP Phone)* 
  NOTE: most of these settings are default 

    CRAFT menu > VPN 
     
    General(tab) 
        VPN: Enabled 
        VPN Vendor: Cisco 
        Gateway Address: ${Public IP Here} 
        External Phone IP Address: BLANK(DHCP) 
        External Router: BLANK(DHCP) 
        External Subnet Mask: BLANK(DHCP) 
        External DNS Server: BLANK(DHCP) 
        Encapsulation: 4500-4500 
        Copy TOS: No 

    Auth Type(tab) 
        PSK with XAUTH 

    User Cred.(tab) 
        VPN User Type: Any 
        VPN User: ${VPN Username Here} 
        Password Type: Save in Flash 

    Password Entry(tab) 
        User Password: ${VPN Password Here} 

    IKE PSK(tab) 
        IKE ID (Group Name): ${Group Name Here} 
        Pre-Shared Key (PSK): ${Pre-Shared Key Here} 

    IKE Phase 1(tab) 
        IKE ID Type: KEY_ID 
        IKE Xchg Mode: Aggressive 
        IKE DH Group: 2 
        IKE Encryption Alg: Any 
        IKE Auth. Alg.: Any 
        IKE Config. Mode: Enabled 

    IKE Phase 2(tab) 
        IPsec PFS DH Group: No PFS 
        IPSec Encryption Alg: Any 
        IPSec Auth Alg.: Any 
        Protected Network: 0.0.0.0/0 
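
Added example, not part of the original post and not Avaya or pfSense code: a small Python check that parses phone-side settings in the cheat sheet's "Name(tab)" / "Key: value" layout and lists the values a reviewer would want compensated for on the gateway. The finding names and the reading of "Any" are assumptions of this example.

```python
import re
# Constructed sample: phone-side values as listed in the cheat sheet above.
SAMPLE = """\
Auth Type(tab)
    PSK with XAUTH
IKE Phase 1(tab)
    IKE Xchg Mode: Aggressive
    IKE DH Group: 2
    IKE Encryption Alg: Any
    IKE Auth. Alg.: Any
IKE Phase 2(tab)
    IPsec PFS DH Group: No PFS
    IPSec Encryption Alg: Any
"""

def parse_settings(text):
    """Return {(tab, key): value}; a bare line under a tab gets key ''."""
    settings, tab = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        heading = re.match(r"(.+?)\(tab\)$", line)
        if heading:
            tab = heading.group(1).strip()
        elif ":" in line:
            key, value = line.split(":", 1)
            settings[(tab, key.strip())] = value.strip()
        elif line:
            settings[(tab, "")] = line
    return settings

def audit(settings):
    """Return {finding_id: note} for values a reviewer would question."""
    def get(tab, key):
        return settings.get((tab, key), "").lower()
    findings = {}
    if get("IKE Phase 1", "IKE Xchg Mode") == "aggressive" and "psk" in get("Auth Type", ""):
        findings["aggressive-psk"] = ("IKEv1 aggressive mode sends a PSK-derived hash "
            "before the peer is authenticated; use a long random PSK and unique XAuth users")
    if get("IKE Phase 1", "IKE DH Group") == "2":
        findings["dh-group-2"] = "DH group 2 is 1024-bit MODP; use a larger group if both ends offer one"
    if get("IKE Phase 2", "IPsec PFS DH Group") == "no pfs":
        findings["no-pfs"] = "Phase 2 keys are derived from Phase 1 material without a fresh DH exchange"
    # Assumption: "Any" means the phone accepts whatever the gateway proposes.
    loose = sorted(k for (_, k), v in settings.items() if k.endswith(("Alg", "Alg.")) and v == "Any")
    if loose:
        findings["alg-any"] = "phone accepts any proposal for: " + ", ".join(loose) + "; pin algorithms on the gateway"
    return findings

if __name__ == "__main__":
    for finding_id, note in audit(parse_settings(SAMPLE)).items():
        print(f"{finding_id}: {note}")
```
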

RE: VPN Phone w/Cisco Meraki

You will need a real IPSec VPN with group authentication.
L2TP/IPSec won't work.

BAZINGA!

I'm not insane, my mother had me tested!

RE: VPN Phone w/Cisco Meraki

(OP)
@tlpeter

Thank you very much for the definitive response. Both the Avaya forums and a support contact from Avaya couldn't give me a solid answer.

I've convinced them to install a pfsense appliance as I know this configuration works. Now to convince them to ditch the Meraki altogether for the pfsense box...

Thank you again, you are always very helpful. Have a great weekend.

RE: VPN Phone w/Cisco Meraki

pfSense is a nice one. But make sure you have a partner with solid knowledge of the box. For Cisco and others you can find certified partners that can provide you support.

A firewall used in production is not really a playground to check some options yourself. The firewall is the door into your data network so make sure that it is well locked.

RE: VPN Phone w/Cisco Meraki

thanks!

NO issues, I just haven't tried it yet.

RE: VPN Phone w/Cisco Meraki

(OP)
nnaarrnn:

Cool, let me know if you have any issues. The above is for pfsense 2.1.5, but I just set up the box for this project on 2.2 and it works as well. Just be sure to use "Key Exchange version: V1" and "Mode: aggressive".

derfloh: I see what you mean, but isn't that true for all enterprise firewalls anyway? You don't want to be using an ASA as a playground in a production environment either. Pfsense is arguably a better or easier option for many just because everything can be done in the web GUI. It's also nice that there aren't any licensing hassles either - you can make as many IPsec/OpenVPN/L2TP tunnels, networks, etc. as you want (or whatever your hardware can handle); it has proxy server + filtering, IDS/IPS, traffic shaping/limiting, bandwidth monitoring, remote logging, UPS monitoring, and a lot more. You can get support directly from the guys that make it if needed (and much cheaper than Cisco), and the community is outstanding.

Also, no NSA backdoors... :D
