USG VPN tunnel for AVAYA phone

LMac
edited April 2021 in Security
Hello all,

I am attempting to configure a USG VPN for use with an Avaya phone system. I have successfully built a PSK-based tunnel that works with the Zyxel VPN client using IPSec, but have been unable to get an Avaya phone (model 9608) to connect using these settings. The phone is failing during the 'Exchanging Keys' configuration and the phone gives the failure reason as 'IKE Phase 1 No Response'.

My google-fu has turned up quite an array of configuration tweaks and changes that I have tried with no change to the outcome.  None of the threads were related to the ZyWall series of devices so I decided to ask here.  

I will be happy to post my configs and/or logs if anyone has any suggestions or questions to help with the configuration.  

** I am looking for confirmation that someone has successfully used a USG VPN to connect to any VOIP hardphone, and specifically with an Avaya of any model. **

Thank you in advance for your time and consideration.

------------------

Leo D.

Comments

  • zyman2008
    After googling, the Avaya phone connects to the IPSec gateway with X-Auth and mode config.
    https://downloads.avaya.com/css/P8/documents/100072456

    So I think a USG with version 4.20 or above can support that.

    Here is an example CLI configuration of USG IPSec mode config:

    username test password test1234 user-type user
    address-object ANY_NETWORK 0.0.0.0/0
    address-object IPSEC_IP_POOL 10.10.98.1-10.10.98.20

    isakmp policy IPSEC_MODECONF
     peer-ip 0.0.0.0 0.0.0.0
     local-ip interface wan1
     authentication pre-share
     keystring your-psk-here
     mode aggressive
     transform-set aes128-sha
     group2
     lifetime 86400
     peer-id type any
     local-id type fqdn your-usg-name
     xauth type server default user-id any
    exit

    crypto map IPSEC_MODECONF
     ipsec-isakmp IPSEC_MODECONF
     encapsulation tunnel
     transform-set esp-aes128-sha
     set security-association lifetime seconds 28800
     set pfs none
     scenario remote-access-server
     local-policy ANY_NETWORK
     remote-policy any
     mode-config activate
     mode-config address-pool IPSEC_IP_POOL
    exit
    write
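
An added example, not part of zyman2008's reply and not Zyxel or Avaya code: since the phone stops at IKE Phase 1, this Python sketch parses the negotiation-relevant lines of the isakmp policy above and lists every Phase 1 field that differs from the phone's settings. PHONE_PROFILE holds constructed values for illustration (not Avaya defaults), and the names parse_phase1 and mismatches are hypothetical.

```python
import re

# Negotiation-relevant lines of the isakmp policy block posted above.
USG_CONFIG = """\
isakmp policy IPSEC_MODECONF
 authentication pre-share
 mode aggressive
 transform-set aes128-sha
 group2
 xauth type server default user-id any
exit
"""

# Constructed phone-side values for illustration only; NOT Avaya defaults.
# Replace with what the phone's VPN settings screen actually shows.
PHONE_PROFILE = {"mode": "main", "encryption": "aes128", "hash": "sha",
                 "dh_group": "2", "auth": "pre-share", "xauth": False}

# CLI line pattern -> Phase 1 field(s) it sets.
PATTERNS = {
    r"mode (\S+)": ("mode",),
    r"transform-set (\w+)-(\w+)": ("encryption", "hash"),
    r"group(\d+)": ("dh_group",),
    r"authentication (\S+)": ("auth",),
}

def parse_phase1(text):
    """Extract the Phase 1 proposal from an 'isakmp policy' block."""
    proposal, in_block = {"xauth": False}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("isakmp policy "):
            in_block = True
        elif line == "exit":
            in_block = False
        elif in_block:
            if line.startswith("xauth type server"):
                proposal["xauth"] = True
            for pattern, keys in PATTERNS.items():
                if m := re.fullmatch(pattern, line):
                    proposal.update(zip(keys, m.groups()))
    return proposal

def mismatches(gateway, peer):
    """Return {field: (gateway_value, peer_value)} for each differing field."""
    return {k: (gateway.get(k), peer.get(k))
            for k in sorted(set(gateway) | set(peer))
            if gateway.get(k) != peer.get(k)}

if __name__ == "__main__":
    for field, (gw, ph) in mismatches(parse_phase1(USG_CONFIG), PHONE_PROFILE).items():
        print(f"{field}: USG={gw!r} phone={ph!r}")
```

With the constructed profile, the fields reported are mode and xauth, the two settings that separate this configuration from a PSK-only tunnel.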

  • LMac
    zyman2008.

    So your assumption is that despite being able to use a PSK only config, IPSec to Avaya may require the PSK + X-Auth config type to function?  

    I will jump into console as soon as I can to try this out.  
