This guide covers VPN programming to work with Juniper SSG VPN equipment. This does NOT show you how to program the Juniper SSG,just how to configure the phone itself. Please see Avaya document IPO-JUN-SSG5.doc. VPN profile used is Juniper X-auth with PSK. A manual programming approach was used to keep things as simple as possible. The document mentioned above covers 46xx and 56xx phone programming. This document covers the differences when programming the 96xx phones.
Step 1:Prepare your system to update the phone firmware if required.
The IP phone must be configured to work on the IP Office as a standard IP extension. Enable the phone to download any updates for correct operation. The 96xx series of phones do not use TFTP to send the binary files or settings to the phones as with the 56xx series phones – HTTP is used for file and settings transfers.
If you have not done so,enable the Voicemail Pro system as a web server. Copy all .bin files and .txt files from the manager folder to the root directory of your web server. This folder is usually c:\inetpub\wwwroot.
Configure the IP address of the web server in the IP Office|system|HTTP address.
Note: If you are using an Avaya IP500 v2,you can use the memory card as your web and file server. This may be a simpler approach.
Step 2:Set the phone up with the IP address settings and register it to your PBX.
There are several ways of doing this.
1. Press the ‘A’ or MENU button. Enter CRAFT (27238) as the password when prompted.
2. Press the MUTE button,enter CRAFT (27238) and press #.
3. If the phone is starting up for the first time,press the * button. The phone will prompt you for a code. Enter CRAFT (27238) then press #.
Scroll down to ADDR and push the OK button. Enter appropriate values for
Phone,Call Server,Router,Mask,HTTP Server (your web server IP address) – all the rest are optional. When finished,press BACK then EXIT. The phone reboots. If new firmware is required,you will see the activity on the
screen as the different files are pulled down. The phone will need to reboot at
least two times – let it go through its paces until it prompts you to enter an
extension. Enter it along with the password,then press #.
If all has gone well,you should have a functioning phone that you can use to make and take calls
Step 3: Enable the phone to function as a VPN phone.
Edit the 46xxsettings.txt file on the web server. Add in a new line with the following –SET VPNPROC 2. You will notice many lines start with a ##. These are used as comments,so don’t put them in front of your command.
Reboot the phone. When the phone is back up,press the ‘A’ MENU button. Scroll down to VPN Settings. Enter 876 (VPN) when prompted.
Select VPN – default value is Disabled. Press the Change softkey and
it will change to Enabled.
Note: If you cannot change this setting,it means you cannot edit any of the VPN settings. Check your 46xxsettings.txt file and reboot your phone. You can also verify this file is available by entering the following in your browser –
http://yourwebserveraddress/46xxsettings.txt. You should see all the text in the browser.
Scroll down to VPN Vendor and press change until Juniper\Netscreen shows up.
Select Gateway Address. Make this the public or WAN IP Address of your VPN gateway. Note: if you are entering ip address numbers,you will have press most keys multiple times to get the numbers to appear. Also,you will need to press the More and Symbol soft keys to get to the period and other characters. Press Save and go on to External Phone IP Address. This is the LAN address for the phone.
Important Note: At this point,the phone should be on a separate network behind a router (not the one you have the IP Office on) with its own separate public internet address. You are simulating a remote connection from this point forward.
Do the same for External Router,External Subnet Mask and External DNS Server. You will find that these fields are already in numeric mode and so you can just punch the numbers in using the * key for the required periods. Scroll down to Copy TOS and select the Change button so this value says yes. DO NOT PRESS EXIT!! Press the right arrow button on the selector.
This will take you to the next set of values – Auth. Type.
Choose PSK with XAUTH. Press the right arrow button to get to the User Cred. section. Note: this is for the Juniper configuration detailed in the Avaya documentation. When possible,more of these job aids will be created for other VPN configurations.
Leave the VPN User Type as Any. Enter the vpn user name. Set Password Type setting to Save in Flash. Press the right arrow button to get to the Password Entry section.
Enter the User Password and press Save. Press the right arrow button to
get to the IKE PSK section.
Press Change and enter your IKE ID (Group Name),Pre-Shared Key (PSK),and then press the right arrow button to get to the IKE
Phase 1 section.
Select IKE ID Type (USER_FQDN),IKE Xchg Mode (Aggreesive),IKE DH Group (2),IKE Encryption Alg (3DES),IKE Auth. Alg. (MD5),and IKE Config. Mode (Enabled). Press the right arrow button to get to the IKE Phase 2 section.
Select IPsec PFS DH Group (2),IPsec Engcryption Alg (AES-128),IPsec Auth. Alg. (SHA-1),Protected Network (0.0.0.0/0). Press the right arrow button to get to the IKE Over TCP section and select Never.
Press Exit and the phone will reboot. If you have everything done correctly,your phone will negotiate the tunnel,encryption and passwords to connect to your IP Office switch.