VPN Setup Guide for 9600 Series IP

Deskphones

Release 3.1 and 6.2

16-602968
Issue 2
September 2015
© 2013-2015, Avaya Inc. object code, provided by Avaya or an Avaya Channel Partner,
All Rights Reserved. whether as stand-alone products, pre-installed on hardware products,
and any upgrades, updates, patches, bug fixes, or modified versions
Note thereto. “Designated Processor” means a single stand-alone
Using a cell, mobile, or GSM phone, or a two-way radio in close computing device. “Server” means a Designated Processor that
proximity to an Avaya IP telephone might cause interference. hosts a software application to be accessed by multiple users.
“Instance” means a single copy of the Software executing at a
Documentation disclaimer particular time: (i) on one physical machine; or (ii) on one deployed
“Documentation” means information published by Avaya in varying software virtual machine (“VM”) or similar deployment.
mediums which may include product information, operating License types
instructions and performance specifications that Avaya may generally
make available to users of its products and Hosted Services. Designated System(s) License (DS). End User may install and use
Documentation does not include marketing materials. Avaya shall not each copy or an Instance of the Software only on a number of
be responsible for any modifications, additions, or deletions to the Designated Processors up to the number indicated in the order.
original published version of documentation unless such Avaya may require the Designated Processor(s) to be identified in
modifications, additions, or deletions were performed by Avaya. End the order by type, serial number, feature key, Instance, location or
User agrees to indemnify and hold harmless Avaya, Avaya's agents, other specific designation, or to be provided by End User to Avaya
servants and employees against all claims, lawsuits, demands and through electronic means established by Avaya specifically for this
judgments arising out of, or in connection with, subsequent purpose.
modifications, additions or deletions to this documentation, to the Shrinkwrap License (SR). You may install and use the Software in
extent made by End User. accordance with the terms and conditions of the applicable license
Link disclaimer agreements, such as “shrinkwrap” or “clickthrough” license
accompanying or applicable to the Software (“Shrinkwrap License”).
Avaya is not responsible for the contents or reliability of any linked
websites referenced within this site or documentation provided by Copyright
Avaya. Avaya is not responsible for the accuracy of any information, Except where expressly stated otherwise, no use should be made of
statement or content provided on these sites and does not materials on this site, the Documentation, Software, Hosted Service,
necessarily endorse the products, services, or information described or hardware provided by Avaya. All content on this site, the
or offered within them. Avaya does not guarantee that these links will documentation, Hosted Service, and the product provided by Avaya
work all the time and has no control over the availability of the linked including the selection, arrangement and design of the content is
pages. owned either by Avaya or its licensors and is protected by copyright
Warranty and other intellectual property laws including the sui generis rights
relating to the protection of databases. You may not modify, copy,
Avaya provides a limited warranty on Avaya hardware and software. reproduce, republish, upload, post, transmit or distribute in any way
Refer to your sales agreement to establish the terms of the limited any content, in whole or in part, including any code and software
warranty. In addition, Avaya’s standard warranty language, as well as unless expressly authorized by Avaya. Unauthorized reproduction,
information regarding support for this product while under warranty is transmission, dissemination, storage, and or use without the express
available to Avaya customers and other parties through the Avaya written consent of Avaya can be a criminal, as well as a civil offense
Support website: http://support.avaya.com or such successor site as under the applicable law.
designated by Avaya. Please note that if You acquired the product(s)
from an authorized Avaya Channel Partner outside of the United Third Party Components
States and Canada, the warranty is provided to You by said Avaya “Third Party Components” mean certain software programs or
Channel Partner and not by Avaya. portions thereof included in the Software or Hosted Service may
Licenses contain software (including open source software) distributed under
third party agreements (“Third Party Components”), which contain
THE SOFTWARE LICENSE TERMS AVAILABLE ON THE AVAYA terms regarding the rights to use certain portions of the Software
WEBSITE, HTTP://SUPPORT.AVAYA.COM/LICENSEINFO OR (“Third Party Terms”). As required, information regarding distributed
SUCH SUCCESSOR SITE AS DESIGNATED BY AVAYA, ARE Linux OS source code (for those products that have distributed Linux
APPLICABLE TO ANYONE WHO DOWNLOADS, USES AND/OR OS source code) and identifying the copyright holders of the Third
INSTALLS AVAYA SOFTWARE, PURCHASED FROM AVAYA INC., Party Components and the Third Party Terms that apply is available
ANY AVAYA AFFILIATE, OR AN AVAYA CHANNEL PARTNER (AS in the products, Documentation or on Avaya’s website at: http://
APPLICABLE) UNDER A COMMERCIAL AGREEMENT WITH support.avaya.com/Copyright or such successor site as designated
AVAYA OR AN AVAYA CHANNEL PARTNER. UNLESS by Avaya. You agree to the Third Party Terms for any such Third
OTHERWISE AGREED TO BY AVAYA IN WRITING, AVAYA DOES Party Components.
NOT EXTEND THIS LICENSE IF THE SOFTWARE WAS
OBTAINED FROM ANYONE OTHER THAN AVAYA, AN AVAYA Preventing Toll Fraud
AFFILIATE OR AN AVAYA CHANNEL PARTNER; AVAYA “Toll Fraud” is the unauthorized use of your telecommunications
RESERVES THE RIGHT TO TAKE LEGAL ACTION AGAINST YOU system by an unauthorized party (for example, a person who is not a
AND ANYONE ELSE USING OR SELLING THE SOFTWARE corporate employee, agent, subcontractor, or is not working on your
WITHOUT A LICENSE. BY INSTALLING, DOWNLOADING OR company's behalf). Be aware that there can be a risk of Toll Fraud
USING THE SOFTWARE, OR AUTHORIZING OTHERS TO DO SO, associated with your system and that, if Toll Fraud occurs, it can
YOU, ON BEHALF OF YOURSELF AND THE ENTITY FOR WHOM result in substantial additional charges for your telecommunications
YOU ARE INSTALLING, DOWNLOADING OR USING THE services.
SOFTWARE (HEREINAFTER REFERRED TO
INTERCHANGEABLY AS “YOU” AND “END USER”), AGREE TO Avaya Toll Fraud intervention
THESE TERMS AND CONDITIONS AND CREATE A BINDING If You suspect that You are being victimized by Toll Fraud and You
CONTRACT BETWEEN YOU AND AVAYA INC. OR THE need technical assistance or support, call Technical Service Center
APPLICABLE AVAYA AFFILIATE (“AVAYA”). Toll Fraud Intervention Hotline at +1-800-643-2353 for the United
Avaya grants You a license within the scope of the license types States and Canada. For additional support telephone numbers, see
described below, with the exception of Heritage Nortel Software, for the Avaya Support website: http://support.avaya.com or such
which the scope of the license is detailed below. Where the order successor site as designated by Avaya. Suspected security
documentation does not expressly identify a license type, the vulnerabilities with Avaya products should be reported to Avaya by
applicable license will be a Designated System License. The sending mail to: [email protected].
applicable number of licenses and units of capacity for which the Downloading Documentation
license is granted will be one (1), unless a different number of
licenses or units of capacity is specified in the documentation or other For the most current versions of Documentation, see the Avaya
materials available to You. “Software” means computer programs in Support website: http://support.avaya.com, or such successor site as
designated by Avaya.
Contact Avaya Support
See the Avaya Support website: http://support.avaya.com for product
or Hosted Service notices and articles, or to report a problem with
your Avaya product or Hosted Service. For a list of support telephone
numbers and contact addresses, go to the Avaya Support website:
http://support.avaya.com (or such successor site as designated by Denan Power Cord Statement
Avaya), scroll to the bottom of the page, and select Contact Avaya
Support. Danger:
Regulatory Statements Please be careful of the following while installing the
Australia Statements equipment:

Handset Magnets Statement • Please only use the connecting cables, power cord, and
AC adapters shipped with the equipment or specified by
Danger: Avaya to be used with the equipment. If you use any
other equipment, it may cause failures, malfunctioning,
The handset receiver contains magnetic devices that can or fire.
attract small metallic objects. Care should be taken to avoid
personal injury. • Power cords shipped with this equipment must not be
Industry Canada (IC) Statements used with any other equipment. In case the above
guidelines are not followed, it may lead to death or
RSS Standards Statement severe injury.
This device complies with Industry Canada licence-exempt RSS
standard(s). Operation is subject to the following two conditions:
1. This device may not cause interference, and
2. This device must accept any interference, including 本製品を安全にご使用頂くため、以下のことにご注意ください。
interference that may cause undesired operation of the • 接続ケーブル、電源コード、AC アダプタなどの部品は、必ず
device. 製品に同梱されております添付品または指定品をご使用くだ
Le présent appareil est conforme aux CNR d'Industrie Canada さい。添付品指定品以外の部品をご使用になると故障や動作
applicables aux appareils radio exempts de licence. L'exploitation est 不良、火災の原因となることがあります。
autorisée aux deux conditions suivantes: • 同梱されております付属の電源コードを他の機器には使用し
ないでください。上記注意事項を守らないと、死亡や大怪我
1. L'appareil ne doit pas produire de brouillage, et など人身事故の原因となることがあります。
2. L'utilisateur de l'appareil doit accepter tout brouillage México Statement
radioélectrique subi, même si le brouillage est susceptible
d'en compromettre le fonctionnement. The operation of this equipment is subject to the following two
conditions:
Radio Transmitter Statement
1. It is possible that this equipment or device may not cause
Under Industry Canada regulations, this radio transmitter may only harmful interference, and
operate using an antenna of a type and maximum (or lesser) gain
approved for the transmitter by Industry Canada. To reduce potential 2. This equipment or device must accept any interference,
radio interference to other users, the antenna type and its gain including interference that may cause undesired operation.
should be so chosen that the equivalent isotropically radiated power La operación de este equipo está sujeta a las siguientes dos
(EIRP) is not more than that necessary for successful condiciones:
communication.
1. Es posible que este equipo o dispositivo no cause
Conformément à la réglementation d'Industrie Canada, le présent interferencia perjudicial y
émetteur radio peut fonctionner avec une antenne d'un type et d'un
gain maximal (ou inférieur) approuvé pour l'émetteur par Industrie 2. Este equipo o dispositivo debe aceptar cualquier
Canada. Dans le but de réduire les risques de brouillage interferencia, incluyendo la que pueda causar su operación
radioélectrique à l'intention des autres utilisateurs, il faut choisir le no deseada.
type d'antenne et son gain de sorte que la puissance isotrope Power over Ethernet (PoE) Statement
rayonnée équivalente ne dépasse pas l'intensité nécessaire à
l'établissement d'une communication satisfaisante. This equipment must be connected to PoE networks without routing
to the outside plant.
This Class B digital apparatus complies with Canadian ICES-003.
U.S. Federal Communications Commission (FCC) Statements
Cet appareil numérique de la classe B est conforme à la norme
NMB-003 du Canada. Compliance Statement
Radiation Exposure Statement The changes or modifications not expressly approved by the party
responsible for compliance could void the user’s authority to operate
This device complies with Industry Canada's RF radiation exposure the equipment.
limits set forth for the general population (uncontrolled environment)
and must not be co-located or operated in conjunction with any other To comply with the FCC RF exposure compliance requirements, this
antenna or transmitter. device and its antenna must not be co-located or operating to
conjunction with any other antenna or transmitter.
Cet appareil est conforme aux limites d'exposition aux rayonnements
RF d'Industrie Canada énoncés dans la population générale This device complies with part 15 of the FCC Rules. Operation is
(environnement non contrôlé) et ne doivent pas être co-situés ou subject to the following two conditions:
exploités conjointement avec une autre antenne ou émetteur. 1. This device may not cause harmful interference, and
Japan Statements 2. This device must accept any interference received,
Class B Statement including interferences that may cause undesired
operation.
This is a Class B product based on the standard of the VCCI Council.
If this is used near a radio or television receiver in a domestic Class B Part 15 Statement
environment, it may cause radio interference. Install and use the This equipment has been tested and found to comply with the limits
equipment according to the instruction manual. for a Class B digital device, pursuant to Part 15 of the FCC Rules.
These limits are designated to provide reasonable protection against
harmful interferences in a residential installation. This equipment
generates, uses and can radiate radio frequency energy and, if not
installed and used in accordance with the instructions, may cause
harmful interference to radio communications. However, there is no
guarantee that interference will not occur in a particular installation. If
this equipment does cause harmful interferences to radio or
television reception, which can be determined by turning the
equipment off and on, the user is encouraged to try to correct the
interference by one or more of the following measures:
• Reorient or relocate the receiving antenna.
• Increase the separation between the equipment and receiver.
• Connect the equipment into an outlet on a circuit different from
that to which the receiver is connected.
• Consult the dealer or an experienced radio/TV technician for
help.
Radiation Exposure Statement
This equipment complies with FCC radiation exposure limits set forth
for an uncontrolled environment . This equipment should be installed
and operated with minimum distance of 8 in or 20 cm between the
radiator and your body. This transmitter must not be co-located or
operating in conjunction with any other antenna or transmitter.
Trademarks
All non-Avaya trademarks are the property of their respective owners.
Linux® is the registered trademark of Linus Torvalds in the U.S. and
other countries.
 Contents

Chapter 1: Introduction............................................................................................................ 7
About this guide...................................................................................................................... 7
Intended audience................................................................................................................... 7
Revision history....................................................................................................................... 8
Online documentation.............................................................................................................. 8
Related documentation............................................................................................................ 8
Customer support.................................................................................................................... 8
Chapter 2: VPN overview......................................................................................................... 9
Introduction............................................................................................................................. 9
Differences between 4600–series and 9600–series IP deskphone VPNs................................... 10
Third-Party Security Gateways interoperability limitations......................................................... 10
Chapter 3: Configuring the VPN............................................................................................ 12
Introduction........................................................................................................................... 12
Preliminary configuration requirements................................................................................... 12
Configuration Preparation...................................................................................................... 13
Configuration preparation................................................................................................. 13
Preparing the Security Gateway....................................................................................... 13
Configuring the VPN settings............................................................................................ 14
Simple Enrollment Certificate Protocol (SCEP).................................................................. 14
Configuring VPN system parameters................................................................................ 15
Administrative Pre-requisites for authentication.................................................................. 15
®
Preparing Avaya Aura Communication Manager.............................................................. 15
Installing the 9600 Series IP deskphone............................................................................ 16
Deploying the VPN-ready 9600–Series IP deskphone........................................................ 16
Chapter 4: Viewing VPN settings.......................................................................................... 18
Introduction........................................................................................................................... 18
Access using the Avaya (A) menu.......................................................................................... 18
VPN settings screen fields..................................................................................................... 19
Chapter 5: Changing VPN settings....................................................................................... 23
Introduction........................................................................................................................... 23
Accessing VPN settings......................................................................................................... 23
Access using the Avaya (A) menu.................................................................................... 23
Access using the VPN special procedure.......................................................................... 24
Access using the Local Administrative (Craft) procedure menu........................................... 24
Viewing or changing settings using the VPN special procedure................................................. 26
Navigating configuration screens and changing data.......................................................... 26
General VPN settings — general screen field descriptions........................................................ 27
Generic authentication type screen field descriptions............................................................... 28
User credentials screen field descriptions................................................................................ 28

September 2015 VPN Setup Guide for 9600 Series IP Deskphones 5

Comments on this document? [email protected]
Contents

Changing your VPN password................................................................................................ 29

IKE PSK screen.................................................................................................................... 30
IKE Phase 1 screen field descriptions..................................................................................... 30
IKE Phase 2 screen field descriptions..................................................................................... 31
IKE over TCP screen field descriptions................................................................................... 32
VPN text entry screen............................................................................................................ 32
IP address screen................................................................................................................. 33
Chapter 6: User Authentication and VPN Sleep................................................................... 34
Introduction........................................................................................................................... 34
User Authentication............................................................................................................... 34
VPN user name entry screen............................................................................................ 34
VPN Password Reuse screen.......................................................................................... 35
VPN password entry screen............................................................................................. 35
VPN sleep mode................................................................................................................... 37
VPN sleep mode keys..................................................................................................... 37
Chapter 7: Troubleshooting................................................................................................... 38
VPN Authentication Failed..................................................................................................... 38
VPN Tunnel Failure............................................................................................................... 38
Need IKE ID/PSK.................................................................................................................. 38
Need phone certificate........................................................................................................... 39
Invalid Configuration.............................................................................................................. 39
No DNS Server Response..................................................................................................... 39
Bad Gateway DNS Name....................................................................................................... 40
Gateway certificate invalid...................................................................................................... 40
Phone certificate invalid......................................................................................................... 41
IKE Phase 1 No Response..................................................................................................... 41
IKE ID/PSK invalid................................................................................................................. 42
IKE Phase 1 failure................................................................................................................ 42
IKE Phase 2 No Response..................................................................................................... 42
IKE Phase 2 failure................................................................................................................ 43
IKE keep-alive failure............................................................................................................. 44
IKE SA expired...................................................................................................................... 44
IPSec SA expired.................................................................................................................. 44
VPN tunnel terminated........................................................................................................... 45
SCEP: Failed........................................................................................................................ 45
Appendix A: VPN parameters................................................................................................ 46
VPN configuration profiles...................................................................................................... 46
DHCPACK messages............................................................................................................ 48
Time to service functionality................................................................................................... 48
VPN parameters.................................................................................................................... 49
Glossary................................................................................................................................... 60

6 VPN Setup Guide for 9600 Series IP Deskphones September 2015

Comments on this document? [email protected]
Chapter 1: Introduction

About this guide

This guide provides information describing VPN configuration, use, and troubleshooting from both
the Administrator’s and end user’s perspective, including items that should be noted as part of
installation. For more information regarding administrative configuration, see Chapter 2 - VPN
Overview on page 9.
End-user configuration information is provided to assist the end user in installing and configuring a
9600 Series IP Telephone in their small office home office (SOHO) environment with minimal
assistance from corporate IT or Telephony groups. Procedures for end user viewing and updating
VPN settings are also provided.
®
Use this setup guide in conjunction with the standard setup instructions in the Avaya one-X
Deskphone Edition for 9600 Series IP Telephones Administrator Guide (Document Number
16-300698).
Note:
This guide applies to versions 3.1 and 6.2 of the 9600 Series IP Telephones. The content is the
same for both versions unless otherwise indicated.
Note:
The 9610 IP Telephone is not VPN-capable you cannot use it as part of your VPN.

Intended audience
This guide provides network administrator and end-user information for a Virtual Private Network
(VPN) for 9600 Series IP Telephones. If you are an administrator, use this document in conjunction
®
with the Avaya one-X Deskphone Edition for 9600 Series IP Telephones Administrator Guide
(Document Number 16-300698).

Caution:
Avaya does not provide product support for many of the products mentioned in this document,
including security gateways, remote Internet access devices such as DSL or cable modems, file
servers, DNS servers, or DHCP servers. Take care to ensure that there is adequate technical

September 2015 VPN Setup Guide for 9600 Series IP Deskphones 7

Comments on this document? [email protected]
Introduction

support available for these products and that they are properly configured, otherwise the IP
telephones might not be able to operate correctly.

Revision history
Issue Date Summary of changes
1 11/2009 This is the first release of this document, issued in November 2009 as part of
Software Release 3.1.
2 10/2012 This release is updated for 9600–series phones Software Release 6.2.
3 03/2015 Updated to resolve the typographical error for parameter NVIKEIDTYPE.

Online documentation

Related documentation
Administering Avaya Aura® Communication Manager This document provides an overall reference for
(03-300509) planning, operating, and administering your
Communication Manager solution.
®
Avaya one-X Deskphone Edition for 9600 Series IP This document provides a detailed description of
Telephones Administrator Guide (16-300698) how to administer the 9600 Series IP Telephones for
use in your Enterprise environment, including VPN
administration.
®
Avaya one-X Deskphone Edition for 9600 Series IP This document provides a detailed description of
Telephones Installation and Maintenance Guide how to install and maintain the 9600 Series IP
(16-300694) Telephones for use in your environment.

Customer support
For 9600 Series IP Telephone support, call the Avaya support number provided to you by your
Avaya representative or Avaya reseller.
See support.avaya.com for Information about Avaya products.

8 VPN Setup Guide for 9600 Series IP Deskphones September 2015

Comments on this document? [email protected]
Chapter 2: VPN overview

Introduction
Setting up a virtual private network provides enterprise telephony services for remote or small office
home office (SOHO) locations through a secure VPN connection to the user’s Enterprise
Communication Manager infrastructure. A VPN uses a high-speed connection to the Internet and
then to the VPN-administered solution in the enterprise network. VPNs provide a significant
improvement of the communications capabilities of SOHO users.
9600 Series IP Telephone Release 3.1 provides the capability to implement a VPN in Enterprise
networks with third-party devices. For more information regarding third-party devices, see Third-
Party Security Gateways interopability limitations on page 10
Figure 1 illustrates a possible corporate network configuration with three 9600 Series IP Telephones
connected through secure VPN connections.

Figure 1: VPN configuration

September 2015 VPN Setup Guide for 9600 Series IP Deskphones 9

Comments on this document? [email protected]
VPN overview

Differences between 4600–series and 9600–series IP

deskphone VPNs
Review this section if you already have a VPN in place for 4600 Series IP Telephones. There are
several differences between the structure and administration for each type of telephone series,
namely:
• A 9600 Series VPN telephone is administered by setting the applicable system parameters
using the 46xxsettings.txt file. This is the same settings file you already use for the non-VPN
system parameters you currently customize for both 9600 Series and 4600 Series IP
Telephones. A 4600 Series VPN uses a unique settings file (46vpnsetting.txt) to administer
applicable system parameters instead of the 46xxsettings.txt file.
• 9600 Series IP VPN Telephones do not support the Avaya SG203 security gateway, whereas
4600 Series IP VPN Telephones do.
• 9600 Series IP Telephone VPNs use an enhanced security process:
- End users have a separate access code and permission settings that allow access only to
VPN settings rather than general access to all local administrative (Craft) procedures.
- VPN users are assigned a unique VPN password which can be administered to be erased
on VPN termination or telephone reset; this measure prevents unauthorized users from
automatically re-establishing a VPN tunnel.
- Users with valid VPN credentials can be prevented from using each other’s telephones by
setting the NVVPNUSERTYPE parameter to allow the VPN user name to be changed only
through the settings file or the VPN Settings Craft procedure.
• 9600 Series IP Telephone VPNs provide longer DNS names, up to 255 characters whereas
4600 Series VPNs limit DNS names to 16 characters.
• 9600 Series IP VPN Telephones do not support user entry of an SCEP challenge password.
• 9600 Series IP Telephones do not support the NVSECSGIP and NVBACKUPSGIP
parameters. See Appendix A: VPN Parameters on page 49 for a detailed list of the VPN
system parameters applicable to a 9600 Series IP Telephone.
Note:
Avaya B189 Conference IP Phone does not support VPN setup.

Third-Party Security Gateways interoperability limitations

Third-party devices by the following vendors interoperate with Avaya VPN phones and may have
certain limitations as per the note below:
• Checkpoint
• Cisco
• Juniper

10 VPN Setup Guide for 9600 Series IP Deskphones September 2015

Comments on this document? [email protected]
 Third-Party Security Gateways interoperability limitations

• Nokia
• Nortel
Note:
Avaya does not guarantee compatibility with all security gateway devices or software provided
by a particular vendor, nor is every possible configuration of such devices supported. In general,
the following capabilities interoperate:
• Integrated IPSec VPN Client that supports these IPSec protocols:
- Internet Protocol Security (IPSec),
- Internet Key Exchange (IKE), and
- Internet Security Association and Key Management (ISAKMP)
• Pre-Shared Key (PSK) with or without XAUTH
• RSA (Rivest-Shamir-Adleman) signatures with or without XAUTH
• NAT traversal, and
• SCEP
Note:
Refer to Avaya DevConnect for application notes regarding VPN gateways and IP deskphones.
Vendors who are not Avaya DevConnect Certified are encouraged to contact Avaya and certify
through the program.

September 2015 VPN Setup Guide for 9600 Series IP Deskphones 11

Comments on this document? [email protected]
Chapter 3: Configuring the VPN

Introduction
This section outlines configuration requirements and setup options, and provides administrators with
information on how to configure 9600 Series IP Telephones for a VPN.

Preliminary configuration requirements

The enterprise network must be configured with a security gateway. Corporate firewalls and routers
must be configured to allow IPSec tunnels from the remote phone(s) to the security gateway. See
Third-Party Security Gateways operability limitations on page 10. For a list of configuration system
parameters, see VPN parameters on page 49.
Technicians or administrators can stage phones centrally and pass an administered phone to an
end user, or use the standard settings file. In the latter case, place VPN parameters in the beginning
of the 46xxsettings.txt file before model-specific settings. The possible VPN configuration methods
are:
• Centralized administration of some or all VPN functionality by trained technicians/
administrators, using either the settings file and/or the local (Craft) procedure for VPNs. The
administered telephone is then passed to the user.
• Remote administration of VPN functionality by users who are either trained in, or who have
been provided specific documentation to guide them in the administration process, generally
involving the VPN Special Procedure.
Avaya recommends that administrators perform these preliminary configuration steps:
• Load the 9600 Series IP Telephone with the latest software,
• Configure the phone to connect to the Enterprise infrastructure, and
• Provide the end users with information for VPN access from their small office home office
(SOHO) environment.
Important:
Never "downgrade" a telephone on your VPN to a software release prior to R3.1, as VPN
operation will either fail or not operate properly.

12 VPN Setup Guide for 9600 Series IP Deskphones September 2015

Comments on this document? [email protected]
 Configuration Preparation

Configuration Preparation

Configuration preparation
To ensure that the end user is able to configure a 9600 Series IP Telephone in their SOHO
environment and to connect to the enterprise network, administrators can pre-configure the IP
telephone prior to deployment to allow the remote 9600 Series IP Telephone to establish a
connection over the VPN tunnel and if applicable, to provide authentication parameter values.
The administrator completes the initial configuration while the IP telephone is connected to the
enterprise network and prior to deployment to the end user. When more than five or six phones
require configuration, Avaya recommends the administrator use the settings file for configuring the
VPN telephones, with the exception of the User Name and User Password.
This is the recommended pre configuration method, including the sequence and procedures:
Related Links
Configuration preparation procedure on page 13

Configuration preparation procedure

Procedure
1. Allow access into and out of the corporate firewall through VPN tunnels, see Preparing the
Security Gateway on page 13.
2. Configure the VPN parameters to meet the configuration parameters for each remote site,
see Configuring VPN system parameters on page 15.
3. If necessary, create and administer a new extension on , Avaya Aura® Communication
Manager Release 5.1 or higher. For additional information see Preparing Avaya® Aura
Communication Manager on page 15.
4. Install and test the IP telephone on the enterprise network. For additional information, see
®
the Avaya one-X Deskphone Edition for 9600 Series IP Telephones Installation and
Maintenance Guide (Document Number 16-600394).
5. Send the pre-configured telephone to the end user with specific instructions for VPN remote
setup.
Related Links
Configuration preparation on page 13

Preparing the Security Gateway

At a minimum, you must configure a user name and password for each remote user. User names
can be up to 16 characters long and can contain any character except a comma (,).

September 2015 VPN Setup Guide for 9600 Series IP Deskphones 13

Comments on this document? [email protected]
Configuring the VPN

Procedure
1. Install the security gateway in accordance with the vendor’s instructions.
2. Configure authentication credentials to allow users to establish a VPN connection.

Configuring the VPN settings

The administrator can populate the 46xxsettings.txt file with all or some of the settings that are used
to create the VPN tunnels and for authentication, depending on whether or not end users will be
given permission to add/change settings.
Note:
For a detailed list of VPN settings in the 46xxsettings.txt file, see Appendix A: VPN Parameters.
At startup, the phone will attempt to establish a VPN connection using the configured VPN
parameters. Users with permission to do so can view, add, or change the VPN parameters.

Simple Enrollment Certificate Protocol (SCEP)

9600 Series SIP Deskphones support Media Encryption (SRTP) and use built-in Avaya SIP
Certificates for trust management. Trust management involves downloading certificates for
additional trusted Certificate Authorities (CA) and the policy management of those CAs. Identity
management is handled by Simple Certificate Enrollment Protocol (SCEP) with phone certificates
and private keys.
SCEP can apply to your VPN operation or to standard enterprise network operation. SCEP is
®
described in the Avaya one-X Deskphone Edition for 9600 Series IP Telephones Administrator
Guide (Document Number 16-300698), however for ease of VPN setup, the applicable parameters
are also included this guide, in Appendix A - VPN parameters on page 49. A few pointers
regarding SCEP follow:
• If the SCEP server is outside of the corporate firewall, telephones connecting to the corporate
network over a VPN connection can be configured to establish the SCEP connection using an
HTTP proxy server to reach the SCEP server. In this instance, use the WMLPROXY system
parameter to configure the HTTP proxy server.
• When SCEP is initiated the telephone will attempt to contact an SCEP server via HTTP, using
the value of the configuration parameter MYCERTURL as the URI.
• SCEP supports the use of an HTTP proxy server.
• The telephone creates a private/public key pair, where each key has a length equal to the
value of the configuration parameter MYCERTKEYLEN. The public key and the values of the
configuration parameters MYCERTCAID, MYCERTCN, MYCERTDN and SCEPPASSWORD
are used in the certificate request.

14 VPN Setup Guide for 9600 Series IP Deskphones September 2015

Comments on this document? [email protected]
 Configuration Preparation

Configuring VPN system parameters

Appendix A: VPN Parameters lists the system parameters that you need to configure for VPN tunnel
establishment, and in general. Certain parameters will be set automatically based on the VPN
security gateway you indicate in the NVVPNCFGPROF parameter in the 46xxsettings.txt file or
using the Special VPN procedure; see VPN Configuration Profiles in Appendix A: VPN
parameters on page 49 for information on these automatically-set configuration parameters.
Important:
When using the settings file to establish VPN values, place all of your VPN parameters before
any model-specific parameters.
For detailed information regarding system parameters, see Appendix A: VPN parameters on
page 49.

Administrative Pre-requisites for authentication

Authentication is performed during VPN tunnel initialization only if the NVXAUTH parameter is set to
"enabled." The following system parameters are used for authentication and are described in detail
in Appendix A: VPN Parameters:
• NVXAUTH - Specifies whether XAUTH user authentication is enabled or disabled; must be
enabled for authentication.
• NVVPNUSER - Specifies the user name to use during VPN authentication; can be null and
entered on the VPN User Name Entry screen.
• NVVPNPSWD - Specifies the user’s VPN password; can initially be null and entered on the
VPN Password Entry screen if NVVPNUSER contains a non-null value and
NVVPNUSERTYPE is set to "1" (user can edit the user name).
• NVVPNPSWDTYPE - Specifies whether the VPN user password will be stored, and if so, how
it is stored.
• NVVPNUSERTYPE - Specifies whether the end user can ("1") or cannot ("2") change the VPN
user name.
When authentication is enabled, three potential authentication entry screens display, depending on
the values of these VPN authentication parameters. See Chapter 6 -User Authentication and VPN
Sleep on page 34 for a description of each authentication screen.

Preparing Avaya Aura® Communication Manager

A 9600 Series IP Telephone that will be used in your virtual private network is configured the same
as other IP telephones on the call server running Avaya Aura® Communication Manager. Even
though the phone is physically located outside of the corporate network, it will behave the same as
other LAN-based Avaya IP telephones once the VPN tunnel has been established.

September 2015 VPN Setup Guide for 9600 Series IP Deskphones 15

Comments on this document? [email protected]
Configuring the VPN

Note:
The end user can have either a single extension or a bridged extension on the server running
Avaya Communication Manager. A single extension allows the user to be connected to Avaya
Aura® Communication Manager from one location at a time - either the office or the SOHO. To
connect to Avaya Aura® Communication Manager from both the office and the SOHO, configure
the telephone as a separate extension that has a bridged appearance of the office extension.
For information regarding Avaya Aura® Communication Manager configuration, see Administering
Avaya Aura® Communication Manager.

Installing the 9600 Series IP deskphone

Installation of 9600 Series IP Telephones to be used in a VPN network is the same as for any Avaya
®
9600 Series IP Telephone. For detailed installation instructions, see the Avaya one-X Deskphone
Edition for 9600 Series IP Telephones Installation and Maintenance Guide (Document Number
16-600394).
If you are staging the telephones centrally before deploying them to the users, install and test the IP
telephone on the enterprise network.
Important:
Telephones will attempt to establish a VPN connection only if the system parameter
NVVPNMODE is set to "1" (Enabled). You can choose to permit your end users to change this
value if a remote telephone will also be used within the enterprise environment.

Deploying the VPN-ready 9600–Series IP deskphone

Deploy the telephone to the end user. When the end user installs the phone in the home network,
what displays is dependent on the authentication policy you have set up and on the permission you
have assigned to VPN users in the VPNPROC parameter. Typically, users of a centrally-staged
telephone will see a screen requesting the VPN User Name and/or Password; once the VPN tunnel
is established, the user experience is essentially the same as for a non-VPN phone:
• If you have set the VPNPROC parameter to "1" or "2", the Avaya Menu (or, for 9670G phones,
the Home Screen) your VPN users see has a VPN Settings option. Users can either view (if
VPNPROC = 1) or change (if VPNPROC=2) VPN settings.
• If you have set the VPNPROC parameter to "0", the VPN Settings option does not display as
an Avaya Menu (or Home screen) option. Your users cannot view or change VPN settings.
Communicate the VPN Access Code (VPNCODE) to those users you have assigned permission to
view or change VPN settings. While not recommended for security reasons, you can set VPNCODE
to null (" ") to allow anyone you have given permission to view or change settings via VPNPROC to
bypass access code entry when they want to view or update VPN settings.

16 VPN Setup Guide for 9600 Series IP Deskphones September 2015

Comments on this document? [email protected]
 Configuration Preparation

Also provide each user with the appropriate chapter(s) in this guide describing how to access VPN
Settings screen(s) as follows:
• Chapter 4: Viewing VPN Settings — for those users you are permitting view-only access.
• Chapter 5: Changing VPN Settings — for those users you are permitting to change VPN
settings. Although these users can use the procedures in Chapter 5 to view settings as well,
you may also want to provide them with Chapter 4: Viewing VPN Settings to allow them to view
the VPN Summary screen instead of the individual filtered screens.
• Chapter 6: User Authentication and VPN Sleep Mode if you have established authentication
parameters, as covered in Administrative Pre-Requisites for Authentication.

September 2015 VPN Setup Guide for 9600 Series IP Deskphones 17

Comments on this document? [email protected]
Chapter 4: Viewing VPN settings

Introduction
Two methods are available to view VPN settings:
• Using the VPN Settings screen, available through the Avaya (A) Menu for all but the 9670G IP
Telephone, and available through the Home Screen for the 9670. Typically, users without
authorization to change settings use this screen to view VPN settings.
• Using the VPN Configuration screen, available through the VPN Settings Craft (local
administrative) procedure. This screen is also used to change settings and requires special
authorization; therefore, viewing settings using the VPN Configuration screen is described in
Chapter 5: Changing VPN Settings on page 23. Your administrator must authorize your
ability to change VPN settings. This includes providing you with a VPN Access Code and
applicable procedures describing how to change the settings. If you have the proper
authorization to change VPN settings, see Chapter 5: Changing VPN Settings on page 23 for
information.
Note:
As a security feature, the first time you use your remote phone over the Virtual Private Network
or following a telephone reset or reboot, you may be asked to identify yourself so that you can
be verified as a valid user and your user credentials can be validated. Chapter 6: User
Authentication and VPN Sleep Mode on page 18 explains the authentication process.
Note:
All 9600 Series IP Telephones except the 9670G require you to press a button or softkey to take
an action like exiting a screen. On 9670G IP Telephones, all actions are touch-based and are
taken or confirmed by touching a softkey on the screen.

Access using the Avaya (A) menu

Use this procedure If your administrator has instructed you to use the Avaya (A) Menu to access
VPN settings and has provided you with a VPN Access Code.
Before you begin
If your VPN administration requires authentication of your user name and password, follow the steps
in Chapter 6 -User Authentication and VPN sleeep on page 34 before proceeding.

18 VPN Setup Guide for 9600 Series IP Deskphones September 2015

Comments on this document? [email protected]
 VPN settings screen fields

Procedure
1. For all 9600 Series IP Telephones except the 9670, press the Avaya (A) Menu button.
2.
• For 9600 Series IP Telephones without administered WML applications, select VPN
Settings.
• For 9600 Series IP Telephones with administered WML applications, select Phone
Settings first, then VPN Settings.
• For the 9670, touch Settings, then VPN Settings.
3. If the phone prompts you to "Enter Password and press Enter (or OK)" use the dialpad to
enter the VPN Access Code assigned by the administrator and press Enter or OK. On a
9670, enter the VPN Access Code and touch Enter.
When the access code is validated the VPN Settings screen displays. See Viewing the VPN
Settings Screen for a description of this screen.

VPN settings screen fields

Line/Field Description Associated System Parameter
VPN If "1" the Virtual Private Network is NVVPNMODE
enabled. If "0" VPN is disabled.
VPN Vendor Name of the security gateway NVVPNSVENDOR
vendor.
Gateway Address IP address of the VPN security NVSGIP
gateway. This value allows the
telephone to access the VPN
tunnel.
External Phone IP Address External ("outer") IP address of NVEXTIPADD
the telephone in VPN mode.
External Router External ("outer") router IP EXTGIPADD or NVEXTGIPADD
address in VPN mode.
External Subnet Mask External ("outer") subnet mask in NVEXTSUBNETMASK
VPN mode.
External DNS Server External ("outer") DNS server IP EXTDNSSRVR or
address in VPN mode. NVEXTDNSSRVR
Encapsulation The port numbers used for IKE NVVPNENCAPS
and IPsec UDP encapsulation,
and support for NAT traversal.
Copy TOS Indicates whether to copy the TOS NVVPNCOPYTOS
bits from the tunneled (inner) IP
Table continues…

September 2015 VPN Setup Guide for 9600 Series IP Deskphones 19

Comments on this document? [email protected]
Viewing VPN settings

Line/Field Description Associated System Parameter

header to the tunnel (outer) IP
header.
Auth Type User authentication method for NORTELAUTH (for Nortel
non-Nortel gateways: 3 = Pre- gateways only), otherwise
Shared Key (PSK) 4 = PSK with NVVPNAUTHTYPE
XAUTH 5 = RSA signatures with
XAUTH 6 = Hybrid XAUTH 7 =
RSA Signatures User
authentication method for Nortel
gateways: 1= Local credentials 2 =
RADIUS credentials 3 = RADIUS
SecurID 4 = RADIUS Axent
VPN User Type End user permission to change NVVPNUSERTYPE
the VPN username: 1 = User can
change the user name 2 = User
cannot change the user name
VPN User The user name used for NVVPNUSER
authentication.
Password Type Indicates if the VPN user NVVPNPSWDTYPE
password will be stored and how:
1 = Password can be
alphanumeric and is stored in
reprogrammable non-volatile
memory as the NVVPNPSWD
value. 2 = Password can be
alphanumeric and is stored in
volatile memory but will be cleared
when the phone resets. 3 =
Password can be numeric only
and is stored in volatile memory
that is cleared immediately after
first-time password use. 4 =
Password can be alphanumeric
and is stored in volatile memory
that is cleared immediately after
first-time password use. 5 =
Password can be alphanumeric
and is stored in volatile memory
that is cleared when the user
invokes VPN Sleep Mode and
when the telephone resets.
User Password If a user password exists, it is Blank if user password has no
shown here as 8 asterisks value (null), otherwise 8 asterisks
(********)
Table continues…

20 VPN Setup Guide for 9600 Series IP Deskphones September 2015

Comments on this document? [email protected]
 VPN settings screen fields

Line/Field Description Associated System Parameter

IKE ID (Group Name) This field and the next three fields NVIKEID
display only if your VPN meets the
conditions for displaying IKE PSK.
Pre-Shared Key (PSK) Pre-Shared Key. Blank if PSK has no value (null),
otherwise 8 asterisks.
IKE ID type This field and the next five fields NVIKEIDTYPE
display only if your VPN meets the
conditions for displaying IKE
Phase 1. Values are: 1 =
ID_IPV4_ADDR 2 = ID_FQDN 3 =
ID_USER_FQDN 9 =
ID_DER_ASN1_DN 11 =
ID_KEY_ID
IKE Xchg Mode 1 = Aggressive Mode 2 = Main NVIKEXCHGMODE
Mode Identity Protection
IKE Xchg Mode 1 = Aggressive Mode 2 = Main NVIKEXCHGMODE
Mode Identity Protection
IKE DH Group 1 = First Oakley Group 2 = NVIKEDHGRP
Second Oakley Group 5 = 1536-
bit MODP Group 14 = 2048-bit
MODP Group 15 = 3072-bit
MODP Group
IKE Encryption Alg Algorithm 0 = Any 1 = AES- NVIKEP1ENCALG
CBC-128 2 = 3DES-CBC 3 =
DES-CBC 4 = AES-CBC-192 5 =
AES-CBC-256
IKE Auth. Alg Authentication algorithm for IKE: 0 NVIKEP1AUTHALG
= Any 1 = MD5 2 = SHA
IKE Config Mode 1 = Use the ISAKMP configuration NVIKECONFIGMODE
method for setting certain
applicable values. 2 = This setting
is turned off (disabled) because a
generic PSK profile is in effect.
IPsec PFS DH Group This field and the next four fields NVPFSDHGRP
display only if your VPN meets the
conditions for displaying IKE
Phase 2. This field specifies the
Diffie-Hellman Group to be used
for establishing the IPsec SA (also
known as PFS). If this value is not
"0", a new Diffie-Hellman
exchange will be initiated for each
IKE Phase 2 Quick Mode
exchange, where the proposed
DH group will be as specified by
Table continues…

September 2015 VPN Setup Guide for 9600 Series IP Deskphones 21

Comments on this document? [email protected]
Viewing VPN settings

Line/Field Description Associated System Parameter

the value of NVPFSDHGRP, and
the meaning of the values will be
the same as those specified above
for NVIKEDHGRP.
IPsec Encryption Alg The encryption algorithm to NVIKEP2ENCALG
propose for use during IKE Phase
2 negotiation. Values are: 0 = Any
1 = AES-CBC-128 2 = 3DES-CBC
3 = DES-CBC 4 = AES-CBC-192
5 = AES-CBC-256 6 = Null
IPsec Auth. Alg The authentication algorithm to NVIKEP2AUTHALG
propose for use during IKE Phase
2 negotiation. Values are: 0 = Any
1 = MD5 2 = SHA
Protected Network Specifies the IP address range If a list, the (first) value of
that will use the VPN tunnel. NVIPSECSUBNET
IKE over TCP This field displays only if your VPN NVIKEOVERTCP
meets the conditions for displaying
IKE Over TCP. Specifies whether
and when to use TCP as a
transport protocol for IKE: Never =
Never use TCP as a transport
protocol for IKE. Auto = Use IKE
over UDP first, and if that isn’t
valid use IKE over TCP. Always =
Always use TCP as the transport
protocol for IKE.

For detailed information regarding system parameters, see Appendix A: VPN Parameters.

22 VPN Setup Guide for 9600 Series IP Deskphones September 2015

Comments on this document? [email protected]
Chapter 5: Changing VPN settings

Introduction
Prior to performing any of the procedures in this section, and based on whether the telephones will
be set up centrally or remotely, the administrator should establish appropriate values for VPN tunnel
connection and user authentication. Applicable VPN system parameters are listed in Appendix A:
VPN Parameters.
Three methods are available to change VPN settings:
• Invoking the VPN Special Procedure from the local administrative (Craft) procedure menu
using the same access method as you would for any local procedure. This method requires
that the person accessing the local procedure knows the local procedure access password set
in the PROCPSWD parameter.
• Invoking the VPN Special Procedure using the VPN Access Code, when administrative
permission to change settings has been granted by setting the VPNPROC parameter to "2."
• Invoking the VPN Settings option from the Avaya (A) Menu (or the Home screen for a 9670)
using the VPN Access Code (if VPNPROC is set to "2").
Note:
All 9600 Series IP Telephones except the 9670G require you to select a line or desired action
and press a button/softkey to act upon your selection. On 9670G IP Telephones, all actions are
touch-based; for example, text/numeric entry uses an on-screen keyboard, and actions are
taken or confirmed by touching the applicable line, feature, icon, or softkey on the screen. The
procedures that follow apply to non-9670G phones and should be adjusted accordingly for the
9670’s touch screen.

Accessing VPN settings

Access using the Avaya (A) menu

Use this procedure If your administrator has instructed you to use the Avaya (A) Menu to access
VPN settings and has provided you with a VPN Access Code.

September 2015 VPN Setup Guide for 9600 Series IP Deskphones 23

Comments on this document? [email protected]
Changing VPN settings

Before you begin

If your VPN administration requires authentication of your user name and password, follow the steps
in Chapter 6 -User Authentication and VPN sleeep on page 34 before proceeding.
Procedure
1. For all 9600 Series IP Telephones except the 9670, press the Avaya (A) Menu button.
2.
• For 9600 Series IP Telephones without administered WML applications, select VPN
Settings.
• For 9600 Series IP Telephones with administered WML applications, select Phone
Settings first, then VPN Settings.
• For the 9670, touch Settings, then VPN Settings.
3. If the phone prompts you to "Enter Password and press Enter (or OK)" use the dialpad to
enter the VPN Access Code assigned by the administrator and press Enter or OK. On a
9670, enter the VPN Access Code and touch Enter.
When the access code is validated the VPN Settings screen displays. See Viewing the VPN
Settings Screen for a description of this screen.

Access using the VPN special procedure

Use this procedure if your administrator has instructed you to use the VPN Special Procedure to
update VPN settings.
The VPN Special Procedure is a series of filtered screens showing settings applicable to your
specific VPN setup.
Procedure
1. At any time following telephone login, press Mute.
2. Enter the VPN Access Code provided by your administrator.
3. Press #.
Next steps
Proceed to Viewing or changing settings using the VPN Special Procedure on page 24.

Access using the Local Administrative (Craft) procedure menu

Use this procedure if your administrator has instructed you to use the Craft (local administrative)
procedure to update VPN settings. This access method allows you to access the VPN Special
Procedure, to change VPN settings.
Related Links
During telephone startup on page 25

24 VPN Setup Guide for 9600 Series IP Deskphones September 2015

Comments on this document? [email protected]
 Accessing VPN settings

During normal telephone operation on page 25

During telephone startup

Procedure
1. During startup, invoke local procedures by pressing * to display the Craft Access Code Entry
screen.
2. Enter the local dialpad procedure password (0 to 7 numeric digits), as specified by the
system administrator in the system value PROCPSWD.
For security purposes, the telephone displays an asterisk for each numeric dialpad press.
If you are using a 9670G IP Telephone, and need to backspace during password entry, use
the Contacts button; for other 9600 Series phones, use the left arrow button or the
designated softkey.
3. Press # when password entry is complete.
The entry is compared to the PROCPSWD value. If they match, the telephone displays the
Craft Local Procedure screen, "Select procedure and press Start."
4. For all 9600 Series IP Telephones except the 9670G, use the navigation arrows to scroll to
and highlight VPN, then press Start or OK. Or scroll to VPN and press the corresponding line
button. For the 9670G IP Telephone, scroll to VPN if it not already displayed; touch the line
on which VPN appears.
Related Links
Access using the Local Administrative (Craft) procedure menu on page 24

During normal telephone operation

Procedure
1. Invoke the local procedures (Craft) menu by pressing the Mute button.
A 6-second timeout is in effect between button presses after pressing the Mute button. If you
do not press a valid button within 6 seconds of pressing the previous button, the collected
digits are discarded. In this case, no administrative option is invoked.
2. Enter the local (dialpad) procedure password (0 to 7 numeric digits).
If you are using a 9670G IP Telephone, and need to backspace during password entry, use
the Contacts button; for other 9600 Series phones, use the left arrow button or the
designated softkey.
3. Press the # button.
The entry is compared to the PROCPSWD value. If they match, the telephone displays the
Craft Local Procedure screen, "Select procedure and press Start."
4. For all 9600 Series IP Telephones except the 9670G, use the navigation arrows to scroll to
and highlight VPN, then press Start or OK. Or scroll to VPN and press the corresponding line
button. For the 9670G IP Telephone, scroll to VPN if it not already displayed; touch the line
on which VPN appears.

September 2015 VPN Setup Guide for 9600 Series IP Deskphones 25

Comments on this document? [email protected]
Changing VPN settings

Next steps
Proceed to Viewing or changing settings using the VPN Special Procedure.
Related Links
Access using the Local Administrative (Craft) procedure menu on page 24

Viewing or changing settings using the VPN special

procedure
Access the VPN Special Procedure, a filtered series of configuration screens, through the local
administrative (Craft) Procedures menu, as described in Access using the VPN Special Procedure
or Access using the Local Administrative (Craft) Procedure Menu. To change VPN settings you
must have:
• Administrative permission to access the local administrative procedure menu (set
administratively using the system parameter PROCSTAT), and
• an administrative procedure password (set administratively using the system parameter
PROCPSWD), and
• permission to update VPN settings (set administratively using the system parameter
VPNPROC of "2" to Update), and
• you must know the VPN Access Code (set administratively using the system parameter
VPNCODE).
What you see on the VPN Configuration screens depends on the type of security gateway used to
connect the telephone to the corporate network and how your Virtual Private Network (VPN) is
administered. For example, settings information is "filtered" to show settings applicable to your
specific VPN environment. Like a PC-style "wizard" settings display on a series of screens, the
display of which is dependent on the actions you take on the current screen.
Related Links
Navigating configuration screens and changing data on page 26

Navigating configuration screens and changing data

More than one screen is required to display all the data relevant to your VPN. In this case, the Right
and Left navigation arrows move forward and back through the screen sequence applicable to your
VPN. Pressing (or touching, for the 9670) the Right Arrow after updating one or more values on a
screen saves the updated information and brings up the next applicable screen.
Important:
All changes are effective and saved when you press/touch the Right Arrow to navigate to the
next screen. Navigating Left after making any change to one or more fields/lines on a particular

26 VPN Setup Guide for 9600 Series IP Deskphones September 2015

Comments on this document? [email protected]
 General VPN settings — general screen field descriptions

screen discards those changes does not save any information you might have entered on that
screen.
Select the field you want to change by positioning the cursor and pressing Change, or for a 9670, by
touching the line you want to change. In general, when you press/touch Change the current value
toggles to the next higher data value. For example, if the Gateway Vendor line shows "Nortel" (the
fifth and last Gateway Vendor currently supported) and you select that line and press/touch the
Change softkey, the Gateway Vendor name changes to "Juniper/Net Screen" (the first Gateway
Vendor supported). If the Gateway Vendor line shows "Juniper/Net Screen" (the first Gateway
Vendor supported) and you select that line and press/touch the Change softkey, the Gateway
Vendor name changes to "Cisco" (the second Gateway Vendor supported), and so on.
Changes you make to any one screen might cause a different screen to be shown next. For
example, pressing Change on line/field names shown with an ellipsis (...) causes the VPN Text
Entry screen to display to allow you to enter text. When you indicate you want to change a line
containing an IP Address, the IP Address screen displays to allow that type of entry. After entering
text or an IP address, press Save to post your entry and return to the previous screen where you
can then press the Right Arrow to save your change(s) and display the next applicable settings
screen.
After changing one or more fields/lines on the current screen, press the Right Arrow to save any
changes you made and move to the next screen.
Related Links
Viewing or changing settings using the VPN special procedure on page 26

General VPN settings — general screen field descriptions

Line/Field Description Associated System Parameter
VPN Indicates whether the Virtual NVVPNMODE
Private Network is enabled or
disabled.
VPN Vendor Name of the security gateway NVVPNSVENDOR
vendor for your VPN.
Gateway Address... IP address of the VPN security NVSGIP
gateway. This value allows the
telephone to access the VPN
tunnel.
External Phone IP Address... External ("outer") IP address of NVEXTIPADD
the telephone in VPN mode.
External Router... External ("outer") router IP EXTGIPADD or NVEXTGIPADD
address in VPN mode.
Table continues…

September 2015 VPN Setup Guide for 9600 Series IP Deskphones 27

Comments on this document? [email protected]
Changing VPN settings

Line/Field Description Associated System Parameter

External Subnet Mask... External ("outer") subnet mask in NVEXTSUBNETMASK
VPN mode.
External DNS Server... External ("outer") DNS server IP EXTDNSSRVR or
address in VPN mode. NVEXTDNSSRVR
Encapsulation The port numbers used for IKE NVVPNENCAPS
and IPsec UDP encapsulation,
and support for NAT traversal.
Copy TOS Indicates whether to copy the TOS NVVPNCOPYTOS
bits from the tunneled (inner) IP
header to the tunnel (outer) IP
header.

Generic authentication type screen field descriptions

This screen shows the type of authentication used by your VPN (based on the system parameter
NVVPNAUTHTYPE).

If the authentication type code This description displays:

(NVVPNAUTHTYPE) is:
3 PSK
4 PSK with XAUTH
5 RSA signatures with XAUTH
6 Hybrid XAUTH
7 RSA signatures

When the Authorization Type is PSK with XAUTH, RSA signatures with XAUTH, or Hybrid XAUTH,
the next screen displayed is the User Credentials screen. If the Authorization Type is PSK, the next
screen displayed is the IKE PSK screen. If the Authorization Type is RSA signatures, the next
screen displayed is the IKE Phase 1 screen.

User credentials screen field descriptions

Line/Field Description Associated system parameter
VPN User Type End user permission to change NVVPNUSERTYPE
the VPN username: If the user can
change the user name, the
description "Any" displays here. If
the user cannot change the user
Table continues…

28 VPN Setup Guide for 9600 Series IP Deskphones September 2015

Comments on this document? [email protected]
 Changing your VPN password

Line/Field Description Associated system parameter

name, the description "1 User"
displays here and no change can
be made to this line.
VPN User... The user name used for NVVPNUSER
authentication. Pressing the
Change softkey on this line brings
up the VPN Text Entry screen so
that (if permitted) you can enter a
new user name.
Password Type user password will be stored and NVVPNPSWDTYPE
how. For example, when the
NVVPNPSWDTYPE value is "3"
the description "Numeric OTP"
displays to indicate the VPN
Password can be numeric only
and is stored in volatile memory
that is cleared immediately after
first-time password use.

If your password is stored in memory (as indicated by a description of either "Save in flash" or
"Erase on reset") the next screen displayed is the User Password Entry screen. If your password
type is other than the above descriptions and the type of authentication (NVVPNAUTHTYPE) is
RSA Signatures with XAUTH or Hybrid XAUTH, the IKE Phase 1 screen displays instead. If none of
those passwords types is applicable, the IKE PSK screen displays.

Changing your VPN password

Before you begin
The system administrator must give you permission to change your VPN password.
About this task
If you already have a VPN password, eight asterisks display. If you do not have a VPN password,
the User Password line is blank.
Procedure
1. Press Change to display the displays the VPN Text Entry screen.
2. Enter your new password or change the current password.
3. Press Save.
4. Press the Right Arrow to save the password
Either the VPN Settings screen (see Viewing or changing settings using the VPN Special
Procedure), the IKE PSK screen, or the IKE Phase 1 screen, whichever is applicable to your
VPN structure, opens.

September 2015 VPN Setup Guide for 9600 Series IP Deskphones 29

Comments on this document? [email protected]
Changing VPN settings

IKE PSK screen

Use this screen to view or change two IKE values, the IKE ID (or Group Name) and the Pre-Shared
Key (PSK).
Procedure
1. Press Change on either line to display the VPN Text Entry Screen.
2. Enter or change the IKE ID value or PSK value.
3. Press or touch Save.
4. Press the RIght Arrow to save the new or changed value(s).
The IKE Phase 1 screen opens.

IKE Phase 1 screen field descriptions

Line/Field Description Associated system parameter
IKE ID Type The following descriptions display, NVIKEIDTYPE
depending on the value of the
NVIKEIDTYPE parameter:
• If the IKE ID Type is 1,
"IPV4_ADDR" displays.
• If the IKE ID Type is 2, "FQDN"
displays.
• If the IKE ID Type is 3
"USER_FQDN" displays.
• If the IKE ID Type is 9,
"DER_ASN1_DN" displays.
• If the IKE ID Type is 11,
"KEY_ID" displays.
IKE Xchg Mode Aggressive Mode ("1") or ID NVIKEXCHGMODE
Protect ("2").
IKE DH Group 1 denotes First Oakley Group NVIKEDHGRP
2 denotes Second Oakley Group
5 denotes 1536-bit MODP Group
14 denotes 2048-bit MODP Group
15 denotes 3072-bit MODP Group
IKE Encryption Algorithm 0 = Any NVIKEP1ENCALG
Table continues…

30 VPN Setup Guide for 9600 Series IP Deskphones September 2015

Comments on this document? [email protected]
 IKE Phase 2 screen field descriptions

Line/Field Description Associated system parameter

1 = AES-128
2 = 3DES
3 = DES
4 = AES-192
5 = AES-256
IKE Authentication Alg 0 = Any NVIKEP1AUTHALG
1 = MD5
2 = SHA
IKE Config Mode Enabled if value is "0" NVIKECONFIGMODE
Disabled if value is "1"

IKE Phase 2 screen field descriptions

Line/Field Description Associated system parameter
IPsec PFS DH Group This field and the next four fields NVPFSDHGRP
display only if your VPN meets the
conditions for displaying IKE
Phase 2. This field specifies the
Diffie-Hellman Group to be used
for establishing the IPsec SA (also
known as PFS). If this value is not
"0", a new Diffie-Hellman
exchange will be initiated for each
IKE Phase 2 Quick Mode
exchange, where the proposed
DH group will be as specified by
the value of NVPFSDHGRP, and
the meaning of the values will be
the same as those specified above
for NVIKEDHGRP.
IPsec Encryption Alg The encryption algorithm to NVIKEP2ENCALG
propose for use during IKE Phase
2 negotiation. Values are:
0 = Any
1 = AES-CBC-128
2 = 3DES-CBC
3 = DES-CBC
Table continues…

September 2015 VPN Setup Guide for 9600 Series IP Deskphones 31

Comments on this document? [email protected]
Changing VPN settings

Line/Field Description Associated system parameter

4 = AES-CBC-192
5 = AES-CBC-256
6 = Null
IPsec Authentication Alg The authentication algorithm to NVIKEP2AUTHALG
propose for use during IKE Phase
2 negotiation. Values are:
0 = Any
1 = MD5
2 = SHA
Protected Network Specifies the IP address range If a list, the (first) value of
that will use the VPN tunnel. NVIPSECSUBNET
Pressing Change brings up the
VPN Text Entry screen so that you
can enter a new IP address.
IKE over TCP This field displays only if your VPN NVIKEOVERTCP
meets the conditions for displaying
IKE Over TCP. Specifies whether
and when to use TCP as a
transport protocol for IKE.

IKE over TCP screen field descriptions

If the IKE over TCP (NVIKEOVERTCP) value is: This description displays:
0 Never use TCP as a transport protocol form IKE.
1 Auto; IKE over UDP is tried first; if not successful,
IKE over TCP is used.
2 Always use TCP as the transport protocol for IKE.

VPN text entry screen

Procedure
1. Select a text value.
2. Touch or press Change.
The VPN Text Entry screen displays the current setting and a blank area for you to enter the
new setting
3. Use the dialpad to enter text, as you would on a cellular phone.

32 VPN Setup Guide for 9600 Series IP Deskphones September 2015

Comments on this document? [email protected]
 IP address screen

The Symbol softkey displays an ASCII Symbol Table, from which you can select a symbol.
4. Press/touch Save to post the entry to the screen from which it came and return to that
screen
5. Press the Right Arrow to save the change and move to the next applicable screen.

IP address screen
Procedure
1. Select a setting that contains an IP address.
2. Press or touch Change.
The IP Address screen displays the current setting and a blank area for you to enter the new
IP Address.
3. Use the dialpad to enter the IP Address as you would on a cellular phone in the following
format: 0.0.0.0 (four numbers separated by decimals, with each number being between 0
and 255).
Use the * (asterisk) key to enter the decimals.
4. Press/touch Save to post the entry to the screen from which it came and return to that
screen.
5. Press the Right Arrow to save the change(s) on that screen and move to the next
applicable screen.

September 2015 VPN Setup Guide for 9600 Series IP Deskphones 33

Comments on this document? [email protected]
Chapter 6: User Authentication and VPN
Sleep

Introduction
This chapter covers how to enter your user name and password for security authentication and how
to activate the sleep mode to terminate/reactivate the VPN connection. Prior to performing any of
the procedures in this section, and based on how the remote VPN phones are set up, the
administrator should establish appropriate values for VPN tunnel connection and user
authentication.
Note:
All 9600 Series IP Telephones except the 9670G require you to select a line or desired action
and press a button/softkey to act upon your selection. On 9670G IP Telephones, all actions are
touch-based; for example, text/numeric entry uses an on-screen keyboard, and actions are
taken or confirmed by touching the applicable line, feature, icon, or softkey on the screen. The
procedures that follow apply to non-9670G phones and should be adjusted accordingly for the
9670’s touch screen.

User Authentication

VPN user name entry screen

This screen displays to validate the user name or to allow an existing user name to be edited if
these three conditions are met: NVVPNUSER contains a non-null value (meaning you have a
previously assigned user name), the NVVPNPSWD (VPN password) value is null, and the value of
NVVPNUSERTYPE is "1" to allow the VPN user to enter or change a user name.
Related Links
Accepting the current user name on page 35
Entering a new VPN user name on page 35

34 VPN Setup Guide for 9600 Series IP Deskphones September 2015

Comments on this document? [email protected]
 User Authentication

Accepting the current user name

Procedure
To accept the user name displayed, press/touch Enter.
Related Links
VPN user name entry screen on page 34

Entering a new VPN user name

Procedure
1. Press/touch Clear.
2. Use standard keyboard text entry to enter the new name.
3. Press/touch Enter to save the entry as the NVVPNUSER value.
If a password is already stored in memory, the VPN Password Reuse screen shows.
If a password is not stored in memory, the VPN Password Entry screen shows.
Related Links
VPN user name entry screen on page 34

VPN Password Reuse screen

About this task
This screen displays to authenticate an existing password or to allow access to the VPN Password
Entry screen for entry of a new password.
Procedure
1. To accept the current password, press/touch Enter. Authentication of the user name and
password occurs and if successful, the VPN Tunnel setup screen redisplays. If
authentication is unsuccessful, the VPN Authentication Failure screen displays; press/ touch
Continue to reenter the user name and/or password.
2. To delete the current password and enter a new password, press/touch Clear to display the
VPN Password Entry screen. Enter at least one character to display the VPN User Name
Editing screen, described in the VPN Password Entry screen procedure that follows.

VPN password entry screen

This screen displays to authenticate an existing password or to allow access to the VPN Password
Entry screen for entry of a new password.
Related Links
Accepting the current password on page 36
Entering a new password on page 36

September 2015 VPN Setup Guide for 9600 Series IP Deskphones 35

Comments on this document? [email protected]
User Authentication and VPN Sleep

Accepting the current password

Procedure
Press/touch Enter.
Authentication of the user name and password occurs
if authentication is successful, the VPN Tunnel setup screen redisplays.
If authentication is unsuccessful, the VPN Authentication Failure screen displays.
Note:
If authentication is unsuccessful, press/ touch Continue to reenter the user name and/or
password.
Related Links
VPN password entry screen on page 35

Entering a new password

Procedure
1. Press/touch Clear.
2. Use standard keyboard text entry to enter the new password.
3. Press/touch Enter to
Save the entry as the entry as the NVVPNPSWD (VPN Password) value if
NVPNPSWDTYPE is "1”, or
Store the password in volatile memory if NVVPNPSWDTYPE is not "1".
Result
Authentication of the user name and password occurs.
• If authentication is successful, the VPN Tunnel setup screen redisplays. press/touch Continue
to reenter the user name and/or password.
• If authentication is unsuccessful, the VPN Authentication Failure screen displays.
Press/touch Continue to reenter the user name and/or password.
Note:
When NVPNPSWDTYPE has a value of "3" or "4" the password is deleted from memory
immediately after it is used. See VPN parameters on page 49 for an explanation of the
NVVPNPSWDTYPE values.
Related Links
VPN password entry screen on page 35

36 VPN Setup Guide for 9600 Series IP Deskphones September 2015

Comments on this document? [email protected]
 VPN sleep mode

VPN sleep mode

Your phone connects to your corporate network through a VPN tunnel. If VPN tunnel establishment
fails or if an existing VPN tunnel fails, the VPN Tunnel Failure screen displays to notify you of the
situation and provide the option to inactivate your phone by putting it into a "sleep mode." Sleep
mode also turns the telephone backlight off to conserve energy until the tunnel can be re-
established. This section describes sleep mode in relation to VPN tunnel failure, but you can also
activate sleep mode from the Login screen or the Unnamed Registration screen. Activating sleep
mode can be helpful when the phone is located in a bedroom and an illuminated display would
disturb you.
Note:
On 9600 Series IP Telephones, you can touch the LightOff softkey at any time to turn off the
display backlight, regardless of being connected for VPN operation or not.
When you see the VPN Tunnel Failure screen, the right softkey is labeled Sleep. Pressing (or
touching if you have a 9670G phone) this softkey turns off the display backlight and displays the
message "VPN tunnel terminated." One softkey, Wake Up, is available.
Pressing/touching Wake Up or pressing/touching any telephone button illuminates the telephone
display area and displays two softkeys, Activate and Sleep:
Related Links
VPN sleep mode keys on page 37

VPN sleep mode keys

Softkey Name Description
Activate Initiates VPN tunnel establishment, so that you can
use your phone as a remote VPN phone.
Sleep Turns off the backlight and places the telephone
back into sleep mode.

Related Links
VPN sleep mode on page 37

September 2015 VPN Setup Guide for 9600 Series IP Deskphones 37

Comments on this document? [email protected]
Chapter 7: Troubleshooting

VPN Authentication Failed

Problem description
Incorrect credentials provided for authentication or not provided at all.

Resolution
Procedure
Follow the display prompts and reenter the password.

VPN Tunnel Failure

Problem description
The remote telephone cannot establish a link with the VPN tunnel.

Resolution
Procedure
Press Retry to attempt connection again.
If that fails, press Details for more information as to why the VPN tunnel could not be established.

Need IKE ID/PSK

Problem description
The value of system parameter NVPNAUTHTYPE is "3" or "4" indicating a Pre-Shared Key but the
value of one or both system parameters NVIKEID or NVIKEPSK is null.

38 VPN Setup Guide for 9600 Series IP Deskphones September 2015

Comments on this document? [email protected]
 Need phone certificate

Resolution
Procedure
Determine which parameter is null and set a value.

Need phone certificate

Problem description
The value of system parameter NVVPNAUTHTYPE is "5" or "7" indicating RSA signature
authentication, but a device certificate is not stored in the phone.

Resolution
Procedure
Use SCEP to provision a digital certificate in the phone.

Invalid Configuration
Problem description
A configuration problem not covered by the preceding five messages.

Resolution
Procedure
Review settings and reconfigure values as needed.

No DNS Server Response

Problem description
The DNS server is out of service.

September 2015 VPN Setup Guide for 9600 Series IP Deskphones 39

Comments on this document? [email protected]
Troubleshooting

Resolution
Procedure
Either:
• Wait for the DNS server to come back into service, configure an IP address for an alternate DNS
server, or
• Provide dotted-decimal IP addresses for the DNS names that cannot be resolved.

Bad Gateway DNS Name

Problem description
The DNS server cannot resolve the gateway DNS name.

Resolution
Procedure
Check the spelling of the DNS name for the VPN gateway.

Gateway certificate invalid

Problem description
The identity certificate presented by the VPN gateway is not valid.

Resolution
Procedure
Either
• Check whether the TRUSTCERTS parameter has been configured with the name of a file that
contains a PEM-format copy of the Certificate Authority (CA) certificate that signed the server’s
identity certificate; or
• Check whether the server certificate has expired.

40 VPN Setup Guide for 9600 Series IP Deskphones September 2015

Comments on this document? [email protected]
 Phone certificate invalid

Phone certificate invalid

Problem description
The VPN gateway has rejected the digital certificate presented by the phone.

Resolution
Procedure
Use SCEP to provision a new digital certificate in the phone.

IKE Phase 1 No Response

Problem description
A message was not received from the VPN gateway in response to a message sent by the phone.
Another cause might be that a Phase 1 parameter is not set correctly, causing the VPN gateway to
ignore the message from the phone.

Resolution
About this task
Either the VPN gateway is experiencing difficulties, or network congestion is interfering with
communication.
Procedure
If that is not the cause, check the following IKE Phase 1 parameters for compatibility:
• NVVPNSVENDOR
• NVVPNAUTHTYPE
• NVIKEDHGRP
• NVIKEP1AUTHALG
• NVIKEP1ENCALG
• NVIKEP1LIFESEC

September 2015 VPN Setup Guide for 9600 Series IP Deskphones 41

Comments on this document? [email protected]
Troubleshooting

IKE ID/PSK invalid

Problem description
The value in either system parameter NVIKEID or NVIKEPSK is invalid.

Resolution
Procedure
Verify that the current value is correct.

IKE Phase 1 failure

Problem description
An IKE Security Association could not be established between the phone and the VPN gateway.
Related Links
Resolution on page 42

Resolution
Procedure
Check the following IKE Phase 1 parameters for compatibility:
• NVIKEDHGRP
• NVIKEP1AUTHALG
• NVIKEP1ENCALG
• NVIKEP1LIFESEC
Related Links
IKE Phase 1 failure on page 42

IKE Phase 2 No Response

Problem description
A message was not received from the VPN gateway in response to a message sent by the phone.
Another cause might be that a Phase 2 parameter is not set correctly, causing the VPN gateway to
ignore the message from the phone.

42 VPN Setup Guide for 9600 Series IP Deskphones September 2015

Comments on this document? [email protected]
 IKE Phase 2 failure

Related Links
Resolution on page 43

Resolution
About this task
Either the VPN gateway is experiencing difficulties, or network congestion is interfering with
communication.
Procedure
If that is not the cause, check the following IKE Phase 2 parameters for compatibility:
• NVVPNSVENDOR
• NVVPNAUTHTYPE
• NVIKEDHGRP
• NVIKEP2AUTHALG
• NVIKEP2ENCALG
• NVIKEP2LIFESEC
Related Links
IKE Phase 2 No Response on page 42

IKE Phase 2 failure

Problem description
An IKE Security Association could not be established between the phone and the VPN gateway.

Resolution
Procedure
Check the following IKE Phase 2 parameters for compatibility:
• NVIKEDHGRP
• NVIKEP2AUTHALG
• NVIKEP2ENCALG
• NVIKEP2LIFESEC

September 2015 VPN Setup Guide for 9600 Series IP Deskphones 43

Comments on this document? [email protected]
Troubleshooting

IKE keep-alive failure

Problem description
A keep-alive message was not received from the VPN gateway for an extended interval.

Resolution
Procedure
Either the VPN gateway is experiencing difficulties or network congestion is interfering with
communication.

IKE SA expired
Problem description
The IKE Security Association was not renewed.

Resolution
Procedure
Check the security policy configured in the VPN gateway to ensure that it supports renewals for the
desired interval.

IPSec SA expired
Problem description
The IPSec Security Association was not renewed.

Resolution
Procedure
Check the security policy configured in the VPN gateway to ensure that it supports renewals for the
desired interval.

44 VPN Setup Guide for 9600 Series IP Deskphones September 2015

Comments on this document? [email protected]
 VPN tunnel terminated

VPN tunnel terminated

Problem description
The telephone is in VPN Sleep mode.

Resolution
Procedure
Press Wake Up to display an option to re-activate the VPN tunnel.

SCEP: Failed
Problem description
The telephone cannot enroll the certificate using SCEP from the call server.

Insert "ing" title

Procedure
1. Check to be sure that the following parameters are configured properly:
• MYCERTURL
• MYCERTCAID
• MYCERTCN
• MYCERTDN
• SCEPPASSWORD
• MYCERTKEYLEN
2. If the SCEP server is outside the corporate firewall, also check WMLPROXY.
Next steps
If the parameters are properly configured, check that the applicable server is setup and running
properly.

September 2015 VPN Setup Guide for 9600 Series IP Deskphones 45

Comments on this document? [email protected]
Appendix A: VPN parameters

VPN configuration profiles

Based on the value of NVVPNCFGPROF, the other persistent parameters listed inTable 2 below will
automatically be set to the value specified Column 2. If a value is not specified for a persistent
parameter in the table below, the value of the parameter will not be changed. If the value of
NVVPNCFGPROF is "0", no values will be set for the other persistent parameters shown here.
The administrator can set any of the parameters listed individually, however allowing them to be set
automatically ensures that related settings are correct.
Table 1: Security Gateway System Parameters

Supported Device as set by the administrator System Parameter Values (set automatically)
Checkpoint Security Gateway (NVVPNCFGPROF = Sets the following values (to):
2)
• NVIKECONFIGMODE (1)
• NVIKEID ("" - Null String)
• NVIKETYPE (11)
• NVIKEOVERTCP (1)
• NVIKEXCHANGEMODE (2)
• NVVPNAUTHTYPE (6)
• NVVPNSVENDOR (3)
Cisco PSK with XAUTH (NVVPNCFGPROF = 3) Sets the following values (to):
• NVIKECONFIGMODE (1)
• NVIKEID ("" - Null String)
• NVIKETYPE (11)
• NVIKEXCHANGEMODE (1)
• NVVPNAUTHTYPE (4)
• NVVPNSVENDOR (2)
Cisco Cert with XAUTH (NVVPNCFGPROF = 8) Sets the following values (to):
• NVIKECONFIGMODE (1)
• NVIKEID ("" - Null String)
Table continues…

46 VPN Setup Guide for 9600 Series IP Deskphones September 2015

Comments on this document? [email protected]
 VPN configuration profiles

Supported Device as set by the administrator System Parameter Values (set automatically)
• NVIKETYPE (11)
• NVIKEXCHANGEMODE (1)
• NVVPNAUTHTYPE (5)
• NVVPNSVENDOR (2)
Juniper PSK with XAUTH (NVVPNCFGPROF = 5) Sets the following values (to):
• NVIKECONFIGMODE (1)
• NVIKEID ("" - Null String)
• NVIKETYPE (3)
• NVIKEXCHANGEMODE (1)
• NVVPNAUTHTYPE (4)
• NVVPNSVENDOR (1)
Juniper Cert with XAUTH (NVVPNCFGPROF = 9) Sets the following values (to):
• NVIKECONFIGMODE (1)
• NVIKEID ("" - Null String)
• NVIKETYPE (9)
• NVIKEXCHANGEMODE (1)
• NVVPNAUTHTYPE (5)
• NVVPNSVENDOR (1)
Nortel Contivity (NVVPNCFGPROF = 11) Sets the following values (to):
• NVIKECONFIGMODE (11)
• NVIKEID ("" - Null String)
• NVIKETYPE (11)
• NVIKEXCHANGEMODE (1)
• NVVPNAUTHTYPE (3)
• NVVPNSVENDOR (5)
Any Security Device (Generic) with Preshared Key Sets the following values (to):
(PSK) (NVVPNCFGPROF = 6)
• NVIKECONFIGMODE (2)
• NVIKEID ("" - Null String)
• NVIKETYPE (3)
• NVIKEXCHANGEMODE (1)
• NVVPNAUTHTYPE (3)
• NVVPNSVENDOR (4)

September 2015 VPN Setup Guide for 9600 Series IP Deskphones 47

Comments on this document? [email protected]
VPN parameters

DHCPACK messages
If the value of NVVPNMODE is "1" and the value of VPNACTIVE is "0", the values of the following
parameters will be set based on the fields and options received in the DHCPACK message when
DHCP is in the INIT state (converting from binary to ASCII as necessary):
• The parameter EXTIPADD will be set to the value of the yiaddr field,
• The parameter EXTNETMASK will be set to the value of option #1 (if received),
• The parameter EXTGIPADD will be set to the first value of option #3 (if received, which may be
a list of IP addresses),
• The parameters DNSSRVR and EXTDNSSRVR will be set to the value of option #6 (if
received, which may be a list of IP addresses),
• The DHCP lease time for EXTIPADD will be set to the value of option #51 (if received),
• The DHCP lease renew time for EXTIPADD will be set to the value of option #58 (if received),
• The DHCP lease rebind time for EXTIPADD will be set to the value of option #59 (if received).
If the value of NVVPNMODE is "1" and the value of VPNACTIVE is "1", the values of the following
parameters will be set based on the fields and options received in the DHCPACK message
(converting from binary to ASCII as necessary):
• The parameters TLSSRVR and HTTPSRVR will be set to the value of the siaddr field if and
only if the siaddr field is non-zero,
• The parameter DNSSRVR will be set to the value of option #6 (if received, which may be a list
of IP addresses), and
• The parameter DOMAIN will be set to the value of option #15 (if received).

Time to service functionality

Important:
Some vendors may have gateways that interfere with TTS functionality. Avaya recommends
always setting the system parameter VPNTTS to "1" (On) unless you determine that your
gateway interferes with TTS. If you determine that your gateway interferes with TTS, set or
leave the VPNTTS default of "0" (Off), which turns off TTS.

48 VPN Setup Guide for 9600 Series IP Deskphones September 2015

Comments on this document? [email protected]
 VPN parameters

VPN parameters
Parameter name Default value Description and value range
ALWCLRNOTIFY 0 Specifies whether un-encrypted
ISAKMP Notification Payloads will
be accepted. One ASCII numeric
digit. Valid values are:
• 0 = Ignore a received
Notification Payload that is not
encrypted
• 1 = Accept a received
Notification Payload for further
processing.
HTTPPORT 80 TCP port number used for HTTP
file downloading. 2 to 5 ASCII
numeric digits. Valid values are
“80” through “65535”.

Note:
when the file server is on
Communication Manager, set
this value to “81” (port
required for HTTP
downloads) rather than the
using the default.
HTTPSRVR " " (Null) IP Address(es) or DNS Name(s) of
HTTP file servers used to
download telephone files. Dotted
decimal or DNS format, separated
by commas (0-255 ASCII
characters, including commas).
MYCERTCAID "CAIdentifier" Certificate Authority Identifier to be
used in a certificate request. 0 to
255 ASCII characters.
MYCERTCN "$SERIALNO" Common Name of the Subject of a
certificate request. 0 to 255 ASCII
characters that contain the string
"$SERIALNO" or "$MACADDR".
MYCERTKEYLEN 1024 Bit length of the private key to be
generated for a certificate request.
4 ASCII numeric digits, "1024"
through "2048".
MYCERTRENEW 90 Percentage of a certificate's
Validity interval after which
renewal procedures will be
Table continues…

September 2015 VPN Setup Guide for 9600 Series IP Deskphones 49

Comments on this document? [email protected]
VPN parameters

Parameter name Default value Description and value range

initiated. 1 or 2 ASCII numeric
digits, "1" through "99".
MYCERTURL " " (Null) URL to be used to contact an
SCEP server. 0 to 255 ASCII
characters, zero or one URL.
MYCERTWAIT 1 Specifies whether the telephone
will wait until a pending certificate
request is complete, or whether it
will periodically check in the
background. 1 ASCII numeric
digit, "0" or "1" as follows:
• 1 = If a connection to the SCEP
server is successfully
established, SCEP will remain in
progress until the request for a
certificate is granted or rejected.
• 0 = SCEP will remain in
progress until the request for a
certificate is granted or rejected
or until a response is received
indicating that the request is
pending for manual approval.
NORTELAUTH 1 Specifies user authentication
method for Nortel security
gateways. 1 ASCII numeric digit.
Valid values are:
• 1= Local credentials
• 2 = RADIUS credentials
• 3 = RADIUS SecurID
• 4 = RADIUS Axent
NVHTTPSRVR 0.0.0.0 VPN and non-VPN. HTTP file
server IP addresses used to
initialize HTTPSRVR the next time
the phone starts up. 0 to 255
ASCII characters: zero or more IP
addresses in dotted decimal or
DNS name format, separated by
commas without any intervening
spaces. As of Software Release
6.1, NVHTTPSRVR is provided for
VPN mode so that a file server IP
address can be preconfigured and
saved in non-volatile memory.
Table continues…

50 VPN Setup Guide for 9600 Series IP Deskphones September 2015

Comments on this document? [email protected]
 VPN parameters

Parameter name Default value Description and value range

NVIKECONFIGMODE 1 Enables IKE configuration mode. 1
ASCII numeric digit. Valid values
are:
• 1 = The ISAKMP configuration
method will be supported for
setting the following values:
- IPADD will be set from a
received value of
INTERNAL_IP4_ADDRESS,
- the IPADD lease time will be
set from a received value of
INTERNAL_ADDRESS_EXPI
RY,
- DNSSRVR will be set from
received value(s) of
INTERNAL_IP4_DNS,
- DHCPSRVR will be set from
received value(s) of
INTERNAL_IP4_DHCP, and
- NVIPSECSUBNET will be set
from received value(s) of
INTERNAL_IP4_SUBNET
• 2 = Disable/turn off this setting
because a generic PSK profile is
in effect.
NVIKEDHGRP 2 Specifies the Diffie-Hellman Group
to be used for establishing the IKE
SA. 1 or 2 ASCII numeric digits.
Valid values are:
• 1 = First Oakley Group
• 2 = Second Oakley Group
• 5 = 1536-bit MODP Group
• 14 = 2048-bit MODP Group
• 15 = 3072-bit MODP Group
For more information, see Section
4 in RFC 3526.
NVIKEID "VPNPHONE" Specifies the identity to be used
during IKE Phase 1 negotiation
(also called the group name in
XAUTH). 0 to 30 ASCII
characters.
Table continues…

September 2015 VPN Setup Guide for 9600 Series IP Deskphones 51

Comments on this document? [email protected]
VPN parameters

Parameter name Default value Description and value range

NVIKEIDTYPE 3 Specifies the type of identification
to use for establishing the IKE SA.
1 or 2 ASCII numeric digits. Valid
values are:
• 1 = ID_IPV4_ADDR
• 2 = ID_FQDN
• 3 = ID_USER_FQDN
• 9 = ID_DER_ASN1_DN
• 11= ID_KEY_ID
NVIKEOVERTCP 0 Specifies whether and when to
use TCP as a transport protocol
for IKE. 1 ASCII numeric digit.
Valid values are:
• 0 = Never use TCP as a
transport protocol for IKE.
• 1 = Auto; use IKE over UDP
first, and if that isn’t valid use
IKE over TCP.
• 2 = Always use TCP as the
transport protocol for IKE.
NVIKEP1AUTHALG 0 Specifies the authentication
algorithm to use during IKE Phase
1 negotiation. 1 ASCII numeric
digit. Valid values are:
• 0 = Any
• 1 = MD5 (per RFC 2403)
• 2 = SHA (per RFC 2404)
NVIKEP1ENCALG 0 Specifies the encryption algorithm
to use during IKE Phase 1
negotiation. 1 ASCII numeric digit.
Valid values are:
• 1 = AES-CBC-128 (per RFC
3602)
• 2 = 3DES-CBC (per RFC 2451)
• 3 = DES-CBC (per RFC 2405)
• 4 = AES-CBC-192 (per RFC
3602)
• 5 = AES-CBC-256 (per RFC
3602)
Table continues…

52 VPN Setup Guide for 9600 Series IP Deskphones September 2015

Comments on this document? [email protected]
 VPN parameters

Parameter name Default value Description and value range

NVIKEP1LIFESEC 432000 Specifies the IKE SA lifetime in
seconds. 3 to 8 ASCII numeric
digits. Valid values are: "600"
through "15552000".
NVIKEP2AUTHALG 0 Specifies the authentication
algorithm to use during IKE Phase
2 negotiation. 1 ASCII numeric
digit. Valid values are:
• 0 = Any
• 1 = MD5 (per RFC 2403)
• 2 = SHA (per RFC 2404)
NVIKEP2ENCALG 0 Specifies the encryption algorithm
to use during IKE Phase 2
negotiation. 1 ASCII numeric digit.
Valid values are:
• 1 = AES-CBC-128 (per RFC
3602)
• 2 = 3DES-CBC (per RFC 2451)
• 3 = DES-CBC (per RFC 2405)
• 4 = AES-CBC-192 (per RFC
3602)
• 5 = AES-CBC-256 (per RFC
3602)
NVIKEP2LIFESEC 432000 Specifies the IKE SA lifetime in
seconds. 3 to 8 ASCII numeric
digits. Valid values are: "600"
through "15552000".
NVIKEPSK " " (Null) Specifies the pre-shared key to be
used during IKE Phase 1
negotiation (also called the group
password in XAUTH. Zero to 30
ASCII characters.
NVIKEXCHGMODE 1 Specifies the IKE Phase 1
negotiation mode. 1 ASCII
numeric digit.Valid values are:
• 1 = Aggressive Mode.
• 2 = Main Mode Identity
Protection. (Per Section 5 in
RFC 2409.)
NVIPSECSUBNET 0.0.0.0/0 Specifies IP address ranges that
will use the VPN tunnel. 0 to 255
Table continues…

September 2015 VPN Setup Guide for 9600 Series IP Deskphones 53

Comments on this document? [email protected]
VPN parameters

Parameter name Default value Description and value range

ASCII characters: zero or more
dotted decimal IP address/integer
strings, separated by commas
without any intervening spaces.
NVMCIPADD 0.0.0.0 Call server IP Addresses. 0 to 255
ASCII characters: zero or more IP
addresses in dotted decimal or
DNS name format, separated by
commas without any intervening
spaces.
NVPFSDHGRP 0 Specifies the Diffie-Hellman Group
to be used for establishing the
IPsec SA (also known as PFS). 1
or 2 ASCII numeric digits. Valid
values are:
• 1 = First Oakley Group
• 2 = Second Oakley Group
• 5 = 1536-bit MODP Group
• 14 = 2048-bit MODP Group
• 15 = 3072-bit MODP Group
For more information, see Section
4 in RFC 3526.
NVSGIP " " (Null) VPN security gateway IP
addresses. 0 to 255 ASCII
characters: zero or more IP
addresses in dotted decimal or
DNS name format, separated by
commas without any intervening
spaces.
NVTLSSRVR 0.0.0.0 VPN and non-VPN. HTTPS file
server IP addresses used to
initialize TLSSRVR the next time
the phone starts up. 0 to 255
ASCII characters: zero or more IP
addresses in dotted decimal or
DNS name format, separated by
commas without any intervening
spaces.
NVVPNAUTHTYPE 3 Specifies the user authentication
method. 1 ASCII numeric digit.
Valid values are:
• 3 = Pre-Shared Key (PSK)
• 4 = PSK with XAUTH
Table continues…

54 VPN Setup Guide for 9600 Series IP Deskphones September 2015

Comments on this document? [email protected]
 VPN parameters

Parameter name Default value Description and value range

• 5 = RSA signatures with XAUTH
• 6 = Hybrid XAUTH
• 7 = RSA Signatures
NVVPNCFGPROF 0 VPN configuration profile. 1 or 2
ASCII numeric digits. Valid values
are: "0", "1", "2", "3", "5", "6", "8",
"9" or "11". See VPN configuration
profiles on page 46 for information
and a description of valid values.
NVVPNCOPYTOS 2 Specifies whether to copy the TOS
bits from the tunneled (inner) IP
header to the tunnel (outer) IP
header. 1 ASCII numeric digit.
Values are:
• 1 = the value of the TOS bits will
be copied from the inner IP
header to the outer IP header.
• 2 = the TOS bits of the outer IP
header will be set to 0.
NVVPNENCAPS 0 Specifies port numbers used for
IKE and IPsec UDP
encapsulation, and support for
NAT traversal. 1 ASCII numeric
digit. Valid values are:
• 0 = Procedures for the
negotiation of NAT traversal will
be supported as specified in
IETF RFC 3947, except that IKE
negotiation will begin with a
source port of 2070 (instead of
500), and that source port will
continue to be used unless the
source and destination port
numbers are changed to 4500
per RFC 3947.
• 1 = UDP encapsulation of the
"inner" IP layer will not be
provided. The procedures for the
negotiation of NAT traversal
specified in IETF RFC 3947 will
not be supported.
• 2 = Procedures for the
negotiation of NAT traversal will
be supported as specified in
IETF RFC 3947, except that IKE
Table continues…

September 2015 VPN Setup Guide for 9600 Series IP Deskphones 55

Comments on this document? [email protected]
VPN parameters

Parameter name Default value Description and value range

will use a source port of 2070,
and the source and destination
port numbers will not be
subsequently changed. UDP
encapsulation of the "inner" IP
layer will be supported as
specified in RFC 3948 [7.3-41c],
using the same UDP source and
destination port numbers that
were used during the final phase
of IKE
• 4 = Procedures for the
negotiation of NAT traversal will
be supported as specified in
IETF RFC 3947. UDP
encapsulation of the "inner" IP
layer will be supported as
specified in RFC 3948 [7.3-41c],
using the same UDP source and
destination port numbers that
were used during the final phase
of IKE
NVVPNMODE 0 Specifies whether VPN is
supported. 1 ASCII numeric digit.
Valid values are:
• 0 = VPN is not supported.
• 1 = VPN is supported.
See DHCPACK Messages for
additional information.
NVVPNPSWD " " (Null) User password for VPN. If the
user password can be stored in
NV memory (see
NVVPNPSWDTYPE below), it is
stored as the value of
NVVPNPSWD. 0 to 30 ASCII
characters.
NVVPNPSWDTYPE 1 Specifies whether and how the
VPN user password will be stored.
1 ASCII numeric digit. Valid values
are:
• 1 = Password can be
alphanumeric and is stored in
reprogrammable non-volatile
memory as the NVVPNPSWD
value.
Table continues…

56 VPN Setup Guide for 9600 Series IP Deskphones September 2015

Comments on this document? [email protected]
 VPN parameters

Parameter name Default value Description and value range

• 2 = Password can be
alphanumeric and is stored in
volatile memory but will be
cleared when the phone resets.
• 3 = Password can be numeric
only and is stored in volatile
memory that is cleared
immediately after first-time
password use.
• 4 = Password can be
alphanumeric and is stored in
volatile memory that is cleared
immediately after first-time
password use.
• 5 = Password can be
alphanumeric and is stored in
volatile memory that is cleared
when the user invokes VPN
Sleep Mode and when the
telephone resets.
NVVPNSVENDOR 4 Specifies the IKE implementation
to use. 1 ASCII numeric digit.
Valid values are:
• 1 = Juniper PSK with XAUTH or
Juniper Cert with XAUTH
• 2 = Cisco PSK with XAUTH or
Cisco Cert with XAUTH
• 3 = Checkpoint Security
Gateway
• 4 = Generic PSK
• 5 = Nortel Contivity
• See VPN configuration
profiles on page 46for
information on automatically-set
parameters based on this
NVVPNSVENDOR setting.
NVVPNUSER " " (Null) Specifies the user name to use
during authentication. 0 to 30
ASCII characters.
NVVPNUSERTYPE 1 Specifies whether the user can
change the VPN username. 1
Table continues…

September 2015 VPN Setup Guide for 9600 Series IP Deskphones 57

Comments on this document? [email protected]
VPN parameters

Parameter name Default value Description and value range

ASCII numeric digit. Valid values
are:
• 1 = User can change VPN user
name
• 2 = User cannot change VPN
user name
NVXAUTH 1 Specifies whether to disable
XAUTH user authentication for
profiles that enable XAUTH by
default. 1 ASCII numeric digit.
Valid values are:
• 1= XAUTH user authentication
enabled
• 2 = XAUTH user authentication
disabled
SCEPPASSWORD "$SERIALNO" Specifies a challenge password
for SCEP. Zero to 32 ASCII
characters
TLSPORT 411 TCP port number used for HTTP
file downloading. 2 to 5 ASCII
numeric digits. Valid values are
"80" through "65535".
TLSSRVRID 1 Controls whether the identity of a
TLS server is checked against its
certificate. 1 ASCII numeric digit.
Valid values are:
• 1=Provides additional security
by checking to verify that the
server certificate’s DNS name
matches the DNS name used to
contact the server.
• 0=Certificate is not checked
against the DNS name used to
contact the server.
VPNACTIVE 0 Indicates whether a VPN tunnel
has been established. Valid values
are:
• 0 = VPN tunnel not established.
• 1 = VPN tunnel established.
If an existing VPN tunnel fails,
VPNACTIVE will be set to "0",
IPADD will be set to "0.0.0.0",
Table continues…

58 VPN Setup Guide for 9600 Series IP Deskphones September 2015

Comments on this document? [email protected]
 VPN parameters

Parameter name Default value Description and value range

DNSSRVR will be set to the value
of EXTDNSSRVR, DOMAIN will
be set to null, the backlight will be
turned on, the display will be
cleared, and the name/logo image
will be displayed. Also see
DHCPACK messages on page 48
for additional information.
VPNCODE 876 VPN procedure access code;
default is "VPN" on the dialpad.
Zero to 7 ASCII numeric digits,
null ("") and "0" through
"9999999".
VPNPROC 1 Specifies whether VPNCODE can
be used to access the VPN
procedure at all, in view-only
mode, or in view/ modify mode. 1
ASCII numeric digit. Valid values
are:
• 0 = User cannot access VPN
settings/information.
• 1= The user can view the VPN
Settings Screen but cannot
change VPN settings.
• 2 = User has the ability to view
and change VPN settings.
VPNTTS 0 Turns off Time to Service (TTS)
support when a VPN gateway may
not allow TTS functionality to
work. Valid values are:
• 0 = TTS is not supported by the
security gateway; turn off TTS
functionality for VPN operation.
• 0 = TTS is not supported by the
security gateway; turn off TTS
functionality for VPN operation.

September 2015 VPN Setup Guide for 9600 Series IP Deskphones 59

Comments on this document? [email protected]
Glossary

CA Certificate Authority, the entity which issues digital certificates for use by
other parties.

DH Group A number that determines the public parameters used by the Diffie-Hellman
key exchange. To successfully establish a shared secret key, both parties
must use the same DH group.

Diffie -Hellman key A key agreement algorithm based on the use of two public parameters p
exchange and g that may be used by all users in a system. Parameter p is a prime
number and parameter g (usually called a generator) is an integer less than
p.

Digital Certificate The digital equivalent of an ID card used in conjunction with a public key
encryption system. Digital certificates are issued by a trusted third party
known as a “Certificate Authority” (CA) such as VeriSign
(www.verisign.com). The CA verifies that a public key belongs to a specific
company or individual (the “Subject”), and the validation process the public
key goes through to determine if the claim of the subject is correct and
depends on the level of certification and the CA.

Digital Signature A digital signature is an encrypted digest of the file being signed. The file
can be a message, a document, or a driver program. The digest is
computed from the contents of the file by a one-way hash function such as
MD5 or SHA-1 and then encrypted with the private part of a public or
private key pair. To prove that the file was not tampered with, the recipient
uses the public key to decrypt the signature back into the original digest,
recomputes a new digest from the transmitted file and compares the two to
see if they match. If they do, the file has not been altered in transit by an
attacker.

HTTP Hypertext Transfer Protocol, used to request and transmit pages on the
World Wide Web.

HTTPS A secure version of HTTP.

IETF Internet Engineering Task Force, the organization that produces standards
for communications on the Internet.

60 VPN Setup Guide for 9600 Series IP Deskphones September 2015

Comments on this document? [email protected]
 IKE

IKE Internet Key Exchange Protocol, RFC 2409, which is now replaced by
IKEv2 in RFC 4306.

IPsec A security mechanism for IP that provides encryption, integrity assurance,

and authentication of data. Applies only to IPv4.

ISAKMP Internet Security Association and Key Management Protocol, RFC 2408,
ISAKMP has been replaced by IKEv2 in RFC 4306. ISAKMP defines the
procedures for authenticating a communicating peer, creation and
management of Security Associations (SA), key generation techniques, and
threat mitigation. Example: Denial of service and Replay Attacks. ISAKMP
defines two phases of negotiation. During Phase 1 negotiation, two entities
establish an ISAKMP SA, which is used to protect Phase 2 negotiations
establish SAs for other protocols.

Refresh/Rekey Use IKE to create a new SA with a new SPI.

RSA Rivest-Shamir-Adleman: A highly secure asymmetric cryptography method

developed by RSA Security, Inc. that uses a public and private key pair.
The private key is kept secret by the owner and the public key is published,
usually in a digital certificate. Data is encrypted using the public key of the
recipient, which can only be decrypted by the private key of the recipient.
RSA is very computation intensive, thus it is often used to encrypt a
symmetric session key that is then used by a less computationally-intensive
algorithm to encrypt protocol data during a “session”. You can also use
RSA for authentication by creating a digital signature, for which the private
key of the sender is used for encryption, and the public key of the sender' is
used for decryption.

RTP Real-time Transport Protocol. Provides end-to-end services for real-time

data such as voice over IP.

SA Security Association, a security protocol, for example, IPSEC, TLS, and a

specific set of parameters that completely define the services and
mechanism necessary to protect security at that security protocol location.
These parameters can include algorithm identifiers, modes, cryptographic
keys, etc. The SA is referred to by its associated security protocol, for
example, ISAKMP SA, ESP SA, and TLS SA.

SCEP Simple Certificate Enrollment Protocol, used to obtain a unique digital

certificate.

SDP Session Description Protocol. A well-defined format for conveying sufficient

information to discover and participate in a multimedia session.

Signaling Channel Encryption of the signaling protocol exchanged between the IP telephone
Encryption and the call server. Signaling channel encryption provides additional
security to the security provided by media channel encryption.

September 2015 VPN Setup Guide for 9600 Series IP Deskphones 61

Comments on this document? [email protected]
Glossary

SNTP Simple Network Time Protocol. An adaptation of the Network Time Protocol
used to synchronize computer clocks in the internet.

SOHO Small Office Home Office. The environment for which a virtual private
network (VPN) is administered.

SPD Security Policy Database. Specifies the policies that determine the
disposition of all IP traffic inbound or outbound from a host or security
gateway IPsec implementation.

SPI Security Parameter Index. An identifier for a Security Association, relative

to some security protocol. Each security protocol has its own “SPI-space”.

SRTCP Secure Real-time Transport Control Protocol.

SRTP Secure Real-time Transport Protocol.

system -specific Specific to a particular type of call server. For example, Avaya
Communication Manager or SIP Enablement Services (SES). System-
specific signaling refers to messages specific to the signaling protocol used
by the system. For example, H.323 and/or CCMS messages used by CM
and IP Office, or SIP messages that possibly include system-specific
headers used by SES. System-specific procedures refers to procedures in
deskphone software that are specific to the call server with which the
software is to be used.

TCP/IP Transmission Control Protocol/Internet Protocol, a network-layer protocol

used on LANs and internets.

TFTP Trivial File Transfer Protocol, used to provide downloading of upgrade

scripts and application files to certain IP telephones.

TLS Transport Layer Security, an enhancement of Secure Sockets Layer (SSL).

TLS is compatible with SSL 3.0 and allows for privacy and data integrity
between two communicating applications.

URI & URL Uniform Resource Identifier and Uniform Resource Locator. Names for the
strings used to reference resources on the Internet. For example,
HTTP://..... URI is the newer term.

VPN Virtual Private Network, a private network constructed across a public

network such as the Internet. A VPN can be made secure, even though the
network uses using existing Internet connections to carry data
communication. Security measures involve encrypting data before sending
data across the Internet and decrypting the data at the other end. To add
an additional level of security, you can encrypt the originating and receiving
network address.

62 VPN Setup Guide for 9600 Series IP Deskphones September 2015

Comments on this document? [email protected]
Index
Numerics D
VPNs ....................................................................................10 Data
9600–series .................................................................. 10 changing ....................................................................... 26
4600–series VPNs ............................................................... 10 Changing data .............................................................. 26
9600–series deskphone DHCPACK messages ..........................................................48
deploying to end-user ................................................... 16 Documentation
9600–series IP deskphone online .............................................................................. 8
installing ........................................................................16 related .............................................................................8
9600–series VPNS .............................................................. 10
E
A
Entering new VPN user name ............................................. 35
About this guide ..................................................................... 7
Authentication
pre-requisites for ...........................................................15
F
Avaya (A) Menu Functionality
using ....................................................................... 18, 23 time to service .............................................................. 48

B G
Bad gateway DNS name ..................................................... 40 Gateway certificate
invalid ........................................................................... 40
C General VPN settings .......................................................... 27
Generic authentication type screen ..................................... 28
Certificate
phone ............................................................................39
change history ....................................................................... 8
I
Changing VPN password .....................................................29 IKE ................................................................................. 42–44
Changing VPN settings ........................................................23 SA expired .................................................................... 44
Communication Manager IKE ID/PSK
preparing ...................................................................... 15 invalid ........................................................................... 42
Configuration IKE keep-alive
invalid ........................................................................... 39 failure ............................................................................44
Configuration preparation .................................................... 13 IKE over TCP screen ........................................................... 32
procedure ..................................................................... 13 IKE phase 1
Configuration requirements failure ............................................................................42
preliminary .................................................................... 12 IKE Phase 1 screen ............................................................. 30
Configuration screens IKE phase 2
navigating ..................................................................... 26 failure ............................................................................43
Configuring VPN IKE Phase 2
introduction ................................................................... 12 no response ..................................................................42
Craft IKE Phase 2 screen ............................................................. 31
accessing during normal telephone operation ..............25 IKE Phase I
Craft menu ........................................................................... 24 no response ..................................................................41
accessing during telephone startup ..............................25 IKE PSK screen ................................................................... 30
Current password IKE SA expired .................................................................... 44
accepting ...................................................................... 36 Installing the 9600–Series IP deskphone ............................ 16
Accepting the current password ................................... 36 Intended audience ................................................................. 7
Customer support .................................................................. 8 Invalid certificate .................................................................. 41
Invalid configuration .............................................................39
IP address screen ................................................................33

September 2015 VPN Setup Guide for 9600 Series IP Deskphones 63

Comments on this document? [email protected]
Index

IPSec IKE Phase 2 ..................................................................31

SA expired .................................................................... 44 IKE PSK ........................................................................30
IPSec SA expired .................................................................44 IP address .................................................................... 33
user credentials ............................................................ 28
VPN password entry .....................................................35
L VPN settings
legal notices ............................................................................. general .................................................................. 27
Local Administrative menu ...................................................24 VPN text entry .............................................................. 32
VPN user name entry ................................................... 34
Security Gateway
M preparing ...................................................................... 13
Settings
Messages
viewing ..........................................................................19
DHCPACK .................................................................... 48
VPN .............................................................................. 19
Simple enrollment certificate protocol ..................................14
N Sleep mode
VPN .............................................................................. 37
Need IKE ID/PSK .................................................................38 Supported third-party security gateways ............................. 10
New VPN user name
entering .........................................................................35
No DNS server response .....................................................39 T
Third-party security gateways
O supported ......................................................................10
Time to service .................................................................... 48
Online documentation ............................................................8

U
P
User authentication ..............................................................34
Parameters User credentials screen ....................................................... 28
VPN .............................................................................. 49 User name
Password accepting ...................................................................... 35
VPN reuse .................................................................... 35
phase 1 failure ..................................................................... 42
phase 2 failure ..................................................................... 43 V
phone ...................................................................................41
Viewing the VPN settings screen .........................................19
Phone certificate .................................................................. 39
Viewing VPN settings .......................................................... 18
invalid ........................................................................... 41
VPN
Preliminary configuration requirements ............................... 12
sleep mode ................................................................... 37
Profiles
VPN authentication
VPN configuration .........................................................46
failure ............................................................................38
VPN configuration profles .................................................... 46
R VPN Overview ....................................................................... 9
VPN parameters .................................................................. 49
Related documentation ..........................................................8 VPN password
revision history .......................................................................8 changing ....................................................................... 29
VPN password entry screen ................................................ 35
S VPN password reuse screen ............................................... 35
VPN settings
SCEP ................................................................................... 14 changing ....................................................................... 23
failed ............................................................................. 45 configuring .................................................................... 14
SCEP failed ......................................................................... 45 viewing ..........................................................................18
Screens viewing or changing using the VPN special procedure 26
general VPN settings ....................................................27 VPN settings screen
Generic authentication type ..........................................28 viewing ..........................................................................19
IKE over TCP ................................................................32 VPN sleep mode ............................................................34, 37
IKE Phase 1 ..................................................................30 VPN special procedure ........................................................ 24

64 VPN Setup Guide for 9600 Series IP Deskphones September 2015

Comments on this document? [email protected]
 Index

VPN system parameters

configuring .................................................................... 15
VPN text entry screen ..........................................................32
VPN tunnel
failure ............................................................................38
terminated .....................................................................45
VPN user name entry screen ...............................................34

September 2015 VPN Setup Guide for 9600 Series IP Deskphones 65

Comments on this document? [email protected]