[ScreenOS] Basic Dial-up VPN configuration with the Avaya VPNremote Phone

  [KB25012]


Summary:
 This article provides information on how to configure the SSG device to support the Avaya VPNremote Phone.

The Avaya VPNremote Phone is a software based Virtual Private Network (VPN) client that is integrated into the firmware of an Avaya IP Telephone. This enhancement allows the Avaya IP Telephone to be plugged in and used seamlessly over a secure VPN from any broadband Internet connection. The end user experiences the same IP telephone features, as if they were using the phone in the office.
Symptoms:
 This article provides information on how to implement the following features on SSG:
 
  • Policy based IPSec VPN:
     
    • The policy-based VPN feature allows a VPN Tunnel to be directly associated with a security policy, as opposed to a route-based VPN being bound to a logical VPN Tunnel interface.

    • As no network exists beyond a VPN client end-point, policy-based VPN tunnels are a good choice for VPN end-point configurations, such as with the Avaya VPNremote phone.

  • XAuth user authentication:
     
    • The XAuth protocol authenticates individual users of the VPNremote phone. It is in addition to the IKE IPSec VPN authentication. The IKE and XAuth authentication procedures on the Avaya VPNremote Phone are:
       
      • Phase 1 negotiations: The firewall authenticates the Avaya VPNremote phone by matching the IKE ID and Pre-Shared key, which is sent by the Avaya VPNremote phone. If there is a match, the Juniper SSG XAuth process is started.

      • XAuth: The firewall's XAuth server prompts the Avaya VPNremote Phone for user credentials (username and password). If the Avaya VPNremote phone is configured to store user credentials in flash memory, it responds to the Juniper firewall with the stored credentials without user involvement. Otherwise, the Avaya VPNremote Phone displays a prompt for the username and password to be entered manually.

      • Phase 2 negotiations: When the XAuth user authentication is successful, Phase 2 negotiations are started.

  • XAuth Dynamic IP address assignment:
     
    • The XAuth protocol enables the firewall to dynamically assign IP addresses from a configured IP Address pool range.

    • The assignment of IP address ranges to Avaya VPNremote Phones enables Avaya Communication Manager to map the Avaya VPNremote phones to IP Network Regions.

  • Shared IKE Group ID:
     
    • The shared IKE ID feature of the firewall facilitates the deployment of a large number of dialup IPSec VPN users.

    • With this feature, the security device authenticates multiple dialup VPN users via a single group IKE ID and pre-shared key.

    • This provides IPSec protection for large remote user groups via a common VPN configuration.

    • XAuth user authentication must be used when the Shared IKE Group ID is implemented.
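
The Phase 1, XAuth and Phase 2 sequence described above, as an added illustrative model in Python (not ScreenOS code and not from the article): the gateway side checks the shared IKE ID and pre-shared key, enforces the per-identity login limit, authenticates the XAuth user, hands out a pool address and only then proceeds to Phase 2. All names, passwords and addresses are constructed.

```python
"""Illustrative model, written for this page (not ScreenOS code), of the dialup
sequence: IKE Phase 1 (shared IKE ID + pre-shared key), XAuth, then Phase 2."""
from __future__ import annotations
import hmac
from dataclasses import dataclass

@dataclass
class IkeUser:             # the shared IKE identity used by every phone
    psk: str
    share_limit: int       # "Number of Multiple Logins with Same ID"
    active: int = 0        # tunnels currently established with this identity

@dataclass
class Gateway:
    ike_users: dict[str, IkeUser]
    xauth_users: dict[str, str]   # XAuth username -> password (local XAuth server)
    pool: list[str]               # free addresses left in the XAuth IP pool
    xauth_enabled: bool = True    # required when a shared IKE group ID is used

    def negotiate(self, ike_id: str, psk: str, creds: tuple[str, str] | None) -> dict:
        """Run one phone's negotiation; returns the stage reached and the outcome."""
        user = self.ike_users.get(ike_id)
        # Phase 1: both the IKE ID and the pre-shared key must match.
        if user is None or not hmac.compare_digest(user.psk, psk):
            return {"stage": "phase1", "ok": False, "reason": "ike id/psk mismatch"}
        if user.active >= user.share_limit:
            return {"stage": "phase1", "ok": False, "reason": "share limit reached"}
        # XAuth: the phone answers from stored credentials or prompts the user
        # (creds is None when nothing was entered).
        if not self.xauth_enabled:
            return {"stage": "xauth", "ok": False, "reason": "xauth not enabled"}
        if creds is None or creds[0] not in self.xauth_users \
                or not hmac.compare_digest(self.xauth_users[creds[0]], creds[1]):
            return {"stage": "xauth", "ok": False, "reason": "bad user credentials"}
        if not self.pool:
            return {"stage": "xauth", "ok": False, "reason": "ip pool exhausted"}
        addr = self.pool.pop(0)   # dynamic address from the configured pool
        user.active += 1
        # Phase 2 negotiation starts only after XAuth succeeded.
        return {"stage": "phase2", "ok": True, "user": creds[0], "ip": addr}

def demo() -> list[dict]:
    """Constructed sample: one shared IKE ID allowing two concurrent tunnels."""
    gw = Gateway({"vpnphone@avaya.com": IkeUser("s3cret", share_limit=2)},
                 {"owen": "pw1", "garrett": "pw2", "evan": "pw3"}, ["10.1.2.1", "10.1.2.2"])
    return [gw.negotiate("vpnphone@avaya.com", "wrong", ("owen", "pw1")),
            gw.negotiate("vpnphone@avaya.com", "s3cret", ("owen", "pw1")),
            gw.negotiate("vpnphone@avaya.com", "s3cret", ("garrett", "bad")),
            gw.negotiate("vpnphone@avaya.com", "s3cret", ("garrett", "pw2")),
            gw.negotiate("vpnphone@avaya.com", "s3cret", ("evan", "pw3"))]
```

The fifth attempt fails in Phase 1 because the share limit of two is already used, which is the situation the Number of Multiple Logins with Same ID setting must be sized to avoid.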
Solution:
For the SSG firewall configuration, perform the following procedure. It configures Ethernet 0/0 in the Trust security zone, facing the internal corporate network, and Ethernet 0/2 in the Untrust security zone, facing the public internet. The Avaya VPNremote Phone communicates with Ethernet 0/2 when establishing the IPSec tunnel.

Configuring the Ethernet 0/0 interface:
 
  1. From the left navigation menu, go to Network > Interfaces and click Edit for ethernet0/0:


  2. In the Ethernet 0/0 properties page, configure the highlighted fields (in the image below). All the remaining fields can be left with their default values or settings. Select OK to save the changes.



Configuring the Ethernet 0/2 Interface:
 
  1. From the Network Interfaces List, click Edit for ethernet 0/2:


  2. In the ethernet 0/2 properties page, configure the highlighted fields (in the image below). All the remaining fields can be left with their default values or settings. Select OK to save the changes.


Configuring the IP address pool:
 
  • The XAuth protocol enables the firewall to dynamically assign IP addresses from a configured IP Address pool range to IPSec clients, such as the Avaya VPNremote phone.

  • Controlling the assignment of IP address ranges to Avaya VPNremote Phones enables Avaya Communication Manager to map the Avaya VPNremote phones to IP Network Regions.

To create the IP address pool, perform the following procedure:
 
  1. From the left navigation menu, select Objects > IP Pools and on the IP Pools list page, click New.

  2. From the IP Pools Edit page, populate the highlighted fields (in the image below) and click OK to save it:



    The IP Pool Name is a descriptive name for this IP pool; once configured, it is shown in the IP Pools list. Ensure that the IP address range does not conflict with addresses used anywhere on the corporate trusted network.

  3. The IP Pools list page displays the new address pool entry:


Routes configuration:

The sample configuration requires two new route entries in the Juniper SSG routing table: one for the default route and one for the network address range entered for the IP Address Pool. Even though several routing options exist in the firewall, static routes are used for this sample configuration.

Configuring the default route:
 
  1. From the left navigation menu, go to Network > Routing > Destination; the Route Entries screen is displayed. Select trust-vr from the drop-down menu and then click New:


  2. Configure the highlighted fields (in the image below). All remaining fields can be left with their default setting or value. Click OK to save the settings.



    The 0.0.0.0/0 network is the default route, used when no other match exists in the routing table. It points to the next-hop gateway out of interface Ethernet 0/2 toward the public internet.


Configure a route to the IP Pool Address range:
 
  1. In the Route Entries screen, select trust-vr from the drop-down menu and then click New.

  2. Configure the highlighted fields (in the image below). All the remaining fields can be left with their default setting or value. Click OK to save the settings.



    The IP Address / Netmask is the network that is used for the IP Address Pool.

Local User Configuration

The sample configuration includes two different user types: IKE users and XAuth users. IKE users are typically associated with a device, such as the Avaya VPNremote phone, and are used to authenticate the device itself during establishment of the IPSec tunnel.

XAuth users are remotely authenticated users who access a head-end security gateway via an AutoKey IKE VPN tunnel. Whereas authenticating an IKE user authenticates an individual's device (the Avaya VPNremote phone), authenticating an XAuth user authenticates the individual.

IKE User

To create an IKE user to be used by Avaya VPNremote phones for IKE authentication, perform the following procedure:
  1. From the left navigation menu, go to Objects > User > Local > New.

  2. Configure the highlighted fields (in the image below). All remaining fields can be left with their default setting or value. Click OK to save the setting.



    The Number of Multiple Logins with Same ID parameter specifies how many end-points can concurrently establish IPSec tunnels using this identity. This number must equal or exceed the number of Avaya VPNremote phones that access this firewall.

    The IKE Identity, combined with a Pre-Shared Key, identifies the end-point when the initial IKE Phase 1 dialog begins. The IKE Identity takes the form of an email address. As described earlier, the Group Name field of the Avaya VPNremote phone must match this IKE Identity string. vpnphone@avaya.com is used in these Application Notes; however, any email address string can be used.

  3. The local Users list page displays the new IKE user.

XAuth Users

Three XAuth user accounts (owen, garrett, and evan) are created in the sample configuration for the users of the Avaya VPNremote phones. The procedure below creates the user account for owen. Perform the same procedure to create the accounts for the other users.

The XAuth server of the Juniper firewall authenticates these users. Each user of an Avaya VPNremote phone must be given their user name and password. Users are prompted on the phone display to enter this information as the Avaya VPNremote phone establishes the IPSec tunnel, or the credentials can be stored in the VPNremote Phone's flash memory.

 
  1. From the left navigation menu, go to Objects > User > Local > New.

  2. Configure the highlighted fields (in the image below). All remaining fields can be left with their default setting or value. Click OK to save the setting.


  3. The local Users list page displays the new XAuth users:




Local User Group Configuration

User groups allow one policy to be created for the group, and that policy is automatically applied to all members of the group. This eliminates the need to create policies for each individual user. The sample configuration includes two different types of user groups, IKE and XAuth. The IKE and XAuth users created above must now be added to an IKE group and an XAuth group respectively.

IKE User Group:
  1. From the left navigation menu, go to Objects > User > Local Groups > New.



    Type a descriptive Group Name. Select the vpnphone-ike user name from the Available Members column on the right. Select the << icon to move the user name to the Group Members column on the left. Click OK to save the setting.

  2. The Local Groups list page displays the new IKE group.

XAuth User Group:
 
  1. From the left navigation menu, go to Objects > User > Local Groups > New:



    Type a descriptive Group Name. Select the owen, garrett and evan user names from the Available Members column on the right. Select the << icon to move them to the Group Members column on the left. Select OK to save.

  2. The Local Groups list page displays the new XAuth group:



VPN

Setting up the VPN tunnel encryption and authentication is a two-phase process:
 
  • Phase 1 is the process in which the Avaya VPNremote phone and the Juniper SSG device securely negotiate and build the tunnel.

  • Phase 2 involves how the data, which passes through the tunnel, will be encrypted at one end and decrypted at the other. This process is carried out on both sides of the tunnel.

AutoKey IKE Gateway Configuration - Phase 1:
 
  1. From the left navigation menu, go to VPNs > AutoKey Advanced > Gateway.

  2. Click New. Configure the highlighted fields (in the image below). All remaining fields can be left with their default setting or value.



    Provide a descriptive Gateway Name. Selecting the Custom security level provides access to the more complete list of proposals available on this Juniper firewall.

    Selecting the Dialup User Group radio button associates the vpnphone-grp group to this IKE gateway. Type an ASCII text string for a Pre-shared Key, which will match the text that is entered on the Avaya VPNremote Phone. The Outgoing Interface is the interface that terminates the VPN tunnel. Select Advanced to access additional configuration options.

  3. Configure the highlighted fields (in the below image). All the remaining fields can be left with their default setting or value. Click Return to complete the advanced configuration and then OK to save the setting. Select the Custom security level and the appropriate Phase 1 Proposal from the drop-down menu. Refer to Table 3 – IKE P1 / P2 Proposals.

    Aggressive Mode must be used for end-point negotiations such as the Avaya VPNremote phone. Enabling NAT-Traversal allows the IPSec traffic, after Phase 2 negotiations are complete, to traverse a Network Address Translation (NAT) device.

    The Juniper SSG device first checks if a NAT device is present in the path between itself and the Avaya VPNremote phone. If a NAT device is detected, the Juniper SSG device uses UDP to encapsulate each IPSec packet.


  4. As the IKE group was selected in Step 1, the following pop-up window is displayed; it is a reminder to enable the XAuth server. Click OK:


  5. The AutoKey Advanced > Gateway list page displays the new gateway:




AutoKey IKE VPN Tunnel Configuration - Phase 2
  1. From the left navigation menu, go to VPNs > AutoKey IKE.

  2. Click New. Configure the highlighted fields (in the image below). All the remaining fields can be left with their default setting or value:



    Provide a descriptive VPN Name. Selecting the Custom security level provides access to a more complete list of proposals, which are available on the Juniper SSG device. Select the Predefined radio button for the Remote Gateway and select vpnphone-gw from the drop-down menu. Click Advanced to access additional configuration options.

  3. Configure the highlighted fields (in the image below). All the remaining fields can be left with their default setting or value. Click Return to complete the advanced configuration and then OK to save the setting.



XAuth configuration:
 
  1. From the left navigation menu, go to VPNs > AutoKey Advanced > XAuth Settings.

Enable XAuth Authentication for the AutoKey IKE gateway:
 
  1. From the left navigation menu, go to VPNs > AutoKey Advanced > Gateway. Click Xauth under the Configure column for the vpnphone-gw IKE gateway:


  2. Configure the highlighted fields (in the image below). All the remaining fields can be left with their default value or setting. Click OK to save the settings:


H.323 ALG:

From the left navigation menu, go to Configuration > Advanced > ALG > Configure. Clear the H323 check box to globally disable the H.323 Application Layer Gateway.




Security Policies:
 
  1. Create a security policy for the traffic that is flowing from the Untrust zone to the Trust zone. At the top of the Policies page, select Untrust from the From drop-down menu and Trust from the To drop-down menu. Click the New button, which is located at the top right corner of the page, to create the new security policy.

  2. Configure the highlighted fields (in the image below). All the remaining fields can be left with their default setting or value. Click OK to save the settings.



    Type a descriptive Policy Name to easily identify this policy in the policy list and logs. Selecting Dial-Up VPN from the Source Address drop-down menu and Any from the Destination Address drop-down menu defines the VPN tunnel as the traffic originator.

    Selecting Tunnel from the Action drop-down menu sets the action that the SSG device takes on traffic matching the first three criteria of the policy: Source Address, Destination Address, and Service. All matching traffic is associated with the VPN tunnel specified in the Tunnel field. Selecting vpnphone-vpn from the Tunnel VPN drop-down menu associates the VPNremote phone's VPN tunnel with the Action.

    Select the Modify matching bidirectional VPN policy checkbox so that the SSG device creates a matching VPN policy for traffic flowing in the opposite direction.

  3. The Policies list page displays the new Dial-Up VPN policy:
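
A consistency check over the settings the procedure above configures, added here and not part of the article: it verifies the constraints the text states (the pool outside the trusted networks, a static route for the pool plus a default route, a share limit covering every phone, an email-form IKE ID, aggressive mode, XAuth when a shared group ID is used, and a Dial-Up VPN tunnel policy). The dictionary layout and the sample addresses are assumptions.

```python
"""Pre-deployment consistency check for the SSG dialup-VPN settings this
article walks through.  Added for this page (not Juniper code); the field
names and sample values below are assumptions mirroring the WebUI pages."""
import ipaddress

# Constructed sample mirroring the article's settings; addresses are made up.
SAMPLE = {
    "trust_networks": ["10.1.1.0/24", "10.1.3.0/24"],   # corporate trusted side
    "ip_pool": ("10.1.2.1", "10.1.2.100"),              # XAuth IP pool range
    "routes": ["0.0.0.0/0", "10.1.2.0/24"],             # trust-vr static routes
    "phone_count": 25,
    "ike_user": {"ike_id": "vpnphone@avaya.com", "share_limit": 50},
    "gateway": {"mode": "aggressive", "nat_traversal": True,
                "xauth": True, "dialup_group": "vpnphone-grp"},
    "policy": {"source": "Dial-Up VPN", "action": "Tunnel", "vpn": "vpnphone-vpn"},
}

def check(cfg: dict) -> list:
    """Return a list of problems; an empty list means the settings are consistent."""
    problems = []
    start, end = (ipaddress.IPv4Address(a) for a in cfg["ip_pool"])
    if start > end:
        return ["ip pool start is after its end"]
    pool_nets = list(ipaddress.summarize_address_range(start, end))
    # The pool must not collide with addresses used on the trusted network.
    for net in map(ipaddress.IPv4Network, cfg["trust_networks"]):
        if any(p.overlaps(net) for p in pool_nets):
            problems.append(f"ip pool overlaps trusted network {net}")
    # A specific static route covering the pool is needed in trust-vr.
    routes = [ipaddress.IPv4Network(r) for r in cfg["routes"]]
    if not any(r.prefixlen > 0 and all(p.subnet_of(r) for p in pool_nets) for r in routes):
        problems.append("no specific route for the ip pool range")
    if not any(r.prefixlen == 0 for r in routes):
        problems.append("no default route")
    # The share limit must cover every phone using the single IKE identity.
    if cfg["ike_user"]["share_limit"] < cfg["phone_count"]:
        problems.append("ike share limit is below the number of phones")
    if "@" not in cfg["ike_user"]["ike_id"]:
        problems.append("ike id is not in email-address form")
    gw = cfg["gateway"]
    if gw["mode"] != "aggressive":
        problems.append("dialup gateway must use aggressive mode")
    if gw["dialup_group"] and not gw["xauth"]:
        problems.append("shared ike group id requires xauth")
    if cfg["policy"]["source"] != "Dial-Up VPN" or cfg["policy"]["action"] != "Tunnel":
        problems.append("policy must tunnel Dial-Up VPN traffic into the vpn")
    return problems
```

Run `check(SAMPLE)` before committing the WebUI changes; each returned string names a setting to revisit in the corresponding section above.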