Solved

Juniper SSG20 and Avaya Voip Phone

Posted on 2012-03-19
1,666 Views
Last Modified: 2012-05-17
Hi,

We have a Juniper SSG20 firewall, and I also have an Avaya IP500 unit behind this firewall. We have recruited someone to work from a remote office, and I want to give them an Avaya VoIP phone. Can someone tell me how to configure the Juniper and the Avaya phone so this works? I believe I need to create a VPN tunnel, but I am having no luck.
Question by: Ashvinv82
14 Comments
 
LVL 32

Expert Comment

by:dpk_wal
ID: 37741866
A user from the remote office can connect to your network through VPN [either remote or site-to-site] and then can use the IP500 as if directly connected to your network.

Please have a look below to configure/troubleshoot VPN:
http://kb.juniper.net/kb/documents/public/resolution_path/J_FW_VPN_Config_or_Trblsh.htm

Please implement and update.

Thank you.
0
 

Author Comment

by:Ashvinv82
ID: 37746611
I have followed that and am getting the following error.

Rejected an IKE packet on ethernet0/0 from x.x.x.x:23858 to x.x.x.x:500 with cookies 25fde5a775ec8d46 and 0000000000000000 because an initial Phase 1 packet arrived from an unrecognized peer gateway.

I am not sure what to do after this; the phone is now seeing the firewall, but the firewall will not allow this through.
0
 
LVL 32

Expert Comment

by:dpk_wal
ID: 37746618
The settings do not match. Please make sure that you have configured things like:
IP address
Mode - main mode or aggressive
correctly.

As you are using a remote VPN, use aggressive mode instead of main mode.

Please check and update. Also, update which client you are using and which method you are using for establishing the VPN tunnel [IPSec or L2TP over IPSec].

Thank you.
0
 

Author Comment

by:Ashvinv82
ID: 37746675
I have followed this guide all the way and I'm still getting that, so I am not sure where else to look and what to investigate.
0
 
LVL 32

Expert Comment

by:dpk_wal
ID: 37747269
Can you post the sanitized config from the SSG20 and, if possible, the client configuration?

Thank you.
0
 

Author Comment

by:Ashvinv82
ID: 37764663
How do I get the sanitized config for you?
0
 
LVL 32

Expert Comment

by:dpk_wal
ID: 37770944
You can use the CLI: get conf [by sanitized I mean remove all passwords, shared keys, user names, public IPs, etc.].
0
 

Author Comment

by:Ashvinv82
ID: 37775333
Here it is.

unset key protection enable
set clock ntp
set clock timezone 0
set clock dst recurring start-weekday 2 0 3 02:00 end-weekday 3 0 10 02:00
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set service "Secure Trading 6666" protocol tcp src-port 0-65535 dst-port 6666-6666
set service "Attix SSL" protocol tcp src-port 0-65535 dst-port 8443-8443
set service "Remote Desktop" protocol tcp src-port 0-65535 dst-port 3389-3389
set service "Allied T Pro to TSBS" protocol tcp src-port 0-65535 dst-port 11090-11090
set service "Yahoo Messenger" protocol tcp src-port 0-65535 dst-port 5010-5010
set service "MS Sql - 1433" protocol tcp src-port 0-65535 dst-port 1433-1433
set service "Blackberry ES" protocol tcp src-port 0-65535 dst-port 3101-3101
set service "Flame web mail access" protocol tcp src-port 0-65535 dst-port 2095-2095
set service "Avaya VCM" protocol udp src-port 0-65535 dst-port 1718-1718
set service "Avaya VCM" + udp src-port 0-65535 dst-port 1719-1719
set service "Avaya VCM" + udp src-port 0-65535 dst-port 1720-1720
set service "Avaya VCM" + tcp src-port 0-65535 dst-port 50802-50802
set service "Avaya VCM" + udp src-port 0-65535 dst-port 50795-50795
set service "Avaya VCM" timeout never
unset alg sip enable
unset alg mgcp enable
unset alg sccp enable
unset alg sunrpc enable
unset alg msrpc enable
unset alg xing enable
unset alg talk enable
unset alg sql enable
unset alg rtsp enable
unset alg rsh enable
unset alg real enable
unset alg appleichat enable
unset alg appleichat re-assembly enable
unset alg dns enable
unset alg http enable
unset alg h323 enable
unset alg sctp enable
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "admin"
set admin password "xxxxx"
set admin user "xxxxx" password "xxxxxxxxx" privilege "read-only"
set admin manager-ip 10.1.15.20
set admin manager-ip 10.1.14.62
set admin manager-ip 10.1.14.99
set admin manager-ip 10.1.14.202
set admin manager-ip 10.1.14.201
set admin manager-ip 10.1.15.62
set admin manager-ip 10.1.15.1
set admin manager-ip 10.1.20.62
set admin http redirect
set admin mail alert
set admin mail server-name "10.1.14.225"
set admin mail mail-addr1 "xxxxxxx"
set admin auth web timeout 0
set admin auth dial-in timeout 3
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone id 100 "DevLAN"
set zone "Untrust-Tun" vrouter "trust-vr"
unset zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
unset zone "V1-Trust" tcp-rst
unset zone "V1-Untrust" tcp-rst
set zone "DMZ" tcp-rst
unset zone "V1-DMZ" tcp-rst
unset zone "VLAN" tcp-rst
unset zone "DevLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet0/0" zone "Untrust"
set interface "ethernet0/1" zone "DMZ"
set interface "ethernet0/3" zone "Trust"
set interface "ethernet0/4" zone "DevLAN"
set interface "bgroup0" zone "Trust"
set interface "tunnel.1" zone "Untrust"
set interface "tunnel.2" zone "Untrust"
set interface "tunnel.3" zone "Untrust"
set interface "tunnel.4" zone "Trust"
set interface bgroup0 port ethernet0/2
unset interface vlan1 ip
set interface ethernet0/0 ip x.x.x.x/28
set interface ethernet0/0 route
set interface ethernet0/3 ip 10.1.15.1/24
set interface ethernet0/3 nat
set interface ethernet0/4 ip 10.1.30.1/24
set interface ethernet0/4 route
set interface bgroup0 ip 192.168.1.1/24
set interface bgroup0 route
set interface tunnel.1 ip unnumbered interface ethernet0/0
set interface tunnel.2 ip unnumbered interface ethernet0/3
set interface tunnel.3 ip unnumbered interface ethernet0/3
set interface tunnel.4 ip unnumbered interface ethernet0/0
set interface tunnel.1 mtu 1500
set interface tunnel.2 mtu 1500
set interface "ethernet0/3" pmtu ipv4
set interface "ethernet0/4" pmtu ipv4
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet0/0 ip manageable
set interface ethernet0/3 ip manageable
unset interface ethernet0/4 ip manageable
set interface bgroup0 ip manageable
set interface ethernet0/0 manage ping
set interface ethernet0/0 manage telnet
set interface ethernet0/0 manage snmp
set interface ethernet0/0 manage ssl
set interface ethernet0/0 manage web
set interface ethernet0/3 manage ident-reset
set interface ethernet0/4 manage ping
set interface ethernet0/4 manage ssh
set interface ethernet0/4 manage telnet
set interface ethernet0/4 manage snmp
set interface ethernet0/4 manage ssl
set interface ethernet0/4 manage web
set interface ethernet0/4 manage ident-reset
set interface bgroup0 manage mtrace
set interface "ethernet0/0" mip x.x.x.x host 10.1.15.100 netmask 255.255.255.255 vr "trust-vr"
set interface "serial0/0" modem settings "USR" init "AT&F"
set interface "serial0/0" modem settings "USR" active
set interface "serial0/0" modem speed 115200
set interface "serial0/0" modem retry 3
set interface "serial0/0" modem interval 10
set interface "serial0/0" modem idle-time 10
set flow tcp-mss
unset flow tcp-syn-check
unset flow tcp-syn-bit-check
set flow reverse-route clear-text prefer
set flow reverse-route tunnel always
set domain totalstay.com
set hostname ssg20Goth
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set dns host dns1 10.1.15.100 src-interface ethernet0/3
set dns host dns2 10.1.14.203 src-interface tunnel.2
set dns host dns3 195.67.199.27 src-interface ethernet0/0
set dns host schedule 06:28
set address "Trust" "10.1.15.19/32" 10.1.15.19 255.255.255.255
set address "Trust" "212.181.77.1" 212.181.77.1 255.255.255.255
set address "Trust" "Andreas PC" 10.1.15.19 255.255.255.255
set address "Trust" "Ash PC" 10.1.15.62 255.255.255.255
set address "Trust" "Avaya IP Goth" 10.1.15.120 255.255.255.255
set address "Trust" "GothLAN" 10.1.15.0 255.255.255.0
set address "Trust" "HPBS" 10.1.14.205 255.255.255.255
set address "Trust" "Internet NAT for VPN users" 10.1.15.0 255.255.255.0 "Internet NAT for VPN users"
set address "Trust" "Richard Davis PC" 10.1.14.99 255.255.255.255
set address "Trust" "Sofia PC" 10.1.15.25 255.255.255.255
set address "Trust" "TS Goth DC" 10.1.15.100 255.255.255.255
set address "Untrust" "10.1.20.0/24" 10.1.20.0 255.255.255.0
set address "Untrust" "69.63.184.11/32" 69.63.184.11 255.255.255.255
set address "Untrust" "77.99.61.4/24" 77.99.61.4 255.255.255.0
set address "Untrust" "87.86.238.221/32" 87.86.238.221 255.255.255.255
set address "Untrust" "Allied T Pro" 65.220.96.45 255.255.255.255 "TSBS gets data from here"
set address "Untrust" "Ash Home" 213.106.168.64 255.255.255.255
set address "Untrust" "Attix - Techgate 1" 217.161.12.36 255.255.255.255
set address "Untrust" "Attix - Techgate 2" 217.161.12.15 255.255.255.255
set address "Untrust" "Attix - Techgate 3" 217.161.12.39 255.255.255.255
set address "Untrust" "Attix - Techgate 4" 217.161.12.27 255.255.255.255
set address "Untrust" "Attix Server Global List" 217.12.161.1 255.255.255.128 "Attix Server Global List"
set address "Untrust" "Avaya IP Lon" 10.1.14.120 255.255.255.255
set address "Untrust" "Blackberry ES" 193.109.81.33 255.255.255.255 "Blackberry ES"
set address "Untrust" "Call Master" 10.1.14.74 255.255.255.255 "Call Master"
set address "Untrust" "Cluj LAN" 10.1.27.0 255.255.255.0
set address "Untrust" "Cluster3.eu.messagelabs.com" 194.106.220.67 255.255.255.255
set address "Untrust" "cluster3.mailwallremote.com" 92.48.99.31 255.255.255.255
set address "Untrust" "cluster4.mailwallremote.com" 92.48.99.18 255.255.255.255
set address "Untrust" "DEVLAN" 10.1.10.0 255.255.255.0
set group address "Trust" "IT Support Group"
set group address "Trust" "IT Support Group" add "Ash PC"
set group address "Trust" "IT Support Group" add "Richard Davis PC"
set group address "Untrust" "Attix - Techgate"
set group address "Untrust" "Attix - Techgate" add "Attix - Techgate 1"
set group address "Untrust" "Attix - Techgate" add "Attix - Techgate 2"
set group address "Untrust" "Attix - Techgate" add "Attix - Techgate 3"
set group address "Untrust" "Attix - Techgate" add "Attix - Techgate 4"
set group address "Untrust" "Mail Wall Servers"
set group address "Untrust" "Mail Wall Servers" add "cluster3.mailwallremote.com"
set group address "Untrust" "Mail Wall Servers" add "cluster4.mailwallremote.com"
set group address "Untrust" "Mail Wall Servers" add "Mailwall 1"
set group address "Untrust" "Mail Wall Servers" add "Mailwall 10"
set group address "Untrust" "Mail Wall Servers" add "Mailwall 11"
set group address "Untrust" "Mail Wall Servers" add "Mailwall 12"
set group address "Untrust" "Mail Wall Servers" add "Mailwall 13"
set group address "Untrust" "Mail Wall Servers" add "Mailwall 14"
set group address "Untrust" "Mail Wall Servers" add "Mailwall 15"
set group address "Untrust" "Mail Wall Servers" add "Mailwall 16"
set group address "Untrust" "Mail Wall Servers" add "Mailwall 2"
set group address "Untrust" "Mail Wall Servers" add "Mailwall 3"
set group address "Untrust" "Mail Wall Servers" add "Mailwall 4"
set group address "Untrust" "Mail Wall Servers" add "Mailwall 5"
set group address "Untrust" "Mail Wall Servers" add "Mailwall 6"
set group address "Untrust" "Mail Wall Servers" add "Mailwall 7"
set group address "Untrust" "Mail Wall Servers" add "Mailwall 8"
set group address "Untrust" "Mail Wall Servers" add "Mailwall 9"
set group address "Untrust" "Mail Wall Servers" add "Mailwall Range 1"
set group address "Untrust" "Mail Wall Servers" add "Mailwall Range 2"
set group address "Untrust" "Message Labs Servers Group"
set group address "Untrust" "Message Labs Servers Group" add "Cluster3.eu.messagelabs.com"
set group address "Untrust" "Message Labs Servers Group" add "Message Labs 1"
set group address "Untrust" "Message Labs Servers Group" add "Message Labs 10"
set group address "Untrust" "Message Labs Servers Group" add "Message Labs 11"
set group address "Untrust" "Message Labs Servers Group" add "Message Labs 12"
set group address "Untrust" "Message Labs Servers Group" add "Message Labs 13"
set group address "Untrust" "Message Labs Servers Group" add "Message Labs 14"
set group address "Untrust" "Message Labs Servers Group" add "Message Labs 15"
set group address "Untrust" "Message Labs Servers Group" add "Message Labs 16"
set group address "Untrust" "Message Labs Servers Group" add "Message Labs 17"
set group address "Untrust" "Message Labs Servers Group" add "Message Labs 18"
set group address "Untrust" "Message Labs Servers Group" add "Message Labs 19"
set group address "Untrust" "Message Labs Servers Group" add "Message Labs 2"
set group address "Untrust" "Message Labs Servers Group" add "Message Labs 3"
set group address "Untrust" "Message Labs Servers Group" add "Message Labs 4"
set group address "Untrust" "Message Labs Servers Group" add "Message Labs 5"
set group address "Untrust" "Message Labs Servers Group" add "Message Labs 7"
set group address "Untrust" "Message Labs Servers Group" add "Message Labs 8"
set group address "Untrust" "Message Labs Servers Group" add "Message Labs Cluster3a"
set group address "Untrust" "Message Labs Servers Group" add "Message Labs Global"
set group address "Untrust" "Message Labs Servers Group" add "Message Labs Swmgmnt"
set group address "Untrust" "Message Labs Servers Group" add "Message Labs x"
set group address "Untrust" "Secure Trading"
set group address "Untrust" "Secure Trading" add "Secure Trading 1"
set group address "Untrust" "Secure Trading" add "Secure Trading 2"
set group address "Untrust" "Secure Trading" add "Secure Trading 3"
set group address "Untrust" "Softwire External Interces" comment "Used to VPN to us"
set group address "Untrust" "Softwire External Interces" add "Softwire External Int back-up"
set group address "Untrust" "Softwire External Interces" add "Softwire External Interface"
set group address "Untrust" "Softwire External Interces" add "Softwire Internal int back-up"
set group address "Untrust" "Titan VPN Group"
set group address "Untrust" "Titan VPN Group" add "Titan VPN - Redbus"
set group address "Untrust" "Titan VPN Group" add "Titan VPN - Telehouse"
set ippool "RemoteUserIP" 50.50.100.1 50.50.100.100
set ippool "VPNremote Phone" 10.10.10.1 10.10.10.254
set user "jane" uid 1
set user "jane" ike-id u-fqdn "xxxxxxxx" share-limit 25
set user "jane" type ike
set user "jane" password "xxxxxxx"
unset user "jane" type auth
set user "jane" "enable"
set user "vpnphone-ike" uid 2
set user "vpnphone-ike" ike-id u-fqdn "xxxxxxxx" share-limit 25
set user "vpnphone-ike" type ike
set user "vpnphone-ike" password "xxxxxxxxx"
unset user "vpnphone-ike" type auth
set user "vpnphone-ike" "enable"
set user "vpnuser" uid 3
set user "vpnuser" type xauth
set user "vpnuser" password "xxxxxxxxx"
unset user "vpnuser" type auth
set user "vpnuser" "enable"
set user-group "netscreen-remote-grp" id 5
set user-group "netscreen-remote-grp" user "jane"
set user-group "remoteuser-grp" id 3
set user-group "remoteuser-grp" user "vpnuser"
set user-group "vpnphone-grp" id 2
set user-group "vpnphone-grp" user "vpnphone-ike"
set crypto-policy
exit
set ike gateway "Totalstay" address x.x.x.x Main outgoing-interface "ethernet0/0" preshare "xxxxxxxxxxx" proposal "pre-g2-3des-sha"
set ike gateway "TSGothRomania" address x.x.x.x Main outgoing-interface "ethernet0/0" preshare "xxxxxxx" proposal "pre-g2-3des-sha"
set ike gateway "TSCluj" address x.x.x.x Main outgoing-interface "ethernet0/0" preshare "xxxxxxxx" proposal "pre-g2-3des-sha"
set ike gateway "vpnphone-gw" dialup "vpnphone-grp" Aggr outgoing-interface "ethernet0/0" preshare "xxxxxxxxx" proposal "pre-g2-3des-md5"
unset ike gateway "vpnphone-gw" nat-traversal udp-checksum
set ike gateway "vpnphone-gw" nat-traversal keepalive-frequency 5
set ike gateway "vpnphone-gw" xauth server "Local" user-group "remoteuser-grp"
set ike gateway "vpnphone-gw" xauth server auth-method chap
unset ike gateway "vpnphone-gw" xauth do-edipi-auth
set ike gateway "netscreenremote-gw" dialup "netscreen-remote-grp" Aggr outgoing-interface "ethernet0/0" preshare "xxxxxxxxxx" proposal "pre-g2-3des-md5"
unset ike gateway "netscreenremote-gw" nat-traversal udp-checksum
set ike gateway "netscreenremote-gw" nat-traversal keepalive-frequency 5
set ike gateway "netscreenremote-gw" xauth server "Local" user-group "remoteuser-grp"
unset ike gateway "netscreenremote-gw" xauth do-edipi-auth
set ike respond-bad-spi 1
set ike soft-lifetime-buffer 80
set ike ikev2 ike-sa-soft-lifetime 60
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set xauth default ippool "VPNremote Phone"
set xauth default dns1 10.1.15.100
set xauth default dns2 10.1.14.203
set vpn "TotalstaySiteVPN" gateway "xxxxxxxx" no-replay tunnel idletime 0 proposal "g2-esp-3des-sha"
set vpn "TotalstaySiteVPN" monitor optimized rekey
set vpn "TotalstaySiteVPN" id 0x2 bind interface tunnel.2
set vpn "RomaniaVPN" gateway "xxxxxxx" no-replay tunnel idletime 0 proposal "g2-esp-3des-sha"
set vpn "RomaniaVPN" monitor optimized rekey
set vpn "RomaniaVPN" id 0x3 bind interface tunnel.1
set vpn "TSClujVPN" gateway "TSCluj" no-replay tunnel idletime 0 proposal "g2-esp-3des-sha"
set vpn "TSClujVPN" monitor optimized rekey
set vpn "TSClujVPN" id 0x4 bind interface tunnel.3
set vpn "vpnphone-vpn" gateway "vpnphone-gw" replay tunnel idletime 0 proposal "g2-esp-aes128-sha"
set vpn "vpnphone-vpn" monitor
set vpn "netscreen-remote-vpn" gateway "netscreenremote-gw" replay tunnel idletime 0 proposal "g2-esp-aes128-sha"
set vpn "netscreen-remote-vpn" monitor
unset interface tunnel.3 acvpn-dynamic-routing
set l2tp default dns1 10.1.15.100
set l2tp default dns2 10.1.14.203
set l2tp default ippool "RemoteUserIP"
set url protocol websense
unset deny-message use-server
set server src-interface ethernet0/3
exit
set vpn "TotalstaySiteVPN" proxy-id local-ip 10.1.15.0/24 remote-ip 10.1.14.0/24 "ANY"
set vpn "RomaniaVPN" proxy-id local-ip 10.1.15.0/24 remote-ip 10.1.20.0/24 "ANY"
set policy id 89 from "Trust" to "Untrust"  "Avaya IP Goth" "Avaya IP Lon" "Avaya VCM" permit log traffic priority 0
set policy id 89
exit
set policy id 94 from "Trust" to "Untrust"  "TS Goth DC" "Any" "ANY" permit log
set policy id 94
exit
set policy id 97 from "Trust" to "Untrust"  "GothLAN" "Cluj LAN" "ANY" permit log
set policy id 97
exit
set policy id 92 from "Trust" to "Untrust"  "GothLAN" "10.1.20.0/24" "ANY" permit log
set policy id 92
exit
set policy id 76 from "Trust" to "Untrust"  "GothLAN" "TotalstayLAN" "ANY" permit log
set policy id 76
exit
set policy id 91 from "Trust" to "Untrust"  "Andreas PC" "Any" "ANY" permit
set policy id 91
exit
set policy id 2 name "Internet Access" from "Trust" to "Untrust"  "GothLAN" "Any" "DNS" permit log
set policy id 2
set service "FTP"
set service "HTTP"
set service "HTTP-EXT"
set service "HTTPS"
set service "PING"
exit
set policy id 79 from "Untrust" to "Trust"  "TotalstayLAN" "GothLAN" "ANY" permit log
set policy id 79
exit
set policy id 93 from "Untrust" to "Trust"  "10.1.20.0/24" "GothLAN" "ANY" permit log
set policy id 93
exit
set policy id 86 from "Trust" to "Untrust"  "GothLAN" "x.x.x.x" "ANY" permit
set policy id 86
set dst-address "DEVLAN"
exit
set policy id 87 from "Trust" to "Untrust"  "x.x.x.x" "x.x.x.x" "ANY" permit
set policy id 87
exit
set policy id 88 from "Untrust" to "Trust"  "x.x.x.x" "x.x.x.x" "ANY" permit
set policy id 88
exit
set policy id 90 from "Untrust" to "Trust"  "Avaya IP Lon" "Avaya IP Goth" "Avaya VCM" permit log
set policy id 90
exit
set policy id 95 from "Untrust" to "Trust"  "Attix - Techgate" "TS Goth DC" "Attix SSL" permit log
set policy id 95
exit
set policy id 96 from "DevLAN" to "Untrust"  "Any" "Any" "ANY" nat src permit log
set policy id 96
exit
set policy id 98 from "Untrust" to "Trust"  "Cluj LAN" "GothLAN" "ANY" permit log
set policy id 98
exit
set policy id 99 name "VPNPhones" from "Untrust" to "Trust"  "Dial-Up VPN" "Any" "ANY" tunnel vpn "netscreen-remote-vpn" id 0x6 pair-policy 100 log
set policy id 99
exit
set policy id 100 name "VPNPhones" from "Trust" to "Untrust"  "Any" "Dial-Up VPN" "ANY" tunnel vpn "netscreen-remote-vpn" id 0x6 pair-policy 99 log
set policy id 100
exit
set policy id 101 name "VPNPhones" from "Untrust" to "Trust"  "Dial-Up VPN" "Any" "ANY" tunnel vpn "vpnphone-vpn" id 0x7 pair-policy 102 log
set policy id 101
exit
set policy id 102 name "VPNPhones" from "Trust" to "Untrust"  "Any" "Dial-Up VPN" "ANY" tunnel vpn "vpnphone-vpn" id 0x7 pair-policy 101 log
set policy id 102
exit
set log module system level emergency destination console
set log module system level alert destination console
set log module system level critical destination console
set log module system level error destination console
set log module system level warning destination console
set log module system level notification destination console
set log module system level information destination console
set log module system level debugging destination console
set log module system level error destination webtrends
set log module system level warning destination webtrends
set log module system level information destination webtrends
set log module system level debugging destination webtrends
set firewall log-self
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set config lock timeout 5
unset license-key auto-update
set telnet client enable
set ntp server "10.1.15.100"
set ntp server src-interface "ethernet0/3"
set snmp port listen 161
set snmp port trap 162
set snmpv3 local-engine id "0164022008000342"
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
set route 10.1.14.0/24 interface tunnel.2
set route 10.1.20.0/24 interface tunnel.1 permanent
set route 0.0.0.0/0 interface ethernet0/0 gateway 212.181.77.1 permanent
set route 10.1.11.0/24 interface tunnel.2 preference 20 permanent
set route 10.1.27.0/24 interface tunnel.3 permanent
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
0
 
LVL 32

Accepted Solution

by:
dpk_wal earned 500 total points
ID: 37777649
Issue the following CLI:

Replace xxxxxx with appropriate values.

unset user "vpnphone-ike"
set user "vpnphone-ike" ike-id u-fqdn "xxxxxxxx" share-limit 1
set user "vpnphone-ike" type ike
set user "vpnphone-ike" "enable"
set user-group "vpnphone-grp"
set user-group "vpnphone-grp" user "vpnphone-ike"
unset ike gateway "vpnphone-gw"
set ike gateway "vpnphone-gw" dialup "vpnphone-grp" Aggr outgoing-interface "ethernet0/0" preshare "xxxxxxxxx" proposal "pre-g2-3des-sha"
unset vpn "vpnphone-vpn"
set vpn "vpnphone-vpn" gateway "vpnphone-gw" no-replay tunnel idletime 0 proposal "g2-esp-3des-sha"
unset policy 101
unset policy 102
set policy id 101 name "VPNPhones" from "Untrust" to "Trust"  "Dial-Up VPN" "GothLAN" "ANY" tunnel vpn "vpnphone-vpn"
save

Follow the instructions to configure the NetScreen-Remote client:
kb.juniper.net/KB22075

If the problem persists, post sanitized screenshots of your VPN client configuration.

Thank you.
0
 

Author Comment

by:Ashvinv82
ID: 37777695
Will try that and see if that makes a difference.
0
 

Author Comment

by:Ashvinv82
ID: 37780547
This is the error I'm getting on the phone itself, and the settings on the phone are below.

Here is a list of the current settings on the Avaya VPN phone:-

Server = x.x.x.x
Username = vpnphone-ike
Password = t0talstay
Group name = vpnphone-grp
Group PSK = t0talStay
VPN Starter Mode = BOOT
Password type = Save in Flash
Encapsulation = 4500 – 4500
Syslog = Blank / No setting
IKE Parameters = DH2 – ANY – ANY
IPSEC Parameters = NOPFS – ANY – ANY
Protected Nets = Blank / No Settings
Copy TOS = No
File Srvr = Blank / No Settings
Connectivity Check = Never
QTest = Disable

Profile = Juniper Xauth with PSK
_ _ _ _ _ _ _ _ _

The phone reports the following errors when trying to connect:-

Error 1/2
IKE Phase1 no response
Error code = 3997700:0
Module = IKMPD:142

Error 2/2
IKE Phase1 no response
Error code = 3997700:0
Module = IKCFG:459
0
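Added example (not from the thread, Juniper or Avaya): a Python checker that parses the `set user`, `user-group`, `ike gateway`, `vpn` and `policy` lines of a ScreenOS `get config` dump and walks the dial-up chain the accepted answer rebuilds, flagging the kinds of inconsistency behind an "unrecognized peer gateway" rejection (gateway not in aggressive mode, dial-up group without IKE users, VPN with no tunnel policy) and comparing the gateway's proposals with the phone's IKE/IPsec parameters listed above. The sample config lines, the u-fqdn and the pre-shared key are constructed placeholders; the phone parameters are the thread's DH2/ANY/ANY and NOPFS/ANY/ANY.

```python
import shlex
from collections import defaultdict

# Constructed sample: the dial-up chain from the posted config before the fix.
# The u-fqdn and pre-shared key are placeholders, not values from the thread.
SAMPLE_CONFIG = """
set user "vpnphone-ike" ike-id u-fqdn "phone.example.invalid" share-limit 25
set user "vpnphone-ike" type ike
set user-group "vpnphone-grp" user "vpnphone-ike"
set ike gateway "vpnphone-gw" dialup "vpnphone-grp" Aggr outgoing-interface "ethernet0/0" preshare "PLACEHOLDER" proposal "pre-g2-3des-md5"
set vpn "vpnphone-vpn" gateway "vpnphone-gw" replay tunnel idletime 0 proposal "g2-esp-aes128-sha"
set policy id 101 name "VPNPhones" from "Untrust" to "Trust"  "Dial-Up VPN" "Any" "ANY" tunnel vpn "vpnphone-vpn" id 0x7 pair-policy 102 log
"""

# Phone settings from the thread in ScreenOS proposal vocabulary: IKE "DH2 - ANY - ANY",
# IPsec "NOPFS - ANY - ANY"; "any" means the phone accepts whatever the gateway proposes.
PHONE = {"ike_dh": "g2", "ike_enc": "any", "ike_hash": "any",
         "pfs": "nopfs", "esp_enc": "any", "esp_auth": "any"}


def after(tok, key, n=1):  # token n positions after keyword `key` in a tokenised line
    return tok[tok.index(key) + n]


def parse_config(text):
    """Collect users, user-groups, IKE gateways, VPNs and tunnel policies from a dump."""
    users, groups, gateways, vpns, policies = {}, defaultdict(list), {}, {}, {}
    for raw in text.splitlines():
        tok = shlex.split(raw)  # honours the quoted names ScreenOS uses
        if len(tok) < 4 or tok[0] != "set":
            continue
        if tok[1] == "user":
            u = users.setdefault(tok[2], {})
            if "type" in tok:
                u["type"] = after(tok, "type")
            if "ike-id" in tok:
                u["ike_id"] = (after(tok, "ike-id"), after(tok, "ike-id", 2))
        elif tok[1] == "user-group" and tok[3] == "user":
            groups[tok[2]].append(tok[4])
        elif tok[1:3] == ["ike", "gateway"] and "proposal" in tok:
            kind = "dialup" if "dialup" in tok else "address"  # dial-up group or static peer
            gateways[tok[3]] = {"kind": kind, "peer": after(tok, kind), "mode": after(tok, kind, 2),
                                "proposal": after(tok, "proposal")}
        elif tok[1] == "vpn" and "gateway" in tok and "proposal" in tok:
            vpns[tok[2]] = {"gateway": after(tok, "gateway"), "proposal": after(tok, "proposal")}
        elif tok[1] == "policy" and "tunnel" in tok and "vpn" in tok:
            policies[after(tok, "id")] = {"vpn": after(tok, "vpn"), "dst": after(tok, "to", 3)}
    return users, groups, gateways, vpns, policies


def check_dialup_chain(config_text, gateway_name, phone):
    """Follow policy -> vpn -> gateway -> user-group -> user; return mismatches (empty = consistent)."""
    users, groups, gateways, vpns, policies = parse_config(config_text)
    gw = gateways.get(gateway_name)
    if gw is None or gw["kind"] != "dialup":
        return [f"{gateway_name!r} is not a configured dial-up IKE gateway"]
    out = []
    if gw["mode"] != "Aggr":  # peers with dynamic addresses must use aggressive mode
        out.append(f"{gateway_name}: {gw['mode']} mode; dial-up peers need Aggr")
    _, dh, enc, hsh = gw["proposal"].split("-")  # e.g. pre-g2-3des-md5
    for label, want, have in (("DH", phone["ike_dh"], dh), ("enc", phone["ike_enc"], enc),
                              ("hash", phone["ike_hash"], hsh)):
        if want not in ("any", have):
            out.append(f"phase 1 {label} {have} != phone {want}")
    members = groups.get(gw["peer"], [])
    if not members:
        out.append(f"dial-up group {gw['peer']!r} has no users; every peer is unrecognised")
    for m in members:
        u = users.get(m, {})
        if u.get("type") != "ike" or "ike_id" not in u:
            out.append(f"user {m!r} needs 'type ike' and an ike-id to be recognised")
    bound = [(n, v) for n, v in vpns.items() if v["gateway"] == gateway_name]
    if not bound:
        out.append(f"no VPN object references gateway {gateway_name!r}")
    for name, v in bound:
        pfs, _, enc, auth = v["proposal"].split("-")  # e.g. g2-esp-aes128-sha (g2 = PFS group 2)
        for label, want, have in (("PFS", phone["pfs"], pfs), ("enc", phone["esp_enc"], enc),
                                  ("auth", phone["esp_auth"], auth)):
            if want not in ("any", have):
                out.append(f"{name}: phase 2 {label} {have} != phone {want}")
        if not any(p["vpn"] == name for p in policies.values()):
            out.append(f"{name}: no tunnel policy references this VPN")
    return out
```

On the sample as posted the only finding is the Phase 2 PFS mismatch (proposal group g2 against the phone's NOPFS); a fully consistent chain returns an empty list.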
 
LVL 32

Expert Comment

by:dpk_wal
ID: 37781250
The Avaya phone would not initiate a VPN tunnel to the SSG20. I thought the user is a remote user and you are using the NetScreen-Remote VPN client.

Take the Avaya phone out of the picture for now; first get the remote VPN to connect successfully to the SSG.

Once the VPN is successful, hook the Avaya up like a normal device behind the SSG and we can look at access and other details.

Thank you.
0
 

Author Comment

by:Ashvinv82
ID: 37785933
OK, I will try this. Is there another client I can use other than NetScreen?
0
 
LVL 32

Expert Comment

by:dpk_wal
ID: 37786320
On the same link they have used the Shrew Soft client. You can use any other client, but I would not be able to help with the configuration of that client.
0
