July 2017
8AL90345ENAA Ed. 04
Legal notice
The information presented is subject to change without notice.
ALE International assumes no responsibility for inaccuracies contained herein.
Copyright © ALE International, 2017
Disclaimer
While efforts were made to verify the completeness and accuracy of the information contained in this
documentation, this document is provided “as is”. To get more accurate content concerning Cross
Compatibilities, Product Limits, Software Policy and Feature Lists, please refer to the accurate
documents published on the Business Partner Web Site.
In the interest of continued product development, ALE International reserves the right to make
improvements to this documentation and the products it describes at any time, without notice or
obligation.
The CE mark indicates that this product conforms to the following Council Directives:
• 2014/53/EU for radio equipment
• 2014/35/EU and 2014/30/EU for non-radio equipment (including wired Telecom Terminal Equipment)
• 2014/34/EU for ATEX equipment
• 2011/65/EU (RoHS)
Table of contents
IPsec VPN Deployment Guide for Remote Workers for DeskPhones and Premium DeskPhones s Serie
1 General ... 7
1.1 Overview ... 7
1.2 Services provided ... 7
1.3 Terminology ... 8
1.3.1 Glossary ... 8
1.3.2 Graphical conventions ... 8
2 Architecture ... 9
3 Description ... 10
3.1 Basic Description ... 10
3.2 Technical Description ... 10
3.2.1 On Corporate LAN ... 10
3.2.2 On remote worker LAN ... 12
3.2.3 Emergency calls ... 12
3.3 Configuration in a nutshell ... 13
10 Appendix ... 64
10.1 ALE IP phones VPN configuration (without PIN code solution) ... 64
10.1.1 VPN configuration removal on phones ... 65
10.1.2 Communication systems ... 65
10.1.3 Fortigate VPN server ... 65
10.2 IPSec VPN and Thales feature ... 65
10.3 Prompt Info of phone ... 65
8AL90345ENAA Ed. 04 - July 2017 - IPsec VPN Deployment Guide for Remote Workers for DeskPhones and Premium DeskPhones s Serie
3/66
Chapter 1 General
This document presents the IPsec VPN deployment guide / reference design to be used for ALE
communication systems with IP phones (OXE R12 MD1/MD2, OXO Connect 2.1, OTEC 2.3) supporting
the remote worker feature with ALE IP phones.
1.1 Overview
The IPsec remote worker solution is based on a VPN that allows secure communications between the
communication systems and the remote workers.
This document is the reference design for the VPN implementation on the VPN server and ALE IP
phones.
The document is split into three parts:
- A general architecture presentation, showing the principles of the deployment of the solution, which is
agnostic to the communication server or VPN server type. It is a typical infrastructure, from which the
real case can be deduced.
- A practical configuration guide, done for different VPN servers (not intended to be exhaustive), and for
the phones.
- A troubleshooting guide.
The remote worker feature is introduced with OXO Connect R 2.1, but there is no dependency on the
communication system.
1.3 Terminology
1.3.1 Glossary
DH : Diffie-Hellman. Key exchange method
DMZ : Demilitarized zone
DNAT : Destination NAT
ESP : Encapsulating Security Payload
IKE : Internet Key Exchange
IPsec : Internet Protocol Security
NAT : Network Address Translation
NAPT : Also PAT, NATP, Masquerading, Overloading. Many-to-one NAT based on outgoing port.
NAT-T : NAT Traversal, UDP encapsulation of IPsec packets
PSK : Pre-shared key
RSC : Remote Service Center
SNAT : Source NAT
UDP : User Datagram Protocol
VPN : Virtual Private Network
1.3.2 Graphical conventions
[Figure legend: symbols used in the figures for Access gateway, IP Router, Communication system, VPN server, Workstation and Firewall]
Chapter 2 Architecture
[Figure: architecture. Remote worker 1 (VPN client behind an access router/box), INTERNET, corporate LAN (access router + firewall, VPN server, OXO communication system), a second remote worker (VPN client behind an access router/box with port forwarding)]
- The VPN tunnels are established between the VPN server and the remote workers' phones. There are as
many tunnels as remote workers connected to the communication system.
- Remote workers are always communication system users; it is not possible to connect external users
via VPN.
- A tunnel can be used by only one remote worker. If several remote workers are connected to a single
LAN on the same physical premises, each remote worker has his own VPN.
- A workstation connected to the PC connector of the phone only has access to the remote worker's LAN;
workstation IP traffic is never tunneled.
- IP traffic between two distinct remote workers: both remote worker phones have a NOE signaling link
established with the communication system in the corporate LAN. VoIP media traffic between two
remote workers is not managed by the communication system. The VPN gateway forwards media traffic
directly from one VPN to the other, and must be configured to do so.
Chapter 3 Description
The VPN configuration asks for PSK, User login and User Password.
These are defined by the VPN server administrator, but must be entered through the phone’s keyboard,
which leads to limitations.
Here are the available characters, depending on the phone model (with or without mini keyboard), and the
field to be entered:
3.2.1.4 Router
A specific routing policy is required in order to route all IP traffic between the corporate LAN and the
remote workers. This routing policy allows a remote worker device to reach all IP devices connected to the
LAN and vice versa. Specific routes must therefore be set up on all LAN routers to force remote worker IP
traffic to be forwarded by the VPN server on the corporate LAN, in order to reach the communication system
or any other ALE IP phone.
All remote IP phones get an IP address from the VPN server. These addresses are configured as a range
of IP addresses (usually a dedicated IP subnet in corporate LAN). This subnet must be routed to VPN
server in corporate LAN.
Corporate LAN VPN IP traffic routing policy:
- A default router must be specified in the communication system, so that all VPN IP traffic (destination
IP address inside the VPN IP range) is sent to the default router.
- A specific route must be set up on the default router to forward VPN IP traffic to the VPN server.
- The VPN server automatically forwards IP traffic to the corresponding VPN tunnel based on the destination
IP address.
Configuring the routing policy can be more complex when the communication system and the ALE IP phones
are connected to several IP subnets on the corporate LAN. The routing policy must then be configured on
each router. Activating dynamic IP routing can also be an alternative.
An alternative solution for a basic network topology could be to use the VPN gateway as the communication
system's default gateway. However, this is not recommended since the VPN gateway would then have to route
all non-local communication system IP traffic.
3.3 Configuration in a nutshell
The following addresses used in the figure are EXAMPLES.
Global topology (figure; the labels below are those recovered from the diagram):
- Corporate LAN: OXO communication system 172.25.17.210, router 172.25.17.209, VPN server / firewall 172.25.17.211 (LAN side) and 10.0.0.1 (WAN side), a further LAN address 172.25.17.212, corporate access router with public IP 82.125.10.46.
- Router: add route 10.100.1.0/255.255.255.0 to 172.25.17.211.
- Corporate access router: port forwarding of ports 500 & 4500 to 10.0.0.1.
- Remote worker: access router/box with public IP 83.100.1.10 and LAN address 192.168.0.1; PHONE 1 with local address 192.168.0.100 (DHCP preferred) and virtual address 10.100.1.1. Note on the figure: "Different sub-network!"
- Virtual addresses required (VPN): Phone1 10.100.1.1, Phone2 10.100.1.2, Phone3 …
- Manual entry on the phone: VPN server address 82.125.10.46, Communication Server TFTP address 172.25.17.210, PSK, Login, Password (credentials declared in the VPN server).
The deployment must be done in order to avoid any change in the remote worker's access router settings.
In consequence, the virtual addresses defined in the VPN server for the phones must avoid the common ones
used in the home access routers or boxes.
On the home worker side, it is recommended to use dynamic IP address settings, which is much simpler for the end user. Phones coming out of the box are
configured to get their IP address through DHCP, so the installation is straightforward.
A static IP is also possible from the phone perspective. In this case, select a free IP address for the static IP. This IP address must not be included in the IP address range
allocated by DHCP.
[Figure: INCOMING PACKETS ROUTE. Corporate LAN with OXO 172.25.17.210; remote worker with Box/Router and PHONE 1; VPN, Signaling and Media flows]
[Figure: OUTGOING PACKETS ROUTE. Corporate LAN with OXO 172.25.17.210 and 172.25.17.212; packet to 10.100.1.1; remote worker with Box/Router and PHONE 1; VPN, Signaling and Media flows]
The outgoing packets have a destination address out of the LAN, so they are sent to the default gateway (router) which sends them to the VPN server address
(here 172.25.17.211).
For OmniPCX Enterprise: use menu 8 (‘Routing’) from the netadmin -m command
Chapter 5 VPN server configuration
It is not possible to give an exhaustive description of the configuration of many models and brands of VPN
servers. Even within one brand, different models may have different syntaxes.
Based on the previous architectural description, the required configuration steps for some VPN servers
are described in this section.
The security parameter values authorized on the VPN server, matching the phone capabilities, are:
- Phase 1 encryption algorithm: aes256.
5.2.1 Limits
For information, one of the VPN gateways used for this reference design (Fortigate 60D) can handle up to
500 client-to-gateway IPSec tunnels. No action is needed here.
5.2.2 Internationalization/localization
The country where the VPN server and the client are deployed might impose some restrictions on the
cipher used (algorithm, key length).
Chapter 6 Step by step example: Fortigate 30E
6.1 Characteristics
Fortigate VPN server hardware: Fortigate 30E
This reference design applies to the firmware FortiOS 5.4.5.
You can now connect to the Web Based Management (WBM) using a web browser (for example: Firefox
or Chrome) and entering the following URL: https://172.25.17.211/ (Fortigate LAN IP address)
1: Enter the VPN user name and password and click Next
Click Create
1: Enter the IPsec tunnel name
2: Select Custom, and Next
2: In the Diffie-Hellman Groups field, select the following check boxes: 5, 14, and 16
3: Phase 1 SA Key Lifetime must be set longer than 1.5 hours (example: 3H)
Due to an implementation constraint of the IPsec client on the terminal side, the Phase 1 SA Key Lifetime
must be set longer than 1.5 hours.
Attention: if the key lifetime is misconfigured on the Fortigate server, the tunnel will suffer periodic
connection loss.
Due to an implementation constraint of the IPsec client on the terminal side, the Phase 2 SA Key Lifetime
must be set longer than 0.5 hour.
Attention: if the key lifetime is misconfigured on the Fortigate server, the tunnel will suffer periodic
connection loss.
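As an added example (not part of this guide, nor ALE or Fortinet tooling), the following Python check lints a FortiOS phase 1 / phase 2 snippet against the phone-side constraints given above: aes256 for phase 1, DH groups 5, 14 and 16 offered, a phase 1 lifetime above 1.5 hours and a phase 2 lifetime above 0.5 hour. The two sample configurations are constructed, and the option names proposal, dhgrp, keylife and keylifeseconds are assumed to mirror the FortiOS CLI.

```python
"""Lint FortiOS IKE phase 1 / phase 2 settings against the phone constraints
stated in this guide: phase 1 encryption aes256, DH groups 5, 14 and 16
offered, phase 1 SA lifetime longer than 1.5 h, phase 2 SA lifetime longer
than 0.5 h. Lifetimes at or below these limits show up as periodic tunnel
loss on the remote phones. Constructed example, not ALE or Fortinet code."""
import shlex

PHASE1_MIN_LIFETIME_S = int(1.5 * 3600)   # 5400 s, must be exceeded
PHASE2_MIN_LIFETIME_S = int(0.5 * 3600)   # 1800 s, must be exceeded
REQUIRED_DH_GROUPS = {5, 14, 16}
REQUIRED_PHASE1_CIPHER = "aes256"

# Constructed sample with typical mistakes: aes128, DH group 5 only,
# 1 h phase 1 lifetime and 10 min phase 2 lifetime.
WEAK_CONFIG = """
config vpn ipsec phase1-interface
    edit "oxovpn"
        set proposal aes128-sha1
        set dhgrp 5
        set keylife 3600
    next
end
config vpn ipsec phase2-interface
    edit "oxovpn"
        set keylifeseconds 600
    next
end
"""
# Constructed sample following the guide (3 h phase 1, 1 h phase 2).
GOOD_CONFIG = """
config vpn ipsec phase1-interface
    edit "oxovpn"
        set proposal aes256-sha256
        set dhgrp 5 14 16
        set keylife 10800
    next
end
config vpn ipsec phase2-interface
    edit "oxovpn"
        set keylifeseconds 3600
    next
end
"""


def parse_fortios(text):
    """Parse 'config / edit / set / next / end' blocks into
    {"phase1": {name: {option: [values]}}, "phase2": {...}}; sections other
    than phase1-interface and phase2-interface are skipped."""
    parsed = {"phase1": {}, "phase2": {}}
    section = current = None
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if not tokens:
            continue
        if tokens[0] == "config":
            section = ("phase1" if "phase1-interface" in tokens else
                       "phase2" if "phase2-interface" in tokens else None)
        elif tokens[0] == "edit" and section:
            current = parsed[section].setdefault(tokens[1], {})
        elif tokens[0] == "set" and current is not None:
            current[tokens[1]] = tokens[2:]
        elif tokens[0] == "next":
            current = None
        elif tokens[0] == "end":
            section = current = None
    return parsed


def lint(parsed):
    """Return the list of findings; an empty list means the settings are
    compatible with the phones' IPsec client."""
    findings = []
    for name, opts in parsed["phase1"].items():
        # FortiOS proposals read cipher-hash (e.g. aes256-sha256); the guide
        # constrains the cipher only, so the hash part is ignored here.
        ciphers = {p.split("-")[0] for p in opts.get("proposal", [])}
        if ciphers != {REQUIRED_PHASE1_CIPHER}:
            findings.append(f"{name}: phase 1 encryption must be aes256 only, "
                            f"got {sorted(ciphers) or 'nothing'}")
        missing = REQUIRED_DH_GROUPS - {int(g) for g in opts.get("dhgrp", [])}
        if missing:
            findings.append(f"{name}: DH groups {sorted(missing)} not offered")
        keylife = int(opts.get("keylife", ["0"])[0])
        if keylife <= PHASE1_MIN_LIFETIME_S:
            findings.append(f"{name}: phase 1 keylife {keylife}s must exceed "
                            f"{PHASE1_MIN_LIFETIME_S}s (periodic tunnel loss)")
    for name, opts in parsed["phase2"].items():
        keylife = int(opts.get("keylifeseconds", ["0"])[0])
        if keylife <= PHASE2_MIN_LIFETIME_S:
            findings.append(f"{name}: phase 2 keylifeseconds {keylife}s must "
                            f"exceed {PHASE2_MIN_LIFETIME_S}s (periodic tunnel loss)")
    return findings


def check_config(text):
    """Parse a FortiOS snippet and lint it in one call."""
    return lint(parse_fortios(text))
```

Running check_config on a copy of the real phase1-interface / phase2-interface blocks (for example pasted from `show vpn ipsec phase1-interface`) reports every deviation at once, which is quicker than waiting for the next periodic tunnel drop.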
6.3 Server configuration using the Command Line and Configuration file
Administrator can also configure the VPN through FORTIGATE 30E Command Line Interface (CLI)
instead of Web Based Management (WBM).
The template contains all CLI commands required to configure a Fortigate "out of the box".
The yellow-highlighted items must be customized to suit your configuration.
To select the CLI commands on the left only: press Alt and select.
Create a user for each OXO remote worker:
config user local
    edit "user1"
        set type password
        set email-to "john.doe@al-enterprise.com"
        set passwd 1245
    next
    edit "user2"
        set type password
        set passwd 6789
    next
end

Configure the WAN interface:
config system interface
    edit "wan"
        set vdom "root"
        set mode static
        set ip 10.0.0.1 255.255.255.0
        set allowaccess ping https ssh
        set type physical
        set role wan
    next
end
Define the WAN subnet as an address object:
config firewall address
    edit "Local_wan"
        set associated-interface "wan"
        set subnet 10.0.0.0 255.255.255.0
    next
end
config firewall policy
    Allow incoming traffic (remote users to corporate LAN):
    edit 1
        set name "RemoteUsers_to_LAN"
        set srcintf "RemoteUsers"
        set dstintf "lan"
        set srcaddr "IPRemoteUsers_range"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
    Allow outgoing traffic (corporate LAN to remote users):
    edit 2
        set name "LAN_to_RemoteUsers"
        set srcintf "lan"
        set dstintf "RemoteUsers"
        set srcaddr "all"
        set dstaddr "IPRemoteUsers_range"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
    Allow traffic between remote workers:
    edit 3
        set name "RemoteUsers_to_RemoteUsers"
        set srcintf "RemoteUsers"
        set dstintf "RemoteUsers"
        set srcaddr "IPRemoteUsers_range"
        set dstaddr "IPRemoteUsers_range"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end
Chapter 7 Step by step example: Fortigate 60D
7.1 Characteristics
7.3 Server configuration using the Command Line and Configuration file
The template contains all CLI commands required to configure a Fortigate "out of the box".
The yellow-highlighted items must be customized to suit your configuration.
To select the CLI commands on the left only: press Alt and select.
Configure the WAN interface:
config system interface
    edit "wan1"
        set vdom "root"
        set mode static
        set ip 10.0.0.1 255.255.255.0
        set allowaccess ping https ssh
        set type physical
        set role wan
    next
end

Define the WAN subnet as an address object:
config firewall address
    edit "Local_WAN1"
        set associated-interface "wan1"
        set subnet 10.0.0.0 255.255.255.0
    next
end
    Allow outgoing traffic (corporate LAN to remote users):
    edit 2
        set name "LAN_to_RemUsers"
        set srcintf "internal"
        set dstintf "OXOremUsers"
        set srcaddr "all"
        set dstaddr "OXOremUsers_range"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    Allow traffic between remote workers:
    edit 3
        set name "RemUsers_to_RemUsers"
        set srcintf "OXOremUsers"
        set dstintf "OXOremUsers"
        set srcaddr "OXOremUsers_range"
        set dstaddr "OXOremUsers_range"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end
Chapter 8 IP phones VPN configuration (with PIN solution)
[Phone screenshots: Main Menu with the entries IP, Memory, Ethernet, 802.1x and Certificate]
Characters mapping:
On the 8018 there is no mini keyboard, so the user must press the "123<>abc" button to switch to
character mode.
The characters are mapped on the dial pad as follows:
Key 0: + . , : ; \ ? ! < >
Key 1: space | - _ 1
Keys 2 to 9: 2…9 and a…z
Key *: nothing
Key #: nothing
Capitals are accessed through a long press on * (toggles caps).
On phones with a mini keyboard, the characters are directly available through the keyboard markings.
The root of the configuration menu opens (free access). The following screen is an example of the root
menu content.
Press the DOWN navigation key until the VPN entry is displayed, and press the associated soft key.
The VPN menu is displayed. The VPN menu position may differ from one phone type to another.
The new PIN code can be entered directly (4 digits). Then validate it with the top left key.
Otherwise, the VPN Settings are displayed:
If the new PIN code has not been defined yet, pressing a soft key beside any submenu item for
modification requires a PIN/Password authentication.
It is possible to choose (by pressing the 3rd left soft key) between the PIN code and the Password for the
authentication (if a password is defined in the communication system for the phones).
After the authentication is passed, there is no need to re-enter the PIN or Password to access other
submenus that require the same level of authentication.
Typing in clear
Typing in clear
If the VPN PIN code option is turned ON (by checking Request Pin on Boot), an authentication window pops
up every time during the phone's initialization and asks for the PIN or Password (if defined); the VPN is
only launched once the authentication is passed. If it is not checked, the phone starts the VPN without
any user authentication.
This is useful if the phone is used alternately in a home context and an enterprise context: by just
pressing the BACK key at the PIN prompt, the phone can start in the enterprise context without navigating
the settings to disable the VPN.
While the IPsec VPN client is running, status information is displayed to help the end user understand the
state of the connection; the details can be found in the Appendix.
Topology example:
[Figure: topology example. INTERNET / INTRANET; home router with WAN IP address 116.228.56.173 (port forwarding required); access router + firewall; 8001 DeskPhone; private IP address 30.1.202.33]
Notes:
The packets between the intranet and the remote worker are forwarded via the OpenVPN server (routing).
On the access router, UDP port 1194 must be configured to be forwarded to the IP address of the OpenVPN
server.
The OpenVPN port number can be verified in server.conf.
1. From the administration computer, open a web browser, and enter the 8001 DeskPhone IP address
2. From the 8001 Web Management home page, go to Security > Trusted certificates upload and
upload the trusted certificates to 8001 DeskPhone
After upload, the trusted certificates are displayed under Trusted certificates.
Notes:
The 8001 does not support the PSK method so far; only the certificate method can be used for the OpenVPN
connection.
To avoid security issues, the customer must generate a different client certificate for each 8001/8001G
DeskPhone set. If the same certificate is shared, security risks arise when an 8001 DeskPhone set is lost
or stolen.
From the web management home page, go to Phone Status and verify that the VPN IP address field is
filled with the OpenVPN IP address.
Notes:
• If the VPN connection is broken, the phone automatically relaunches it.
• The keep-alive directive causes ping-like messages to be sent back and forth over the link so that each
side knows when the other side has gone down: a ping every 10 seconds, and the remote peer is assumed
down if no ping is received during a 120 second period.
• The current intervals are configured in the VPN server configuration file.
Note:
The 8001 DeskPhone set needs the remote worker connection active to update or download its configuration
file from OmniPCX Office RCE. In the home network, the set can get an IP address via DHCP, but it cannot
get option 67 (OmniPCX Office URI https://30.1.202.7:10443/dmcfg) via DHCP.
8.2.3.2 Generating certificate files for the OpenVPN server and 8001 DeskPhone
1. Open a terminal window
2. Enter the directory used to generate the certificate files (may vary between different versions)
root@ubuntu14:~# cd /etc/openvpn/easy-rsa
3. Enter the following commands:
root@ubuntu14:/etc/openvpn/easy-rsa# export D=`pwd`
root@ubuntu14:/etc/openvpn/easy-rsa# export KEY_CONFIG=$D/openssl.cnf
root@ubuntu14:/etc/openvpn/easy-rsa# export KEY_DIR=$D/keys
root@ubuntu14:/etc/openvpn/easy-rsa# export KEY_SIZE=1024
root@ubuntu14:/etc/openvpn/easy-rsa# export KEY_COUNTRY=CN
root@ubuntu14:/etc/openvpn/easy-rsa# export KEY_PROVINCE=SH
root@ubuntu14:/etc/openvpn/easy-rsa# export KEY_CITY=SH
root@ubuntu14:/etc/openvpn/easy-rsa# export KEY_ORG="al-enterprise.com"
root@ubuntu14:/etc/openvpn/easy-rsa# export KEY_EMAIL=admin@al-enterprise.com
4. Generate a CA certificate
root@ubuntu14:/etc/openvpn/easy-rsa# ./clean-all
root@ubuntu14:/etc/openvpn/easy-rsa# ./build-ca
Note: "easy-rsa" is integrated in the "OpenVPN" package from the website.
If you do not know where the 'server.conf' directory is located, you can use the command below to find it
and copy it to the "openvpn" directory:
root@ubuntu14:~# find / -name 'server.conf'
4. Edit the file "server.conf" according to your current network environment and save the change:
root@ubuntu14:/etc/openvpn# vi server.conf
Note: whether a single route or several routes are pushed to the 8001 DeskPhone client depends on the customer's topology.
Chapter 9 Maintenance procedures
9.1 Troubleshooting
In case of problems to establish a tunnel, it might be necessary to check the logs on the Fortigate, to
identify the phase of the tunnel establishment in which the problem occurs (IKE phase1 or phase2).
The relevant logs for a VPN failure are available in the web interface:
This window displays different pieces of information to help find the reason behind a failure.
It can for example inform that the error occurs during phase 1 or phase 2 of the tunnel setup, and that a
tunnel parameter of the client does not match the local configuration.
The status of current VPNs is also available:
The logs can also give some information about the parameters used for the tunnel, when it is successful
(encryption, hash, IP addresses …):
The name of the VPN interface (here oxovpn_0) can be found in the following menu:
Chapter 10 Appendix
[Phone screen: the VRout field shows the Fortigate address 082.125.010.046]
To enable the VPN, select the "Use VPN" check box and enter the IP address of the Fortigate in VRout.
Press the down key and enter the Pre-shared Key; in the example below it is 123456789.
When every parameter in the VPN menu is filled in, press the 1st left softkey to save and return to "IP
Parameter", configure TFTP1/TFTP2 if needed, then save; the terminal reboots automatically.
Then, at the end of step 2 of the initialization, a popup window asks for the login username and
password:
Enter the correct username/password (in the example, user1/1245 or user2/6789), press the 1st left softkey
and continue the initialization.
The phone launches the VPN client and the screen returns to the initialization screen with a prompt info:
And some info will also be displayed when the PIN authentication is aborted during the initialization:
END OF DOCUMENT