
IPsec VPN Deployment Guide for Remote Workers for DeskPhones and Premium DeskPhones s Series

July 2017

8AL90345ENAA Ed. 04
Legal notice
The information presented is subject to change without notice.
ALE International assumes no responsibility for inaccuracies contained herein.
Copyright © ALE International, 2017

Disclaimer
While efforts were made to verify the completeness and accuracy of the information contained in this
documentation, this document is provided “as is”. To get more accurate content concerning Cross
Compatibilities, Product Limits, Software Policy and Feature Lists, please refer to the accurate
documents published on the Business Partner Web Site.
In the interest of continued product development, ALE International reserves the right to make
improvements to this documentation and the products it describes at any time, without notice or
obligation.

The CE mark indicates that this product conforms to the following Council Directives:
• 2014/53/EU for radio equipment
• 2014/35/EU and 2014/30/EU for non-radio equipment (including wired Telecom Terminal Equipment)
• 2014/34/EU for ATEX equipment
• 2011/65/EU (RoHS)
Table of contents

1 General (p. 7)
1.1 Overview (p. 7)
1.2 Services provided (p. 7)
1.3 Terminology (p. 8)
1.3.1 Glossary (p. 8)
1.3.2 Graphical conventions (p. 8)

2 Architecture (p. 9)

3 Description (p. 10)
3.1 Basic Description (p. 10)
3.2 Technical Description (p. 10)
3.2.1 On Corporate LAN (p. 10)
3.2.2 On remote worker LAN (p. 12)
3.2.3 Emergency calls (p. 12)
3.3 Configuration in a nutshell (p. 13)

4 Communication system configuration (p. 16)
4.1 Reference design (p. 16)
4.2 OXO Connect and OmniPCX Enterprise configuration (p. 16)

5 VPN server configuration (p. 17)
5.1 General interactions (p. 17)
5.1.1 Authentication (IKE V1) (p. 17)
5.1.2 Parameters negotiation (p. 17)
5.1.3 Tunnel and NAT setup (p. 18)
5.2 Engineering rules (p. 18)
5.2.1 Limits (p. 18)
5.2.2 Internationalization/localization (p. 18)

8AL90345ENAA Ed. 04 - July 2017 - IPsec VPN Deployment Guide for Remote Workers for DeskPhones and Premium DeskPhones s Serie

6 Step by step example: Fortigate 30E (p. 19)
6.1 Characteristics (p. 19)
6.2 Server configuration using the Web Based Management (WBM) (p. 19)
6.2.1 Connecting to the Fortigate 30E (p. 19)
6.2.2 Creating users for remote worker authentication (p. 20)
6.2.3 Adding a user group (p. 22)
6.2.4 Configuring the network Interface (p. 23)
6.2.5 Configuring LAN interface (p. 23)
6.2.6 Configuring WAN interface (p. 24)
6.2.7 Specifying the corporate LAN/WAN default gateway (p. 25)
6.2.8 Creating IPsec tunnels (p. 26)
6.2.9 Configuring the IPsec tunnel network parameters (p. 26)
6.2.10 Configuring the IPsec tunnel authentication method (p. 27)
6.2.11 Configuring the IPsec IKE phase 1 for IPsec tunnel (p. 27)
6.2.12 Configuring the IPsec IKE phase 2 for IPsec tunnel (p. 28)
6.2.13 Configuring firewall rules and IP routes (p. 29)
6.2.14 Verifying the list of policy rules (p. 32)
6.3 Server configuration using the Command Line and Configuration file (p. 33)

7 Step by step example: Fortigate 60D (p. 37)
7.1 Characteristics (p. 37)
7.1.1 Hardware aspects (p. 37)
7.1.2 Software aspects (p. 37)
7.2 Server configuration using the Web Based Management (WBM) (p. 37)
7.3 Server configuration using the Command Line and Configuration file (p. 37)

8 IP phones VPN configuration (with PIN solution) (p. 42)
8.1 General case (p. 42)
8.1.1 Entering the configuration menu (step 1) (p. 43)
8.1.2 Entering the VPN menu (step 2) (p. 44)

8.1.3 Configuring the VPN Config submenu (step 3) (p. 45)
8.1.4 Configuring the VPN TFTP submenu (step 4) (p. 46)
8.1.5 Configuring the VPN Auth submenu (step 5) (p. 47)
8.1.6 Configuring the VPN PIN code submenu (step 6) (p. 48)
8.1.7 Special cases (p. 49)
8.2 Case of the 8001/8001G DeskPhone (p. 50)
8.2.1 Environment and topology (p. 50)
8.2.2 Set configuration using 8001 Web Management (p. 51)
8.2.3 OPEN VPN server configuration (p. 55)

9 Maintenance procedures (p. 58)
9.1 Troubleshooting (p. 58)
9.1.1 Phase 1: points to check (p. 58)
9.1.2 Phase 2: points to check (p. 58)
9.2 Other problems (p. 58)
9.3 Activity logs (p. 58)
9.4 Network traffic (p. 61)

10 Appendix (p. 64)
10.1 ALE IP phones VPN configuration (without PIN code solution) (p. 64)
10.1.1 VPN configuration removal on phones (p. 65)
10.1.2 Communication systems (p. 65)
10.1.3 Fortigate VPN server (p. 65)
10.2 IPSec VPN and Thales feature (p. 65)
10.3 Prompt Info of phone (p. 65)

Chapter 1 General

This document is the IPsec VPN deployment guide and reference design for ALE communication systems
(OXE R12 MD1/MD2, OXO Connect 2.1, OTEC 2.3) that support the remote worker feature with ALE IP
phones.

1.1 Overview
The IPsec remote worker solution uses a VPN to secure the communications between the communication
system and the remote workers.
This document is the reference design for the VPN implementation on the VPN server and on the ALE IP
phones.
The document is split into three parts:
- A general architecture presentation, showing the principles of the deployment, independent of the
communication server and VPN server type. It describes a typical infrastructure from which the real
deployment can be derived.
- A practical configuration guide for several VPN servers (not intended to be exhaustive) and for the
phones.
- A troubleshooting guide.
The remote worker feature was introduced with OXO Connect R2.1, but it has no dependency on the
communication system release.

1.2 Services provided


The VPN server provides secure connections between the communication system and the ALE IP phone of a
remote worker, with confidentiality, integrity and authentication based on the IPsec protocol.
Remote workers get the same level of service as local users on the LAN.


1.3 Terminology

1.3.1 Glossary
DH : Diffie-Hellman. Key exchange method
DMZ : Demilitarized zone
DNAT : Destination NAT
ESP : Encapsulating Security Payload
IKE : Internet Key Exchange
IPsec : Internet Protocol Security
NAT : Network Address Translation
NAPT : Also PAT, NATP, masquerading, overloading. Many-to-one NAT based on the outgoing port.
NAT-T : NAT Traversal, UDP encapsulation of IPsec packets
PSK : Pre-shared key
RSC : Remote Service Center
SNAT : Source NAT
UDP : User Datagram Protocol
VPN : Virtual Private Network

1.3.2 Graphical conventions

Icons used in the figures: access gateway, IP router, communication system, VPN server, workstation,
firewall.

Chapter 2 Architecture

The network reference architecture is the following:

Figure 1: Network architecture. The figure shows the corporate LAN (communication system OXO, access
router with firewall and port forwarding, VPN server), the Internet, and two remote workers, each behind
a home access router/box with a VPN client phone. Legend: VPN tunnel, signaling, media.

- The VPN tunnels are established between the VPN server and the remote workers' phones. There are as
many tunnels as remote workers connected to the communication system.
- Remote workers are always users of the communication system; it is not possible to connect external
users through the VPN.
- A tunnel is used by exactly one remote worker. When several remote workers share a single LAN in the
same premises, each of them still has his own VPN tunnel.
- A workstation connected to the PC port of the phone only has access to the remote worker's LAN;
workstation IP traffic is never tunneled.
- IP traffic between two distinct remote workers: both phones have a NOE signaling link with the
communication system in the corporate LAN, but the VoIP media between them is not handled by the
communication system. The VPN gateway forwards the media directly from one tunnel to the other and
must be configured to allow this.

Chapter 3 Description

3.1 Basic Description


The VPN creation request is initiated by the phone during its initialization phase. The phone gets its local
IP parameters from the remote worker's DHCP server (or from static settings), but the VPN parameters
must be entered statically, either by the remote worker or by an administrator.
DHCP configuration is preferred, as it is much easier to deploy for the end user.
Usually there is no need to change any firewall setting on the remote worker's access router, since the
initial traffic is outgoing. On the corporate LAN side, in addition to the VPN server settings, the access
router must be configured (port redirection) to accept the incoming VPN connection requests, and the local
router(s) must route the VPN traffic to the VPN gateway.
To prevent address overlap between the remote worker and corporate LANs, two virtual IP addresses are
used as tunnel endpoints (one on the VPN server side, the other sent to the remote worker's phone).
CAUTION: the remote worker LAN on which the phone runs must not be in the same subnet as the
virtual address range of the VPN server.
Once the tunnel is established with the VPN server, the phone has access to the corporate LAN, so it can
initialize with the communication system and reach any other ALE IP phone with direct RTP.

3.2 Technical Description


In this reference design, the communication system, the VPN gateway and the remote worker IP phone all
have private addresses, which are not routable on the public network.
The following points are mandatory:
- Each access gateway must have a public IP address to send data on the Internet.
- On the corporate LAN access gateway, the ports used for IKE and NAT-T (by default UDP 500 and
UDP 4500) must be forwarded to the VPN gateway.
- Outbound IPsec connections must be allowed on the remote worker's access gateway.

3.2.1 On Corporate LAN


3.2.1.1 Communication systems
The remote worker feature was introduced with OXO Connect R2.1, but the communication system itself is
not impacted: other communication system releases can also benefit from the remote worker feature.

3.2.1.2 VPN server


This first version of the VPN solution relies on static, built-in settings in the phone; the VPN server
settings must be compatible with them.
Settings required on the VPN server:
- IP addresses for the VPN tunnels
- User credentials declared in the VPN server for each remote worker (login + password). The installer
must share these credentials with each remote worker.
- A static PSK compatible with the fixed VPN settings of the ALE IP phone. An example configuration is
given in this document; the installer must customize it to the existing network topology and VPN
credentials.


Restrictions on character entry:

The VPN configuration asks for a PSK, a user login and a user password.
These are defined by the VPN server administrator, but must be entered on the phone's keypad, which
limits the usable characters.
Available characters, depending on the phone model (with or without mini keyboard) and on the field:

Phone model | User login | User password and PSK
8018 | 0…9 a…z A…Z - + . , : ; \ ? ! < > | 0…9 a…z A…Z - + . , : ; \ ? ! < >
80x8S | 0…9 a…z A…Z - + . @ $ % / | 0…9 a…z A…Z - + . , : ; \ ? ! < > @ & $ % # ' * = / ( )

Recommended common charset for all phones:

Phone model | User login | User password and PSK
All phones | 0…9 a…z A…Z - _ + . | 0…9 a…z A…Z - _ + . , : ; \ ? ! < >
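The tables above are easy to get wrong when an administrator generates credentials on a PC: a PSK containing "$" or "#" simply cannot be typed on an 8018. The following Python script is an added example (not part of the ALE guide) that transcribes the character sets of both tables, checks a login/password/PSK triple against a given phone model or against the recommended common charset, and generates a PSK from that common charset with a cryptographic random generator. The function names and the "common" model label are assumptions of this example.

```python
"""Validate VPN credentials against the phone keypad character sets.

Added example, not part of the ALE guide. The character sets are transcribed
from the tables above (the recommended common set is the one to use); the
function names are assumptions of this example.
"""
import secrets
import string

ALNUM = set(string.digits + string.ascii_letters)

# Per-model sets from the first table: "login" for the user login,
# "secret" for the user password and the PSK.
KEYPAD_CHARSETS = {
    "8018": {
        "login": ALNUM | set("-+.,:;\\?!<>"),
        "secret": ALNUM | set("-+.,:;\\?!<>"),
    },
    "80x8S": {
        "login": ALNUM | set("-+.@$%/"),
        "secret": ALNUM | set("-+.,:;\\?!<>@&$%#'*=/()"),
    },
}

# Recommended common charset that every phone model can enter (second table).
COMMON = {
    "login": ALNUM | set("-_+."),
    "secret": ALNUM | set("-_+.,:;\\?!<>"),
}


def unsupported_chars(value, field, model="common"):
    """Return the set of characters in `value` that the model cannot type for
    `field` ("login" or "secret"); model "common" means the recommended charset."""
    allowed = COMMON[field] if model == "common" else KEYPAD_CHARSETS[model][field]
    return set(value) - allowed


def check_credentials(login, password, psk, model="common"):
    """Map each offending field to its untypeable characters; an empty dict means OK."""
    problems = {}
    for name, field, value in (("login", "login", login),
                               ("password", "secret", password),
                               ("psk", "secret", psk)):
        bad = unsupported_chars(value, field, model)
        if bad:
            problems[name] = "".join(sorted(bad))
    return problems


def generate_secret(length=32):
    """Generate a PSK or password from the common secret charset with a CSPRNG.

    The alphabet has 74 symbols, so 32 characters carry about 198 bits of
    entropy: a PSK this long cannot be brute-forced offline from a captured
    IKE exchange, and every character is typeable on every phone model.
    """
    alphabet = sorted(COMMON["secret"])
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # Constructed sample: "$" is fine on an 80x8S but cannot be typed on an 8018.
    print(check_credentials("user1", "Pa$$w0rd", "abc"))           # {'password': '$'}
    print(check_credentials("user1", "Pa$$w0rd", "abc", "80x8S"))  # {}
    print(generate_secret())
```

Run the check with model "common" when the installation mixes phone models, since the credential is typed on whichever phone the remote worker gets.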

3.2.1.3 Access router


Port forwarding on the access router:
Port forwarding is required on the access router to forward the incoming VPN traffic (from the Internet)
to the internal VPN server (IP address + port number).

3.2.1.4 Router
A specific routing policy is required to route all IP traffic between the corporate LAN and the remote
workers. This policy lets a remote worker device reach every IP device connected to the LAN, and vice
versa. Specific routes must therefore be set up on all LAN routers so that the traffic for remote workers is
forwarded to the VPN server on the corporate LAN, which is the only way to reach the communication
system or any other ALE IP phone.
All remote IP phones get an IP address from the VPN server. These addresses are configured as a range
(usually a dedicated IP subnet of the corporate LAN). This subnet must be routed to the VPN server in
the corporate LAN.
Corporate LAN VPN IP traffic routing policy:
- A default router must be specified in the communication system, so that all VPN IP traffic (destination
IP address inside the VPN IP range) is sent to the default router.
- A specific route must be set up on the default router to forward the VPN IP traffic to the VPN server.
- The VPN server automatically forwards the IP traffic to the corresponding VPN tunnel based on the
destination IP address.


Configuring the routing policy is more complex when the communication system and the ALE IP phones are
spread over several IP subnets of the corporate LAN: the routing policy must then be configured on each
router. Activating dynamic IP routing is an alternative.
For a basic network topology, another option is to use the VPN gateway as the default gateway of the
communication system. This is not recommended, since the VPN gateway would then have to route all
non-local IP traffic of the communication system.

3.2.2 On remote worker LAN


3.2.2.1 Remote worker access router
Usually the remote worker's Internet access router is not impacted.
By default, the access router already:
- Provides the IP parameters (local IP address, subnet, default router IP, DNS IP) to the phone.
- Allows outgoing IP traffic (in particular the VPN establishment request sent by the phone).
- Provides Port Address Translation (PAT): each device on the LAN is assigned a port number, appended
to the single public address of the router. No configuration is required.
In addition, the IPsec passthrough option, if the router has one, must be deactivated: otherwise several
phones connected behind the same router will not all succeed in establishing their VPN (with the option
off, the tunnels rely on NAT-T over UDP 4500, which supports several clients behind one NAT).
Under this scenario there is no additional configuration to do on the access router to support remote
worker phones. Otherwise the Internet access router must be configured accordingly.

3.2.2.2 Remote worker phone


For implementation and release reasons, there are two sets of local MMI VPN configuration menus:
without PIN authentication and with PIN authentication, both described in detail in the chapters below.
The version without PIN authentication must be considered legacy.
On each ALE IP phone supporting the IPsec feature, there are fixed VPN settings and VPN settings that
must be customized:
• Fixed VPN settings (can neither be displayed nor modified)
- Supported protocols and algorithms: IKEv1 with XAuth, AES-256, SHA-256, Diffie-Hellman groups
16, 14 and 5
- PSK method for authentication
• VPN settings that must be customized
- VPN server public IP address
- Communication system private IP address (in the TFTP field)
- PSK shared with the VPN server (either one PSK for all remote workers of an installation, or one
PSK per remote worker)
- XAuth enabled or disabled
- Remote worker login + password when XAuth is enabled

3.2.3 Emergency calls


Specific settings are required on the communication system to handle remote worker emergency calls
properly, especially their location.
For more information, please refer to Expert Documentation: User Services (8AL91202), chapter on
Emergency Call.

3.3 Configuration in a nutshell
The addresses used in the figures are EXAMPLES.
Global topology (figure; the values recovered from it are listed here):
- Corporate LAN: communication system (OXO) 172.25.17.210; VPN server / firewall with LAN address
172.25.17.211 and WAN address 10.0.0.1; LAN router with an added route 10.100.1.0/255.255.255.0 to
172.25.17.211; other corporate LAN addresses shown in the figure: 172.25.17.209 and 172.25.17.212.
- Corporate access router: public IP 82.125.10.46, with ports 500 and 4500 forwarded to 10.0.0.1.
- Virtual addresses allocated by the VPN server: Phone1 10.100.1.1, Phone2 10.100.1.2, Phone3 ...
- Remote worker: box/router with public IP 83.100.1.10 and local address 192.168.0.1; PHONE 1 with local
address 192.168.0.100 (DHCP preferred) and virtual address 10.100.1.1. The home LAN and the virtual
address range must be different sub-networks.
- Manual entries on the phone: VPN server address 82.125.10.46, communication server TFTP address
172.25.17.210, PSK, login and password (the credentials declared in the VPN server).
The deployment must be done so as to avoid any change in the remote worker's access router settings.
In consequence, the virtual addresses defined in the VPN server for the phones must avoid the common
ranges used by home access routers or boxes.

On the home worker side, it is recommended to use dynamic IP addressing, which is much simpler for the
end user. Phones coming out of the box are configured to get their IP address through DHCP, so the
installation is straightforward.
A static IP address is also possible from the phone's perspective. In that case, select a free IP address
that is not included in the range allocated by the DHCP server.
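The two addressing constraints of sections 3.1 and 3.3 (the VPN client pool must not overlap the remote worker's home LAN, and the corporate router needs a specific route for the pool towards the VPN server) are easy to check before anything is configured. The following Python script is an added example, not part of the ALE guide: it uses the EXAMPLE addresses of the figure above (pool 10.100.1.0/24, VPN server 172.25.17.211, corporate LAN 172.25.17.208/28 from the netmask used in section 6.2.1). The list of common home subnets, the route representation and the function names are assumptions of this example.

```python
"""Addressing sanity checks for a remote-worker VPN plan.

Added example, not part of the ALE guide. Addresses are the EXAMPLE values of
the figure above; COMMON_HOME_SUBNETS, the (destination, next hop) route
representation and the function names are assumptions of this example.
"""
import ipaddress

# Ranges frequently used by consumer access routers/boxes (assumption of this
# example; extend it with what your remote workers actually run at home).
COMMON_HOME_SUBNETS = [
    "192.168.0.0/24", "192.168.1.0/24", "192.168.178.0/24",
    "10.0.0.0/24", "10.0.1.0/24", "172.16.0.0/24",
]


def overlapping(pool, subnets):
    """Return the members of `subnets` (CIDR strings) that overlap the VPN client pool."""
    pool = ipaddress.ip_network(pool)
    return [s for s in subnets if pool.overlaps(ipaddress.ip_network(s))]


def route_for_pool(routes, pool, vpn_server_ip):
    """Most specific route (as an ip_network) covering the whole pool via the VPN
    server, or None. `routes` lists (destination CIDR, next hop) pairs as
    configured on the corporate LAN default router (section 3.2.1.4)."""
    pool = ipaddress.ip_network(pool)
    server = ipaddress.ip_address(vpn_server_ip)
    best = None
    for dest, next_hop in routes:
        dest = ipaddress.ip_network(dest)
        if pool.subnet_of(dest) and ipaddress.ip_address(next_hop) == server:
            if best is None or dest.prefixlen > best.prefixlen:
                best = dest
    return best


def static_ip_ok(phone_ip, home_lan, dhcp_first, dhcp_last):
    """A static phone address must lie in the home LAN but outside the DHCP range."""
    ip = ipaddress.ip_address(phone_ip)
    if ip not in ipaddress.ip_network(home_lan):
        return False
    return not (ipaddress.ip_address(dhcp_first) <= ip <= ipaddress.ip_address(dhcp_last))


def check_plan(pool, corporate_subnets, routes, vpn_server_ip, home_subnets=COMMON_HOME_SUBNETS):
    """Collect findings as strings; an empty list means the addressing plan is consistent."""
    findings = []
    for s in overlapping(pool, corporate_subnets):
        findings.append("VPN pool %s overlaps corporate subnet %s" % (pool, s))
    for s in overlapping(pool, home_subnets):
        findings.append("VPN pool %s overlaps common home subnet %s: a phone on such a LAN "
                        "cannot use the tunnel" % (pool, s))
    route = route_for_pool(routes, pool, vpn_server_ip)
    if route is None:
        findings.append("no route for %s via VPN server %s on the corporate router"
                        % (pool, vpn_server_ip))
    elif route.prefixlen == 0:
        findings.append("%s is reached only through the default route via %s; use a specific "
                        "route instead (the VPN gateway should not route all non-local traffic)"
                        % (pool, vpn_server_ip))
    return findings


if __name__ == "__main__":
    # Values of the figure above: consistent plan, no findings.
    print(check_plan("10.100.1.0/24", ["172.25.17.208/28"],
                     [("10.100.1.0/24", "172.25.17.211")], "172.25.17.211"))
    # A pool carved out of 192.168.0.0/24 collides with the home router of the
    # figure, and nothing routes it on the corporate side.
    for finding in check_plan("192.168.0.0/24", ["172.25.17.208/28"], [], "172.25.17.211"):
        print("-", finding)
```

The home-subnet list is the part to maintain: every range a remote worker's box hands out at home is a range the VPN pool can never use, because the phone would resolve the virtual addresses locally instead of sending them into the tunnel.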

Figure: incoming packets route. Corporate LAN with the communication system (OXO, 172.25.17.210) and
the VPN server / firewall (172.25.17.211); the Internet; the remote worker's box/router and PHONE 1
(virtual address 10.100.1.1). Legend: VPN, signaling, media.


Figure: outgoing packets route. A packet from the communication system (OXO, 172.25.17.210) to the
phone's virtual address 10.100.1.1 goes to the LAN default router, then to the VPN server / firewall
(172.25.17.211), and through the tunnel to PHONE 1 behind the remote worker's box/router. Legend: VPN,
signaling, media.

The outgoing packets have a destination address outside the LAN, so they are sent to the default gateway
(router), which forwards them to the VPN server address (here 172.25.17.211).

Chapter 4 Communication system configuration

4.1 Reference design


VPN server reference : Fortigate 60D – Software version 5.4.4
Communication system : OXO Connect release 2.1

4.2 OXO Connect and OmniPCX Enterprise configuration


Usually, a default route is already specified during OXO Connect installation and does not need to be
changed.
Nevertheless here is how to change the default router in OXO Connect with OMC:

For OmniPCX Enterprise: use menu 8 (‘Routing’) from the netadmin -m command

Chapter 5 VPN server configuration

It is not possible to give an exhaustive description of the configuration for the many models and brands
of VPN servers; even within one brand, different models may use different syntaxes.
Based on the architecture described above, the required configuration steps for some VPN servers are
described in this section.

5.1 General interactions

5.1.1 Authentication (IKE V1)


The server is authenticated by a pre-shared key, configured on the VPN server and stored locally in the
ALE IP phone.
The client is optionally authenticated through XAuth (eXtended Authentication), which forces the client to
send a login and a password to identify itself. XAuth can be disabled if a specific PSK is used for each
remote worker.
Warning:
- The XAuth login/password must be specific to each remote worker.
- Never disable XAuth when a single PSK is used for all remote workers: the PSK alone would then grant
tunnel access with no per-user identity.
- Since the server is authenticated only by the PSK, anyone who knows a shared PSK can also impersonate
the VPN server towards the phones. Choose a long random PSK and change it when a remote worker leaves.
- Ensure the selected XAuth login/password can be entered on the phone keypad (see the character
restrictions in chapter 3).
- For the XAuth configuration on the phone, refer to the IP phones VPN configuration chapter.

5.1.2 Parameters negotiation


During the negotiation, a match must be found between the security parameters:
- Phase 1: encryption algorithm, hash algorithm, DH group
- Phase 2: encryption algorithm, authentication algorithm, DH group
Common parameter values must therefore be configured on the VPN server to match the phone VPN client,
depending on the minimum level of security desired and on what is legally allowed in the countries
concerned.
Example of a possible configuration on the Fortigate 60D:
Phase 1:
    set proposal aes256-sha256
    set dhgrp 16 14 5
Phase 2:
    set proposal aes256-sha256
    set dhgrp 16 14 5

The security parameter values authorized on the VPN server that match the phones' capabilities are:
- Phase 1 encryption algorithm: aes256
- Phase 1 hash algorithm: sha256
- Phase 1 DH groups: 5, 14, 16
- Phase 2 encryption algorithm: aes256
- Phase 2 authentication algorithm: sha256
- Phase 2 DH groups: 5, 14, 16
List only these values on the tunnel: a weaker proposal added for convenience is accepted from every
dialup peer, not just from the phones.

5.1.3 Tunnel and NAT setup


For information: at the end of phase 1, the VPN server sends the remote worker phone an IP address (IKE
mode config) to be used as its virtual address, which is the client end of the tunnel. The IPsec security
policies are installed accordingly and removed when the tunnel is closed. No action is needed here.

5.2 Engineering rules

5.2.1 Limits
For information, one of the VPN gateways used for this reference design (Fortigate 60D) can handle up to
500 client-to-gateway IPSec tunnels. No action is needed here.

5.2.2 Internationalization/localization
The country where the VPN server and the client are deployed might impose some restrictions on the
cipher used (algorithm, key length).

Chapter 6 Step by step example: Fortigate 30E

6.1 Characteristics
Fortigate VPN server hardware: Fortigate 30E
This reference design applies to the firmware FortiOS 5.4.5.

6.2 Server configuration using the Web Based Management (WBM)


The menu layout of the WBM may change from one version to another, so the CLI can be used as an
alternative; see the corresponding chapter below.

6.2.1 Connecting to the Fortigate 30E


The Fortigate VPN configuration can easily be customized with the Web Based Management (WBM). The
administrator can access it through FortiExplorer (client connected to the Fortigate USB management port)
or with a web browser (e.g. Firefox, Chrome) if the Fortigate is already connected to the LAN.
If the Fortigate LAN interface is not configured yet, connect a PC to the USB management port and open a
serial console session.
1. Log in as admin without password (factory default).
2. Run the following commands with the Fortigate LAN IP address (172.25.17.211 in this example):
    config system interface
        edit "lan"
            set vdom "root"
            set ip 172.25.17.211 255.255.255.240
            set allowaccess ping https ssh
            set type hard-switch
            set role lan
        next
    end

You can now connect to the Web Based Management (WBM) with a web browser (for example Firefox or
Chrome) at https://172.25.17.211/ (the Fortigate LAN IP address).


Change the administrator password at first login: the factory-default admin account has an empty
password and the management interface is reachable from the LAN.

Log in with the admin account and password (empty by default) to access all configurable settings.

6.2.2 Creating users for remote worker authentication


1. Create a user definition (one user definition per remote worker)
2. Select Local User and click Next
3. Enter the VPN user name and password and click Next
4. Enter the email address and click Next
5. Click Create


6.2.3 Adding a user group


Create one group ("remote_phones" in this example) common to all remote workers and include all users
in it.
1. Create a VPN user group
2. Enter the user group name
3. Add members


6.2.4 Configuring the network Interface

Double click LAN or WAN to configure interface

6.2.5 Configuring LAN interface


The LAN interface settings already exist if you use the WBM from an Internet browser. You must create
the LAN interface when using the FortiExplorer client connected to the USB management port.
1. The LAN interface IP address/netmask is already configured when using the WBM
2. Select Restrict Access and tick the following check boxes: HTTPS, PING and SSH


6.2.6 Configuring WAN interface


1. Select Manual in the Addressing mode field
2. Enter the WAN interface IP address and netmask in the corresponding fields
3. Select Restrict Access and tick the following check boxes: HTTPS, SSH and PING
Only keep HTTPS and SSH ticked on the WAN interface if remote administration is really needed, and in
that case limit the admin account to trusted source addresses (trusted hosts). In this reference design the
WAN interface sits behind the corporate access router, which forwards only UDP 500 and 4500 to it, so the
management services are not directly exposed to the Internet.


6.2.7 Specifying the corporate LAN/WAN default gateway


1. Create the LAN and WAN static gateways if they are different from the Fortigate
2. In the Device field, select WAN or LAN
3. Enter the gateway IP address
After the LAN/WAN gateway creation, the "Static Routes" list is displayed; the "Routing Monitor" content
is dynamic.


6.2.8 Creating IPsec tunnels

1: Create a new IPsec tunnel

1: Enter the IPsec tunnel name
2: Select Custom, and Next

6.2.9 Configuring the IPsec tunnel network parameters


1. Verify the IPsec tunnel name
2. In the Remote Gateway field, select Dialup User
3. In the Interface field, select Wan
4. Select Mode Config
5. Select Use System DNS in Mode Config
6. Enter VPN client IP address range
7. Enter VPN client IP address netmask
8. Uncheck IPV4 Split Tunnel
9. Enable the NAT Traversal


6.2.10 Configuring the IPsec tunnel authentication method


1. In the Method field, select Pre-shared Key
2. Enter a pre-shared key
3. Select IKE Version “1”
4. In the Mode field, select Main(ID protection)
5. In the Accept Types field, select Peer ID from dialup group
6. In the User group field, select the user group created previously (“remote_phones”)

6.2.11 Configuring the IPsec IKE phase 1 for IPsec tunnel


1: Select AES256 in the Encryption field, and SHA256 in the Authentication field


2: In the Diffie-Hellman Groups field, select the following check boxes: 5, 14, and 16
3: Phase 1 SA Key Lifetime must be set longer than 1.5 hours (example: 3H)

1: Select Auto Server

2: Select “remote_phones”

Because of the way the IPsec client is implemented on the phone, the Phase 1 SA Key Lifetime must be set
to longer than 1.5 hours.
Attention: if the Key Lifetime is misconfigured on the Fortigate server, the tunnel will periodically lose
its connection.

6.2.12 Configuring the IPsec IKE phase 2 for IPsec tunnel


Open Advanced:
1: Select AES256 in the Encryption field, and SHA256 in the Authentication field
2: In the Diffie-Hellman Groups field, select the following check boxes: 5, 14, and 16
3: In Phase 2 SA Key Lifetime, keep the default value 43200s


Because of the way the IPsec client is implemented on the phone, the Phase 2 SA Key Lifetime must be set
to longer than 0.5 hour.
Attention: if the Key Lifetime is misconfigured on the Fortigate server, the tunnel will periodically lose
its connection.

6.2.13 Configuring firewall rules and IP routes


6.2.13.1 Configuring Remote Users IP range address
1: Create a new address

1: Enter a rule name


2: Select IP Range in the Type field
3: In the Subnet/IP Range field, enter the first VPN IP address and the last IP address of the IP range
4: Keep any in the Interface field


6.2.13.2 Configuring Local_wan IP range address


1: Create a new address

1: Enter a rule name


2: Select IP/Netmask in the Type field
3: In the Subnet/IP Range field, enter the WAN network IP address and netmask
4: Select wan in the Interface field

6.2.13.3 Adding a rule in IPv4 policy


1: Initially, the IPv4 policy must contain only one rule (“Implicit Deny”)
2: Create a new rule


6.2.13.4 Configuring a policy rule: LAN to remote users


1. Enter a rule name
2. In the Incoming Interface field, select lan
3. In the Outgoing Interface field, select “RemoteUsers”
4. In the Source field, select all
5. In the Destination Address field, select “IPRemoteUsers_Range”
6. In the Service field, select ALL
7. Disable NAT

6.2.13.5 Configuring a policy rule: remote users to LAN


1. Enter a rule name
2. In the Incoming Interface field, select “RemoteUsers”
3. In the Outgoing Interface field, select lan
4. In the Source field, select “IPRemoteUsers_Range”
5. In the Destination Address field, select all
6. In the Service field, select ALL
7. Disable NAT


6.2.13.6 Configuring a policy rule: remote users to remote users


1. Enter a rule name
2. In the Incoming Interface field, select “RemoteUsers”
3. In the Outgoing Interface field, select “RemoteUsers”
4. In the Source field, select “IPRemoteUsers_Range”
5. In the Destination Address field, select “IPRemoteUsers_Range”
6. In the Service field, select ALL
7. Disable NAT

6.2.14 Verifying the list of policy rules


6.3 Server configuration using the Command Line and Configuration file
The administrator can also configure the VPN through the FORTIGATE 30E Command Line Interface (CLI)
instead of Web Based Management (WBM).
The template below contains all the CLI commands required to configure a Fortigate “out of the box”.
The site-specific values (user names, passwords and e-mail address, interface IP addresses and netmasks,
the VPN client address range, the default gateway and the pre-shared key) must be customized to suit
your configuration.
Create a user for each OXO remote worker:

config user local
    edit "user1"
        set type password
        set email-to "john.doe@al-enterprise.com"
        set passwd 1245
    next
    edit "user2"
        set type password
        set passwd 6789
    next
end

Create a user group for all OXO remote workers and include the users:

config user group
    edit "remote_phones"
        set member "user1" "user2"
    next
end

Configure the LAN and WAN interfaces:

config system interface
    edit "lan"
        set vdom "root"
        set ip 172.25.17.211 255.255.255.240
        set allowaccess ping https ssh
        set type hard-switch
        set role lan
    next
    edit "wan"
        set vdom "root"
        set mode static
        set ip 10.0.0.1 255.255.255.0
        set allowaccess ping https ssh
        set type physical
        set role wan
    next
end

Add the firewall address objects used by the rules that accept IP traffic:

config firewall address
    edit "IPRemoteUsers_range"
        set type iprange
        set comment "VPN remote users address range"
        set start-ip 10.100.1.1
        set end-ip 10.100.1.100
    next
    edit "Local_wan"
        set associated-interface "wan"
        set subnet 10.0.0.0 255.255.255.0
    next
end

Add a static route to the default gateway:

config router static
    edit 1
        set gateway 172.25.17.209
        set device "lan"
        set comment "DMZ gateway"
    next
end

Add the IPsec VPN phase 1 settings:

config vpn ipsec phase1-interface
    edit "RemoteUsers"
        set type dynamic
        set interface "wan"
        set ip-version 4
        set ike-version 1
        set local-gw 0.0.0.0
        set keylife 10800
        set authmethod psk
        set mode main
        set peertype dialup
        set mode-cfg enable
        set ipv4-wins-server1 0.0.0.0
        set ipv4-wins-server2 0.0.0.0
        set proposal aes256-sha256
        set add-route enable
        set exchange-interface-ip disable
        set localid ''
        set localid-type auto
        set negotiate-timeout 30
        set fragmentation enable
        set dpd on-demand
        set forticlient-enforcement disable
        set comments "VPN: RemoteUsers"
        set npu-offload enable
        set dhgrp 16 14 5
        set suite-b disable
        set wizard-type custom
        set xauthtype auto
        set reauth disable
        set authusrgrp "remote_phones"
        set usrgrp "remote_phones"
        set idle-timeout disable
        set ha-sync-esp-seqno enable
        set auto-discovery-sender disable
        set auto-discovery-receiver disable
        set auto-discovery-forwarder disable
        set nattraversal enable
        set default-gw 0.0.0.0
        set default-gw-priority 0
        set assign-ip enable
        set assign-ip-from range
        set ipv4-start-ip 10.100.1.1
        set ipv4-end-ip 10.100.1.100
        set ipv4-netmask 255.255.255.0
        set dns-mode auto
        set ipv4-split-include ''
        set split-include-service ''
        set ipv6-start-ip ::
        set ipv6-end-ip ::
        set ipv6-prefix 128
        set ipv6-split-include ''
        set unity-support disable
        set psksecret 123456789
        set distance 15
        set priority 0
        set dpd-retrycount 3
        set dpd-retryinterval 20
    next
end

The pre-shared key (psksecret) must be strong enough and must be kept secret.

Add the IPsec VPN phase 2 settings:

config vpn ipsec phase2-interface
    edit "OXOremUsers"
        set phase1name "RemoteUsers"
        set proposal aes256-sha256
        set pfs enable
        set dhgrp 16 14 5
        set replay enable
        set keepalive disable
        set add-route phase1
        set auto-discovery-sender phase1
        set auto-discovery-forwarder phase1
        set keylife-type seconds
        set single-source disable
        set route-overlap use-new
        set encapsulation tunnel-mode
        set comments "VPN: RemoteUsers"
        set protocol 0
        set src-addr-type subnet
        set src-port 0
        set dst-addr-type subnet
        set dst-port 0
        set keylifeseconds 43200
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end

Configure the firewall policies: policy 1 allows incoming traffic (remote users to corporate LAN),
policy 2 allows outgoing traffic (corporate LAN to remote users) and policy 3 allows traffic between
remote workers.

config firewall policy
    edit 1
        set name "RemoteUsers_to_LAN"
        set srcintf "RemoteUsers"
        set dstintf "lan"
        set srcaddr "IPRemoteUsers_range"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
    edit 2
        set name "LAN_to_RemoteUsers"
        set srcintf "lan"
        set dstintf "RemoteUsers"
        set srcaddr "all"
        set dstaddr "IPRemoteUsers_range"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
    edit 3
        set name "RemoteUsers_to_RemoteUsers"
        set srcintf "RemoteUsers"
        set dstintf "RemoteUsers"
        set srcaddr "IPRemoteUsers_range"
        set dstaddr "IPRemoteUsers_range"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end

7 Step by step example: Fortigate 60D

7.1 Characteristics

7.1.1 Hardware aspects


Supported Fortigate VPN server hardware: Fortigate 30D / 50D / 60D
The latest Fortigate hardware (50E / 60E) should also be supported (not tested yet).
High-end Fortigate gateways (e.g. 300/1000) are also compatible, but these models are usually not
deployed in SMBs.

7.1.2 Software aspects


This reference design applies to firmware FortiOS 5.4.4.
Older versions may also work but have not been tested; the configuration settings that follow may not
apply to older firmware versions. Upgrading may be considered if issues occur.

7.2 Server configuration using the Web Based Management (WBM)


The menu layout of the WBM may change from one version to another.
Even if the Fortigate 60D interface differs in some points, it is possible to follow the step by step example
provided for the Fortigate 30E.
In this section, we therefore focus only on the VPN server configuration using the Command Line and
Configuration file.

7.3 Server configuration using the Command Line and Configuration file
The template below contains all the CLI commands required to configure a Fortigate “out of the box”.
The site-specific values (user names, passwords and e-mail address, interface IP addresses and netmasks,
the VPN client address range, the default gateway and the pre-shared key) must be customized to suit
your configuration.

Create a user for each OXO remote worker:

config user local
    edit "user1"
        set type password
        set email-to "john.doe@al-enterprise.com"
        set passwd 1245
    next
    edit "user2"
        set type password
        set passwd 6789
    next
end

Create a user group for all OXO remote workers and include the users:

config user group
    edit "remote_phones"
        set member "user1" "user2"
    next
end

Configure the LAN and WAN interfaces:

config system interface
    edit "internal"
        set vdom "root"
        set ip 172.25.17.211 255.255.255.240
        set allowaccess ping https ssh
        set type hard-switch
        set role lan
    next
    edit "wan1"
        set vdom "root"
        set mode static
        set ip 10.0.0.1 255.255.255.0
        set allowaccess ping https ssh
        set type physical
        set role wan
    next
end

Add the firewall address objects used by the rules that accept IP traffic:

config firewall address
    edit "OXOremUsers_range"
        set type iprange
        set comment "VPN remote users address range"
        set start-ip 10.100.1.1
        set end-ip 10.100.1.49
    next
    edit "Local_WAN1"
        set associated-interface "wan1"
        set subnet 10.0.0.0 255.255.255.0
    next
end

Add a static route to the default gateway:

config router static
    edit 1
        set gateway 172.25.17.209
        set device "internal"
        set comment "DMZ gateway"
    next
end

Add the IPsec VPN phase 1 settings:

config vpn ipsec phase1-interface
    edit "OXOremUsers"
        set type dynamic
        set interface "wan1"
        set ip-version 4
        set ike-version 1
        set local-gw 0.0.0.0
        set keylife 10800
        set authmethod psk
        set mode main
        set peertype dialup
        set mode-cfg enable
        set ipv4-wins-server1 0.0.0.0
        set ipv4-wins-server2 0.0.0.0
        set proposal aes256-sha256
        set add-route enable
        set exchange-interface-ip disable
        set localid ''
        set localid-type auto
        set negotiate-timeout 30
        set fragmentation enable
        set dpd on-demand
        set forticlient-enforcement disable
        set comments "VPN: OXOremUsers"
        set npu-offload enable
        set dhgrp 16 14 5
        set suite-b disable
        set wizard-type custom
        set xauthtype auto
        set reauth disable
        set authusrgrp "remote_phones"
        set usrgrp "remote_phones"
        set idle-timeout disable
        set ha-sync-esp-seqno enable
        set auto-discovery-sender disable
        set auto-discovery-receiver disable
        set auto-discovery-forwarder disable
        set nattraversal enable
        set default-gw 0.0.0.0
        set default-gw-priority 0
        set assign-ip enable
        set assign-ip-from range
        set ipv4-start-ip 10.100.1.1
        set ipv4-end-ip 10.100.1.49
        set ipv4-netmask 255.255.255.0
        set dns-mode auto
        set ipv4-split-include ''
        set split-include-service ''
        set ipv6-start-ip ::
        set ipv6-end-ip ::
        set ipv6-prefix 128
        set ipv6-split-include ''
        set unity-support disable
        set psksecret 123456789
        set distance 15
        set priority 0
        set dpd-retrycount 3
        set dpd-retryinterval 20
    next
end

The pre-shared key (psksecret) must be strong enough and must be kept secret.

Add the IPsec VPN phase 2 settings:

config vpn ipsec phase2-interface
    edit "OXOremUsers"
        set phase1name "OXOremUsers"
        set proposal aes256-sha256
        set pfs enable
        set dhgrp 16 14 5
        set replay enable
        set keepalive disable
        set add-route phase1
        set auto-discovery-sender phase1
        set auto-discovery-forwarder phase1
        set keylife-type seconds
        set single-source disable
        set route-overlap use-new
        set encapsulation tunnel-mode
        set comments "VPN: OXOremUsers"
        set protocol 0
        set src-addr-type subnet
        set src-port 0
        set dst-addr-type subnet
        set dst-port 0
        set keylifeseconds 43200
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end

Configure the firewall policies: policy 1 allows incoming traffic (remote users to corporate LAN),
policy 2 allows outgoing traffic (corporate LAN to remote users) and policy 3 allows traffic between
remote workers.

config firewall policy
    edit 1
        set name "RemUsers_to_LAN"
        set srcintf "OXOremUsers"
        set dstintf "internal"
        set srcaddr "OXOremUsers_range"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
    edit 2
        set name "LAN_to_RemUsers"
        set srcintf "internal"
        set dstintf "OXOremUsers"
        set srcaddr "all"
        set dstaddr "OXOremUsers_range"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
    edit 3
        set name "RemUsers_to_RemUsers"
        set srcintf "OXOremUsers"
        set dstintf "OXOremUsers"
        set srcaddr "OXOremUsers_range"
        set dstaddr "OXOremUsers_range"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end
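The two CLI templates (sections 6.3 and 7.3) and the lifetime constraints of sections 6.2.11 and 6.2.12 are easy to get wrong when a template is adapted by hand. The following Python script is an added example, not ALE or Fortinet code: it parses a FortiOS configuration dump of the same config/edit/set/next/end form and checks the settings this guide prescribes, namely phase 1 and phase 2 SA lifetimes above the 1.5 h and 0.5 h minimums, the aes256-sha256 proposal, management access limited to ping/https/ssh, and a phase 2 entry that points at an existing phase 1 entry. The pre-shared-key strength rule is the example's own heuristic, and the embedded sample configuration is a constructed, trimmed copy of the section 6.3 values with "http" deliberately added to the WAN interface so that there is a deviation to flag.

```python
"""Lint a FortiOS CLI template for the remote-worker IPsec settings this guide prescribes.
Added example (not ALE or Fortinet code): lifetime thresholds come from sections 6.2.11 and
6.2.12; the pre-shared-key strength rule is this example's own heuristic."""
import shlex

PHASE1_MIN_KEYLIFE = 5400                 # seconds, i.e. 1.5 h (section 6.2.11)
PHASE2_MIN_KEYLIFE = 1800                 # seconds, i.e. 0.5 h (section 6.2.12)
REQUIRED_PROPOSAL = "aes256-sha256"
MGMT_ALLOWED = {"ping", "https", "ssh"}   # the only access methods the guide enables

# Constructed sample: a trimmed copy of the section 6.3 template, with "http" deliberately
# added to the WAN allowaccess list so the linter has a deviation to flag.
SAMPLE_CONFIG = """
config system interface
    edit "wan"
        set allowaccess ping https ssh http
    next
end
config vpn ipsec phase1-interface
    edit "RemoteUsers"
        set keylife 10800
        set proposal aes256-sha256
        set dhgrp 16 14 5
        set psksecret 123456789
    next
end
config vpn ipsec phase2-interface
    edit "OXOremUsers"
        set phase1name "RemoteUsers"
        set proposal aes256-sha256
        set keylifeseconds 43200
    next
end
"""


def parse_fortios(text):
    """Parse a FortiOS config dump into {table: {entry: {key: [values]}}}; nested
    tables are keyed "outer table/entry/inner table"."""
    tables, saved, table, entry = {}, [], None, None
    for raw in text.splitlines():
        tokens = shlex.split(raw, comments=True)      # quoted values, '#' comments
        if not tokens:
            continue
        kw, args = tokens[0], tokens[1:]
        if kw == "config":
            name = " ".join(args)
            if table is not None:                    # descending into a sub-table
                saved.append((table, entry))
                name = f"{table}/{entry}/{name}"
            table, entry = name, None
            tables.setdefault(table, {})
        elif kw == "edit":
            entry = args[0]
            tables[table].setdefault(entry, {})
        elif kw == "set":
            tables[table].setdefault(entry, {})[args[0]] = args[1:]
        elif kw == "next":
            entry = None
        elif kw == "end":
            table, entry = saved.pop() if saved else (None, None)
    return tables


def weak_psk(secret):
    """This example's own heuristic: under 16 characters or a single character class."""
    classes = sum(any(f(c) for c in secret) for f in (str.isdigit, str.islower, str.isupper))
    return len(secret) < 16 or classes < 2


def lint(tables):
    """Return (code, object, message) findings; keys absent from a dump are at FortiOS defaults."""
    def first(s, key, default):
        return s.get(key, [default])[0]
    out, p1 = [], tables.get("vpn ipsec phase1-interface", {})
    for name, s in tables.get("system interface", {}).items():
        extra = set(s.get("allowaccess", [])) - MGMT_ALLOWED
        if extra:
            out.append(("MGMT_PROTO", name, f"allowaccess also enables {sorted(extra)}"))
    for name, s in p1.items():
        if int(first(s, "keylife", "86400")) < PHASE1_MIN_KEYLIFE:
            out.append(("P1_KEYLIFE_SHORT", name, "phase 1 lifetime under 1.5 h: periodic tunnel loss"))
        if REQUIRED_PROPOSAL not in s.get("proposal", []):
            out.append(("P1_PROPOSAL", name, "proposal lacks aes256-sha256"))
        if first(s, "authmethod", "psk") == "psk" and weak_psk(first(s, "psksecret", "")):
            out.append(("PSK_WEAK", name, "pre-shared key is short or single-class"))
    for name, s in tables.get("vpn ipsec phase2-interface", {}).items():
        if first(s, "phase1name", "") not in p1:
            out.append(("P2_ORPHAN", name, "phase1name matches no phase 1 entry"))
        if int(first(s, "keylifeseconds", "43200")) < PHASE2_MIN_KEYLIFE:
            out.append(("P2_KEYLIFE_SHORT", name, "phase 2 lifetime under 0.5 h: periodic tunnel loss"))
    return out


if __name__ == "__main__":
    for code, obj, msg in lint(parse_fortios(SAMPLE_CONFIG)):
        print(f"{code:18} {obj:14} {msg}")
```

Run against the output of `show full-configuration` saved from the Fortigate (replace SAMPLE_CONFIG with the file contents). On the template as printed, the PSK_WEAK finding on psksecret 123456789 is expected: that value is precisely the one the template tells you to replace.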

8 IP phones VPN configuration (with PIN solution)

8.1 General case


It is easy to identify whether the PIN code is supported on the phone: if a VPN entry is present after the *#
sequence, you are in this configuration. Otherwise, please check the Annex.
The PIN code is fully managed by the end user and dedicated to the VPN menu. The end user must set it when
activating or modifying the VPN configuration for the first time; 5 successive failed authentications
erase both the IPsec VPN configuration and the PIN code.
Depending on the system, access to the sub-menus may be restricted. Usually, on OXO Connect systems,
all menus have free access; on OmniPCX Enterprise, depending on the communication system
configuration, the system ADMIN passcode may apply to some menus.
The menu access policy follows these principles:
• All Read Only entries have free access
• Entries with modification capability may be locked by the ADMIN password (depends on the
communication system type and configuration).
• The VPN related entries (for modification) need:
- either an end user PIN code
- or the ADMIN password to be entered
In the following example, we suppose that the system has an ADMIN password defined for the phones.


[Figure: the three pages of the phone configuration root menu and their access levels]
Main Menu, page 1: MAC Address, IP Param, Soft Infos, Hard Infos
Main Menu, page 2: IP, Memory, Ethernet, 802.1x, Certificate
Main Menu, page 3: SIP, Down., LLDP, Port Mirror, VPN
Access levels shown in the figure:
- Fully accessible; no Password/PIN authentication is required
- No authentication is required to read the configuration, but PIN/Password is required to change
writable configuration
- No authentication is required to read the configuration, but Password is required to change writable
configuration
- All read/write operations require password authentication

Characters mapping:
The 8018 has no mini keyboard; the user must press the “123<>abc” button to access character
mode.
The characters have been mapped on the dial pad as follows:
Key 0: + . , : ; \ ? ! < >
Key 1: space | - _ 1
Keys 2 to 9: 2…9 and a…z
Key *: nothing
Key #: nothing
Access to capitals through long press on * (toggle caps switch)
On phones with mini keyboard, the characters are directly available through the keyboard markings.

8.1.1 Entering the configuration menu (step 1)


To enter the phone configuration:
1. Power on the phone
2. When the STEP 2 is reached (symbolized by the number 2 and Network setup), type * then #


The root of the configuration menu opens (free access). The following screen is an example of the root
menu content.
Press the DOWN navigation key until the VPN entry is displayed, and press the associated soft key.
The VPN menu is displayed. The VPN menu position may differ from one phone type to the other.

8.1.2 Entering the VPN menu (step 2)


The following VPN configuration MMI screens are captured from an 8028s, but the same structure is used on
all VPN capable phones.
If the end user enters the VPN menu for the first time (in other words, if no PIN code exists yet), a window
pops up asking the end user to set a new PIN code.

The new PIN code (4 digits) can be entered directly. Then validate it with the top left key.
Otherwise, the VPN Settings are displayed:

If the new PIN code has not been defined yet, pressing a soft key beside any submenu item for
modification requires a PIN/Password authentication.
It is possible to select (by pressing the 3rd left soft key) whether the PIN code or the Password is used for
the authentication (if a password is defined in the communication system for the phones).


If no local password is set, this option is not offered.

Once the authentication has passed, there is no need to re-enter the PIN or Password to access other
submenus that require the same level of authentication.

8.1.3 Configuring the VPN Config submenu (step3)


1. Press VPN Config
2. Select Enable VPN
3. Fill the VPN server IP address (3-digit fields. For example: for 25, enter 025; for 8, enter 008)
4. Fill PSK (refer to the key character mapping described above)
5. Press 1st left soft key to save and return to up level menu.


[Figure: the PSK field, initially empty; the key is typed in clear; when read later, the field shows stars]

8.1.4 Configuring the VPN TFTP submenu (step 4)


TFTP addresses can also be specified here to override those configured in IP Parameters; this is
normally used when the IP mode is dynamic. Refer to your administrator's instructions to know whether it
must be activated.
1. Press VPN Tftp
2. Select Use TFTP servers
3. Fill Tftp1 with 1st communication system’s IP address
4. Fill Tftp 2 with 2nd communication system’s IP address (Optionally)
5. Fill Tftp Port (Optionally)
6. Press 1st left soft key to save and return to up level menu.


8.1.5 Configuring the VPN Auth submenu (step 5)


XAuth can be enabled or disabled here. Refer to your administrator's instructions to know whether it must be
activated.
1. Press VPN Auth
2. Select Use authentication, if needed
3. Fill “User” with XAuth username (refer to key character mapping described above)
4. Fill “Pass” with XAuth password. Just type the password: the [empty] message disappears
5. Press 1st left soft key to save and return to up level menu


[Figure: the Password field, initially empty; the password is typed in clear; when read later, the field shows stars]

8.1.6 Configuring the VPN PIN code submenu (step 6)


This step is optional. It allows you to define whether the PIN code must be requested at each phone startup,
and to change the PIN code.

Press VPN Pincod


Press 1st left soft key to save and return to up level menu.


If the VPN Pincod option is turned ON (by checking Request Pin on Boot), an authentication window pops up
during every phone initialization and asks for the PIN or Password (if defined); the VPN is only launched
once the authentication has passed. If the option is not checked, the phone starts the VPN without any user
authentication.

8.1.7 Special cases


8.1.7.1 Starting without VPN
If the authentication fails 5 times, the VPN settings are restored to default (disabled) and the PIN code is
also erased.
If the BACK key (1st right soft key) is pressed during authentication, the VPN connection is aborted for this
startup only, and the phone starts without VPN.

This is useful if the phone is used alternately in a home context and in an enterprise context. By just
pressing the BACK key at the PIN prompt, the phone can start in the enterprise context without navigating
the settings to disable the VPN.

8.1.7.2 Resetting all VPN settings


To restore the default VPN Settings, enter VPN Default Settings.
Press 1st left soft key to reset the configuration and return to up level menu.
Press 1st right soft key to return to up level menu.


While the IPsec VPN client is running, status information is displayed to help the end user understand the
state of the connection; the details can be found in the Annex.

8.2 Case of the 8001/8001G DeskPhone


Remote worker is a terminal-oriented feature that does not depend on the communication system. To
describe the deployment of an 8001 DeskPhone remote worker over the Internet with OPEN VPN, the
OmniPCX Office RCE has been selected as the communication system.

8.2.1 Environment and topology


The devices used in this deployment example are:
SIP Server:
- OmniPCX Office RCE 10.2/10.3
8001 DeskPhone:
- HW 2.1.1
- SW 4.0.0.3-10581
- Kernel 3.0.2
- OPEN VPN client version: 2.0.9
Open VPN server:
- OPEN VPN version: OpenVPN 2.3.2 x86_64-pc-linux-gnu
- Server OS: Linux ubuntu14 3.19.0-25-generic

Topology example:


[Figure: topology, summarized]
- Home side (INTERNET): 8001 DeskPhone, LAN IP address 192.168.100.19, tunnel end point address
10.8.0.6, behind a home router with WAN IP address 116.228.56.173
- Office side (INTRANET): access router + firewall, public IP address 116.228.56.182 (port forwarding
required); OPEN VPN server, private IP address 30.1.1.22, tunnel end point address 10.8.0.6; 8001
DeskPhone, private IP address 30.1.202.33; OXO SIP server, private IP address 30.1.107.16

Notes:
The packets between the intranet and the remote worker are forwarded via the Open VPN server (routing).
On the access router, UDP port 1194 must be forwarded to the IP address of the Open VPN server.
The Open VPN port number can be verified in server.conf.

8.2.2 Set configuration using 8001 Web Management


8.2.2.1 Uploading trusted certificates to 8001 DeskPhone
The OPEN VPN client trusted certificates must contain ca.crt, client.crt, and client.key:

1. From the administration computer, open a web browser, and enter the 8001 DeskPhone IP address
2. From the 8001 Web Management home page, go to Security > Trusted certificates upload and
upload the trusted certificates to 8001 DeskPhone


After upload, the trusted certificates are displayed under Trusted certificates

Notes:
The 8001 does not support the PSK method so far; only the certificate method can be used for the OpenVPN
connection.
To avoid security issues, the customer must generate a different client certificate for each 8001/8001G
DeskPhone set. If the sets share the same certificate, a security risk arises when an 8001 DeskPhone set is
lost or stolen.

8.2.2.2 Configuring 8001 VPN parameters


1. From the 8001 Web Management, go to Network > Advanced > VPN Settings
2. Complete the following fields:
• Enable VPN
• In VPN Type field, select OPEN VPN
• Upload VPN client configuration file to 8001 DeskPhone set


The picture below shows the OPEN VPN client configuration file:

From the web management home page, go to Phone Status and verify that the VPN IP address field is
completed with the OPEN VPN IP address.


Notes:
• If the VPN connection is broken, the client automatically relaunches it.
• The keepalive directive causes ping-like messages to be sent back and forth over the link so that each
side knows when the other side has gone down: a ping is sent every 10 seconds, and the remote peer is
assumed to be down if no ping is received during a 120 second period.
• The current intervals are configured in the VPN server configuration file.

8.2.2.3 Configuring 8001 DeskPhone remote worker parameters


1. From the 8001 Web Management, go to Phone Maintenance > Advanced > Auto Provisioning
2. Activate remote worker, select HTTPS, and complete the software server URL as follows:

Note:
The 8001 DeskPhone set needs remote worker activated to update or download its configuration file from
the OmniPCX Office RCE. In the home network, the set can get an IP address via DHCP, but it cannot get
option 67 (OmniPCX Office URI https://30.1.202.7:10443/dmcfg) via DHCP.


8.2.3 OPEN VPN server configuration


This chapter describes how to set up the OPEN VPN server in the office. The Open VPN Server must be
downloaded from the OpenVPN website: https://openvpn.net/.

8.2.3.1 Installing the OpenVPN server


1. Open a terminal window
2. Enter the following command to download the OpenVPN installation package and install it
root@ubuntu14:~# apt-get install openvpn

8.2.3.2 Generating certificate files for the OpenVPN server and 8001 DeskPhone
1. Open a terminal window
2. Enter the directory used to generate the certificate files (may vary between different versions)
root@ubuntu14:~# cd /etc/openvpn/easy-rsa
3. Enter the following commands:
root@ubuntu14:/etc/openvpn/easy-rsa# export D=`pwd`
root@ubuntu14:/etc/openvpn/easy-rsa# export KEY_CONFIG=$D/openssl.cnf
root@ubuntu14:/etc/openvpn/easy-rsa# export KEY_DIR=$D/keys
root@ubuntu14:/etc/openvpn/easy-rsa# export KEY_SIZE=1024
root@ubuntu14:/etc/openvpn/easy-rsa# export KEY_COUNTRY=CN
root@ubuntu14:/etc/openvpn/easy-rsa# export KEY_PROVINCE=SH
root@ubuntu14:/etc/openvpn/easy-rsa# export KEY_CITY=SH
root@ubuntu14:/etc/openvpn/easy-rsa# export KEY_ORG="al-enterprise.com"
root@ubuntu14:/etc/openvpn/easy-rsa# export KEY_EMAIL=admin@al-enterprise.com

4. Generate a CA certificate
root@ubuntu14:/etc/openvpn/easy-rsa# ./clean-all
root@ubuntu14:/etc/openvpn/easy-rsa# ./build-ca


5. Generate a certificate for the OpenVPN server


root@ubuntu14:/etc/openvpn/easy-rsa# ./build-key-server server
6. Generate a certificate for the client
root@ubuntu14:/etc/openvpn/easy-rsa# ./build-key client
7. Generate a dh1024.pem file for the server
root@ubuntu14:/etc/openvpn/easy-rsa# ./build-dh
If the screen prompts the following information, you can enter the following command to generate the
dh1024.pem file:
root@ubuntu14:/etc/openvpn/easy-rsa# openssl dhparam -out dh1024.pem 1024

All the certificate files are generated in the directory /etc/openvpn/easy-rsa/keys.

Note: the “easy-rsa” is integrated in the “OpenVPN” package from the website.
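The note in 8.2.2.1 asks for a separate client certificate per 8001/8001G DeskPhone, and the procedure above builds the certificates with easy-rsa. The following Python script is an added example, not ALE's, OpenVPN's or easy-rsa's code: it drives the openssl command line with a small CA configuration of its own (the directory layout, file names and the CA and phone common names are this example's assumptions) to show what the per-phone certificate buys you. The certificate of a stolen set can be revoked individually through a CRL while the other sets keep working, and the CA refuses to issue a second certificate for an identity that is already enrolled. `is_trusted` performs the check the OpenVPN server performs when its configuration carries a `crl-verify` directive pointing at the published CRL.

```python
"""One OpenVPN client certificate per 8001 DeskPhone, and revocation of a lost set.
Added example (not ALE, OpenVPN or easy-rsa code): it drives the openssl CLI with a
minimal CA configuration of its own; the directory layout and names are this example's."""
import os
import subprocess
import tempfile

CA_CNF = """
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = {dir}
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = $dir/ca.crt
private_key = $dir/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_cn
unique_subject = yes
[ policy_cn ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ v3_client ]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
"""


def _openssl(pki, *args, check=True):
    """Run one openssl command inside the PKI directory."""
    return subprocess.run(["openssl", *args], cwd=pki, check=check,
                          capture_output=True, text=True)


def _publish_crl(pki):
    """Regenerate ca.crl and the CA+CRL bundle that verifiers load."""
    _openssl(pki, "ca", "-config", "ca.cnf", "-gencrl", "-out", "ca.crl")
    with open(os.path.join(pki, "trust_with_crl.pem"), "w") as bundle:
        for name in ("ca.crt", "ca.crl"):
            with open(os.path.join(pki, name)) as part:
                bundle.write(part.read())


def pki_init(pki=None):
    """Create the CA (ca.crt/ca.key), its database files and an initial empty CRL."""
    pki = pki or tempfile.mkdtemp(prefix="phone-pki-")
    for sub in ("newcerts", "issued"):
        os.makedirs(os.path.join(pki, sub), exist_ok=True)
    for name, content in (("index.txt", ""), ("serial", "01\n"), ("crlnumber", "01\n"),
                          ("ca.cnf", CA_CNF.format(dir=pki))):
        with open(os.path.join(pki, name), "w") as fh:
            fh.write(content)
    _openssl(pki, "req", "-x509", "-config", "ca.cnf", "-newkey", "rsa:2048", "-nodes",
             "-keyout", "ca.key", "-out", "ca.crt", "-days", "365", "-subj", "/CN=Phone VPN CA")
    _publish_crl(pki)
    return pki


def issue(pki, name):
    """Issue issued/<name>.crt and .key; unique_subject=yes makes a second cert for a name fail."""
    key, csr, crt = (f"issued/{name}.{ext}" for ext in ("key", "csr", "crt"))
    _openssl(pki, "req", "-new", "-config", "ca.cnf", "-newkey", "rsa:2048", "-nodes",
             "-keyout", key, "-out", csr, "-subj", f"/CN={name}")
    _openssl(pki, "ca", "-config", "ca.cnf", "-batch", "-notext", "-extensions", "v3_client",
             "-in", csr, "-out", crt)
    return os.path.join(pki, crt)


def revoke(pki, name):
    """Revoke one phone's certificate (lost or stolen set) and publish a fresh CRL."""
    _openssl(pki, "ca", "-config", "ca.cnf", "-revoke", f"issued/{name}.crt")
    _publish_crl(pki)


def is_trusted(pki, name):
    """True if the cert chains to the CA and is absent from the CRL (what crl-verify enforces)."""
    r = _openssl(pki, "verify", "-crl_check", "-CAfile", "trust_with_crl.pem",
                 f"issued/{name}.crt", check=False)
    return r.returncode == 0 and r.stdout.strip().endswith(": OK")


def demo():
    """Two phones are enrolled, then phone-002 is reported stolen."""
    pki = pki_init()
    issue(pki, "phone-001")
    issue(pki, "phone-002")
    before = (is_trusted(pki, "phone-001"), is_trusted(pki, "phone-002"))
    revoke(pki, "phone-002")
    after = (is_trusted(pki, "phone-001"), is_trusted(pki, "phone-002"))
    try:
        issue(pki, "phone-001")          # the CA must refuse a duplicate identity
        duplicate_refused = False
    except subprocess.CalledProcessError:
        duplicate_refused = True
    return {"before": before, "after": after, "duplicate_refused": duplicate_refused}
```

`demo()` returns the trust state before and after the revocation: both phones are trusted first, then only phone-001. To apply this to the deployment described here, copy the phone's own issued/<name>.crt and .key to that set only, point `crl-verify` in server.conf at the generated ca.crl, and regenerate the CRL each time a set is reported lost.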

8.2.3.3 Setting the Open VPN server configuration

1. Create a new directory “openvpn” in /etc
root@ubuntu14:~# mkdir /etc/openvpn
2. Copy the certificate files required by the server (ca.crt, server.crt, server.key, dh1024.pem) to the
directory “openvpn” created above
3. Copy the “server.conf” file to the directory “openvpn” created above

If you do not know where the ‘server.conf’ file is located, use the command below to find it, then copy it
to the directory “openvpn”:
root@ubuntu14:~# find / -name 'server.conf'


4. Edit the file “server.conf” according to your current network environment and save the change
root@ubuntu14:/etc/openvpn# vi server.conf

Note: whether a single route or several routes are pushed to the 8001 DeskPhone client depends on the customer’s topology.
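Step 4 asks you to adapt “server.conf” to your network and to push the route(s) the phone needs. The following script is an added example written for this guide (it is not part of OpenVPN and not an ALE tool): it parses a server.conf, verifies that the certificate, key and DH files named in it are actually present in /etc/openvpn, that the address pool and every pushed route are valid IPv4 networks, and that at least one route is pushed. The sample configuration and the file list are constructed for the demonstration; the directive names are standard OpenVPN ones.

```python
"""Sanity-check an OpenVPN server.conf before "service openvpn start".

Added example for this guide; it is not part of OpenVPN. It parses the
directives the guide asks you to edit in step 4 and reports the mistakes that
typically stop the service from starting or leave the 8001 DeskPhone without
a route to the communication system. The sample configuration and the file
list below are constructed for the demonstration.
"""
import ipaddress
import shlex

# Directives a certificate-based OpenVPN server cannot do without
REQUIRED = ("port", "proto", "dev", "ca", "cert", "key", "dh", "server")
# Directives whose argument names a file that must exist in /etc/openvpn
FILE_DIRECTIVES = ("ca", "cert", "key", "dh")


def parse_server_conf(text):
    """Return (directive, [args]) pairs in file order; comment lines are dropped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line, comments=True)  # push "route ..." stays one argument
        if parts:
            entries.append((parts[0].lower(), parts[1:]))
    return entries


def _valid_network(args):
    """True when args is [NETWORK, NETMASK] describing a valid IPv4 network."""
    if len(args) != 2:
        return False
    try:
        ipaddress.IPv4Network((args[0], args[1]), strict=False)
    except ValueError:
        return False
    return True


def check_server_conf(text, existing_files):
    """Return human-readable problems; an empty list means the file looks usable."""
    entries = parse_server_conf(text)
    present = {name for name, _ in entries}
    problems = [f"missing directive: {name}" for name in REQUIRED if name not in present]
    pushed_routes = 0
    for name, args in entries:
        if name in FILE_DIRECTIVES:
            if not args:
                problems.append(f"{name}: no file given")
            elif args[0] not in existing_files:
                problems.append(f"{name}: file {args[0]!r} not found in /etc/openvpn")
        elif name == "server" and not _valid_network(args):
            problems.append("server: expected 'server NETWORK NETMASK' with a valid IPv4 network")
        elif name == "push":
            inner = shlex.split(args[0]) if args else []
            if inner[:1] == ["route"]:
                pushed_routes += 1
                if not _valid_network(inner[1:3]):
                    problems.append(f"push: malformed route {args[0]!r}")
    if pushed_routes == 0:
        problems.append('no push "route ..." directive: the phone gets no route to the communication system')
    return problems


# Constructed sample of the directives the guide asks you to edit; the pushed
# route is the subnet of the communication system (example value only)
SAMPLE_CONF = """\
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
keepalive 10 120
persist-key
persist-tun
"""
# What "ls /etc/openvpn" would list after steps 2 and 3 (constructed)
SAMPLE_FILES = {"ca.crt", "server.crt", "server.key", "dh1024.pem", "server.conf"}
# Same file with two typical slips: the DH file name does not match the one
# generated by build-dh, and the pushed route has a truncated netmask
BROKEN_CONF = SAMPLE_CONF.replace("dh dh1024.pem", "dh dh2048.pem").replace(
    '255.255.255.0"', '255.255.255"')

if __name__ == "__main__":
    for label, conf in (("sample", SAMPLE_CONF), ("broken", BROKEN_CONF)):
        problems = check_server_conf(conf, SAMPLE_FILES)
        print(f"{label}: {'OK' if not problems else ''}")
        for problem in problems:
            print("  -", problem)
```

Run it on the server as `python3 check_server_conf.py` after replacing the constructed file set with `set(os.listdir("/etc/openvpn"))` and reading the real server.conf; the checks are deliberately limited to what the guide's steps touch.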

8.2.3.4 Loading the client’s certificates and configuration file onto the local PC

1. Find the client’s configuration file and copy it to the local PC
root@ubuntu14:~# find / -name 'client.conf'
2. Copy the client’s certificates (ca.crt, client.crt and client.key) to the local PC

8.2.3.5 Enabling the OpenVPN service

To enable the OpenVPN service, enter the command:
root@ubuntu14:/etc/openvpn# service openvpn start

9 Maintenance procedures

9.1 Troubleshooting
If a tunnel cannot be established, check the logs on the Fortigate to identify the phase of the tunnel
establishment in which the problem occurs (IKE phase 1 or phase 2).

9.1.1 Phase 1: points to check

Phase 1 problems are related to the connection, the security parameters or the authentication.
- Check the address of the VPN gateway. The gateway must have a public IP address.
- Check that the IKE port (default 500) and the NAT-T port (default 4500) are forwarded by the access
gateway to ports 500 and 4500 of the Fortigate.
- If non-standard IKE and NAT-T ports are used, the access gateway may block the return traffic. Try
with the standard ports to see whether the connection is established.
- Check that the local ID is defined and that its value is the public address of the Fortigate.
- Check the security parameters: encryption, authentication and DH group. A match must be found
between the client and the server.
- In IKEv1, check the PSK, the login and the password used.
- Check that the configured key lifetime is more than 1.5 h.

9.1.2 Phase 2: points to check

Phase 2 problems are related to the security parameters.
- Check the security parameters: encryption, authentication and DH group. A match must be found
between the client and the server for phase 2. The parameters need not be the same as for phase 1.
- Check that the configured key lifetime is more than 0.5 h.
Several phones behind a remote worker router may fail to connect. If one phone on the remote site
connects properly but adding other devices makes the connection fail, verify that the IPSec passthrough
option of the router (if available) is disabled.

9.2 Other problems

- Check that the ippool parameter “arp-reply” has the value “disable”.
- Check that the firewall settings are correctly set, to allow the traffic between the communication
systems and the workstation behind the Fortigate.

9.3 Activity logs

First, enable the logs if they are not already active:


It is also necessary to choose the events to log:

This can also be done through the web interface:


The relevant logs for a VPN failure are available in the web interface:

This window displays several pieces of information that help find the reason for a failure.
It can, for example, indicate that the error occurs during phase 1 or phase 2 of the tunnel setup, and that a
tunnel parameter of the client does not match the local configuration.
The status of current VPNs is also available:


The logs can also give some information about the parameters used for the tunnel, when it is successful
(encryption, hash, IP addresses …):

9.4 Network traffic

It is possible to dump network traffic on the Fortigate.
To dump all traffic:


To dump traffic for a single interface (here wan1):

Traffic entering in or emerging from the tunnel can also be dumped:


The name of the VPN interface (here oxovpn_0) can be found in the following menu:

10 Appendix

10.1 ALE IP phones VPN configuration (without PIN code solution)

A legacy phone configuration solution existed in some early versions of the 8018.
It is easy to identify whether the phone supports the PIN code: if there is no VPN entry after the *#
sequence, the phone uses this legacy configuration.
To enrich the VPN configuration and simplify operation for the end user, the latest VPN implementation
introduces a PIN code mechanism in the latest phones: a 4-digit PIN code is required to modify the IPSec
configuration and to authenticate the IPSec connection during boot (if configured).
The following VPN configuration MMI is captured from an 8018:
Power on the terminal and press * and # alternately to enter the admin settings (if a password prompt
appears, enter the password).
In “IP Parameters”, press the down key until “VPN disable” is displayed:
Then press the softkey beside this line to enter the VPN configuration menu:

(Screenshot of the VPN configuration menu; the VRout field shows 082.125.010.046)

To enable VPN, select the “Use VPN” check box and enter the IP address of the Fortigate in VRout.
Press the down key and enter the Pre-shared Key; in the example below it is 123456789.

(Screenshot of the VPN configuration menu with the parameters filled in; the VRout field shows 082.125.010.046)

When all the parameters in the VPN menu are filled in, press the first left softkey to save and return to
“IP Parameters”; configure TFTP1/TFTP2 if needed, then save. The terminal reboots automatically.

At the end of step 2 of the initialization, a pop-up window asks for the login username and
password:


Enter the correct username/password (in the example, user1/1245 or user2/6789), press the first left softkey
and continue the initialization.

10.1.1 VPN configuration removal on phones

To disable VPN, proceed as for enabling it: simply deselect the “Use VPN” check box, then press the first
left softkey to save.

10.1.2 Communication systems

As mentioned previously, on the communication systems side there is no difference between deploying a
legacy phone and deploying a latest phone.

10.1.3 Fortigate VPN server

On the Fortigate VPN server side, refer to section 6, and remember to always enable XAuth.

10.2 IPSec VPN and Thales feature

Note that the IPSec VPN feature cannot coexist with the Thales feature; in other words, check whether
the phone can be deployed as an IPSec VPN remote worker:
If the phone is installed with the export version of the software, there is no restriction on using IPSec VPN.
If the phone is installed with the full version of the software, the IPSec VPN feature can only be enabled
when the security mode is bypass.

10.3 Prompt info on the phone

After all the VPN-related configuration on the phone and by the end user is completed, press the first right
softkey.

The phone launches the VPN client and the screen returns to the initialization screen with a prompt:

Display when the session is successfully established:


Some information is also displayed when the PIN authentication is aborted during the initialization:

END OF DOCUMENT
