
Avaya Solution & Interoperability Test Lab

Application Notes for Configuring NetScreen 50, NetScreen 25 and NetScreen-Remote Client Software with Avaya IP Office and Avaya PhoneManager - Issue 1.0

Abstract

These Application Notes present a sample configuration for NetScreen 50 and NetScreen 25 security devices, as well as NetScreen-Remote Client, working with Avaya IP Office and Avaya PhoneManager in an IPSec VPN environment. The objective of this test is to verify interoperability between Avaya IP Office, Avaya PhoneManager and NetScreen products. Information in these notes has been obtained through compliance testing and additional technical discussions. Testing was conducted via the DeveloperConnection Program at the Avaya Solution and Interoperability Test Lab.

1. Introduction

These Application Notes describe the compliance-tested configuration utilizing NetScreen 25 and 50 security devices working with Avaya IP Office 2.0, as well as NetScreen-Remote client working with Avaya PhoneManager 2.0. The NetScreen 25 and 50 are configured to provide a Site-to-Site IPSec Tunnel between Site A and Site B, and the NetScreen-Remote client is configured to supply a remote IPSec tunnel between a PhoneManager on Site C and the NetScreen 25 on Site A. Static and Port NAT will also be tested in a site-to-site tunnel environment. The administration for Avaya P333T-PWR is not covered in these Application Notes.

Figure 1 displays the network configuration used for verification.

Figure 1: Network Configuration (diagram showing Site A with the NetScreen-25 and Avaya IP Office 412, Site B with the NetScreen-50 and Avaya IP Office 403, Site C with PhoneManager and the NetScreen-Remote Client, the Avaya P333R Stackable Switch between the sites, and the IPSec tunnels)

Table 1 lists the IP addresses and subnet masks for devices used for testing.

Device                Interface               IP Address/Mask   Gateway
Avaya IP Office 412   LAN 1 (Private)         150.1.1.1/24      Default: 100.1.1.3
                      LAN 2 (Public)          100.1.1.2/24
Avaya IP Office 403   LAN                     10.10.42.1/24     Default: 10.10.42.4
NetScreen 25          Ethernet 1 (Private)    100.1.1.3/24      100.1.1.2
                      Ethernet 2 (Public)     90.1.1.1/24       90.1.1.2
NetScreen 50          Ethernet 1 (Private)    10.10.42.4/24     10.10.42.2
                      Ethernet 2 (Public)     80.1.1.1/24       80.1.1.2
Avaya P333R           Vlan90 (to NS25)        90.1.1.2/24       90.1.1.1
                      Vlan80 (to NS50)        80.1.1.2/24       80.1.1.1
                      Vlan1 (to Site C)       115.1.1.1/24

Table 1: IP Address/Mask Assignment

2. Equipment and Software Validated

Table 2 shows the equipment and software used for the sample configuration provided:

Equipment                       Software
Avaya IP Office 412             2.0
Avaya IP Office 403             2.0
Avaya PhoneManager              2.0.13
Avaya 4620 IP Telephone         2.0
Avaya 6408 Digital Telephone    N/A
Avaya P333R Switch              4.0.8
Avaya P333T-PWR Switch          4.0.17
NetScreen-50                    5.0.r3.0
NetScreen-25                    5.0.r3.0
NetScreen-Remote                10.0.0 (Build 10)

Table 2: Equipment and Software Used in Testing

3. Site-to-Site IPSec Tunnel between the NetScreen 25 and NetScreen 50

Since the configuration is identical for both the NetScreen 25 and NetScreen 50 devices, only the configuration from the NetScreen 25 is presented in these Application Notes.

3.1. Configure the NetScreen 25

The site-to-site VPN tunnel between the NetScreen 25 and NetScreen 50 is configured based on the following parameters:

                 Authentication    Encryption    Hash    Key Group
Phase 1 (IKE)    Pre-shared key    Triple DES    MD5     2
Phase 2 VPN                        Triple DES    MD5

A route-based VPN tunnel is used in this configuration. Route-based VPN is a feature in NetScreenOS where the endpoint of a VPN tunnel is seen as a network interface instead of a policy. From a routing standpoint, a route-based VPN behaves very much like other point-to-point WAN technologies such as Frame Relay or ATM.

    ***** Set up service for H.323 signaling protocol *****
    set service "Q931" protocol tcp src-port 1-65535 dst-port 1720-1720 timeout 2160
    set service "ras" protocol udp src-port 1-65535 dst-port 1719-1719 timeout 2160

    ***** Setup login name and password *****
    set hostname ns25
    set admin name "NetScreen"
    set admin password "NetScreen"
    set admin auth timeout 10

    ***** Create the physical interfaces and assign them to zones *****
    set interface e1 zone Trust
    set interface e1 route
    set interface e1 ip 100.1.1.3/24
    set interface e2 zone Untrust
    set interface e2 route
    set interface e2 ip 90.1.1.1/24

    ***** Create the virtual tunnel interface, which is the virtual tunnel endpoint. *****
    ***** Assign the tunnel interface into the "trust" zone. *****
    set interface tunnel.1 zone Trust
    set interface tunnel.1 route
    set interface tunnel.1 ip unnumbered interface e1

    ***** Define the security gateway parameters for phase 1 proposal using 3DES-MD5, *****
    ***** and bind it to the outgoing interface Ethernet2. *****
    set ike gateway ns50-gw address 80.1.1.1 outgoing-interface e2 preshare netscreen proposal pre-g2-3des-md5

    ***** Define the VPN parameters for phase 2 proposal using 3DES-MD5. Configure *****
    ***** the firewall to copy QoS bits from the original packets into the IP header of *****
    ***** the encrypted packets. Bind the tunnel to the outgoing interface *****
    set vpn ns50-vpn gateway ns50-gw idletime 0 proposal g2-esp-3des-md5
    set vpn ns50-vpn monitor
    set vpn ns50-vpn df-bit copy
    set vpn ns50-vpn bind interface tunnel.1

    ***** Define the local and remote networks, and the traffic to *****
    ***** be encrypted by the tunnel. *****
    set vpn ns50-vpn proxy-id local-ip 100.1.1.0/24 remote-ip 10.10.42.0/24 any

    ***** Set route into the VPN tunnel for the remote network. *****
    set route 150.1.1.0/24 gateway 100.1.1.2
    set route 80.1.1.0/24 gateway 90.1.1.2
    set route 10.10.42.0/24 interface tunnel.1

3.2. Configure the NetScreen 25 with NAT

This section describes the steps necessary to enable NAT on NetScreen 25. In order for the signaling information to reach both IP Offices correctly, static NAT must be used for both IP Offices. Other IP endpoints are configured to use Port NAT. The IP address translation is done based on the following:

Devices         Original IP Address               Translated IP Address
NetScreen 25    150.1.1.1 (IP Office 412)         90.1.1.79 (Static NAT)
                Other IP endpoints 150.1.1.0      90.1.1.80 (Port NAT)
NetScreen 50    10.10.42.1 (IP Office 403)        80.1.1.79 (Static NAT)
                Other IP endpoints 10.10.42.0     80.1.1.80 (Port NAT)

Due to the similarities in the configuration, only the NAT related configuration for the NetScreen 25 is presented below.

    ***** Create a zone for the VPN to apply the policies between the internal *****
    ***** network and the VPN tunnel. *****
    set zone name vpn
    set interface tunnel.1 zone vpn
    set interface tunnel.1 route
    set interface tunnel.1 ip unnumbered interface e1

    ***** Create the address object to implement NAT *****
    set address trust local-net 150.1.1.0/24 "Local network at Site A"
    set address vpn remote-net 10.10.42.0/24 "Remote network at Site B"
    set address trust ipoffice 150.1.1.1/32 "IP Office 412"

    ***** Define the network address translation (NAT). Note that port address translation *****
    ***** (PAT) translates all traffic into the tunnel with the exception of IP Office itself. *****
    ***** All outgoing traffic will be source translated to 90.1.1.80 (DIP pool ID 4, the ID *****
    ***** referenced by dip-id in the policy). Because IP Office *****
    ***** needs to be reachable from the remote side, a one-to-one static NAT is *****
    ***** configured to translate the IP Office address 150.1.1.1 to 90.1.1.79. The virtual *****
    ***** router is set to the trust-vr, which is the default for all interfaces. *****
    set interface tunnel.1 dip 4 90.1.1.80 90.1.1.80
    set interface tunnel.1 mip 90.1.1.79 host 150.1.1.1 netmask 255.255.255.255 vr trust-vr

    ***** Create policies from the trust zone to the vpn zone. Tunnel policies are not *****
    ***** configured because the route-based VPN tunnel is used. *****
    set policy from vpn to global remote-net MIP(90.1.1.79) any permit log
    set policy from trust to vpn local-net remote-net any nat src dip-id 4 permit log

    ***** Set IP route for the NATed address *****
    set route 80.1.1.0/24 interface tunnel.1
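The policies in this section refer to objects by name or number (a DIP pool ID, a MIP address, address names), and a reference with no matching definition is easy to miss in a long listing. The following Python check is an added example, not part of the original Application Notes or of any NetScreen tool; it assumes the form "set interface IFACE dip ID START END" for DIP pools, also covers the "tunnel vpn NAME" policy form that appears in Section 5.1, and runs on a constructed sample with two deliberately broken references.

```python
import re
import shlex

# Constructed sample in the style of the Section 3.2 and 5.1 listings. Two
# references are broken on purpose: DIP pool 5 vs "dip-id 4", and VPN name
# "nsr-vpn" vs "nsrvpn".
SAMPLE_CONFIG = """
set interface tunnel.1 dip 5 90.1.1.80 90.1.1.80
set interface tunnel.1 mip 90.1.1.79 host 150.1.1.1 netmask 255.255.255.255 vr trust-vr
set address trust local-net 150.1.1.0/24 "Local network at Site A"
set address vpn remote-net 10.10.42.0/24 "Remote network at Site B"
set vpn nsr-vpn gateway nsr-gw proposal g2-esp-3des-sha
set policy from vpn to global remote-net MIP(90.1.1.79) any permit log
set policy from trust to vpn local-net remote-net any nat src dip-id 4 permit log
set policy from untrust to trust "Dial-up VPN" local-net any tunnel vpn nsrvpn log
"""

BUILTIN_ADDRESSES = {"any", "dial-up vpn"}   # names that need no "set address"


def parse(config):
    """Split the listing into defined objects and policy token lists."""
    defs = {"dip": set(), "mip": set(), "vpn": set(), "address": set()}
    policies = []
    for raw in config.splitlines():
        tok = shlex.split(raw)               # keeps "Dial-up VPN" as one token
        if len(tok) < 4 or tok[0] != "set":
            continue
        if tok[1] == "interface" and tok[3] in ("dip", "mip") and len(tok) > 4:
            defs[tok[3]].add(tok[4])         # DIP pool ID or mapped IP address
        elif tok[1] == "vpn":
            defs["vpn"].add(tok[2])
        elif tok[1] == "address" and len(tok) > 4:
            defs["address"].add((tok[2].lower(), tok[3]))    # (zone, name)
        elif tok[1] == "policy" and "from" in tok:
            policies.append(tok)
    return defs, policies


def check_references(config):
    """Return one message per policy reference that has no definition."""
    defs, policies = parse(config)
    findings = []
    for tok in policies:
        i = tok.index("from")
        # Assumed layout: from ZONE to ZONE SRC-ADDR DST-ADDR SERVICE ...
        zones = (tok[i + 1].lower(), tok[i + 3].lower())
        for zone, name in zip(zones, tok[i + 4:i + 6]):
            mip = re.fullmatch(r"MIP\((.+)\)", name)
            if mip:
                if mip.group(1) not in defs["mip"]:
                    findings.append(f"{name}: no matching 'mip' on any interface")
            elif (name.lower() not in BUILTIN_ADDRESSES
                  and (zone, name) not in defs["address"]):
                findings.append(f"address {name!r} is not defined in zone {zone!r}")
        if "dip-id" in tok[:-1]:
            dip = tok[tok.index("dip-id") + 1]
            if dip not in defs["dip"]:
                findings.append(
                    f"dip-id {dip}: defined DIP IDs are {sorted(defs['dip'])}")
        for j in range(len(tok) - 2):
            if tok[j:j + 2] == ["tunnel", "vpn"] and tok[j + 2] not in defs["vpn"]:
                findings.append(
                    f"tunnel vpn {tok[j + 2]!r}: no 'set vpn' with that name")
    return findings


if __name__ == "__main__":
    for finding in check_references(SAMPLE_CONFIG):
        print(finding)
```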

4. Configure the Avaya IP Office

This section describes the steps necessary to configure the IP Office. Two IP Office models, IP Office 412 and 403, are used in this testing. Since the configurations are identical, only the configuration for IP Office 412 is presented in these Application Notes.

4.1. Configure the IP Office 412 Parameters

IP Office 412 is configured using the IP Office Manager application. The LAN1 interface is used for protected network connectivity, and the LAN 2 interface is used for public network connectivity.

Step 1. Configuring interface LAN1

  - Using the IP Office Manager, browse the configuration tree and select System Configuration and click on the LAN1 tab.
  - Set IP Address to 150.1.1.1 and IP Mask to 255.255.255.0.
  - Leave the Primary Trans. IP Address field blank.
  - Leave the Enable NAT box unchecked.
  - For the DHCP Mode, select Disabled.

In the described configuration, static IP addresses are assigned to devices at all sites.

Step 2. Configuring interface LAN2

  - Click the LAN2 tab.
  - Set IP Address to 100.1.1.2 and IP Mask to 255.255.255.0.
  - Leave the Primary Trans. IP Address field blank.
  - Leave the Enable NAT box unchecked.
  - For the DHCP Mode, select Disabled.
  - Click OK when done.

Step 3. Configuring default gateway

  - Using the IP Office Manager, browse the configuration tree and select IP Route.
  - Leave the IP Address and IP Mask fields blank.
  - Enter 100.1.1.3 (IP address of NetScreen 25 private interface) as gateway IP address.
  - Select LAN2 as gateway interface.
  - Enter 1 in Metric field and click OK.

Step 4. Configuring line options

  - Using the IP Office Manager, browse the configuration tree and select Line.
  - Enter 02 in the Line Number field.
  - Enter description in Telephone Number field (optional).
  - Enter 2 as Incoming Group and Outgoing Group ID.
  - Enter 20 as voice and data channels as shown in figure below.

  - Click the VoIP tab to enter H.323 trunk configuration.
  - In the Gateway IP Address field, enter 10.10.42.1. This is the IP address of the IP Office 403 at Site B.
  - In the Compression Mode field, select Automatic Selection.
  - In the H.450 Support field, select H.450.
  - The Silence Suppression box may remain unchecked.
  - Select the Enable Faststart checkbox.
  - Leave the Fax Transport Support box unchecked.
  - Leave the Local Hold Music box unchecked.
  - Leave the Local Tones box unchecked.
  - Select the Out of Band DTMF checkbox.
  - Select the Allow Direct Media Path checkbox.
  - Leave the Voice Networking box checked.
  - Click OK when done.

Step 5. Configuring Shortcode

Configure the shortcode so that the IP Office 412 will route the calls to IP Office 403 using the H.323 trunk defined in step 4.

  - Using the IP Office Manager, browse the configuration tree and select Shortcode.
  - Enter 4xxxx in the Short Code field.
  - Enter . in the Telephone Number field to pass all the dialed digits.
  - Enter 4 in the Line Group ID field.
  - Select Dial in the Feature field.
  - Click OK when done.

Step 6. Configuring a user

In IP Office, every extension created requires a user associated with it. The following example shows how to configure a user for a PhoneManager using extension 30002.

  - Using the IP Office Manager, browse the configuration tree and select User.
  - Enter information in the fields as shown in the figure below.

  - Click the Telephony tab.
  - Select VoIP in the Phone Manager Type field.
  - Leave the other parameters as default.
  - Click OK when done.

Step 7. Configuring an extension

  - Using the IP Office Manager, browse the configuration tree and select Extension.
  - Right click Extension and select Add.
  - Extension ID 8004 is assigned by IP Office; leave it unchanged.
  - Enter 30002 in the Extension field.
  - Configure and select other parameters as shown in figure below.

  - Select the VoIP tab.
  - Enter 150.1.1.101 in the IP Address field (this is the IP address of the PC where the PhoneManager is installed).
  - Configure the other parameters as shown in figure below.
  - Click OK when done.

Step 8. Save changes to the IP Office

  - Under the Manager File Menu item, select Save.
  - At the Sending Config to dialog box, select the option to immediately reboot and press OK.
  - If the IP Office Server IP address has been changed, update the IP address of the PC running Manager and edit the Manager Preferences setting under the File menu before reconnecting.

5. Remote IPSec Tunnel between the NetScreen 25 and NetScreen-Remote Client

This section describes the steps necessary to configure the NetScreen 25 and the NetScreen-Remote client to establish a dynamic IPSec tunnel.

5.1. Configure the NetScreen 25

The NetScreen 25 is configured as a VPN tunnel endpoint for NetScreen-Remote Client. To support a generic VPN installation packet and avoid user specific configuration on the VPN client, the user should be configured to authenticate with a password, either maintained locally on the firewall or on a RADIUS server.

    ***** Create one common user for general authentication of the NetScreen-Remote *****
    ***** software to the gateway. Configure that single user as a member of a group, *****
    ***** which will be referenced later in the IKE gateway configuration. *****
    set user nsr ike-id u-fqdn testing@testing share-limit 100
    set user nsr type ike
    set user nsr enable
    set user-group ike-users user nsr

    ***** Create the local VPN users "avaya" and "netscreen" and add them to a *****
    ***** user group "remote-users". Create an IKE gateway for NSR. *****
    set user avaya password abc123
    set user avaya type xauth
    set user netscreen password abc123
    set user netscreen type xauth
    set user-group remote-users location local
    set user-group remote-users user avaya
    set user-group remote-users user netscreen
    set ike gateway nsr-gw dialup ike-users preshare netscreen proposal pre-g2-3des-md5
    set ike gateway nsr-gw nat-traversal
    set ike gateway nsr-gw xauth server local user-group remote-users

    ***** Alternatively a RADIUS server could be used for user authentication. The *****
    ***** configuration below shows how to set up a RADIUS server for user *****
    ***** authentication. Use either Local or RADIUS authentication, not both at the same time. *****
    set auth-server my-radius type radius
    set auth-server my-radius server-name 1.1.1.1
    set auth-server my-radius secret password
    set auth-server my-radius account-type xauth

    set user-group remote-users location external
    set user-group remote-users type xauth
    set ike gateway nsr-gw dialup ike-users preshare netscreen proposal pre-g2-3des-md5
    set ike gateway nsr-gw nat-traversal
    set ike gateway nsr-gw xauth server my-radius user-group remote-users

    ***** Create the VPN tunnel and monitor the status of the tunnel as well *****
    set vpn nsr-vpn gateway nsr-gw proposal g2-esp-3des-sha
    set vpn nsr-vpn monitor

    ***** Set up policies for the VPN tunnel "nsr-vpn". The NetScreen 25 only allows *****
    ***** authenticated NSR clients to connect to internal resource "local-net" on "any" *****
    ***** service. "Untrust" is the outside zone and "Trust" is the inside zone. *****
    ***** "Dial-up VPN" is a reserved keyword for NSR clients. *****
    set address trust local-net 115.1.1.0/24 "This is our internal network"
    set policy from untrust to trust "Dial-up VPN" local-net any tunnel vpn nsr-vpn log
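The listings in Sections 3.1 and 5.1 put proposal names, pre-shared keys and passwords directly in the configuration, so they can be reviewed mechanically before a device goes into service. The following Python audit is an added example, not part of the original Application Notes; the sample lines are constructed in the style of those listings, and the legacy-algorithm list and the 16-character minimum are assumptions of the example.

```python
import shlex
from collections import defaultdict

# Constructed sample: lines in the style of the Section 3.1 and 5.1 listings.
SAMPLE_CONFIG = """
set admin name "NetScreen"
set admin password "NetScreen"
set ike gateway ns50-gw address 80.1.1.1 outgoing-interface e2 preshare netscreen proposal pre-g2-3des-md5
set vpn ns50-vpn gateway ns50-gw idletime 0 proposal g2-esp-3des-md5
set user avaya password abc123
set user netscreen password abc123
set ike gateway nsr-gw dialup ike-users preshare netscreen proposal pre-g2-3des-md5
set vpn nsr-vpn gateway nsr-gw proposal g2-esp-3des-sha
set auth-server my-radius secret password
"""

# Proposal-name parts this example treats as legacy (the list is an assumption).
LEGACY = {"md5": "MD5", "des": "DES", "3des": "Triple DES",
          "g1": "Diffie-Hellman group 1", "g2": "Diffie-Hellman group 2"}
MIN_SECRET_LEN = 16      # assumed minimum length for any shared secret


def audit(config):
    """Return findings for legacy proposals and weak or reused secrets."""
    findings = []
    secrets = defaultdict(list)      # secret value -> places it is used
    admin = {}
    for raw in config.splitlines():
        tok = shlex.split(raw)
        if len(tok) < 4 or tok[0] != "set":
            continue
        if tok[1] == "admin" and tok[2] in ("name", "password"):
            admin[tok[2]] = tok[3]
        elif tok[1] == "user" and tok[3] == "password" and len(tok) > 4:
            secrets[tok[4]].append(f"XAuth user {tok[2]}")
        elif tok[1] == "auth-server" and tok[3] == "secret" and len(tok) > 4:
            secrets[tok[4]].append(f"RADIUS server {tok[2]}")
        elif tok[1:3] == ["ike", "gateway"] and "preshare" in tok[:-1]:
            key = tok[tok.index("preshare") + 1]
            secrets[key].append(f"IKE gateway {tok[3]}")
        # One or more proposal names may follow the "proposal" keyword.
        if tok[1] in ("ike", "vpn") and "proposal" in tok[:-1]:
            owner = f"IKE gateway {tok[3]}" if tok[1] == "ike" else f"VPN {tok[2]}"
            for name in tok[tok.index("proposal") + 1:]:
                for part in name.split("-"):
                    if part in LEGACY:
                        findings.append(
                            f"{owner}: proposal {name} uses {LEGACY[part]}")
    if "password" in admin:
        weak = {admin.get("name", "").lower(), "netscreen"}
        if admin["password"].lower() in weak:
            findings.append("admin password equals the login name or vendor name")
    # Report where a secret is used, never the secret itself.
    for value, users in secrets.items():
        where = ", ".join(users)
        if len(value) < MIN_SECRET_LEN:
            findings.append(
                f"secret shorter than {MIN_SECRET_LEN} characters: {where}")
        if len(users) > 1:
            findings.append(f"one secret reused by: {where}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```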

5.2. Configure the NetScreen-Remote Client

Step 1. Configuring client connection

  - Launch the NetScreen Remote client by selecting Start > Programs > NetScreen-Remote > Security Policy Editor.
  - Right click the folder My Connections and select Add Connection.
  - Name the new connection as Netscreen Testing.
  - Select Secure for Connection Security.
  - Select IP Subnet for ID Type.
  - Enter 115.1.1.0 in the Subnet field and 255.255.255.0 in the Mask field.
  - Select All in the Protocol field and Secure Gateway Tunnel in the Connect using field.
  - Check the Connect using box.
  - Select IP Address in the IP Type field and enter 90.1.1.1 (IP Address of NetScreen 25 public interface) as the tunnel endpoint IP Address.

Step 2. Configuring client identity

  - Expand the Netscreen testing folder and select My Identity.
  - Select Any in the Name field under the Internet Interface.
  - Leave other fields as default.
  - Click Pre-Shared Key under My Identity.
  - Click Enter Key and type key in the field.
  - Click OK when done.

Step 3. Configuring phase 1 proposal

  - Expand folder Security Policy > Authentication (Phase 1) > Proposal 1.
  - Select Pre-Shared Key; Extended Authentication under Authentication Method.
  - Select Triple DES for Encrypt Alg, and SHA-1 for Hash Alg.
  - Select Unspecified for SA Life, and Diffie-Hellman Group 2 for Key Group.

Step 4. Configuring phase 2 proposal

  - Expand folder Security Policy > Key Exchange (Phase 2) > Proposal 1.
  - Select Unspecified for SA Life, and None for Compression.
  - Check the Encapsulation Protocol (ESP) box.
  - Select Triple DES for Encrypt Alg, and SHA-1 for Hash Alg.
  - Select Tunnel for Encapsulation.

Step 5. Saving the configuration

  - At the top of the menu, open File > Save to save the configuration, or
  - Click the floppy disk icon on the tool bar to save the configuration.

6. Configure the Avaya PhoneManager

This section describes the steps necessary to configure the PhoneManager connecting to the IP Office via a remote VPN tunnel.

Step 1. Configuring PhoneManager

  - Launch Avaya PhoneManager by selecting Start > Programs > IP Office > PhoneManager from the PC where the PhoneManager is installed.
  - Configure the PhoneManager to use IP Office as a Call Server by selecting Configure > PBX.

  - In the UserName field, select Phone Manager 30002 previously created from IP Office Manager.
  - In the Password field, enter the password previously defined.
  - In the PBX Address field, enter the IP Office's private interface IP Address 150.1.1.1.
  - Click Login >> to log into IP Office.

Step 2. Setting codec preferences

  - To set codec preferences for the PhoneManager, select Configure > Preferences.
  - Highlight the codec and move it up or down by clicking the up or down button.
  - Check the Enable FastStart box.
  - Click OK when done.

7. Interoperability Compliance Testing

Interoperability compliance tests included feature and functionality testing. Both site-to-site and remote IPSec VPN tunnels were tested and validated. Feature and functionality testing examined the abilities of the Avaya IP Office, Avaya IP telephone and Avaya PhoneManager to work with the NetScreen security device in an IPSec environment. Feature and functionality testing was verified using manual methods.

7.1. General Test Approach

All interoperability and feature testing was performed manually. An IP protocol analyzer was used to verify the IPSec encryption for VoIP packets.
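What the protocol analyzer check amounts to can be shown on raw IPv4 packets: between the gateways only IKE and ESP should be visible, never H.323 on the ports defined for the "Q931" and "ras" services in Section 3.1. The following Python code is an added example, not part of the original Application Notes; the packets are constructed, the client address 115.1.1.50 is hypothetical, and UDP port 4500 with the RFC 3948 layout is assumed for NAT traversal.

```python
import ipaddress
import struct

# H.323 ports from the Section 3.1 service definitions: (IP protocol, port).
H323 = {(6, 1720): "Q.931 call signaling", (17, 1719): "RAS"}


def ipv4(src, dst, proto, payload):
    """Build a minimal IPv4 packet (constructed test data, checksum left 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed) + payload


def udp(sport, dport, data):
    """Build a UDP datagram (checksum left 0)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def tcp_syn(sport, dport):
    """Build a bare 20-byte TCP header with the SYN flag set."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)


def classify(packet):
    """Return (protected, label) for one raw IPv4 packet."""
    header_len = (packet[0] & 0x0F) * 4
    proto, body = packet[9], packet[header_len:]
    if proto == 50:                          # ESP: SPI, then sequence number
        spi, seq = struct.unpack("!II", body[:8])
        return True, f"ESP spi=0x{spi:08x} seq={seq}"
    if proto in (6, 17):
        sport, dport = struct.unpack("!HH", body[:4])
        if proto == 17 and 500 in (sport, dport):
            return True, "IKE"
        if proto == 17 and 4500 in (sport, dport):
            data = body[8:]
            if data == b"\xff":
                return True, "NAT-T keepalive"
            # Four zero bytes are the non-ESP marker that precedes IKE.
            if data[:4] == b"\x00\x00\x00\x00":
                return True, "IKE over NAT-T"
            return True, "ESP in UDP"
        for port in (sport, dport):
            if (proto, port) in H323:
                return False, f"cleartext H.323 {H323[(proto, port)]}"
    return False, f"cleartext IP protocol {proto}"


def find_leaks(packets):
    """List (src, dst, label) for every packet that is not IPSec-protected."""
    leaks = []
    for pkt in packets:
        protected, label = classify(pkt)
        if not protected:
            src, dst = (str(ipaddress.ip_address(pkt[o:o + 4])) for o in (12, 16))
            leaks.append((src, dst, label))
    return leaks


# Constructed capture, as seen between the public interfaces of the two
# gateways (90.1.1.1 and 80.1.1.1 in Table 1). The last packet is a
# deliberate leak: H.323 call signaling that bypassed the tunnel.
CAPTURE = [
    ipv4("90.1.1.1", "80.1.1.1", 17, udp(500, 500, b"\x00" * 28)),
    ipv4("90.1.1.1", "80.1.1.1", 50, struct.pack("!II", 0x1000, 1) + b"\xaa" * 32),
    ipv4("115.1.1.50", "90.1.1.1", 17,
         udp(4500, 4500, struct.pack("!II", 0x2000, 7) + b"\xbb" * 32)),
    ipv4("100.1.1.2", "10.10.42.1", 6, tcp_syn(40000, 1720)),
]

if __name__ == "__main__":
    for leak in find_leaks(CAPTURE):
        print(leak)
```

A header check of this kind shows that traffic is encapsulated; it does not by itself show which encryption algorithm the ESP payload uses.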

7.2. Test Results

All tests were completed successfully.

8. Verification Steps

The following verification steps can be used in these Application Notes to verify correct system operation:

  - Make a call from the IP telephone on site A to the digital telephone at site B, and verify that the voice quality is good. Use a protocol analyzer to decode the VoIP packets, and verify that the packets are encapsulated with IPSec header.
  - Launch the NetScreen-Remote client and verify that the remote VPN tunnel is established between the NetScreen-Remote client and the NetScreen 25.
  - Launch the PhoneManager and verify that the PhoneManager can register with the IP Office successfully.
  - Make a call from the PhoneManager at site C to the IP telephone at site A, and verify that the voice quality is good.
  - Make a call from digital telephone at site A to the PhoneManager at site C. While the call is active, conference the IP Telephone at site B and verify that all three parties are in conference, and the voice quality is good.

9. Support

For technical support of NetScreen products, call 408-543-6768 or 1-877-638-7273, or email customerservice@netscreen.com. For sales support, visit http://www.netscreen.com/contacts/sales/index.jsp on the Internet.

10. Conclusion

These Application Notes describe the configuration steps necessary to allow Avaya IP Office and Avaya PhoneManager to work with NetScreen 25, NetScreen 50, as well as NetScreen VPN client. All configurations have been compliance tested and all test cases were successful.

11. Additional References

For Avaya IP Office related documentation, visit http://support.avaya.com/ on the Internet.

11.1. Glossary

Technical Term    Definition as it pertains to this document
LAN               Local Area Network
WAN               Wide Area Network
DIP               Dynamic IP Pool
MIP               Mapped IP Address
IKE               Internet Key Exchange
ESP               Encapsulation Protocol
VPN               Virtual Private Network
IPSec             IP Security
3DES              Triple Data Encryption Standard (168-Bit Key)
SHA               Secure Hash Algorithm
Codec             Coder/Decoder
DiffServ          Differentiated Services
NAT               Network Address Translation

Avaya and the Avaya Logo are trademarks of Avaya Inc. All trademarks identified by ® and ™ are registered trademarks or trademarks, respectively, of Avaya Inc. All other trademarks are the property of their respective owners. The information provided in these Application Notes is subject to change without notice. The configurations, technical data, and recommendations provided in these Application Notes are believed to be accurate and dependable, but are presented without express or implied warranty. Users are responsible for their application of any products specified in these Application Notes.

Please e-mail any questions or comments pertaining to these Application Notes along with the full title name and filename, located in the lower right corner, directly to the Avaya DeveloperConnection Program at devconnect@avaya.com.