Description:

If an Alcatel OXO Connect (Premium) DeskPhone is operated at a remote location (e.g. in a branch or home office), it cannot connect directly to the Alcatel OXO Connect PBX.

Since the desk phones support VPN connections, it is possible to establish a VPN connection to the headquarters without the use of a VPN router at the branch office.

This article describes how to set up VPN connection using IKEv1 between an Alcatel DeskPhone and a LANCOM router.

How to connect an Alcatel OXO Connect PBX to a LANCOM VoIP router is described in this Knowledge Base article .

Important:
When using an IKEv1 connection in main mode, only one desk phone at a branch office can connect to the headquarters via VPN because authentication is based on the WAN IP address of the Internet connection.

In 2019 the IETF (Internet Engineering Task Force) has designated IKEv1 as deprecated and insecure and therefore it should not be used anymore. LANCOM Systems instead recommends to use the current standard IKEv2.

The IKEv1 functionality in LANCOM devices remains intact and can still be used for scenarios where devices without IKEv2 support are used. However LANCOM Systems will not provide any support regarding the troubleshooting of connection problems with IKEv1 connections. Also there won't be any bug fixes or new features for IKEv1.

In rare cases a disconnect can occur during rekeying. In such a case it can be useful to increase the lifetimes, so that the disconnects occur less often.

The configuration of an IKEv2 connection between an Alcatel DeskPhone and a LANCOM router is described in this Knowledge Base article.



Requirements:

  • LANCOM router with Voice Call Manager and VPN support at the headquarters:
    • LANCOM 883 VoIP
    • LANCOM 884 VoIP
    • LANCOM 178x (some models additionally require the All-IP option )
    • LANCOM 179x (some models additionally require the All-IP option )
    • LANCOM ISG 1000
    • LANCOM ISG 4000
  • LCOS as of version 9.24 ( download latest version )
  • LANtools as of version 9.24 ( download latest version )
  • One of the following Alcatel OXO Connect (Premium) DeskPhones:
    • 8008
    • 8008G
    • 8018
    • 8028
    • 8028s
    • 8038
    • 8058s
    • 8068
    • 8068s
    • 8078s
  • Existing network connection on the desk phone (static or dynamic)


Scenario:

The general scenario is as follows:

  • The LANCOM router is located at the headquarters and the Alcatel OXO Connect PBX registers with the LANCOM router.
  • An Alcatel Premium DeskPhone (remote worker) in a branch office connects to the LANCOM router at the headquarters via VPN so that it can connect to the OXO Connect PBX.

Image showing a technical configuration menu with options for VPN, LancomSBC, Remote Worker, Premium Desk phones, OXO Connect, and Fax settings.


Procedure:

1) Configuring the LANCOM router:

1.1) Open the configuration of the LANCOM router in LANconfig, switch to the menu VPN → General and activate the VPN feature by setting Virtual Private Network to Activated .

Screenshot of a virtual private network (VPN) configuration interface showing activated settings, including remote network selection, IPSec over HTTPS, flexible identity comparison, and NAT traversal options.

1.2) Switch to the menu VPN -> IKE/IPSec→ IKE proposals .

Screenshot of a VPN configuration interface displaying options for IKEvVPN connections, network rules, logging and monitoring settings, and IPSec proposals.

1.3) Create a new entry and enter the following parameters:

  • Identification : Enter a descriptive name.
  • Encryption: From the drop-down menu, select AES-CBC.
  • Key length : Enter the value
  • Hash: From the drop-down menu, select SHA-256.
  • Authentication: Make sure that this is set to Preshared key.
  • Lifetime : Set these values to 5400 seconds and 0 kbytes .

Image showing a partial view of a technical configuration interface with settings related to AES CBC encryption and pre-shared key authentication.

1.4) Navigate to the menu IKE proposal lists .

Screenshot of a VPN configuration interface displaying options for connections, proposals, authentication methods, and security protocols.

1.5) Create a new IKE proposal list and modify the following parameters:

  • Identification : Enter a descriptive name.
  • Proposal : From the drop-down menu, select the IKE proposal created in step 1.3.

Image displaying a fragmented view of a technical configuration menu, possibly related to a desk phone system, with repetitive incomplete options and settings.

1.6) Navigate to the menu IKE keys and identities .

Screenshot of a VPN configuration interface displaying options for IKEv VPN connections, logging and monitoring settings, communication proposals, routing protocols, and default encryption settings.

1.7) Create a new entry and adjust the following parameters:

  • Identification : Enter a descriptive name.
  • Preshared key : Assign a Preshared key that is as complex as possible.
  • Local identity type: Leave the entry on No identity .
  • Remote identity type: Leave the entry on No identity .

Image of a technical user interface with partially visible options including power settings, password generation, and identity type configuration.

1.8) Switch to the menu IPSec proposals .

The image shows a technical configuration interface for VPN connections, including sections for IKEvVPN settings, proposals for SA negotiations, routing protocols, preshared keys, IKE keys, IPSec proposals, and various authentication methods.

1.9) Create a new entry and enter the following parameters:

  • Identification : Enter a descriptive name.
  • Mode: Leave the setting as Tunnel.
  • Encryption: From the drop-down menu, select AES-CBC.
  • Key length : Enter the value
  • Authentication: From the drop-down menu, select HMAC-SHA-256.
  • Lifetime : Set these values to 43200 seconds and 0 kbytes .

Image displaying a partially visible and unclear technical diagram or configuration menu with random fragmented text.

1.10) Navigate to the menu IPSec proposal lists .

Image of a technical configuration interface showing settings for VPN connections, IKE proposals, encryption, authentication, logging, and certificates, with various options to manage and monitor network protocols and security parameters.

1.11) Create a new IPSec proposal list and modify the following parameters:

  • Identification : Enter a descriptive name.
  • Proposal : From the drop-down menu, select the IPSec proposal created in step 1.9.

Image depicting a partial view of a technical configuration interface with options related to DESKPHONEIPSEC and other unclear settings.

1.12) Switch to the menu Connection parameters .

Screenshot of a technical configuration interface for managing VPN connections, featuring sections for IKE proposals, IPsec proposals, logging and monitoring options, routing protocols, shared key authentication, and default encryption settings.

1.13) Create a new entry and adjust the following parameters:

  • Identification : Enter a descriptive name.
  • PFS group : From the drop-down menu, select 16 (MODP-4096).
  • IKE group : From the drop-down menu, select 16 (MODP-4096).
  • IKE proposals : From the drop-down menu, select the IKE proposal list created in step 1.5.
  • IKE key : From the drop-down menu, select the IKE key and identities created in step 1.7.
  • IPSec proposals : From the drop-down menu, select the IPSec proposal list created in step 1.11.

Screenshot of a technical configuration menu for setting up identification and security parameters, including DESKPHONEPARAM, MODPv for both PESgroup and IKEgroup, and various IPSec proposals and keys.

1.14) Switch to the menu Connection list .

Screenshot of a VPN configuration interface displaying options for IKEvVPN connections, proposals for SA negotiation, routing protocols, shared keys authentication, and IPsec proposals along with settings for encryption, authentication, and compression.

1.15) Create a new entry and adjust the following parameters:

  • Name of connection : Enter a descriptive name.
  • Short hold time: Since it is the Premium DeskPhone that establishes the VPN connection, the short hold time is left at 0.
  • Dead Peer Detection : Set the value to 90 seconds,
  • Gateway: Enter the public IP address or the DynDNS name of the remote branch where the Premium DeskPhone is located.
  • Connection parameters : From the drop-down menu, select the Connection parameters created in step 1.13.
  • IKE exchange : Check that the value is set to Main Mode.
  • IKE-CFG: Select Server from the drop-down menu so that the LANCOM router can assign an IP address from the local network at the headquarters to the Premium DeskPhone.
  • Rule Creation : Set Rule Creation to Manual.
  • IPv4 rules : Select the predefined VPN rule RAS-WITH-CONFIG-PAYLOAD from the dropdown menu.

Image of a technical configuration interface showing options for Dynamic VPN connections, IP address transmission methods, and security settings.

1.16) Go to the menu IPv4 → Addresses and enter the dial-in address range (First and Last address) from an address range that is different to the local network.

Important:
The address range where the Alcatel DeskPhones dial-in must be in a different network to the local network.

This image displays a technical configuration interface for setting up network addresses and DNS settings, featuring sections like 'First address', 'Last address', 'Primary DNS', and 'Secondary NBNS'.

1.17) This concludes the configuration of the router. Write the configuration back to the router.



2) Configuring the Alcatel DeskPhones:

2.1) Start the (Premium) DeskPhone and, during “Boot Phase 2”, press the buttons <*> + <#> to access the Main Menu.

2.2) In the Main Menu, select the menu item VPN.

The image displays a technical configuration menu with options including 'MainMenu,' 'Security,' 'SoftwareInfos,' 'Hardware,' and 'Servicing Reset.'

2.3) Switch to the menu VPN Config .

Image showing a technical configuration menu with options for VPN settings, FTP, authentication, and pin code entry.

2.4) The first time you enter the menu VPN Config you have to set a PIN code . This has to be entered each time this menu is accessed.

Screenshot of a VPN configuration interface displaying a pin code entry field labeled 'GiveVPNPincode'.

2.5) Adjust the following parameters, confirm the adjustments by clicking the green checkmark and quit the menu by clicking on the Back button:

  • Enable VPN: Activate VPN by ticking the box.
  • VPN Server: Enter the public IP address or the DynDNS name of the LANCOM router at the headquarters.
  • VPN PSK: Enter the Preshared key set in step 1.7.
  • IKE version : Select IKEv1.

Image of a VPN configuration menu displaying options to enable VPN, set VPN server, and select IKE version.

2.6) Switch to the menu VPN Tftp .

Screenshots of a technical configuration interface displaying VPN settings, FTP, authentication options, and pin code entry.

2.7) Adjust the following parameters, confirm the adjustments by clicking the green checkmark and quit the menu by clicking on the Back button:

  • Set a checkmark next to Use TFTP servers .
  • Tftp 1: Enter the IP address of the Alcatel OXO Connect at the headquarters.

Image showing a fragmented view of a configuration interface with options for VPN, TFTP servers, and port settings.

2.8) Click the red arrow to quit the Main menu. The desk phone then restarts and establishes the VPN connection.

A screenshot of a technical user interface displaying menu options such as MainMenu, Security, Software, Hardware, and Reset.

 

All LANCOM products and software versions are subject to LANCOM Software Lifecycle Management.
You can find information on our website at https://www.lancom-systems.com/products/firmware/software-lifecycle-management

© 2025 LANCOM Systems GmbH