Description:
If an Alcatel OXO Connect (Premium) DeskPhone is operated at a remote location (e.g. in a branch or home office), it cannot connect directly to the Alcatel OXO Connect PBX.
Since the desk phones support VPN connections, it is possible to establish a VPN connection to the headquarters without the use of a VPN router at the branch office.
This article describes how to set up a VPN connection using IKEv1 between an Alcatel DeskPhone and a LANCOM router.
How to connect an Alcatel OXO Connect PBX to a LANCOM VoIP router is described in this Knowledge Base article.
Important:
When using an IKEv1 connection in main mode, only one desk phone at a branch office can connect to the headquarters via VPN because authentication is based on the WAN IP address of the Internet connection.
In 2019, the IETF (Internet Engineering Task Force) designated IKEv1 as deprecated and insecure, so it should no longer be used. LANCOM Systems recommends using the current standard, IKEv2, instead.
The IKEv1 functionality in LANCOM devices remains intact and can still be used for scenarios where devices without IKEv2 support are used. However, LANCOM Systems will not provide any support for troubleshooting connection problems with IKEv1 connections. There will also be no bug fixes or new features for IKEv1.
In rare cases a disconnect can occur during rekeying. In such a case it can be useful to increase the lifetimes, so that the disconnects occur less often.
The configuration of an IKEv2 connection between an Alcatel DeskPhone and a LANCOM router is described in this Knowledge Base article.
Requirements:
- LANCOM router with Voice Call Manager and VPN support at the headquarters:
  - LANCOM 883 VoIP
  - LANCOM 884 VoIP
  - LANCOM 178x (some models additionally require the All-IP option)
  - LANCOM 179x (some models additionally require the All-IP option)
  - LANCOM ISG 1000
  - LANCOM ISG 4000
- LCOS as of version 9.24 (download latest version)
- LANtools as of version 9.24 (download latest version)
- One of the following Alcatel OXO Connect (Premium) DeskPhones:
  - 8008
  - 8008G
  - 8018
  - 8028
  - 8028s
  - 8038
  - 8058s
  - 8068
  - 8068s
  - 8078s
- Existing network connection on the desk phone (static or dynamic)
Scenario:
The general scenario is as follows:
- The LANCOM router is located at the headquarters and the Alcatel OXO Connect PBX registers with the LANCOM router.
- An Alcatel Premium DeskPhone (remote worker) in a branch office connects to the LANCOM router at the headquarters via VPN so that it can connect to the OXO Connect PBX.
Procedure:
1) Configuring the LANCOM router:
1.1) Open the configuration of the LANCOM router in LANconfig, switch to the menu VPN → General and activate the VPN feature by setting Virtual Private Network to Activated.
1.2) Switch to the menu VPN → IKE/IPSec → IKE proposals.
1.3) Create a new entry and enter the following parameters:
- Identification: Enter a descriptive name.
- Encryption: From the drop-down menu, select AES-CBC.
- Key length: Enter the value
- Hash: From the drop-down menu, select SHA-256.
- Authentication: Make sure that this is set to Preshared key.
- Lifetime: Set these values to 5400 seconds and 0 kbytes.
1.4) Navigate to the menu IKE proposal lists.
1.5) Create a new IKE proposal list and modify the following parameters:
- Identification: Enter a descriptive name.
- Proposal: From the drop-down menu, select the IKE proposal created in step 1.3.
1.6) Navigate to the menu IKE keys and identities.
1.7) Create a new entry and adjust the following parameters:
- Identification: Enter a descriptive name.
- Preshared key: Assign a Preshared key that is as complex as possible.
- Local identity type: Leave the entry on No identity.
- Remote identity type: Leave the entry on No identity.
1.8) Switch to the menu IPSec proposals.
1.9) Create a new entry and enter the following parameters:
- Identification: Enter a descriptive name.
- Mode: Leave the setting as Tunnel.
- Encryption: From the drop-down menu, select AES-CBC.
- Key length: Enter the value
- Authentication: From the drop-down menu, select HMAC-SHA-256.
- Lifetime: Set these values to 43200 seconds and 0 kbytes.
1.10) Navigate to the menu IPSec proposal lists.
1.11) Create a new IPSec proposal list and modify the following parameters:
- Identification: Enter a descriptive name.
- Proposal: From the drop-down menu, select the IPSec proposal created in step 1.9.
1.12) Switch to the menu Connection parameters.
1.13) Create a new entry and adjust the following parameters:
- Identification: Enter a descriptive name.
- PFS group: From the drop-down menu, select 16 (MODP-4096).
- IKE group: From the drop-down menu, select 16 (MODP-4096).
- IKE proposals: From the drop-down menu, select the IKE proposal list created in step 1.5.
- IKE key: From the drop-down menu, select the IKE key and identities created in step 1.7.
- IPSec proposals: From the drop-down menu, select the IPSec proposal list created in step 1.11.
1.14) Switch to the menu Connection list.
1.15) Create a new entry and adjust the following parameters:
- Name of connection: Enter a descriptive name.
- Short hold time: Since it is the Premium DeskPhone that establishes the VPN connection, the short hold time is left at 0.
- Dead Peer Detection: Set the value to 90 seconds.
- Gateway: Enter the public IP address or the DynDNS name of the remote branch where the Premium DeskPhone is located.
- Connection parameters: From the drop-down menu, select the Connection parameters created in step 1.13.
- IKE exchange: Check that the value is set to Main Mode.
- IKE-CFG: Select Server from the drop-down menu so that the LANCOM router can assign an IP address from the local network at the headquarters to the Premium DeskPhone.
- Rule Creation: Set Rule Creation to Manual.
- IPv4 rules: Select the predefined VPN rule RAS-WITH-CONFIG-PAYLOAD from the drop-down menu.
1.16) Go to the menu IPv4 → Addresses and enter the dial-in address range (First and Last address) from an address range that is different to the local network.
Important:
The address range where the Alcatel DeskPhones dial-in must be in a different network to the local network.
1.17) This concludes the configuration of the router. Write the configuration back to the router.
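The address-range requirement from step 1.16, as an added pre-flight check that is not part of the original article or of LANCOM's tooling: the Python script below tests a planned dial-in range against the local networks before the values are entered in LANconfig. The function name, the network name and all addresses are constructed sample values.

```python
import ipaddress


def check_dialin_pool(first, last, local_networks):
    """Return a list of problems with an IKE-CFG dial-in range ([] means OK).

    first/last     -- 'First address' and 'Last address' planned for step 1.16
    local_networks -- {name: CIDR} of the networks behind the router (assumed input)
    """
    first_ip = ipaddress.IPv4Address(first)
    last_ip = ipaddress.IPv4Address(last)
    if first_ip > last_ip:
        return [f"first address {first_ip} is higher than last address {last_ip}"]

    # Cover first..last exactly with CIDR blocks. Comparing whole blocks also
    # catches a range whose endpoints lie outside a LAN but which spans across it.
    pool_blocks = list(ipaddress.summarize_address_range(first_ip, last_ip))

    problems = []
    for name, cidr in local_networks.items():
        lan = ipaddress.IPv4Network(cidr, strict=False)
        if any(block.overlaps(lan) for block in pool_blocks):
            problems.append(
                f"dial-in range {first_ip}-{last_ip} overlaps local network {name} ({lan})"
            )
    return problems


# Constructed sample values, not taken from the article.
LOCAL_NETWORKS = {"INTRANET": "192.168.1.0/24"}
CANDIDATES = [
    ("192.168.99.10", "192.168.99.20"),  # separate network: accepted
    ("192.168.1.200", "192.168.1.210"),  # inside the LAN: rejected
    ("192.168.0.250", "192.168.2.5"),    # endpoints outside, spans the LAN: rejected
]

if __name__ == "__main__":
    for first, last in CANDIDATES:
        issues = check_dialin_pool(first, last, LOCAL_NETWORKS)
        print(f"{first} - {last}: {'OK' if not issues else '; '.join(issues)}")
```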
2) Configuring the Alcatel DeskPhones:
2.1) Start the (Premium) DeskPhone and, during “Boot Phase 2”, press the buttons <*> + <#> to access the Main Menu.
2.2) In the Main Menu, select the menu item VPN.
2.3) Switch to the menu VPN Config.
2.4) The first time you enter the menu VPN Config, you have to set a PIN code. This has to be entered each time this menu is accessed.
2.5) Adjust the following parameters, confirm the adjustments by clicking the green checkmark and quit the menu by clicking on the Back button:
- Enable VPN: Activate VPN by ticking the box.
- VPN Server: Enter the public IP address or the DynDNS name of the LANCOM router at the headquarters.
- VPN PSK: Enter the Preshared key set in step 1.7.
- IKE version: Select IKEv1.
2.6) Switch to the menu VPN Tftp.
2.7) Adjust the following parameters, confirm the adjustments by clicking the green checkmark and quit the menu by clicking on the Back button:
- Set a checkmark next to Use TFTP servers.
- Tftp 1: Enter the IP address of the Alcatel OXO Connect at the headquarters.
2.8) Click the red arrow to quit the Main menu. The desk phone then restarts and establishes the VPN connection.