06-23-2011 09:36 AM
I was wondering if somebody can help me with this problem: I have a mini laptop with Windows 7 64 bit that was successfully running Avaya Phone Manager Pro (PC Softphone) for quite a long time via a VPN tunnel that was run between a Linux Firewall called IP Cop and a VPN client called OpenVPN, worked like a charm.Recently I started experimenting with Avaya VPN phones and switched my router/firewall to a Juniper SSG20. I followed the Avaya document "Configuring the Juniper SSG as and IPSec VPN Head-end to support the Avaya VNPremote Phone and Avaya Phone Manager Pro with Avaya IP Office - Issue 1.0" and was able to get my VPN phones working great but not my mini laptop. Since NetRunner for Windows 7 is not available I was able to successfully establish the VPN tunnel using Shrew and following the how-to document you find at Shrew.net but every time I start my Phone Manger I see it logging in to the extension but seconds after I get the "Failed to register" message and I am out.
I have tried a lot of thing but my lack of experience with SSG20 is not helping much:
I have ALG - H323 disabled (un-checked) as per the above document but when I enable it I can get the Phone Manager on my mini laptop to register but no voice traffic goes through, my VPN phones register OK but it is also a no go on voice traffic.
I have tried keeping the ALG – H323 enabled and updating the policy for the VPN phones by adding under service H323, VOIP and selecting IGNORE under Application the result is that they register OK but it is no go on voice traffic.
I then tried the opposite and I uncheck ALG-H323 to keep my VPN phones working OK and I tried ignoring H.323, PING, RTSP, TFTP, UUCP, VOIP in the policy for the Laptop but my laptop is not able to login or see the IP Office control unit.
I believe it is a policy issue but my lack of experience with the SSG20 is not helping and was wondering if somebody out there that may be running VPN phone and Phone Manager Soft Phones using shrew can guide me on how to properly configure the SSG20 or tell me if what I am trying to do is not supported.
I am currently running Firmware 6.2.0r9.0, I am not sure if it is going to make much of a difference to upgrade 6.3 I but will appreciate any help I can get.
06-24-2011 09:25 AM
I know Shrew is not supported but I believe the client is irrelevant in this situation because the VPN tunnel is properly established and it is clearly not the problem and I really don’t want to go through all the pain of downloading the NCP spending time configuring it because I know that in the end I will have the same problem, however is somebody out has had the experiance and knows that this could be part of the problem I am willing to try NCP.
I have been playing with the policies and I have been checking the logs, so far I added to the ignore list all the protocols my SSG-20 has denied traffic for the Phone Manager and I am finally down to UDP PORT 50796 the last one to be denied. The SSG-20 is not letting me ignore UDP-ANY and I tried to create a custom protocol by going to Policy – Policy Elements
– Services – Custom and created the following new service:
Transport Protocol and Parameters: UDP src port: 50796-50796, dst port: 50796-50796
I added the service to my ignore list but the SSG-20 keeps denying the traffic, am I missing something? How do you setup the SSG-20 to allow traffic for UPP Port 50796?