
Server Deployment Guide for Remote Workers using Deskphones

October 2021

8AL90345ENAA Ed. 11a


Legal notice
www.al-enterprise.com The Alcatel-Lucent name and logo are trademarks of Nokia used under license by ALE. To view other trademarks used by affiliated companies of ALE Holding, visit: www.al-enterprise.com/en/legal/trademarks-copyright. All other trademarks are the property of their respective owners.
The information presented is subject to change without notice. Neither ALE Holding nor any of its affiliates
assumes any responsibility for inaccuracies contained herein.
© 2021 ALE International, ALE USA Inc. All rights reserved in all countries.

Disclaimer
While efforts were made to verify the completeness and accuracy of the information contained in this
documentation, this document is provided “as is”. To get more accurate content concerning Cross
Compatibilities, Product Limits, Software Policy and Feature Lists, please refer to the accurate documents
published on MyPortal.
In the interest of continued product development, ALE International reserves the right to make
improvements to this documentation and the products it describes at any time, without notice or
obligation.

The CE mark indicates that this product conforms to the following Council Directives:
• 2014/53/EU for radio equipment
• 2014/35/EU and 2014/30/EU for non-radio equipment (including wired Telecom Terminal Equipment)
• 2014/34/EU for ATEX equipment
• 2011/65/EU (RoHS)
• 2012/19/EU (WEEE)
Table of contents

1 General .................................................................................. 7
1.1 Overview ............................................................................................................. 7
1.2 Terminology ....................................................................................................... 7
1.2.1 Glossary ............................................................................................................. 7
1.2.2 Graphical conventions ........................................................................................ 8

2 Remote worker deployment using IPsec VPN ................... 9


2.1 Overview ............................................................................................................. 9
2.2 Architecture ........................................................................................................ 9
2.3 Basic Description............................................................................................. 10
2.4 Technical Description ...................................................................................... 10
2.4.1 On the corporate LAN ...................................................................................... 10
2.4.2 On the remote worker LAN............................................................................... 12
2.4.3 Emergency calls ............................................................................................... 13
2.5 Configuration in a nutshell.............................................................................. 14
2.6 System configuration ...................................................................................... 17
2.6.1 Reference design ............................................................................................. 17
2.6.2 OXO Connect and OmniPCX Enterprise configuration .................................... 17
2.7 VPN server configuration ................................................................................ 17
2.7.1 General interactions ......................................................................................... 17
2.7.2 Engineering rules ............................................................................................. 19
2.7.3 Overview table for VPN servers tested............................................................. 19
2.7.4 Overview table for Configuration ...................................................................... 20
2.8 Step by step example: Fortigate 30E ............................................................. 21
2.8.1 Characteristics ................................................................................................. 21
2.8.2 IKEv1 Main Mode ............................................................................................. 21
2.8.3 IKEv1 Aggressive Mode ................................................................................... 41
2.8.4 IKEv2 – PSK .................................................................................................... 45

8AL90345ENAA Ed. 11a - October 2021 – Server Deployment Guide for Remote Workers using Deskphones 3/170

2.8.5 IKEv2 – Certificate ........................................................................................... 49


2.9 Step by step example: Fortigate 60D ............................................................. 55
2.9.1 Characteristics ................................................................................................. 55
2.9.2 Server configuration using the Web Based Management (WBM) .................... 55
2.9.3 Server configuration using the Command Line and Configuration file .............. 55
2.10 Step by step example: Zyxel USG40 .............................................................. 60
2.10.1 Server configuration using the Web Configurator ............................................. 60
2.10.2 Server configuration using the Command Line and Configuration file .............. 67
2.11 Maintenance procedures ................................................................................. 67
2.11.1 Troubleshooting ............................................................................................... 67
2.11.2 Other problems ................................................................................................ 68
2.11.3 Activity logs ...................................................................................................... 68
2.11.4 Network traffic .................................................................................................. 71
2.12 Appendix .......................................................................................................... 73
2.12.1 IP phones VPN configuration (with PIN solution) ............................................. 73
2.12.2 ALE IP phones VPN configuration (without PIN code solution) ........................ 83
2.12.3 ALE IP phones VPN configuration in SIP mode ............................................... 85
2.12.4 IPSec VPN and Thales feature ........................................................................ 89
2.12.5 Prompt Info of phone ........................................................................................ 90
2.12.6 The 8088 Android VPN configuration ............................................................... 91

3 Remote worker deployment using OPEN VPN .............. 113


3.1 Overview ......................................................................................................... 113
3.2 Environment and topology............................................................................ 113
3.3 Set configuration using 8001 Web Management......................................... 114
3.3.1 Uploading trusted certificates to 8001 DeskPhone ......................................... 114
3.3.2 Configuring 8001 VPN parameters ................................................................ 115
3.3.3 Configuring 8001 DeskPhone remote worker parameters.............................. 117
3.4 OPEN VPN server configuration ................................................................... 117
3.4.1 Installing the OpenVPN server ....................................................................... 117


3.4.2 Generating certificate files for the OpenVPN server and 8001 DeskPhone ... 118
3.4.3 Setting the Open VPN server configuration.................................................... 120
3.4.4 Loading the client’s certificates and configuration file to local PC .................. 121
3.4.5 Configuring routing ......................................................................................... 121
3.4.6 Enabling the Open VPN service ..................................................................... 121

4 Remote worker deployment with SBC and Reverse Proxy ............ 122
4.1 Overview ......................................................................................... 122
4.2 Setting the Certificate Trust List (CTL) ........................................ 123
4.2.1 Signing the CTL with a 8088 Smart DeskPhone connected to the OmniPCX Enterprise ...... 123
4.2.2 Signing the CTL with a 8082 My IC Phone connected to an OpenTouch server ............... 125
4.3 Configuring the Reverse Proxy .................................................................... 128
4.3.1 Configuring the Reverse Proxy settings ......................................................... 128
4.3.2 Configuring the OmniVista 8770 to authenticate the RP ................................ 128
4.4 Configuring the Session Border Controller ................................................. 128
4.4.1 Configuring Session Border Controller settings.............................................. 129
4.4.2 Verifying the SBC license ............................................................................... 130
4.4.3 Configuring the SBC certificate for Remote Workers ..................................... 130
4.4.4 Enabling mutual authentication (SBC- 80xx phones) ..................................... 130
4.4.5 Specific SBC configuration for 8001 Deskphones using secret identity ......... 132
4.5 Configuring the 8001 Deskphones for remote workers .............................. 133
4.5.1 Configuring 8001 Deskphones on the OmniVista 8770 .................................. 133
4.5.2 Configuring the 8001 Deskphone settings (file download URL and auto provision) ........ 134
4.6 8770: Configuring the devices profiles for remote workers ....................... 135
4.7 User creation and remote worker device association ................................ 143
4.7.1 8770: User creation with SIP device parameters ........................................... 143
4.7.2 Real deskphone association .......................................................................... 150


4.8 Appendix ........................................................................................................ 152


4.8.1 Phone SIP upgrade tips ................................................................................. 152

5 Zero touch deployment for IPSEC VPN .......................... 155


5.1 Introduction .................................................................................................... 155
5.2 Phone compatibility ....................................................................................... 155
5.3 Getting access to EDS ................................................................................... 155
5.4 Architecture view – General principles ........................................................ 157
5.4.1 What is EDS ................................................................................................... 157
5.4.2 Workflow of data ............................................................................................ 157
5.4.3 Pre-requisites for reaching EDS by NOE phones ........................................... 158
5.5 Provisioning process, step by step.............................................................. 159
5.5.1 Step1 : create VPN common part xml file....................................................... 159
5.5.2 Step2: create VPN device part excel file ........................................................ 160
5.5.3 Step3: create VPN profile in EDS ................................................................... 161
5.5.4 Step4: create devices in EDS and map them to the profile ............................ 162
5.6 Modifying the VPN settings........................................................................... 166
5.7 Zero touch deployments ............................................................................... 167
5.8 Moving the phone between inside and outside of the company ............... 167
5.9 Appendix ........................................................................................................ 168
5.9.1 APPENDIX 1: List of VPN settings ................................................................. 168
5.9.2 APPENDIX 2: adding Developer menu in Excel ............................................. 169
5.9.3 APPENDIX 3: Example for XML file, usable for common settings. ................ 170

1 General

1.1 Overview
When remote workers move outside the company (off-site), they can use ALE International IP deskphones
and have the same level of service as local users on the company LAN.
Secure connections must be established between the remote worker's deskphone and the corresponding
communication system. The remote worker feature is terminal-oriented: it was introduced with OXO Connect
R2.1, but it does not depend on a particular communication system or release.
The remote worker's deskphone can connect to the company LAN either:
- Over a VPN connection established with either an IPsec VPN server or an OpenVPN server.
All ALE International IP deskphones use IPsec VPN, except the 8001 Deskphone, which uses OpenVPN.
- Via a secured network infrastructure including:
• A Reverse Proxy used to secure all data communications (device management) through HTTPS
connections
• A Session Border Controller used to secure voice communications through SIP/TLS signaling
and SRTP flows

1.2 Terminology

1.2.1 Glossary
DH : Diffie-Hellman. Key exchange method
DMZ : Demilitarized zone
DNAT : Destination NAT
ESP : Encapsulating Security Payload
FW : Firewall
IKE : Internet Key Exchange
IPsec : Internet Protocol Security
NAT : Network Address Translation
NAPT : Also PAT, NATP, Masquerading, Overloading. Many-to-one NAT based on outgoing port.
NAT-T : NAT Traversal, UDP encapsulation of IPsec packets
PSK : Pre-shared key
RP : Reverse Proxy
RSC : Remote Service Center
SBC : Session Border Controller
SNAT : Source NAT


UDP : User Datagram Protocol
VPN : Virtual Private Network

1.2.2 Graphical conventions

The figures in this guide use icons for the following elements: access gateway, IP router, communication system, VPN server, workstation, firewall and deskphone.

2 Remote worker deployment using IPsec VPN

2.1 Overview
The VPN server offers secure connections between the communication systems and a remote worker with
ALE IP phones by providing confidentiality, integrity and authentication, based on the IPsec protocol.

2.2 Architecture
The network reference architecture is shown in Figure 1.

Figure 1: Network architecture. On the corporate LAN: the communication system (OXO), an access router with firewall and port forwarding, and the VPN server. Each remote worker site has an access router/box and a phone acting as VPN client; one VPN tunnel per remote worker crosses the Internet to the VPN server.

- The VPN tunnels are established between the VPN server and the remote workers' phones: there is one
tunnel per remote worker connected to the communication system.
- Remote workers are always communication system users; external users cannot be connected via VPN.
- A tunnel is used by only one remote worker. When several remote workers share a single LAN in the same
physical premises, each of them still has their own VPN tunnel.
- A workstation connected to the PC port of the phone only has access to the remote worker's LAN;
workstation IP traffic is never tunneled.
- IP traffic between two distinct remote workers: both phones have a NOE signaling link established with
the communication system on the corporate LAN, but VoIP media between two remote workers is not handled
by the communication system. The VPN gateway forwards the media directly from one tunnel to the other,
and must be configured to allow this.


2.3 Basic Description


The VPN creation request is initiated by the phone during its initialization phase. The phone gets its local
IP parameters from the remote worker's local DHCP server (or from static settings), but the VPN parameters
must be entered statically, either by the remote worker or by an administrator.
DHCP configuration is preferred for the local parameters, as it is much easier to deploy for the end user.
Typically, there is no need to change firewall settings on the remote worker's access router, since the initial
traffic is outgoing. On the corporate LAN, in addition to the VPN server settings, the access router must be
configured (port redirection) to accept incoming VPN connection requests, and the local router(s) must be
configured to route VPN traffic to the VPN gateway.
To prevent address overlap between the remote worker LANs and the corporate LAN, two virtual IP
addresses are used as tunnel endpoints (one on the VPN server, the other sent to the remote worker's
phone).
CAUTION: Special care must be taken to ensure that the remote worker LAN where the phone runs is not
in the same sub-network as the VPN server's virtual address range.
Once a tunnel is established with the VPN server, the phone has access to the corporate LAN, so it can
initialize with the communication system and reach any other ALE IP phone with direct RTP.

2.4 Technical Description


In this reference design, the communication system, the VPN gateway and the remote worker IP phone all
have private addresses, which are not routable on the public network.
The following points are mandatory:
- Each access gateway must have a public IP address to send data on the Internet.
- On the corporate LAN access gateway, the ports used for IKE and NAT-T (default ports are 500 and
4500) must be forwarded to the VPN gateway.
- Outbound IPsec connections must be enabled on the remote worker access gateway.

2.4.1 On the corporate LAN


2.4.1.1 Communication systems
Although the remote worker feature was introduced with a given call server version, the call server itself is
not impacted: other communication system releases can also benefit from the remote worker feature.

2.4.1.2 VPN server


The VPN solution uses static built-in settings in the phone; the VPN server settings must be compatible
with them.
Settings required on the VPN server:
- IP addresses for the VPN tunnels
- User credentials declared in the VPN server for each remote worker (login + password per remote
worker); the installer must share these credentials with each remote worker
- A static PSK compatible with the ALE IP phone VPN settings. An example configuration is given in this
document and must be customized by the installer to the existing network topology and VPN
credentials.

Restrictions on character entry:

The VPN configuration requests PSK, User login and User Password.
These are defined by the VPN server administrator, but must be entered on the phone’s keyboard, which
leads to limitations.

The available characters depend on the phone model (with or without mini keyboard) and on the field to
complete:

Phone model                             | User login                         | User password, PSK and Local-ID
8008, 8018                              | 0…9 a…z A…Z - _ + . , : ; ? ! < >  | 0…9 a…z A…Z - _ + . , : ; ? ! < >
80x8S, ALE-20/20h/30h, ALE-300/400/500  | 0…9 a…z A…Z - _ + . @ $ % /        | 0…9 a…z A…Z - _ + . , : ; ? ! < > @ & $ % # ' * = / ( )

Recommended common charset for all phones:

Phone model  | User login           | User password, PSK and Local-ID
All phones   | 0…9 a…z A…Z - _ + .  | 0…9 a…z A…Z - _ + . , : ; ? ! < >

Note: Character mapping is provided in § 2.12.1.
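The recommended common charset above can be turned into a check that an installer runs before handing out credentials, so that a PSK or XAuth/EAP password is both strong and typeable on every phone. The following is an added example, not code from this guide or from ALE: the field names ("login", "password", "psk", "local-id"), the entropy helpers and the generator are this example's own assumptions; the character sets come from the table.

```python
"""Validate and generate VPN credentials that every ALE phone keyboard can enter."""
import math
import secrets
import string

# Recommended common charset for all phones, taken from the table above.
ALNUM = string.digits + string.ascii_lowercase + string.ascii_uppercase
LOGIN_SYMBOLS = "-_+."
SECRET_SYMBOLS = "-_+.,:;?!<>"

# Field names are this example's own; the guide groups the fields the same way.
CHARSETS = {
    "login": frozenset(ALNUM + LOGIN_SYMBOLS),      # 66 characters
    "password": frozenset(ALNUM + SECRET_SYMBOLS),  # 73 characters
    "psk": frozenset(ALNUM + SECRET_SYMBOLS),
    "local-id": frozenset(ALNUM + SECRET_SYMBOLS),
}


def check_enterable(value, field):
    """Characters of `value` that cannot be typed on every phone for `field` (empty list means OK)."""
    allowed = CHARSETS[field]
    return sorted({c for c in value if c not in allowed})


def entropy_bits(length, field="psk"):
    """Entropy of a uniformly random string of `length` characters from the field's charset."""
    return length * math.log2(len(CHARSETS[field]))


def min_length_for(target_bits, field="psk"):
    """Shortest string from the field's charset that reaches `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(len(CHARSETS[field])))


def generate_secret(length=32, field="psk"):
    """CSPRNG-generated value using only characters the phones can enter for `field`."""
    alphabet = "".join(sorted(CHARSETS[field]))
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # '@' is legal on an 80x8S login but not on a 8008/8018, so it is rejected.
    print("login alice@corp ->", check_enterable("alice@corp", "login"))
    print("PSK:", generate_secret(32), "~%.0f bits" % entropy_bits(32))
    print("characters needed for 128 bits:", min_length_for(128))
```

A 32-character PSK from the 73-character set carries about 198 bits of entropy, and 21 characters already exceed 128 bits; generating per-worker XAuth/EAP passwords with `generate_secret(16, "password")` keeps them within the same typeable set.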

2.4.1.3 Access router


Port forwarding on the access router:
Port forwarding is required on the access router to forward incoming VPN traffic from the Internet (IKE on
UDP port 500 and NAT-T on UDP port 4500 by default) to the internal VPN server (IP address + port number).

2.4.1.4 Router
A specific routing policy is required to route all IP traffic between the corporate LAN and the remote workers.
This policy lets a remote worker device reach every IP device connected to the LAN, and vice versa. Specific
routes must therefore be set up on all LAN routers so that IP traffic for remote workers is forwarded to the
VPN server on the corporate LAN, in order to reach the communication system or any other ALE IP phone.
All remote IP phones get an IP address from the VPN server. These addresses are configured as a range
of IP addresses (typically a dedicated IP subnet of the corporate address plan). This subnet must be routed
to the VPN server on the corporate LAN.
Corporate LAN VPN IP traffic routing policy:
- A default router must be specified in the communication system, so that all VPN IP traffic (destination
IP address inside the VPN IP range) is sent to the default router.
- A specific route must be set up on the default router to forward VPN IP traffic to the VPN server.
- The VPN server automatically forwards IP traffic into the corresponding VPN tunnel based on the
destination IP address.
Configuring the routing policy is more complicated when the communication system and the ALE IP phones
are connected to several IP subnets of the corporate LAN: the routing policy must then be configured on
each router. Enabling dynamic IP routing can be an alternative.
An alternative for a basic network topology could be to use the VPN gateway as the communication
system's default gateway. This is not recommended, however, since the VPN gateway must then route all
non-local IP traffic of the communication system.

2.4.2 On the remote worker LAN


2.4.2.1 Remote worker access router
Typically, there is no impact on the remote worker's Internet access router.
By default, the access router already:
- Provides IP parameters (local IP address, subnet, default router IP, DNS IP) to the phone
- Allows outgoing IP traffic (in particular the VPN establishment requests from the phone)
- Provides Port Address Translation (PAT): each device on the LAN is mapped to its own port number on the
single public router address. No configuration is required.
One requirement remains: if the router offers an "IPsec passthrough" option, it must be deactivated;
otherwise several phones connected behind the same router will not all succeed in establishing their VPN.
In this scenario there is no additional configuration to do on the access router to support remote worker
phones. In other cases, the Internet access router must be configured accordingly.

2.4.2.2 Remote worker phone


For implementation and release reasons, there are two sets of VPN local MMI configuration menus: without
PIN authentication and with PIN authentication. This is described in detail in another chapter of this
document. The version without PIN authentication must be considered the legacy version.
On each ALE IP phone supporting the IPsec feature, there are fixed VPN settings and VPN settings that must
be customized:
• Fixed VPN settings (can neither be displayed nor modified)
- Supported cipher suites: AES-256 encryption, SHA-256 integrity, Diffie-Hellman groups 16, 14 and 5
- PSK method for authentication
• VPN settings that must be customized
- VPN server public IP address
- Communication system private IP address (in the TFTP field)
- IKE version:
  - IKEv1 (IKEv1 + PSK + XAuth)
  - IKEv2 (IKEv2 + PSK + EAP-MSCHAPv2)
Note: For IKEv1, there is an option to activate Aggressive mode. If it is not activated, Main mode is used
as the negotiation mode. Aggressive mode is inherently flawed: the responder's authentication hash, which
is computed from the PSK and from values exchanged in clear, is itself sent unencrypted, so anyone who
captures the exchange can run an offline dictionary attack against the PSK. It is strongly advised not to use
Aggressive mode.
- PSK shared with the VPN server (either a single PSK for all remote workers of an installation, or a
specific PSK per remote worker)
- XAuth can be enabled or disabled
- Remote worker login + password when XAuth is enabled


2.4.3 Emergency calls


Specific settings are required on the communication system to handle remote worker emergency calls
properly, according to the caller's location.
For more information, please refer to the following documents:
• OmniPCX Enterprise Expert - User Services (8AL91003), chapter on Emergency Call.
• OXO Connect - User Services (8AL91202), chapter Emergency Call.
• OXO Connect Evolution - User Services (8AL91220), chapter Emergency Call.

2.5 Configuration in a nutshell
The addresses used in this figure are provided as examples only.
Global topology (figure):
- Corporate LAN: communication system (OXO) 172.25.17.210; LAN router 172.25.17.209, which needs the
route 10.100.1.0/255.255.255.0 to 172.25.17.211; VPN server / firewall 172.25.17.211 with virtual tunnel
address 10.0.0.1; corporate access router with public IP 82.125.10.46, forwarding UDP ports 500 and 4500
to the VPN server. The figure also shows 172.25.17.212 on the corporate side.
- Virtual addresses required for the phones (VPN): Phone1 10.100.1.1, Phone2 10.100.1.2, Phone3 …
- Remote worker: access router public IP 83.100.1.10; home box/router local address 192.168.0.1; phone
local address 192.168.0.100 (DHCP preferred). The home LAN and the virtual address range must be
different sub-networks.
- Manual entry on the phone: VPN server address 82.125.10.46; communication server TFTP address
172.25.17.210; PSK; login; password (credentials declared in the VPN server).

Deployment must be done without any change to the remote worker's access router settings. Consequently,
the virtual addresses defined in the VPN server for the phones must be different from the common addresses
used in home access routers or boxes.
In the remote location, use dynamic IP address assignment, which is much simpler for the end user. Phones coming out of the box are configured to get their IP
address through DHCP, so installation is straightforward.
A static IP address is also possible from the phone's perspective. In this case, select a free IP address; it must not be included in the IP address range allocated
by the DHCP server.

Figure: incoming packets route. VPN, signaling and media flows from PHONE 1 (tunnel address 10.100.1.1) cross the remote worker's box/router and the Internet, enter through the corporate access router, are decapsulated by the VPN server / firewall (172.25.17.211) and reach the communication system (OXO, 172.25.17.210) through the LAN router.
Figure: outgoing packets route. A packet from the communication system (OXO, 172.25.17.210) to 10.100.1.1 leaves the LAN through the router, is encapsulated by the VPN server / firewall (172.25.17.211), crosses the corporate access router and the Internet, and reaches PHONE 1 behind the remote worker's box/router. The figure also shows 172.25.17.212 on the corporate side.
The outgoing packets have a destination address out of the LAN, so they are sent to the default gateway (router) which sends them to the VPN server address
(here 172.25.17.211).
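The address-plan rules of sections 2.3, 2.4.1.4 and this summary (a dedicated virtual pool routed to the VPN server, UDP 500 and 4500 forwarded to it, and the CAUTION that a remote worker's LAN must not overlap the virtual addresses) can be checked before deployment. The following is an added example, not code from this guide or from ALE. It uses the figure's addresses; the /24 corporate subnet and the list of typical home subnets are assumptions of the example and are marked as such in the code.

```python
"""Address-plan checks for the IPsec remote worker design: virtual pool, corporate LAN, home LAN."""
import ipaddress

# Values taken from the "Configuration in a nutshell" figure.
VPN_POOL = "10.100.1.0/24"            # virtual addresses pushed to the phones
VPN_SERVER_LAN_IP = "172.25.17.211"   # next hop for the pool on the corporate routers
# Assumption of this example: the corporate hosts in the figure (.209, .210, .211) share one /24.
CORPORATE_SUBNETS = ["172.25.17.0/24"]
# Assumption of this example: subnets commonly used by home boxes, which the pool must avoid.
COMMON_HOME_SUBNETS = ["192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24",
                       "192.168.178.0/24", "10.0.0.0/24", "10.1.1.0/24"]
IKE_PORTS = (("udp", 500), ("udp", 4500))   # IKE and NAT-T, forwarded to the VPN server


def _net(value):
    return ipaddress.ip_network(value, strict=False)


def pool_conflicts(pool=VPN_POOL, corporate=CORPORATE_SUBNETS, home=COMMON_HOME_SUBNETS):
    """Subnets the virtual pool overlaps with; any hit means the pool must be changed."""
    p = _net(pool)
    return [n for n in list(corporate) + list(home) if p.overlaps(_net(n))]


def check_remote_site(phone_local_network, pool=VPN_POOL, corporate=CORPORATE_SUBNETS):
    """Findings for one remote worker LAN, as learned from the home DHCP server.

    Overlap with the pool breaks the tunnel endpoint (CAUTION in 2.3); overlap with a
    corporate subnet makes the phone treat the communication system as a local host
    and never send that traffic into the tunnel."""
    local = _net(phone_local_network)
    findings = []
    if local.overlaps(_net(pool)):
        findings.append(f"home LAN {local} overlaps the VPN virtual pool {pool}")
    for net in corporate:
        if local.overlaps(_net(net)):
            findings.append(f"home LAN {local} overlaps corporate subnet {net}")
    return findings


def corporate_plan(pool=VPN_POOL, vpn_server_ip=VPN_SERVER_LAN_IP, corporate=CORPORATE_SUBNETS):
    """Static route for every corporate LAN router and DNAT entries for the access router."""
    if any(_net(pool).overlaps(_net(n)) for n in corporate):
        raise ValueError("the pool must be a dedicated subnet, not part of the corporate LAN")
    return {
        "routes": [(str(_net(pool)), vpn_server_ip)],   # (destination, next hop)
        "forwards": [(proto, port, vpn_server_ip, port) for proto, port in IKE_PORTS],
    }


if __name__ == "__main__":
    print("pool conflicts:", pool_conflicts() or "none")
    print("home 192.168.0.0/24:", check_remote_site("192.168.0.0/24") or "OK")
    print("home 172.25.17.0/24:", check_remote_site("172.25.17.0/24"))
    print(corporate_plan())
```

Run the remote-site check with whatever subnet the phone actually received from the home box; a home LAN that happens to use the corporate range is the case that produces a phone with a working tunnel but no reachable communication system.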

2.6 System configuration

2.6.1 Reference design


VPN server reference : Fortigate 60D – Software version 5.4.4
Communication system : OXO Connect release 2.1

2.6.2 OXO Connect and OmniPCX Enterprise configuration


Typically, a default route is already specified during OXO Connect installation and does not need to be
changed. Nevertheless, the default router can be changed in OXO Connect with OMC.

For OmniPCX Enterprise: use menu 8 ('Routing') of the netadmin -m command.

2.7 VPN server configuration


It is not possible to give an exhaustive description of the configuration of many models and brands of VPN
servers. Even within one brand, different models may have different syntaxes.
Based on the previous architectural description, the required configuration steps for some VPN servers are
described in this section.

2.7.1 General interactions


2.7.1.1 Main mode and Aggressive mode (IKE V1)
The IKE version is configured to version 1, and both Main and Aggressive modes are supported by VPN
server.
Note that Aggressive mode is inherently flawed: the responder's authentication hash, computed from the PSK
and from values exchanged in clear, is itself sent unencrypted, so an attacker who captures the exchange can
run an offline dictionary attack against the PSK. It is strongly advised not to use Aggressive mode.


2.7.1.2 Authentication (IKE V1)


Server authentication is done with a pre-shared key, configured on the VPN server and stored locally in the
ALE IP phone.
Client authentication is optionally done through XAuth (eXtended Authentication), which forces the client to
send a login and a password to identify itself. XAuth can be disabled only if a specific PSK is used for each
remote worker.
Caution:
The use of several PSKs on a given server is not supported by all VPN server vendors.
Warning:
- XAuth login/password must be specific to each remote worker
- Never disable XAuth when a single PSK is used for all remote workers
- Ensure the selected XAuth login/password can be entered through the phone keyboard; see sections
2.4.1.2 and 2.12.1 for the character set recommended for all phones
- For XAuth configuration on the phone, refer to the IP phones VPN configuration chapter

2.7.1.3 Authentication (IKE V2)


Server authentication is done with a pre-shared key, configured on the VPN server and stored locally in the
ALE IP phone.
Client authentication is optionally done through EAP-MSCHAPv2, which forces the client to send a login
and a password to identify itself. EAP authentication can be disabled only if a specific PSK is used for each
remote worker.
Warning:
- EAP login/password must be specific to each remote worker
- Never disable EAP when a single PSK is used for all remote workers
- Ensure the selected EAP login/password can be entered through the phone keyboard; see sections
2.4.1.2 and 2.12.1 for the character set recommended for all phones
- For EAP configuration on the phone, refer to the IP phones VPN configuration chapter

2.7.1.4 Parameters negotiation


During the negotiation, a match must be found between the security parameters:
- Phase 1: encryption algorithm, hash algorithm, DH group
- Phase 2: encryption algorithm, authentication algorithm, DH group
Thus, common security parameter values must be configured on the VPN server to match the phone VPN
client, depending on the minimum level of security desired and on the legal constraints in the countries
concerned.
Example of a possible configuration on the Fortigate 60D:
Phase 1:
    set proposal aes256-sha256
    set dhgrp 16 14 5

Phase 2:
    set proposal aes256-sha256
    set dhgrp 16 14 5


The security parameter values authorized on the VPN server that match the phone capabilities are:
- Phase 1 encryption algorithm: aes256
- Phase 1 hash algorithm: sha256
- Phase 1 DH groups: 5, 14, 16
- Phase 2 encryption algorithm: aes256
- Phase 2 authentication algorithm: sha256
- Phase 2 DH groups: 5, 14, 16

2.7.1.5 Tunnel and NAT setup


For information: during phase 1, the VPN server sends an IP address to the remote worker phone, to be
used as a virtual IP address that is the client end of the tunnel. IPsec security policies have to be set
accordingly and removed when the tunnel is closed. No action is needed here.

2.7.2 Engineering rules


2.7.2.1 Limits
For information, one of the VPN gateways used for this reference design (Fortigate 60D) can handle up to
500 client-to-gateway IPSec tunnels. No action is needed here.

2.7.2.2 Internationalization/localization
The country where the VPN server and the client are deployed might impose some restrictions on the cipher
used (algorithm, key length).

2.7.3 Overview table for VPN servers tested


VPN Server | VPN Tunnel Type | 8078s/8068s/8058s/8028s/8018/8008, ALE-500/400/300, ALE-30h/20h/20 | 8088 Android, native client | 8088 Android, FortiClient | 8088 Android, StrongSwan
Fortigate 30E/60D/300C | IKEv1 Main PSK/XAUTH | Test Passed | Test Passed | Test Passed | Not supported
Fortigate 30E/60D/300C | IKEv1 Aggressive PSK/XAUTH | Test Passed | Test Passed | Test Passed | Not supported
Fortigate 30E/60D/300C | IKEv2 PSK/MSCHAPv2 | Test Passed | Not supported | Not supported | Not supported
Fortigate 30E/60D/300C | IKEv2 EAP (certificate) | Not supported | Not supported | Not supported | Test Passed
ZYXEL USG40 | IKEv1 Main PSK/XAUTH | Test Passed | Test Passed | Not tested | Not supported
ZYXEL USG40 | IKEv1 Aggressive PSK/XAUTH | Not tested | Not tested | Not tested | Not supported
ZYXEL USG40 | IKEv2 PSK/MSCHAPv2 | Not tested | Not supported | Not supported | Not supported
ZYXEL USG40 | IKEv2 EAP (certificate) | Not tested | Not supported | Not supported | Not tested

Note for FortiOS versions on Fortigate VPN servers:

• This guide has been built based on version 5.4.5, running on the 30E/60D models. The principles stay
the same on newer generations of servers, with possible user interface changes.
• Version 5.6.0 and later removed the user group support mentioned in the chapters of this guide. This
has no consequence on the VPN deployment method; the parameter is simply not available.
• Version 7.0 has been tested successfully with the configurations proposed below.


2.7.4 Overview table for Configuration


2.7.4.1 Phone supported features: IPSEC with PSK+XAUTH
PSK only or PSK+XAuth/EAP. For each phone type and phase, the entries give the DH group (1), the
encryption/hash algorithms with the PFS setting, and the Peer-ID, for IKEv1 Main mode, IKEv1
Aggressive mode and IKEv2.

8008/8018/80x8s, ALE-20/20h/30h/300/400/500 (same values in IKEv1 Main mode, IKEv1 Aggressive mode and IKEv2):
- P1: DH group 5,14,16; AES256/SHA256; Peer-ID: String (2)
- P2: DH group 5,14,16; AES256/SHA256; PFS enable; Peer-ID: String

8088 Native Client (IKEv1 Main mode and IKEv1 Aggressive mode; no IKEv2 entry):
- P1: DH group 2; AES256/AES128/3DES/DES, SHA256/SHA1/MD5; Peer-ID: %any (Main mode; no value given for Aggressive mode)
- P2: DH group NA; AES256/AES128/3DES/DES, SHA1/MD5; PFS disable; Peer-ID: %any (Main mode; no value given for Aggressive mode)

8088 FortiClient (IKEv1; no IKEv2 entry):
- P1: DH group 2,5,14; AES128/3DES/DES, SHA1/MD5; Peer-ID: %any
- P2: DH group 2,5,14; AES128/3DES/DES, SHA1/MD5; PFS enable; Peer-ID: %any

8088 StrongSwan: no P1/P2 entries in this table

Notes:
(1) Diffie-Hellman group: configured on the client side
a) A notation with / (e.g. 2/5/14) means that only one of them can be selected at a time (exclusive).
b) A notation with commas (e.g. 5,14,16) means that all of them can be selected for the negotiation.
Depending on the VPN client, these parameters may or may not be accessible.
(2) A string can be entered on both sides (server and phone), with the constraints given in chap. 2.4.1.2

2.7.4.2 Phone supported features: IPSEC with Certificates

Certificate/Signature. For each phone type and phase, the entries give the DH group, the encryption/hash
algorithms with the PFS setting, the Peer-ID and the CA certificates, for IKEv1 and IKEv2.

8008/8018/80x8s, ALE-20/20h/30h/300/400/500: no P1/P2 entries
8088 Native Client: no P1/P2 entries
8088 FortiClient: no P1/P2 entries
8088 StrongSwan (IKEv2 only, as shown in the overview table of 2.7.3):
- P1: DH group 2,5,14,16; DES/3DES/AES128/AES192/AES256, MD5/SHA1/SHA256/SHA384/SHA512; Peer-ID: CN of Server certificate; CA Certs: CA Cert of Server Cert
- P2: DH group 2,5,14,16; DES/3DES/AES128/AES192/AES256, MD5/SHA1/SHA256/SHA384/SHA512; PFS enable/disable; Peer-ID: CN of Server certificate; CA Certs: CA Cert of Server Cert


2.8 Step by step example: Fortigate 30E

2.8.1 Characteristics
Fortigate VPN server hardware: Fortigate 30E
This reference design applies to the firmware FortiOS 5.4.5.
There are some changes from FortiOS 5.6.0 that impact the server configuration. Related hints are given
in the chapters below.

2.8.2 IKEv1 Main Mode


2.8.2.1 Server configuration using the Web Based Management (WBM)
The menus of the WBM may change from one version to another. Therefore, the CLI may be used as an
alternative; see the corresponding chapter below.

2.8.2.1.1 Connecting to the Fortigate 30E


The Fortigate VPN configuration can easily be customized using the Web Based Management (WBM).
The administrator can access it through FortiExplorer (client connected to the Fortigate USB management
port) or using a web browser (e.g. Firefox, Chrome) if the Fortigate is already connected to the LAN.
If the Fortigate LAN is not configured, connect a PC to its USB management port and launch a serial
connection session.
1. Log in as admin without password (factory default)
2. Launch the following commands with the Fortigate LAN IP address (172.25.17.211 as an example):
config system interface
    edit "lan"
        set vdom "root"
        set ip 172.25.17.211 255.255.255.240
        set allowaccess ping https ssh
        set type hard-switch
        set role lan
    next
end

You can now connect to the Web Based Management (WBM) using a web browser (for example Firefox or
Chrome) and entering the following URL: https://172.25.17.211/ (Fortigate LAN IP address)

Do not forget to change the administrator password.


Log in with admin account and password (by default, the password is empty) to access all configurable
settings.

2.8.2.1.2 Creating users for remote worker authentication

1: Create a user definition (one user definition per remote worker)


1: Select Local User and click Next

1: Enter the VPN user name and password and click Next

1: Enter email address and click Next


Click Create

2.8.2.1.3 Adding a user group


Create one group (“remote_phones” in this example) common to all remote workers and include all users
in it.
1: Create a VPN user group

1: Enter a user group name

2: Add members


2.8.2.1.4 Configuring the network Interface


Double click LAN or WAN to configure interface

2.8.2.1.5 Configuring LAN interface


The LAN interface setting already exists if you use the WBM with an Internet browser. You must create the
LAN interface when using the FortiExplorer client connected to the USB management port.
1: The LAN interface IP address/netmask is already configured if using the WBM
2: Select Restrict Access and select the following check boxes: HTTPS, PING and SSH


2.8.2.1.6 Configuring WAN interface


1: Select Manual in the Addressing mode field
2: Enter the WAN interface IP address and netmask in the corresponding field
3: Select Restrict Access and select the following check boxes: HTTPS, SSH and PING


2.8.2.1.7 Configuring the DNS


The remote worker phone may need to perform name resolution (for example the 8088 Android phone, which
may need to update the Rainbow application).
The default setting in the Fortigate server uses the FortiGuard servers. This may not work; in this case, set
up the DNS as follows:

1: Go to Network
2: Go to DNS
3: Select the Specify tab
4 & 5: Fill in with a specific DNS server present on the LAN network.

2.8.2.1.8 Specifying the corporate LAN/WAN default gateway


1: Create the LAN and WAN static gateways if they are different from the Fortigate


1: In the Device field, select WAN or LAN


2: Enter the gateway IP address

1: After LAN/WAN gateway creation, “Static Routes” are displayed


2: The “Routing Monitor” content is dynamic

2.8.2.1.9 Creating IPsec tunnels


1: Create a new IPsec tunnel


1: Enter the IPsec tunnel name


2: Select Custom, and Next

2.8.2.1.10 Configuring the IPsec tunnel network parameters


1. Verify the IPsec tunnel name
2. In the Remote Gateway field, select Dialup User
3. In the Interface field, select Wan
4. Select Mode Config
5. Select Use System DNS in Mode Config
6. Enter VPN client IP address range
7. Enter VPN client IP address netmask
8. Uncheck IPV4 Split Tunnel
9. Enable the NAT Traversal


2.8.2.1.11 Configuring the IPsec tunnel authentication method


Caution:
From FortiOS 5.2 included, in IKEv1 Main mode with dialup group, it is no longer possible to use
several different PSKs on a given server.
To work around this limitation, IKEv1 Aggressive mode can be used instead of Main mode (not
recommended because of its security flaw), or IKEv2.
1. In the Method field, select Pre-shared Key
2. Enter a pre-shared key
3. Select IKE Version “1”
4. In the Mode field, select Main (ID protection)
5. In the Accept Types field, select Peer ID from dialup group (*)
6. In the User group field, select the user group created previously (“remote phones”)

(*): From FortiOS 5.6.0, the option Peer ID from dialup group is no longer supported. The option Any Peer
ID can be used instead.

Important:
If Peer ID from dialup group is configured on a FortiOS version earlier than 5.6 and the FortiOS must be
upgraded to 5.6.x or later, set the Peer Options to Any peer ID before upgrading; otherwise the related
IPsec tunnel will be lost after the upgrade, and the administrator will have to add it again manually.

Another option is to specify a specific Peer ID. This is possible on the phones from version 5.45.40. See
chapter 2.12.1.5 for the phone configuration.


Select the option Specific peer ID, then enter the chosen string value.

2.8.2.1.12 Configuring the IPsec IKE phase 1 for IPsec tunnel

1: Select AES256 in the Encryption field, and SHA256 in the Authentication field
2: In the Diffie-Hellman Groups field, select the following check boxes: 5, 14 and 16
3: The Phase 1 SA Key Lifetime must be set longer than 1.5 hours (example: 3 h)


1: Select Auto Server

2: Select “remote phones”

Because of the implementation of the IPsec client on the terminal side, the Phase 1 SA Key Lifetime
must be set longer than 1.5 hours.
Attention: if the key lifetime is misconfigured on the Fortigate server, the tunnel will periodically
lose its connection.

2.8.2.1.13 Configuring the IPsec IKE phase 2 for IPsec tunnel


Open advanced:
1: Select AES256 in the Encryption field, and SHA256 in the Authentication field
2: In the Diffie-Hellman Groups field, select the following check boxes: 5, 14, and 16
3: In phase 2 SA Key Lifetime, keep default value 43200s


Because of the implementation of the IPsec client on the terminal side, the Phase 2 SA Key Lifetime
must be set longer than 0.5 hour.
Attention: if the key lifetime is misconfigured on the Fortigate server, the tunnel will periodically
lose its connection.

2.8.2.1.14 Configuring firewall rules and IP routes

2.8.2.1.14.1 Configuring Remote Users IP range address


1: Create a new address

1: Enter a rule name


2: Select IP Range in the Type field
3: In the Subnet/IP Range field, enter the first VPN IP address and the last IP address of the IP range
4: Keep any in the Interface field

2.8.2.1.14.2 Configuring Local_wan IP range address


1: Create a new address


1: Enter a rule name


2: Select IP/Netmask in the Type field
3: In the Subnet/IP Range field, enter the WAN network IP address and netmask
4: Select wan in the Interface field

2.8.2.1.14.3 Adding a rule in IPv4 policy


1: Initially, there must be only one rule in the IPv4 policy (“Implicit Deny”)
2: Create a new rule


2.8.2.1.14.4 Configuring a policy rule: LAN to remote users


1. Enter a rule name
2. In the Incoming Interface field, select lan
3. In the Outgoing Interface field, select “RemoteUsers”
4. In the Source field, select all
5. In the Destination Address field, select “IPRemoteUsers_Range”
6. In the Service field, select ALL
7. Disable NAT

2.8.2.1.14.5 Configuring a policy rule: remote users to LAN


1. Enter a rule name
2. In the Incoming Interface field, select “RemoteUsers”
3. In the Outgoing Interface field, select lan
4. In the Source field, select “IPRemoteUsers_Range”
5. In the Destination Address field, select all
6. In the Service field, select ALL
7. Disable NAT


2.8.2.1.14.6 Configuring a policy rule: remote users to remote users


1. Enter a rule name
2. In the Incoming Interface field, select “RemoteUsers”
3. In the Outgoing Interface field, select “RemoteUsers”
4. In the Source field, select “IPRemoteUsers_Range”
5. In the Destination Address field, select “IPRemoteUsers_Range”
6. In the Service field, select ALL
7. Disable NAT

2.8.2.1.15 Verifying the list of policy rules

Attention: when two phones behind two tunnels on the same VPN server need to communicate with
each other, two IPv4 policy rules must be created, covering the two related VPN interfaces, in order
to avoid calls with no audio. Each rule enables the bridge from one tunnel to the other.
For example, consider two VPN tunnels configured on the same Fortigate: RemoteUsers and
Remote8088.
The two policies shown below must be added if the administrator wants the two remote workers
behind these two tunnels to call each other.


1: IPv4 policies for VPN tunnel RemoteUsers
2: IPv4 policies for VPN tunnel Remote8088
3: IPv4 policies for the two related VPN tunnels RemoteUsers and Remote8088

2.8.2.2 Server configuration using the Command Line and Configuration file
The administrator can also configure the VPN through the Fortigate 30E Command Line Interface (CLI)
instead of the Web Based Management (WBM).
The template below contains all CLI commands required to configure a Fortigate “out of the box”.
The highlighted items must be customized to suit your configuration.
Create a user for each remote worker:
config user local
    edit "user1"
        set type password
        set email-to "[email protected]"
        set passwd 1245
    next
    edit "user2"
        set type password
        set passwd 6789
    next
end

Create a user group for all remote workers and include the users:
config user group
    edit "remote_phones"
        set member "user1" "user2"
    next
end

Configure the LAN and WAN interfaces:
config system interface
    edit "lan"
        set vdom "root"
        set ip 172.25.17.211 255.255.255.240
        set allowaccess ping https ssh
        set type hard-switch
        set role lan
    next
    edit "wan"
        set vdom "root"
        set mode static
        set ip 10.0.0.1 255.255.255.0
        set allowaccess ping https ssh
        set type physical
        set role wan
    next
end

Optional: configure the LAN DNS servers:
config system dns
    set primary 172.26.46.7
    set secondary 172.26.46.14
end

Add the firewall addresses used by the rules that accept IP traffic:
config firewall address
    edit "IPRemoteUsers_range"
        set type iprange
        set comment "VPN remote users address range"
        set start-ip 10.100.1.1
        set end-ip 10.100.1.100
    next
    edit "Local_wan"
        set associated-interface "wan"
        set subnet 10.0.0.0 255.255.255.0
    next
end

Add a static route to the default gateway:
config router static
    edit 1
        set gateway 172.25.17.209
        set device "lan"
        set comment "DMZ gateway"
    next
end

Add the IPsec VPN phase 1 settings:
config vpn ipsec phase1-interface
    edit "RemoteUsers"
        set type dynamic
        set interface "wan"
        set ip-version 4
        set ike-version 1
        set local-gw 0.0.0.0
        set keylife 10800
        set authmethod psk
        set mode main
        set peertype dialup
        set mode-cfg enable
        set ipv4-wins-server1 0.0.0.0
        set ipv4-wins-server2 0.0.0.0
        set proposal aes256-sha256
        set add-route enable
        set exchange-interface-ip disable
        set localid ''
        set localid-type auto
        set negotiate-timeout 30
        set fragmentation enable
        set dpd on-demand
        set forticlient-enforcement disable
        set comments "VPN: RemoteUsers"
        set npu-offload enable
        set dhgrp 16 14 5
        set suite-b disable
        set wizard-type custom
        set xauthtype auto
        set reauth disable
        set authusrgrp "remote_phones"
        set usrgrp "remote_phones"
        set idle-timeout disable
        set ha-sync-esp-seqno enable
        set auto-discovery-sender disable
        set auto-discovery-receiver disable
        set auto-discovery-forwarder disable
        set nattraversal enable
        set default-gw 0.0.0.0
        set default-gw-priority 0
        set assign-ip enable
        set assign-ip-from range
        set ipv4-start-ip 10.100.1.1
        set ipv4-end-ip 10.100.1.100
        set ipv4-netmask 255.255.255.0
        set dns-mode auto
        set ipv4-split-include ''
        set split-include-service ''
        set ipv6-start-ip ::
        set ipv6-end-ip ::
        set ipv6-prefix 128
        set ipv6-split-include ''
        set unity-support disable
        set psksecret 123456789
        set distance 15
        set priority 0
        set dpd-retrycount 3
        set dpd-retryinterval 20
    next
end

Notes on this block:
- set peertype dialup: when using FortiOS 5.6.x, peertype should be set to any instead of dialup.
- set usrgrp "remote_phones": when using FortiOS 5.6.x, usrgrp is not supported, so remove this line.
- set psksecret 123456789: the pre-shared key must be strong enough and must be kept secret.
Caution:
From FortiOS 5.2 included, in IKEv1 Main mode with dialup group, it is no longer possible to use several
different PSKs on a given server.

Add the IPsec VPN phase 2 settings:
config vpn ipsec phase2-interface
    edit "OXOremUsers"
        set phase1name "RemoteUsers"
        set proposal aes256-sha256
        set pfs enable
        set dhgrp 16 14 5
        set replay enable
        set keepalive disable
        set add-route phase1
        set auto-discovery-sender phase1
        set auto-discovery-forwarder phase1
        set keylife-type seconds
        set single-source disable
        set route-overlap use-new
        set encapsulation tunnel-mode
        set comments "VPN: RemoteUsers"
        set protocol 0
        set src-addr-type subnet
        set src-port 0
        set dst-addr-type subnet
        set dst-port 0
        set keylifeseconds 43200
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end

Configure the firewall policies: policy 1 allows incoming traffic (remote users to corporate LAN), policy 2
allows outgoing traffic (corporate LAN to remote users) and policy 3 allows traffic between remote workers:
config firewall policy
    edit 1
        set name "RemoteUsers_to_LAN"
        set srcintf "RemoteUsers"
        set dstintf "lan"
        set srcaddr "IPRemoteUsers_range"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
    edit 2
        set name "LAN_to_RemoteUsers"
        set srcintf "lan"
        set dstintf "RemoteUsers"
        set srcaddr "all"
        set dstaddr "IPRemoteUsers_range"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
    edit 3
        set name "RemoteUsers_to_RemoteUsers"
        set srcintf "RemoteUsers"
        set dstintf "RemoteUsers"
        set srcaddr "IPRemoteUsers_range"
        set dstaddr "IPRemoteUsers_range"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end
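As an added example (not from the guide and not a FortiOS tool), the following Python script parses the phase1-interface and phase2-interface blocks of a FortiOS configuration such as the template above and checks them against the constraints stated in this chapter: the aes256-sha256 proposal and DH groups 5/14/16 (2.7.1.4), the phase 1 and phase 2 key lifetimes (2.8.2.1.12 and 2.8.2.1.13), XAuth/EAP with a shared PSK (2.7.1.2 and 2.7.1.3) and the FortiOS 5.6 changes to peertype and usrgrp. The parser, the 20-character PSK minimum and the sample configuration are assumptions constructed for this example.

```python
# Lint a FortiOS IPsec config against the phone constraints stated in this chapter.
# Added example; not part of the guide or of FortiOS.

# From the chapter: the phones negotiate aes256-sha256 only, with DH groups
# 5/14/16; the phase 1 lifetime must exceed 1.5 h and the phase 2 lifetime 0.5 h.
ALLOWED_PROPOSALS, ALLOWED_DHGRP = {"aes256-sha256"}, {"5", "14", "16"}
MIN_P1_KEYLIFE, MIN_P2_KEYLIFE = 5400, 1800   # seconds
MIN_PSK_LEN = 20   # assumption: the guide only says "strong enough"

def parse_fortios(text):
    """Parse 'config T / edit E / set k v... / next / end' into {table: {entry: {key: [values]}}}."""
    tables, table, entry = {}, None, None
    for tok in map(str.split, text.splitlines()):
        if not tok:
            continue
        if tok[0] == "config":
            table = " ".join(tok[1:])
            tables.setdefault(table, {})
        elif tok[0] == "edit" and table is not None:
            entry = tok[1].strip('"')
            tables[table][entry] = {}
        elif tok[0] == "set" and entry is not None:
            tables[table][entry][tok[1]] = [v.strip("\"'") for v in tok[2:]]
        elif tok[0] == "next":
            entry = None
        elif tok[0] == "end":
            table = None
    return tables

def _crypto_findings(name, e):
    """Checks shared by phase 1 and phase 2: proposal and DH groups."""
    f = []
    prop = e.get("proposal", [])
    if not prop or not set(prop) <= ALLOWED_PROPOSALS:
        f.append(f"{name}: proposal {prop} does not match the phone (aes256-sha256)")
    dh = set(e.get("dhgrp", []))
    if not dh or not dh <= ALLOWED_DHGRP:
        f.append(f"{name}: dhgrp {sorted(dh)} must be within the phone groups 5/14/16")
    return f

def lint_phase1(name, p1, fortios_version=(5, 4)):
    """Findings for one phase1-interface entry; absent keys take the FortiOS defaults."""
    f = _crypto_findings(name, p1)
    if int(p1.get("keylife", ["86400"])[0]) <= MIN_P1_KEYLIFE:
        f.append(f"{name}: phase 1 keylife must exceed 1.5 h or the tunnel drops periodically")
    ike = p1.get("ike-version", ["1"])[0]
    if ike == "1" and p1.get("mode") == ["aggressive"]:
        f.append(f"{name}: aggressive mode sends a hash of the PSK in clear; use main mode or IKEv2")
    # A PSK shared by all remote workers needs a per-user credential (XAuth or EAP).
    if ((ike == "1" and p1.get("xauthtype", ["disable"]) == ["disable"])
            or (ike == "2" and p1.get("eap") != ["enable"])):
        f.append(f"{name}: XAuth/EAP disabled; acceptable only with one PSK per remote worker")
    psk = p1.get("psksecret", [""])[0]
    if len(psk) < MIN_PSK_LEN or psk.isdigit():
        f.append(f"{name}: pre-shared key too short or digits only")
    if fortios_version >= (5, 6):   # changes the guide notes for FortiOS 5.6 and later
        if p1.get("peertype") == ["dialup"]:
            f.append(f"{name}: FortiOS 5.6+: set peertype any (dialup group no longer supported)")
        if "usrgrp" in p1:
            f.append(f"{name}: FortiOS 5.6+: remove 'set usrgrp' (no longer supported)")
    return f

def lint_phase2(name, p2):
    f = _crypto_findings(name, p2)
    if p2.get("pfs") != ["enable"]:
        f.append(f"{name}: phase 2 must have PFS enabled")
    if int(p2.get("keylifeseconds", ["43200"])[0]) <= MIN_P2_KEYLIFE:
        f.append(f"{name}: phase 2 keylife must exceed 0.5 h or the tunnel drops periodically")
    return f

def lint_config(text, fortios_version=(5, 4)):
    """Run every check over a FortiOS configuration text and return the findings."""
    tables = parse_fortios(text)
    findings = []
    for name, p1 in tables.get("vpn ipsec phase1-interface", {}).items():
        findings += lint_phase1(name, p1, fortios_version)
    for name, p2 in tables.get("vpn ipsec phase2-interface", {}).items():
        findings += lint_phase2(name, p2)
    return findings

# Constructed sample: the guide's template reduced to the checked keys, keeping its
# placeholder PSK 123456789 so that the weak-key finding is visible.
SAMPLE = """\
config vpn ipsec phase1-interface
    edit "RemoteUsers"
        set keylife 10800
        set peertype dialup
        set proposal aes256-sha256
        set dhgrp 16 14 5
        set xauthtype auto
        set usrgrp "remote_phones"
        set psksecret 123456789
    next
end
config vpn ipsec phase2-interface
    edit "OXOremUsers"
        set proposal aes256-sha256
        set pfs enable
        set dhgrp 16 14 5
        set keylifeseconds 43200
    next
end
"""
```

Running lint_config(SAMPLE) reports only the placeholder PSK; passing fortios_version=(5, 6) adds the peertype and usrgrp findings for an upgraded server.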

2.8.3 IKEv1 Aggressive Mode


2.8.3.1 Server configuration using the Web Based Management (WBM)
The menus of the WBM may change from one version to another. Therefore, the CLI may be used as an
alternative (see § 2.8.3.2).
Please refer to section 2.8.2 for the configuration via the WBM (the procedure is similar to that of IKEv1
Main Mode), except for the configuration of the IPsec tunnel authentication mode, which differs as follows:
1. In the Method field, select Pre-shared Key
2. Enter a pre-shared key
3. Select IKE Version “1”
4. In the Mode field, select Aggressive
5. In the Accept Types field, select Any peer ID

2.8.3.2 Server configuration using the Command Line and Configuration file
The administrator can also configure the VPN through the Fortigate 30E Command Line Interface (CLI)
instead of the Web Based Management (WBM).
The template below contains all CLI commands required to configure a Fortigate “out of the box”.
The highlighted items must be customized to suit your configuration.
Create a user for each remote worker:
config user local
    edit "user1"
        set type password
        set email-to "[email protected]"
        set passwd 1245
    next
    edit "user2"
        set type password
        set passwd 6789
    next
end

Create a user group for all remote workers and include the users:
config user group
    edit "remote_phones"
        set member "user1" "user2"
    next
end

Configure the LAN and WAN interfaces:
config system interface
    edit "lan"
        set vdom "root"
        set ip 172.25.17.211 255.255.255.240
        set allowaccess ping https ssh
        set type hard-switch
        set role lan
    next
    edit "wan"
        set vdom "root"
        set mode static
        set ip 10.0.0.1 255.255.255.0
        set allowaccess ping https ssh
        set type physical
        set role wan
    next
end

Add the firewall addresses used by the rules that accept IP traffic:
config firewall address
    edit "IPRemoteUsers_range"
        set type iprange
        set comment "VPN remote users address range"
        set start-ip 10.100.1.1
        set end-ip 10.100.1.100
    next
    edit "Local_wan"
        set associated-interface "wan"
        set subnet 10.0.0.0 255.255.255.0
    next
end

Add a static route to the default gateway:
config router static
    edit 1
        set gateway 172.25.17.209
        set device "lan"
        set comment "DMZ gateway"
    next
end

Add the IPsec VPN phase 1 settings:
config vpn ipsec phase1-interface
    edit "RemoteUsers"
        set type dynamic
        set interface "wan"
        set ip-version 4
        set ike-version 1
        set local-gw 0.0.0.0
        set keylife 10800
        set authmethod psk
        set mode aggressive
        set peertype any
        set mode-cfg enable
        set ipv4-wins-server1 0.0.0.0
        set ipv4-wins-server2 0.0.0.0
        set proposal aes256-sha256
        set add-route enable
        set exchange-interface-ip disable
        set localid ''
        set localid-type auto
        set negotiate-timeout 30
        set fragmentation enable
        set dpd on-demand
        set forticlient-enforcement disable
        set comments "VPN: RemoteUsers"
        set npu-offload enable
        set dhgrp 16 14 5
        set suite-b disable
        set wizard-type custom
        set xauthtype auto
        set reauth disable
        set authusrgrp "remote_phones"
        set idle-timeout disable
        set ha-sync-esp-seqno enable
        set auto-discovery-sender disable
        set auto-discovery-receiver disable
        set auto-discovery-forwarder disable
        set nattraversal enable
        set default-gw 0.0.0.0
        set default-gw-priority 0
        set assign-ip enable
        set assign-ip-from range
        set ipv4-start-ip 10.100.1.1
        set ipv4-end-ip 10.100.1.100
        set ipv4-netmask 255.255.255.0
        set dns-mode auto
        set ipv4-split-include ''
        set split-include-service ''
        set ipv6-start-ip ::
        set ipv6-end-ip ::
        set ipv6-prefix 128
        set ipv6-split-include ''
        set unity-support disable
        set psksecret 123456789
        set distance 15
        set priority 0
        set dpd-retrycount 3
        set dpd-retryinterval 20
    next
end

Note on set psksecret 123456789: the pre-shared key must be strong enough and must be kept secret.

Add the IPsec VPN phase 2 settings:
config vpn ipsec phase2-interface
    edit "OXOremUsers"
        set phase1name "RemoteUsers"
        set proposal aes256-sha256
        set pfs enable
        set dhgrp 16 14 5
        set replay enable
        set keepalive disable
        set add-route phase1
        set auto-discovery-sender phase1
        set auto-discovery-forwarder phase1
        set keylife-type seconds
        set single-source disable
        set route-overlap use-new
        set encapsulation tunnel-mode
        set comments "VPN: RemoteUsers"
        set protocol 0
        set src-addr-type subnet
        set src-port 0
        set dst-addr-type subnet
        set dst-port 0
        set keylifeseconds 43200
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end

Configure the firewall policies: policy 1 allows incoming traffic (remote users to corporate LAN), policy 2
allows outgoing traffic (corporate LAN to remote users) and policy 3 allows traffic between remote workers:
config firewall policy
    edit 1
        set name "RemoteUsers_to_LAN"
        set srcintf "RemoteUsers"
        set dstintf "lan"
        set srcaddr "IPRemoteUsers_range"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
    edit 2
        set name "LAN_to_RemoteUsers"
        set srcintf "lan"
        set dstintf "RemoteUsers"
        set srcaddr "all"
        set dstaddr "IPRemoteUsers_range"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
    edit 3
        set name "RemoteUsers_to_RemoteUsers"
        set srcintf "RemoteUsers"
        set dstintf "RemoteUsers"
        set srcaddr "IPRemoteUsers_range"
        set dstaddr "IPRemoteUsers_range"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end

2.8.4 IKEv2 – PSK


2.8.4.1 Server configuration using the Web Based Management (WBM)
The menus of the WBM may change from one version to another. Therefore, the CLI may be used as an
alternative (see § 2.8.4.2).
Please refer to section 2.8.2 for the configuration via the WBM (the procedure is similar to that of IKEv1
Main Mode), except for the configuration of the IPsec tunnel authentication mode, which differs as follows:
1. In the Method field, select Pre-shared Key
2. Enter a pre-shared key
3. Select IKE Version “2”
4. In the Accept Types field, select Any peer ID

To enable EAP-MSCHAPv2 authentication, launch the CLI console and add the following commands to the
phase 1 settings of the tunnel:
    set eap enable
    set eap-identity send-request
    set authusrgrp "remote_phones"


2.8.4.2 Server configuration using the Command Line and Configuration file
The administrator can also configure the VPN through the Fortigate 30E Command Line Interface (CLI)
instead of the Web Based Management (WBM).
The template below contains all CLI commands required to configure a Fortigate “out of the box”.
The highlighted items must be customized to suit your configuration.
Create a user for each remote worker:
config user local
    edit "user1"
        set type password
        set email-to "[email protected]"
        set passwd 1245
    next
    edit "user2"
        set type password
        set passwd 6789
    next
end

Create a user group for all remote workers and include the users:
config user group
    edit "remote_phones"
        set member "user1" "user2"
    next
end

Configure the LAN and WAN interfaces:
config system interface
    edit "lan"
        set vdom "root"
        set ip 172.25.17.211 255.255.255.240
        set allowaccess ping https ssh
        set type hard-switch
        set role lan
    next
    edit "wan"
        set vdom "root"
        set mode static
        set ip 10.0.0.1 255.255.255.0
        set allowaccess ping https ssh
        set type physical
        set role wan
    next
end

Add the firewall addresses used by the rules that accept IP traffic:
config firewall address
    edit "IPRemoteUsers_range"
        set type iprange
        set comment "VPN remote users address range"
        set start-ip 10.100.1.1
        set end-ip 10.100.1.100
    next
    edit "Local_wan"
        set associated-interface "wan"
        set subnet 10.0.0.0 255.255.255.0
    next
end

Add a static route to the default gateway:
config router static
    edit 1
        set gateway 172.25.17.209
        set device "lan"
        set comment "DMZ gateway"
    next
end

config vpn ipsec phase1-interface Add IPsec VPN phase 1 settings


edit "RemoteUsers"
set type dynamic
set interface "wan"
set ip-version 4
set ike-version 2
set local-gw 0.0.0.0
set keylife 10800
set authmethod psk
set peertype any
set mode-cfg enable
set ipv4-wins-server1 0.0.0.0
set ipv4-wins-server2 0.0.0.0
set proposal aes256-sha256
set add-route enable
set exchange-interface-ip disable
set localid ''
set localid-type auto
set negotiate-timeout 30
set fragmentation enable
set dpd on-demand
set forticlient-enforcement disable
set comments "VPN: RemoteUsers"
set npu-offload enable
set dhgrp 16 14 5
set eap enable
set eap-identity send-request
set suite-b disable
set wizard-type custom
set reauth disable
set authusrgrp "remote_phones"
set idle-timeout disable
set ha-sync-esp-seqno enable
set auto-discovery-sender disable

        set auto-discovery-receiver disable
        set auto-discovery-forwarder disable
        set nattraversal enable
        set default-gw 0.0.0.0
        set default-gw-priority 0
        set assign-ip enable
        set assign-ip-from range
        set ipv4-start-ip 10.100.1.1
        set ipv4-end-ip 10.100.1.100
        set ipv4-netmask 255.255.255.0
        set dns-mode auto
        set ipv4-split-include ''
        set split-include-service ''
        set ipv6-start-ip ::
        set ipv6-end-ip ::
        set ipv6-prefix 128
        set ipv6-split-include ''
        set unity-support disable
        # Pre-shared key must be strong enough and must be kept secret.
        set psksecret 123456789
        set distance 15
        set priority 0
        set dpd-retrycount 3
        set dpd-retryinterval 20
    next
end

# Add IPsec VPN phase 2 settings
config vpn ipsec phase2-interface
    edit "OXOremUsers"
        set phase1name "RemoteUsers"
        set proposal aes256-sha256
        set pfs enable
        set dhgrp 16 14 5
        set replay enable
        set keepalive disable
        set add-route phase1
        set auto-discovery-sender phase1
        set auto-discovery-forwarder phase1
        set keylife-type seconds
        set single-source disable
        set route-overlap use-new
        set encapsulation tunnel-mode
        set comments "VPN: RemoteUsers"
        set protocol 0
        set src-addr-type subnet
        set src-port 0
        set dst-addr-type subnet
        set dst-port 0
        set keylifeseconds 43200
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end

# Configure firewall policies
config firewall policy
    # Allow incoming traffic (remote users to corporate LAN)
    edit 1
        set name "RemoteUsers_to_LAN"
        set srcintf "RemoteUsers"
        set dstintf "lan"
        set srcaddr "IPRemoteUsers_range"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
    # Allow outgoing traffic (corporate LAN to remote users)
    edit 2
        set name "LAN_to_RemoteUsers"
        set srcintf "lan"
        set dstintf "RemoteUsers"
        set srcaddr "all"
        set dstaddr "IPRemoteUsers_range"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
    # Allow traffic between remote workers
    edit 3
        set name "RemoteUsers_to_RemoteUsers"
        set srcintf "RemoteUsers"
        set dstintf "RemoteUsers"
        set srcaddr "IPRemoteUsers_range"
        set dstaddr "IPRemoteUsers_range"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end

2.8.5 IKEv2 – Certificate

2.8.5.1 Server configuration using the Web Based Management (WBM)
The menu layout of the WBM may change from one version to another; the CLI usage described in the
corresponding chapter below may therefore be considered as an alternative.
Please refer to chapter 2.8.2 for all configuration steps except the following ones (which correspond to
chapter 2.8.2.1.11).

2.8.5.2 Import CA certificate/Server certificate

1. Prepare your server certificate and the CA certificate(s) that sign it.
2. In System > Certificates, press Import CA certificate to import the CA certificates, then
Import Local certificate to import the server certificate. When the certificates are successfully imported,
you can find them in System > Certificates.

2.8.5.3 Configuring the IPsec tunnel authentication method

1. In the Method field, select Signature
2. Select the server certificate imported in § 2.8.5.2
3. Select IKE Version “2”
4. In the Accept Types field, select Any peer ID

To enable EAP MSCHAPv2 authentication, launch the CLI console and add the following commands to the
phase 1 definition:
set eap enable
set eap-identity send-request
set authusrgrp "remote_phones"

2.8.5.4 Configuring the IPsec IKE phase 1 for IPsec tunnel

1. Select AES256 in the Encryption field, and SHA256 in the Authentication field
2. In the Diffie-Hellman Groups field, select the check boxes 5, 14, 16 as wanted
3. In the Local ID field, enter the subject of the server certificate, which can be found in § 2.8.5.2
Attention: the choice of encryption/authentication algorithm and DH group is free, but the settings must be
consistent on the server side and on the phone side (the strongSwan client). If a tunnel is already
configured for another purpose, set up the corresponding configuration on the phone client side.

2.8.5.5 Server configuration using the Command Line and Configuration file
The administrator can also configure the VPN through the Fortigate 30E Command Line Interface (CLI) instead
of the Web Based Management (WBM).
The template contains all CLI commands required to configure a Fortigate “out of the box”.
The yellow-highlighted items must be customized to suit your configuration.
To select only the CLI commands on the left: press Alt and select.
config user local
    edit "user1"
        set type password
        set email-to "[email protected]"
        set passwd 1245
    next
    edit "user2"
        set type password
        set passwd 6789
    next
end

config user group
    edit "remote_phones"
        set member "user1" "user2"
    next
end

config system interface
    edit "lan"
        set vdom "root"
        set ip 172.25.17.211 255.255.255.240
        set allowaccess ping https ssh
        set type hard-switch
        set role lan
    next
    edit "wan"
        set vdom "root"
        set mode static
        set ip 10.0.0.1 255.255.255.0
        set allowaccess ping https ssh
        set type physical
        set role wan
    next
end

config firewall address
    edit "IPRemoteUsers_range"
        set type iprange
        set comment "VPN remote users address range"
        set start-ip 10.100.1.1
        set end-ip 10.100.1.100
    next
    edit "Local_wan"
        set associated-interface "wan"
        set subnet 10.0.0.0 255.255.255.0
    next
end

config router static
    edit 1
        set gateway 172.25.17.209
        set device "lan"
        set comment "DMZ gateway"
    next
end

config vpn ipsec phase1-interface
    edit "RemoteUsers"
        set type dynamic
        set interface "wan"
        set ip-version 4
        set ike-version 2
        set local-gw 0.0.0.0
        set keylife 10800
        set authmethod signature
        set peertype any
        set mode-cfg enable
        set ipv4-wins-server1 0.0.0.0
        set ipv4-wins-server2 0.0.0.0
        set proposal aes256-sha256
        set add-route enable
        set exchange-interface-ip disable
        # Placeholder: replace with the CN (subject) of the imported server certificate
        set localid "CN of imported certificate"
        set localid-type auto
        set negotiate-timeout 30
        set fragmentation enable
        set dpd on-demand
        set forticlient-enforcement disable
        set comments "VPN: RemoteUsers"
        set npu-offload enable
        set dhgrp 15
        set eap enable
        set eap-identity send-request
        # Placeholder: replace with the name of the server certificate as imported in 2.8.5.2
        set certificate "Name of server certificate"
        set suite-b disable
        set wizard-type custom
        set reauth disable
        set authusrgrp "remote_phones"
        set idle-timeout disable
        set ha-sync-esp-seqno enable
        set auto-discovery-sender disable
        set auto-discovery-receiver disable
        set auto-discovery-forwarder disable
        set nattraversal enable
        set default-gw 0.0.0.0
        set default-gw-priority 0
        set assign-ip enable
        set assign-ip-from range
        set ipv4-start-ip 10.100.1.1
        set ipv4-end-ip 10.100.1.100
        set ipv4-netmask 255.255.255.0
        set dns-mode auto
        set ipv4-split-include ''
        set split-include-service ''
        set ipv6-start-ip ::
        set ipv6-end-ip ::
        set ipv6-prefix 128
        set ipv6-split-include ''
        set unity-support disable
        set distance 15
        set priority 0
        set dpd-retrycount 3
        set dpd-retryinterval 20
    next
end

config vpn ipsec phase2-interface
    edit "OXOremUsers"
        set phase1name "RemoteUsers"
        set proposal aes256-sha256
        set pfs enable
        set dhgrp 16 14 5
        set replay enable
        set keepalive disable
        set add-route phase1
        set auto-discovery-sender phase1
        set auto-discovery-forwarder phase1
        set keylife-type seconds
        set single-source disable
        set route-overlap use-new
        set encapsulation tunnel-mode
        set comments "VPN: RemoteUsers"
        set protocol 0
        set src-addr-type subnet
        set src-port 0
        set dst-addr-type subnet
        set dst-port 0
        set keylifeseconds 43200
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end

config firewall policy
    edit 1
        set name "RemoteUsers_to_LAN"
        set srcintf "RemoteUsers"
        set dstintf "lan"
        set srcaddr "IPRemoteUsers_range"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
    edit 2
        set name "LAN_to_RemoteUsers"
        set srcintf "lan"
        set dstintf "RemoteUsers"
        set srcaddr "all"
        set dstaddr "IPRemoteUsers_range"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
    edit 3
        set name "RemoteUsers_to_RemoteUsers"
        set srcintf "RemoteUsers"
        set dstintf "RemoteUsers"
        set srcaddr "IPRemoteUsers_range"
        set dstaddr "IPRemoteUsers_range"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end

2.9 Step by step example: Fortigate 60D

2.9.1 Characteristics
2.9.1.1 Hardware aspects
Supported Fortigate VPN server hardware: Fortigate 30D / 50D / 60D.
The latest Fortigate hardware (50E / 60E) should also be supported (not tested yet).
High-end Fortigate gateways (e.g. 300/1000) are also compatible, but these models are usually not deployed
in SMBs.

2.9.1.2 Software aspects

This reference design applies to the firmware FortiOS 5.4.4.
Older versions may also work, but they have not been tested. In the following, the configuration settings may
not be relevant for older firmware versions. Upgrading may be considered if issues occur.

2.9.2 Server configuration using the Web Based Management (WBM)

The menu layout of the WBM may change from one version to another.
Even if the Fortigate 60D interface differs in some points, it is possible to follow the step by step example
provided for the Fortigate 30E.
In this section, we only focus on the VPN server configuration using the Command Line and Configuration
file.

2.9.3 Server configuration using the Command Line and Configuration file
The template contains all CLI commands required to configure a Fortigate “out of the box”.
The yellow-highlighted items must be customized to suit your configuration.
To select only the CLI commands on the left: press Alt and select.

# Create a user for each OXO remote worker
config user local
    edit "user1"
        set type password
        set email-to "[email protected]"
        set passwd 1245
    next
    edit "user2"
        set type password
        set passwd 6789
    next
end

# Create a user group for all OXO remote workers and include the users
config user group
    edit "remote_phones"
        set member "user1" "user2"
    next
end

config system interface
    # Configure LAN interface
    edit "internal"
        set vdom "root"
        set ip 172.25.17.211 255.255.255.240
        set allowaccess ping https ssh
        set type hard-switch
        set role lan
    next
    # Configure WAN interface
    edit "wan1"
        set vdom "root"
        set mode static
        set ip 10.0.0.1 255.255.255.0
        set allowaccess ping https ssh
        set type physical
        set role wan
    next
end

# Add firewall rules to accept IP traffic
config firewall address
    edit "OXOremUsers_range"
        set type iprange
        set comment "VPN remote users address range"
        set start-ip 10.100.1.1
        set end-ip 10.100.1.49
    next
    edit "Local_WAN1"
        set associated-interface "wan1"
        set subnet 10.0.0.0 255.255.255.0
    next
end

# Add static route to default gateway
config router static
    edit 1
        set gateway 172.25.17.209
        set device "internal"
        set comment "DMZ gateway"
    next
end

# Add IPsec VPN phase 1 settings
config vpn ipsec phase1-interface
    edit "OXOremUsers"
        set type dynamic
        set interface "wan1"
        set ip-version 4
        set ike-version 1
        set local-gw 0.0.0.0
        set keylife 10800
        set authmethod psk
        set mode main
        set peertype dialup
        set mode-cfg enable
        set ipv4-wins-server1 0.0.0.0
        set ipv4-wins-server2 0.0.0.0
        set proposal aes256-sha256
        set add-route enable
        set exchange-interface-ip disable
        set localid ''
        set localid-type auto
        set negotiate-timeout 30
        set fragmentation enable
        set dpd on-demand
        set forticlient-enforcement disable
        set comments "VPN: OXOremUsers"
        set npu-offload enable
        set dhgrp 16 14 5
        set suite-b disable
        set wizard-type custom
        set xauthtype auto
        set reauth disable
        set authusrgrp "remote_phones"
        set usrgrp "remote_phones"
        set idle-timeout disable
        set ha-sync-esp-seqno enable
        set auto-discovery-sender disable
        set auto-discovery-receiver disable
        set auto-discovery-forwarder disable
        set nattraversal enable
        set default-gw 0.0.0.0
        set default-gw-priority 0
        set assign-ip enable
        set assign-ip-from range
        set ipv4-start-ip 10.100.1.1
        set ipv4-end-ip 10.100.1.49
        set ipv4-netmask 255.255.255.0
        set dns-mode auto
        set ipv4-split-include ''
        set split-include-service ''
        set ipv6-start-ip ::
        set ipv6-end-ip ::
        set ipv6-prefix 128
        set ipv6-split-include ''
        set unity-support disable
        # Pre-shared key must be strong enough and must be kept secret.
        # Caution: from FortiOS 5.2 onwards, in IKEv1 main mode with a dialup group, it is no
        # longer possible to use several different PSKs on a given server.
        set psksecret 123456789
        set distance 15
        set priority 0
        set dpd-retrycount 3
        set dpd-retryinterval 20
    next
end

# Add IPsec VPN phase 2 settings
config vpn ipsec phase2-interface
    edit "OXOremUsers"
        set phase1name "OXOremUsers"
        set proposal aes256-sha256
        set pfs enable
        set dhgrp 16 14 5
        set replay enable
        set keepalive disable
        set add-route phase1
        set auto-discovery-sender phase1
        set auto-discovery-forwarder phase1
        set keylife-type seconds
        set single-source disable
        set route-overlap use-new
        set encapsulation tunnel-mode
        set comments "VPN: OXOremUsers"
        set protocol 0
        set src-addr-type subnet
        set src-port 0
        set dst-addr-type subnet
        set dst-port 0
        set keylifeseconds 43200
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end

# Configure firewall policies
config firewall policy
    # Allow incoming traffic (remote users to corporate LAN)
    edit 1
        set name "RemUsers_to_LAN"
        set srcintf "OXOremUsers"
        set dstintf "internal"
        set srcaddr "OXOremUsers_range"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
    # Allow outgoing traffic (corporate LAN to remote users)
    edit 2
        set name "LAN_to_RemUsers"
        set srcintf "internal"
        set dstintf "OXOremUsers"
        set srcaddr "all"
        set dstaddr "OXOremUsers_range"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
    # Allow traffic between remote workers
    edit 3
        set name "RemUsers_to_RemUsers"
        set srcintf "OXOremUsers"
        set dstintf "OXOremUsers"
        set srcaddr "OXOremUsers_range"
        set dstaddr "OXOremUsers_range"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end

2.10 Step by step example: Zyxel USG40

2.10.1 Server configuration using the Web Configurator

The menus of the Web Configurator may change from one version to another.
The following configuration example is given for an IKEv1 VPN in Main mode.

2.10.1.1 Connecting to the Zyxel USG40

The Zyxel VPN configuration can be easily customized using the Web Configurator.
The administrator can access the Zyxel through a web browser, provided that the Zyxel is already connected to
the LAN. The out-of-the-box address is http://192.168.1.1.

The default Username is “admin” and the default password is “1234”.

Refer to the USG40 user manual for more details.

2.10.1.2 Creating users for remote worker authentication


Create the user credentials (one user definition per remote worker).
1. Go to: Configuration > Object > User/Group > User
2. Configure the following parameters:

2.10.1.3 Creating a subnet for the VPN local policy


Create one group (“VPN-POOL-TEST” in this example) common to all remote workers.
1. Go to: Configuration > Object > Address/Geo IP > Address
2. Configure the following parameters:

2.10.1.4 Configuring the DHCP IP range Address Pool


1. Go to: Configuration > Object > Address/Geo IP > Address
2. Configure the following parameters:

2.10.1.5 Configuring the IPsec IKE phase 1 for IPsec tunnel


1. Go to: Configuration > VPN > IPSec VPN > VPN Gateway

2. Enter the VPN Gateway name (“Poste_IP” in this example)


3. Define the PSK for authentication
4. Set the Peer ID Type field to Any to allow all declared users to have access. It is possible to restrict
the access to a group or a single user only.

5. Set the SA Life Time field to at least 5400 seconds (see remark below)
6. Create an AES256/SHA256 proposal
7. In the Diffie-Hellman Groups field, select one of the following options: 5, 14, or 16
8. Enable XAuth (extended authentication) and allow ANY user (all previously declared users can
connect)
Due to the implementation of the IPsec client in the terminal, the Phase 1 SA Key Lifetime must be set to more
than 1.5 hours.
Attention: if the key lifetime is misconfigured in the Zyxel server, this will result in periodic connection
loss of the tunnel.
If the phones still reset after about 1 hour, consider using the static Virtual IP option (see chapter 2.12.1.3).

Using the PEER-ID / LOCAL-ID field

Another option is to specify a specific PEER-ID. This is possible in the phones from version 5.45.40. See
chapter 2.12.1.5 for the phone configuration.
The Peer ID Type field must be set to E-mail, and the string value chosen to filter the users on this field
must be entered.

1. Go to: Configuration > VPN > IPSec VPN > VPN Connection

2. Define the VPN connection name (“Poste_IP” in the example), and enable the connection
3. Select the Server Role in the Application Scenario field
4. Select the previously defined VPN Gateway (“Poste-IP” for WAN1 in the example)
5. Define the local policy as applying on the group named (“VPN-POOL-TEST” in the example)

2.10.1.6 Configuring the IPsec IKE phase 2 for IPsec tunnel

1. Go to: Configuration > VPN > IPSec VPN > VPN Connection

2. Define the Address Pool (“POOL_VPN” as defined previously)

3. Keep the default SA life time (see remark below)
4. Create an AES256/SHA256 proposal
5. In the Diffie-Hellman Groups field, select one of the following options: 5, 14, or 16
Due to the implementation of the IPsec client in the terminal, the Phase 2 SA Key Lifetime must be set to
more than 0.5 hour.
Attention: if the key lifetime is misconfigured in the Zyxel server, this will result in periodic connection
loss of the tunnel.
If the phones still reset after about 20 minutes, consider using the static Virtual IP option (see chapter 2.12.1.3)
inside the phone.

Caution: if you go for a static Virtual IP in the phone, the configuration of the server depends on the server
firmware version:
• For Zyxel FW <= V4.30, you can use the settings described above.
• For Zyxel FW >= V4.38, you must disable “MODE CONFIG” in order for the connection to succeed.

2.10.1.7 Provisioning activation

1. Go to: Configuration > VPN > IPSec VPN > Configuration Provisioning
2. Add a configuration for the VPN connection and the associated user allowed on this connection

2.10.2 Server configuration using the Command Line and Configuration file
The administrator can also configure the VPN through the Zyxel USG40 Command Line Interface (CLI) instead
of the Web Configurator.
This is not described in this document. Please refer to the reference manual of the USG40.

2.11 Maintenance procedures

2.11.1 Troubleshooting
In case of problems establishing a tunnel, it might be necessary to check the logs on the VPN server to
identify the phase of the tunnel establishment in which the problem occurs (IKE phase 1 or phase 2).

2.11.1.1 Phase 1: points to check

Phase 1 problems are related to the connection, the security parameters or the authentication.
- Check the address of the VPN gateway. The gateway must have a public IP address.
- Check that the right IKE port (default 500) and NAT-T port (default 4500) are forwarded on the access
gateway to the Fortigate, on ports 500 and 4500.
- If non-standard IKE and NAT-T ports are used, the access gateway may block the reverse traffic. Try
with the standard ports to see if the connection is established.
- Check that the local ID is defined and that its value is the public address of the VPN server.
- Check the security parameters: encryption, authentication and DH group. A match must be found
between the client and the server.
- In IKEv1, check the PSK, the login and the password used.
- Check that the configured key lifetime is more than 1.5 h.

2.11.1.2 Phase 2: points to check

Phase 2 problems are related to the security parameters.
- Check the security parameters: encryption, authentication and DH group. A match must be found
between the client and the server for phase 2. The parameters need not be the same as for
phase 1.
- Check that the configured key lifetime is more than 0.5 h.
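The following Python script is an added example, not part of this guide and not FortiOS code: it parses the flat config/edit/set/next/end shape of the CLI templates in 2.8.4, 2.8.5.5 and 2.9.3 and applies the phase 1 and phase 2 checks listed above (proposal, DH groups, key lifetimes, PSK or certificate settings, IKEv1 aggressive mode) before the template is loaded on the gateway. The embedded template is a constructed, shortened copy of the IKEv2/PSK example; the function names, the severity labels and the 16-character PSK threshold are this example's own choices.

```python
"""Added example (not from the ALE guide or FortiOS): parse the flat
config/edit/set/next/end shape of the CLI templates in this chapter and
check the phase 1 / phase 2 points from the troubleshooting checklist."""
import shlex
from typing import Dict, List, Optional, Tuple

# Constructed, shortened copy of the IKEv2 pre-shared-key template in 2.8.4.
SAMPLE_TEMPLATE = """\
config vpn ipsec phase1-interface
    edit "RemoteUsers"
        set ike-version 2
        set keylife 10800
        set authmethod psk
        set proposal aes256-sha256
        set dhgrp 16 14 5
        set localid ''
        set psksecret 123456789
    next
end
config vpn ipsec phase2-interface
    edit "OXOremUsers"
        set phase1name "RemoteUsers"
        set proposal aes256-sha256
        set pfs enable
        set dhgrp 16 14 5
        set keylifeseconds 43200
    next
end
"""

Entry = Dict[str, List[str]]            # option -> values
Config = Dict[str, Dict[str, Entry]]    # table -> entry name -> options
Finding = Tuple[str, str]               # (severity, message)


def parse_fortios(text: str) -> Config:
    """Build {table: {entry: {option: [values]}}}; '#' lines are comments.
    Only the flat shape used in the guide is accepted; anything nested raises."""
    tables: Config = {}
    table: Optional[Dict[str, Entry]] = None
    entry: Optional[Entry] = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, *args = shlex.split(line)
        if keyword == "config":
            if table is not None:
                raise ValueError(f"line {lineno}: nested config not supported")
            table = tables.setdefault(" ".join(args), {})
        elif keyword == "edit":
            if table is None or entry is not None:
                raise ValueError(f"line {lineno}: 'edit' outside a config table")
            entry = table.setdefault(" ".join(args), {})
        elif keyword == "set":
            if entry is None or not args:
                raise ValueError(f"line {lineno}: 'set' outside an edit block")
            entry[args[0]] = args[1:]
        elif keyword == "next":
            entry = None
        elif keyword == "end":
            table = None
        else:
            raise ValueError(f"line {lineno}: unknown keyword {keyword!r}")
    return tables


def first(entry: Entry, option: str, default: str = "") -> str:
    """First value of an option, or the default when it is absent or empty."""
    values = entry.get(option)
    return values[0] if values else default


def check_vpn(cfg: Config) -> List[Finding]:
    """Apply the checks from 2.11.1 plus the PSK / certificate notes above."""
    findings: List[Finding] = []
    phase1 = cfg.get("vpn ipsec phase1-interface", {})
    phase2 = cfg.get("vpn ipsec phase2-interface", {})
    phone_dh = {"5", "14", "16"}        # groups the phones propose (2.8.5.4)
    for name, p1 in phase1.items():
        # IKEv1 aggressive mode transmits a hash of the PSK (note in 2.12.1.3)
        if first(p1, "ike-version", "1") == "1" and first(p1, "mode", "main") == "aggressive":
            findings.append(("high", f"{name}: IKEv1 aggressive mode exposes a PSK hash"))
        auth = first(p1, "authmethod", "psk")
        if auth == "psk":
            psk = first(p1, "psksecret")
            if len(psk) < 16 or psk.isdigit():   # threshold chosen for this example
                findings.append(("high", f"{name}: pre-shared key is short or digits only"))
        elif auth == "signature" and not (first(p1, "certificate") and first(p1, "localid")):
            findings.append(("high", f"{name}: signature auth needs certificate and localid (CN)"))
        if "aes256-sha256" not in p1.get("proposal", []):
            findings.append(("medium", f"{name}: phase 1 proposal does not offer aes256-sha256"))
        if not phone_dh & set(p1.get("dhgrp", [])):
            findings.append(("medium", f"{name}: no DH group 5, 14 or 16 in phase 1"))
        life = first(p1, "keylife")
        if not life.isdigit() or int(life) < 5400:   # phones need more than 1.5 h
            findings.append(("medium", f"{name}: phase 1 key lifetime below 5400 s"))
    for name, p2 in phase2.items():
        if first(p2, "phase1name") not in phase1:
            findings.append(("high", f"{name}: phase1name does not match a phase 1 entry"))
        if "aes256-sha256" not in p2.get("proposal", []):
            findings.append(("medium", f"{name}: phase 2 proposal does not offer aes256-sha256"))
        if not phone_dh & set(p2.get("dhgrp", [])):
            findings.append(("medium", f"{name}: no DH group 5, 14 or 16 in phase 2"))
        if first(p2, "pfs", "enable") != "enable":
            findings.append(("medium", f"{name}: PFS is disabled"))
        life = first(p2, "keylifeseconds")
        if not life.isdigit() or int(life) < 1800:   # phones need more than 0.5 h
            findings.append(("medium", f"{name}: phase 2 key lifetime below 1800 s"))
    return findings


if __name__ == "__main__":
    for severity, message in check_vpn(parse_fortios(SAMPLE_TEMPLATE)):
        print(f"[{severity}] {message}")
```

Run against the sample, the only finding is the placeholder pre-shared key 123456789, which is exactly the item the template annotations tell you to replace; the other settings of the template pass. The checks are a pre-flight list for a text template, not a replacement for reading the server logs described in 2.11.3 once the tunnel is live.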

Several phones behind a remote worker's router may not connect. If, on the remote site, one phone
connects properly but adding other devices makes the connection fail, verify that the IPsec passthrough
option of the router (if available) is disabled.

2.11.2 Other problems

- Check that the ippool parameter “arp-reply” has the value “disable”.
- Check that the firewall settings are correctly set, to allow the traffic between the communication systems
and the workstation behind the VPN server.
- If the key lifetime is correctly set and the phones still reset after an hour or 20 minutes, for example,
consider using a static Virtual IP (see chapter 2.12.1.3).
- If the 8088 cannot update applications (such as the Rainbow client), consider setting up the DNS
servers in the VPN server configuration (see chapter 2.8.2.1.7).

2.11.3 Activity logs

First of all, the logs must be activated, if they are not available:

It is also necessary to choose the events to log:

This can also be done through the web interface:

The relevant logs for a VPN failure are available in the web interface:

This window displays different pieces of information to help find the reason behind a failure.
It can for example indicate that the error occurs during phase 1 or phase 2 of the tunnel setup, and that a
tunnel parameter of the client does not match the local configuration.

The status of current VPNs is also available:

The logs can also give some information about the parameters used for the tunnel, when it is successful
(encryption, hash, IP addresses …):

2.11.4 Network traffic

It is possible to dump network traffic on the Fortigate.
To dump all traffic:

To dump traffic for a single interface (here wan1):

Traffic entering or leaving the tunnel can also be dumped:

The name of the VPN interface (here oxovpn_0) can be found in the following menu:

2.12 Appendix
In the following, screenshots come from different types of phones, such as the 8018 (black and white) or the
8068s (colour), but the content of the menus is the same and shows the same options.

2.12.1 IP phones VPN configuration (with PIN solution)

It is easy to identify whether the PIN code is supported in the phone: if, after the *# sequence, there is a VPN
entry, you are in this configuration. Otherwise, please check the Annex.
The PIN code is fully managed by the end user and dedicated to the VPN menu. The end user must set it when
trying to activate or modify the VPN configuration for the first time; 5 successive failed authentications will
erase both the IPsec VPN configuration and the PIN code.

The menu access policy follows this principle:

• All Read Only entries have free access
• Entries with modification capability may be locked by the ADMIN password (depending on the
communication system type and configuration).
• The VPN related entries (for modification) need:
- either an end user PIN code
- or the ADMIN password to be entered
Depending on the system, the access to the sub-menus may be restricted. Usually on OXO Connect
systems, all menus have free access; for OmniPCX Enterprise, depending on the communication system
configuration, the system ADMIN passcode may apply to some menus.
In the following example, we suppose that the system has an ADMIN password defined for the phones.

Character mapping:
On the 8008 and 8018 there is no mini keyboard; the user must press the “123<>abc” button to access
character mode.
The characters are mapped on the dial pad as follows:
Key 0: + . , \ ? ! < >
Key 1: space | - _ 1
Keys 2 to 9: 2…9 and a…z
Key *: nothing
Key #: nothing
Access to capitals through a long press on * (toggles caps)
On phones with a mini keyboard, the characters are directly available through the keyboard markings,
except for the “&” character, which can be reached through:
+ SHIFT + E = &

2.12.1.1 Entering the configuration menu (step 1)

To enter the phone configuration:
1. Power on the phone
2. When STEP 2 is reached (symbolized by the number 2 on the screen and Network setup), type *
then #
The root of the configuration menu opens (free access). The following screen is an example of the root
menu content.
Press the DOWN navigation key if needed until the VPN entry is displayed, and press the associated soft
key.
The VPN menu is displayed. The VPN menu position may differ from one phone type to another.

2.12.1.2 Entering the VPN menu (step 2)

The following VPN configuration MMI is captured from an 8028s, but the same structure is used on all VPN
capable phones.
If it is the first time the end user enters the VPN menu (in other words, if no PIN code exists), a window will
pop up asking the end user to set a new PIN code.

The new PIN code can be entered directly: 4 digits. Then validate it with the top left key.
Otherwise, the VPN Settings will be displayed:

If the new PIN code has not been defined yet, pressing a soft key beside any submenu item for
modification will require a PIN/Password authentication.

It is possible to select (by pressing the 3rd left soft key) whether to use the PIN code or the Password for the
authentication (if a password is defined in the communication system for the phones).

If there is no local password set, there is no such option.

After the authentication is passed, there is no need to re-enter the PIN or Password to access
other submenus which require the same level of authentication.

2.12.1.3 Configuring the VPN Config submenu (step 3)

1. Press VPN Config
2. Select Enable VPN
3. Fill in the VPN server IP address (3-digit fields; for example: for 25, enter 025; for 8, enter 008)
4. Fill in the PSK (refer to the key character mapping described above)
5. Select the IKE version to be used, with the relevant options
6. Press the 1st left soft key to save and return to the upper level menu.

Screen callouts (VPN Config screenshots): select the IKE version with multiple presses; the PSK field is typed
in clear and later read back as stars; choose Aggressive with caution (see below); the force encapsulation
option can help passing firewalls; Static Virtual IP is to be used in case the VPN server does not maintain
the same Virtual IP during the session (see below).

Notes:
• The Aggressive mode is inherently flawed, as a hash of the PSK is transmitted in the clear. A hacker
can attack the PSK using an offline dictionary. It is strongly advised to avoid using the Aggressive
mode.
• The IKE force encap option forces UDP encapsulation for ESP packets even if no NAT situation is
detected. This may help to get through restrictive firewalls. In order to force the peer to encapsulate
packets, NAT detection payloads are faked.
• The Static Virtual IP option and the VIP Addr field below (available from R500, versions 5.40+) are
used to force the phone to manage its virtual address by itself. When this option is not selected, the
VPN server assigns a VIP (Virtual IP) automatically. On some servers this VIP may change when
re-keying occurs (usually after 1 hour, but it can be defined by a parameter). If this occurs, the phone
will need to reboot, as the VIP address known by the call server has changed.
To avoid this, select the Static Virtual IP checkbox, and enter the wanted phone address in the VIP
Addr field. The format for this field is described below.


 If the input address is an IP address xxx.yyy.zzz.aaa (last part aaa not set to 000), the
given static virtual IP address is used without any change (manually forced VIP).

(Figure: example of static Virtual IP Address)

 If the input address is an IP network, with the formats:
• Class A: xxx.000.000.000 xxx from 000 to 127 Range of 16.7 million VIPs
• Class B: xxx.yyy.000.000 xxx from 128 to 191 Range of 65534 VIPs
• Class C: xxx.yyy.zzz.000 xxx from 192 to 223 Range of 254 VIPs
a static virtual IP address is automatically computed by the phone inside the given network,
using a random algorithm, before establishing the VPN session.
All ‘000’ parts are replaced by a random value to obtain the static virtual IP.

(Figure: example of Virtual IP Network (Class B))

 The default value in this field is the Class B network 180.178.000.000. Following the random
VIP computation, the phone may for example select VIP=180.178.025.132.
 Note that if the computed address is already in use, one of the phones resets and
computes a random address again. It is therefore recommended to select the network class
so that the address range is much bigger than the number of phones, or to
force the VIP manually in the field (see above).
 Do not forget to set up the route for the selected VIP, following the same procedure as in
the standard configuration, described in chapter 2.4.1.4.
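The VIP Addr rule above (3-digit groups, the address is forced when the last group is not 000, otherwise the 000 host groups are drawn at random inside a class A/B/C network) as an added Python example. It is not code from the guide or from the phone firmware; the function and class names are assumptions, and the choice to treat a field whose trailing 000 groups do not match its class (for example 180.000.000.000) as invalid is the example's own. It also computes the birthday-bound probability of two phones drawing the same VIP, which is the reason behind the advice to pick a range much bigger than the fleet.

```python
import random
import re

# Added example, not code from the ALE guide or the phone firmware. It models
# the "VIP Addr" rule from the notes: a non-000 last group is used as-is,
# otherwise the 000 host groups are filled with a random host part inside the
# class A/B/C network, giving the 16.7M / 65534 / 254 usable VIPs the guide lists.

_FIELD_RE = re.compile(r"^(\d{3})\.(\d{3})\.(\d{3})\.(\d{3})$")
_HOST_OCTETS = {"A": 3, "B": 2, "C": 1}   # number of trailing 000 groups per class


def parse_vip_field(text):
    """Parse the phone's 3-digit-per-group field (e.g. '180.178.000.000')."""
    m = _FIELD_RE.match(text.strip())
    if not m:
        raise ValueError("expected four 3-digit groups, e.g. 180.178.000.000")
    octets = tuple(int(g) for g in m.groups())
    if any(o > 255 for o in octets):
        raise ValueError("group out of range 000..255: %s" % text)
    return octets


def network_class(first_octet):
    """Class from the first group, using the ranges given in the guide."""
    if first_octet <= 127:
        return "A"
    if first_octet <= 191:
        return "B"
    if first_octet <= 223:
        return "C"
    raise ValueError("first group %d is outside the class A/B/C ranges" % first_octet)


def vip_range_size(cls):
    """Usable VIPs per class: all-zero and all-ones host parts are never chosen."""
    return 2 ** (8 * _HOST_OCTETS[cls]) - 2


class FixedHostRng:
    """Deterministic stand-in for the RNG (illustration only): always returns
    one chosen host number so that a run can be reproduced."""

    def __init__(self, host):
        self.host = host

    def randint(self, low, high):
        if not low <= self.host <= high:
            raise ValueError("fixed host outside allowed range")
        return self.host


def compute_static_vip(field_text, rng=None):
    """Return the VIP (in the phone's 3-digit notation) for a VIP Addr field value."""
    rng = rng or random.SystemRandom()
    octets = parse_vip_field(field_text)
    if octets[3] != 0:
        return "%03d.%03d.%03d.%03d" % octets   # manually forced VIP, used unchanged
    cls = network_class(octets[0])
    n_host = _HOST_OCTETS[cls]
    # Assumption of this example: the trailing 000 groups must be exactly the
    # class's host part (xxx.yyy.000.000 for class B, and so on).
    if any(o != 0 for o in octets[4 - n_host:]):
        raise ValueError("class %s network must end with %d '000' groups" % (cls, n_host))
    host = rng.randint(1, vip_range_size(cls))   # never all-zero / all-ones
    host_octets = host.to_bytes(n_host, "big")
    return ".".join("%03d" % o for o in octets[:4 - n_host] + tuple(host_octets))


def collision_probability(n_phones, cls):
    """Birthday-bound probability that at least two of n_phones phones pick the
    same random VIP in a class network (a clash resets one of the phones)."""
    size = vip_range_size(cls)
    if n_phones > size:
        return 1.0
    p_distinct = 1.0
    for k in range(n_phones):
        p_distinct *= (size - k) / size
    return 1.0 - p_distinct


if __name__ == "__main__":
    print(compute_static_vip("180.178.000.000"))                                  # random class B VIP
    print(compute_static_vip("180.178.000.000", FixedHostRng(25 * 256 + 132)))   # 180.178.025.132
    print(compute_static_vip("180.178.025.132"))                                  # forced VIP, unchanged
    for n in (20, 50, 200):
        print(n, "phones:", {c: round(collision_probability(n, c), 4) for c in "ABC"})
```

With 50 phones, a class C range (254 VIPs) makes a clash almost certain, while the default class B range keeps it below a few percent; that is the trade-off the note above describes.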


Since R410 (versions 5.35), the server IP address is input through a new menu, as it can be set either as an
IPv4 address or as an FQDN. Press the ‘VPN Server’ soft key to enter the menu:

When the ‘Check FQDN server’ soft key is pressed, the DNS resolver is called to check the entered FQDN.
A status message is displayed on the title line.

2.12.1.4 Configuring the VPN TFTP submenu (step 4)


The TFTP addresses can also be specified here to override the ones configured in IP Parameters; this is
normally used when the IP mode is configured to dynamic. Refer to your administrator's instructions to know
whether it must be activated.
1. Press VPN Tftp
2. Select Use TFTP servers
3. Fill Tftp1 with 1st communication system’s IP address
4. Fill Tftp 2 with 2nd communication system’s IP address (Optionally)
5. Fill Tftp Port (Optionally)
6. Press 1st left soft key to save and return to up level menu.


2.12.1.5 Configuring the VPN Auth submenu (step 5)


This submenu defines whether XAuth is enabled. Refer to your administrator's instructions to know whether it must be
activated.
1. Press VPN Auth
2. Select Use authentication, if needed
3. Fill “User” with XAuth username (refer to key character mapping described above)
4. Fill “Pass” with XAuth password. Just type the password: the [empty] message disappears
5. Select if the LOCAL-ID has to be forced or kept with default value (see below)
6. Press 1st left soft key to save and return to up level menu

The LOCAL-ID / PEER-ID field


Since version 5.45.40, an additional parameter is available for the authentication: LOCAL-ID.
This is a free string (based on the available character set, the same as for the PSK, see chapter 2.4.1.2).
This string must be the same as the one configured on the VPN server side in order to get
authenticated. It is useful for making additional routing decisions on the LAN based on this string value (differentiated
access to the company network, for example). This routing is done in the VPN server, but is out of the scope
of this document.
“PEER” means “the other side”, which is why this same string is named:
• LOCAL-ID on the phone side
• PEER-ID on the server side

(Figure: Remote worker 1 and Remote worker 2, each with LOCAL-ID=RandD, connect through the INTERNET to the VPN server on the Corporate LAN, which is configured with PEER-ID=RandD in front of the OXO communication system.)

(Screenshot callouts: initial Password field, typing in clear; reading later, the field has stars; the LOCAL-ID field can be forced.)

If not forced, it takes the default value, which is the local IP address in the homeworker network.

(Screenshot: LOCAL-ID field with the default value 192.168.0.100, then with the forced value RandD.)

2.12.1.6 Configuring the VPN PIN code submenu (step 6)

This step is optional. It allows you to define whether the PIN code must be requested at each phone startup, and to
change the PIN code.

Press VPN Pincod


Press 1st left soft key to save and return to up level menu.

If the VPN Pincod option is turned ON (by checking Request Pin on Boot), every time during the phone’s
initialization procedure an authentication window pops up and asks for the PIN or Password (if defined), and
the VPN is only launched once the authentication has passed. If it is not checked, the phone starts the
VPN without any user authentication.

2.12.1.7 Special cases


Starting without VPN
If the authentication fails 5 times, the VPN settings are restored to default (disabled), and the PIN code is also
erased.
If the BACK key (1st right soft key) is pressed during authentication, the VPN connection is aborted for this
boot only, and the phone starts without VPN.

(Screenshot callouts: VPN temporary deactivation; VPN validated.)


This is useful if the phone is used alternately in the home context and in the enterprise context. By just pressing
the BACK key at the PIN prompt, the phone can start in the enterprise context, without navigating the
settings to disable the VPN.
Resetting all VPN settings
To restore the default VPN Settings, enter VPN Default Settings.
Press the 1st left soft key to reset the configuration and return to the upper-level menu.
Press the 1st right soft key to return to the upper-level menu.

While the IPSec VPN client is running, some information is displayed to help the end user understand the
status of the connection; the details can be found in the Annex.


2.12.2 ALE IP phones VPN configuration (without PIN code solution)


A legacy phone configuration solution existed in some early versions of the 8018.
It is easy to identify whether the PIN code is supported by the phone: if, after the *# sequence, there is no VPN
entry, you are in this configuration.
To enrich the VPN configuration and simplify operation for the end user, the latest VPN implementation introduces a PIN
code mechanism in the latest phones: a 4-digit PIN code is added to allow modifying the IPSec
configuration and to authenticate the IPSec connection during boot (if configured).
The following VPN configuration MMI is captured from the 8008 and 8018:
Power on the terminal, and press * and # alternately to enter the admin settings (if a password prompt appears,
enter the password).

(Screenshots of the three Main Menu pages: MAC Address, IP Param, Soft Infos, Hard Infos; IP, Memory, Ethernet, 802.1x, Certificate; SIP, Down., LLDP, Port Mirror, VPN.)

Legend of the access-level icons shown on these pages:
• Fully accessible, no Password/PIN authentication is required
• No authentication is required to read the configuration, but PIN/Password is required to change writable configuration
• No authentication is required to read the configuration, but Password is required to change writable configuration
• All read/write operations require password authentication

In “IP Parameters”, press the down key until “VPN disable” is displayed:

Then press the softkey beside this line to enter the VPN configuration menu:

(Screenshot: VRout field showing 082.125.010.046)

To enable VPN, select the “Use VPN” check box, and enter the IP address of the Fortigate in VRout.
Press the down key and enter the Pre-shared Key; in the example below it is 123456789.

(Screenshot: VPN menu with VRout 082.125.010.046 and the Pre-shared Key entered)

When every parameter in the VPN menu is filled, press the 1st left softkey to save and return to “IP Parameter”,
configure TFTP1/TFTP2 if needed, then save; the terminal reboots automatically.


Then, at the end of step 2 of the initialization, a popup window asks for the login username and
password:

Enter the correct username/password (in the example, user1/1245 or user2/6789), press the 1st left softkey and
continue the initialization.

2.12.2.1 VPN configuration removal on phones


To disable the VPN, proceed as when enabling it: simply deselect the “Use VPN” checkbox, then press the 1st
left softkey to save.

2.12.2.2 Communication systems


As mentioned previously, there is no difference on the communication system side when deploying a legacy phone
compared to deploying a recent phone.

2.12.2.3 Fortigate VPN server


On the Fortigate VPN server side, refer to 2.8, and remember to always enable XAuth.


2.12.3 ALE IP phones VPN configuration in SIP mode


The IPsec VPN function can be configured in the following ways:

 During the initialization, at “step 2”, press “*” “#” to enter the local MMI menu, then
go to “Phone” -> “VPN”.

 After a successful initialization, enter the local MMI menu, then
go to “Phone” -> “VPN”.

2.12.3.1 Entering the configuration menu (step 1)


Press the DOWN navigation key until the VPN entry is displayed, and press the associated soft key.
The VPN menu is displayed. The VPN menu position may differ from one phone type to the other.

2.12.3.2 Entering the VPN menu (step 2)


The following VPN configuration MMI is captured from the 8058s, but the same structure is used on all VPN-capable
phones.
If it is the first time the end user enters the VPN menu (in other words, if no PIN code exists), a window
pops up asking the end user to set a new PIN code.

The new PIN code (4 digits) can be entered directly. Then press the “OK” key to save.


Otherwise, the VPN Settings are displayed:

If the new PIN code has not been defined yet, pressing the soft key beside any submenu item for
modification requires a PIN/Admin Password authentication.
It is possible to select (by pressing the 3rd left soft key) whether the PIN code or the Admin Password is used for the
authentication.

After the authentication has passed, there is no need to re-enter the PIN or Password to access
other submenus which require the same level of authentication.


2.12.3.3 Configuring the VPN Config submenu (step3)


1. Press VPN Config
2. Select Enable VPN
3. Fill the VPN server IP address (3-digit fields. For example: for 25, enter 025; for 8, enter 008)
4. Fill PSK
5. Select IKEv1 or IKEv2 by pressing the right soft key
6. Check or uncheck IKEv1 aggressive
7. Press “OK” key to save and return to up level menu.

2.12.3.4 Configuring the VPN DM URL submenu (step 4)


The DM server addresses can also be specified here to override the ones configured in IP Parameters; this
is normally used when the IP mode is configured to dynamic. Refer to your administrator's instructions to
know whether it must be activated.
1. Press VPN DM URL
2. Fill URL with 1st download server’s IP address
3. Fill URL Bak with 2nd download server’s IP address (Optionally)
4. Press “OK” to save and return to up level menu.


2.12.3.5 Configuring the VPN Auth submenu (step 5)


This submenu defines whether XAuth is enabled. Refer to your administrator's instructions to know whether it must be
activated.
1. Press VPN Auth
2. Select Use authentication, if needed
3. Fill “User” with XAuth username (refer to key character mapping described above)
4. Fill “Pass” with XAuth password. Just type the password: the [empty] message disappears
5. Press “OK” key to save and return to up level menu

When IKEv1 is used, the VPN Authentication configuration is the username/password of XAuth;
when IKEv2 is used, the VPN Authentication configuration is the username/password of EAP.

This step is optional.

2.12.3.6 Configuring the VPN PIN code submenu (step 6)

This step is optional. It allows to define if the PIN code must be requested at each phone startup, and to
change the PIN code.

Press VPN Pincode.


Press “OK” key to save and return to up level menu.


If the VPN Pincode option is turned ON (by checking Request Pin on Boot), every time during the phone’s
initialization procedure an authentication window pops up and asks for the PIN or Password (if defined), and
the VPN is only launched once the authentication has passed. If it is not checked, the phone starts the
VPN without any user authentication.

2.12.3.7 Reset all VPN settings


To restore the default VPN Settings, enter VPN Default Settings.
Press “OK” key to reset the configuration and return to up level menu.
Press ”C” key to return to up level menu.

2.12.4 IPSec VPN and Thales feature


Please note that the IPSec VPN feature cannot coexist with the Thales feature; in other words,
check whether the phone can be deployed as an IPSec VPN remote worker:
If the phone is installed with the export version of the software, there is no restriction on applying IPSec VPN;
If the phone is installed with the full version of the software, the phone can only enable the IPSec
VPN feature when the security mode is bypass.


2.12.5 Prompt Info of phone


After all the VPN-related configuration on the phone is completed by the end user, press the 1st right softkey.

The phone launches the VPN client and the screen returns to the initialization screen with a prompt:

Display when the session is successfully established:

Some information is also displayed when the PIN authentication is aborted during the initialization:


2.12.6 The 8088 Android VPN configuration


There are 3 solutions for the 8088 Android to support a VPN connection:
 Native VPN Client
And 3rd party VPN apps to get an IPSec connection:
 strongSwan
 FortiClient

2.12.6.1 StrongSwan
The StrongSwan client on the 8088 supports IKEv2 only; the corresponding server configuration is described in
§ 2.8.4.
Install the StrongSwan app on the 8088 phone set using the private store, and configure it by launching it from the private
store application on the 8088.
Once StrongSwan is installed, it can be launched even without the private store application.
It can be found in the “more” menu (top-left corner, next to create VPN).

2.12.6.1.1 Import CA certificate


Open StrongSwan, press the button beside ADD VPN PROFILE,


Press CA certificate

Press the button beside the search icon and press Import certificate to import the CA certificate
previously imported in the server (2.12.6.1.1).

The user can then see it in the IMPORTED tab.

2.12.6.1.2 Configuration of the VPN profile

Press ADD VPN PROFILE


1. Enter server address
2. Select IKEv2 EAP (Username/Password) as VPN Type
3. Enter Username
4. Enter Password
5. Check Select automatically in CA certificate.
6. In Server identity, enter the server ID configured in § 2.8.5
7. Uncheck Send certificate requests
8. Uncheck Use OCSP to check certificate
9. Uncheck Use CRL to check certificate
10. In Algorithms settings, set IKEv2 Algorithms to the one configured in § 2.8.5
11. In Algorithms settings, set IPsec/ESP Algorithms to the one configured in § 2.8.5
Press Save to save the profile.

Press the created profile to launch the VPN connection; if everything works well, it shows “Connected”


2.12.6.1.3 Split tunneling configuration

Split tunneling is a VPN concept which allows a VPN client to decide which data flows go through the VPN tunnel
and which do not. On the 8088 Android, this means you can select some applications which access the internet directly
rather than through the VPN tunnel. This saves bandwidth, as Internet traffic does not have to pass through
the VPN server.

StrongSwan supports split tunnelling configuration. To configure it:

1 : Open the strongSwan VPN settings and, under Advanced settings, go to the Split tunneling configuration
2 : Click on All applications use the VPN


3 : Choose “Exclude selected applications from the VPN”

4 : Click “Select applications”


5 : All applications are listed; choose the applications you don’t want to go through the VPN tunnel

6 : The number of selected applications is now displayed

7 : Click Save to save your configuration


2.12.6.1.4 Trouble shooting

At any time, the user can access the log by pressing the key beside the ADD VPN PROFILE button.

Press View log


2.12.6.2 FortiClient
FortiClient supports IKEv1+PSK, and the configuration on the server side is similar to the one described in
2.8.2, except that a specific cipher-suite proposal must be added.
On the Fortigate server with the VPN Tunnel IKEV1 configured for NOE 3G EE, add:
Encryption AES128 and authentication SHA1 for phase 1 and phase 2 (AES256 is not available in the
FortiClient encryption list, and only IKEV1 is available).

Install the FortiClient app on the 8088 phone set using the private store and configure it from the private store app.

Enter Server settings

Enter the VPN NAME and select IPsec VPN as VPN Type


Fill in items 1 to 4, see below

Enter VPN server IP address

Select Pre-shared Key


Enter a pre-shared key

Select Main Mode (ID protection)

Enter the IPsec Phase 1 settings


For phase 1, check that Encryption AES128 and Authentication SHA1 are selected

For phase 1, check that DH GROUP 2, 5 and 14 are checked

Enter the IPsec Phase 2 settings


For phase 2, check that Encryption AES128 and Authentication SHA1 are selected

For phase 2, only one DH GROUP must be configured

Enter the IPsec XAuth settings


Enter the VPN Username created on the Fortinet server and check that XAuth is enabled.
To have the FortiClient VPN available in the Android VPN settings, launch a 1st VPN connection internally from the
private store application and cancel it; after this, FortiClient appears in the Android VPN settings.

Launch Forticlient from private store

Enter user login/password created on Fortigate server


The connection fails as we are still connected internally; the purpose is only to make FortiClient available in the
Android VPN settings.

Forticlient is available in android VPN settings

2.12.6.3 Android Native Client


The native VPN client on Android supports IKEv1+PSK+Xauth; the configuration is more or less fixed:
Aggressive mode/Main mode
Phase 1: AES256/AES128-SHA256/SHA1 + DH Group 2
Phase 2: AES256/AES128-SHA1 + No PFS group
The server configuration can mostly be taken from § 2.8.2 & § 2.8.3, taking care that:
1. Peer Options is set to Any Peer ID.

2. Include correct cipher-suite in phase1


3. The correct cipher-suite is included in phase 2, with PFS disabled

Attention: it has been reported that in special network environments, the VPN tunnel may be
created but the communication fails. In such cases, downgrading the phase 2 encryption algorithm
from AES256 to 3DES may help to resolve the problem.
Cipher-suites proposed by the Native Client:
Phase 1: AES256/AES128/3DES/DES – SHA256/SHA1/MD5; DH Group 2; Lifetime 28800s
Phase 2: AES256/AES128/3DES/DES – SHA256*/SHA1/MD5; PFS disabled; Lifetime 28800s
*Do not use SHA256 in phase 2, because it results in communication problems.

When a Zyxel server is configured with the 8088 Android Native client, the configuration needs adjustment in
Configuration > VPN > IPSec VPN > VPN Connection


1: In the Encryption field, select AES256


2: In the Authentication field, select SHA256
3: In the Perfect Forward Secrecy (PFS) field, select none

Attention: if an 8088 Android remote phone is connected through the VPN behind an ADSL box, and the
VPN connection is established but the phone cannot connect to the call server, prefer these settings:
1: In the Encryption field, select 3DES
2: In the Authentication field, select SHA1 or MD5

On the 8088 side, the Native VPN client can be accessed through Settings.

Add a VPN profile through the top-right “+” button; this asks you to set up the lock screen PIN or password,
set it up as you want.


Press OK to set up the PIN code or password

1. Enter a Name for the VPN profile


2. Set the Type to IPSec Xauth PSK
3. Configure the Server Address
4. If the IPSec identifier is left empty, main mode is used; otherwise entering an FQDN string launches
aggressive mode
5. Enter the PSK in IPSec pre-shared key
Attention: when using the native client with a Fortigate server, a disconnect happens at IKE
rekeying. The timing of the issue is linked to the IKEv1 lifetime (up to 2 days) configured on the Fortigate.


2.12.6.4 “Always-on VPN” option


Find the “Always-on VPN” option, and select the VPN you want to always run, so that the VPN configuration
is launched in every initialization phase and keeps running at all times.

Remark: it is recommended to set this option to none when coming back to the office, because otherwise the phone
continues to connect through the VPN, even if this is not necessary.

2.12.6.5 Launch VPN


To launch it, click the created VPN icon in Settings > VPN


2.12.6.6 TFTP settings


Before running the VPN client app on the 8088, set up TFTP1 or TFTP2 correctly.
Change the IP mode from static to dynamic

TFTP1 is still OK

Chapter 3 Remote worker deployment using OPEN VPN

3.1 Overview
To describe the deployment of an 8001 Deskphone remote worker over the internet with OPEN VPN, the
OmniPCX Office RCE has been selected as the communication system.

3.2 Environment and topology


Below is the detailed device information used in deployment demonstration guide:
SIP Server:
- OmniPCX Office RCE 10.2/10.3
8001 Deskphone:
- HW 2.1.1
- SW 4.0.0.3-10581
- Kernel 3.0.2
- OPEN VPN client version: 2.0.9
Open VPN server:
- OPEN VPN version: OpenVPN 2.3.2 x86_64-pc-linux-gnu
- Server OS: Linux ubuntu14 3.19.0-25-generic

Topology example (figure; values as shown):
- INTERNET side: the 8001 DeskPhone (LAN IP Address: 192.168.100.19, Tunnel End Point Address: 10.8.0.6) behind the Home router (WAN IP Address: 116.228.56.173)
- INTRANET side: the Access router + firewall (Public IP Address: 116.228.56.182, port forwarding required), the OPEN VPN Server (Private IP Address: 30.1.1.22, Tunnel End Point Address: 10.8.0.6) and the OXO SIP Server (Private IP Address: 30.1.107.16); the figure also labels an 8001 Private IP Address: 30.1.202.33


Notes:
The packets between the intranet and the remote worker are forwarded via the Open VPN server (routing).
On the access router, UDP port 1194 must be configured to be forwarded to the IP address of the Open VPN
server.
The Open VPN port number can be verified in server.conf.

3.3 Set configuration using 8001 Web Management

3.3.1 Uploading trusted certificates to 8001 DeskPhone


The OPEN VPN client trusted certificates must contain ca.crt, client.crt, and client.key:

1. From the administration computer, open a web browser, and enter the 8001 DeskPhone IP address
2. From the 8001 Web Management home page, go to Security > Trusted certificates upload and upload
the trusted certificates to 8001 DeskPhone

After upload, the trusted certificates are displayed under Trusted certificates


Notes:
The 8001 does not support the PSK method so far. Only the certificate method can be used for the OpenVPN connection.
To avoid security issues, the customer must generate a different client certificate for each 8001/8001G DeskPhone
set. If the same certificate is shared, security risks arise when an 8001 DeskPhone set is lost or stolen.

3.3.2 Configuring 8001 VPN parameters


1. From the 8001 Web Management, go to Network > Advanced > VPN Settings
2. Complete the following fields:
• Enable VPN
• In VPN Type field, select OPEN VPN
• Upload VPN client configuration file to 8001 DeskPhone set


The picture below shows the OPEN VPN client configuration file:

From the web management home page, go to Phone Status and verify that the VPN IP address field is
filled with the OPEN VPN IP address.

Notes:
• If the VPN connection is broken, the phone automatically relaunches the connection.
• The keep-alive directive causes ping-like messages to be sent back and forth over the link so that each
side knows when the other side has gone down: ping every 10 seconds, and assume that the remote peer is
down if no ping is received during a 120 second time period.
• The current intervals are configured in the VPN server configuration file.


3.3.3 Configuring 8001 DeskPhone remote worker parameters


1. From the 8001 Web Management, go to Phone Maintenance > Advanced > Auto Provisioning
2. Activate remote worker, select HTTPS, and complete the software server URL as follows:

Note:
The 8001 DeskPhone set needs remote worker active in order to update or download its configuration file from the
OmniPCX Office RCE. On the home network, the set can get an IP address via DHCP, but it cannot get option 67
(OmniPCX Office URI https://30.1.202.7:10443/dmcfg) via DHCP.

3.4 OPEN VPN server configuration


This chapter describes how to set up the OPEN VPN server in the office. The Open VPN Server must be
downloaded from the OpenVPN website: https://openvpn.net/.

3.4.1 Installing the OpenVPN server


Open a terminal window
1. Update the package lists and upgrade the server before installing OpenVPN:
 root@ubuntu14: ~# apt-get update
 root@ubuntu14: ~# apt-get upgrade
2. Enter the following command to download the OpenVPN installation package and install it:
root@ubuntu14: ~# apt-get install openvpn


3.4.2 Generating certificate files for the OpenVPN server and 8001 DeskPhone
1. Open a terminal window
2. Configure the easy-rsa directory used to generate the certificate files:
a. Enter the following command: root@ubuntu14: ~# apt-get install easy-rsa
The easy-rsa directory is created under /usr/share/easy-rsa
b. Copy the easy-rsa directory under /etc/openvpn:
cp -r /usr/share/easy-rsa /etc/openvpn/
c. Edit the vars file:
nano /etc/openvpn/easy-rsa/vars
d. Fill in all these parameters in the vars file:

chown -R $USER /etc/openvpn/easy-rsa

cd /etc/openvpn/easy-rsa

source ./vars
At this stage, the CA certificates can be created with the parameters entered in
the vars file above.

3. Generate a CA certificate
root@ubuntu14:/etc/openvpn/easy-rsa# ./clean-all
root@ubuntu14:/etc/openvpn/easy-rsa# ./build-ca
4. Generate a certificate for the OpenVPN server
root@ubuntu14:/etc/openvpn/easy-rsa# ./build-key-server server
5. Generate a certificate for the client
root@ubuntu14:/etc/openvpn/easy-rsa# ./build-key client
6. Generate a dh1024.pem file for the server
root@ubuntu14:/etc/openvpn/easy-rsa# ./build-dh
If the screen prompts the following information, you can enter the following command to generate the
dh1024.pem file:
root@ubuntu14:/etc/openvpn/easy-rsa# openssl dhparam -out keys/dh1024.pem 1024


All the certificate files are generated in the directory /etc/openvpn/easy-rsa/keys.

Note: easy-rsa is also included in the OpenVPN package downloaded from the website.

3.4.3 Setting the Open VPN server configuration


1. Copy the certificate files required for the server (ca.crt, server.crt, server.key, and dh1024.pem) from
/etc/openvpn/easy-rsa/keys to the directory "openvpn" created above (access path: /etc/openvpn). server.key is the server private key and must stay readable by root only.
2. Copy the "server.conf" file to the directory "openvpn" created above

If you do not know where the 'server.conf' file is located, use the following command to find it, then copy it to the directory "openvpn":
root@ubuntu14:~# find / -name 'server.conf'

server.conf is located in the directory: /usr/share/doc/openvpn/examples/sample-config-files/ (on Debian/Ubuntu the sample may be shipped compressed as server.conf.gz; decompress it with gunzip after copying)

3. Edit the file "server.conf" according to your current network environment and save the change
root@ubuntu14:/etc/openvpn# vi server.conf


Note: pushing a single route or multiple routes to the 8001 DeskPhone client (push "route ..." lines in server.conf) depends on the customer's topology.
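As an added example (not the guide's own file), the following server.conf shows what the edit in step 3 typically amounts to for this deployment: the four files copied in step 1, the 10.8.0.0/24 VPN network used in § 3.4.5, and the routes pushed to the deskphone. The OXO Connect VLAN network and netmask are placeholders to replace with the customer's values; the remaining lines keep the defaults of the sample file.

```conf
# server.conf for the remote-worker OpenVPN server (added example, adapt to the site)
port 1194
proto udp
dev tun

# Files generated with easy-rsa in 3.4.2 and copied to /etc/openvpn in 3.4.3.
# server.key is the server private key: root-only read permissions.
ca   ca.crt
cert server.crt
key  server.key
dh   dh1024.pem

# VPN address pool given to the deskphones; the same network is masqueraded
# by the iptables rule in 3.4.5.
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt

# One "push route" line per subnet the deskphone must reach through the
# tunnel, typically the OXO Connect VLAN. Placeholders: replace with the real
# network and netmask, and add or remove lines to match the topology.
push "route <OXO Connect VLAN network> <netmask>"

keepalive 10 120
persist-key
persist-tun
status openvpn-status.log
verb 3
```

The client side (client.conf copied in § 3.4.4) must point its remote directive at the public address of this server and reference ca.crt, client.crt and client.key.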

3.4.4 Loading the client’s certificates and configuration file to local PC


1. Find the client's configuration file and copy it to the local PC
root@ubuntu14:~# find / -name 'client.conf'
client.conf is located in the directory: /usr/share/doc/openvpn/examples/sample-config-files/
2. Copy the client's certificates (ca.crt, client.crt, and client.key) to the local PC. client.key is the client private key: transfer and store it protected, since anyone holding it can join the VPN as this client.

3.4.5 Configuring routing


1. On the OpenVPN server, 10.8.0.0/24 is the VPN IP network. The following commands must be
launched before enabling the OpenVPN service (replace eth0 with the name of the server's LAN interface if it differs):
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
apt-get install iptables-persistent
Answer Yes when the system prompts whether to save the current IPv4/IPv6 rules.
The echo command enables IP forwarding only until the next reboot; to keep it across reboots, also set net.ipv4.ip_forward=1 in /etc/sysctl.conf.
2. On the gateway of the OXO Connect VLAN, add a static route that sends the VPN IP network (10.8.0.0/24) to the IP
address of the OpenVPN server that manages it

3.4.6 Enabling the Open VPN service


To enable the OpenVPN service, enter the command: root@ubuntu14:/etc/openvpn# service openvpn start

Chapter 4 Remote worker deployment with SBC and Reverse Proxy

4.1 Overview
ALE SIP deskphones can be used by remote workers outside the company, operating off-site transparently
with the on-premise corporate call server thanks to a secured network infrastructure composed of:
- An internal and an external firewall surrounding a corporate DMZ, with suitable policies,
- A Reverse Proxy (RP) in the DMZ, which controls all HTTPS data flows exchanged between the
deskphones running off-site and the OmniVista 8770 DM server on the corporate LAN.
The RP is reachable from the Internet via its public FQDN, which must be declared in the settings of the
remote worker deskphones. A redirection rule must be set in the RP to redirect the deskphone
HTTPS flows to the OmniVista 8770 DM server private FQDN.
- A Session Border Controller (SBC) in the DMZ, which secures the VoIP communications performed
with the deskphones on the Internet thanks to SIP/TLS signaling and SRTP media flows.
The SBC is reachable from the Internet via its public FQDN, which is provided to the deskphones via their
configuration file.
Hardware and software compatibility: The ALE deskphones compatible with an off-site use with RP and
SBC are:
- 8001, 8008CE and 8008GCE (SIP only phones),
- 8008, 8008G, 8018 and 8028s dual stack NOE/SIP switched to SIP mode.
The 80x8(s) minimum recommended SIP software version is 1.51.4. With this minimum version, the
phone deployment can be done directly at the final user location. Some Out of box 80x8(s) and CE
deskphones may run 1.20.xx SIP version. They must be upgraded before their use in remote worker mode.
Methods to do that are described in chapter 4.8.1.

[Figure: remote worker architecture. A deskphone (remote worker) on the Internet reaches the company DMZ through the external firewall. In the DMZ, the SBC (public FQDN on the Internet side, private FQDN on the LAN side) relays SIP to the OmniPCX Enterprise on the company LAN, and the RP (public FQDN / private FQDN) relays HTTPS to the OmniVista 8770 (set configuration file), both behind the internal firewall.
Redirection rule: RP public FQDN/DM/dmictouch is routed to OmniVista 8770 private FQDN/DM/dmictouch.
Legend: SIP/TLS and SRTP flows for SIP communications on the WAN; SIP/UDP and RTP flows for SIP communications on the LAN; HTTPS flows for data communications (set configuration file and binaries).]


4.2 Setting the Certificate Trust List (CTL)


To allow trust in the exchanged flows, the remote deskphone must authenticate the RP and SBC devices thanks
to a CTL file that includes the CA root certificate (and SubCA, if any) used to sign the SBC and RP server
certificates. During its initialization process, the remote deskphone tries to download this CTL file from the
DM server. If the download succeeds and the CTL is valid and complete, the RP and SBC are authenticated, provided that their
current certificates are still valid (not expired).
Depending on the security policies of the company, a single CTL file may be used for both local and remote
deskphones, or separate files.
If a single CTL file is used, the original one must be edited and signed.
Otherwise, the DM OmniVista 8770 server must provide:
- a generic CTL for deskphones on the corporate LAN (i.e. the deskphones belonging to the OmniPCX
Enterprise IP network),
- a specific CTL for remote deskphones working with RP and SBC.

To sign the CTL, you can use one of these deskphone types:
- A 8088 Smart DeskPhone declared as SIP device on the OmniPCX Enterprise (see: § 4.2.1)
- A 8082 My IC Phone declared on an OpenTouch server (if available on the customer site) (see: § 4.2.2)

4.2.1 Signing the CTL with a 8088 Smart DeskPhone connected to the OmniPCX
Enterprise
Before you start:
A 8088 Smart DeskPhone is declared as SIP device on OmniPCX Enterprise server. (The 8088 Smart
DeskPhone configuration and commissioning are described in the OXE System: Dedicated sets document
reference: 8AL91024).
To build a CTL including the RP and SBC certificates:
1. Declare the 8088 Smart DeskPhone as signing set:
a) On the OmniVista 8770 server, go to: 8770/data/DM/deploy/VHE8082/
b) Edit the configuration file of the 8088 Smart DeskPhone (config.<MAC address>.xml)
The set configuration file includes CTL fields filled with default values
Example:

c) In the DmCtlSigningMacaddr field, enter the MAC address of the 8088 Smart DeskPhone
Example:

d) Restart the 8088 Smart DeskPhone


The deskphone downloads the updated configuration file


2. On OmniVista 8770 DM server, go to: 8770/data/DM/deploy/VHE8082/


3. Copy/paste the generic CTL file (ctl_VHE8082) and rename it (for example: ctl_VHE8082_remote)
Two CTL files must be present (ctl_VHE8082 and ctl_VHE8082_remote)
4. Edit the ctl_VHE8082_remote file and perform the following operations:
a) Delete all XML tags identified by <…> and </…>
b) Delete the signature section at the end of the file (the <signature encodage="base64"> tag, its base64 content and the closing </signature> tag)
c) Keep the BEGIN CERTIFICATE / END CERTIFICATE sections
In the example below, everything other than the BEGIN CERTIFICATE / END CERTIFICATE sections (the items highlighted in the original guide) must be deleted from the ctl file.
Example of initial CTL file:
<trust_store_info>
<cert>
-----BEGIN CERTIFICATE-----
MIIDDDCCAfagAwIBAgIQAVvMvy6HZfOIBo3GjaCYsTALBgkqhkiG9w0BAQUwVTEL
.....
0+ca3SwkkU15/xnVpQqPcA==
-----END CERTIFICATE-----</cert>
<CA_ICT>
-----BEGIN CERTIFICATE-----
MIIDtTCCAp2gAwIBAgIKE5R/5gAAAAAABDANBgkqhkiG9w0BAQUFADBeMQswCQYD
.....
Q60IIaAuN/bs6vwfWeuzo6ATcIFdiCcphZvI3eXP95W4PLLawKXgls0=
-----END CERTIFICATE-----
</CA_ICT>
<CTL>
-----BEGIN CERTIFICATE-----
MIIEBjCCAu6gAwIBAgIQTQQhGG1woYtCsMzfN9pRyDANBgkqhkiG9w0BAQUFADBe
.....
n7nc1SCVb6Q6IAQgW6UsRn/3E7CUFII4/FQ=
-----END CERTIFICATE-----

<signature encodage="base64">
rPL1XquWLyxKM0QdQlY/nbtpaj1gOVOG5xGjnuJ8WmZDXYt32RctnBikS+DCCcyf
VvW11sU67bGQ4uhPfZaio0RW3TUj38ef2n1GGrwVoHHIRH8KpDHBhsQ9tlwrJw+n
Cvzanr442gvmEzznxMcDT7QuXs/hnIdHvMvFL5fB84Y=
</signature>
</CTL>
</trust_store_info>
Example of updated CTL file (certificate sections only, no tags and no signature):
-----BEGIN CERTIFICATE-----
MIIDDDCCAfagAwIBAgIQAVvMvy6HZfOIBo3GjaCYsTALBgkqhkiG9w0BAQUwVTEL
.....
0+ca3SwkkU15/xnVpQqPcA==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDtTCCAp2gAwIBAgIKE5R/5gAAAAAABDANBgkqhkiG9w0BAQUFADBeMQswCQYD
.....
Q60IIaAuN/bs6vwfWeuzo6ATcIFdiCcphZvI3eXP95W4PLLawKXgls0=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEBjCCAu6gAwIBAgIQTQQhGG1woYtCsMzfN9pRyDANBgkqhkiG9w0BAQUFADBe
.....
n7nc1SCVb6Q6IAQgW6UsRn/3E7CUFII4/FQ=
-----END CERTIFICATE-----

5. Add the RP and the SBC Root CA certificates (and SubCA if any) in the ctl_VHE8082_remote file:
a. Edit the ctl_VHE8082_remote file

b. Add the certificate(s) in a BEGIN CERTIFICATE/END CERTIFICATE section and save it.
6. Sign the new CTL file with the 8088 Smart DeskPhone defined as signing deskphone (see step 1.):
a. Copy the ctl_VHE8082_remote file to a USB key under the /trust_store directory, and rename
it ict8000ctl.pem
The path and filename on the USB key must be: /trust_store/ict8000ctl.pem
b. Plug in the USB key to the signing deskphone
c. On the deskphone, access the Settings application and log in as administrator
d. Go to Security > Certificates
e. Set the CTLActivateCADeployment to True and press the back key
f. Reboot the deskphone
g. At initialization step 3: Configuration file download, log in as administrator and go to the Settings
application
h. Set the CTLActivateSigning to True
The USB key contains a new ict8000ctl.xml file which is signed with the Root certificate(s)
i. Unplug the USB key
7. Plug in the USB key to the OmniVista 8770 server and copy the file to the directory:
8770/data/DM/deploy/VHE8082/
8. Rename the ict8000ctl.xml file to ctl_VHE8082_remote
9. Get the CTLMD5 value of the ctl_VHE8082_remote file using an external tool (for example:
e6ce0f8d802b7b96a00327e9ef659acc). Enter the value as 32 hexadecimal characters without spaces.
If the OmniVista 8770 server is installed on a computer running Windows (for example Windows 7), you can use
the command: CertUtil -hashfile c:\ctl_VHE8082_remote MD5 (the MD5 argument is required: without it CertUtil
returns a SHA1 hash, which is not the value expected here; some Windows versions print the digest with spaces between byte pairs, which must be removed).

After updating CTL, the following information must be collected:


- MAC address of the signing deskphone
- CTLMD5 data calculated with the external tool
- CTL path (/DM/VHE8082/ctl_VHE8082_remote)
This information is requested upon remote deskphone configuration (see: § 4.5.2 and § 4.6)

4.2.2 Signing the CTL with a 8082 My IC Phone connected to an OpenTouch server
Before you start:
Ensure that the customer site includes an OpenTouch server, and a VHE deskphone (8082 My IC Phone)
is declared as signing set. For more information on the signing set configuration, refer to the section
Certificate deployment of the OpenTouch System Documentation (reference: 8AL90510).
If there is no OpenTouch server available on customer site, you must either use an OpenTouch server (and
a VHE signing set) at another site, or sign the CTL with a 8088 Smart DeskPhone connected to the
OmniPCX Enterprise (see: § 4.2.1).

To build a CTL including the RP and SBC CA certificates:


1. On the OmniVista 8770 server, go to: 8770/data/DM/deploy/VHE8082/
2. Copy/paste the generic CTL file (ctl_VHE8082) and rename it (for example: ctl_VHE8082_remote)
Two CTL files must be present (ctl_VHE8082 and ctl_VHE8082_remote)

3. Edit the ctl_VHE8082_remote file and perform the following operations:
a) Delete all XML tags identified by <…> and </…>
b) Delete the signature section at the end of the file (the <signature encodage="base64"> tag, its base64 content and the closing </signature> tag)
c) Keep the BEGIN CERTIFICATE / END CERTIFICATE sections
In the example below, everything other than the BEGIN CERTIFICATE / END CERTIFICATE sections (the items highlighted in the original guide) must be deleted from the ctl file.

Example of initial CTL file:


<trust_store_info>
<cert>
-----BEGIN CERTIFICATE-----
MIIDDDCCAfagAwIBAgIQAVvMvy6HZfOIBo3GjaCYsTALBgkqhkiG9w0BAQUwVTEL
.....
0+ca3SwkkU15/xnVpQqPcA==
-----END CERTIFICATE-----</cert>
<CA_ICT>
-----BEGIN CERTIFICATE-----
MIIDtTCCAp2gAwIBAgIKE5R/5gAAAAAABDANBgkqhkiG9w0BAQUFADBeMQswCQYD
.....
Q60IIaAuN/bs6vwfWeuzo6ATcIFdiCcphZvI3eXP95W4PLLawKXgls0=
-----END CERTIFICATE-----
</CA_ICT>
<CTL>
-----BEGIN CERTIFICATE-----
MIIEBjCCAu6gAwIBAgIQTQQhGG1woYtCsMzfN9pRyDANBgkqhkiG9w0BAQUFADBe
.....
n7nc1SCVb6Q6IAQgW6UsRn/3E7CUFII4/FQ=
-----END CERTIFICATE-----

<signature encodage="base64">
rPL1XquWLyxKM0QdQlY/nbtpaj1gOVOG5xGjnuJ8WmZDXYt32RctnBikS+DCCcyf
VvW11sU67bGQ4uhPfZaio0RW3TUj38ef2n1GGrwVoHHIRH8KpDHBhsQ9tlwrJw+n
Cvzanr442gvmEzznxMcDT7QuXs/hnIdHvMvFL5fB84Y=
</signature>
</CTL>
</trust_store_info>

Example of updated CTL file (certificate sections only, no tags and no signature):
-----BEGIN CERTIFICATE-----
MIIDDDCCAfagAwIBAgIQAVvMvy6HZfOIBo3GjaCYsTALBgkqhkiG9w0BAQUwVTEL
.....
0+ca3SwkkU15/xnVpQqPcA==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDtTCCAp2gAwIBAgIKE5R/5gAAAAAABDANBgkqhkiG9w0BAQUFADBeMQswCQYD
.....
Q60IIaAuN/bs6vwfWeuzo6ATcIFdiCcphZvI3eXP95W4PLLawKXgls0=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEBjCCAu6gAwIBAgIQTQQhGG1woYtCsMzfN9pRyDANBgkqhkiG9w0BAQUFADBe
.....
n7nc1SCVb6Q6IAQgW6UsRn/3E7CUFII4/FQ=
-----END CERTIFICATE-----
4. Add the RP Root CA certificate (and SubCA if any) in the ctl_VHE8082_remote file:
a. From the RP, get the public certificate of the CA that signed the RP server certificate
b. Open the certificate file and copy its content
c. Add the certificate to the ctl_VHE8082_remote file in a BEGIN CERTIFICATE/END CERTIFICATE
section
5. Add the SBC Root CA certificate (and SubCA if any) in the ctl_VHE8082_remote file:
a. From the SBC, get the public certificate of the CA that signed the SBC server certificate
b. Open the certificate file and copy its content
c. Add the certificate to the ctl_VHE8082_remote file in a BEGIN CERTIFICATE/END CERTIFICATE
section
6. Sign the new CTL file with a signing deskphone connected to an OpenTouch server.
For more information, refer to the section Certificate deployment of the OpenTouch System
Documentation (reference: 8AL90510). The signed CTL must be available on a USB key
(signed ict8000ctl.xml file).
7. Plug in the USB key to the OmniVista 8770 server and copy the file to the directory:
8770/data/DM/deploy/VHE8082/
8. Rename the ict8000ctl.xml file to ctl_VHE8082_remote
9. Get the CTLMD5 value of the ctl_VHE8082_remote file using an external tool (for example:
e6ce0f8d802b7b96a00327e9ef659acc). Enter the value as 32 hexadecimal characters without spaces.
If the OmniVista 8770 server is installed on a computer running Windows (for example Windows 7), you can use
the command: CertUtil -hashfile c:\ctl_VHE8082_remote MD5 (the MD5 argument is required: without it CertUtil
returns a SHA1 hash, which is not the value expected here; some Windows versions print the digest with spaces between byte pairs, which must be removed).

After updating CTL, the following information must be collected:


- MAC address of the signing deskphone
- CTLMD5 data
- CTL path (/DM/VHE8082/ctl_VHE8082_remote)
This information is requested upon remote deskphone configuration (see: § 4.5.2 and § 4.6)
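The CTL edit described in steps 3 to 5 of § 4.2.1 and § 4.2.2 and the CTLMD5 computation of step 9 can be done with the following script. It is an added example, not a tool from the guide or from ALE: it strips the XML tags and the signature section from the generic ctl_VHE8082, keeps the BEGIN/END CERTIFICATE sections, appends the RP and SBC CA certificates (rejecting anything that is not a DER-encoded certificate and dropping duplicates when the RP and SBC share a CA), and returns the MD5 hex digest of the file bytes. The certificate bodies embedded as sample input are constructed placeholders, not real certificates, and all file names are assumptions.

```python
"""Build the remote-worker CTL (sections 4.2.1/4.2.2, steps 3-5) and compute its
CTLMD5 (step 9). Added example, not an ALE or OmniVista 8770 tool.
Certificate bodies used as sample input are constructed placeholders."""
import base64
import hashlib
import re

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def _normalise_pem(body: str) -> str:
    """Rebuild one PEM block from its base64 body.

    Rejects bodies that are not valid base64 or do not decode to a DER
    SEQUENCE (first byte 0x30), which every X.509 certificate starts with.
    This catches a pasted signature or a truncated copy before it reaches the phone.
    """
    b64 = "".join(body.split())
    der = base64.b64decode(b64, validate=True)
    if not der or der[0] != 0x30:
        raise ValueError("not a DER-encoded X.509 certificate")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["-----BEGIN CERTIFICATE-----", *lines, "-----END CERTIFICATE-----"])


def extract_certificates(text: str) -> list[str]:
    """Return the PEM certificate blocks of text, in order (step 3).

    Only what lies between BEGIN/END CERTIFICATE markers is kept, so the
    <trust_store_info>, <cert>, <CA_ICT>, <CTL> tags and the
    <signature encodage="base64"> section are dropped automatically.
    """
    return [_normalise_pem(m.group(1)) for m in PEM_BLOCK.finditer(text)]


def build_remote_ctl(generic_ctl: str, *ca_pems: str) -> str:
    """Return the content of ctl_VHE8082_remote (steps 3 to 5).

    ca_pems: PEM text of the RP and SBC root CA (and sub-CA) certificates.
    Duplicates are dropped by DER content, so a CA shared by RP and SBC is
    added once. Output is certificate blocks only, newline-terminated.
    """
    seen = set()
    ordered = []
    sources = [generic_ctl, *ca_pems]
    for pem in (c for src in sources for c in extract_certificates(src)):
        der = base64.b64decode("".join(pem.splitlines()[1:-1]))
        if der not in seen:
            seen.add(der)
            ordered.append(pem)
    if not ordered:
        raise ValueError("generic CTL contains no certificate")
    return "\n".join(ordered) + "\n"


def ctl_md5(ctl_bytes: bytes) -> str:
    """CTLMD5 value (step 9): 32 lowercase hex characters, no spaces.

    Hash the exact bytes of the file placed on the 8770 (after signing and
    renaming), not a re-serialised copy.
    """
    return hashlib.md5(ctl_bytes).hexdigest()


def _fake_cert(label: bytes) -> str:
    """Constructed placeholder: a tiny DER SEQUENCE wrapped as PEM, not a real certificate."""
    return _normalise_pem(base64.b64encode(bytes([0x30, len(label)]) + label).decode())


# Constructed sample input mimicking the generic ctl_VHE8082 layout shown in the guide.
GENERIC_CTL = f"""<trust_store_info>
<cert>
{_fake_cert(b'cert-1')}</cert>
<CA_ICT>
{_fake_cert(b'ca-ict')}
</CA_ICT>
<CTL>
{_fake_cert(b'ctl-signer')}

<signature encodage="base64">
cGxhY2Vob2xkZXItc2lnbmF0dXJlLW5vdC1hLWNlcnQ=
</signature>
</CTL>
</trust_store_info>
"""
RP_ROOT_CA = _fake_cert(b"rp-root-ca")
SBC_ROOT_CA = _fake_cert(b"rp-root-ca")  # same CA as the RP: must appear once
SBC_SUB_CA = _fake_cert(b"sbc-sub-ca")

if __name__ == "__main__":
    remote_ctl = build_remote_ctl(GENERIC_CTL, RP_ROOT_CA, SBC_ROOT_CA, SBC_SUB_CA)
    print(remote_ctl, end="")
    print("CTLMD5 =", ctl_md5(remote_ctl.encode()))
```

Write the returned text to ctl_VHE8082_remote, run it through the signing deskphone (step 6), then call ctl_md5 on the bytes of the signed file renamed to ctl_VHE8082_remote: that digest is the value to enter in the 8770 and must match the CertUtil output.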


4.3 Configuring the Reverse Proxy


ALE International recommends the use of the reverse proxy references listed by the Alcatel-Lucent
Application Partner Program (AAPP). The NGINX Reverse Proxy is tested and certified by AAPP.
80x8 SIP remote workers have been tested with NGINX 1.13.9

4.3.1 Configuring the Reverse Proxy settings


The following operations must be performed on the RP:
1. Generating an RP server type certificate and associated private key (if not already available)
2. Generating an RP user type certificate and associated private key
3. Setting a rule that:
a. redirects the requests of remote deskphones to the OmniVista 8770 server, and,
b. sends the RP server type certificate to the remote worker deskphones for authentication of
the RP server (mandatory)
c. sends the RP user type certificate to the OmniVista 8770 for it to authenticate requests
coming from the RP (optional; the corresponding configuration must be made on the OmniVista 8770
server, see § 4.3.2: CN attribute)
HTTPS requests to <RP public FQDN>/DM/dmictouch must be routed to <OmniVista 8770
private FQDN>/DM/dmictouch. Only this path needs to be exposed; requests to any other path should be refused by the RP.
Remark: the 8770 does not authenticate the RP by certificate in the classic way: it only compares the content of
the RP certificate CN attribute with the RP CN value previously declared in the 8770. This check does not verify the certificate chain, so the internal firewall policy must remain the control that restricts which hosts can reach the 8770 DM server.
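The redirection rule and the two certificates listed above can be expressed in NGINX (the RP tested by AAPP) as follows. This server block is an added example, not configuration from the guide or from ALE: rp.example.com, ov8770.corp.example and all file paths are placeholders to replace with the RP public FQDN, the OmniVista 8770 private FQDN and the customer's certificate files. It exposes only the /DM/dmictouch path, presents the RP server certificate to the phones (3b), sends the RP user certificate to the 8770 (3c, optional) and verifies the 8770 certificate against a trusted CA bundle, which is an addition the guide does not require.

```nginx
# Added example: NGINX reverse proxy for remote-worker deskphones (placeholders throughout)
server {
    listen 443 ssl;
    server_name rp.example.com;                        # RP public FQDN

    # RP server-type certificate presented to the deskphones (3b).
    # Its issuing CA must be present in the remote CTL (section 4.2).
    ssl_certificate     /etc/nginx/tls/rp-server.crt;
    ssl_certificate_key /etc/nginx/tls/rp-server.key;
    ssl_protocols TLSv1.2;                             # matches the TLS1.2 setting pushed to 80x8 phones

    # Everything except the DM path is refused.
    location / {
        return 404;
    }

    # Redirection rule: <RP public FQDN>/DM/dmictouch -> <8770 private FQDN>/DM/dmictouch
    location /DM/dmictouch {
        proxy_pass https://ov8770.corp.example/DM/dmictouch;   # OmniVista 8770 private FQDN
        proxy_ssl_server_name on;
        proxy_ssl_name ov8770.corp.example;

        # Optional (3c): RP user-type certificate sent to the 8770. Its CN must
        # match the CN attribute declared in section 4.3.2.
        proxy_ssl_certificate     /etc/nginx/tls/rp-user.crt;
        proxy_ssl_certificate_key /etc/nginx/tls/rp-user.key;

        # Verify the 8770 certificate so the RP never forwards phone traffic to
        # an impostor on the LAN. Assumes the 8770 CA is in this bundle.
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/nginx/tls/corp-ca.crt;
    }
}
```

All directives used here exist in NGINX 1.13.9, the version the guide reports testing with; proxy_ssl_verify must be turned off if the 8770 uses a self-signed certificate that cannot be placed in the trusted bundle.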

4.3.2 Configuring the OmniVista 8770 to authenticate the RP


The RP must be declared on the OmniVista 8770 server:
1. Start an OmniVista 8770 client using an administrator account granted with security rights
2. Access the Setup/Security application and go to nmc > ReverseProxyManagement
3. Access the contextual menu and select Create > Reverse Proxy
4. Complete the following fields:
Name Enter a display name for the RP
FQDN Enter the private FQDN of the RP
CN attribute (optional – to fill in for RP authentication on 8770 by client/user
type certificate – to leave empty if not) Enter the Common
Name value of the RP user certificate (e.g : cn=<RP name> or
cn=< RP private FQDN>)
5. Click the validate icon to apply your modifications

4.4 Configuring the Session Border Controller


ALE International uses AudioCodes as Session Border Controller (SBC). The complete installation and
configuration of an AudioCodes SBC are described in the document OpenTouch Session Border Controller
Configuration Guide (reference: 8AL90065USAI) available on MyPortal:
https://myportal.al-enterprise.com/alebp/s/PN/8AL90065USAI

The following paragraphs only focus on SBC configuration for remote workers.


4.4.1 Configuring Session Border Controller settings


The minimum recommended SBC version is 7.20A.152.009
Skip this section if an SBC is already deployed on customer premises and configured to secure the VoIP
communications performed from OTC PC applications running off-site. The 8001 and 80x8(s) deskphones
and OTC PC applications (associated to Connection users) use the same SBC configuration when they run
off-site, except if TLS mutual authentication is enabled for 80xx phones and not for OTC clients. In that case
a dedicated SIP Interface with mutual authentication enabled must be used for 80xx phones (see § 4.4.4)
To simplify the AudioCodes SBC configuration, you can use the SBC embedded configuration wizard
(recommended) or use the external wizard downloadable from MyPortal.
External configuration wizard must be installed on a computer that can access internet for updates.
Launch the SBC configuration wizard and configure the SBC settings:
1. From the wizard welcome page, click Next
2. Complete the customer information and click Next
3. If a SIP trunk is also deployed, configure the General Setup by selecting Alcatel-Lucent Remote
Users – Gamma SIP Trunk in the Template (Interop) field, then click Next
4. For troubleshooting, select the Enable Syslog radio button and enter the syslog server IP Address,
then click Next
5. Complete the LAN interface parameters and click Next
In the LAN interface, the IP Address field must be completed with the SBC private IP address
6. Complete the WAN interface parameters and click Next
In the WAN interface, the IP Address field must be completed with the SBC public IP address
7. Skip the IP-PBX configuration and click Next
8. Complete the OmniPCX Enterprise network parameters and click Next
The IP Address field must be completed with the OmniPCX Enterprise private FQDN
9. Select the OTCT (OXE) radio button and complete the following fields:
Transport Type: select TLS
Media Protocol: select SRTP
Listening Port: select the port number used to connect to the public SIP interface of the SBC (recommended port: 5261)
SIP Domain: enter the SBC public FQDN
10. Click Next
After the wizard completes successfully, a configuration file is generated.
11. Click Save File and use the browser to select the folder on which the configuration file must be saved
12. Click Finish
13. Open the management console of the SBC and click the Maintenance tab
14. Go to: Software Update > Configuration file
15. Use the browser to select the configuration file saved on the computer and click Load INI File
A message indicates that the SBC restarts


4.4.2 Verifying the SBC license


The SBC license must allow remote workers.
1. From the management console of the AudioCodes SBC, click the Maintenance tab, and go to:
Software Update > Software Upgrade Key
2. Verify license content: the ‘FEU’ field must exist. The numerical value set is the max quantity of
simultaneous Remote Workers registered.
Example:

4.4.3 Configuring the SBC certificate for Remote Workers


Skip this section if an SBC is already deployed on customer premises and configured to secure the VoIP
communications performed from OTC PC applications running off-site.
SBC must provide a certificate to remote workers to allow its authentication and enabling SIP/TLS and
SRTP secured communications with them.
To configure the SBC certificate, refer to section 3.3.16 Configure certificate based security of the
document OpenTouch Session Border Controller Configuration Guide (reference: 8AL90065USAI) available
on MyPortal:
https://myportal.al-enterprise.com/alebp/s/PN/8AL90065USAI

4.4.4 Enabling mutual authentication (SBC- 80xx phones)


This is done in three steps:
1) The phone authenticates the SBC thanks to the updated CTL (see § 4.2) downloaded when it starts and to
the certificate it receives from the SBC device. This step is mandatory, whether TLS mutual
authentication is enabled or not.
2) For the SBC to authenticate the phones: all 80xx phones incorporate an 'alcatel-lucent' default client
certificate. A new PKCS#12 certificate can also be downloaded to the phones. The root CA certificates that
were used to sign the 80xx phone client certificates must be imported into the SBC TLS context
used with the remote worker phones. To do this, open the TLS Context page, click the Trusted
Root Certificates link, import them using the Import button, then Save:


3) Enable mutual authentication in the SBC configuration: go to Setup > Signaling & Media > Core Entities > SIP Interface Table.
Select the SIP Interface used with 80xx phones in remote worker mode, click "Edit", double-check
the TLS Context value, enable TLS Mutual Authentication, then Apply and Save:


Important notes:
1. With mutual authentication enabled, the SBC uses the certificate sent by the phone to check whether its
certificate chain is valid. If it is, the SBC simply authenticates the phone as an ALE phone; it does
not authenticate each phone individually based on the CN=<MAC address> content of its certificate. Any device
holding a certificate issued by one of the imported root CAs is therefore accepted.
2. Mutual authentication may not fit with OTCT clients. If your SBC device is also securing some OTCT
clients in remote worker mode, preferably configure a separate SIP interface for 80xx phones to enable
TLS mutual authentication.

4.4.5 Specific SBC configuration for 8001 Deskphones using secret identity
The following management is optional and only applies to specific use cases.
In case the Anonymous Call feature is activated on 8001 Deskphones, the P-Preferred-Identity header is
used to provide the extension number for SIP authentication. A dedicated message manipulation must be
added to the SBC:
1. From the management console of the SBC, select the Configuration tab and go to: VoIP > SIP
Definitions > Msg Policy & Manipulation > Message Manipulations
2. Add a new index with the following values:

Note: To see if the Anonymous Call feature is activated on 8001 Deskphone, access its web
management interface and perform the following operations:
a) Open a web browser and enter the URL: http://<deskphone IP address>
b) Enter the root credentials in the login window (root/root)
c) From the web management interface, go to SIP Account > Account1
d) In the Call section, verify that the Anonymous call field is set to on


4.5 Configuring the 8001 Deskphones for remote workers


The following paragraphs only focus on the operations required to allow existing 8001 devices
associated to users to operate in remote worker (off-site) mode. They do not detail:
- 8001 Deskphone creation and association to a remote worker
- 8001 Deskphone settings, such as: prefixes, call settings, time, audio, display, and codecs
- 8001 Deskphone commissioning (connection and initialization mode (dynamic or static))
The 8001 Deskphone configuration and commissioning are described in the OXE System: Dedicated sets
document (reference: 8AL91024).

4.5.1 Configuring 8001 Deskphones on the OmniVista 8770


1. From the OmniVista 8770 client, access the Users application
2. Expand the tree structure and select a 8001 Deskphone associated to a remote user
3. In the General tab, review/modify the following field:
Remote Device: select the check box
4. In the SIP User tab, review/modify the following field:
Outbound proxy server: enter the public FQDN of the SBC followed by the listening SIP port defined in the SBC (for example: <SBC public FQDN>:<SIP port>)
5. In the Maintenance tab, review/modify the following field:
Reverse proxy server address: enter the public FQDN of the RP
6. In the Security tab, review/modify the following fields:
Attention: these parameters are only displayed on screen if the Remote Device check box is selected in the General tab.
CTL path: enter the access path to the Certificate Trust List (CTL) built for remote deskphones deployed behind an RP (see § 4.2 Setting the Certificate Trust List (CTL))
MAC addr. of signing device: enter the MAC address of the SIP deskphone used to sign the CTL, with colon separators (for example: 00:80:9f:xx:yy:zz)
MD5 hash of CTL: enter the MD5 hash of the CTL
7. Click the validate icon to apply your modifications
Note: You can apply this configuration to a set of 8001 Deskphones using device profiles. In this case,
perform the following operations:
a) From the Devices application of the OmniVista 8770 (Parameters tab), create a device profile
including the RP, SBC and CTL settings
Attention: The CTL settings are only displayed on screen if the Remote Device check box is
selected in the General tab.
b) From the Users application, select a 8001 Deskphone associated to a remote user and select the
device profile in the OXE device profile field (General tab)


4.5.2 Configuring the 8001 Deskphone settings (file download URL and auto
provision)
This operation consists in configuring the file download URL and auto provision in the 8001 Deskphone
settings. This can be done directly on the deskphone, or using the web management interface of the
deskphone. The deskphone IP address is required to access the web management interface.

4.5.2.1 Configuring settings on the phone


1. From the home screen of the 8001 Deskphone, press the OK button or Menu soft key, and go to
System Settings > Advanced Settings > Advanced
2. Select Auto Provision
3. In the URL field, enter the access path for file download through the RP: https://<RP public
FQDN>/DM/dmictouch/
The file download URL must be declared on the deskphone. This URL is used by the deskphone to
download its configuration file and binaries.
4. In the Protocol field, use the soft keys to select HTTPS
5. Press the Save soft key
6. Restart the deskphone to apply your modifications

4.5.2.2 Configuring settings using the web management interface


1. Open a web browser and enter the URL: http://<deskphone IP address>
2. Enter the root credentials in the login window (root/root are the factory default credentials and should be changed before the deskphone is deployed off-site, where its web interface is reachable from the remote worker's network)
3. Go to Phone Maintenance > Advanced > Auto Provisioning
4. Complete the following fields:
Auto Provision: click the radio button
Protocol: use the drop-down menu to select HTTPS
Software Server URL: enter the access path for file download through the RP: https://<RP public FQDN>/DM/dmictouch/
Auto download Software: click the radio button
Auto download Kernel: click the radio button
Auto Download Config File: click the radio button
5. Apply the changes
Note: A manual auto provisioning can be performed by pressing Auto Provision now.


4.6 8770: Configuring the devices profiles for remote workers


It is recommended to create and use device profiles to simplify and homogenize device configuration.
Hereafter are, as an example, the 8770 settings for 8008 SIP devices used in remote worker mode,
which implies some specific settings.
Principles and important fields are the same for other ALE 80x8 deskphone types used in remote worker mode.
1. Using the 'Devices' application, create a device profile under the 'Parameters' tab
2. Tab 'General', values to be set:
Remote device: click the radio button
Binary: binary package to be deployed on phones (if already made available under the 'Application' tab)
Apply the changes.


3. Tab 'Network', values to be set:
Outbound Proxy fields:
Server address: <SBC public FQDN>
Server port: <SIP port value>; 5261 is recommended for OXE users
SRTP Mode: Strict
SRTP Authentication: click the radio button
SIP DSCP: 40
SSL version: TLS1.2
SNTP server address: <public FQDN or IP address>
Apply the changes.


4. Tab 'Vocoders':
Framings:
Codec G.711a: 20ms (default)
Codec G.711mu: 20ms (default)
Codec G.729a: 20ms (default)
Codecs: the Codec type settings are currently missing in profiles for 8008, 8018 and 8028s. A Service Request is ongoing to fix it.
Apply the changes.


5. Tab 'Telephony':
Check for the services to enable.
Tests have been done with:
Dialing tone: click the radio button
Transfer: click the radio button
Apply the changes.


6. Tab ‘Device’, values to be set:
   Allow USB (8018 and 8028s only)   Can help for maintenance operations; enabling it is an IT decision.
   Language                          User interface language
   Internal ring melody              Select the melody for internal incoming calls
   External ring melody              Select the melody for external incoming calls
   Appointment ring melody           Select the melody for the appointment reminder
   Audio TOS/diffserv                46
   Tone Country                      Select the country
   VAD                               Not selected (default value)
   Apply the changes.


7. Tab ‘Advanced parameters’, values to be set:
   Binary update params             To enable and schedule automatic binary deployments from 8770 DM:
                                    - time control,
                                    - start time,
                                    - period,
                                    - update
   Config update polling timer      86400 – once a day (default)
   Timezone                         Select your suitable default time zone
   CTL Path                         Set the path on 8770 to access the CTL file
   MAC address of signing device    Set the MAC address of the deskphone used to sign the CTL file
   MD5 hash of CTL                  Set the MD5 hash of the CTL file
   Apply the changes.
   The last three fields are what the phone uses to check the Certificate Trust List it downloads. The MD5 value is an integrity check, not a signature, so it must be recomputed and updated in the profile every time the CTL file is regenerated.
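As an added example (not code from the guide or from ALE), the following Python script checks a profile against the settings listed in tabs 3 and 7 above and computes the value for the ‘MD5 hash of CTL’ field. The profile is represented as a dictionary keyed by the field labels quoted in this section, which is an assumption made for the example; the host names, the two sample profiles and the CTL body are constructed. `probe_sbc_tls` performs a live TLS 1.2 handshake against the SBC's SIP-TLS port and needs network access; the linter and the digest helper run offline.

```python
import hashlib
import ipaddress
import socket
import ssl

# Field labels follow the 8770 tab names quoted in the guide; using them as
# dictionary keys is an assumption made for this example.
EXPECTED = {
    "Remote device": True,
    "SRTP Mode": "Strict",
    "SRTP Authentication": True,
    "SSL version": "TLS1.2",
    "Config update polling timer": 86400,
}


def lint_remote_profile(profile: dict) -> list:
    """Return the list of deviations from the remote-worker settings; [] means clean."""
    findings = []
    for field, expected in EXPECTED.items():
        got = profile.get(field)
        if got != expected:
            findings.append(f"{field}: expected {expected!r}, got {got!r}")

    proxy = profile.get("Outbound Proxy") or {}
    if not proxy.get("Server address"):
        findings.append("Outbound Proxy/Server address: SBC public URL is missing")
    if proxy.get("Server port") != 5261:
        findings.append(
            f"Outbound Proxy/Server port: 5261 recommended for OXE, got {proxy.get('Server port')!r}"
        )

    # The phone sits on the Internet: an RFC 1918 SNTP address is unreachable there.
    sntp = profile.get("SNTP server address") or ""
    try:
        if ipaddress.ip_address(sntp).is_private:
            findings.append(f"SNTP server address: {sntp} is a private address")
    except ValueError:  # not an IP literal: an FQDN or an empty field
        if not sntp:
            findings.append("SNTP server address: missing")

    # CTL trust chain: the phone checks the downloaded CTL against these three values.
    for field in ("CTL Path", "MAC address of signing device", "MD5 hash of CTL"):
        if not profile.get(field):
            findings.append(f"{field}: missing")
    return findings


def ctl_md5(ctl_bytes: bytes) -> str:
    """Hex digest for the 'MD5 hash of CTL' field.

    MD5 here is an integrity check the phone performs; it is not a signature and
    has no collision resistance, so the CTL must still be served over HTTPS from
    the 8770 and this value regenerated whenever the CTL is rebuilt.
    """
    return hashlib.md5(ctl_bytes).hexdigest()


def probe_sbc_tls(host: str, port: int = 5261, cafile: str = None, timeout: float = 5.0) -> dict:
    """Live check (not run in the offline test): open a TLS 1.2+ session to the SBC's
    SIP-TLS port and return the negotiated version and the server certificate subject.
    A handshake failure here is what the phone would also see."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {"version": tls.version(), "subject": cert.get("subject")}


# Constructed sample profiles, not taken from an 8770 export.
WEAK_PROFILE = {
    "Remote device": True,
    "Outbound Proxy": {"Server address": "sbc.example.test", "Server port": 5060},
    "SRTP Mode": "Disabled",
    "SRTP Authentication": False,
    "SSL version": "TLS1.0",
    "SNTP server address": "192.168.1.10",
    "Config update polling timer": 86400,
}

HARDENED_PROFILE = {
    "Remote device": True,
    "Outbound Proxy": {"Server address": "sbc.example.test", "Server port": 5261},
    "SRTP Mode": "Strict",
    "SRTP Authentication": True,
    "SSL version": "TLS1.2",
    "SNTP server address": "time.example.test",
    "Config update polling timer": 86400,
    "CTL Path": "/ctl/ctl.xml",
    "MAC address of signing device": "00:80:9f:00:00:01",
    "MD5 hash of CTL": ctl_md5(b"constructed CTL body"),
}

if __name__ == "__main__":
    for name, prof in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(name, lint_remote_profile(prof) or "OK")
```

Run it on a dictionary filled from the profile screens; every line it prints is a field to revisit before the profile is assigned to remote users. The SNTP check deliberately lets FQDNs through, since a public name is the normal choice for phones on home networks.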


4.7 User creation and remote worker device association

4.7.1 8770: User creation with SIP device parameters

There are two possible ways of associating the SIP device parameters with the SIP extension user by using a device profile:
- Straightforward at user creation (see § 4.7.1.1)
- Separately after user creation (see § 4.7.1.2)

4.7.1.1 SIP parameters set straightforward at user creation

- Create an OXE user of ‘SIP extension’ type,
- Set the relevant remote worker 80x8 device profile previously created,
- Apply: the device object is created and associated with the user object straight afterwards.

Note: by applying the device profile directly at user creation, the identification key and password are used to identify the deskphone at its first start and to authorize its association. It is possible instead to use the deskphone MAC address as the authorization criterion for the first device association. For this, select the device object, set the correct value in the 'MAC address' field and apply.


4.7.1.2 SIP parameters set after the creation of the user

This procedure also allows two possible means for the real deskphone's first identification and association to the system:
o by Device identity (MAC address), or
o by identification key (the DN value by default) + identification password (to be set by the administrator)

- Create an OXE user of ‘SIP extension’ device type without setting up a device profile at this step.
- Apply: the user is created without the SIP device parameters.


4.7.1.2.1 Option 1: Set SIP parameters for device identification by MAC address
- Select the new user, right-click and select Associate SIP device, New, <your device type>.
- Set the <Device identity (MAC address)> and the right OXE device profile.


- Apply: SIP parameters are all set according to the device profile used, with identification by device
MAC address.


4.7.1.2.2 Option 2: Set SIP parameters for device identification by id key and password
- Select the new user, right-click and select Associate SIP device, New, <your device type>.
- Set an identification password (2 input fields).
- Set the relevant <OXE device profile>.
- Apply: SIP parameters are all set according to the device profile used, with device identification by key (user DN value) and id password.


4.7.2 Real deskphone association

Depending on the type of device identification chosen by the administrator at user and device creation, the real deskphone's first association to the system occurs:
o by Device identity (MAC address), or
o by identification key (the DN value by default) + identification password (previously set by the administrator).
A MAC address is printed on the phone and can be spoofed, so identification by key and password is the stronger of the two options for phones shipped directly to remote users.

Important: the real deskphone's first identification and association can be done from the Internet domain provided that its SIP software version is 1.51.4 or higher.
If the SIP version is lower than 1.51.4, the deskphone must first be upgraded from the LAN domain (see § 4.8.1).

4.7.2.1 Specific actions required on dual stack deskphones (8008, 8018, 8028s only):
Dual stack phones start in NOE mode by default.
To be used in SIP remote worker mode, they must be switched to SIP mode:
1. Start the deskphone directly on the WAN.
2. During its initialization, at “step 2”, press “*” then “#” to enter the local MMI menu. The deskphone asks for a password: enter ‘123456’ (default value).
3. Go to the Admin / IP params menu and check that the deskphone network operates in dynamic (DHCP) mode.
4. Go to the Soft Infos menu and check the Run Mode value. If it is NOE, select Set Mode SIP and Apply (‘V’ button).

The deskphone restarts in SIP mode.

4.7.2.2 Actions required for a first start and identification with identification username and password
1. Start the deskphone directly on the WAN.
2. During its initialization, at “step 2”, press “*” then “#” to enter the local MMI menu. The deskphone asks for a password: enter ‘123456’ (default value).
3. Go to the DM menu, select the Backup URL and fill in the HTTPS-secured 8770 DM public URL of your system, i.e. https://<8770-DM-public-name>/DM/dmictouch
4. Validate using the OK button.
5. The deskphone restarts.
6. After a while, the deskphone shows the Device login screen.
7. Fill in Username with the <identification key value> and Password with the <identification password value> previously set for your device at user/device creation.
8. The deskphone connects to the DM, gets its configuration and CTL files, restarts and starts operating in remote worker mode.

4.7.2.3 Actions required for a first start and identification by device MAC address:
1. Start the deskphone directly on the WAN.
2. During its initialization, at “step 2”, press “*” then “#” to enter the local MMI menu. The deskphone asks for a password: enter ‘123456’ (default value).
3. Go to the DM menu, select the Backup URL and fill in the HTTPS-secured 8770 DM public URL of your system, i.e. https://<8770-DM-public-name>/DM/dmictouch
4. Validate using the OK button.
5. The deskphone restarts.
6. The deskphone connects to the DM, gets its configuration and CTL files, restarts and starts operating in remote worker mode.


4.8 Appendix

4.8.1 Phone SIP upgrade tips

The following gives the principles of the upgrade methods available. These are not the full step-by-step procedures; for those, refer to the relevant documentation.

4.8.1.1 With the 8770 and a phone running in NOE mode

If the phones run in NOE-only mode, the automatic upgrade manages only the NOE software. The embedded SIP software is not upgraded.
To get both the NOE and SIP software upgraded, the phones must be declared in a domain with survivability. So, to upgrade the SIP software, follow these steps:
• Declare an IP domain with SIP survivability in the 8770: this is only to trigger the upgrade.
• The field must have a value, whatever it is; only SIP Survivability Mode = YES matters.
• Configure the DHCP server to serve IP addresses in the SIP survivability range.
• Declare one or more users with number and password, for upgrade purposes. DO NOT use the encryption mode.
• Then connect a phone and put it in service: the NOE & SIP upgrade happens if needed.
• Unplug the phone and repeat with the next one.


4.8.1.2 With a phone running in SIP mode

The phone upgrade is done automatically from the 8770.
In any case, the device management server (DM) URL can be set either through a DHCP option or manually in the phone configuration menu. After a reset, the phone fetches the binary from this server through TFTP, HTTP or HTTPS (as indicated in the URL). TFTP and plain HTTP give no authenticity or integrity protection to the downloaded binary, so for phones reached over the Internet use the HTTPS form of the URL.

4.8.1.3 Manually on a phone running in NOE or SIP mode

A manual upgrade, phone by phone, is possible:
• Connect to the phone with SSH (SSH access to the phone must first be opened through the system management).
• Put the SIP (or even NOE) binaries on a TFTP server. This may be the OXE/OXO server or a simple PC.
• Type the following:
  • dwl set server <IP address> (for a TFTP server)
  • dwl set url <URL> (for an HTTP, HTTPS or TFTP server)
  • dwl go f (launches the upgrade)

The availability of the dwl command depends on the software version of the phone.

4.8.1.4 With a standalone phone


When the phone is connected to nothing but power, it is possible to trigger an upgrade through a USB key.
On a USB key formatted in FAT32 (NTFS is not supported):
• create a folder named upgrade
• put the phone binaries inside and plug the USB key into the USB connector

From here there are two methods.

Method 1: through the embedded menu

• Start the phone and, once in STEP 1, press the * and # keys one after the other. This enters the local MMI menu.
• Enter the Software Infos menu.
• Select the Upgrade menu, then select Upgrade from USB now.
• A message indicating that the upgrade is running is displayed in the title line and all LEDs blink. Blinking is fast at first while the binary files on the USB key are checked, then slow during the upgrade itself. If the upgrade is successful, the phone reboots by itself.

Method 2: key press during phone start, at the blue Welcome screen

There is another way to launch the USB upgrade procedure, using a multi-key press during initialization of the phone.
• Prepare the USB flash device in the same way as described before.
• Plug in the USB flash device.
• Reboot the phone.
• When the first blue display appears: wait about 5 seconds, then press the following keys on the dial pad at the same time (‘info’ ‘u’ ‘p’ ‘g’):
  - 8 7 4 for 80x8s models
  - 123<>abc 8 7 4 for the 8018 model
  - all LEDs light for 2 seconds to indicate that the multi-key press has been recognized
  - after step 2, the upgrade procedure starts.

The USB key upgrade availability depends on the software version of the phone. It is supported from release R410.

Chapter 5 Zero touch deployment for IPSEC VPN

5.1 Introduction

To deploy ALE deskphones, especially in NOE mode, the previous chapters show the actions to be done locally on the phone to enter the minimum information needed to establish the VPN and reach the call server.
Another method to facilitate this deployment is based on a cloud server that the phone contacts through the Internet and that pushes these settings into the phone.

This chapter describes how to use this automatic provisioning of the VPN settings into the NOE phones through the ALE EDS server (Easy Deployment Server).

5.2 Phone compatibility


The NOE phones supporting this feature are given in this table:
Models                              Minimum software version
8008, 8008G, 8018                   5.45.60.4310
8028s, 8058s, 8068s, 8078s          5.45.60.4310
ALE-20, ALE-20h, ALE-30h            1.01.02.642
ALE-300, ALE-400, ALE-500           1.01.02.643

Note: the phones must have these minimum versions to use EDS deployment.
With earlier versions it is still possible to deploy the VPN, but with manual configuration on the phone.

5.3 Getting access to EDS


Each Business Partner or Administrator can request access to EDS. This access can be used to manage several installations through profiles.
For an access request, follow the two-step process:
Connect to the EDS login page
Follow this link: https://admin.eds.al-enterprise.com
You will see the login page; press the “Sign Up” link.
This leads to the access request form.

Request access.
EDS is used for several applications. Please request an ENTERPRISE account.
[Figure: access request form. Callouts: the name of the person owning the account; add a comment to request the ENTERPRISE type of account.]

The requester then receives a mail with a link to create the account password. The account creation needs a human operation inside Alcatel-Lucent Enterprise, so the delay may be around one day.
Once the account creation mail is received (it stays valid for 3 days), click on the link inside, give the same email address as in the access request, then enter your chosen new password.
Welcome!


5.4 Architecture view – General principles

5.4.1 What is EDS


The EDS server is an ALE cloud service offering an easy deployment mechanism for ALE terminals: it automatically redirects them to the right provisioning server, without the Provisioning Server address being entered manually in the phone.
This server also pushes, transparently, some phone network settings such as the VPN ones before the phone reaches the provisioning server, which is the OXE/OXO TFTP server for phones running in NOE mode.

[Figure: remote worker side (phone as VPN client behind the home access router/box with its Internet connection) and corporate LAN side (access router + firewall with port forwarding, VPN server, OXO communication system), both connected to the Internet; (1) the administrator registers phones in EDS, (2) the phone contacts EDS, (3) the VPN tunnel to the VPN server and on to the communication system.]
5.4.2 Workflow of data

The main steps are:
1. The administrator registers the phone MAC addresses in EDS, one by one or in bulk (mass provisioning), and associates them with a profile describing the VPN settings.
2. At boot, the out-of-the-box phone connects to EDS and requests its profile based on its MAC address.
 EDS answers with the profile including the VPN settings, common and specific per device.
3. The phone establishes a VPN tunnel with the VPN gateway and connects to the OXO/OXE TFTP server.
EDS identifies the phone by its MAC address (step 2), so registering only the MAC addresses of phones you actually ship, and removing those of lost phones (§ 5.7), is part of the security of this scheme.

The VPN settings are split into two separate files, which are imported into EDS:
• VPN settings – common part: describes all the settings that are common to the devices, such as the VPN gateway address, the VPN policy (PSK, …), etc.
• VPN settings – device part: describes the per-device settings, such as the user login and user password for VPN authentication, and the mandatory VPN PIN code which, as in manual configuration, protects the local VPN menu. See chapter 2.12.1 for detailed VPN settings.


The next diagram describes the high-level workflow.

5.4.3 Pre-requisites for reaching EDS by NOE phones

The NOE terminal reaches EDS at boot in the following cases:
• Out of the box or after a reset to factory defaults, in DHCP (dynamic) mode, if the phone does not find a TFTP address configured manually or in the DHCP option returned by the DHCP server.
• In DHCP mode and not in DHCP survivability, if the DHCP “next server” option is equal to the Router/Gateway field returned by the DHCP server (case of French ISP boxes/routers such as Freebox, Orange, SFR, …).
• In DHCP mode and not in DHCP survivability, if it detects a previous failure in getting the lanpbx file (e.g. no TFTP response, meaning none of the two configured TFTP addresses responds).
• In VPN mode, at boot, when it detects a previous VPN connection failure (for example when a VPN parameter changed on the server side, or the server was simply down), or when it fails to reach the TFTP server.
• In static mode, when the TFTP address has not been configured manually.

The following cases may prevent the phone from reaching EDS:
• A static IP address entered that does not correspond to the network the phone is installed on.
• A VLAN or User Class defined when running on a home network (remote worker).
To prevent any issue with the easy deployment through EDS, it is recommended to first reset the settings to the factory defaults (“Reset to Defaults” menu in the local Config MMI of the phone).
Out-of-the-box phones are ready to use; there is no need to reset them to factory settings.


5.5 Provisioning process, step by step


The main steps are the following:
Step 1: create the VPN common part XML file
Step 2: create the VPN device part Excel file
Step 3: create the VPN profile in EDS
Step 4: create the devices in EDS and map them to the profile
Depending on the security policy required, several methods can be used to provision the VPN settings:
• Low security level: the same credentials for all users/devices. In that case the VPN PSK, VPN username and VPN user password (if authentication is required) are identical, and a single VPN common part XML file is enough; there is no need to create/import a VPN profile per device in the Pre-configure area of the device menu. Any one phone then holds the credentials of the whole site, and revoking one device means changing them for all (see § 5.7).
• Medium security level: the same VPN PSK for all users/devices and a unique VPN username/password per user. Then the VPN common part XML (with the PSK) and the VPN device part (with the username/password) must both be imported into EDS.
• High security level: a unique VPN PSK, VPN username and password per device. Then the VPN common part XML and the VPN device part (with PSK and username/password) must be imported into EDS.
If different VPN servers are used, a dedicated profile should be created for each. Profiles may also be used to manage several customer sites for the Administrator.
The next steps describe a “medium security level” example.

5.5.1 Step1 : create VPN common part xml file


5.5.1.1 Overview
• The Admin gets the ALE Excel VPN “Common template” describing the common part, which is included/attached in this document.
• The Admin creates the VPN settings common part Excel file from the Common template, configuring the common VPN settings that describe the target VPN connections, using the standard editor/tool available on a PC/laptop.
• The Admin exports that Excel file into an XML file.

5.5.1.2 Detailed procedures

Below is an example of the VPN Excel Common template for the common part.
Each cell shows the description of the setting when it is clicked, together with the possible values to be selected.

Note: the column “override” should be set to true for future compatibility. This parameter is not read by the phones and is considered as always set to true.
In consequence ALL VPN parameters coming from EDS override the corresponding local parameter values.


Once the Excel file is filled in, it must be exported into an XML file.

If the Developer menu does not appear, see Appendix 2 of this chapter to display it.
An example of the generated XML file is given in Appendix 3.

5.5.2 Step2: create VPN device part excel file


5.5.2.1 Overview
• The Admin gets the ALE Excel VPN “Specific template” describing the device part, which is included/attached in this document.
• The Admin creates the VPN settings device part Excel file from the Specific template, configuring the specific VPN settings for each device (Xauth credentials, PIN code).
Note: this file is needed because the PIN code is mandatory to enable the VPN.

5.5.2.2 Detailed procedures

Below is an example of the ALE Excel Specific template for the device part, which allows the MAC addresses to be imported in “bulk” mode.

The Profile Name must be the exact profile name defined in EDS.
The Remark column is an optional information field, which can be filled with any characters.
In that example, VpnUser and VpnPasswd are unique per device/user. As said above, if these credentials are identical for all devices/users, they can either be duplicated for each device MAC address in that file or be defined (VpnUser, VpnPasswd, VpnPincode, VpnPincodeEnable) in the VPN Common template file instead.

Note: to ensure the password can be entered from the phone interface if needed, refer to the supported character set in chapter 2.4.1.2.


5.5.3 Step3: create VPN profile in EDS


5.5.3.1 Overview
• The Admin logs in to EDS (see chapter 5.3) and creates a new VPN profile.
• The Admin imports the VPN settings common part XML file into the Pre-configure area of that profile.

5.5.3.2 Detailed procedures

In the EDS home page, go to Profile management and click on Add.

Enter the name of the profile for provisioning the VPN settings and click on the Pre-configure area.

In that Pre-configure area, import the XML file generated at step 1.


When the file is imported, the Pre-configure area is filled with the XML settings.

Then click OK twice to save the newly created profile.

5.5.4 Step4: create devices in EDS and map them to the profile
5.5.4.1 Overview
• The Admin goes to the Device management menu and either
  o types in the information phone by phone, or
  o imports the VPN settings Specific template Excel file. Here there is no need to convert to XML: native Excel is supported.
• EDS then creates all the device entries, with their Pre-configure area filled with the specific VPN settings in XML form.


5.5.4.2 Detailed procedures

From the Device management menu, add the devices individually or in “bulk” mode.

5.5.4.2.1 Adding devices one by one:

Click on the Add button.

Select the VPN profile created at step 3, fill in the MAC address and click on Add; then click on the Pre-configure area and enter the following XML line, which is the minimum mandatory parameter needed:
<setting id="VpnPincode" value="1234" override="true"/>
And disable the PIN code request at phone start to have a zero touch deployment (optional, see § 5.7):
<setting id="VpnPincodeEnable" value="disable" override="true"/>
If this is omitted, the Admin must give the defined PIN code to the end user in order to start the VPN.
Then click OK twice to save this device. In that case, the VPN credentials for the user/device are those configured in the VPN profile.

To fill the Pre-configure area of that device with its specific credentials instead, either configure the VPN settings directly in XML format, or import an Excel device file containing only the credentials of that device/user (see the next section for importing an Excel file).


As the PIN code is mandatory to start the VPN, the minimum content of the Pre-configure area is the first line of the following picture:
<setting id="VpnPincode" value="1234" override="true"/>

5.5.4.2.2 Adding devices in bulk mode:

Click on the Import button in Device management.

Then import the VPN Specific template Excel file describing the devices and their credentials.

When the import process has completed correctly, the result is displayed on the screen.


Then the Device management menu displays all the newly imported devices. Some columns can be checked:
• Binding time: time at which the device MAC address was associated with the profile.
• Last connected time: last time at which the phone reached EDS. It does not indicate that the VPN settings were correctly taken into account by the phone. When the entry is empty, the phone never reached EDS.

The specific VPN settings of a device can be checked by editing the device and clicking on the Pre-configure area: the XML VPN settings are displayed.


Note: if the same setting is defined both in the Pre-configure area of the profile and in the Pre-configure area of the device, the value in the device part takes priority.
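The split described in § 5.4.2 and the precedence rule just stated can be exercised offline. The following Python script is an added example, not a tool from ALE or from this guide: it builds per-device Pre-configure XML from rows shaped like the Specific template, merges them with a common part (device value wins), and flags combinations that would leave the phone unable to start its tunnel or with a weak IKE setting. The `<setting override value id>` element form is the one shown in Appendix 3; the host names, MAC addresses, credentials and all helper names are constructed for the example, and nothing here talks to EDS.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of the common part (what Step 1 exports and Step 3 imports
# into the profile's Pre-configure area): "medium" level, shared PSK, per-user Xauth.
COMMON_XML = """<?xml version="1.0" encoding="UTF-8"?>
<settings>
  <setting override="true" value="enable" id="VpnEnable"/>
  <setting override="true" value="FQDN" id="VpnServerType"/>
  <setting override="true" value="vpn.example.test" id="VpnServerFqdn"/>
  <setting override="true" value="IKEV2" id="VpnIkeVersion"/>
  <setting override="true" value="SharedSitePSK" id="VpnPSK"/>
  <setting override="true" value="enable" id="VpnAuthEnable"/>
</settings>
"""

# Constructed rows mirroring the Specific template columns (Profile Name, MAC, VpnUser, ...).
DEVICE_ROWS = [
    {"Profile Name": "RW-Site1", "MAC": "00:80:9F:AA:BB:01", "VpnUser": "phone01",
     "VpnPasswd": "s3cret-01", "VpnPincode": "4821", "VpnPincodeEnable": "disable"},
    {"Profile Name": "RW-Site1", "MAC": "00809faabb02", "VpnUser": "phone02",
     "VpnPasswd": "s3cret-02", "VpnPincode": "7710", "VpnPincodeEnable": "enable"},
]

MAC_RE = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Accept 00:80:9F:AA:BB:01, 00-80-9f-aa-bb-01 or 00809faabb01; return a canonical form."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not MAC_RE.match(hexdigits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_settings(xml_text: str) -> dict:
    """Read a <settings> document into {id: value}; a duplicated id keeps the last value."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "settings":
        raise ValueError(f"expected <settings> root, got <{root.tag}>")
    return {s.get("id"): s.get("value") for s in root.iter("setting")}


def device_part_xml(row: dict) -> str:
    """Build the per-device Pre-configure XML. VpnPincode is mandatory; the other
    keys are copied only when the row provides them."""
    if not row.get("VpnPincode"):
        raise ValueError("VpnPincode is mandatory for every device")
    root = ET.Element("settings")
    for key in ("VpnPincode", "VpnPincodeEnable", "VpnUser", "VpnPasswd", "VpnPSK"):
        if row.get(key):
            ET.SubElement(root, "setting", override="true", value=row[key], id=key)
    return ET.tostring(root, encoding="unicode")


def effective_settings(common_xml: str, device_xml: str) -> dict:
    """Merge as the phone sees it: a setting present in both takes the device value."""
    merged = parse_settings(common_xml)
    merged.update(parse_settings(device_xml))
    return merged


def check_effective(s: dict) -> list:
    """Findings that would leave the phone unable to start its tunnel, or weakly configured."""
    findings = []
    if s.get("VpnEnable") != "enable":
        findings.append("VpnEnable is not 'enable'")
    server_field = {"IPv4": "VpnServer", "IPv6": "VpnServer6", "FQDN": "VpnServerFqdn"}
    field = server_field.get(s.get("VpnServerType"))
    if not field or not s.get(field):
        findings.append(f"no VPN server address for VpnServerType={s.get('VpnServerType')!r}")
    for key in ("VpnPSK", "VpnPincode"):
        if not s.get(key):
            findings.append(f"{key} missing (mandatory)")
    if s.get("VpnAuthEnable") == "enable" and not (s.get("VpnUser") and s.get("VpnPasswd")):
        findings.append("Xauth enabled but VpnUser/VpnPasswd missing")
    if s.get("VpnIke1Aggressive") == "enable":
        findings.append("IKEv1 aggressive mode exposes the PSK hash; prefer main mode or IKEv2")
    return findings


def build_bulk(rows) -> dict:
    """{canonical MAC: (profile name, device XML)} for a whole Specific template."""
    out = {}
    for row in rows:
        mac = normalize_mac(row["MAC"])
        if mac in out:
            raise ValueError(f"duplicate MAC {mac}")
        out[mac] = (row["Profile Name"], device_part_xml(row))
    return out


if __name__ == "__main__":
    for mac, (profile, xml) in build_bulk(DEVICE_ROWS).items():
        eff = effective_settings(COMMON_XML, xml)
        print(mac, profile, check_effective(eff) or "OK")
```

Running the script with a real Specific template converted to rows gives, per phone, the settings the device will actually apply after the profile/device merge; a non-empty finding list is a phone that will reboot in a loop or prompt the user at every boot. The IKEv1 aggressive-mode check is mine, not a rule from the guide: the mode sends the PSK-derived hash unencrypted, which allows an offline dictionary attack on the PSK.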

5.6 Modifying the VPN settings

The VPN settings provisioned by the EDS server are taken into account at the first boot step of the phone.
Once the VPN tunnel is successfully set up, the phone does not reach EDS at the next boot and uses the VPN settings saved in its memory.
When some settings change in EDS (password, security policy, …), the phone has to reach EDS to download them. There is no notification mechanism from EDS to the phone. The cases in which the phone gets the VPN settings from EDS are:
• NOE phone out of the box.
• Reset to factory defaults of the NOE phone.
• VPN connection failure detected by the phone at boot (automatic): the phone boots in VPN mode and tries to start the VPN tunnel. If it fails after several retries, the phone reaches EDS.
• Last VPN connection failure memorized by the phone generated a reset (automatic): the phone is running a VPN tunnel, the tunnel is stopped for any reason (new PSK at the VPN gateway side, …), the phone memorizes this VPN failure, resets and reaches EDS at startup.
• The VPN succeeded but the TFTP server is not reachable, which after a while leads to a phone reset. At startup it reaches EDS.

Therefore, when the security data of a running VPN needs to be changed, it is recommended to:
• First edit the relevant data in EDS: the configuration files are then ready with the new parameters. Most of the phones are still running their VPN, and if they restart they continue with the parameters saved locally. The end user is not impacted.
• Then change the settings in the VPN server: as soon as the changes are committed, the phones lose their VPN connection and reset to get the new configuration from EDS.
When settings need to be modified in EDS, several methods can be used depending on the extent of the changes:
• Editing the Pre-configure area of the profile or of the device and modifying the XML directly.
• Or deleting the Pre-configure area of the profile and importing a new XML file.
• Or deleting the device objects and importing a new devices Excel file.

5.7 Zero touch deployments

The standard deployment method needs access to the phone's local MMI to enter parameters. This is still available. Depending on the configuration chosen, the end user may need to enter a PIN code to start up the VPN.
But it is possible to have a full zero touch deployment of the VPN settings from the end user's point of view, meaning no manual action at all on the phone.
For this, the setting VpnPincodeEnable must be configured with disable (a PIN must still be defined). The phone then does not ask the user for a PIN code at each VPN tunnel connection (at each boot); the PIN is defined by the configuration file (if provided) and is requested only to access the VPN configuration in the phone.
This also improves the security of the solution. The user does not know the PIN code, so cannot access the VPN credentials in the local MMI of the phone. After 5 wrong attempts on the VPN menu, all the saved VPN settings are erased; the phone then tries to reach EDS again for a configuration and becomes functional again.
It is also easy to centrally revoke a stolen installed phone based on its MAC address, even in low or medium security level deployments:
• Remove the stolen phone's MAC address from the EDS lists,
• AND trigger a VPN connection failure by changing the connection parameters on the VPN server.
The phones that lose their VPN connection then start a new connection attempt to EDS to get the right parameters; the stolen phone reboots in a loop since there are no longer any parameters for it. Until the VPN server parameters are changed, the stolen phone keeps working with the settings saved in its memory, so the second step is not optional.
For high security level deployments (each phone has its own credentials), the revocation can be done on the VPN server side only.

5.8 Moving the phone between inside and outside of the company
It is possible to use the same phone sometimes inside the company, connected to the LAN, and sometimes as a home worker, going through a VPN over the Internet.
The switch from company to home and back can be made easy for the end user (no action at all, just plugging the phone in) by following these rules:
• Dynamic IP mode. Any static setting in the phone for the company LAN leads to a failure to get the Internet connection from home.
• DHCP: no User Class forced through the phone menu.
• VLAN: no VLAN forced through the phone menu.
The User Class and VLAN, if needed inside the company network, can be provisioned through DHCP options configured in the DHCP server.
These are the default settings after a Reset to Defaults action through the local MMI menu.
Combined with the setting VpnPincodeEnable=disable mentioned in the previous chapter, this gives a fully automatic capability of moving the phones.


5.9 Appendix

5.9.1 APPENDIX 1: List of VPN settings


The available settings related to VPN are listed below (x = mandatory):

Setting             Description                                                   Default value        Mandatory
VpnEnable           Enable/disable VPN                                            disable
VpnServer           VPN server IPv4 address                                                            x
VpnServerType       Type of VPN server address (IPv4, IPv6, FQDN)                 IPv4
VpnServer6          VPN server IPv6 address
VpnServerFqdn       VPN server FQDN
VpnIkeVersion       VPN IKE version (IKEv1 or IKEv2)                              IKEV1
VpnPSK              VPN PSK key                                                                        x
VpnIke1Aggressive   VPN IKEv1 aggressive mode enable/disable                      disable
VpnIkeForceEncap    VPN IKE force encapsulation enable/disable                    disable
VpnPincode          VPN PIN code                                                                       x
VpnPincodeEnable    VPN PIN code authentication enable/disable. Requests the      disable
                    user to enter (or not) the PIN code at each VPN connection
VpnAuthEnable       VPN user authentication (Xauth) enable/disable                disable
VpnUser             VPN user name
VpnPasswd           VPN user password
VpnVipsEnable       Static virtual IP address enable/disable. Forces the phone    disable
                    to manage its virtual address by itself
VpnVipsAddr         Static virtual IP address                                     180.178.000.000 (1)
VpnUseLocalID       Force local-ID (ON/OFF)                                       OFF
VpnLocalID          Local-ID (string)
VpnTftpEnable       Overrides the TFTP address                                    disable
VpnTftpAddr0        OXE/OXO TFTP 1 IP address                                     0.0.0.0
VpnTftpAddr1        OXE/OXO TFTP 2 IP address                                     255.255.255.255
VpnTftpPort         OXE/OXO TFTP port                                             69

Note (1): the VIP is a random number starting with 180.178.
Keep VpnIke1Aggressive at its default: IKEv1 aggressive mode sends the PSK-derived hash unencrypted, which allows an offline dictionary attack on the PSK.


5.9.2 APPENDIX 2: adding the Developer menu in Excel

If the Developer menu (tab) is not displayed in the Excel ribbon, activate it by selecting File / Options / Customize
Ribbon and ticking Developer.


5.9.3 APPENDIX 3: Example of an XML file usable for common settings

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<settings>
  <!-- Run mode: switch to SIP or not -->
  <setting override="true" value="SIP" id="RunMode"/>
  <!-- Global OXE/OXO server; these settings are not used for VPN -->
  <setting override="true" value="www.xxx.yyy.zzz" id="TftpAddr0"/>
  <setting override="true" value="0.0.0.0" id="TftpAddr1"/>
  <setting override="true" value="69" id="TftpPort"/>
  <!-- VPN parameters -->
  <setting override="true" value="enable" id="VpnEnable"/>
  <!-- VpnServerType allowed values: "IPv4", "IPv6", "FQDN" -->
  <setting override="true" value="IPv4" id="VpnServerType"/>
  <setting override="true" value="aaa.bbb.ccc.ddd" id="VpnServer"/>
  <setting override="true" value="::" id="VpnServer6"/>
  <setting override="true" value="" id="VpnServerFqdn"/>
  <!-- Placeholder secrets: replace the PSK, XAuth credentials and PIN with site-specific values -->
  <setting override="true" value="ThisIsTheKey" id="VpnPSK"/>
  <setting override="true" value="IKEV1" id="VpnIkeVersion"/>
  <setting override="true" value="disable" id="VpnIke1Aggressive"/>
  <setting override="true" value="disable" id="VpnIkeForceEncap"/>
  <setting override="true" value="enable" id="VpnAuthEnable"/>
  <setting override="true" value="Bob" id="VpnUser"/>
  <setting override="true" value="BobPassword" id="VpnPasswd"/>
  <setting override="true" value="8246" id="VpnPincode"/>
  <setting override="true" value="disable" id="VpnPincodeEnable"/>
  <setting override="true" value="disable" id="VpnVipsEnable"/>
  <setting override="true" id="VpnVipsAddr"/>
  <!-- VpnUseLocalID allowed values: ON/OFF -->
  <setting override="true" value="OFF" id="VpnUseLocalID"/>
  <setting override="true" id="VpnLocalID"/>
  <!-- OXO/OXE server information used while on VPN -->
  <setting override="true" value="enable" id="VpnTftpEnable"/>
  <setting override="true" value="ddd.eee.fff.ggg" id="VpnTftpAddr0"/>
  <setting override="true" id="VpnTftpAddr1"/>
  <setting override="true" value="69" id="VpnTftpPort"/>
</settings>

Note: this file is a global template covering several scenarios (VPN provisioning, switching from NOE to SIP,
provisioning the OXE/OXO TFTP address on a LAN without VPN).
The settings RunMode, TftpAddr0, TftpAddr1 and TftpPort are not used for VPN settings provisioning; while on
VPN the phone uses VpnTftpAddr0, VpnTftpAddr1 and VpnTftpPort when VpnTftpEnable is set to enable.
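The following checker is an added example, not ALE code and not part of this guide. It parses a settings file in the `<settings>/<setting override id value/>` format of Appendix 3, applies the mandatory marks and allowed values of the Appendix 1 table, checks that the address field matching VpnServerType is actually filled, and then flags the choices a security reviewer would question before the file is pushed to the phones. The sample file, its RFC 5737 documentation addresses and credentials are constructed; the PSK length threshold and the warnings are this example's own policy, not rules stated in the guide.

```python
"""Checker for the deskphone <settings> XML template of Appendix 3.

Added example, not ALE code. Setting ids, default values and mandatory
marks follow the Appendix 1 table; the security warnings (PSK length,
aggressive mode, PIN) are this example's own policy (assumptions).
"""
import ipaddress
import xml.etree.ElementTree as ET

# Allowed values, compared case-insensitively because the guide writes
# both "IPV4" (table) and "IPv4" (XML template).
ON_OFF = {"enable", "disable"}
ALLOWED = {k: ON_OFF for k in ("VpnEnable", "VpnIke1Aggressive", "VpnIkeForceEncap",
           "VpnPincodeEnable", "VpnAuthEnable", "VpnVipsEnable", "VpnTftpEnable")}
ALLOWED.update({"VpnServerType": {"ipv4", "ipv6", "fqdn"},
                "VpnIkeVersion": {"ikev1", "ikev2"}, "VpnUseLocalID": {"on", "off"}})
MIN_PSK_LEN = 20  # assumption of this example, not a value from the guide


def parse_settings(xml_text):
    """Return {id: value} for every <setting>; a missing value attribute maps to ''."""
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    if root.tag != "settings":
        raise ValueError("root element must be <settings>")
    return {s.get("id"): s.get("value", "") for s in root.iter("setting") if s.get("id")}


def _is_ip(value, version):
    try:
        return ipaddress.ip_address(value).version == version
    except ValueError:
        return False


def validate(cfg):
    """Return (errors, warnings): errors would stop provisioning, warnings are security findings."""
    errors, warnings = [], []
    val = lambda k: cfg.get(k, "")
    low = lambda k: val(k).lower()
    for key, allowed in ALLOWED.items():
        if key in cfg and low(key) not in allowed:
            errors.append(f"{key}={val(key)!r} not in {sorted(allowed)}")
    # Mandatory in the table: the server address, the PSK and the PIN code.
    # Which address field the phone reads depends on VpnServerType (default IPv4).
    stype = low("VpnServerType") or "ipv4"
    if stype == "ipv4" and not _is_ip(val("VpnServer"), 4):
        errors.append("VpnServerType=IPv4 but VpnServer is not a valid IPv4 address")
    elif stype == "ipv6" and not _is_ip(val("VpnServer6"), 6):
        errors.append("VpnServerType=IPv6 but VpnServer6 is not a valid IPv6 address")
    elif stype == "fqdn" and not val("VpnServerFqdn"):
        errors.append("VpnServerType=FQDN but VpnServerFqdn is empty")
    for key in ("VpnPSK", "VpnPincode"):
        if not val(key):
            errors.append(f"{key} is mandatory but empty or absent")
    if low("VpnAuthEnable") == "enable" and not (val("VpnUser") and val("VpnPasswd")):
        errors.append("VpnAuthEnable=enable requires VpnUser and VpnPasswd")
    if low("VpnTftpEnable") == "enable" and not _is_ip(val("VpnTftpAddr0"), 4):
        errors.append("VpnTftpEnable=enable but VpnTftpAddr0 is not a valid IPv4 address")
    if low("VpnVipsEnable") == "enable" and not _is_ip(val("VpnVipsAddr"), 4):
        errors.append("VpnVipsEnable=enable but VpnVipsAddr is not a valid IPv4 address")
    # Security findings (this example's policy).
    if low("VpnIke1Aggressive") == "enable":
        warnings.append("IKEv1 aggressive mode sends a PSK-derived hash that can be cracked offline")
    if len(val("VpnPSK")) < MIN_PSK_LEN:
        warnings.append(f"VpnPSK shorter than {MIN_PSK_LEN} characters")
    if low("VpnPincodeEnable") != "enable":
        warnings.append("VpnPincodeEnable=disable: a stolen phone connects without a PIN")
    return errors, warnings


# Constructed sample, not a real site: RFC 5737 documentation addresses, made-up secrets.
SAMPLE = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<settings>
  <setting override="true" value="enable" id="VpnEnable"/>
  <setting override="true" value="IPv4" id="VpnServerType"/>
  <setting override="true" value="192.0.2.10" id="VpnServer"/>
  <setting override="true" value="IKEV1" id="VpnIkeVersion"/>
  <setting override="true" value="disable" id="VpnIke1Aggressive"/>
  <setting override="true" value="x7Qm-2LpV-9zRt-4HwN-8bKc" id="VpnPSK"/>
  <setting override="true" value="enable" id="VpnAuthEnable"/>
  <setting override="true" value="phone-1001" id="VpnUser"/>
  <setting override="true" value="Kx9vQ2mLp4" id="VpnPasswd"/>
  <setting override="true" value="8246" id="VpnPincode"/>
  <setting override="true" value="enable" id="VpnPincodeEnable"/>
  <setting override="true" value="enable" id="VpnTftpEnable"/>
  <setting override="true" value="198.51.100.5" id="VpnTftpAddr0"/>
</settings>
"""
# Same file with the short PSK and disabled PIN of the Appendix 3 template, plus aggressive mode.
SAMPLE_WEAK = (SAMPLE
    .replace('value="disable" id="VpnIke1Aggressive"', 'value="enable" id="VpnIke1Aggressive"')
    .replace('value="enable" id="VpnPincodeEnable"', 'value="disable" id="VpnPincodeEnable"')
    .replace("x7Qm-2LpV-9zRt-4HwN-8bKc", "ThisIsTheKey"))

if __name__ == "__main__":
    for name, text in (("hardened", SAMPLE), ("weak", SAMPLE_WEAK)):
        print(name, *validate(parse_settings(text)))
```

Run it on the real template before uploading it to the provisioning server: the hardened sample yields no errors and no warnings, the weak variant yields no errors but three warnings. The errors list catches the mismatch that silently breaks zero-touch deployment (for example VpnServerType=FQDN with an empty VpnServerFqdn), and the warnings list is the place to encode site policy such as a minimum PSK length.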

END OF DOCUMENT
