Nortel has released UNIStim firmware 4.0 for their IP phones:
- 0621C7A for IP Phone 2007,
- 0623C7F, 0624C7F, 0625C7F and 0627C7F for IP Phone 1110, 1120E, 1140E and 1150E respectively and
- 062AC7F for IP Phone 1210, 1220, and 1230
No UNIStim software release 4.0 is being offered for the Phase II IP Phone 2001, Phase II IP Phone 2002, and Phase II IP Phone 2004. The Nortel IP Phone 200x series (except the 2007) was manufacture discontinued as of November 29, 2009.
The enhancements available with UNIStim software release 4.0 for IP Phones include:
- UNIStim VPN Client (UVC) in the IP Phone 1100 series
- Feature and Application Licensing
- Secure Signaling using DTLS
- Secure Call Recording (SCR)
- Designed for Operability (DfO)
- Enhancements to Certificate Support
The product bulletin for the 4.0 release listed the same fixes (two of which were for the 2004 model) as the previous UNIStim 3.4 release. I’m going to guess that someone forgot to update that section of the product bulletin with some relevant information.
The big news with this release is the built-in VPN client for the IP Phone 1100 series, the UNIStim VPN Client (UVC). Unfortunately this initial release doesn’t support encrypting/tunneling the traffic to/from the PC port; only the traffic to/from the Signaling Server and Voice Gateway Media Cards is encrypted with the VPN connection. The initial release is certified to work with the Nortel VPN Router (NVR) family running software release 8.00 or greater. (NVR software release 8.00 has been qualified on the NVR 1010, 1050, 1100, 600, 1600, 17xx, 27x0, 4600 and 5000.)
Please refer to the release notes and the product bulletin for complete details.
Cheers!
Gord says
Not encrypting the traffic through the PC port was deliberate to prevent a huge security hole. Take an example of a home user connecting a WiFi router into the PC port and unintentionally not using any security over the WiFi. Any drive-by/neighbour WiFi snooper would then have direct access into your corporate network if the data through the PC port was also tunneled over the VPN.
Michael McNamara says
Hi Gord,
It would have been nice for Nortel to have left that decision up to the user/customer. I wonder how difficult MAC security would be to implement on the PC port?
In any event I can understand the desire to keep voice and data traffic separate and as you commented a lot of organizations already have remote access solutions in place.
Thanks for the comment!
Steve says
Has anyone attempted to configure this tunnel with a software release lower than 8?
Michael McNamara says
Hi Steve,
I haven’t personally tried it but I’ve learned over the years that just because something isn’t supported doesn’t necessarily mean it won’t work. With that said if you did get it to work you might have to weigh the risk of going into a production environment with an unsupported configuration.
I have two 1700s and one 1740 all running 7.x software. I could probably test it out for you if you are really curious… or it might become immediately clear that it won’t work without some feature in 8.x software.
Cheers!
Gord says
UNIStim 4.1 was just released. It allows interop between the UNIStim VPN Client in the 1120E/1140E/1150E/1165E and Avaya (formerly Nortel) VPN Gateway family running software release 8.01 or greater.
jephph says
We are using a Contivity 1010 running version 4_85.160 and it terminates these 11xx tunnels without a problem. As a matter of fact, they work great.
Michael McNamara says
Hi Jephph,
Thanks for sharing that information… when I have the opportunity I hope to test the 1120e UVC with the Nortel VPN Router 1700 running V07_05.350.
Thanks again!
Former Nortel expert says
There are SIP versions of firmware available for the 1165E, and the rest of the 11x0E family as well. The recent SIP firmware loads have much higher levels of security than what is offered with UNIStim.
khalil abua asal says
Hi all,
I’m intending to establish a VPN connection between a Nortel 1140E phone behind an ADSL SOHO router and a Cisco ASA 5510 appliance, but the connection doesn’t come up. I configured the PSK user ID and password and the XAUTH user ID and password on the phone, but with no use. The error that keeps showing up on the Cisco ASA is:
unknown tunnel-group id.
Can anyone confirm to me if the VPN client on the Nortel 1140E phone is compatible with Cisco ASA appliances or not?
Regards
gwebster says
The integrated VPN Client in the 1140E is only tested for compatibility with Avaya (formerly Nortel) appliances.
novice says
Has anyone tried and got this working with Cisco ASA? I can’t imagine Avaya would have made a custom IPSec client and not just natively create an IPSec client that is universal. I mean IPSec is IPSec.
Michael McNamara says
Hi Novice,
I’m not so sure I would agree with your assumption that IPSec is IPsec. I’ve had years of pure fun (being cynical) building branch VPN tunnels across different platforms using Cisco, Nortel, CheckPoint, Juniper, Linux, etc.
It’s possible that it might work but someone needs to test it out and see if it actually works.
Thanks for the comment!
Christopher Green says
I’ve attempted to get this working but it appears there is an IKEv1 Policy Mismatch as every attempt displays “All IKE SA proposals found unacceptable!”.
Does anyone know what IKE Proposals the 1140e sends at phase 1?
Chris.
colin ryan says
I’ve been fighting this for days. I think the answer per usual is too bad so sad. It appears that the Avaya/Nortel VPN client sends a proprietary attribute. I see this causing no proposal match on my ipsec-tools (Linux racoon) implementation against a profile that regularly works with “Cisco VPN” profiles (i.e. iOS, Mac, Windows Cisco). So once again vendor BS goes beyond “not supported” to “doesn’t work”.
Michael McNamara says
Hi Colin,
I know the UNIStim VPN Client (UVC) worked fine between an 1120E and an Avaya VPN 1700 Router.
You’re suggesting that Avaya intentionally made it incompatible with third-party VPN routers? I don’t know if that’s the case or if there was some underlying technical issue. I don’t ever believe reading that the UVC was intended to be used with anything other than an Avaya VPN router so I’m not sure it was even in the “not supported” realm.
Thanks for the comment!
colin ryan says
You know as well as I know that “intentional” in this business is a grey area. I don’t pretend to be a know it all in this area especially on the phone side, but as far as I can seem to tell no-one has gotten this to connect with an ASA for example on recent UNIStim firmwares. And as I said I have a racoon profile that works for Cisco Windows client, OSX Cisco Client and iOS Cisco Client…fails with “Avaya VPN” as the protocol for UNIStim… which is the only available option as far as I can see for PSK/XAuth authentication.
IPSec is and always has been a messy combination of too many options and too many implementations. No surprise I suppose that they expect “all in” with Avaya platforms as the only supported. So far I’ve had no luck, I even hacked racoon to simply accept the offending proposal attribute…gets past that phase but doesn’t seem to be handling the NAT-T payloads in the next step…but I could easily be missing something. Shame really, I was hoping I could support these phones on an open platform. But even the Avaya VPN Windows client sends the 32767 attribute and on top of that sends DH 8 which I believe is some Elliptical curve stuff which racoon developers have stated they will not implement as there are patentable elements in those areas.
Cheers
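
An added diagnostic sketch for the proposal mismatch discussed in the comments above (not code from the post, its commenters, or any vendor): it decodes the chained Transform payloads of an IKEv1 phase 1 proposal and lists what a responder would refuse. The byte string is constructed for illustration; only attribute type 32767 and DH group 8 come from the thread, while the attribute's value, the other transform fields and the `supported_groups` set are assumptions.

```python
import struct

PRIVATE_USE = range(16384, 32768)  # RFC 2409: private use between consenting peers

# Constructed sample: two chained Transform payloads. Only attribute type 32767
# and DH group 8 come from the thread; every other byte is an assumption.
SAMPLE = bytes.fromhex(
    "0300001c01010000" "80010005" "80020002" "80030001" "80040008" "ffff0001"
    "0000002402010000" "80010005" "80020002" "80030001" "80040002" "800b0001"
    "000c000400015180")


def parse_attributes(data):
    """Decode ISAKMP data attributes: TV when the AF bit is set, TLV otherwise."""
    attrs, off = [], 0
    while off + 4 <= len(data):
        word, second = struct.unpack_from("!HH", data, off)
        off += 4
        if word & 0x8000:                 # AF=1: 'second' is the value itself
            value = second
        else:                             # AF=0: 'second' is the value length
            value = int.from_bytes(data[off:off + second], "big")
            off += second
        attrs.append((word & 0x7FFF, value))
    return attrs


def parse_transforms(buf):
    """Walk chained Transform payloads; return [(transform_number, attrs)]."""
    out, off = [], 0
    while off + 8 <= len(buf):
        _next, _rsv, length, number, _tid = struct.unpack_from("!BBHBB", buf, off)
        if length < 8 or off + length > len(buf):
            raise ValueError(f"bad transform length {length} at offset {off}")
        out.append((number, parse_attributes(buf[off + 8:off + length])))
        off += length
    return out


def audit(transforms, supported_groups):
    """List what a responder limited to supported_groups would not accept."""
    findings = []
    for number, attrs in transforms:
        for atype, value in attrs:
            if atype in PRIVATE_USE:
                findings.append(f"transform {number}: private-use attribute {atype}")
            elif atype == 4 and value not in supported_groups:  # 4 = Group Description
                findings.append(f"transform {number}: unsupported DH group {value}")
    return findings
```

Feeding it the Transform payload bytes from a packet capture of the phone's first Main or Aggressive Mode message, with `supported_groups` set to what the gateway is configured for, shows which offered transforms can never match.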