#############################################################
## Avaya 46VPN IP Telephone Settings Script
## File Created on: 05/21/2007
## See the LAN Administrators Guide for
## more details on using this file.
## Use "##" without quotes to comment out a line.
## To activate a setting below, set the parameter
## to the appropriate value for your network and
## remove the "## " from the beginning of the line.
## To include whitespace in a value,
## the entire value must be enclosed in double quotes.
## example:
## SET PARAM "value1 value2"
## To set different set types to different values, use
## the "IF" keyword statement.
## See the LAN Administrators Guide for more details.
## Some of the values listed below have default settings which
## are used by the IP Telephones even if they are commented out
## in this file. For a list of those settings and their default
## values, see the LAN Administrators Guide.
##
##
##############################################################################
## NOTE : It is highly recommended to use the 46vpnsetting_template.txt
## for building the customized 46vpnsetting.txt file for your VPN environment.
##############################################################################

## Variable Name : NVVPNMODE
## Valid Values
##   0 DISABLE
##   1 BOOT
##   2 SCRIPT
## Default Value
##   2 SCRIPT
## Description
##   This variable dictates when the VPN Client is started. If its value is
##   1, VPN Client is started immediately after TCP/IP stack is initialized.
##   If its value is 2, VPN Client is started after downloading and processing
##   script file(s) from file server.
## Example : Setting VPN startup mode to BOOT.
## SET NVVPNMODE 1

## Variable Name : NVVPNCFGPROF
## Valid Values
##   1 Avaya Security Gateway
##   2 Checkpoint
##   3 Cisco Xauth with Preshared Key
##   5 Juniper/Netscreen Xauth with Preshared Key
##   6 Generic Preshared key
##   8 Cisco xauth with certificates
##   9 Juniper Xauth with certificates.
##   11 Nortel Contivity
## Default Value
##   NONE
## Description
##   Set this to 1 if Security Gateway Vendor is Avaya.
##   Set this to 3 if Security Gateway Vendor is Cisco and Xauth is used for
##   authenticating phone user.
##   Set this to 5 if Security Gateway Vendor is Juniper, Xauth is used for
##   authenticating phone user.
##   Set this to 6 if Security Gateway Vendor does not support Xauth.
##   The following variables are set to the specified value when NVVPNCFGPROF = 1
##     NVIKECONFIGMODE 2
##   The following variables are set to the specified value when NVVPNCFGPROF = 3
##     NVIKECONFIGMODE 1
##     NVIKEIDTYPE 11
##     NVIKEXCHGMODE 1
##   The following variables are set to the specified value when NVVPNCFGPROF = 5
##     NVIKECONFIGMODE 1
##     NVIKEIDTYPE 3
##     NVIKEXCHGMODE 1
##   The following variables are set to the specified value when NVVPNCFGPROF = 6
##     NVIKECONFIGMODE 2
##     NVIKEIDTYPE 3
##     NVIKEXCHGMODE 1
##   The following variables are set to the specified value when NVVPNCFGPROF = 2
##     NVIKECONFIGMODE 1
##     NVIKEIDTYPE 11
##     NVIKEOVERTCP 1
##     NVIKEXCHGMODE 2
##   The following variables are set to the specified value when NVVPNCFGPROF = 11
##     NVIKECONFIGMODE 1
##     NVIKEIDTYPE 11
##     NVIKEXCHGMODE 1
##   The following variables are set to the specified value when NVVPNCFGPROF = 8
##     NVIKECONFIGMODE 1
##     NVIKEIDTYPE 11
##     NVIKEXCHGMODE 1
##   The following variables are set to the specified value when NVVPNCFGPROF = 9
##     NVIKECONFIGMODE 1
##     NVIKEIDTYPE 3
##     NVIKEXCHGMODE 1
## NOTE : SET commands for all the dependent variables mentioned above must
##   appear after the SET command for NVVPNCFGPROF.
## Example : Setting VPN Configuration profile to "Avaya Security Gateway"
## SET NVVPNCFGPROF 1

## Variable Name : NVVPNAUTHTYPE
## Valid Values
##   1 CHAP
##   2 PAP
## Default Value
##   2
## Description
##   This variable is valid only if NVVPNCFGPROF is 1. If the firmware version
##   of the Avaya Security Gateway is 4 or above, the default value need not
##   be changed.
## Example : Setting authentication method to CHAP
## SET NVVPNAUTHTYPE 1

## Variable Name : NVSGIP
## Valid Values
##   String. Length of the string cannot exceed 30 characters.
## Description
##   This variable contains the IP address or fully qualified domain name of
##   the primary security gateway.
## Example : Setting primarysg.mycompany.com as the primary security gateway's
##   FQDN.
## SET NVSGIP primarysg.mycompany.com
##
## Example : Setting 10.1.1.1 as the primary security gateway's IP address.
## SET NVSGIP 10.1.1.1

## Variable Name : NVBACKUPSGIP
## Valid Values
##   Comma separated multiple strings. Length of individual string must not
##   exceed 30 characters and total number of strings cannot exceed 4.
## Description
##   This variable contains the IP address or fully qualified domain name of
##   the backup security gateways. VPN Client tries to connect to the security
##   gateways in this list if it could not connect with the primary security
##   gateway.
## Example : Setting bk1sg.mycompany.com,bk2.mycompany.com and 10.1.1.2 as the
##   backup security gateways.
## SET NVBACKUPSGIP bk1sg.mycompany.com,bk2.mycompany.com,10.1.1.2

## Variable Name : NVVPNUSER
## Valid Values
##   String. Length of the string cannot exceed 30 characters.
## Description
##   This variable contains the VPN User Name. In most cases this value will
##   be unique to each phone and hence should not be specified here. However it
##   is possible to force the VPN client in the phone to use the phone's MAC
##   address or serial number as user name, thus eliminating the need for the
##   phone user to enter a user name via the phone keypad. In such cases you
##   need to add each phone's serial number or MAC address in your
##   authentication database.
## Example : Setting phone's MAC address as VPN user name.
## SET NVVPNUSER %MACADDR%
## Example : Setting phone's serial number as VPN user name.
## SET NVVPNUSER %SERIALNUM%

## Variable Name : NVVPNPSWDTYPE
## Valid Values
##   1 Save in Flash.
##   2 Erase on power-off.
##   3 Numeric One Time Password.
##   4 Alpha-Numeric One Time Password.
## Description
##   This variable determines how the password should be treated. By default
##   password type is set to 1. You must set this variable to 3 or 4 if
##   using a One Time Password such as SecurID from RSA.
## Note
##   Setting password type to 3 will not let the user select "Alphabets"
##   while entering the password. This might look like an obvious choice when
##   using RSA SecurID tokens. However under some conditions the user may
##   need to respond by entering 'y' or 'n' in the password field.
##   This could happen if the RSA ACE server is configured to generate a PIN
##   instead of letting the user select a PIN.
## Example : Setting password type to 2 (Erase on power-off)
## SET NVVPNPSWDTYPE 2

## Variable Name : NVVPNFILESRVR
## Valid Values
##   String. Length of the string cannot exceed 30 characters.
## Description
##   This variable contains the URL of the file server. A file server URL
##   consists of the following components
##   (1) Download Method (HTTP,HTTPS,TFTP).
##   (2) FQDN or actual IP address of the file server.
##   (3) Service port (80 for HTTP and 411 for HTTPS).
##   (4) Path (NONE).
##   All the components specified above except for the FQDN/IP Address have a
##   default value. If download method is omitted from the URL, the phone
##   attempts to download the script file using all the methods.
## Example
##   (1) SET NVVPNFILESRVR tftp://srv.domain.com/phone/
##   (2) SET NVVPNFILESRVR tftp://10.1.1.1/phone/
##   (3) SET NVVPNFILESRVR http://10.1.1.1:8080/phone
##   (4) SET NVVPNFILESRVR https://10.1.1.1/phone
##   (5) SET NVVPNFILESRVR 10.1.1.1
##   The 1st Example above will set the download method to TFTP,
##   TFTPDIR to phone and TFTP Server FQDN to srv.domain.com
##   The 2nd Example above will set the download method to TFTP,
##   TFTPDIR to phone and TFTP Server IP Address to 10.1.1.1
##   The 3rd Example above will set the download method to HTTP,
##   HTTP Server port to 8080, HTTPDIR to phone and HTTP Server
##   IP Address to 10.1.1.1
##   The 4th Example above will set the download method to HTTPS,
##   HTTP Server port to 1443, HTTPDIR to phone and HTTP Server
##   IP Address to 10.1.1.1
##   The 5th Example above will set the download method to ALL.
##   In this example the phone will first attempt HTTPS; if that fails
##   it tries HTTP and finally TFTP.
##
## Note : 4625 models do not support HTTPS or HTTP download method. If the
##   phone population consists of a mix of 4620SW and 4625 phones, use the IF
##   command to conditionally deliver File Server URLs.
##
## Note : Service port is ignored if download method is HTTPS or TFTP.
##
## Example : Delivering TFTP URL to 4625 models and HTTP to 4620SW and 4610
##   models. In this example we assume that TFTP and HTTP service is running
##   on the same machine.
##
## IF $MODEL4 SEQ 4625 goto tftpmethod
## SET NVVPNFILESRVR http://10.1.1.1
## goto flsrvrend
## # tftpmethod
## SET NVVPNFILESRVR tftp://10.1.1.1
## # flsrvrend

## Variable Name : NVVPNCOPYTOS
## Valid Values
##   1 YES
##   2 NO
## Description
##   Value of this variable decides whether TOS bits should be copied from
##   inner header to outer header or not. If its value is 1, TOS bits are
##   copied, otherwise not. By default TOS bits are not copied from inner
##   header to outer header.
##   Some Internet Service Providers don't route the
##   IP packets properly if TOS bits are set to anything other than 0.
##
## Example
## SET NVVPNCOPYTOS 1
## Note
##   It is highly recommended that this value should not be changed if phone
##   is downloading the script over the VPN tunnel in order to avoid
##   overriding end user setting due to ISP specific issues. For example you
##   can set this value to 1 while provisioning phone with VPN firmware so
##   that phone can take advantage of QOS service provided by home router, but
##   if the phone's ISP (few percent cases) does not properly handle the
##   packets with non-zero TOS bits in IP header, phone user will have to
##   revert this value back to 2. Under such circumstances it is desirable
##   that the user's choice doesn't get overridden every time script is
##   downloaded.
##
## Example : Setting NVVPNCOPYTOS to 1 if script is not downloaded over VPN
##   tunnel.
##
## IF $VPNACTIVE SEQ 1 goto skipcopytos
## SET NVVPNCOPYTOS 1
## # skipcopytos

## Variable Name : NVVPNENCAPS
## Valid Values
##   0 4500-4500
##   1 Disable
##   2 2070-500
##   4 RFC (As per RFC 3947 and 3948)
## Description
##   Type of UDP encapsulation method to use if there is a NAT device between
##   phone and the security gateway. By default UDP Encapsulation 4500-4500
##   is used.
##   If NVVPNENCAPS is 0, IKE negotiation starts with source port of 2070
##   and destination port 500. Negotiation switches to source port
##   4500 and destination port 4500 if peer supports port floating (Ref
##   RFC 3947,3948). Finally IPsec traffic is sent inside UDP packets
##   from/to port 4500 if supported by peer or port 2070<->500 if port
##   floating is not supported but UDP encapsulation is supported as
##   published in the initial draft versions of RFC 3947 and 3948.
##   If NVVPNENCAPS is 1, IKE NAT traversal is completely disabled.
##   If NVVPNENCAPS is 2, Port floating is disabled during IKE NAT traversal.
##   If NVVPNENCAPS is 4, IKE negotiation starts with source port of 500 and
##   destination port 500. Negotiation switches to source port 4500
##   and destination port 4500 if peer supports port floating (Ref RFC 3947
##   and 3948). Finally IPsec traffic is sent inside UDP packets from/to
##   port 4500 if supported by peer or port 500<->500 if port floating is
##   not supported but UDP encapsulation is supported as published in the
##   initial draft versions of RFC 3947 and 3948.
## Note
##   UDP Encapsulation causes overhead, hence it might be desirable to disable
##   UDP encapsulation if NAT device supports IPsec pass through and there is
##   only one IPsec client behind the NAT connecting to the same security
##   gateway. However not all devices support IPsec pass through, hence this
##   value must not be pushed if phone is downloading the script over the VPN
##   tunnel.
##
## Example : Setting NVVPNENCAPS to 1 if script is not downloaded over VPN tunnel.
##
## IF $VPNACTIVE SEQ 1 goto skipencaps
## SET NVVPNENCAPS 1
## # skipencaps
##
## The example above will set NVVPNENCAPS to 1 if script is not downloaded over the
## tunnel.

## Variable Name : NVVPNCONCHECK
## Valid Values
##   1 First time
##   2 Never
##   3 Always
## Description
##   A tunnel connectivity check is performed after tunnel is set up. If
##   connectivity check fails, tunnel is set up with a different encapsulation
##   method until all the available encapsulation methods are attempted or
##   connectivity check is successful. This variable decides if this check
##   should be performed at the end of tunnel setup process and if it has to
##   be performed, how it should behave in the event of connectivity check
##   failure. By default its value is 1, which means that tunnel connectivity
##   check is performed the very first time only and its value is changed
##   to 2 after completion of connectivity check (success or failure).
##   If this variable's value is 3, tunnel connectivity check is always
##   performed after tunnel is set up.
##
## Example : Disabling tunnel connectivity check.
## SET NVVPNCONCHECK 2

## Variable Name : VPNMONFRQ
## Valid Values
##   Integer greater than or equal to 5
## Description
##   If a syslog server IP address is specified (LOGSRVR) and VPNMONFRQ
##   contains a valid value, phone sends a syslog message every VPNMONFRQ
##   minutes. This message contains the following data points
##   (1) Duration for which phone has been up in minutes.
##   (2) Number of times phone lost contact with the Security Gateway but
##       successfully recovered without rebooting.
##   (3) IP Address of the Security Gateway to which the phone is connected.
##   (4) Cumulative IPsec stats (Packets sent, received, errors encountered)
##
## Example : Setting VPN monitoring frequency to 20 minutes
## SET VPNMONFRQ 20

########################################################################
## Variables listed below from this point onwards are not applicable  ##
## if NVVPNCFGPROF is 1                                               ##
########################################################################
#######

## Variable Name : NVIKEPSK
## Valid Values
##   String. Length of the string cannot exceed 30 characters.
## Description
##   Preshared Key to use during phase 1 negotiation.
## Note
##   It is recommended that the user enter his/her Preshared Key using the
##   phone's dialpad. However if you don't want to share the PSK with the end
##   user because it's common for multiple users, you can use this variable to
##   push the PSK (Group password) to each phone and the end user will never
##   know what the PSK is. But if you are doing this, make sure that the file
##   server is on an isolated network and is used only for provisioning
##   VPN parameters to the phones.
## Example : Setting abc1234 as Preshared Key
## SET NVIKEPSK abc1234

## Variable Name : NVIKEID
## Valid Values
##   String. Length of the string cannot exceed 30 characters.
## Description
##   Phone uses this string as IKE Identifier during phase 1 negotiation.
##   Some XAuth documentation refers to this variable as group name because
##   the same IKE Id is shared among a group of users and individual user
##   authentication is done using XAuth after establishing IKE phase 1
##   security association.
## Note
##   If this variable is left uninitialized, phone uses "VPNPHONE" as the IKE
##   Identifier.
##
## Example : Setting IKE Id as phones@sales.com
## SET NVIKEID phones@sales.com

## Variable Name : NVIKEIDTYPE
## Valid Values
##   1 IP Address
##   2 FQDN
##   3 User-FQDN (E-Mail)
##   9 Directory-Name
##   11 KEY-ID (Opaque)
## Description
##   Phone uses this variable as the IKE Identifier type for the
##   IKE-ID specified via NVIKEID variable.
## Note
##   This variable's default value depends on the value of variable
##   NVVPNCFGPROF.
##
## Example : Setting IKE ID type to FQDN
## SET NVIKEIDTYPE 2

## Variable Name : NVIPSECSUBNET
## Valid Values
##   Comma separated list of strings containing subnet and masks. Number of
##   strings cannot exceed 5.
## Description
##   This variable contains IP subnets protected by the security gateway.
##   By default phone assumes that all the network resources are behind
##   the security gateway, hence it negotiates for a security association
##   between its IP address (or Virtual IP if delivered via IKE Config
##   mode) and 0.0.0.0 with the security gateway. If your security gateway
##   is configured to allow building security association for only selected
##   subnets, you can specify them here.
##
## Example :
##   Configuring 10.1.12.0/24 and 172.16.0.0/16 as the subnets protected by
##   the Security Gateway
## SET NVIPSECSUBNET 10.1.12.0/24,172.16.0.0/16
##   OR
## SET NVIPSECSUBNET 10.1.12.0/255.255.255.0,172.16.0.0/255.255.0.0

## Variable Name : NVIKEDHGRP
## Valid Values
##   1 Diffie-Hellman Group 1
##   2 Diffie-Hellman Group 2
##   5 Diffie-Hellman Group 5
## Description
##   This variable contains the value of DH group to use during phase 1
##   negotiation. By default phone uses Group 2.
##
## Example : Setting DH Group 1 for phase 1.
## SET NVIKEDHGRP 1

## Variable Name : NVPFSDHGRP
## Valid Values
##   0 No-PFS
##   1 Diffie-Hellman Group 1
##   2 Diffie-Hellman Group 2
##   5 Diffie-Hellman Group 5
## Description
##   This variable contains the value of DH group to use during phase 2
##   negotiation for establishing IPsec security associations, also known
##   as perfect forward secrecy (PFS).
##   By default PFS is disabled.
##
## Example : Setting DH Group 2 for PFS.
## SET NVPFSDHGRP 2

## Variable Name : NVIKEP1ENCALG
## Valid Values
##   0 ANY
##   1 AES-128
##   2 3DES
##   3 DES
##   4 AES-192
##   5 AES-256
## Description
##   Encryption Algorithms to propose for IKE Phase 1 Security Association.
## Note
##   Phone by default proposes all encryption algorithms. Security Gateway
##   picks the algorithm mandated by administrator. Priority order of
##   algorithms proposed by phone is AES-128,3DES,DES,AES-192,AES-256.
##   In very rare circumstances security gateway may not handle multiple
##   proposals. Only in such cases should you try overriding the default
##   behaviour.
##
## Example : Setting Encryption Alg to AES-128
## SET NVIKEP1ENCALG 1

## Variable Name : NVIKEP2ENCALG
## Valid Values
##   0 ANY
##   1 AES-128
##   2 3DES
##   3 DES
##   4 AES-192
##   5 AES-256
## Description
##   Encryption Algorithm(s) to propose for IKE Phase 2 Security
##   Association.
## Note
##   Phone by default proposes all encryption algorithms. Security Gateway
##   picks the algorithm mandated by administrator.
##   Priority order of
##   algorithms proposed by phone is AES-128,3DES,DES,AES-192,AES-256.
##   In very rare circumstances security gateway may not handle multiple
##   proposals. Only in such cases should you try overriding the default
##   behaviour.
##
## Example : Setting Encryption Alg to AES-128
## SET NVIKEP2ENCALG 1

## Variable Name : NVIKEP1AUTHALG
## Valid Values
##   0 ANY
##   1 MD5
##   2 SHA1
## Description
##   Authentication Algorithm(s) to propose for IKE phase 1 Security
##   Association.
## Note
##   Phone by default proposes all Authentication algorithms. Security
##   Gateway picks the algorithm mandated by administrator. Priority order
##   of algorithms proposed by phone is MD5,SHA1. In very rare circumstances
##   security gateway may not handle multiple proposals. Only in such cases
##   should you try overriding the default behaviour.
##
## Example : Setting Authentication Alg to SHA1
## SET NVIKEP1AUTHALG 2

## Variable Name : NVIKEP2AUTHALG
## Valid Values
##   0 ANY
##   1 MD5
##   2 SHA1
## Description
##   Authentication Algorithm(s) to propose for IKE phase 2 Security
##   Association
## Note
##   Phone by default proposes all Authentication algorithms. Security
##   Gateway picks the algorithm mandated by administrator. Priority order
##   of algorithms proposed by phone is MD5,SHA1. In very rare circumstances
##   security gateway may not handle multiple proposals. Only in such cases
##   should you try overriding the default behaviour.
##
## Example : Setting Authentication Alg to SHA1
## SET NVIKEP2AUTHALG 2

## Variable Name : TRUSTCERTS
## Valid Values
##   Name of a file containing CA certificate
##   in PEM format. Length of the file name
##   cannot be more than 16 characters.
## Description
##   Use this variable to import CA
##   certificates. The certificate presented
##   by peer is validated against the list of
##   CAs imported through this command. Maximum
##   number of CAs that can be imported is limited
##   to 5.
## Note
##   In case of Certificate based VPN, such as
##   Certificate Xauth and Hybrid Xauth, if the issuer
##   of the certificate presented by security gateway
##   is not found in the trusted CA list, phone displays
##   the fingerprint of the certificate sent by
##   security gateway.
## Example
## SET TRUSTCERTS CA1.CRT,CA2.CRT,CA3.CRT

## Variable Name : NORTELAUTH
## Valid Values
##   1 or "password"
##   2 or "radius"
##   3 or "secureid"
##   4 or "axent"
## Description
##   Use this variable to configure Authentication method for Nortel
##   Contivity.
##
## Example (User is configured locally on Nortel Switch)
## SET NORTELAUTH 1
## SET NORTELAUTH "password"
## Example (User is configured externally on a RADIUS server)
## SET NORTELAUTH 2
## SET NORTELAUTH "radius"
## Example (User is configured externally on a RSA Ace server)
## SET NORTELAUTH 3
## SET NORTELAUTH "secureid"

## Variable Name : NVXAUTH
## Valid Values
##   1 or "Enable"
##   2 or "Disable"
## Description
##   Use this variable to disable XAuth based user authentication
##   for profiles which enable XAuth by default.
##
## Example (XAuth based user authentication required)
## SET NVXAUTH "Enable"
## SET NVXAUTH 1
## Example (XAuth based user authentication not required)
## SET NVXAUTH "Disable"
## SET NVXAUTH 2

## Variable Name : NVIKECERTVERIFYLEVEL
## Valid Values
##   128
##   129
##   130
##   131
## Description
##   Use this variable to enable/disable the Date/Time and Domain Name
##   verification of the certificate presented by security gateway
##   during IKE negotiation.
##
## Example (Disable both Date/Time and Domain Name verification)
## SET NVIKECERTVERIFYLEVEL 128
## Example (Enable Date/Time verification only)
## SET NVIKECERTVERIFYLEVEL 129
## Example (Enable Domain Name verification only)
## SET NVIKECERTVERIFYLEVEL 130
## Example (Enable both Date/Time and Domain Name verification)
## SET NVIKECERTVERIFYLEVEL 131

## Variable Name : QTEST
## Valid Values
##   1 or "Enable"
##   2 or "Disable"
## Description
##   Use this variable to enable or disable QTEST at startup.
##   By default QTEST is disabled at startup.
## Example (Enabling QTEST at startup)
## SET QTEST 1
## SET QTEST "Enable"
## Example (Disabling QTEST at startup)
## SET QTEST 2
## SET QTEST "Disable"

## Variable Name : QTESTRESPONDER
## Valid Values
##   IP Address of the host acting as QTESTRESPONDER in dotted
##   decimal format.
##
## Description
##   If this information is supplied, phone performs QTEST using
##   UDP Echo port 7 with the host indicated by this variable.
## Example (Setting 10.1.1.1 as the QTEST responder)
## SET QTESTRESPONDER 10.1.1.1

## Variable Name : MYCERTURL
## Valid Values
##   URL for enrolling with a SCEP fronted Certificate Authority.
##
## Description
##   If this information is supplied, phone generates an RSA key pair
##   and sends the enrollment request using SCEP protocol to the
##   server pointed to by this URL. Consult your CA administrator guide
##   for further information regarding SCEP support.
## Example
## SET MYCERTURL "http://10.1.1.1/mscep/mscep.dll"

## Variable Name : MYCERTCN
## Valid values
##   $MACADDR
##   $SERIALNO
##
## Description
##   If value of this variable is set to $MACADDR, phone uses its
##   MAC Address as the CN component of the certificate request.
##   If value of this variable is set to $SERIALNO, phone uses its
##   Serial Number as the CN component of the certificate request.
## Example
## SET MYCERTCN $MACADDR

## Variable Name : SCEPPASSWORDREQ
## Valid values
##   0
##   1
##
## Description
##   If value of this variable is set to 1, phone user is prompted to
##   enter challenge pass phrase during SCEP certificate enrollment.
##   If value of this variable is set to 0, phone uses the challenge
##   pass phrase as indicated by SCEPPASSWORD variable.
##
## Note
##   Consult your Certificate Authority administrator guide for how to
##   configure pass phrase for SCEP certificate enrollment.
##
## Example (Prompt user for entering challenge pass phrase)
## SET SCEPPASSWORDREQ 1

## Variable Name : SCEPPASSWORD
## Valid values
##   String
##
## Description
##   The string specified here is used by phone as the SCEP challenge pass
##   phrase for SCEP certificate enrollment. If left unspecified and
##   SCEPPASSWORDREQ is SET to 0, phone uses its SERIAL number as the challenge
##   pass phrase.
## Note
##   Consult your Certificate Authority administrator guide for how to
##   configure pass phrase for SCEP certificate enrollment.
##
## Example (Instructing phone to use string "abcd" as the SCEP challenge pass phrase)
## SET SCEPPASSWORD "abcd"

goto END
# END
GET 46xxsettings.txt
## END OF VPN SETTINGS SCRIPT FILE
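
## Added example (not part of the Avaya file or Avaya tooling): a Python audit that
## reads a 46vpnsetting.txt-style script and reports active SET lines whose documented
## values weaken the tunnel or place secrets in the file. The rule wording, function
## names and the sample input are constructed here from the value tables above.

```python
import shlex
from urllib.parse import urlsplit

# Risky values per variable, taken from the "Valid Values" tables in the script.
RISKY = {
    "NVVPNAUTHTYPE": {"2": "PAP selected (1 is CHAP)"},
    "NVVPNPSWDTYPE": {"1": "VPN password is saved in flash"},
    "NVIKEDHGRP": {"1": "phase 1 uses DH group 1 (768-bit)"},
    "NVPFSDHGRP": {"0": "PFS disabled", "1": "PFS uses DH group 1 (768-bit)"},
    "NVIKEP1ENCALG": {"0": "ANY: proposal list includes DES", "3": "DES only"},
    "NVIKEP2ENCALG": {"0": "ANY: proposal list includes DES", "3": "DES only"},
    "NVIKEP1AUTHALG": {"0": "ANY: MD5 is proposed first", "1": "MD5 only"},
    "NVIKEP2AUTHALG": {"0": "ANY: MD5 is proposed first", "1": "MD5 only"},
    "NVIKECERTVERIFYLEVEL": {"128": "date/time and domain name checks off",
                             "129": "domain name check off",
                             "130": "date/time check off"},
    "NVXAUTH": dict.fromkeys(("2", "disable"), "XAuth user authentication disabled"),
}
# Secrets that end up readable by anything that can fetch the script file.
SECRETS = {"NVIKEPSK": "IKE pre-shared key in clear text",
           "SCEPPASSWORD": "SCEP challenge pass phrase in clear text"}


def parse_sets(text):
    """Yield (line_no, name, value) for each active SET, on every IF/goto branch."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # '##' comment or '# label'
            continue
        try:
            tok = shlex.split(line)            # honours "double quoted" values
        except ValueError:
            tok = line.split()                 # unbalanced quote: best effort
        if len(tok) >= 3 and tok[0].upper() == "SET":
            yield no, tok[1].upper(), " ".join(tok[2:])


def audit(text):
    """Return a list of (line_no, variable, finding) tuples."""
    findings = []
    for no, name, value in parse_sets(text):
        if name in SECRETS:
            findings.append((no, name, SECRETS[name]))
        elif name == "NVVPNFILESRVR":
            scheme = urlsplit(value).scheme.lower() if "://" in value else ""
            if scheme in ("http", "tftp"):
                findings.append((no, name, f"script fetched over {scheme}"))
            elif not scheme:
                findings.append((no, name, "no method given: HTTP and TFTP are fallbacks"))
        elif value.lower() in RISKY.get(name, {}):
            findings.append((no, name, RISKY[name][value.lower()]))
    return findings


# Constructed sample input, not a real deployment file.
SAMPLE = '''\
## SET NVIKEDHGRP 1
SET NVVPNFILESRVR tftp://10.1.1.1/phone/
SET NVIKEPSK abc1234
IF $VPNACTIVE SEQ 1 goto skipencaps
SET NVVPNENCAPS 1
# skipencaps
SET NVIKEP1ENCALG 1
SET NVIKEP1AUTHALG 1
SET NVIKECERTVERIFYLEVEL 128
SET NVXAUTH "Disable"
'''

if __name__ == "__main__":
    for no, name, msg in audit(SAMPLE):
        print(f"line {no}: {name}: {msg}")
```

## The audit only sees explicit SET lines; a variable left commented out still takes
## the default documented above (for example PFS disabled and all algorithms proposed).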