#################################################
##
## Update: 01/24/2008, By: Don Mc Coy
##
## 46vpnsetting.txt File for Cisco Xauth with PSK
## See 46vpnsettingreadme.txt for details and
## additional customization options.
##
#################################################
SET VPNACTIVE 1
SET NVVPNMODE 2
SET NVVPNCFGPROF 3
SET VPNMONFRQ 20
SET DHCPSRVR 207.162.17.33,192.168.169.168
SET VPNPROC 2
# SET VPNCODE 876
#################################################
## Provide the values for the variables listed
## below.
## Don't forget to remove ## from the beginning
## of the SET command if you are providing the value
## for a variable.
#################################################
#################################################
## SET NVSGIP variable VPN Gateway IP Address
#################################################
SET NVSGIP 207.162.17.33
#################################################
## SET NVBACKUPSGIP variable Backup VPN Gateway IP
## Address
#################################################
## SET NVBACKUPSGIP
#################################################
## SET NVVPNUSER variable contains the VPN username
#################################################
SET NVVPNUSER "IPPhone"
#################################################
## SET NVVPNPSWDTYPE variable determines how the
## password should be treated "1 = Save to Flash"
#################################################
SET NVVPNPSWDTYPE 1
SET NVVPNPSWD "IPPhoneVPN"
#################################################
## SET NVVPNFILESRVR variable contains the URL or IP
## of the file server (HTTP or TFTP) and the directory
## location of the files.
#################################################
SET NVVPNFILESRVR http://207.162.19.13
#################################################
## Variable Name : NVVPNENCAPS
## Valid Values
## 0 4500-4500
## 1 Disable
## 2 2070-500
## 4 RFC (As per RFC 3947 and 3948)
## Description
## Type of UDP encapsulation method to use if there is a NAT device between
## phone and the security gateway. By default UDP Encapsulation 4500-4500
## is used.
## If NVVPNENCAPS is 0, IKE negotiation starts with source port 2070
## and destination port 500. Negotiation switches to source port
## 4500 and destination port 4500 if the peer supports port floating (Ref
## RFC 3947, 3948). Finally IPsec traffic is sent inside UDP packets
## from/to port 4500 if supported by the peer, or port 2070<->500 if port
## floating is not supported but UDP encapsulation is supported as
## published in the initial draft versions of RFC 3947 and 3948.
## If NVVPNENCAPS is 1, IKE NAT traversal is completely disabled.
## If NVVPNENCAPS is 2, port floating is disabled during IKE NAT traversal.
## If NVVPNENCAPS is 4, IKE negotiation starts with source port 500 and
## destination port 500. Negotiation switches to source port 4500
## and destination port 4500 if the peer supports port floating (Ref RFC 3947
## and 3948). Finally IPsec traffic is sent inside UDP packets from/to
## port 4500 if supported by the peer, or port 500<->500 if port floating is
## not supported but UDP encapsulation is supported as published in the
## initial draft versions of RFC 3947 and 3948.
## Note
## UDP encapsulation causes overhead, hence it might be desirable to disable
## UDP encapsulation if the NAT device supports IPsec pass-through and there is
## only one IPsec client behind the NAT connecting to the same security
## gateway. However, not all devices support IPsec pass-through, hence this
## value must not be pushed if the phone is downloading the script over the VPN
## tunnel.
##
## Example : Setting NVVPNENCAPS to 1 if the script is not downloaded over the VPN tunnel.
##
## IF $VPNACTIVE SEQ 1 goto skipencaps
## SET NVVPNENCAPS 1
## # skipencaps
##
## The example above will set NVVPNENCAPS to 1 if the script is not downloaded over the
## tunnel.
#################################################
SET NVVPNENCAPS 4
SET NVIKECONFIGMODE 0
#################################################
## SET NVVPNCOPYTOS variable decides whether TOS
## bits should be copied from the inner header to the outer
## header or not. By default TOS bits are not
## copied.
#################################################
SET NVVPNCOPYTOS 1
#################################################
## SET NVVPNCONCHECK variable decides whether a tunnel
## connectivity check is performed after the tunnel is set up.
## 1 First Time
## 2 Never
## 3 Always
## Default is 1.
#################################################
SET NVVPNCONCHECK 2
#################################################
## SET VPNMONFRQ variable is the interval at which
## syslog messages are sent to the syslog server,
## an integer greater than or equal to 5.
## Example: for 20 minutes, use SET VPNMONFRQ 20
#################################################
# SET VPNMONFRQ 60
# SET LOGSRVR 198.73.164.187
# SET LOGLOCAL 8
# SET LOCAL_LOG_LEVEL
## SET NVWEBLMURL
#################################################
## SET NVIKEID variable is the string used as the
## IKE Identifier during phase 1 negotiation.
#################################################
SET NVIKEID GroupVPN2
#################################################
## SET NVIKEPSK variable is the Group PSK
## Never set the preshared key from the script if this
## file is not located on an isolated network.
#################################################
SET NVIKEPSK AB9EE967ACAB3AE9
#################################################
## SET NVIKEIDTYPE variable is the IKE Identifier
## type for the IKE-ID specified.
## 1 IP Address
## 2 FQDN
## 3 User-FQDN (E-Mail)
## 9 Directory-Name
## 11 Key-ID (Opaque)
#################################################
SET NVIKEIDTYPE 2
#################################################
## SET NVIPSECSUBNET variable contains the IP subnets
## protected by the security gateway.
#################################################
SET NVIPSECSUBNET 0.0.0.0/0
#################################################
## SET NVIKEDHGRP variable contains the value of the
## DH group to use during phase 1 negotiation.
## 1 Diffie-Hellman Group 1
## 2 Diffie-Hellman Group 2
## 3 Diffie-Hellman Group 3
## Default is Group 2.
#################################################
SET NVIKEDHGRP 2
#################################################
## SET NVPFSDHGRP variable contains the value of the
## DH group to use during phase 2 negotiation.
## 0 No-PFS
## 1 Diffie-Hellman Group 1
## 2 Diffie-Hellman Group 2
## 5 Diffie-Hellman Group 5
## Default is 0 "No-PFS".
#################################################
SET NVPFSDHGRP 0
#################################################
## SET NVIKEP1ENCALG variable Encryption Algorithm
## to propose for the IKE Phase 1 Security Association.
## 0 ANY
## 1 AES-128
## 2 3DES
## 3 DES
## 4 AES-192
## 5 AES-256
#################################################
SET NVIKEP1ENCALG 2
SET NVIKEP1LIFESEC 432000
#################################################
## SET NVIKEP2ENCALG variable Encryption Algorithm
## to propose for the IKE Phase 2 Security Association.
## 0 ANY
## 1 AES-128
## 2 3DES
## 3 DES
## 4 AES-192
## 5 AES-256
#################################################
SET NVIKEP2ENCALG 2
SET NVIKEP1LIFESEC 432000
#################################################
## SET NVIKEP1AUTHALG variable Authentication Algorithm
## to propose for the IKE Phase 1 Security Association.
## 0 ANY
## 1 MD5
## 2 SHA1
#################################################
SET NVIKEP1AUTHALG 2
#################################################
## SET NVIKEP2AUTHALG variable Authentication Algorithm
## to propose for the IKE Phase 2 Security Association.
## 0 ANY
## 1 MD5
## 2 SHA1
#################################################
SET NVIKEP2AUTHALG 2
SET NVIKEP2LIFESEC 432000
##########################
## Added for Xauth
SET NVXAUTH 1
##################################################
## The correct place for these variables is the
## 46xxsettings.txt file. However, due to the importance
## of these variables with respect to VPNremote
## phones, they are provided here. If your 46xxsettings.txt
## already contains these values, don't re-enter
## them here. Values in 46xxsettings.txt will override
## whatever you provide here.
##################################################
## SET SNMPADD
SET SNMPSTRING public
## SET LOGSRVR
##################################################
## SET MCIPADD variable is the Call Server IP
##################################################
SET MCIPADD 10.195.15.4
## SET MCPORT
## SET DNSSRVR
#################################################
## SET DOMAIN variable is the IP of the Gatekeeper
#################################################
## SET DOMAIN XXXXXX.XXX
#################################################
########Don't modify anything below this line####
#################################################
#################################################
SET WMLHOME http://10.195.15.25/landing_1.wml
SET PHNDPLENGTH 4
## DHCPSTAT
## Valid Values
## 1 run DHCPv4 only (IPv4only-mode, if no own IPv6 address is programmed statically)
## 2 run DHCPv6 only (IPv6only-mode, if no own IPv4 address is programmed statically)
## 3 run both DHCPv4 & DHCPv6 (dual-stack mode)
## Description
## Specifies whether DHCPv4, DHCPv6, or both will be used in case IPV6STAT has enabled IPv6 support generally
## Example : Setting dual stack mode
## SET DHCPSTAT 3
SET DHCPSTAT 3
##
## DHCPSRVR specifies a list of enterprise DHCP server IP addresses from which configuration
## parameters may be requested through a VPN tunnel via a DHCPINFORM message.
## Addresses can be in dotted-decimal or DNS name format,
## separated by commas without any intervening spaces.
## The list can contain up to 255 characters; the default value is null ("").
## This parameter is supported by:
## 96x1 H.323 R6.0 and later
## 96x0 H.323 R3.1 and later
##
# IF $GROUP SEQ 876 goto EnableVPN
# EnableVPN
# SET NVVPNMODE 1
# SET VPNACTIVE 1
# END
## GET 46xxsettings.txt
## END OF VPN SETTINGS SCRIPT FILE
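The script format used throughout this file (SET lines, `##` comments, `IF $VAR SEQ value goto label` jumping to a `# label` line, and `END`) is simple enough to interpret and audit before it is pushed to phones. The following Python is an added example, not part of the original file and not an Avaya tool; it assumes the control-flow semantics shown in the file's own NVVPNENCAPS example, takes the phone's pre-existing variables (such as VPNACTIVE when the script is fetched over the tunnel) as an optional environment, and runs on a constructed sample script embedded below. The audit rules are taken from the file's own value tables and warnings: a PSK delivered by script, a password saved to flash, ANY/3DES/DES encryption, ANY/MD5 authentication, DH group 1 or 2, and No-PFS.

```python
"""Interpret and audit a 46xxsettings-style SET script (added example, not Avaya code)."""
import re
from dataclasses import dataclass

SET_RE = re.compile(r"^SET\s+(\w+)\s+(.*)$", re.IGNORECASE)
IF_RE = re.compile(r"^IF\s+\$(\w+)\s+SEQ\s+(\S+)\s+goto\s+(\w+)\s*$", re.IGNORECASE)
LABEL_RE = re.compile(r"^#\s*(\w+)\s*$")  # a goto target, e.g. "# skipencaps"

# Constructed sample script in the same format as the file above (not a real deployment).
SAMPLE_SCRIPT = """\
## constructed sample
SET VPNACTIVE 1
IF $VPNACTIVE SEQ 1 goto skipencaps
SET NVVPNENCAPS 1
# skipencaps
SET NVVPNENCAPS 4
SET NVVPNPSWDTYPE 1
SET NVVPNPSWD "example-password"
SET NVIKEPSK EXAMPLEPSKVALUE
SET NVIKEDHGRP 2
SET NVPFSDHGRP 0
SET NVIKEP1ENCALG 2
SET NVIKEP1AUTHALG 2
SET NVIKEP2ENCALG 2
SET NVIKEP2AUTHALG 1
END
SET NVIKEP2ENCALG 5
"""

# Value tables copied from the file's comments.
ENC_ALG = {"0": "ANY", "1": "AES-128", "2": "3DES", "3": "DES", "4": "AES-192", "5": "AES-256"}
AUTH_ALG = {"0": "ANY", "1": "MD5", "2": "SHA1"}


def parse_script(text, env=None):
    """Return the effective settings after executing SET / IF...goto / END.

    `env` holds variables the phone already has (e.g. VPNACTIVE); SET lines
    update the same map, so an IF can test either kind of variable.
    """
    settings = {k.upper(): v for k, v in (env or {}).items()}
    lines = [ln.strip() for ln in text.splitlines()]
    labels = {}
    for idx, ln in enumerate(lines):
        m = LABEL_RE.match(ln)
        if m:
            labels.setdefault(m.group(1), idx)
    pc = 0
    while pc < len(lines):
        ln = lines[pc]
        pc += 1
        if not ln or ln.startswith("#"):
            continue  # blank, ## comment, commented-out SET, or a label line
        if ln.upper() == "END":
            break  # nothing after END is applied
        m = IF_RE.match(ln)
        if m:
            var, value, label = m.groups()
            if settings.get(var.upper()) == value:
                if label not in labels:
                    raise ValueError(f"goto to undefined label {label!r}")
                pc = labels[label]
            continue
        m = SET_RE.match(ln)
        if m:
            settings[m.group(1).upper()] = m.group(2).strip().strip('"')
    return settings


@dataclass
class Finding:
    name: str
    value: str
    message: str


def audit(settings):
    """Flag settings the file's own comments warn about or that use its weakest options."""
    findings = []

    def flag(name, msg):
        findings.append(Finding(name, settings.get(name, ""), msg))

    if "NVIKEPSK" in settings:
        flag("NVIKEPSK", "group PSK delivered by script; the file says to do this only on an isolated network")
    if "NVVPNPSWD" in settings:
        how = "saved to flash" if settings.get("NVVPNPSWDTYPE") == "1" else "present"
        flag("NVVPNPSWD", f"Xauth password in clear text in the script ({how})")
    for name in ("NVIKEP1ENCALG", "NVIKEP2ENCALG"):
        alg = ENC_ALG.get(settings.get(name, ""))
        if alg in ("ANY", "3DES", "DES"):
            flag(name, f"{alg} proposed; prefer an AES option from the table")
    for name in ("NVIKEP1AUTHALG", "NVIKEP2AUTHALG"):
        alg = AUTH_ALG.get(settings.get(name, ""))
        if alg in ("ANY", "MD5"):
            flag(name, f"{alg} proposed; SHA1 is the strongest option the file offers")
    if settings.get("NVIKEDHGRP") in ("1", "2"):
        flag("NVIKEDHGRP", "DH group 1/2 is 768/1024-bit MODP, below current guidance")
    if settings.get("NVPFSDHGRP", "0") == "0":  # the file's default is 0 = No-PFS
        flag("NVPFSDHGRP", "No-PFS: phase 2 keys derive from the phase 1 secret alone")
    return findings


if __name__ == "__main__":
    for f in audit(parse_script(SAMPLE_SCRIPT)):
        print(f"{f.name}={f.value}: {f.message}")
```

Run it against a real 46vpnsettings.txt by passing the file contents to `parse_script` with an `env` reflecting how the phone will fetch it (for example `{"VPNACTIVE": "1"}` when it is downloaded over the tunnel), since the IF/goto branches change which values take effect.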