If you need a super easy VPN that can be used without buying a software client like Cisco VPN Client, then L2TP is definitely the way to go. Windows 7, Vista and XP all have a built-in VPN client that can hook up to it. It’s a really good alternative to traditional IPSEC especially for your road warriors.
L2TP Connection Setup
Log into your Cyberoam and click “VPN” on the left hand side.
Select L2TP and fill in the blanks.
The Local IP address should be the one corresponding to the LAN port on your Cyberoam.
“Assign IP” should be a range of UNUSED IP addresses on your Local Network. I selected a range of 10. For example if 192.168.1.100 through 192.168.1.110 were not used for anything on your network and could be reserved for this, place those IP addresses in these field.
The DNS server blanks should be your internal network DNS servers so that your users can hit your internal servers without IP addresses. Please see the note below on client set up as I’ve run into a couple of issues with this.
You can add a WINS server, but who uses WINS anymore?
Once you’re done there click on save, then click the policy tab.
You can use the Default L2TP policy, I know it works just fine.
Select pre-shared key in the drop down and put in a good strong passkey for your connection. Cyberoam will typically recommend a simple number sequence for testing purposes and to insure you confirmed it correctly on both ends. You can start out with something like “12345678” but please change this after you’ve tested it.
The WAN port should be the internet facing IP address your users will be entering into Windows. Please note that if you don’t have a static IP address for your internet connection, you’ll need to use a dynamic DNS service or configure Cyberoam’s dynamic DNS service.
I usually check the “Allow NAT Traversal” checkbox. This helps if your end users are behind a router somewhere.
Set Remote LAN Network to “Any” as you might not know how the other end’s network is set up.
Leave remote ID like it is.
Leave the Quick Mode Selecters as default (it should look like the picture above), unless you know you need a different port.
Click Save, and activate the connection.
I like using Active Directory Integration anywhere I can but for some reason the Cyberoam doesn’t like LDAP users authenticating to it over VPN. I might have a setting wrong, but I’ve never gotten this to work right anywhere I’ve installed one. If you have LDAP/AD integration set up, you’ll just need to add extra users in the Cyberoam for L2TP access. If you imported all your users manually then you can just go into users you want to give access and select the L2TP enable box.
Setting Up Windows VPN
I assume Windows 7 for this. Vista directions are almost identical, XP should be easy to figure out. I would imagine Windows 8 uses the same basic wizard as Vista/7.
Go into your network and sharing center and click “Set up a new connection or network”.
Select “Connect to a Workplace” in the next window. Click Next.
Select “Use my Internet Connection (VPN)”
Type in the IP address you selected in step 6 when you set up the L2TP connection on the Cyberoam. You can also put a DNS name here if you want (Like if you use dynamic DNS or have a DNS record set up on the internet for this IP). Name the Destination. I also will typically select the “Allow other people to use this connection” if multiple usernames will be used on the target computer. Click Next.
Put the username and password in on the next window. These are the Cyberoam user names. Again if you use LDAP you may or may not be able to use your normal Windows login credentials here. I typically don’t send the Domain if I set up Cyberoam specific usernames for this. Click Next.
It will attempt to connect, but you want to skip that because you need to enter a pre-shared key into the Windows settings.
Go back into Network and Sharing Center and click on “Change Adapter Settings”.
You’ll see the VPN connection you just set up here. Right click on it and hit properties.
Everything on the General Tab should be fine. Click on the Options tab. I typically uncheck “Send Windows Domain” since you are logging in with a Cyberoam account. Click on PPP Settings and make sure the bottom two boxes are unchecked.
Click on the Security Tab. Change “Type of VPN” at the top to “L2TP”, this will save a LOT of login wait time. Click the Advanced button under the drop down and select “Use preshared key for authentication”. Enter the same key you put into the Cyberoam in step 5.
Under Data encryption I will select “Optional Encryption” for testing purposes. Required encryption works fine though.
Select “Unencrypted password (PAP)” under the allowed protocols. I usually just do this to test the connection, I take it off for production.
Click the Networking tab. It’s a good idea to manually enter the DNS servers under the IP4 properties. For some reason the DNS servers aren’t always transmitted to the client.
You should be able to connect just fine. Remember you’ll need to test this outside your own LAN. The only problem I’ve had with this method is that the connection occasionally needs to be reset by de-activating and re-activating it under the L2TP connections tab in the Cyberoam. I wouldn’t use this for more than a few users.
The main reason you won’t be able to connect is if you typed the pre-shared key incorrectly. The second reason is usually an incorrect user/password combination. The third biggest reason is the connection needs to be reset as mentioned above. Also I’ve never been able to get more than one remote user per site to be able to connect successfully. So don’t do this and send teams of people to one place on a shared internet connection and expect them all to be able to connect.
This post is about how to do a PRI trace on a ShoreTel T1 switch. I couldn’t find good text instructions on how to do this on the internet. Dr Voip has instructions on how to debug caller ID but if you need a trace log, it won’t help much. It’s probably in the ShoreTel knowledge base, but I’ve been a little disappointed with this in the past. I won’t go into how to interpret the output either, this is just instructions on how to get a log easily for sending to your ShoreTel partner for analysis.
ShoreTel Partners: Feel free to send this page to your customers for instructions. I feel this is a thorough explanation of how to do this.
First things first, you’ll need some special software for this one. You’ll need a telnet client with logging ability, what comes with Windows is difficult get to log easily. Personally I like PuTTy. It’s a nice standalone application, and doesn’t need you to install it anywhere, just copy the putty.exe file wherever you want it, it’ll run from there. I keep it on my desktop at work, and on a shared folder.
The second thing you need to know is that you MUST do this from the ShoreTel server itself. This can be accomplished with a Remote Desktop session, you can not do this from a session on another computer.
Remote into the ShoreTel server (or log in from the console), and fire up PuTTy. I keep a copy of PuTTy on my ShoreTel server, on the desktop of whatever admin account I’m logging in with.
You’ll want to make a saved session for your T1 switch. So open ShoreTel Director and open the Quick Look page if it doesn’t go there by default. Click on whichever site has the T1 switch you need to get the log from. Make note of the IP address of that T1 switch. You’ll need it a lot.
In PuTTy select “Telnet” and type (or paste) in the IP address of the switch up top under “Host Name (or IP address). One trick you can do is add an entry in your DNS server called “priswitch” and connect it to that IP address. Makes things a lot easier, just never change the IP. Go ahead and give it a label in the “Saved Sessions” and click save. If you need to, select what you just saved and click “Load” to make sure it’s the session that is now active. You’ll know if you need to if the IP address field is blank.
Click the Logging item under “Session” and make the options look like below (click on the image for a better look). The file will be saved wherever the PuTTy.exe file is located.
Click on the Connection Item, and set the Seconds between keepalives box to 30. The ShoreTel switch will kick you out after about 60 seconds, so having it send a null packet every 30 seconds is handy.
Go back to the Session screen and click save. Now you have a session that’s automatically configured to keep whatever output comes from your PRI switch telnet session. Don’t open the session just yet, you have to allow access to the PRI switch.
Open a command prompt and type this in and hit enter: “cd pro*sho**ser*”. This will take you to the ShoreTel server directory under Program Files.
Type this in the command prompt: “ipbxctl -telneton [IP address of T1 Switch] ” and hit enter.
It will ask you for a password. You can google this or get it from your partner. It’s not a hard password to figure out. If it was correct it will say something like “Telnet enabled”
Open the session you saved in PuTTy. It will ask you for a username and password. This item is documented in your ShoreTel administration guide under how to set up a switch.
In an old switch it will probably dump you right into the VMX shell. Most newer switches will give you an ASCII ShoreTel logo and a numbered menu. If this is the case, type “gotoShell”.
This will give you a prompt that looks like this ->.
You’ll probably get some random output at this point so you just need to type the following commands and hit enter and keep in mind you may not be able to see what you are typing. My advice is to just type slow and not worry about it. Most switches won’t allow the use of a backspace. So just be careful.
Type in the following commands one right after another.trunk_debug_level=5 pri_trace=10 pri_log=10
You’ll get a LOT of stuff just scrolling up the screen if you did this right. Now all you need to do is run it for however long you need the log for, or whatever your partner tells you to do. PuTTy will constantly dump the output in this window to a log file.
One thing I have found out is that it’s a good idea to have 7zip installed on your ShoreTel server as the log files you have to send to ShoreTel are huge. These log files will compress down very small since they are just text files and allow you to simply e-mail them to TAC or your partner.
Short one today. I’ve been having a few issues with phone calls here, so after getting a new circuit and all that the problem didn’t resolve, so i’m thinking it’s our T1 switch. I wanted to make a few notes on how to go about swapping them out.
Step 1 – First set up the switch in ShoreTel Director. You don’t need a new set of trunk groups or anything, just the new switch.
Set your switch up however you normally do, personally I use static IP addresses for my switches and program them through the serial port. Honestly you could set up DHCP reservations in your DHCP server too. You might have to enter the server IP through the console, but when it boots into the server the first time the server actually changes this, so it might not be necessary (I’ve seen it do it on a packet sniffer and yes it kept changing it to the wrong IP).
Step 2 – Make sure the T1 settings are the same on both switches as you are setting up a replacement, and you’ll be hooking the existing T1 into the new switch, not adding any additional capacity. It’s also not a bad idea to check with your phone company on these settings if you can.
You can just set up the first Trunk in the T1 switch and use “Fill Down”. Make sure they are set up on the existing trunk group, again it’s best if you don’t make a new trunk group as you’ll have to re-enter everything.
Step 3 – When you’re ready all you should have to do now is move the T1 from one to the other. I always like to unplug the old switch just to make it show “offline” and not “D-Channel Down” as that can freak out other people getting into the Director.
I like to leave the old settings in place in Director for several days when I do this just to make sure everything is fine. Once you determine the new switch works fine, just delete the old one. That’s really all there is to it.