Enhancing Nortel IP Phones with Open-Source Software
by Ariel Saia
I thought it would be fun to try connecting one of our company's Nortel IP phones from my home using my broadband connection and a VPN tunnel back to our corporate office. So I took one of our Nortel i2004 IP phones (User Guide) home and starting seeing what I could do with it.
I first needed to get into the phone's setup. That was easy enough.
I powered the unit up and once I saw the Nortel logo come up on the display, I hit the group of four buttons one at a time (below the LCD screen) in sequence 1 2 3 4 from left to right.
In the setup I noticed our telephony department configures the phone with full DHCP with data and voice VLAN smarts in the phone. Since my goal was to use the phone in a very basic home network environment, I would need to manually configure some of these settings (more on this later).
However, I did notice the S1 server (Nortel phone server) specified. So at this point it looked promising that I could have my office IP phone working at my house.
For the first step, I needed to create my VPN tunnel to corporate.
I had a $400 CyberGuard SG560 (User Manual) firewall/VPN device floating around and decided to configure it as a PPTP client and connect it to my company's PPTP VPN server.
Once connected, I could then ping the S1 server (Nortel phone server) from the SG560 box. Fantastic!
I trekked on; I now needed to configure the phone to communicate over this link rather than being on our internal LAN. I went into the phone's setup again and selected "0" for no DHCP.
I then gave the phone a static IP address (on the same subnet as the LAN on my SG560 box) of:
Host IP: 192.168.1.10 Netmask: 255.255.255.0 Gateway: 192.168.1.1The next option was the "S1 IP" (Nortel phone server): 172.16.201.11
Next was the "S1 Port". I selected the default port of: 4100
I also opted for the defaults for "S1 Action" 1 and "Retry Count" 5 and repeated the same steps for S2.
I then was asked for a "Voice VLAN." I selected 0 for no on the Voice and Data VLAN.
I still had my SG560 connected to my corporate PPTP server. The phone rebooted and after about two minutes the phone connected to the S1 server and was prompting me for a "Node" and "TN" number (this is how the phone is registered to the Nortel phone system).
The next day I asked one of my friends in the telephony department to provide me with a "Node" and "TN" for my phone. I returned home, plugged the numbers into the phone, and violà! The phone connected!
I picked up the handset and called my friend. I could then hear him pick up his handset and begin talking but he couldn't hear me from his end. After some head scratching I decided to put a packet sniffer between my SG560 box and my broadband connection.
I found the Nortel phone server was trying to send packets to the phone during my phone call on port 5201 (UDP) and my SG560 box was of course dropping the packets. I then created a rule on the SG560 box to redirect any incoming UDP port 5201 traffic to 192.168.1.10 (the IP phone).
I then placed my call again and he could now hear me and I could hear him. So there I sat with an office extension in my house!
I told my friend in the telephony department about my test and of course he wanted one for his house too. However, after hearing he would need a $400 CyberGuard unit, excitement quickly turned to disappointment. I now was determined to come up with a reliable and inexpensive way to use our IP office phones in remote locations.
I had a Linksys WRT54G v4 router flashed with DD-WRT (one of the best third-party firmware) that I had been using for Wi-Fi bridging.
I remembered seeing the capability of using it as a PPTP or OpenVPN client/server. So I configured the router as a PPTP client just like the SG560 unit and added to port forwarding (5201 UDP) needed by the Nortel phone system.
The IP phone connected and my test calls were made successfully, again just like in the SG560 over my company's PPTP VPN server.
I now wanted to test the reliability of the WRT54G. I quickly found that the PPTP connection would drop within a few hours and not reconnect without requiring a reboot of the router. This of course was not an acceptable option so I started looking into OpenVPN as an alternative to PPTP.
In the meantime my friend from the telephony department found Nortel was selling a solution (Nortel Contivity) that essentially does the same thing for about $350-$450 per phone and about $10k for the back-end VPN server. Ouch!
Now more than ever I wanted to build a solution on open source software.
I installed my favorite Linux distribution (SUSE 10.1) on a spare server we had in our server room and began the OpenVPN setup.
I tested the Linksys WRT54G (DD-WRT) with the OpenVPN client instead of PPTP.
I wrote this custom startup script for DD-WRT that creates the needed certificate files and calls the OpenVPN client, also monitoring the tunnel for inactivity, and acts accordingly.
DD-WRT Startup Script
Remember not to enable OpenVPN in the DD-WRT GUI since this script calls it for you.
DD-WRT Firewall Script
#!/bin/bash iptables -t nat -I PREROUTING -i tun0 -p udp --dport 5000:5300 -j DNAT --to-destination 192.168.1.10 iptables -I INPUT -p tcp --dport 22 -j logaccept iptables -I INPUT -p tcp --dport 443 -j logacceptThe router stayed connected and was reconnecting when necessary.
This was to be the rock solid remote IP phone solution I was searching for.
However, I wanted others to also manage the server and to be able to set up new certificates (phone users) when necessary and my SUSE setup via certificates would be a challenge for non-Linux admins. So I needed an easier more user-friendly management interface.
IPCop with "Zerina" would fit the bill perfectly.
I installed IPCop with the OpenVPN add-on "Zerina." I was surprised at how easy it was to configure multiple OpenVPN tunnels with the built in certificate manager.
As for the DD-WRT box, all I needed to have the end users do was to plug it into any DHCP enabled network with Internet access. That's it!
I then convinced management to purchase 65 Linksys WRT54GLs for less than $45 each and flashed them with DD-WRT (v23 SP1 VPN firmware).
However you don't necessary need to purchase WRT54GLs. Any supported router listed on the DD-WRT site will do. We now have over 60 remote users (sales, support, etc.) that rely on their phones every day, and already have plans to more than double the number of users!
I have tested this with Nortel's i2001, i2002, i2004, and i2007 IP phones. You can also use this setup to connect remote offices as well, not just Nortel IP phones!
Thanks to "BrainSlayer" for DD-WRT (www.dd-wrt.com) and the IPCop crew (www.ipcop.org)!