Purpose of this article is to share our experience during that Covid-19 period where we were able to successfully setup a VPN configuration for remote worker using Alcatel 8068S phones with FTD 2110 running 22.214.171.124.
I would like to thank all of my colleagues that helped in solving that problem : Alain TREMBLAY, Benjamin HUBERT, Robert NELTA, Bertrand NGALO, Sebastien DA SILVA, Luis MARQUES and Rodolphe VALIDIRE. I would like also to thank Nidhi S. from the TAC who pointed out CSCvr53363 which was the big part of our problem.
The bug is not public yet, but, part of the problem was the fact that we were already doing site-to-site VPN and anyconnect on the "outside" interface, and we had to create another "outside" interface for hub-to-spoke with dynamic public IP address setup.
The 8068s supports only site-to-site configuration with very limited options :
So first is to create IKEv2 sets for the hub-to-spoke tunnel configuration :
Now we are ready to configure the hub-to-spoke topology :
The important part is here : we began to add VPN phones one-by-one so the protected network (which is an IP address in a dedicated VPN network) needs a particular route through the "new outside" interface :
Then configuration continues with Alcatel 8068S specific values :
This password is the one shared on the Alcatel 8068S side :