
Application Note: G350 and G250 R3.0 IPSec VPN

ABSTRACT

This document provides an overview of IPSec VPN functionality in Release 3.0 of the G350 and G250 Media Gateways. This document includes a brief overview of the G350 and G250, the VPN features to be provided in Release 3.0, VPN-related command-line interface commands, sample configurations, and information about the performance that was measured in lab tests.

Application Note Document number: 08-300651
July 2005

Avaya Inc. – Proprietary Use Pursuant to Company Instructions


All information in this document is subject to change without notice. Although the information is believed to be accurate, it is provided without guarantee of complete accuracy and without warranty of any kind. It is the user’s responsibility to verify and test all information in this document. Avaya shall not be liable for any adverse outcomes resulting from the application of this document; the user must take full responsibility. © 2005 Avaya Inc. All Rights Reserved. Avaya and the Avaya Logo are trademarks of Avaya Inc. or Avaya ECS Ltd., a wholly owned subsidiary of Avaya Inc. and may be registered in the US and other jurisdictions. All trademarks identified by ® and ™ are registered trademarks or trademarks, respectively, of Avaya Inc. All other registered trademarks or trademarks are property of their respective owners.


Table of Contents

1 General (page 5)
1.1 Scope and introduction (page 5)
1.2 Definitions, abbreviations, and textual conventions (page 5)
2 Overview (page 7)
2.1 The G350 Media Gateway (page 7)
2.1.1 The G250 Media Gateway (page 8)
2.2 Features of the G350 and G250 R3.0 IPSec VPN (page 9)
2.2.1 Interoperability and certification (page 9)
2.3 Design for QoS (page 10)
2.4 Routing, resiliency, and load sharing (page 11)
2.5 Security (page 13)
2.6 Administration and maintenance (page 15)
3 Operational Model (page 16)
3.1 The G350 and G250 interfaces (page 16)
3.2 VPN configuration model (page 17)
4 VPN CLI (page 19)
4.1 Configuration commands (page 19)
4.1.1 Configure isakmp peer parameters (page 19)
4.1.2 Configure isakmp peer-group parameters (page 19)
4.1.3 Configure isakmp policy parameters (page 20)
4.1.4 Configure IPSec parameters (page 21)
4.1.5 Configure crypto map (page 21)
4.1.6 Configure crypto list (page 22)
4.1.7 Interface context (page 22)
4.2 Intervention commands (page 22)
4.3 show commands (page 23)
5 VPN application samples (page 24)
5.1 Spoke with hub resiliency and load sharing through GRE (page 24)
5.1.1 Hub resiliency (page 26)
5.1.2 Hub load sharing through GRE (page 28)
5.1.3 Configuration of the other elements (page 30)
5.2 A spoke GW that is connected to an external access router (page 31)
6 Performance notes (page 33)
6.1 Throughput (page 33)
6.2 Delay (page 34)


List of Tables

Table 1 - Features of the G350 Release 2.2 IPSec VPN (page 9)
Table 2 - Additional VPN features introduced in G350 and G250 Release 3.0 (page 9)
Table 3 - Interoperability with other IPSec devices (page 9)
Table 4 - QoS features (page 10)
Table 5 - Routing, resiliency, and load-sharing features (page 11)
Table 6 - Security features (page 13)
Table 7 - Administration and maintenance features (page 15)
Table 8 - G350 and G250 interfaces (page 16)
Table 9 - SPD components (page 18)
Table 10 - Configure isakmp peer parameters (page 19)
Table 11 - Configure isakmp peer-group parameters (page 19)
Table 12 - Configure isakmp parameters (page 20)
Table 13 - Configure IPSec parameters (page 21)
Table 14 - Configure Crypto-Map (page 21)
Table 15 - Configure Crypto-List (page 22)
Table 16 - Interface context (page 22)
Table 17 - Tunnels (page 25)
Table 18 - Full-duplex IPSec VPN encryption and decryption rates (page 33)
Table 19 - Delay measured on simulated VoIP traffic for G350s (page 35)

Table of Figures

Figure 1 - The G350 Media Gateway (page 7)
Figure 2 - The G250 Media Gateway (page 8)
Figure 3 - The G250-BRI Media Gateway (page 8)
Figure 4 - IPSec and IKE parameters and relationships (page 17)
Figure 5 - Spoke with hub resiliency and load sharing (page 24)
Figure 6 - The G350 configuration file, showing hub resiliency through the activation of a backup interface. OSPF is used for IP Routing table updates. (page 27)
Figure 7 - The G350 configuration file for hub load sharing (page 29)
Figure 8 - Cisco 1 configuration (relevant parts) (page 30)
Figure 9 - Cisco 2 configuration (relevant parts) (page 30)
Figure 10 - SG 1 configuration (to be done through GUI, and so on) (page 30)
Figure 11 - SG2 configuration (to be done through GUI, and so on) (page 30)
Figure 12 - A spoke GW that is connected to an external access router (page 31)
Figure 13 - G350 configuration file for a spoke GW that is connected to an external access router (page 32)
Figure 14 - Relevant VSU 5000 head-end configuration (formatted as a VPN Manager report) (page 32)
Figure 15 - Throughput test (page 33)
Figure 16 - G350 Delay Measurements (page 34)


1 General

1.1 Scope and introduction

This document provides a short overview of the functionality of the G350 and G250 R3.0 IPSec VPN. “The G350 Media Gateway is a modular, converged device that combines an H.248 VoIP media gateway, an IP WAN access router, and a power-delivering LAN switch. Avaya Communication Manager controls the H.248 VoIP media gateway, either remotely or installed in the G350 chassis.”

1.2 Definitions, abbreviations, and textual conventions

ACL: Access Control List
Branch: Branch Office
BRI: ISDN Basic Rate Interface
BW: Bandwidth
CLI: Command Line Interface
CNA: Converged Network Analyzer – an application developed by Avaya, which provides network monitoring and statistics information using test plugs built into Avaya products.
CoS: Class of Service
DLCI: Data Link Connection Identifier (in Frame Relay)
DSCP: Differentiated Services Code Point
DSL: Digital Subscriber Line
ESP: Encapsulating Security Protocol – an encapsulating protocol of the IPSec standard.
FR: Frame Relay
FTP: File Transfer Protocol
GRE: Generic Routing Encapsulation. An IP tunneling protocol defined in RFC 1701.
GW: Gateway, namely the G350 and G250
Head-end: A VPN Gateway device that is located at a hub site. The head-end concentrates tunnels from multiple spoke sites and/or remote clients.
ICMP: Internet Control Message Protocol
IKE: Internet Key Exchange – the key exchange protocol of the IPSec standard.
IP: Internet Protocol
IP PBX: A PBX that is based on the IP protocol.
IPSec: IP Security – a set of protocols that supports IP layer secure packet exchange.
LAN: Local Area Network
MD5: Message Digest 5
MIB: Management Information Base
MM: Media Module – the type of switchable card used in Avaya G700, G350 and G250 Media Gateways.
MTU: Maximum Transmission Unit
PBX: Private Branch Exchange: A telephone system that is owned by an organization.
PFS: Perfect Forward Secrecy
PMI: Primary Management Interface. The IP interface that is used as a source IP for SNMP traps, syslog messages, the H.248 media Gateway functionality, and file transfer protocols.
PoE: Power over Ethernet. Usually refers to the MM314 switched 10/100 PoE ports.
PPP: Point to Point Protocol


QoS: Quality of Service
RADIUS: Remote Authentication Dial-In User Service
RED: Random Early Detection
SA: Security Association (in IPSec)
SCP: Secure Copy (an extension to SSH)
SFP: Small Form-factor Pluggable – a transceiver used on 2Gbps switches that replaces GBIC.
SNMP: Simple Network Management Protocol
SPD: Security Policy Database (in IPSec)
SSH: Secure Shell
TFTP: Trivial File Transfer Protocol
USB: Universal Serial Bus
VoIP: Voice over IP
VPN: Virtual Private Network. In the context of this document, an IPSec VPN.
VRRP: Virtual Router Redundancy Protocol
VSU: A legacy Avaya product line that provides IPSec VPN Gateway functionality.
WAN: Wide Area Network
WFQ: Weighted Fair Queuing


2 Overview

2.1 The G350 Media Gateway

Figure 1 - The G350 Media Gateway

The G350 is a modular, converged media gateway (Figure 1). The G350 is designed to meet the voice needs and the data needs of 8 to 40 users in a branch office of a large enterprise. The G350 provides the integrated functionality of an H.248 VoIP media gateway, a fully featured IP WAN access router, and a PoE LAN switch. With an optional S8300 Media Server module installed, the G350 can function as a standalone IP PBX. The 3U, 19” rack-mountable chassis of the G350 provides slots for one to five media modules and one high-density media module. The chassis also includes:

• Two analog line ports, one with ETR functionality

• One analog trunk port

• One 10/100 Ethernet LAN interface

• One 10/100 Ethernet WAN interface

• One RS232 port

• One USB port, and

• One contact-closure adjunct-control port that can control one or two contact-closure relays

The media modules include the optional S8300 Media Server module, and a variety of telephony and data interfaces. These interfaces include voice E1/T1, BRI, analog trunks and lines, and digital telephones. Data interfaces include E1/T1, V.35, and a 24x10/100 PoE + 1xSFP 1 GB Ethernet switching blade.


2.1.1 The G250 Media Gateway

Figure 2 - The G250 Media Gateway

Figure 3 - The G250-BRI Media Gateway

The G250 is a modular, converged media gateway. There are two versions, the G250 (Figure 2) and the G250-BRI (Figure 3). The G250 is designed to meet the voice needs and the data needs of around 5 to 10 users in a small branch office of a large enterprise. The G250 provides the integrated functionality of an H.248 VoIP media gateway, a fully featured IP WAN access router, and a PoE LAN switch. With an optional S8300B Media Server module installed, the G250 can function as a stand-alone IP PBX. The 2U, 19” rack-mountable chassis of the G250 provides slots for one S8300B Server module and one slot for a data E1/T1 (MM340) or a V.35 (MM342) media module. The chassis also includes:

• Two analog line ports, one with ETR functionality

• Four analog trunk ports in the G250

• One analog trunk and two digital BRI ISDN trunk ports in the G250-BRI

• Eight 10/100 Power Over Ethernet LAN ports, providing 80 watts of aggregate power

• One 10/100 Ethernet WAN interface

• One RS232 port

• One USB port, and

• One contact-closure adjunct-control port that can control one or two contact-closure relays


2.2 Features of the G350 and G250 R3.0 IPSec VPN

Table 1 lists the main IPSec VPN features provided in the previous G350 release, 2.2.

Table 1 - Features of the G350 Release 2.2 IPSec VPN

• Standards-based IPSec implementation [RFC 2401-RFC 2412...]
• Standard encryption and authentication algorithms for IKE and ESP. These algorithms include DES, TDES, AES (128-bit), MD5-HMAC, SHA1-HMAC, and IKE DH groups 1 and 2.
• ESP for data protection and IKE for key exchange.
• Quick Mode key negotiation with Perfect Forward Secrecy (PFS)
• IKE peer authentication through a preshared secret.
• Up to 50 IPSec peers for mesh and hub-and-spoke IPSec topologies.
• IPSec protection that can be applied on any output port and on many ports concurrently, for maximum installation flexibility.
• Per-interface security policy with bypass capability.
• Smooth integration with the onboard GRE tunneling feature. This tight integration provides the ability to use GRE over IPSec in a manner that maintains QoS for the encapsulated traffic.
• Random preshared-key-generation service.
• Load balancing
• Resiliency through core routing features, such as backup interface, GRE and so on.

Table 2 lists the main IPSec VPN features that were added for the R3.0 release of the G350 and G250 firmware.

Table 2 - Additional VPN features introduced in G350 and G250 Release 3.0

• Support for a dynamic local address, which can be acquired through DHCP/Ethernet or IPCP/PPPoE. This is achieved by initiating Aggressive Mode, and identifying the Gateway through an FQDN string rather than an IP address.
• Remote peer failover support.
• NAT traversal support – standard and legacy methods.
• Stronger encryption algorithms – longer keys for AES and DH.
• Optimized bandwidth consumption through IP compression support and transport mode ESP support (can help when using GRE over IPSec).
• Enhanced service assurance by employing continuous IKE and IPSec SA establishment.
• Support for a comprehensive proprietary monitoring MIB.

2.2.1 Interoperability and certification

The G350 and G250 with IPSec are FIPS-140-2 level 1 certified. Table 3 lists the equipment with which IPSec interoperability is currently verified.

Table 3 - Interoperability with other IPSec devices

Vendor            | Equipment
Avaya             | VSU and SG series
Cisco             | Cisco IOS 3660 v12.3
Cisco             | Cisco IOS 2600 v12.3 / v12.2
Cisco             | Cisco PIX 525 Firewall v6.3(3)
Checkpoint        | Checkpoint NG with application intelligence (R54) Build 289
Juniper/Netscreen | Juniper/Netscreen NS-50 Gateway, Netscreen 5.0.0r6.0
Nortel            | Nortel Contivity 1100 Firewall V04_80.124

2.3 Design for QoS

The G350 and G250 design is optimized to provide quality of service (QoS) for different types of traffic. The G350 and G250 are VoIP media gateways. Therefore, a primary design goal is to provide real-time traffic with the best QoS possible, when the traffic flows through the system, and the network beyond the system. The design strives to provide the traffic with the lowest latency and jitter possible. The introduction of IPSec VPN is integrated into this design. Thus, the design ensures that the impact of encryption on packet classification and packet flow is minimal. The design also ensures good utilization of the network interfaces. Table 4 lists the QoS features of the G350 and G250.

Table 4 - QoS features

Preclassification and random early detection (RED) inbound queuing
Description: Packets that enter the G350 and G250 are preclassified to a set of priority queues. The classification is based on a combination of ingress interface, DSCP, and L2 type and priority. The priority queues include a RED packet-dropping algorithm, which helps to control congestion.
Comment: This feature ensures that in the event of a high CPU load, high-priority packets such as control and VoIP packets that are received from the network are the last to be dropped. RED induces congestion control in hosts across the network, for congestion avoidance.

Fast and slow paths
Description: The G350 and G250 provide both fast and slow forwarding paths. Packets preclassified with a lower priority are forwarded on the slow path and thus do not interfere with the higher-priority packets.

QoS classification and marking
Description: The G350 and G250 use user-configurable QoS policy lists to classify packets on ingress and egress. This classification is based on:
• IP source/destination address
• Protocol
• Source/destination port ranges
• DSCP, and
• Interface.
The outcome of this classification can be one or more of the following:
• DSCP coloring
• Egress queuing priority change
• VC selection within FR DLCI group – when the egress interface is FR.
• L2 802.1p change – when the egress interface is a VLAN on a trunk port.

DSCP copy to tunnel
Description: The G350 and G250 can copy DSCP markings from the inner packets to an IPSec or a GRE encapsulation header.


Transmit scheduling
Description: Outbound traffic is serviced by a queuing mechanism that includes:
• Priority queues for high-priority flows such as VoIP and control
• Weighted fair queuing (WFQ) for medium-priority and low-priority flows such as data applications
RED is used to avoid congestion.
Comment: WFQ performs per-flow scheduling even when the traffic is encapsulated or encrypted in GRE and IPSec tunnels. An adaptive queue algorithm for IPSec processing ensures that the maximum delay limits for high-priority traffic are met, and maintains high line utilization.

Traffic shaping
Description: Traffic shaping is available for frame-relay interfaces and WAN Fast Ethernet interfaces.
Comment: Traffic shaping on the WAN Ethernet interface simulates the narrow bandwidth on the WAN side of an attached broadband modem, and thus ensures the use of the smart scheduling capability of the G350 and G250.

Path MTU Discovery
Description: Both GRE and IPSec tunnels participate in the path-MTU-discovery protocol, for optimized network performance.
Comment: The overhead of encapsulation headers is communicated to MTU-discovering hosts, to reduce IP fragmentation.

IPSec prefragmentation
Description: Packets are fragmented before the packets enter IPSec processing, for optimized network performance.
Comment: For flows that do not use path MTU discovery, IPSec prefragmentation ensures that the head-end does not need to perform expensive reassembly prior to decryption.
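As an added example that is not part of the application note or the gateway firmware, the following Python models the encapsulation overhead behind the Path MTU Discovery and IPSec prefragmentation rows above, and the transport-mode ESP over GRE saving listed in Table 2. Header sizes are the standard IPv4, ESP and GRE ones and the algorithm names follow the page; the advertised-MTU search and the fragment-size arithmetic are my own illustration of the idea, not Avaya's implementation.

```python
"""Added example (not from the application note): model the ESP and GRE
encapsulation overhead behind the Path MTU Discovery, IPSec prefragmentation
and transport-mode-ESP-over-GRE points in the text.

Header sizes are the standard IPv4/ESP/GRE ones; algorithm names follow the
page (DES, TDES, AES with MD5-HMAC or SHA1-HMAC).  IP compression (IPComp)
and GRE key/sequence options are not modelled."""

from dataclasses import dataclass

IP_HDR = 20        # IPv4 header without options
ESP_HDR = 8        # SPI + sequence number
ESP_TRAILER = 2    # pad length + next header bytes inside the encrypted part
GRE_HDR = 4        # base GRE header (RFC 1701) with no optional fields

# cipher -> (CBC block size, IV length), bytes
CIPHERS = {"des": (8, 8), "tdes": (8, 8), "aes": (16, 16)}
# authenticator -> truncated ICV length, bytes (HMAC-MD5-96 / HMAC-SHA1-96)
AUTHS = {"md5-hmac": 12, "sha1-hmac": 12, "none": 0}


@dataclass(frozen=True)
class EspProfile:
    cipher: str = "aes"
    auth: str = "sha1-hmac"
    tunnel_mode: bool = True   # False = transport mode: no new outer IP header
    over_gre: bool = False     # packet is first wrapped in GRE/IP (GRE over IPSec)

    def esp_size(self, plaintext_len: int) -> int:
        """Wire size of one ESP packet whose encrypted payload carries
        `plaintext_len` bytes (a whole inner IP packet in tunnel mode, or the
        IP payload in transport mode).  Padding rounds payload + trailer up to
        the cipher block size, so the overhead is not a constant."""
        block, iv_len = CIPHERS[self.cipher]
        pad = (-(plaintext_len + ESP_TRAILER)) % block
        return (IP_HDR + ESP_HDR + iv_len + plaintext_len + pad
                + ESP_TRAILER + AUTHS[self.auth])

    def wire_size(self, packet_len: int) -> int:
        """Total size on the WAN of a LAN packet of `packet_len` bytes after
        optional GRE encapsulation and ESP protection."""
        if self.over_gre:
            packet_len = IP_HDR + GRE_HDR + packet_len   # GRE/IP wraps it
        if self.tunnel_mode:
            return self.esp_size(packet_len)
        # transport mode reuses the existing IP header (the GRE one, if any)
        return self.esp_size(packet_len - IP_HDR)

    def max_packet_for_mtu(self, link_mtu: int) -> int:
        """Largest LAN packet that still fits `link_mtu` after encapsulation.
        This is the MTU the tunnel should advertise to PMTU-discovering hosts.
        Searched downwards because padding depends on the length."""
        size = link_mtu
        while size > IP_HDR and self.wire_size(size) > link_mtu:
            size -= 1
        return size


def prefragment(packet_len: int, link_mtu: int, profile: EspProfile) -> list:
    """Fragment a LAN packet *before* ESP so each encrypted fragment fits the
    link MTU.  The head-end then decrypts each fragment independently instead
    of reassembling ESP packets first.  IPv4 fragment offsets are in 8-byte
    units, so every non-final fragment carries a multiple of 8 payload bytes.
    Returns the fragment sizes, IP header included."""
    limit = profile.max_packet_for_mtu(link_mtu)
    if packet_len <= limit:
        return [packet_len]
    payload_per_frag = (limit - IP_HDR) // 8 * 8
    if payload_per_frag <= 0:
        raise ValueError("link MTU too small for any fragment after encapsulation")
    remaining = packet_len - IP_HDR
    frags = []
    while remaining > 0:
        chunk = min(payload_per_frag, remaining)
        frags.append(IP_HDR + chunk)
        remaining -= chunk
    return frags


def all_fit(frags: list, link_mtu: int, profile: EspProfile) -> bool:
    """True if every pre-fragmented piece fits the link after encapsulation."""
    return all(profile.wire_size(f) <= link_mtu for f in frags)


if __name__ == "__main__":
    aes_tunnel = EspProfile()
    print("advertised MTU behind an AES/SHA1 tunnel on a 1500-byte link:",
          aes_tunnel.max_packet_for_mtu(1500))
    frags = prefragment(1500, 1500, aes_tunnel)
    print("1500-byte packet prefragmented to:", frags,
          "all fit:", all_fit(frags, 1500, aes_tunnel))
    gre_tunnel = EspProfile(over_gre=True)
    gre_transport = EspProfile(over_gre=True, tunnel_mode=False)
    print("1000-byte packet over GRE, tunnel vs transport ESP:",
          gre_tunnel.wire_size(1000), gre_transport.wire_size(1000))
```

The tunnel-versus-transport comparison is where the Table 2 bandwidth saving comes from: transport mode drops the second IPv4 header that tunnel mode adds around the GRE packet.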

2.4 Routing, resiliency, and load sharing

The G350 with the MM314 24x10/100 PoE + 1x Gig Ethernet SFP switching module is both a router and a LAN switch. The G250 has a built-in 8x10/100 PoE switch, and thus is always a LAN switch as well as a router. Table 5 shows the many options that the G350 and G250 can use to select a path for packets. These options ensure resiliency, load sharing, and optimal path usage for specific applications.

Table 5 - Routing, resiliency, and load-sharing features

IPSec remote peer failover
Description: The G350 and G250 can fail over to a redundant remote VPN peer if the connection with the current peer fails. The G350 and G250 can actively monitor the health of the connection with the remote peer through a generic mechanism called “object-tracking”. The G350 and G250 also monitor the health of the connection through IKE and IPSec transaction timeouts and IKE DPD (detailed below). If a failure in the connection with the current peer is detected, the G350 and G250 can fail over to a backup peer either by re-performing a DNS lookup or by selecting a backup peer out of a preconfigured list of redundant peers.

IPSec VPN on a virtual interface
Description: The VPN tunnel can be configured on an “always up” loopback or VLAN virtual interface that uses a configurable local address to provide seamless local link failover.

Dynamic routing over IPSec
Description: Routing over IPSec-protected GRE tunnels reduces configuration overhead.
Comment: Routing eliminates the need to configure multiple crypto-policy entries to cover the subnets of an enterprise.

IPSec autorecovery
Description: The G350 and G250 provide fast automatic recovery in case of a database corruption. Such corruption can occur, for example, because of the unexpected reset of a peer.

IKE DPD support
Description: DPD (Dead Peer Detection) is a standard way (defined in RFC 3706) of performing a health check of the remote VPN peer over the IKE channel.

OSPF, RIPv1/v2, static routes with precedence
Description: The G350 and G250 support routing protocols that provide resiliency and load sharing through OSPF equal-cost multipath routing. High-precedence and low-precedence static routes can be configured to control forwarding with or without dynamic route updates through routing protocols.
Comment: IP routing provides alternate paths when network paths are unavailable.

Virtual Router Redundancy Protocol (VRRP)
Description: The G350 and G250 support standard VRRP. Thus the G350 and G250 can function in both backup configurations and load-sharing configurations for IP hosts.
Comment: VRRP is interoperable with Cisco and other major router vendors.

Backup interface
Description: The G350 and G250 provide support for a backup interface that is activated when a designated primary interface fails. Backup includes the possibility of configuring activation wait-times and deactivation wait-times to prevent flapping.

Policy-based routing
Description: The G350 and G250 can forward traffic to next-hop destinations based on IP source, destination, protocol, ports and DSCP.
Comment: Policy-based routing can be used to maintain an always-on, low-bandwidth DSL backup connection for less time-critical applications.

Health checks
Description: ICMP and TCP health checks can be used to trigger a backup mechanism, such as an interface backup.


Spanning tree and rapid spanning tree
Description: Spanning tree provides the ability to construct resilient bridged networks.
Comment: This feature is currently available for the G350 only, for the MM314, which is the high-density media module that provides PoE switch functionality.

Port redundancy
Description: Fast Ethernet ports on the PoE switching Media Module can be configured as a primary pair or a backup pair.
Comment: This feature is currently available for the G350 only, for the MM314.

2.5 Security

Table 6 lists the security-related features of the G350 and G250.

Table 6 - Security features Item Description Comment

Hardened IP stack The IP stack is hardened against known IP-layer attacks, such as malformed IP packets or fragment-based attacks.

Access-control lists

Stateless access-control lists can be applied per interface direction. These lists are based on a combination of the IP source and the destination address, the protocol, the source and the destination port ranges, the TCP established bit, and the interface. IP fragments and IP options can be blocked. Notification of deny events can be sent to management stations.

IEEE 802.1X

The G350 and G250 can play the authenticator (1) role of 802.1X port-based access control, and allow or deny access to the PoE ports based on 802.1X authentication of client hosts.

This feature is interoperable with clients such as Windows XP.

OSPF authentication

The G350 and G250 provide support for OSPF authentication of neighbor routers through MD5 hashes.

Audit log

An audit log can keep track of configuration changes. This log can be on a syslog server or onboard.

Security log

A security log can keep track of security-related events, such as login failures. This log can be on a syslog server or onboard.

This log can be used to detect attacks.

RADIUS authentication

An external RADIUS server can be used to authenticate administrators and 802.1X supplicants.

(1) 802.1X defines three separate roles. The G350 assumes the authenticator role, as opposed to the supplicant role and the authentication server role.

Digitally signed firmware images

Avaya digitally signs firmware images and thus ensures that no malicious code can be installed on the device.

Report login attempts

The G350 and G250 report both successful and unsuccessful login attempts through syslog and SNMP traps. The G350 and G250 also report SNMP authentication failures.


2.6 Administration and maintenance

Table 7 lists the administration and maintenance features of the G350 and G250.

Table 7 - Administration and maintenance features

CLI over Telnet, SSHv2

The G350 and G250 support a comprehensive CLI for configuration and real-time monitoring and control, over direct connection, Telnet, or SSHv2 protocols.

SNMPv1, v3

The G350 and G250 support comprehensive configuration and monitoring MIBs over SNMPv1 and secure SNMPv3. SNMPv3 also provides the ability to customize MIB views for different administrative users. Traps provide detailed notifications for various events.

Secrets are not exposed over SNMP. Such secrets include VPN, SSH shared secrets, and so on.

Device management

A SNMPv1/3 Java-based device manager can be launched through a Web interface, or installed as part of the Avaya Integrated Management solution. The Integrated Management solution provides additional applications such as batch firmware update and configuration backup.

Configuration upload, download, and rollback

Configuration files in a human-readable CLI format can be uploaded or downloaded to the G350 and G250 over SCP, FTP, or TFTP. Changes to a running configuration can be committed to a start-up file, or rolled-back through a reset.

Syslog

Extensive logs can be sent to a syslog server, stored onboard, or both, to provide troubleshooting and alarming capabilities.

Packet sniffer

A packet sniffer can capture packets in Ethereal format, for later upload and analysis.

The packet sniffer can capture IPSec packets in plaintext or ciphertext on any interface, according to configuration.

Out of band management

The G350 and G250 provide support for an external dial-in RS232 or USB modem, for out-of-band management.

Network diagnostic utilities

Ping and trace-route can be used from the CLI to diagnose and troubleshoot networks.


3 Operational Model

3.1 The G350 and G250 interfaces

The G350 and G250 media gateways are essentially routers with one or more of the interfaces listed in Table 8. These interfaces form the basis of the G350 and G250 configuration, and provide context for many of the configuration and classification parameters, such as packet forwarding, routing protocols, policy-based routing, and some backup resiliency schemes. Access, QoS, policy-based routing, and VPN policy lists are also configured on these interfaces. One specific interface is used as the source IP for the media-gateway functionality and some other protocols. This interface is designated as “PMI” (Primary Management Interface).

Table 8 - G350 and G250 interfaces

VLAN

An always-on interface that is mapped to the 10/100 LAN Ethernet port and the MM314 PoE switch module on the G350, and to the onboard 10/100 PoE ports on the G250.

One or more IP interfaces can be mapped to a VLAN interface.

On the G350, the 10/100 LAN port on the chassis and the MM314 10/100 and the 1 Gigabit SFP port form a single “LAN switch.”

This interface is used to connect to the LAN and stations such as IP telephones.

WAN Ethernet

An interface that can be configured as an IP interface and set in either Ethernet or PPP-over-Ethernet encapsulation. The IP address of this interface can be dynamically obtained through DHCP when working in Ethernet mode, or IPCP when working in PPPoE encapsulation mode.

This interface is used to connect to a broadband modem or an access router.

Serial

A V.35/X.21 or an E1/T1 channel group, both of which are available with the applicable media module.

A serial interface can have a PPP or a frame-relay encapsulation. An IP interface can map directly to a PPP serial interface.

Subframe-relay interface

A frame-relay virtual channel or a set of virtual channels over which an IP interface can be configured.

Loopback

A virtual interface that an administrator can create in order to assign the G350 or G250 an IP address on an interface that is always up.

GRE tunnel

A virtual interface that is comprised of a tunnel source and destination IP addresses.

This interface includes a “keep-alive” mechanism that can help detect network outages.

Console

An RS232 interface for direct connection or out-of-band management through a dial-in modem.

This interface is a non-routing interface.

USB Modem

An interface for out-of-band management through a dial-in USB modem.

This interface is a non-routing interface.

Dialer

An interface for working with an external PSTN dialup modem connected through the USB or serial interfaces.

This routing interface is typically employed as a backup interface for maintaining VoIP control connectivity with the remote CM, and for in-band management, in case the primary WAN interface fails.

3.2 VPN configuration model

Figure 4 shows the IPSec and the IKE parameters on the G350 and G250 and the relationship of these parameters.

[Figure 4 diagram: a crypto list, activated on an interface, holds rules 1 to N; each rule points into the crypto maps pool (crypto map 1 to N); a crypto map points into the transform-sets pool (transform-set 1 to N) and into either the isakmp peers pool (isakmp peer 1 to N) or the isakmp peer-groups pool (isakmp peer-group 1 to N, each grouping several peers); an isakmp peer points into the isakmp policies pool (isakmp policy 1 to N).]

Figure 4 - IPSec and IKE parameters and relationships


The G350 and G250 implement a modular configuration model, in which the Security Policy Database (SPD) is built from components. Table 9 lists these components.

Table 9 - SPD components

Crypto-list

An ordered list of rules that control which traffic requires IPSec protection, and which traffic does not require IPSec protection, i.e., “bypasses” IPSec. These rules are based on the source and the destination IP addresses or subnets. A crypto-list is activated on an interface. The G350 and G250 can have multiple crypto-lists activated on different interfaces.

Crypto map

When a crypto-list rule requires IPSec protection, the rule points to a “crypto-map” object. The crypto-map object aggregates all the other configuration objects that are required for IPSec negotiation. These objects include the remote peer IP, the algorithms to be used for authentication and encryption, and so on.

Transform-set

A crypto-map object points to a single transform-set object. This object contains the parameters that are required for IKE Quick Mode negotiation.

Isakmp peer

A crypto-map object also points to a single “isakmp peer” object. This object contains the peer IP address, the preshared key for peer authentication, and a pointer to an “isakmp policy” object.

Isakmp peer-group

A crypto map also points to either a single “isakmp peer-group” object or a single “isakmp peer” object. The “isakmp peer-group” object serves as an aggregator for redundant isakmp peers, and hence it points to one or more “isakmp peer” objects.

Isakmp policy

An Isakmp peer object points to a single “isakmp policy” object. This object contains the parameters that are required for IKE Phase-1 negotiation.
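As an added illustration of the component model in Table 9 (example code written for this page, not part of the Avaya application note or of the gateway firmware), the following Python script parses the handful of commands used in Figure 6 of this note, collects the references between components, and reports any that do not resolve. The parser, its data layout and the sample configuration are constructed for this example; the sample deliberately omits the second isakmp peer so that one dangling reference is found.

```python
"""
Added example (not from the Avaya application note): a small parser for the
modular SPD components of Table 9 that checks every reference between
components resolves (crypto-list rule -> crypto map -> transform-set and
isakmp peer -> isakmp policy).  It understands only the commands used in the
note's Figure 6; the sample configuration is constructed from that figure.
"""

def parse_spd(config: str) -> dict:
    """Collect SPD components and the references between them."""
    spd = {"lists": {}, "maps": {}, "peers": {}, "policies": set(), "transform_sets": set()}
    ctx = None      # (kind, id) of the currently open configuration context
    rule = None     # open ip-rule index inside a crypto-list context
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # skip blanks and comment lines
            continue
        words = line.split()
        if words == ["exit"]:                       # leave the innermost context
            if rule is not None:
                rule = None
            else:
                ctx = None
        elif words[:2] == ["ip", "crypto-list"]:
            ctx = ("list", words[2]); spd["lists"][words[2]] = {}
        elif words[:2] == ["crypto", "map"]:
            ctx = ("map", words[2]); spd["maps"][words[2]] = {}
        elif words[:3] == ["crypto", "isakmp", "peer"]:
            ctx = ("peer", words[4]); spd["peers"][words[4]] = {}   # 'address <ip>'
        elif words[:3] == ["crypto", "isakmp", "policy"]:
            spd["policies"].add(words[3])
        elif words[:3] == ["crypto", "ipsec", "transform-set"]:
            spd["transform_sets"].add(words[3])
        elif ctx and ctx[0] == "list" and words[0] == "ip-rule":
            rule = words[1]
        elif ctx and ctx[0] == "list" and words[:3] == ["protect", "crypto", "map"]:
            spd["lists"][ctx[1]][rule] = words[3]
        elif ctx and ctx[0] == "map" and words[:2] == ["set", "peer"]:
            spd["maps"][ctx[1]]["peer"] = words[2]
        elif ctx and ctx[0] == "map" and words[:2] == ["set", "transform-set"]:
            spd["maps"][ctx[1]]["transform_set"] = words[2]
        elif ctx and ctx[0] == "peer" and words[0] == "isakmp-policy":
            spd["peers"][ctx[1]]["policy"] = words[1]
    return spd

def dangling_references(spd: dict) -> list:
    """Describe every reference that points at a component that was never defined."""
    problems = []
    for list_id, rules in spd["lists"].items():
        for rule, map_id in rules.items():
            if map_id not in spd["maps"]:
                problems.append(f"crypto-list {list_id} rule {rule} -> crypto map {map_id} (missing)")
    for map_id, m in spd["maps"].items():
        if m.get("peer") not in spd["peers"]:
            problems.append(f"crypto map {map_id} -> isakmp peer {m.get('peer')} (missing)")
        if m.get("transform_set") not in spd["transform_sets"]:
            problems.append(f"crypto map {map_id} -> transform-set {m.get('transform_set')} (missing)")
    for peer, p in spd["peers"].items():
        if p.get("policy") not in spd["policies"]:
            problems.append(f"isakmp peer {peer} -> isakmp policy {p.get('policy')} (missing)")
    return problems

# Constructed from Figure 6 of the note; the peer for crypto map 2 is left out on purpose
SAMPLE = """
ip crypto-list 901
 local-address 62.56.254.17
 ip-rule 1
  protect crypto map 1
  source-ip host 101.11.12.1
  destination-ip host 17.13.54.192
 exit
 ip-rule 2
  protect crypto map 2
  source-ip host 101.11.12.1
  destination-ip host 18.13.54.192
 exit
exit
crypto ipsec transform-set ts1 esp-3des esp-sha-hmac
exit
crypto isakmp policy 1
 encryption 3des
 hash sha
 group 2
 authentication pre-share
exit
crypto isakmp peer address 14.22.5.225
 pre-shared-key sharedSecret
 isakmp-policy 1
exit
crypto map 1
 set peer 14.22.5.225
 set transform-set ts1
exit
crypto map 2
 set peer 15.22.5.225
 set transform-set ts1
exit
"""

if __name__ == "__main__":
    for problem in dangling_references(parse_spd(SAMPLE)):
        print(problem)
```

Running the script on the sample prints the single unresolved link, crypto map 2 to the undefined peer 15.22.5.225; adding that peer with an isakmp-policy makes the report empty. The parser tracks only the context-opening commands and the exit keyword, so a real configuration dump with other commands between them is ignored rather than misread.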

The crypto-list provides encryption rules. In many cases, an access-control list (ACL) is also activated on the public interface. In these cases, the ACL should be constructed so that IKE, IPSec, ICMP path MTU discovery and the traffic that is carried inside the tunnel can exit and enter the device. Optionally DHCP, DNS, SSH, SCP, and CNA test plug traffic should also be permitted by the ACL, depending on the configuration. The G350 and G250 verify which traffic is expected to arrive protected. If that traffic arrives unprotected, the G350 and G250 do not allow that traffic to enter.
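The ACL requirements in the preceding paragraph can be checked mechanically. The following Python script is an added example, not code from the application note or from the gateway: it evaluates a stateless, first-match ACL (a constructed model, not the G350 ACL CLI) against the inbound flows a tunnel needs and lists those a given ACL would drop. The addresses are taken from Figure 6 of this note; UDP port 4500 for NAT-traversal keepalives and ICMP type 3 for path-MTU discovery come from the IPSec and ICMP standards, not from the note.

```python
"""
Added example (not from the Avaya application note): a stateless, first-match
ACL evaluator used to confirm that an ACL on the public interface still lets
IKE, ESP, ICMP path-MTU discovery and the traffic carried inside the tunnel
through.  ACL syntax and sample entries are constructed for this example.
"""
from dataclasses import dataclass
import ipaddress

@dataclass(frozen=True)
class Packet:
    proto: str            # "udp", "tcp", "esp", "icmp", "gre"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: int = -1

@dataclass(frozen=True)
class AclEntry:
    action: str                        # "permit" or "deny"
    proto: str = "ip"                  # "ip" matches every protocol
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dports: tuple = (0, 65535)         # destination port range for udp/tcp
    icmp_type: int = -1                # -1 means any ICMP type

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        if p.proto in ("udp", "tcp") and not (self.dports[0] <= p.dport <= self.dports[1]):
            return False
        if p.proto == "icmp" and self.icmp_type != -1 and self.icmp_type != p.icmp_type:
            return False
        return True

def evaluate(acl, p: Packet) -> str:
    """The first matching entry decides; a stateless ACL with no match denies."""
    for entry in acl:
        if entry.matches(p):
            return entry.action
    return "deny"

LOCAL = "62.56.254.17"     # public address of the G350 in Figure 6
PEER = "14.22.5.225"       # remote VPN gateway SG1 in Figure 6

def required_flows(local: str, peer: str) -> dict:
    """Inbound flows that must be permitted for the tunnel in Figure 6 to work."""
    return {
        "IKE (UDP 500)": Packet("udp", peer, local, 500, 500),
        "IKE NAT-T (UDP 4500)": Packet("udp", peer, local, 4500, 4500),   # RFC 3948 port
        "ESP (IP proto 50)": Packet("esp", peer, local),
        # ICMP type 3 (destination unreachable), whose code 4 carries fragmentation-needed
        "ICMP frag-needed (PMTUD)": Packet("icmp", "10.0.0.1", local, icmp_type=3),
        # the decrypted inner traffic is the GRE tunnel between Cisco1 and the G350 VLAN
        "GRE carried inside the tunnel": Packet("gre", "17.13.54.192", "101.11.12.1"),
    }

def check_public_acl(acl, local: str = LOCAL, peer: str = PEER) -> list:
    """Return the names of the required flows that the ACL would not permit."""
    return [name for name, pkt in required_flows(local, peer).items()
            if evaluate(acl, pkt) != "permit"]

# Constructed: an ACL that permits IKE but forgot ESP, ICMP and the inner GRE traffic
TOO_TIGHT = [
    AclEntry("permit", "udp", PEER + "/32", LOCAL + "/32", (500, 500)),
    AclEntry("permit", "udp", PEER + "/32", LOCAL + "/32", (4500, 4500)),
    AclEntry("deny"),
]
# Constructed: the same ACL with the missing entries added
CORRECTED = TOO_TIGHT[:2] + [
    AclEntry("permit", "esp", PEER + "/32", LOCAL + "/32"),
    AclEntry("permit", "icmp", "0.0.0.0/0", LOCAL + "/32", icmp_type=3),
    AclEntry("permit", "gre", "17.13.54.192/32", "101.11.12.1/32"),
    AclEntry("deny"),
]

if __name__ == "__main__":
    print("too tight drops:", check_public_acl(TOO_TIGHT))
    print("corrected drops:", check_public_acl(CORRECTED))
```

The model keeps the ACL stateless on purpose, as the note describes the G350 and G250 lists: nothing is permitted because an outbound flow opened it, so every inbound flow the tunnel relies on must have its own entry.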


4 VPN CLI

4.1 Configuration commands

Note that many of the following configuration commands can be deleted or returned to factory defaults by specifying “no” as a prefix to the command.

4.1.1 Configure isakmp peer parameters

Table 10 lists isakmp peer CLI commands.

Table 10 - Configure isakmp peer parameters

crypto isakmp peer { address peer-addr | fqdn peer-hostname }

Create a new isakmp peer and enter into its context, or enter into the context of an existing isakmp peer.

pre-shared-key key-string [hexadecimal]

Specify the preshared key for peer authentication within IKE Phase-1.

isakmp-policy policy-id

Specify the isakmp policy to use when negotiating IKE Phase-1 with the peer.

self-identity { address | fqdn fqdn-str }

Use “self-identity fqdn” to support an installation where the local IP address is dynamic.

initiate mode { main | aggressive }

Use “initiate mode aggressive” to support an installation where the local IP address is dynamic.

keepalive [seconds [retry retry-seconds] [on-demand | periodic]]

Use this command to enable DPD keepalives and set various parameters for them.

keepalive-track track-id

Use this command to enable object-tracking keepalives, by binding the liveness status of this peer to an existing object-tracker.

continuous-channel

Use this command to maintain a continuous IKE connection, by automatically reestablishing an IKE SA as soon as it expires.

crypto isakmp suggest-key [key-length] [alphanumeric | hexadecimal]

Use this utility command to generate a pseudo-random string that can be used as a preshared key for the connection with this peer.

description text

Add text that describes the peer.

4.1.2 Configure isakmp peer-group parameters

Table 11 lists isakmp peer-group CLI commands.

Table 11 - Configure isakmp peer-group parameters

crypto isakmp peer-group peer-group-name

Create a new isakmp peer-group, or enter into the context of an existing one.

set peer {ip-address | hostname} [index index]

Add an isakmp peer to this peer-group.

description text

Free text describing the peer-group.


4.1.3 Configure isakmp policy parameters

Table 12 lists isakmp policy CLI commands.

Table 12 - Configure isakmp parameters

crypto isakmp policy policy-id

Create a new isakmp policy and enter into its context, or enter into the context of an existing isakmp policy.

group { 1 | 2 | 5 | 14 }
encryption { des | 3des | aes | aes-192 | aes-256 }
hash { sha | md5 }
lifetime seconds
authentication pre-share
description text

Modify the Diffie-Hellman group, encryption, hash, lifetime, authentication method, and description of an existing policy.

no crypto ipsec nat-transparency udp-encapsulation

Use this command to disable the default behavior that enables IPSec NAT traversal.

crypto isakmp nat keepalive [seconds]

Use this command to enable NAT traversal keepalives, and set the keepalive interval.

crypto isakmp invalid-spi-recovery

Specify whether to open an IKE SA when sending a DELETE message if an IKE SA does not already exist. The default is yes.


4.1.4 Configure IPSec parameters

Table 13 lists the IPSec CLI commands.

Table 13 - Configure IPSec parameters

crypto ipsec transform-set transform-set-name { {esp-des | esp-3des | esp-aes | esp-aes-192 | esp-aes-256} [{esp-md5-hmac | esp-sha-hmac}] | esp-null {esp-md5-hmac | esp-sha-hmac} } [comp-lzs]

Create a new transform-set, or modify the encryption, the authentication, or both of an existing transform-set, and enter the transform-set context.

crypto ipsec transform-set transform-set-name

Enter the context of an existing transform-set.

set security-association lifetime { seconds seconds | kilobytes {kilobytes | disable} }

Modify the lifetime of an existing transform-set.

set pfs [group1 | group2 | group5 | group14]

Modify the PFS group of an existing transform-set.

mode {tunnel | transport}

Use the “mode transport” command to operate in ESP transport encapsulation mode, when possible, to minimize encapsulation overhead when using GRE over IPSec.

4.1.5 Configure crypto map

Table 14 lists crypto-map CLI commands.

Table 14 - Configure Crypto-Map

crypto map map-id

Create a new crypto map and enter into its context, or enter into the context of an existing crypto map.

set peer { ip-address | hostname }

Bind a remote peer to the crypto map.

set transform-set transform-set-name

Bind a transform-set to the crypto map.

set dscp dscp-value

Set the DSCP value for the encrypted packet. The default is to copy the value from the clear packet.

continuous-channel

Use this command to maintain a continuous IPSec tunnel by automatically re-establishing an IPSec SA shortly before it expires.


4.1.6 Configure crypto list

Table 15 lists the crypto-list CLI commands.

Table 15 - Configure Crypto-List

ip crypto-list crypto-list-id

Create a new crypto list and enter into its context, or enter into the context of an existing crypto list.

name text

Provide descriptive text for the crypto-list.

local-address { ip-interface-address }

Set the local IP address for the IPSec tunnels that are derived from this crypto-list.

ip-rule { index | default }

Create a rule, or enter the context of an existing rule.

source-ip { any | host ip-address | ip-address wildcard }

Specify the source IP selector for the rule.

destination-ip { any | host ip-address | ip-address wildcard }

Specify the destination IP selector for the rule.

protect crypto map map-id

Protect the traffic that matches this rule by applying the IPSec processing that is configured by the specified crypto map.

no protect

Do not protect the traffic that matches this rule. Instead, traffic that matches this rule bypasses IPSec processing and continues unprotected.

4.1.7 Interface context

Table 16 lists interface CLI commands.

Table 16 - Interface context

ip crypto-group crypto-list-id

Activate a crypto list on this interface.

ip crypto-simulate list-number direction source-ip destination-ip

Simulate crypto list behavior for this specific packet.

crypto ipsec df-bit {clear | copy}

Set the don’t-fragment bit behavior for the encrypted packets.

crypto ipsec minimal-pmtu bytes

Use this command to change the default minimal PMTU kept for IPSec tunnels running over this interface.
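To make the rule semantics of Tables 15 and 16 concrete, here is an added example (not from the application note or from the gateway firmware) that models a crypto-list as data, reproduces what “ip crypto-simulate” answers for a given source and destination, and applies the inbound check from Section 3.2 that refuses traffic which was expected protected but arrived in the clear. The Cisco-style wildcard-mask semantics and the mirrored inbound lookup are assumptions of this model; the rules themselves are those of Figures 6 and 13 of this note.

```python
"""
Added example (not from the Avaya application note): a data model of the
ordered crypto-list from Table 15, a first-match lookup in the spirit of
'ip crypto-simulate' (Table 16), and the inbound check of Section 3.2.
Wildcard-mask matching and the mirrored inbound lookup are assumptions.
"""
from dataclasses import dataclass
from typing import Optional
import ipaddress

@dataclass(frozen=True)
class Selector:
    """Models 'any', 'host a.b.c.d' or 'a.b.c.d wildcard' from the CLI."""
    addr: int = 0
    wildcard: int = 0xFFFFFFFF      # 'any': every bit is a don't-care

    @classmethod
    def parse(cls, text: str) -> "Selector":
        parts = text.split()
        if parts == ["any"]:
            return cls()
        if parts[0] == "host":
            return cls(int(ipaddress.ip_address(parts[1])), 0)
        addr, wild = parts
        return cls(int(ipaddress.ip_address(addr)), int(ipaddress.ip_address(wild)))

    def matches(self, ip: str) -> bool:
        # Bits set to 1 in the wildcard are ignored (assumed Cisco-style semantics)
        return ((int(ipaddress.ip_address(ip)) ^ self.addr) & ~self.wildcard & 0xFFFFFFFF) == 0

@dataclass(frozen=True)
class IpRule:
    index: int
    source: Selector
    destination: Selector
    crypto_map: Optional[int]       # None stands for 'no protect' (bypass IPSec)

class CryptoList:
    def __init__(self, list_id: int, rules, default_map: Optional[int] = None):
        self.list_id = list_id
        self.rules = sorted(rules, key=lambda r: r.index)   # ordered, lowest index first
        self.default_map = default_map                      # the 'ip-rule default' action

    def simulate(self, src: str, dst: str) -> Optional[int]:
        """First matching rule wins; returns the crypto map id, or None for bypass."""
        for rule in self.rules:
            if rule.source.matches(src) and rule.destination.matches(dst):
                return rule.crypto_map
        return self.default_map

    def admit_inbound(self, src: str, dst: str, arrived_protected: bool) -> bool:
        """Inbound policy: a flow the list says must be protected is refused when it
        arrives unprotected; bypass flows are admitted either way.  The inbound
        lookup mirrors the selectors (assumption of this model)."""
        expected_map = self.simulate(dst, src)
        if expected_map is None:
            return True
        return arrived_protected

# Figure 6 of the note as data: rule 1 -> crypto map 1 (HQ1), rule 2 -> crypto map 2 (HQ2)
LIST_901 = CryptoList(901, [
    IpRule(1, Selector.parse("host 101.11.12.1"), Selector.parse("host 17.13.54.192"), 1),
    IpRule(2, Selector.parse("host 101.11.12.1"), Selector.parse("host 18.13.54.192"), 2),
])

# Figure 13 of the note as data: two internal subnets, both protected by crypto map 1
LIST_SUBNET = CryptoList(901, [
    IpRule(1, Selector.parse("192.100.1.0 0.0.0.255"), Selector.parse("193.100.2.0 0.0.0.255"), 1),
    IpRule(2, Selector.parse("192.100.2.0 0.0.0.255"), Selector.parse("193.100.2.0 0.0.0.255"), 1),
])

if __name__ == "__main__":
    print(LIST_901.simulate("101.11.12.1", "17.13.54.192"))    # crypto map 1
    print(LIST_901.simulate("101.11.12.1", "8.8.8.8"))         # None: bypasses IPSec
    print(LIST_901.admit_inbound("17.13.54.192", "101.11.12.1", arrived_protected=False))
```

The last call models the situation the note warns about: a GRE packet from Cisco1 that should have arrived inside VPN1 but shows up unprotected is refused, while Internet traffic that no rule covers is admitted as bypass traffic.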

4.2 Intervention commands

The following CLI commands can be used to clear certain IKE tables and IPSec tables:

    clear crypto sa all
    clear crypto sa counters
    clear crypto sa list
    clear crypto sa peer
    clear crypto sa spi
    clear crypto isakmp [connection-id]


4.3 show commands

The following commands provide information on the configuration and the status of IKE-related and IPSec-related functions:

    show crypto ipsec sa [list crypto-list-id [rule rule-id] | address ] [detail]
    show crypto isakmp sa
    show crypto ipsec transform-set [tag transform-set-name]
    show crypto isakmp peer
    show crypto isakmp policy
    show crypto map
    show ip crypto-list [{ list-number | all } [detailed]]
    show ip active-lists [ list-index | list-type ]


5 VPN application samples

5.1 Spoke with hub resiliency and load sharing through GRE

The following section provides a sample application that realizes VPN failover through the use of GRE. As of firmware release 3.0 there are also other mechanisms that can provide failover at the VPN level. These mechanisms, namely the use of a DNS resolver for the isakmp peer and the use of an isakmp peer-group, are not specified in this example, but they can work in conjunction with GRE or without it.

Figure 5 shows how a branch with a G350 or G250 can connect to two VPN hub sites in a way that provides resiliency and possibly load sharing. The example uses a G350, but the configuration of a G250 would be very similar. The G350 is connected through its 10/100 WAN Ethernet port to a bridging broadband modem. Note that the solution can also work if the G350 were connected to an access router. See Section 5.2, “A spoke GW that is connected to an external access router”, for details.

Two GRE tunnel interfaces are defined. GRE1 leads to a Cisco router (Cisco1) that resides behind a VPN gateway (SG1) in HQ1. GRE2 leads to a Cisco router (Cisco2) that resides behind a VPN gateway (SG2) in HQ2. Two VPNs are defined, one VPN with a remote peer, Gateway SG1, in HQ1, and the other VPN with a remote peer, Gateway SG2, in HQ2.

Connectivity to the networks in HQ1 and HQ2 is determined through GRE keep-alives. If network connectivity is lost because of failures in the WAN, the HQ Cisco routers, or the HQ VPN devices, the GRE keep-alive fails and the GRE interface transitions to a “down” state. The two GRE tunnels can then be used for branch-to-HQ traffic in either active/active or active/standby fashion:

• Active/standby – GRE2 is configured as a backup interface for GRE1, and is activated only when GRE1 is in the “down” state.

• Active/Active – Both tunnel interfaces are active. RIP or OSPF routing protocols route traffic to destinations based on route cost and availability. For two routes of equal cost to the same destination, one through HQ1 and one through HQ2, OSPF automatically distributes traffic through both routes. Thus, the load is effectively shared between routes.

Figure 5 - Spoke with hub resiliency and load sharing


Table 17 describes the tunnels.

Table 17 - Tunnels

GRE1
- Source: 101.11.12.1 [G350:v1]
- Dest: 17.13.54.192 [Cisco1]
- Use GRE keep-alive.

This tunnel is a routing interface for the G350.

GRE2
- Source: 101.11.12.1 [G350:v1]
- Dest: 18.13.54.192 [Cisco2]
- Use GRE keep-alive.

This tunnel is a routing interface for the G350.

VPN1
- Source: 62.56.254.17 [G350:e0]
- Dest: 14.22.5.225
- Protect GRE Tunnel1

VPN2
- Source: 62.56.254.17 [G350:e0]
- Dest: 15.22.5.225
- Protect GRE Tunnel2


5.1.1 Hub resiliency

Figure 6 shows the G350 configuration file. In this scenario, tunnel GRE2 to HQ2 is activated only if tunnel GRE1 to HQ1 fails. Backup activation includes hysteresis to prevent flapping.

    set vlan 2 name "V2"
    # the VPN policy
    ip crypto-list 901
      name "list #901"
      local-address 62.56.254.17
      # protect GRE tunnel 1
      ip-rule 1
        # use vpn to HQ1
        protect crypto map 1
        source-ip host 101.11.12.1
        destination-ip host 17.13.54.192
      exit
      # protect GRE tunnel 2
      ip-rule 2
        # use vpn to HQ2
        protect crypto map 2
        source-ip host 101.11.12.1
        destination-ip host 18.13.54.192
      exit
    exit
    # Both VPNs will use TDES with SHA-HMAC
    crypto ipsec transform-set ts1 esp-3des esp-sha-hmac
    exit
    # Configure IKE
    crypto isakmp policy 1
      encryption 3des
      hash sha
      group 2
      authentication pre-share
    exit
    crypto isakmp peer address 14.22.5.225
      pre-shared-key sharedSecret
      isakmp-policy 1
    exit
    crypto isakmp peer address 15.22.5.225
      pre-shared-key sharedSecret
      isakmp-policy 1
    exit
    # Configure VPN to HQ1
    crypto map 1
      set peer 14.22.5.225
      set transform-set ts1
    exit
    # Configure VPN to HQ2
    crypto map 2
      set peer 15.22.5.225
      set transform-set ts1
    exit
    # Configure Router Interfaces
    # VLAN interfaces for Voice and Data networks
    interface Vlan 1
      description "VoIP_VLAN"
      # This VLAN will also function as the VLAN of the S8300 Call Controller module
      icc-vlan
      ip address 101.11.12.1 255.255.255.224
      # This Interface will be the source IP of Media Gateway and some management protocols
      pmi
    exit
    interface Vlan 2
      description "DATA_VLAN"
      ip address 101.10.12.1 255.255.255.224
    exit
    # This interface connects to the broadband modem
    interface FastEthernet 10/2
      bandwidth 256
      # The broadband uses PPP over Ethernet encapsulation
      pppoe
      # Traffic shaping is used to emulate limited uplink BW on modem
      traffic-shape rate 256000
      # QoS queuing optimized for voice + data
      fair-voip-queue
      # Apply VPN policy on the interface.
      ip crypto-group 901
      mtu 1492
      ip address 62.56.254.17 255.255.255.252
    exit
    # Configure the GRE tunnels
    interface Tunnel 1
      # GRE Tunnel 1 is the primary, GRE tunnel 2 is the backup
      backup interface Tunnel 2
      # The backup will activate only if the primary is down for 20 seconds
      # it will de-activate 15 seconds after the primary is up again
      backup delay 20 15
      # GRE keepalive
      keepalive 10 3
      tunnel source 101.11.12.1
      tunnel destination 17.13.54.192
      ip address 10.10.10.1 255.255.255.252
    exit
    # GRE tunnel 2
    interface Tunnel 2
      keepalive 10 3
      tunnel source 101.11.12.1
      tunnel destination 18.13.54.192
      ip address 20.20.20.1 255.255.255.252
    exit
    # RS232 Console Interface
    interface Console
      ip address 10.3.0.1 255.255.255.0
    exit
    # USB Interface
    interface USB-Modem
      shutdown
      ip address 10.3.0.3 255.255.255.0
    exit
    # Routing table
    ip default-gateway 10.152.12.70 1 low
    ip route 17.13.54.192 255.255.255.255 FastEthernet 10/2 1 high
    ip route 18.13.54.192 255.255.255.255 FastEthernet 10/2 1 high
    # Configure OSPF Routing (will happen over the GRE tunnels)
    router ospf
      network 10.10.10.0 0.0.0.3 area 0.0.0.0
      network 20.20.20.0 0.0.0.3 area 0.0.0.0
    exit

Figure 6 - The G350 configuration file, showing hub resiliency through the activation of a backup interface. OSPF is used for IP Routing table updates.
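The hysteresis that the comments in Figure 6 describe (“keepalive 10 3” and “backup delay 20 15”) can be watched in a small simulation. The following Python model is an added example, not the gateway's implementation: the one-second tick, the way keepalive misses are counted, and the delay timers are assumptions constructed to match the comments in the figure, and the two outage scenarios are constructed input.

```python
"""
Added example (not from the Avaya application note): a discrete-time model of
'keepalive 10 3' (GRE keepalive every 10 s, three misses bring the interface
down) and 'backup delay 20 15' (activate the backup after the primary has been
down 20 s, release it 15 s after the primary is back) from Figure 6.  Timer
semantics are an assumption of this model, not the gateway's real behaviour.
"""
from dataclasses import dataclass

@dataclass
class GreKeepalive:
    interval: int = 10        # seconds between keepalives
    retries: int = 3          # consecutive misses before the interface goes down
    missed: int = 0
    up: bool = True

    def tick(self, t: int, link_ok: bool) -> None:
        """Called once per second; a keepalive is sent on each interval boundary."""
        if t % self.interval:
            return
        if link_ok:
            self.missed, self.up = 0, True
        else:
            self.missed += 1
            if self.missed >= self.retries:
                self.up = False

@dataclass
class BackupInterface:
    activate_delay: int = 20     # primary must be down this long before backup starts
    deactivate_delay: int = 15   # primary must be up this long before backup stops
    active: bool = False
    primary_state_since: int = 0
    last_primary_up: bool = True

    def tick(self, t: int, primary_up: bool) -> None:
        if primary_up != self.last_primary_up:
            self.last_primary_up, self.primary_state_since = primary_up, t
        held = t - self.primary_state_since
        if not primary_up and not self.active and held >= self.activate_delay:
            self.active = True
        elif primary_up and self.active and held >= self.deactivate_delay:
            self.active = False

def simulate(link_ok_at, seconds: int) -> tuple:
    """Run both timers; return (seconds the backup was active, number of activations)."""
    ka, bk = GreKeepalive(), BackupInterface()
    active_seconds, activations, was_active = 0, 0, False
    for t in range(seconds):
        ka.tick(t, link_ok_at(t))
        bk.tick(t, ka.up)
        active_seconds += int(bk.active)
        if bk.active and not was_active:
            activations += 1
        was_active = bk.active
    return active_seconds, activations

# Constructed scenarios
def short_outage(t: int) -> bool:
    # WAN down for 25 s: three keepalives are lost and the tunnel goes down at t=120,
    # but it is back up at t=130, before the 20 s activation delay expires
    return not (100 <= t < 125)

def real_outage(t: int) -> bool:
    # WAN down for three minutes: the backup activates and stays up until
    # 15 s after the primary tunnel has recovered
    return not (100 <= t < 280)

if __name__ == "__main__":
    print("short outage (backup seconds, activations):", simulate(short_outage, 400))
    print("real outage  (backup seconds, activations):", simulate(real_outage, 400))
```

With these settings the short outage never switches traffic to HQ2, which is the flapping the note says the delays are meant to prevent, while the real outage produces exactly one activation that ends 15 s after GRE1 recovers.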


5.1.2 Hub load sharing through GRE

Figure 7 shows the G350 configuration file for hub load sharing. In this scenario, both GRE tunnels are active. OSPF equal-cost multipath routing uses both paths for routes that have the same cost.

    set vlan 2 name "V2"
    # the VPN policy
    ip crypto-list 901
      name "list #901"
      local-address 62.56.254.17
      # protect GRE tunnel 1
      ip-rule 1
        # use vpn to HQ1
        protect crypto map 1
        source-ip host 101.11.12.1
        destination-ip host 17.13.54.192
      exit
      # protect GRE tunnel 2
      ip-rule 2
        # use vpn to HQ2
        protect crypto map 2
        source-ip host 101.11.12.1
        destination-ip host 18.13.54.192
      exit
    exit
    # Both VPNs will use TDES with SHA-HMAC
    crypto ipsec transform-set ts1 esp-3des esp-sha-hmac
    exit
    # Configure IKE
    crypto isakmp policy 1
      encryption 3des
      hash sha
      group 2
      authentication pre-share
    exit
    crypto isakmp peer address 14.22.5.225
      pre-shared-key sharedSecret
      isakmp-policy 1
    exit
    crypto isakmp peer address 15.22.5.225
      pre-shared-key sharedSecret
      isakmp-policy 1
    exit
    # Configure VPN to HQ1
    crypto map 1
      set peer 14.22.5.225
      set transform-set ts1
    exit
    # Configure VPN to HQ2
    crypto map 2
      set peer 15.22.5.225
      set transform-set ts1
    exit
    # Configure Router Interfaces
    # VLAN interfaces for Voice and Data networks
    interface Vlan 1
      description "VoIP_VLAN"
      # This VLAN will also function as the VLAN of the S8300 Call Controller module
      icc-vlan
      ip address 101.11.12.1 255.255.255.224
      # This Interface will be the source IP of Media Gateway and some management protocols
      pmi
    exit
    interface Vlan 2
      description "DATA_VLAN"
      ip address 101.10.12.1 255.255.255.224
    exit
    # This interface connects to the broadband modem
    interface FastEthernet 10/2
      bandwidth 256
      # The broadband uses PPP over Ethernet encapsulation
      pppoe
      # Traffic shaping is used to emulate limited uplink BW on modem
      traffic-shape rate 256000
      # QoS queuing optimized for voice + data
      fair-voip-queue
      # Apply VPN policy on the interface.
      ip crypto-group 901
      mtu 1492
      ip address 62.56.254.17 255.255.255.252
    exit
    # Configure the GRE tunnels
    interface Tunnel 1
      # GRE keepalive
      keepalive 10 3
      tunnel source 101.11.12.1
      tunnel destination 17.13.54.192
      ip address 10.10.10.1 255.255.255.252
    exit
    # GRE tunnel 2
    interface Tunnel 2
      keepalive 10 3
      tunnel source 101.11.12.1
      tunnel destination 18.13.54.192
      ip address 20.20.20.1 255.255.255.252
    exit
    # RS232 Console Interface
    interface Console
      ip address 10.3.0.1 255.255.255.0
    exit
    # USB Interface
    interface USB-Modem
      shutdown
      ip address 10.3.0.3 255.255.255.0
    exit
    # Routing table
    ip default-gateway 10.152.12.70 1 low
    ip route 17.13.54.192 255.255.255.255 FastEthernet 10/2 1 high
    ip route 18.13.54.192 255.255.255.255 FastEthernet 10/2 1 high
    # Configure OSPF Routing (will happen over the GRE tunnels)
    router ospf
      network 10.10.10.0 0.0.0.3 area 0.0.0.0
      network 20.20.20.0 0.0.0.3 area 0.0.0.0
    exit

Figure 7 - The G350 configuration file for hub load sharing.


5.1.3 Configuration of the other elements

    interface Tunnel1
     ip address 10.10.10.2 255.255.255.252
     tunnel source 17.13.54.192
     tunnel destination 101.11.12.1
    router ospf 1
     log-adjacency-changes
     redistribute connected subnets
     network 10.10.10.0 0.0.0.255 area 0

Figure 8 - Cisco 1 configuration (relevant parts)

    interface Tunnel2
     ip address 20.20.20.2 255.255.255.252
     tunnel source 18.13.54.192
     tunnel destination 101.11.12.1
    router ospf 1
     log-adjacency-changes
     redistribute connected subnets
     network 20.20.20.0 0.0.0.255 area 0

Figure 9 - Cisco 2 configuration (relevant parts)

    encryption rule: host 17.13.54.192 host 101.11.12.1

Figure 10 - SG 1 configuration (to be done through GUI, and so on)

    encryption rule: host 18.13.54.192 host 101.11.12.1

Figure 11 - SG2 configuration (to be done through GUI, and so on)


5.2 A spoke GW that is connected to an external access router

In the following setup (Figure 12), the G350 is connected to an external access router instead of a simple bridging broadband modem as in the previous example. In this setup, the spoke is connected to a single head-end without failover. The spoke site has two internal subnets, one subnet for VoIP and another subnet for data. The central site has a single internal subnet. GRE is not active. All routes are static.

Figure 12 - A spoke GW that is connected to an external access router

    set vlan 2 name "V2"
    ip crypto-list 901
      name "list #901"
      local-address 206.1.1.10
      # Protect internal VoIP subnet
      ip-rule 1
        protect crypto map 1
        source-ip 192.100.1.0 0.0.0.255
        destination-ip 193.100.2.0 0.0.0.255
      exit
      # Protect internal data subnet
      ip-rule 2
        protect crypto map 1
        source-ip 192.100.2.0 0.0.0.255
        destination-ip 193.100.2.0 0.0.0.255
      exit
    exit
    # Use 3DES and SHA-1 for protecting traffic
    crypto ipsec transform-set ts1 esp-3des esp-sha-hmac
    exit
    # Configure IKE
    crypto isakmp policy 1
      encryption 3des
      hash sha
      group 2
      authentication pre-share
    exit
    crypto isakmp peer address 207.1.1.100
      pre-shared-key sharedSecret
      isakmp-policy 1
    exit
    # Configure VPN to head-end
    crypto map 1
      set peer 207.1.1.100
      set transform-set ts1
    exit
    # Configure Router Interfaces
    # VLAN interfaces for Voice and Data networks
    interface Vlan 1
      description "VoIP_VLAN"
      # This VLAN will also function as the VLAN of the S8300 Call Controller module
      icc-vlan
      ip address 192.100.1.1 255.255.255.0
      # This Interface will be the source IP of Media Gateway and some management protocols
      pmi
    exit
    interface Vlan 2
      description "DATA_VLAN"
      ip address 192.100.2.1 255.255.255.0
    exit
    # This interface connects to the access router
    interface FastEthernet 10/2
      bandwidth 256
      # Traffic shaping is used to emulate limited uplink BW on access router
      traffic-shape rate 256000
      # QoS queuing optimized for voice + data
      fair-voip-queue
      # Apply VPN policy on the interface
      ip crypto-group 901
      ip address 206.1.1.10 255.255.255.0
    exit
    # Routing table
    ip default-gateway 206.1.1.100 1 low

Figure 13 - G350 configuration file for a spoke GW that is connected to an external access router

VPNs
 1) G350-to-VSU5K
    VPN TYPE            : ISAKMP
    DIRECTORY NAME      : ou=VPNs,ou=Performance,dc=avaya,dc=com
    VSU Members         : VSU5000
    IP Group Members    : G350-Private-Net, VSU5000-Private-Net
    User Group Members  :
    User Members        :

VSUs
 1) VSU5000
    VSU FIRMWARE TYPE   : 3.2.34
    DIRECTORY NAME      : ou=Devices,ou=Performance,dc=avaya,dc=com
    IP Address          : 207.1.1.100
    VSU HARDWARE TYPE   : 5000
    EXPORT RESTRICTED ? : 3DES
    VSUs LOCAL TIME     : VSU Local Time
    Related IP Groups   : VSU5000-Private-Net
    Related Users       :
    Related User Groups :
    VPN memberships     : G350-to-VSU5K

IP Groups
 1) G350-Private-Net
    Network/Mask pairs or IP Range : 192.100.2.0/255.255.255.0
    Associated VSU      : Extranet device
    Distinguished Name  : cn=G350-Private-Net,ou=IPGroups,ou=Performance,dc=avaya,dc=com
 2) VSU5000-Private-Net
    Network/Mask pairs or IP Range : 193.100.2.0/255.255.255.0
    Associated VSU      : cn=VSU5000,ou=Devices,ou=Performance,dc=avaya,dc=com
    Distinguished Name  : cn=VSU5000-Private-Net,ou=IPGroups,ou=Performance,dc=avaya,dc=com

Figure 14 - Relevant VSU 5000 head-end configuration (formatted as a VPN Manager report)
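Figures 13 and 14 describe the same tunnel from its two ends, so the first thing to verify before bringing it up is that every subnet the spoke's protect rules select is contained in the IP groups the head-end holds for that VPN: a Phase 2 proposal whose selectors the peer's policy does not cover is rejected, and that subnet never gets a security association. The script below is an added example, not code from the application note or from Avaya. It parses the ip-rule blocks of the Figure 13 crypto-list and the Network/Mask pairs of the Figure 14 IP groups (both embedded as constructed input copied from the figures, and the only input formats it understands) and lists each spoke selector that the head-end groups do not cover. Run on these two excerpts it reports rule 1's source 192.100.1.0/24, the VoIP VLAN, which the G350-Private-Net group shown does not include. Figure 14 is labelled as the relevant parts only, so read that as the check to run against the complete head-end configuration rather than as a defect in the note.

```python
"""Check a G350 spoke's IPsec selectors against the head-end's IP groups.

Added example; not code from the Avaya application note.  It understands
only the command spellings of Figure 13 (G350 CLI crypto-list) and the
Network/Mask strings of Figure 14 (VPN Manager report).
"""
import ipaddress
import re

# Constructed input: the crypto-list block of Figure 13, copied verbatim.
G350_CRYPTO_LIST = """\
ip crypto-list 901
 name "list #901"
 local-address 206.1.1.10
 ip-rule 1
  protect crypto map 1
  source-ip 192.100.1.0 0.0.0.255
  destination-ip 193.100.2.0 0.0.0.255
 exit
 ip-rule 2
  protect crypto map 1
  source-ip 192.100.2.0 0.0.0.255
  destination-ip 193.100.2.0 0.0.0.255
 exit
exit
"""

# Constructed input: the IP groups of Figure 14 (Network/Mask pairs).
VSU_IP_GROUPS = {
    "G350-Private-Net": ["192.100.2.0/255.255.255.0"],
    "VSU5000-Private-Net": ["193.100.2.0/255.255.255.0"],
}

RULE_RE = re.compile(r"^\s*ip-rule\s+(\d+)\s*$")
PROTECT_RE = re.compile(r"^\s*protect\s+crypto\s+map\s+(\d+)\s*$")
SELECTOR_RE = re.compile(r"^\s*(source-ip|destination-ip)\s+(\S+)\s+(\S+)\s*$")


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """'192.100.1.0 0.0.0.255' -> 192.100.1.0/24.

    A wildcard mask is the bitwise inverse of a netmask.  A non-contiguous
    wildcard has no single-prefix equivalent and makes ipaddress raise,
    which is the right outcome for a policy comparison.
    """
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network(f"{addr}/{netmask}", strict=True)


def parse_crypto_list(text: str) -> list[dict]:
    """One dict per ip-rule: rule number, crypto map, source and destination networks."""
    rules, current = [], None
    for line in text.splitlines():
        if m := RULE_RE.match(line):
            current = {"rule": int(m.group(1)), "map": None,
                       "source-ip": None, "destination-ip": None}
            rules.append(current)
        elif current is None:
            continue  # list-level lines (name, local-address) before the first rule
        elif m := PROTECT_RE.match(line):
            current["map"] = int(m.group(1))
        elif m := SELECTOR_RE.match(line):
            current[m.group(1)] = wildcard_to_network(m.group(2), m.group(3))
    return rules


def parse_group(entries: list[str]) -> list[ipaddress.IPv4Network]:
    """VPN Manager 'network/mask' strings -> networks."""
    return [ipaddress.IPv4Network(e, strict=True) for e in entries]


def covered(net: ipaddress.IPv4Network, group: list[ipaddress.IPv4Network]) -> bool:
    return any(net.subnet_of(g) for g in group)


def check_selectors(crypto_list: str, spoke_group, headend_group) -> list[tuple[int, str, str]]:
    """(rule, side, network) for every protect selector the peer's groups do not cover.

    The spoke's source-ip must lie inside the group the head-end holds for the
    spoke and its destination-ip inside the head-end's own group.  A rule with
    no 'protect crypto map' is not part of the tunnel and is skipped; a protect
    rule missing a selector is reported as a gap.
    """
    gaps = []
    for r in parse_crypto_list(crypto_list):
        if r["map"] is None:
            continue
        for side, group in (("source-ip", spoke_group), ("destination-ip", headend_group)):
            net = r[side]
            if net is None or not covered(net, group):
                gaps.append((r["rule"], side, str(net)))
    return gaps


def check_page_excerpts() -> list[tuple[int, str, str]]:
    """Run the check on Figures 13 and 14 as printed."""
    return check_selectors(
        G350_CRYPTO_LIST,
        parse_group(VSU_IP_GROUPS["G350-Private-Net"]),
        parse_group(VSU_IP_GROUPS["VSU5000-Private-Net"]),
    )


if __name__ == "__main__":
    for rule, side, net in check_page_excerpts():
        print(f"ip-rule {rule}: {side} {net} is not covered by the head-end IP groups")
```

The comparison is containment, not equality, because an IP group may legitimately be a supernet of several spoke selectors; what must never happen is a protect selector that falls outside every group.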


6 Performance notes

6.1 Throughput

Figure 15 shows the configuration used for the throughput test.

Figure 15 - Throughput test

To produce the following performance results, two G350s were connected to each other through Fast Ethernet. A VPN tunnel was defined on this link. Traffic was sent from station_1 on the clear side of G350_1 to station_2 on the clear side of G350_2, and at the same time sent back through the tunnel from station_2 to station_1. The test was then repeated with two G250s instead of the G350s.

The full-duplex rate for traffic flowing to and from the device,

$\frac{R_{1 \to 2,\ \mathrm{encrypted}} + R_{2 \to 1,\ \mathrm{encrypted}}}{2}$,

was measured on the encrypted link (Table 18). Because the traffic is full-duplex, each device encrypts one direction while decrypting the other; the equivalent half-duplex rate assumes that decryption costs roughly as much processing as encryption, so a half-duplex (one-direction) measurement gives values about twice as high as those in the table.

Table 18 - Full-duplex IPSec VPN encryption and decryption rates

Full-Duplex Rate (Mbps), with SHA-1 HMAC

DUT         Packet size   Clear traffic   TDES     DES      AES-128   AES-192   AES-256
            (bytes)       (reference)
G350           64            11.23         3.41     3.59      3.41      3.36      3.12
G350          300            52.64         5.49     7.14      6.87      6.32      6.59
G350         1400            93.46         6.68    13.37     12.81     11.70     11.14
G250           64             3.81         2.03     1.99      1.99      1.94      1.80
G250          300            17.85         5.77     5.77      5.77      5.63      5.22
G250         1400            81.71        18.94    18.94     18.94     18.38     17.82
G250 FIPS      64             3.81         1.42     1.42      1.47      1.32      1.23
G250 FIPS     300            17.85         2.88     3.30      3.57      3.30      3.43
G250 FIPS    1400            81.71         4.46     8.35      8.91      7.24      7.80


6.2 Delay

Figure 16 shows the configuration used for the delay test.

Figure 16 - G350 Delay Measurements

To produce the following performance results, two G350s were connected to each other through a T1 interface that used 23 time slots of 64 Kbps, for a total of 1.472 Mbps. A VPN tunnel was defined on this link. A traffic generator/tester was connected to the two devices, sending clear traffic to device 1 and receiving clear traffic back from device 2. The following two flows were generated at the same time:

• A 5000-packet flow that mimicked data packets (clear: size 300 B, rate 125 PPS = 293 Kbps; 352 Kbps encrypted)

• A 5000-packet flow that mimicked VoIP packets (clear: size 78 B, rate 500 PPS = 305 Kbps; 539 Kbps encrypted)

Fair VoIP queuing was activated on the devices, mapping VoIP to a priority queue, and data to a WFQ.

The Traffic Generator provided delay and packet loss measurements for the VoIP Queue. Table 19 lists the results for tests with and without VPN encryption. The table shows the minimum, the maximum, and the average delay, and the packet loss. The table also contains a computation of the serialization delay, which is the time that is required to transmit a simulated VoIP packet on the 1.472 Mbps WAN link, and the estimated average delay contributed by the devices. For VoIP traffic, the average delay added by the two devices is 2 ms or less. IPSec processing (encryption in device 1 + decryption in device 2) adds about 0.4 ms to the average delay experienced by VoIP traffic.


Table 19 - Delay measured on simulated VoIP traffic for G350s

Test             Min. delay   Max. delay   Avg. delay   Packet   Serialization   Avg. delay,
                 (ms)         (ms)         (ms)         loss     delay (ms)      devices only (ms)
VPN turned OFF   1            3.3          2            0        0.4             1.6
3DES             1.3          4.9          2.4          0        0.8             2
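Two of the numbers behind Table 19 are easy to recompute and worth recomputing for any link you plan to run voice over: how much ESP in tunnel mode grows each packet, and how long the grown packet takes to serialize on the 1.472 Mbps T1. The script below is an added example, not code from the application note. It models the transform-set ts1 of Figure 13 (ESP with 3DES-CBC, an 8-byte IV and 8-byte block, and HMAC-SHA-1-96 with a 12-byte ICV) in tunnel mode behind a plain 20-byte outer IPv4 header, and ignores WAN framing. It reproduces the clear-traffic rates of 293 and 305 Kbps (with 1 Kbps = 1024 bit/s, as those figures imply) and the 0.4 ms clear serialization delay; its encrypted sizes, 352 bytes for the 300-byte data packet and 128 bytes for the 78-byte VoIP packet, sit a little below the 352 and 539 Kbps and the 0.8 ms the note measured, because the measured figures include link-layer framing. The AES parameter set is an assumption added for comparison only; the delay test used 3DES.

```python
"""ESP tunnel-mode overhead and serialization delay for the section 6.2 delay test.

Added example; not code from the Avaya application note.  Models the
transform-set of Figure 13 (ESP with 3DES-CBC and HMAC-SHA-1-96) in tunnel
mode with a 20-byte outer IPv4 header and no link-layer framing.
"""
from dataclasses import dataclass

OUTER_IPV4 = 20    # outer IP header added in tunnel mode (no options)
ESP_HEADER = 8     # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)


@dataclass(frozen=True)
class EspParams:
    iv_len: int     # CBC IV: 8 for DES/3DES, 16 for AES
    block_len: int  # cipher block: 8 for DES/3DES, 16 for AES
    icv_len: int    # 12 for HMAC-SHA-1-96 (the note's esp-sha-hmac)


THREE_DES_SHA1 = EspParams(iv_len=8, block_len=8, icv_len=12)   # transform-set ts1
AES_SHA1 = EspParams(iv_len=16, block_len=16, icv_len=12)       # assumed, for comparison

T1_23_SLOTS_BPS = 23 * 64_000   # the 1.472 Mbps link of the delay test

# The two flows of the delay test: data (300 B at 125 pps) and VoIP (78 B at 500 pps).
DELAY_TEST_FLOWS = ((300, 125), (78, 500))


def esp_tunnel_size(inner_ip_len: int, p: EspParams = THREE_DES_SHA1) -> int:
    """Bytes on the wire for one inner IP packet of inner_ip_len bytes."""
    # ESP padding (RFC 2406): inner packet plus trailer rounded up to a whole cipher block.
    pad = (-(inner_ip_len + ESP_TRAILER)) % p.block_len
    return OUTER_IPV4 + ESP_HEADER + p.iv_len + inner_ip_len + pad + ESP_TRAILER + p.icv_len


def expansion(inner_ip_len: int, p: EspParams = THREE_DES_SHA1) -> float:
    """Wire bytes per clear byte; the fixed overhead hits small VoIP packets hardest."""
    return esp_tunnel_size(inner_ip_len, p) / inner_ip_len


def rate_kbps(pkt_len: int, pps: int) -> float:
    """Bit rate in Kbps with 1 Kbps = 1024 bit/s (300 B x 125 pps -> the note's 293 Kbps)."""
    return pkt_len * 8 * pps / 1024


def serialization_delay_ms(pkt_len: int, link_bps: int) -> float:
    """Time to clock one packet onto the link; independent of the crypto cost."""
    return pkt_len * 8 / link_bps * 1000


def link_load(flows, link_bps: int, p: EspParams = THREE_DES_SHA1):
    """flows: (clear_len, pps) pairs.  Returns (clear bit/s, encrypted bit/s, link fraction)."""
    clear = sum(n * 8 * pps for n, pps in flows)
    enc = sum(esp_tunnel_size(n, p) * 8 * pps for n, pps in flows)
    return clear, enc, enc / link_bps


if __name__ == "__main__":
    for n, pps in DELAY_TEST_FLOWS:
        wire = esp_tunnel_size(n)
        print(f"{n:>4} B clear -> {wire:>4} B ESP ({expansion(n):.2f}x), "
              f"{rate_kbps(n, pps):.0f} -> {rate_kbps(wire, pps):.0f} Kbps, "
              f"serialization {serialization_delay_ms(n, T1_23_SLOTS_BPS):.2f} -> "
              f"{serialization_delay_ms(wire, T1_23_SLOTS_BPS):.2f} ms")
    clear, enc, frac = link_load(DELAY_TEST_FLOWS, T1_23_SLOTS_BPS)
    print(f"link: {clear} -> {enc} bit/s encrypted, {frac:.0%} of the T1")
```

The point the model makes explicit is that the VoIP packet grows by about 64 percent while the data packet grows by about 17 percent, and that the combined encrypted load of the two flows takes close to 60 percent of the T1 before any crypto processing time is counted; the same per-packet overhead is what drags the 64-byte rows of Table 18 so far below the 1400-byte rows.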
