
Avaya Solution & Interoperability Test Lab

IPSec Virtual Private Network (VPN) between an Avaya G350 Media Gateway and a Cisco PIX 525 Firewall - Issue 1.0

Abstract

These Application Notes provide a sample configuration with steps to configure an IPSec Virtual Private Network (VPN) between an Avaya G350 Media Gateway and a Cisco PIX 525 Firewall. The G350 Media Gateway is controlled by Avaya S8700 Media Servers with a G350 Media Gateway. The G350 Media Gateway is equipped with a Local Survivable Processor (LSP) in the event that communication with the Avaya S8700 Media Servers is lost. The sample configuration uses the newer Advanced Encryption Standard with 128-bit key (AES-128) encryption for optimized performance and Perfect Forward Secrecy (PFS) for added protection. The product house requested that these Application Notes be written and published to help Avaya customers deploy G350 IPSec VPNs in the field.

GAK; Reviewed: SPOC 3/10/2005

Solution & Interoperability Test Lab Application Notes ©2005 Avaya Inc. All Rights Reserved.

1 of 46 g350pixvpn.doc


Table of Contents

1. INTRODUCTION ... 3
2. EQUIPMENT AND SOFTWARE VALIDATED ... 6
3. CONFIGURE THE AVAYA G350 MEDIA GATEWAY ... 6
   3.1. G350 MEDIA GATEWAY VOIP ADMINISTRATION ... 6
   3.2. BASIC SWITCH ADMINISTRATION ... 7
   3.3. LAYER 3 ROUTING ADMINISTRATION ... 9
   3.4. QUALITY OF SERVICE (QOS) ADMINISTRATION TASKS ... 11
   3.5. VIRTUAL PRIVATE NETWORK (VPN) ADMINISTRATION TASKS ... 14
4. CONFIGURE THE CISCO 3640 ROUTER ... 19
5. CONFIGURE THE CISCO PIX 525 FIREWALL ... 21
6. CONFIGURE THE P580 SWITCH ... 22
7. CONFIGURE THE LOCAL SURVIVABLE PROCESSOR (LSP) ... 24
8. CONFIGURE AVAYA COMMUNICATION MANAGER ... 27
9. VERIFICATION STEPS ... 31
   9.1. VERIFY CISCO PIX 525 FIREWALL INTERFACES AND ROUTING ... 31
   9.2. VERIFY G350 MEDIA GATEWAY INTERFACES AND ROUTING ... 32
   9.3. VERIFY CISCO PIX VPN POLICIES ... 34
   9.4. VERIFY G350 MEDIA GATEWAY VPN POLICIES ... 34
   9.5. VERIFY IKE NEGOTIATIONS USING CISCO PIX 525 DEBUG TRACES ... 36
   9.6. VERIFY IKE NEGOTIATIONS USING G350 GATEWAY SYSLOG ... 38
   9.7. VERIFY SECURITY ASSOCIATIONS (SAS) ON THE CISCO PIX FIREWALL ... 39
   9.8. VERIFY SECURITY ASSOCIATIONS (SAS) ON THE G350 GATEWAY ... 40
   9.9. VERIFY G350 MEDIA GATEWAY CALL CONTROLLER/REGISTRATION STATUS ... 42
   9.10. PLACE TEST CALLS ... 42
10. VPN TROUBLESHOOTING TIPS ... 43
   10.1. HOW TO CLEAR ALL G350 GATEWAY (PHASE 2) IPSEC SAS ... 43
   10.2. HOW TO CLEAR ALL G350 (PHASE 1) ISAKMP SAS ... 43
11. TERMINOLOGY ... 44
12. CONCLUSION ... 44
13. ADDITIONAL REFERENCES ... 45


1. Introduction

These Application Notes describe a site-to-site IPSec Virtual Private Network (VPN) between an Avaya G350 Media Gateway and a Cisco PIX 525 Firewall (Figure 1). IPSec is used to provide interoperable, cryptographically based security for IPv4 voice and data traffic flows between designated subnetworks and/or hosts. It can be used to provide access control, origin authentication, data confidentiality and replay attack protection for Avaya IP Telephony.

A VPN replay attack, also known as a “brute force attack”, occurs when a hacker attempts to exploit the mathematical rules used to encrypt a message. The hacker tries to test all possible key values that may have been used to secure a message, and then decrypts it if the key is discovered. These Application Notes demonstrate the use of certain features that help mitigate this vulnerability.

The sample configuration uses IPSec to secure communications between Avaya IP Telephones, IP Softphones, S8700 Media Servers, G650 Media Gateway, and a G350 Media Gateway. The sample configuration uses the Internet Key Exchange (IKE) protocol to establish a secure Internet Security Association and Key Management Protocol (ISAKMP) control channel between the two peers: the G350 Media Gateway and the Cisco PIX 525. ISAKMP is used to add, modify and remove IPSec Security Associations (SAs), and it periodically updates encryption keys in a secure manner to avoid brute force attacks.

IKE establishes an ISAKMP Security Association (SA) by negotiating proposals in an exchange known as Main Mode (commonly called Phase 1). In order to successfully establish an ISAKMP SA, both peers must agree to a common set of security attributes contained within a Phase 1 proposal. The following ISAKMP security attributes were administered on both peers in the sample configuration:

ISAKMP (Phase 1) proposal:

   Encryption Algorithm: 3DES
   Hash Algorithm: SHA
   Diffie-Hellman Group: 2
   Lifetime (seconds): 86400

For detailed information on these attributes, including how they are exchanged and used, please see the additional references section of these Application Notes. The applicable RFC standards available from the Internet Engineering Task Force (IETF) are listed for your convenience.

Once an ISAKMP SA is established, both peers can negotiate the IPSec security attributes necessary to establish IPSec SAs. The IKE protocol does this in a second proposal exchange known as Quick Mode (commonly called Phase 2). The following IPSec security attributes were administered on both peers in the sample configuration:

IPSec (Phase 2) proposal:

   Encryption Algorithm: AES-ESP
   Hash Algorithm: HMAC-SHA-ESP
   Security Association Lifetime (seconds): 3600
   Perfect Forward Secrecy: Enabled
   Diffie-Hellman Group: 2

The IP Encapsulating Security Payload (ESP) protocol is used to secure voice and data traffic in the sample configuration, because of the added confidentiality protection provided (i.e. the data payload is completely encrypted). The alternative protocol, IP Authentication Header (AH), only provides origin and replay protection. The data payload is not encrypted, making voice packets more vulnerable to potential interception and playback.

The sample configuration uses the Advanced Encryption Standard with 128-bit key (AES-128) to protect voice and data communications between the branch office and headquarters. The AES standard was selected because of its higher throughput performance and reduced latency when compared with older encryption standards (e.g. 3DES).

Perfect Forward Secrecy (PFS) was enabled on the VPN in order to strengthen the tunnel against brute force attacks. The PFS feature provides additional security protection by deriving secret keys from a Diffie-Hellman shared secret value. This is advantageous because if one key is compromised on a given tunnel, all previous and subsequent keys remain secure, because they are no longer derived from previous keys. Please see the reference section of these Application Notes for detailed information on the Phase 2 security attributes used.

During periods of congestion in the Wide Area Network (WAN) it is possible that IPSec packets are queued such that they arrive at the G350 Media Gateway out of sequence. For devices that support a very small anti-replay window, the end result would be dropped ESP packets and the loss of all data contained within them. To counteract this problem, the Avaya G350 Media Gateway implements a large 1K anti-replay window in order to sustain data forwarding and avoid potential data loss even when IPSec packets arrive severely out of sequence.

A single Frame Relay Permanent Virtual Circuit (PVC) was selected to carry encrypted voice and data traffic through the WAN. This may also be accomplished by using two PVCs: one dedicated to voice, one dedicated to data. The sample configuration uses the single PVC as a reduced cost alternative. Although an Internet Service Provider (ISP) typically dedicates PVCs to a customer, this may not prevent access by an unauthorized person. Additional security measures are often required in certain configurations. This is especially true for investment banking and government solutions.

Network designers and implementers should carefully review bandwidth requirements when deploying Virtual Private Networks, especially on asymmetrical connections like cable modems (e.g., uplink 2 Mbps, downlink 128 Kbps). IPSec encrypted voice calls consume more bandwidth than unencrypted calls, because of the added IPSec header length and payload padding required by the ESP protocol.

Dynamic Host Configuration Protocol (DHCP) or static IP addressing may be used to assign networking parameters to Avaya IP Telephones in the sample configuration. Static IP addressing was chosen to keep the example simple.
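The anti-replay behaviour described above, as an added example that is not part of the application notes: a bitmap sliding window over ESP sequence numbers in the style of RFC 2401 Appendix C, fed with a constructed, severely reordered arrival order, comparing a minimal 64-packet window with the 1K (1024-packet) window the text attributes to the G350. The window sizes, the arrival pattern and the class names are assumptions for illustration.

```python
# Added example (not from the Avaya application notes): a bitmap sliding window
# for ESP sequence numbers (RFC 2401 Appendix C style). The window size is a
# parameter so a minimal 64-packet window can be compared with a 1024-packet one.


class AntiReplayWindow:
    """Tracks which ESP sequence numbers were seen within the last `size` numbers."""

    def __init__(self, size: int) -> None:
        self.size = size
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0     # bit i set means sequence number (top - i) was received

    def check_and_update(self, seq: int) -> bool:
        """Return True (and record seq) if the packet is accepted, False if dropped."""
        if seq == 0:
            return False                    # ESP never uses sequence number 0
        if seq > self.top:
            # Newer than anything seen so far: slide the window forward.
            shift = seq - self.top
            if shift < self.size:
                self.bitmap = (self.bitmap << shift) | 1
            else:
                self.bitmap = 1             # everything previously seen falls out
            self.bitmap &= (1 << self.size) - 1
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:
            return False                    # older than the window: dropped as too late
        if self.bitmap & (1 << diff):
            return False                    # already seen: replay, dropped
        self.bitmap |= 1 << diff            # late but inside the window: accepted
        return True


def simulate(arrival_order, window_size: int):
    """Feed sequence numbers in arrival order; return (accepted, dropped) lists."""
    win = AntiReplayWindow(window_size)
    accepted, dropped = [], []
    for seq in arrival_order:
        (accepted if win.check_and_update(seq) else dropped).append(seq)
    return accepted, dropped


def congested_arrival(n_packets: int, burst_delay: int):
    """Constructed arrival pattern: the first `burst_delay` packets are queued in
    the WAN and arrive only after all later packets (severe reordering)."""
    seqs = list(range(1, n_packets + 1))
    return seqs[burst_delay:] + seqs[:burst_delay]


if __name__ == "__main__":
    order = congested_arrival(300, 200)
    for size in (64, 1024):
        acc, drop = simulate(order, size)
        print(f"window {size:4d}: accepted {len(acc):3d}, dropped {len(drop):3d}")
```

With the 64-packet window the delayed burst of 200 packets is discarded outright, while the 1024-packet window accepts all 300; a genuine duplicate is rejected in both cases.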

Figure 1: Site-to-Site VPN over Frame Relay

The figure shows the lab topology: an IPSec tunnel between the Avaya G350 Media Gateway (branch office) and the Cisco PIX 525 Firewall (headquarters) across a Frame Relay WAN on DLCI 101, via the Cisco 3640 Router. Its labels give the following addressing:

Headquarters (IP Network Region 1)
   Avaya S8700 Media Server #1 - untagged VLAN 101, 192.168.101.2 /24 (Virtual IP .4)
   Avaya S8700 Media Server #2 - untagged VLAN 101, 192.168.101.3 /24 (Virtual IP .4)
   Avaya G650 Media Gateway - untagged VLAN 101; IPSI 192.168.101.5 /24, C-LAN 192.168.101.6 /24, MEDPRO 192.168.101.7 /24
   Avaya 4620SW IP Telephones - tagged VLAN 101, 192.168.101.8 /24 and 192.168.101.9 /24
   Data Application Server - untagged VLAN 100, 192.168.100.2 /24
   Avaya P580 MultiService Switch - VLAN 101 (voice) 192.168.101.1 /24, VLAN 100 (data) 192.168.100.0 /24, VLAN 135 100.100.100.1 /24
   Cisco PIX 525 Firewall - untagged VLAN 135; Inside 100.100.100.2 /24, Outside 1.1.1.2 /30
   Cisco 3640 Router - FE1/0 1.1.1.1 /30, S0/0 110.110.110.1 /30

Branch Office (IP Network Region 2)
   Avaya G350 Media Gateway - Serial 2/1:1.1 110.110.110.2 /30, VLAN 10 192.168.10.1 /24, VLAN 21 172.21.0.1 /16
   Avaya 4620SW IP Telephone - tagged VLAN 10, 192.168.10.3 /24
   Data Application Client - untagged VLAN 21, 172.21.0.2 /16
   Avaya IP Softphone Client - untagged VLAN 21, 172.21.0.3 /16


2. Equipment and Software Validated

Please reference Table 1 below to review the equipment and software validated:

Equipment                                           Software
Avaya S8300B Media Server                           R012x.01.0.411.7 (2.1)
Avaya S8700 Media Servers with G650 Media Gateway   R012x.01.0.411.7 (2.1)
Avaya G350 Media Gateway                            23.10.0
Avaya P580 MultiService Switch                      v6.0
Avaya 4620SW IP Telephones                          2.0
Cisco 3640 Router                                   12.2(24)
Cisco PIX 525 Firewall                              6.3(4)

Table 1: Equipment and Software Validated

3. Configure the Avaya G350 Media Gateway

The following steps use the command line interface (CLI) of the Avaya G350 Media Gateway to configure it as shown in Figure 1. Several commands are described using their default values for reference purposes. These steps assume a factory default configuration prior to execution. This section illustrates the following configuration tasks:

• G350 Media Gateway Voice over IP (VoIP) Administration
• Basic Switch Administration
• Advanced Layer 3 Routing Administration
• Quality of Service (QoS) Administration
• Virtual Private Network (VPN) Administration

3.1. G350 Media Gateway VoIP Administration

1. Start a terminal session to the Avaya G350 Media Gateway console port.

   Bits per second: 9600
   Data bits: 8
   Parity: None
   Stop bits: 1
   Flow control: None

2. Log in using a valid login ID and password.

3. Configure a hostname for ease of identification (optional).

   G350-???(super)# hostname BR

4. Configure separate Virtual LANs for voice and data.

   BR-???(super)# set vlan 10 name voice10
   BR-???(super)# set vlan 21 name data21

Note: The question marks will be replaced once the Media Gateway is registered.


5. Configure the Primary Management Interface (PMI) and ICC-VLAN.

The Avaya G350 Media Gateway uses a single IP address for H.248 signaling and voice processing known as the PMI. When the G350 Media Gateway is equipped with an S8300 Media Server, the two are connected through an internal switch. The icc-vlan command specifies the VLAN interface used for communication between the S8300 Media Server ICC/LSP and the G350 Media Gateway. The icc-vlan interface and S8300 Media Server must reside on the same subnet for proper operation.

   BR-???(super)# interface vlan 10
   BR-???(super-if:Vlan 10)# ip address 192.168.10.1 255.255.255.0
   BR-???(super-if:Vlan 10)# pmi
   BR-???(super-if:Vlan 10)# icc-vlan
   BR-???(super-if:Vlan 10)# exit

6. Configure the Media Gateway Controller list.

The Avaya G350 Media Gateway maintains a statically provisioned list of controllers. Two IP addresses are configured for the sample configuration. The first IP address 192.168.101.6 is the C-LAN on the Avaya G650 Media Gateway. The second IP address 192.168.10.2 is the Avaya S8300B Media Server LSP. If the G350 fails to register with the C-LAN it will register with its local processor.

   BR-???(super)# set mgc list 192.168.101.6,192.168.10.2

3.2. Basic Switch Administration

1. Configure a port for PC only connectivity.

Do not enable 802.1Q tagging on ports connected to PCs. Ports should only be configured as trunks if an Avaya IP Telephone resides between the switch port and the PC.

   BR-001(super)# set port vlan 21 6/2


2. Configure a port for an Avaya IP Telephone with attached PC.

There are two ways to provision a switch port to support an Avaya IP Telephone. If maximum configuration flexibility is desired, the port should be configured as an access link, but this comes with increased security risk.

   BR-001(super)# set port vlan 21 6/1
   BR-001(super)# set trunk 6/1 off
   BR-001(super)# set port vlan-binding-mode 6/1 static
   BR-001(super)# set port static-vlan 6/1 10

If the Administrator follows the steps defined above, the switch port will support either a directly attached PC or an Avaya IP Telephone with an inline attached PC. Configuring the port in this manner causes all data communications from the Avaya IP Telephone, attached PC and networking segments to be transmitted and received untagged. The port data VLAN 21 will transmit and receive untagged frames from the attached PC. The statically bound voice VLAN 10 will also transmit and receive untagged frames. MAC addressing differentiates unicast traffic on the two segments, but broadcasts from each segment cross over to the other. This is a practical procedure for pre-staging configurations, but it opens ARP security vulnerabilities, because broadcast transmissions from the data segment are now also propagated on the voice segment. The attached PC will be able to receive packets from the voice segment. A hacker residing on the attached PC may access the voice network by simply changing to an IP address on the voice segment.

If security is paramount, with a sacrifice in configuration flexibility, the switch port should always be configured as an 802.1Q trunk.

   BR-001(super)# set port vlan 21 6/1
   BR-001(super)# set trunk 6/1 dot1q
   BR-001(super)# set port vlan-binding-mode 6/1 static
   BR-001(super)# set port static-vlan 6/1 10

Please be advised that this step must only be implemented on ports that have both an Avaya IP Telephone and an inline attached PC. Do not use this step to pre-stage a PC only port for a future IP Telephone deployment. The switch port will transmit “data” VLAN 21 frames with a tag and will receive untagged frames and tagged frames for VLAN 21. It will only transmit and receive tagged “voice” VLAN 10 frames. In this scenario the Avaya IP Telephone is responsible for stripping the “data” VLAN 21 tag before transmitting the frame to the attached PC. This configuration provides maximum security and complete broadcast segmentation, but this switch port cannot support a directly attached PC without an Avaya IP Telephone inline. Select the port configuration carefully.

3. Configure the data network router interface.

   BR-001(super)# interface vlan 21
   BR-001(super-if:Vlan 21)# ip address 172.21.0.1 255.255.0.0
   BR-001(super-if:Vlan 21)# exit


3.3. Layer 3 Routing Administration

The sample configuration uses an MM340 WAN access module to provide frame relay connectivity.

1. Configure the MM340 DS1 controller.

   BR-001(super)# controller t1 2/1
   BR-001(super-controller:2/1)# description "Branch T1 Controller"
   BR-001(super-controller:2/1)# framing esf
   BR-001(super-controller:2/1)# linecode b8zs
   BR-001(super-controller:2/1)# clock source line
   BR-001(super-controller:2/1)# channel-group 1 timeslots 1-24 speed 64
   BR-001(super-controller:2/1)# exit

2. Configure the MM340 serial interface.

   BR-001(super)# interface serial 2/1:1
   BR-001(super-if:Serial 2/1:1)# encapsulation frame-relay ietf
   BR-001(super-if:Serial 2/1:1)# bandwidth 1536000
   BR-001(super-if:Serial 2/1:1)# idle-character flags
   BR-001(super-if:Serial 2/1:1)# exit

3. (Optional) Configure an inbound access control list (ACL) to permit trusted traffic only.

Access control lists should be implemented on all public-facing interfaces in order to limit external access into protected subnetworks. The sample configuration will work with or without the inbound ACL in place.

Access list rule descriptions:

Rule 1 - Allow ICMP messages from any source to reach the G350 Media Gateway local address for Path MTU Discovery (PMTUD).
Rule 2 - Permit IKE protocol (UDP port 500) message exchanges from any peer to the G350 Media Gateway local address. Administrators may choose to limit IKE to specific peers only.
Rule 3 - Permit ESP protocol (IANA protocol 50) traffic from any peer to the G350 Media Gateway local address. Administrators may choose to limit ESP traffic to specific peers only.
Rule 4 - Permit any traffic between trusted voice networks (post decryption).
Rule 5 - Permit any traffic between trusted data networks (post decryption).
Rule 6 - Permit any traffic between trusted voice and data networks for Avaya IP Softphone client connectivity (post decryption). Administrators may choose to limit traffic between the voice and data network segments further by only allowing required protocols and ports.
Rule Default - Deny any other traffic flows which do not match the ACL criteria.


   BR-001(super)# ip access-control-list 301
   BR-001(super-ACL 301)# name "Permit VPN Traffic Only"
   BR-001(super-ACL 301)# ip-rule 1
   BR-001(super-ACL 301/ip rule 1)# ip-protocol icmp
   BR-001(super-ACL 301/ip rule 1)# source-ip any
   BR-001(super-ACL 301/ip rule 1)# destination-ip host 110.110.110.2
   BR-001(super-ACL 301/ip rule 1)# exit
   BR-001(super-ACL 301)# ip-rule 2
   BR-001(super-ACL 301/ip rule 2)# ip-protocol udp
   BR-001(super-ACL 301/ip rule 2)# udp destination-port eq ike
   BR-001(super-ACL 301/ip rule 2)# source-ip any
   BR-001(super-ACL 301/ip rule 2)# destination-ip host 110.110.110.2
   BR-001(super-ACL 301/ip rule 2)# exit
   BR-001(super-ACL 301)# ip-rule 3
   BR-001(super-ACL 301/ip rule 3)# ip-protocol esp
   BR-001(super-ACL 301/ip rule 3)# source-ip any
   BR-001(super-ACL 301/ip rule 3)# destination-ip host 110.110.110.2
   BR-001(super-ACL 301/ip rule 3)# exit
   BR-001(super-ACL 301)# ip-rule 4
   BR-001(super-ACL 301/ip rule 4)# source-ip 192.168.101.0 0.0.0.255
   BR-001(super-ACL 301/ip rule 4)# destination-ip 192.168.10.0 0.0.0.255
   BR-001(super-ACL 301/ip rule 4)# exit
   BR-001(super-ACL 301)# ip-rule 5
   BR-001(super-ACL 301/ip rule 5)# source-ip 192.168.100.0 0.0.0.255
   BR-001(super-ACL 301/ip rule 5)# destination-ip 172.21.0.0 0.0.255.255
   BR-001(super-ACL 301/ip rule 5)# exit
   BR-001(super-ACL 301)# ip-rule 6
   BR-001(super-ACL 301/ip rule 6)# source-ip 192.168.101.0 0.0.0.255
   BR-001(super-ACL 301/ip rule 6)# destination-ip 172.21.0.0 0.0.255.255
   BR-001(super-ACL 301/ip rule 6)# exit
   BR-001(super-ACL 301)# ip-rule default
   BR-001(super-ACL 301/ip default)# composite-operation deny
   BR-001(super-ACL 301/ip default)# exit
   BR-001(super-ACL 301)# exit
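To check what the inbound list above actually lets through before it is applied to the public-facing interface, here is an added example (not the G350's own code) that models ACL 301 with Cisco-style wildcard masks and first-match, top-down evaluation ending in the default deny. The first-match semantics, the packet dictionary format and the constructed sample packets (198.51.100.7 stands in for an untrusted Internet host; the other addresses come from Figure 1) are assumptions.

```python
# Added example (not from the application notes): evaluator for inbound ACL 301.
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

IKE_UDP_PORT = 500                          # "udp destination-port eq ike"
ANY = ("0.0.0.0", "255.255.255.255")        # "source-ip any"
GW_SERIAL = ("110.110.110.2", "0.0.0.0")    # "destination-ip host 110.110.110.2"
HQ_VOICE = ("192.168.101.0", "0.0.0.255")
HQ_DATA = ("192.168.100.0", "0.0.0.255")
BR_VOICE = ("192.168.10.0", "0.0.0.255")
BR_DATA = ("172.21.0.0", "0.0.255.255")


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco-style wildcard mask: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass
class Rule:
    number: str
    protocol: Optional[str]          # "icmp", "udp", "esp", or None for any IP protocol
    src: Tuple[str, str]             # (base address, wildcard mask)
    dst: Tuple[str, str]
    dport: Optional[int] = None      # destination port for udp/tcp rules, None for any
    action: str = "permit"

    def matches(self, pkt: dict) -> bool:
        if self.protocol is not None and pkt["proto"] != self.protocol:
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        return (wildcard_match(pkt["src"], *self.src)
                and wildcard_match(pkt["dst"], *self.dst))


# Mirrors ip-rule 1..6 of ACL 301; anything else falls through to the default deny.
ACL_301 = [
    Rule("1", "icmp", ANY, GW_SERIAL),                      # PMTUD to the gateway
    Rule("2", "udp", ANY, GW_SERIAL, dport=IKE_UDP_PORT),   # IKE from any peer
    Rule("3", "esp", ANY, GW_SERIAL),                       # ESP from any peer
    Rule("4", None, HQ_VOICE, BR_VOICE),                    # voice -> voice (post decryption)
    Rule("5", None, HQ_DATA, BR_DATA),                      # data -> data (post decryption)
    Rule("6", None, HQ_VOICE, BR_DATA),                     # voice -> data, IP Softphone clients
]


def evaluate(pkt: dict) -> Tuple[str, str]:
    """First-match evaluation (assumed); returns (action, rule number)."""
    for rule in ACL_301:
        if rule.matches(pkt):
            return rule.action, rule.number
    return "deny", "default"


# Constructed sample packets as seen on Serial 2/1:1.1 (outer, pre-decryption) or
# after decryption (inner). 198.51.100.7 is a documentation-range stand-in host.
SAMPLE_PACKETS = {
    "ike_from_pix":       {"proto": "udp", "src": "1.1.1.2", "dst": "110.110.110.2", "dport": 500},
    "esp_from_pix":       {"proto": "esp", "src": "1.1.1.2", "dst": "110.110.110.2"},
    "nat_t_from_pix":     {"proto": "udp", "src": "1.1.1.2", "dst": "110.110.110.2", "dport": 4500},
    "untrusted_to_phone": {"proto": "tcp", "src": "198.51.100.7", "dst": "192.168.10.3", "dport": 23},
    "medpro_to_phone":    {"proto": "udp", "src": "192.168.101.7", "dst": "192.168.10.3", "dport": 2048},
    "server_to_client":   {"proto": "tcp", "src": "192.168.100.2", "dst": "172.21.0.2", "dport": 80},
    "clan_to_softphone":  {"proto": "tcp", "src": "192.168.101.6", "dst": "172.21.0.3", "dport": 1720},
}

if __name__ == "__main__":
    for name, pkt in SAMPLE_PACKETS.items():
        action, rule = evaluate(pkt)
        print(f"{name:20s} -> {action} (rule {rule})")
```

Note that UDP 4500 (NAT-T) is not in the list, so a peer behind NAT would be denied by the default rule unless a rule is added for it.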

4. Assign IP address, Frame Relay DLCI and ACL to the MM340 serial sub-interface.

Assigning an inbound Access Control List (ACL) on the public facing interface is optional.

   BR-001(super)# interface serial 2/1:1.1 point-to-point
   BR-001(super-if:Serial 2/1:1.1)# description "Connects to Router (RT)"
   BR-001(super-if:Serial 2/1:1.1)# ip address 110.110.110.2 255.255.255.252
   BR-001(super-if:Serial 2/1:1.1)# ip access-group 301 in
   BR-001(super-if:Serial 2/1:1.1)# frame-relay interface-dlci 101
   BR-001(super-if:Serial 2/1:1.1)# exit


5. Configure a default static route destined for the router peer opposite the PVC.

The G350 Media Gateway will fail to establish a VPN with the Cisco PIX without the necessary routing information. The gateway must have either a default route through which all traffic is sent in order to reach its remote peer, or individually defined static routes.

   BR-001(super)# ip route 0.0.0.0 0.0.0.0 110.110.110.1

3.4. Quality of Service (QoS) Administration Tasks

1. Enable Frame Relay traffic shaping and configure the serial interface for VoIP mode.

The G350 Media Gateway serial interface has four transmit (Tx) queues, which are used to classify and forward packets based on strict-priority scheduling. By default, the serial interface operates in Data mode, which is not intended for use with voice applications. In Data mode, all four Tx queues are sized according to interface bandwidth and Maximum Transmission Unit (MTU). As a result, the default queue sizes for Data mode allow for up to a two second delay. The possibility of excessive delay during periods of congestion makes Data mode a poor choice for VoIP implementations.

The Avaya G350 Media Gateway serial interface should be configured for VoIP mode when it is used for voice and data traffic simultaneously. VoIP mode is implemented by using the voip-queue command under the serial interface context. When the serial interface operates in VoIP mode, it gives precedence to VoIP traffic in the highest transmit (Tx) queue, while continuing to use strict-priority scheduling to classify data into the three remaining lower queues. VoIP mode works well for voice traffic because it is designed to distinguish between VoIP Control and VoIP Bearer traffic within the high Tx queue and minimizes bearer traffic delay.

   BR-001(super)# interface serial 2/1:1
   BR-001(super-if:Serial 2/1:1)# frame-relay traffic-shaping
   BR-001(super-if:Serial 2/1:1)# voip-queue
   BR-001(super-if:Serial 2/1:1)# exit


2. Use the default IP QoS-List 400 to classify voice and data traffic on all interfaces.

To review the default qos-list policies enforced by the G350 Media Gateway, use the show ip qos-list command. The G350 uses the Trust-DSCP-CoS operation to compare the (Layer 2) 802.1P priority of a frame with the encapsulated (Layer 3) DSCP value. Forwarding priority is determined by the greater of the two. The default QoS list classifies DSCP 34 as VoIP Control and DSCP 46 as VoIP Bearer. These values are consistent with Avaya Communication Manager IP Network Region defaults. When the default ip qos-list is applied on a serial interface configured for VoIP mode, DSCP priorities 34 and 46 are forwarded by the highest transmit (Tx) queue, known as the VoIP queue. VoIP Control and VoIP Bearer are serviced in round-robin fashion. The VoIP Bearer buffer is 25% of the size of the VoIP Control buffer to minimize bearer traffic delay. By default, the VoIP queue is optimized for the G.729 codec with 20 milliseconds of delay. The VoIP queue can be modified to support a different codec and/or delay size. Please refer to the Avaya G350 Media Gateway Administration Guide for details on changing the VoIP queue parameters.

   BR-001(super)# show ip qos-list 400
   Index Name                            Owner
   ----- ------------------------------- --------------------------
   400   Default QoS List                other

   Pre-classification : trust-cos-dscp

   Index Protocol IP  Wildcard         Port            Operation      DSCP
   ----- -------- --- ---------------- --------------- -------------- --------------
   Deflt Any      Src Any              Any             Trust-DSCP-CoS Any
                  Dst Any              Any

   Index Name                 CoS       DSCP      Trust
   ----- -------------------- --------- --------- ------------
   0     CoS0                 0         no-change No
   1     CoS1                 1         no-change No
   2     CoS2                 2         no-change No
   3     CoS3                 3         no-change No
   4     CoS4                 4         no-change No
   5     CoS5                 5         no-change No
   6     CoS6                 6         no-change No
   7     CoS7                 7         no-change No
   9     No-Change            no-change no-change No
   10    Trust-DSCP           -         -         DSCP
   11    Trust-DSCP-CoS       -         -         DSCP-and-CoS

   DSCP Action               Name
   ---- -------------------- ------------
   0    No-Change            DSCP#0
   1    No-Change            DSCP#1
   2    No-Change            DSCP#2
   3    No-Change            DSCP#3
   4    No-Change            DSCP#4
   5    No-Change            DSCP#5
   6    No-Change            DSCP#6
   7    No-Change            DSCP#7
   8    No-Change            DSCP#8
   9    No-Change            DSCP#9
   10   No-Change            DSCP#10
   11   No-Change            DSCP#11
   12   No-Change            DSCP#12
   13   No-Change            DSCP#13
   14   No-Change            DSCP#14
   15   No-Change            DSCP#15
   16   No-Change            DSCP#16
   17   No-Change            DSCP#17
   18   No-Change            DSCP#18
   19   No-Change            DSCP#19
   20   No-Change            DSCP#20
   21   No-Change            DSCP#21
   22   No-Change            DSCP#22
   23   No-Change            DSCP#23
   24   No-Change            DSCP#24
   25   No-Change            DSCP#25
   26   No-Change            DSCP#26
   27   No-Change            DSCP#27
   28   No-Change            DSCP#28
   29   No-Change            DSCP#29
   30   No-Change            DSCP#30
   31   No-Change            DSCP#31
   32   No-Change            DSCP#32
   33   No-Change            DSCP#33
   34   CoS7                 VoIP Control
   35   No-Change            DSCP#35
   36   No-Change            DSCP#36
   37   No-Change            DSCP#37
   38   No-Change            DSCP#38
   39   No-Change            DSCP#39
   40   No-Change            DSCP#40
   41   CoS7                 VoIP Control
   42   No-Change            DSCP#42
   43   CoS6                 VoIP Bearer RESV
   44   CoS6                 VoIP Bearer RESV
   45   No-Change            DSCP#45
   46   CoS6                 VoIP Bearer
   47   No-Change            DSCP#47
   48   No-Change            DSCP#48
   49   No-Change            DSCP#49
   50   No-Change            DSCP#50
   51   No-Change            DSCP#51
   52   No-Change            DSCP#52
   53   No-Change            DSCP#53
   54   No-Change            DSCP#54
   55   No-Change            DSCP#55
   56   No-Change            DSCP#56
   57   No-Change            DSCP#57
   58   No-Change            DSCP#58
   59   No-Change            DSCP#59
   60   No-Change            DSCP#60
   61   No-Change            DSCP#61
   62   No-Change            DSCP#62
   63   No-Change            DSCP#63


3. Configure Frame Relay Traffic Shaping

The configuration uses a Full T-1 bandwidth pipe of 1.536 Mbps. However, the Internet Service Provider (ISP) has limited the CIR to 768 Kbps, half of the available pipe. The following map-class was created to allow excess bursting of 786 Kbps above the CIR for data transport. The DE pre-mark feature is enabled at 50% of the CIR. Once 50% of the CIR is reached by low priority traffic, all additional low priority traffic will be labeled as Discard Eligible (DE).

   BR-001(super)# map-class frame-relay voice
   BR-001(super-map-class)# be out 768000
   BR-001(super-map-class)# cir out 768000
   BR-001(super-map-class)# bc out 96000
   BR-001(super-map-class)# de pre-mark 50
   BR-001(super-map-class)# exit
   BR-001(super)# interface serial 2/1:1.1 point-to-point
   BR-001(super-if:Serial 2/1:1.1)# frame-relay class-dlci 101 voice

3.5. Virtual Private Network (VPN) Administration Tasks

1. Configure an ISAKMP policy (i.e. IKE phase 1 proposal).

BR-001(super)# crypto isakmp policy 1
BR-001(super-isakmp:1)# description "High P1 Proposal"
BR-001(super-isakmp:1)# encryption 3des
BR-001(super-isakmp:1)# hash sha
BR-001(super-isakmp:1)# group 2
BR-001(super-isakmp:1)# authentication pre-share
BR-001(super-isakmp:1)# lifetime 86400
BR-001(super-isakmp:1)# exit

Notes: The ISAKMP policy attributes must be configured identically on both peers. The ISAKMP policy subcommands are listed below with their syntax as a reference. The defaults (des, md5, group 1) are weaker than the values used in this policy, so set each attribute explicitly rather than relying on them.

Description commands:
  Syntax: description <desc>
  <desc> - string (1-80)

Encryption commands:
  Syntax: encryption {3des|des|aes}
  Default: des

Hash commands:
  Syntax: hash {sha|md5}
  Default: md5

Group commands:
  Syntax: group {1|2}
  Default: 1

Lifetime commands:
  Syntax: lifetime <seconds>
  <seconds> - lifetime in seconds (60 - 86400)
  Default: 86400


2. Configure the ISAKMP peer.

BR-001(super)# crypto isakmp peer address 1.1.1.2
BR-001(super-peer:1.1.1.2)# description "Headquarters (HQ) Peer"
BR-001(super-peer:1.1.1.2)# isakmp-policy 1
BR-001(super-peer:1.1.1.2)# pre-shared-key MySeCrEtKeY
BR-001(super-peer:1.1.1.2)# exit

Notes: The ISAKMP peer address is the IP address of the remote peer with which the G350 Media Gateway establishes the secure ISAKMP channel; here it is the outside interface of the Cisco PIX (1.1.1.2). The same pre-shared key must be configured on the PIX for the G350 peer address (110.110.110.2). MySeCrEtKeY is a sample value only; because pre-shared key authentication is only as strong as the key, a production key should be long and randomly generated. The crypto isakmp peer address subcommand syntax is listed below as a reference.

Description commands:
  Syntax: description <desc>
  <desc> - string (1-80)

Isakmp-policy commands:
  Syntax: isakmp-policy <id>
  <id> - isakmp policy id (1-20)

Pre-shared-key commands:
  Syntax: pre-shared-key <psk-str>
  <psk-str> - pre-shared secret string (1-127)


3. Configure a transform-set (i.e. IKE phase 2 proposal). The transform-set defines security attributes, such as the protocol to employ, the algorithm to be used, etc.

BR-001(super)# crypto ipsec transform-set HighAES esp-aes esp-sha-hmac
BR-001(super-transform:HighAES)# set security-association lifetime seconds 3600
BR-001(super-transform:HighAES)# set pfs group2
BR-001(super-transform:HighAES)# exit

Note: The following command and subcommand syntax applies to IPSec transform-sets. The HMAC transform is optional in the syntax when a cipher is given; omitting it yields encryption without integrity protection, so always pair the cipher with esp-sha-hmac or esp-md5-hmac as done here.

Crypto ipsec transform-set commands:
  Syntax: crypto ipsec transform-set <name> {{esp-des|esp-3des|esp-aes} [{esp-md5-hmac|esp-sha-hmac}]|esp-null {esp-md5-hmac|esp-sha-hmac}}
  <name> - transform-set name without spaces (1-32)

Set security-association lifetime seconds commands:
  Syntax: set security-association lifetime seconds <seconds>
  <seconds> - lifetime in seconds (120 - 86400)
  Default: 3600

Set security-association lifetime kilobytes commands:
  Syntax: set security-association lifetime kilobytes <kilobytes>
  <kilobytes> - lifetime in kilobytes (2560 - 536870912)
  Default: 4608000

Set pfs commands:
  Syntax: set pfs [group1 | group2]
  Default: no pfs


4. Configure the crypto-map.

Crypto-maps define the peer with which IPSec (IKE phase 2) protection is negotiated and the transform-set used to secure the traffic flow.

BR-001(super)# crypto map 1
BR-001(super-crypto:1)# description "High P2 Proposal"
BR-001(super-crypto:1)# set transform-set HighAES
BR-001(super-crypto:1)# set peer 1.1.1.2
BR-001(super-crypto:1)# exit

Note: The following command and subcommand syntax applies to crypto maps.

Crypto map commands:
  Syntax: crypto map <id>
  <id> - integer (1-50)

Description commands:
  Syntax: description <desc>
  <desc> - string (1-80)

Set transform-set commands:
  Syntax: set transform-set <name>

Set peer commands:
  Syntax: set peer <peer address>
  <peer address> - remote peer address


5. Configure a crypto-list.

The crypto-list contains ip-rules, which select the traffic flows requiring IPSec protection according to source and destination IP addressing. The three rules below are the mirror image of the PIX access-list 101 entries configured in Section 5: branch voice VLAN 192.168.10.0/24 to HQ voice VLAN 192.168.101.0/24, and branch data network 172.21.0.0/16 to each of the two HQ VLANs. The selectors must match exactly on both peers or the IKE phase 2 negotiation for that flow fails. Traffic that matches none of the ip-rules falls through to the list's default rule, which applies no IPSec unless configured to, so review the list for gaps as well as for typos.

BR-001(super)# ip crypto-list 901
BR-001(super-Crypto 901)# name "Traffic To Be Encrypted"
BR-001(super-Crypto 901)# local-address 110.110.110.2
BR-001(super-Crypto 901)# ip-rule 1
BR-001(super-Crypto 901/ip rule 1)# protect crypto map 1
BR-001(super-Crypto 901/ip rule 1)# source-ip 192.168.10.0 0.0.0.255
BR-001(super-Crypto 901/ip rule 1)# destination-ip 192.168.101.0 0.0.0.255
BR-001(super-Crypto 901/ip rule 1)# exit
BR-001(super-Crypto 901)# ip-rule 2
BR-001(super-Crypto 901/ip rule 2)# protect crypto map 1
BR-001(super-Crypto 901/ip rule 2)# source-ip 172.21.0.0 0.0.255.255
BR-001(super-Crypto 901/ip rule 2)# destination-ip 192.168.100.0 0.0.0.255
BR-001(super-Crypto 901/ip rule 2)# exit
BR-001(super-Crypto 901)# ip-rule 3
BR-001(super-Crypto 901/ip rule 3)# protect crypto map 1
BR-001(super-Crypto 901/ip rule 3)# source-ip 172.21.0.0 0.0.255.255
BR-001(super-Crypto 901/ip rule 3)# destination-ip 192.168.101.0 0.0.0.255
BR-001(super-Crypto 901/ip rule 3)# exit
BR-001(super-Crypto 901)# exit

Note: The following command and subcommand syntax applies to crypto-lists.

Ip crypto-list commands:
  Syntax: ip crypto-list <index>
  <index> - integer (901..999)

Name commands:
  Syntax: name <name>
  <name> - list name

Local address commands:
  Syntax: local-address <ip-address>
  <ip-address> - an IP address that belongs to a local IP interface

Ip-rule commands:
  Syntax: ip-rule {<index> | default}
  <index> - integer (1..9999)

Protect crypto commands:
  Syntax: protect crypto map <id>
  Protect traffic that matches this rule by applying the IPSec processing configured by the specified crypto map.

Source-ip commands:
  Syntax: source-ip {host <ip-address> | any | <ip-address> <wildcard>}
  <ip-address> - ip network
  <wildcard> - ip network wildcard

Destination-ip commands:
  Syntax: destination-ip {host <ip-address> | any | <ip-address> <wildcard>}
  <ip-address> - ip network
  <wildcard> - ip network wildcard


6. Assign the crypto-group to the serial interface.

The ip crypto-group subcommand enables IPSec processing on a router interface by binding a crypto-list to it. Only one crypto-list may be bound to an interface at a time. Once IPSec is enabled, the interface consults the Security Policy Database (SPD) while processing all inbound and outbound traffic, including non-IPSec traffic. The G350 Media Gateway SPD consists of the crypto-list, its ip-rules, the crypto-maps and the transform-sets: the crypto-list contains ip-rules, which select traffic flows requiring IPSec protection based on source and destination IP addressing; each ip-rule is protected by a crypto-map; the crypto-map defines the peer with which IPSec (IKE phase 2) protection is negotiated and the transform-set that secures the traffic flow; and the transform-set defines security attributes such as the protocol to employ (e.g. AH or ESP) and the algorithm to be used (e.g. DES, 3DES, AES).

BR-001(super)# interface serial 2/1:1.1 point-to-point
BR-001(super-if:Serial 2/1:1.1)# ip crypto-group 901

Note: The following subcommand syntax applies to interfaces.

Ip crypto-group commands:
  Syntax: ip crypto-group <crypto-list-id>
  <crypto-list-id> - integer (900..999, 900 - default crypto list)

4. Configure the Cisco 3640 Router

1. Log in using a valid login and password.
2. Enter the global configuration mode.

Router>enable
Router#config t

3. Enter a recognized hostname for troubleshooting (optional).

router(config)#hostname RT

4. Configure the interface IP address used to connect to the PIX outside interface (1.1.1.2).

RT(config)#interface FastEthernet 1/0
RT(config-if)#description "Connects to Headquarters (HQ)"
RT(config-if)#ip address 1.1.1.1 255.255.255.252
RT(config-if)#no shutdown
RT(config-if)#exit


5. Configure Frame Relay traffic shaping.

Any traffic above the CIR value will be marked with discard eligibility (DE).

RT(config)#map-class frame-relay voice
RT(config-map-class)#frame-relay cir out 768000
RT(config-map-class)#frame-relay bc out 96000
RT(config-map-class)#frame-relay be out 768000
RT(config-map-class)#exit

6. Configure the serial interface to connect the Frame Relay WAN.

RT(config)#interface serial 0/0
RT(config-if)#encapsulation frame-relay ietf
RT(config-if)#service-module t1 clock source line
RT(config-if)#service-module t1 framing esf
RT(config-if)#service-module t1 linecode b8zs
RT(config-if)#service-module t1 timeslots 1-24 speed 64
RT(config-if)#fair-queue
RT(config-if)#frame-relay lmi-type ansi
RT(config-if)#frame-relay intf-type dte
RT(config-if)#exit

7. Configure the point-to-point Frame Relay serial sub-interface and PVC.

RT(config)#interface serial 0/0.1 point-to-point
RT(config-subif)#description "Connects to Branch (BR)"
RT(config-subif)#ip address 110.110.110.1 255.255.255.252
RT(config-subif)#frame-relay interface-dlci 101
RT(config-fr-dlci)#exit
RT(config-subif)#no frame-relay ip rtp header-compression
RT(config-subif)#exit

Note: The map-class defined in step 5 only takes effect once Frame Relay traffic shaping is enabled on the physical interface (frame-relay traffic-shaping) and the class is applied to the PVC (frame-relay class voice under the DLCI). Neither command appears in the configuration captured here, so add them if shaping is required on the HQ side.

8. Add static routes needed to reach the protected BR and HQ attached subnetworks.

RT(config)#ip route 0.0.0.0 0.0.0.0 110.110.110.2 1
RT(config)#ip route 192.168.100.0 255.255.255.0 1.1.1.2 1
RT(config)#ip route 192.168.101.0 255.255.255.0 1.1.1.2 1
RT(config)#exit

9. Save the running configuration file.

RT#copy run start
Destination filename [startup-config]? <Enter>


5. Configure the Cisco PIX 525 Firewall

1. Log in using a valid login and password.
2. Enter the global configuration mode.

pixfirewall> enable
pixfirewall# config terminal

3. Enter a known hostname for troubleshooting purposes (optional).

pixfirewall(config)# hostname HQ

4. Configure the outside (unsecure) and inside (secure) interfaces.

HQ(config)# ip address outside 1.1.1.2 255.255.255.252
HQ(config)# ip address inside 100.100.100.2 255.255.255.252

5. Enable the physical outside and inside Ethernet ports.

HQ(config)# interface ethernet0 auto
HQ(config)# interface ethernet1 auto

6. Configure a default static route to the WAN and static routes to the protected LAN segments.

HQ(config)# route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
HQ(config)# route inside 192.168.100.0 255.255.255.0 100.100.100.1 1
HQ(config)# route inside 192.168.101.0 255.255.255.0 100.100.100.1 1

7. Define an access-list and interface binding to exempt the traffic to be encrypted from NAT. The PIX translates before it applies the crypto map, so if this traffic were translated its source addresses would no longer match the crypto access-list (step 10) and it would be sent in the clear instead of through the tunnel.

HQ(config)# access-list nonatvpn permit ip 192.168.100.0 255.255.255.0 172.21.0.0 255.255.0.0
HQ(config)# access-list nonatvpn permit ip 192.168.101.0 255.255.255.0 192.168.10.0 255.255.255.0
HQ(config)# access-list nonatvpn permit ip 192.168.101.0 255.255.255.0 172.21.0.0 255.255.0.0
HQ(config)# nat (inside) 0 access-list nonatvpn

8. Define an interface binding to NAT all other traffic that is not being encrypted.

HQ(config)# nat (inside) 1 0.0.0.0 0.0.0.0 0 0

9. Configure and enable the ISAKMP policy (phase 1 proposal). The pre-shared key must be the same string configured on the G350 in Section 3.5 step 2, and it is bound here to the G350 peer address 110.110.110.2.

HQ(config)# isakmp enable outside
HQ(config)# isakmp key MySeCrEtKeY address 110.110.110.2 netmask 255.255.255.255
HQ(config)# isakmp identity address
HQ(config)# isakmp policy 1 authentication pre-share
HQ(config)# isakmp policy 1 encryption 3des
HQ(config)# isakmp policy 1 hash sha
HQ(config)# isakmp policy 1 group 2
HQ(config)# isakmp policy 1 lifetime 86400


10. Create access-lists that define the traffic of interest to be encrypted between HQ and BR. These entries must mirror the G350 crypto-list ip-rules exactly, with source and destination swapped.

HQ(config)# access-list 101 permit ip 192.168.100.0 255.255.255.0 172.21.0.0 255.255.0.0
HQ(config)# access-list 101 permit ip 192.168.101.0 255.255.255.0 192.168.10.0 255.255.255.0
HQ(config)# access-list 101 permit ip 192.168.101.0 255.255.255.0 172.21.0.0 255.255.0.0

11. Administer an IPSec transform-set (partial phase 2 proposal).

HQ(config)# crypto ipsec transform-set HighAES esp-aes esp-sha-hmac

12. Configure the crypto map and interface binding for the branch VPN (partial phase 2 proposal).

HQ(config)# crypto map BranchVPN 1 ipsec-isakmp
HQ(config)# crypto map BranchVPN 1 match address 101
HQ(config)# crypto map BranchVPN 1 set peer 110.110.110.2
HQ(config)# crypto map BranchVPN 1 set transform-set HighAES
HQ(config)# crypto map BranchVPN 1 set pfs group2
HQ(config)# crypto map BranchVPN 1 set security-association lifetime seconds 3600
HQ(config)# crypto map BranchVPN interface outside

13. Configure the PIX to bypass interface access-list checks for all IPSec traffic. With this setting, decrypted traffic from the branch is not filtered by the outside interface access-list, so the crypto access-list 101 becomes the only control on what the branch networks can reach at HQ; keep it as narrow as the deployment allows.

HQ(config)# sysopt connection permit-ipsec

14. Save the running configuration file.

HQ(config)# write memory
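The following Python script is an added example, not part of these Application Notes, that checks the G350 crypto-list ip-rules from Section 3.5 step 5 against the PIX access-list 101 from step 10 above: every (source, destination) pair on one peer must appear reversed on the other, because IKE phase 2 only succeeds when the two proxy IDs mirror each other. The inputs are constructed copies of the two configurations; the G350 side deliberately carries a duplicate rule 3 (destination 192.168.100.0 instead of 192.168.101.0) to show what the check reports. Function names and the report layout are assumptions of this example.

```python
import ipaddress
import re

# Constructed inputs, re-typed from Section 3.5 step 5 (G350 crypto-list 901) and
# Section 5 step 10 (PIX access-list 101). The G350 side deliberately carries a
# duplicate rule 3 (destination 192.168.100.0 instead of 192.168.101.0) to show
# what the check reports.
G350_CRYPTO_LIST_901 = """\
ip-rule 1
 protect crypto map 1
 source-ip 192.168.10.0 0.0.0.255
 destination-ip 192.168.101.0 0.0.0.255
ip-rule 2
 protect crypto map 1
 source-ip 172.21.0.0 0.0.255.255
 destination-ip 192.168.100.0 0.0.0.255
ip-rule 3
 protect crypto map 1
 source-ip 172.21.0.0 0.0.255.255
 destination-ip 192.168.100.0 0.0.0.255
"""

PIX_ACL_101 = """\
access-list 101 permit ip 192.168.100.0 255.255.255.0 172.21.0.0 255.255.0.0
access-list 101 permit ip 192.168.101.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list 101 permit ip 192.168.101.0 255.255.255.0 172.21.0.0 255.255.0.0
"""


def net_from_wildcard(addr, wildcard):
    """G350/IOS wildcard (0 bits are significant) -> ip_network via the inverted mask."""
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_g350_rules(text):
    """Return {rule_id: (src_net, dst_net)} from the ip-rule blocks of a crypto-list."""
    rules, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"ip-rule (\d+)$", line):
            current = int(m.group(1))
            rules[current] = [None, None]
        elif m := re.match(r"(source|destination)-ip (\S+) (\S+)$", line):
            slot = 0 if m.group(1) == "source" else 1
            rules[current][slot] = net_from_wildcard(m.group(2), m.group(3))
    return {rid: tuple(v) for rid, v in rules.items()}


def parse_pix_acl(text):
    """Return [(src_net, dst_net), ...] from 'access-list <name> permit ip A maskA B maskB' lines."""
    pat = re.compile(r"^access-list \S+ permit ip (\S+) (\S+) (\S+) (\S+)\s*$", re.M)
    return [(ipaddress.ip_network(f"{a}/{am}", strict=False),
             ipaddress.ip_network(f"{b}/{bm}", strict=False))
            for a, am, b, bm in pat.findall(text)]


def check_mirror(g350_rules, pix_acl):
    """Find selectors that are not exact mirrors between the two peers.

    A PIX-only entry means that flow is never offered by the branch, so it stays
    unprotected from the G350 side; a G350-only entry means the branch will try
    to negotiate an SA that the PIX rejects. Duplicate G350 rules usually mean a
    typo in one of them (the case constructed above).
    """
    g350 = set(g350_rules.values())
    pix_mirrored = {(dst, src) for src, dst in pix_acl}

    def as_str(pairs):
        return sorted((str(s), str(d)) for s, d in pairs)

    selectors = list(g350_rules.values())
    return {
        "only_on_g350": as_str(g350 - pix_mirrored),
        "only_on_pix": as_str(pix_mirrored - g350),
        "duplicate_g350_rules": [rid for rid, sel in g350_rules.items() if selectors.count(sel) > 1],
    }


if __name__ == "__main__":
    report = check_mirror(parse_g350_rules(G350_CRYPTO_LIST_901), parse_pix_acl(PIX_ACL_101))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against the constructed inputs, the report shows nothing G350-only, one PIX-only selector (172.21.0.0/16 to 192.168.101.0/24) and rules 2 and 3 flagged as duplicates, which is exactly the symptom a mistyped destination in rule 3 produces. Paste the real crypto-list and access-list into the two strings to check a live deployment before initiating the tunnel.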

6. Configure the P580 Switch

1. Log in using a valid login and password.
2. Enter the global configuration mode.

P580> enable
P580# configure

3. Enter a known hostname for troubleshooting purposes (optional).

P580(configure)# hostname CO-P580-01

4. Create the data, voice and uplink VLANs respectively.

CO-P580-01(configure)# set vlan 100 name vlan100
CO-P580-01(configure)# set vlan 101 name vlan101
CO-P580-01(configure)# set vlan 135 name vlan135


5. Bind the voice and uplink VLANs to voice-only and uplink-only ports.

CO-P580-01(configure)# set port vlan 4/1 135
CO-P580-01(configure)# set port vlan 4/4-9 101

6. Configure all dual-use ports (e.g. IP Telephones with attached PCs).

CO-P580-01(configure)# set port trunking-format 4/2-3 ieee-802.1Q
CO-P580-01(configure)# set port vlan-binding-method 4/2-3 static
CO-P580-01(configure)# set port vlan 4/2-3 100
CO-P580-01(configure)# set vlan 101 4/2-3

7. Configure the layer 3 router interfaces for all VLANs.

CO-P580-01(configure)# interface vlan100
CO-P580-01(config-if:vlan100)# ip address 192.168.100.1 255.255.255.0
CO-P580-01(config-if:vlan100)# ip vlan name vlan100
CO-P580-01(config-if:vlan100)# exit
CO-P580-01(configure)# interface vlan101
CO-P580-01(config-if:vlan101)# ip address 192.168.101.1 255.255.255.0
CO-P580-01(config-if:vlan101)# ip vlan name vlan101
CO-P580-01(config-if:vlan101)# exit
CO-P580-01(configure)# interface vlan135
CO-P580-01(config-if:vlan135)# ip address 100.100.100.1 255.255.255.252
CO-P580-01(config-if:vlan135)# ip vlan name vlan135
CO-P580-01(config-if:vlan135)# exit

8. Configure static routes to reach the protected networks behind the branch peer via the Cisco PIX.

CO-P580-01(configure)# ip route 172.21.0.0 255.255.0.0 100.100.100.2 1 high
CO-P580-01(configure)# ip route 192.168.10.0 255.255.255.0 100.100.100.2 1 high

9. Enable DiffServ examination on all voice, data and uplink ports.

CO-P580-01(configure)# set port use-diffserv 4/1-9 on

10. Copy the running configuration.

CO-P580-01(configure)# exit
CO-P580-01# copy run start


7. Configure the Local Survivable Processor (LSP)

1. Configure a laptop with IP address 192.11.13.5/30 to access the S8300B service port and connect via an Ethernet crossover cable. Use a web browser to access the server (http://192.11.13.6). It may be necessary to add an entry in the browser to bypass the proxy server for local addresses. A "Welcome" page appears. Click Continue.
2. A "Security Alert" popup window appears asking "Do you want to proceed?". Click Yes.
3. The "Logon" page appears. Enter a valid Login ID and click Logon.
4. The "Logon" password confirmation page appears. Enter a valid password for the Login ID and click Logon.
5. A home page appears with several hyperlink options. Click Launch Maintenance Web Interface.
6. Click Configure Server under Server Configuration in the navigation tree.
7. The "Review Notices" page appears. Click Continue.
8. The "Back Up Data" page appears. Click Continue.


9. The "Specify how you want to use this wizard" page appears. Select Configure all services using the wizard and click Continue.
10. The "Set Server Identities" page appears. Enter a Host Name (e.g. BR-S8300B) for the S8300B Media Server and click Continue.


11. The "Configure Ethernet Interfaces" page appears. Enter an IP address, Gateway and Subnet mask for the S8300B Media Server and click Continue.
12. The "Configure Local Survivable Processor" page appears. Select This is a local survivable processor... Enter the CLAN IP address, Primary server 1 and Primary server 2 and click Continue.
13. Configure the remaining screens according to the configuration requirements. When the Update System page appears, click Continue.


8. Configure Avaya Communication Manager

1. The system administrator must obtain the serial number of the G350 Media Gateway in order to register the gateway with the Avaya S8700 Media Servers located at the Headquarters location. Execute show system on the CLI of the G350 through the console port.

G350-001(super)# show system
System Name      :
System Location  :
System Contact   :
Uptime (d,h:m:s) : 0,10:36:36
MV Time          : 10:30:07 21 OCT 2004
MAC Address      : 00:04:0d:29:d2:f5
WAN MAC address  : 00:04:0d:29:d2:f4
Serial No        : 03IS69612658
Model No         : G350
HW Vintage       : 0
HW Suffix        : B
FW Vintage       : 23.10.0

2. Add the Avaya G350 Media Gateway to Avaya Communication Manager using the SAT on the active S8700 Media Server.

Change the gateway type to g350. Use a unique name to describe the gateway. Enter the serial number of the G350 Media Gateway and choose a Network Region. In the sample configuration, the Headquarters location is part of Network Region 1 and the Branch Office location is part of Network Region 2. Communication Manager matches the serial number presented by the registering gateway against this form, so it must be entered exactly as reported by show system. Encrypt Link? y keeps the H.248 control link between Communication Manager and the gateway encrypted in its own right, independently of the IPSec tunnel that carries it across the WAN.

add media-gateway 1                                          Page 1 of 1
                               MEDIA GATEWAY

        Number: 1                            IP Address:
          Type: g350               FW Version/HW Vintage:
          Name: BR                          MAC Address:
     Serial No: 03IS69612658              Encrypt Link? y
Network Region: 2                              Location: 1
                                             Registered? n
                                  Controller IP Address:
     Site Data:

Slot   Module Type   Name
V1:
V2:
V3:
V4:
V5:
V6:
V7:
V8:
V9:


3. Configure codec set 1, which will be used for all intra-region (local) calls between IP endpoints.

change ip-codec-set 1                                        Page 1 of 2
                          IP Codec Set

    Codec Set: 1
    Audio        Silence      Frames   Packet
    Codec        Suppression  Per Pkt  Size(ms)
 1: G.711MU      n            2        20
 2:
 3:
 4:
 5:
 6:
 7:

    Media Encryption
 1: none
 2:
 3:

4. Configure codec set 2 to use G.729. This codec set will be used for all inter-region calls through the VPN over the Frame Relay WAN. The frames per packet value was left at 2 in this example because the G350 serial interface QoS mechanisms were left at their defaults, which are optimized for G.729 with a 20 ms packet size. Administrators may wish to increase the frames per packet from the default 2 to 3. Increasing the RTP payload per packet reduces the per-call bandwidth because the fixed per-packet IP/UDP/RTP headers and the IPSec (ESP tunnel) overhead are amortized over a larger payload, at the cost of 10 ms of additional packetization delay. This is useful when bandwidth preservation is paramount. Adjust the G350 serial interface QoS queuing optimization accordingly if this value is modified. Media Encryption is none in both codec sets, so RTP is protected only while it is inside the IPSec tunnel; on the LAN segments at either end it travels in the clear.

change ip-codec-set 2                                        Page 1 of 2
                          IP Codec Set

    Codec Set: 2
    Audio        Silence      Frames   Packet
    Codec        Suppression  Per Pkt  Size(ms)
 1: G.729        n            2        20
 2:
 3:

    Media Encryption
 1: none
 2:


5. Configure IP Network Region 1. This region defines QoS and codec set parameters for all stations located at the Headquarters location. Use Codec Set 1 with DSCP 34 for call control, DSCP 46 for audio, 802.1p priority 6 for audio and priority 7 for signaling.

change ip-network-region 1                                   Page 1 of 19
                              IP NETWORK REGION
  Region: 1
Location:                    Home Domain:
    Name: HQ Region
                                 Intra-region IP-IP Direct Audio: yes
AUDIO PARAMETERS                 Inter-region IP-IP Direct Audio: yes
   Codec Set: 1                             IP Audio Hairpinning? y
UDP Port Min: 2048
UDP Port Max: 3028                        RTCP Reporting Enabled? y
                                  RTCP MONITOR SERVER PARAMETERS
DIFFSERV/TOS PARAMETERS            Use Default Server Parameters? y
 Call Control PHB Value: 34
        Audio PHB Value: 46
802.1P/Q PARAMETERS
 Call Control 802.1p Priority: 7
        Audio 802.1p Priority: 6
AUDIO RESOURCE RESERVATION PARAMETERS           H.323 IP ENDPOINTS
 RSVP Enabled? n                          H.323 Link Bounce Recovery? n
                                    Idle Traffic Interval (sec): 20
                                       Keep-Alive Interval (sec): 5
                                                Keep-Alive Count: 5

6. Configure IP Network Region 2. This region defines QoS and codec set parameters for all stations located at the Branch Office location. Use Codec Set 1 with DSCP 34 for call control, DSCP 46 for audio, 802.1p priority 6 for audio and priority 7 for signaling.

change ip-network-region 2                                   Page 1 of 19
                              IP NETWORK REGION
  Region: 2
Location:                    Home Domain:
    Name: BR Region
                                 Intra-region IP-IP Direct Audio: yes
AUDIO PARAMETERS                 Inter-region IP-IP Direct Audio: yes
   Codec Set: 1                             IP Audio Hairpinning? y
UDP Port Min: 2048
UDP Port Max: 3028                        RTCP Reporting Enabled? y
                                  RTCP MONITOR SERVER PARAMETERS
DIFFSERV/TOS PARAMETERS            Use Default Server Parameters? y
 Call Control PHB Value: 34
        Audio PHB Value: 46
802.1P/Q PARAMETERS
 Call Control 802.1p Priority: 7
        Audio 802.1p Priority: 6
AUDIO RESOURCE RESERVATION PARAMETERS           H.323 IP ENDPOINTS
 RSVP Enabled? n                          H.323 Link Bounce Recovery? y
                                    Idle Traffic Interval (sec): 20
                                       Keep-Alive Interval (sec): 5
                                                Keep-Alive Count: 5


7. Navigate to Page 3 of 19 on Network Region 2. Configure codec set 2 for all calls between Regions 2 and 1. Change the WAN-BW-limits to 2:Calls. This configuration allows only 2 simultaneous calls between the locations. This value should be customized based on results from a properly performed Customer Infrastructure Readiness Survey (CIRS), available through Avaya Services.

change ip-network-region 2                                   Page 3 of 19
              Inter Network Region Connection Management

 src  dst  codec  direct                        Dynamic CAC
 rgn  rgn  set    WAN    WAN-BW-limits   Intervening-regions   Gateway
 2    1    2      y      2:Calls
 2    2    1
 2    3
 2    4
 2    5
 2    6
 2    7
 2    8

8. Configure the IP Network Map so that IP Telephones located at the Branch Office register as members of IP Network Region 2 and IP Telephones located at Headquarters register as members of IP Network Region 1.

change ip-network-map                                        Page 1 of 32
                            IP ADDRESS MAPPING

                                                                 Emergency
                          Subnet                                  Location
 From IP Address          (To IP Address or Mask)   Region  VLAN  Extension
 192.168.10.0             24                        2       n
 192.168.101.0            24                        1       n
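The following Python script is an added example, not part of these Application Notes, that puts numbers behind the frames-per-packet discussion in step 4 by computing the one-way bandwidth of a G.729 call in the clear and inside the ESP tunnel negotiated in Section 3.5. It assumes the esp-aes esp-sha-hmac transform-set from that section (AES-CBC with a 16-byte IV and a 12-byte HMAC-SHA-1-96 ICV, ESP tunnel mode with a 20-byte outer IPv4 header); Layer 2 (Frame Relay) overhead is left as a parameter because it depends on the encapsulation in use. The function names are this example's own.

```python
# G.729 per-call bandwidth with and without ESP tunnel-mode IPSec, for a given
# number of 10 ms frames per RTP packet. The ESP figures assume the transform-set
# from Section 3.5 (esp-aes esp-sha-hmac: AES-CBC, 16-byte IV, 12-byte
# HMAC-SHA-1-96 ICV); these sizes are assumptions of this example, not values
# reported by the G350 or the PIX.
G729_FRAME_BYTES = 10            # G.729 produces 10 bytes per 10 ms frame
G729_FRAME_MS = 10
RTP_UDP_IP_HEADERS = 12 + 8 + 20  # RTP + UDP + inner IPv4 headers


def esp_tunnel_packet_size(inner_len, block=16, iv_len=16, icv_len=12):
    """Bytes on the wire for one inner IP packet in ESP tunnel mode.

    Layout: outer IPv4 (20) | SPI + sequence (8) | IV | inner packet + padding +
    pad-length + next-header, padded to the cipher block size | ICV.
    """
    to_pad = inner_len + 2            # 2 = pad length byte + next header byte
    padding = (-to_pad) % block       # pad so (payload + trailer) fills whole blocks
    return 20 + 8 + iv_len + to_pad + padding + icv_len


def g729_call_bps(frames_per_packet, ipsec=True, l2_overhead=0):
    """Bandwidth in bit/s for one direction of a G.729 call."""
    payload = frames_per_packet * G729_FRAME_BYTES
    inner = RTP_UDP_IP_HEADERS + payload
    wire = (esp_tunnel_packet_size(inner) if ipsec else inner) + l2_overhead
    packets_per_second = 1000 / (frames_per_packet * G729_FRAME_MS)
    return wire * 8 * packets_per_second


def ipsec_overhead_ratio(frames_per_packet):
    """How much ESP inflates the per-call rate relative to cleartext RTP."""
    return g729_call_bps(frames_per_packet) / g729_call_bps(frames_per_packet, ipsec=False)


if __name__ == "__main__":
    for n in (2, 3):
        clear = g729_call_bps(n, ipsec=False)
        enc = g729_call_bps(n)
        print(f"{n} frames/pkt ({n * G729_FRAME_MS} ms): clear {clear / 1000:.1f} kbit/s, "
              f"ESP-AES/SHA tunnel {enc / 1000:.1f} kbit/s (x{enc / clear:.2f})")
```

With 2 frames per packet a G.729 call costs 24 kbit/s in the clear and 48 kbit/s per direction inside the tunnel; with 3 frames per packet the encrypted figure drops to about 36 kbit/s, a saving of roughly a quarter rather than a slight one. The doubling caused by ESP is worth keeping in mind when sizing the WAN-BW-limits in step 7 against the 768 Kbps CIR from Section 3.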


9. Verification Steps

The following steps can be used to validate the configuration. In order to verify that the VPN tunnel is configured correctly, one of the devices must initiate security negotiations; this happens when traffic matching a crypto-list rule is sent, for example from a host on the branch voice VLAN (192.168.10.0/24) to a host on the HQ voice VLAN (192.168.101.0/24).

9.1. Verify Cisco PIX 525 Firewall Interfaces and Routing

1. Check that the "inside" and "outside" interface/line protocols are up and that the IP addressing is correct.

HQ(config)# show interface ethernet0
interface ethernet0 "outside" is up, line protocol is up
  Hardware is i82559 ethernet, address is 0006.d75c.ed48
  IP address 1.1.1.2, subnet mask 255.255.255.252
  MTU 1500 bytes, BW 100000 Kbit full duplex
        22 packets input, 1560 bytes, 0 no buffer
        Received 2 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        19 packets output, 1364 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/1)
        output queue (curr/max blocks): hardware (0/1) software (0/1)

HQ(config)# show interface ethernet1
interface ethernet1 "inside" is up, line protocol is up
  Hardware is i82559 ethernet, address is 0006.d75c.ed49
  IP address 100.100.100.2, subnet mask 255.255.255.252
  MTU 1500 bytes, BW 100000 Kbit full duplex
        131 packets input, 706 bytes, 0 no buffer
        Received 11130 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        5 packets output, 342 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/1)
        output queue (curr/max blocks): hardware (0/1) software (0/1)

2. Examine all Cisco PIX route table entries for accuracy. Be sure that the default route is defined to use the Cisco 3640 router and that routes to all protected subnetworks are in place.

HQ(config)# show route
        outside 0.0.0.0 0.0.0.0 1.1.1.1 1 OTHER static
        outside 1.1.1.0 255.255.255.252 1.1.1.2 1 CONNECT static
        inside 100.100.100.0 255.255.255.252 100.100.100.2 1 CONNECT static
        inside 192.168.100.0 255.255.255.0 100.100.100.1 1 OTHER static
        inside 192.168.101.0 255.255.255.0 100.100.100.1 1 OTHER static


9.2. Verify G350 Media Gateway Interfaces and Routing

1. Verify Serial interface status.

BR-001(super)# show interface serial 2/1:1
Serial 2/1:1 is up, line protocol is up
  MTU 1500 bytes, Bandwidth 1536 kbit
  Reliability 255/255 txLoad 1/255 rxLoad 1/255
  Encapsulation FRAME-RELAY IETF
  Link status trap enabled
  LMI enq sent 21265, LMI stat recvd 21263, LMI upd recvd 0, DTE LMI up
  LMI DLCI 0, LMI type is ANSI Annex D (Auto Detected), frame relay DTE
  Weighted Fair VoIP queueing mode
  Last input 00:00:09, Last output 00:00:09
  Last clearing of 'show interface' counters never
  5 minute input rate 24 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
  4262 input drops, 0 output drops, 4262 unknown protocols
  38520 packets input, 2504110 bytes
  0 broadcasts received, 0 giants
  0 input errors, 0 CRC, 0 abort
  34260 packets output, 1218540 bytes
  0 output errors, 0 collisions

2. Verify Serial subinterface status.

BR-001(super)# show interface serial 2/1:1.1
Serial 2/1:1.1 is up, line protocol is up
  Description: Connects to Router (RT)
  Internet address is 110.110.110.2, mask is 255.255.255.252
  MTU 1500 bytes, Bandwidth 1536 kbit
  Encapsulation FRAME-RELAY IETF
  Link status trap enabled
  Last input 00:56:57, Last output 00:56:57
  Last clearing of 'show interface' counters never
  4262 input drops, 0 output drops, 4262 unknown protocols
  17257 packets input, 866647 bytes
  0 broadcasts received, 0 giants
  0 input errors, 0 CRC, 0 abort
  12995 packets output, 868852 bytes
  0 output errors, 0 collisions

3. Verify Frame Relay PVC status.

BR-001(super)# show frame-relay pvc
Showing 1 PVC
PVC Statistics for interface Serial 2/1:1 (Frame Relay DTE)
          Active  Inactive  Deleted  Static
  Local   1       0         0        0
  Unused  0       0         0        0
DLCI = 101, USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE = Serial 2/1:1.1
  ROLE = Primary, PRIORITY CLASS = None
  input pkts 17256, output pkts 12995, dropped pkts 0
  in bytes 2188405, out bytes 920832
  in FECN pkts 0


  in BECN pkts 0
  in DE pkts 0, out DE pkts 0
  pvc create time 2d10h, last time pvc status changed 2d10h
  traffic-shaping map-class: voip_class cir 1536000, bc 15360, be 0 interval 10
  pkts 12995, delayed pkts 0, dropped pkts 0
  bytes 920832, delayed byts 0, dropped byts 0
  de pre mark is off
  end-to-end fragmentation is off

Check the traffic-shaping line against the map-class bound to DLCI 101 in Section 3: the capture above reports voip_class with a CIR of 1536000 and DE pre-marking off, which is not the voice map-class (CIR 768000, de pre-mark 50) configured there. If your output looks like this, re-check the frame-relay class-dlci binding before relying on the shaping.

4. Verify voice VLAN interface status.

BR-001(super)# show interface vlan 10
Vlan 10 is up, line protocol is up
  Description: Voice Network
  Physical address is 00:04:0d:29:d2:f5
  Internet address is 192.168.10.1, mask is 255.255.255.0
  MTU 1500 bytes, Bandwidth 100000 kbit
  Reliability 255/255 txLoad 1/255 rxLoad 1/255
  Encapsulation ARPA, ICC-VLAN
  Link status trap disabled
  Full-duplex, 100Mb/s
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:13, Last output 00:00:13
  Last clearing of 'show interface' counters never
  5 minute input rate 88 bits/sec, 0 packets/sec
  5 minute output rate 100 bits/sec, 0 packets/sec
  0 input drops, 0 output drops, 0 unknown protocols
  26934 packets input, 2835144 bytes
  0 broadcasts received, 0 giants
  0 input errors, 0 CRC
  42611 packets output, 3846102 bytes
  0 output errors, 0 collisions

5. Verify data VLAN interface status.

BR-001(super)# show interface vlan 21
Vlan 21 is up, line protocol is up
  Description: Data Network
  Physical address is 00:04:0d:29:d2:f5
  Internet address is 172.21.0.1, mask is 255.255.0.0
  Primary management interface
  MTU 1500 bytes, Bandwidth 100000 kbit
  Reliability 255/255 txLoad 1/255 rxLoad 1/255
  Encapsulation ARPA
  Link status trap disabled
  Full-duplex, 100Mb/s
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:03:46, Last output 00:03:46
  Last clearing of 'show interface' counters never
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
  0 input drops, 0 output drops, 0 unknown protocols
  4557 packets input, 520364 bytes
  4338 broadcasts received, 0 giants
  0 input errors, 0 CRC
  658 packets output, 24108 bytes
  0 output errors, 0 collisions


6. Verify G350 Media Gateway IP route table entries.

BR-001(super)# show ip route
Showing 4 rows
Network          Mask  Interface             Next-Hop         Cost  TTL  Source
---------------  ----  --------------------  ---------------  ----  ---  -------
0.0.0.0          0     Serial 2/1:1.1        110.110.110.1    1     n/a  STAT-LO
110.110.110.0    30    Serial 2/1:1.1        110.110.110.2    1     n/a  LOCAL
172.21.0.0       16    Vlan 21               172.21.0.1       1     n/a  LOCAL
192.168.10.0     24    Vlan 10               192.168.10.1     1     n/a  LOCAL

9.3. Verify Cisco PIX VPN Policies

1. Verify that the configured ISAKMP policies have the correct security attributes.

HQ(config)# show crypto isakmp
isakmp enable outside
isakmp key ******** address 110.110.110.2 netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 43200

2. Verify that the configured IPSec transform-sets have the correct security attributes.

HQ(config)# show crypto ipsec transform-set
Transform set HighAES: { esp-aes esp-sha-hmac }
   will negotiate = { Tunnel, },

9.4. Verify G350 Media Gateway VPN Policies

Administrators should execute the following steps to confirm the VPN configuration on the G350 Media Gateway prior to attempting tunnel initialization.

1. Verify that the remote peer has been defined under crypto isakmp peer. The optional description is included for usability.

BR-001(super)# show crypto isakmp peer
Showing 1 rows
Description        Peer identity       Auth   Plc
-----------------  ------------------  -----  ---
Headquarters (HQ)  1.1.1.2             psk    1

2. Verify that configured ISAKMP policies have the correct security attributes. The optional description is included for usability.

BR-001(super)# show crypto isakmp policy
Showing 1 rows
Id  Description           Encr     Hash     Authentication  DH group  life sec
--  --------------------  -------  -------  --------------  --------  ----------
1   High P1 Proposal      3des     sha      Preshared key   2         86400

3. Verify that the configured IPSec transform-sets have the correct security attributes. The optional name is included for usability.

BR-001(super)# show crypto ipsec transform-set
Showing 1 rows
Name                     ESP enc    ESP hash   PFS  Life Sec    Life KB     Mode
-----------------------  ---------  ---------  ---  ----------  ----------  ------
HighAES                  aes        sha-hmac   #2   3600        4608000     Tunnel
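Sections 9.3 and 9.4 list the same attributes on both peers, but each vendor spells them differently (pre-share versus Preshared key, esp-aes versus aes), which is exactly where a mismatched proposal slips through a visual check. The following script is an added example for these Application Notes; it is not Avaya or Cisco software and is not taken from this document. It folds the vendor spellings to one token and reports every attribute that differs. The attribute names, the alias table and the two severity classes are assumptions of the example; the sample values are transcribed from the show output above.

```python
from typing import Dict, List, Tuple

# Vendor spellings of the same attribute, folded to one canonical token.
# Assumption: these are the spellings seen in the PIX and G350 show output
# of these notes; extend the table for other platforms.
ALIASES = {
    "3des": "3des", "3des-cbc": "3des", "esp-3des": "3des",
    "aes": "aes", "esp-aes": "aes", "aes-128": "aes",
    "sha": "sha", "sha-hmac": "sha", "esp-sha-hmac": "sha", "hmac-sha": "sha",
    "md5": "md5", "md5-hmac": "md5", "esp-md5-hmac": "md5",
    "pre-share": "psk", "preshared key": "psk", "psk": "psk",
    "2": "2", "group2": "2", "#2": "2",
    "tunnel": "tunnel", "transport": "transport",
}

def norm(value) -> str:
    key = str(value).strip().lower()
    return ALIASES.get(key, key)

# Attributes that must agree for IKEv1 main mode (phase 1) and quick mode
# (phase 2) to accept a proposal; lifetimes only produce a warning because
# the peers negotiate them rather than requiring equality.
PHASE1_HARD = ("encryption", "hash", "authentication", "dh_group")
PHASE2_HARD = ("esp_encryption", "esp_hash", "mode")

Finding = Tuple[str, str, str, str, str]   # (severity, phase, attribute, pix, g350)

def compare(phase: str, a: Dict[str, object], b: Dict[str, object], hard) -> List[Finding]:
    findings: List[Finding] = []
    for attr in hard:
        if norm(a.get(attr)) != norm(b.get(attr)):
            findings.append(("error", phase, attr, str(a.get(attr)), str(b.get(attr))))
    for attr in ("lifetime_sec", "lifetime_kb"):
        if attr in a and attr in b and int(a[attr]) != int(b[attr]):
            findings.append(("warning", phase, attr, str(a[attr]), str(b[attr])))
    return findings

def check_policies(pix_p1, g350_p1, pix_p2, g350_p2) -> List[Finding]:
    """Return all phase 1 and phase 2 differences between the two peers."""
    return compare("phase1", pix_p1, g350_p1, PHASE1_HARD) + \
           compare("phase2", pix_p2, g350_p2, PHASE2_HARD)

# Values transcribed from the show output in sections 9.3 and 9.4.
PIX_PHASE1 = {"encryption": "3des", "hash": "sha", "authentication": "pre-share",
              "dh_group": "2", "lifetime_sec": 43200}
G350_PHASE1 = {"encryption": "3des", "hash": "sha", "authentication": "Preshared key",
               "dh_group": "2", "lifetime_sec": 86400}
PIX_PHASE2 = {"esp_encryption": "esp-aes", "esp_hash": "esp-sha-hmac", "mode": "Tunnel"}
G350_PHASE2 = {"esp_encryption": "aes", "esp_hash": "sha-hmac", "mode": "Tunnel",
               "lifetime_sec": 3600, "lifetime_kb": 4608000}

if __name__ == "__main__":
    for sev, phase, attr, pix, g350 in check_policies(PIX_PHASE1, G350_PHASE1,
                                                      PIX_PHASE2, G350_PHASE2):
        print(f"{sev:7} {phase} {attr}: PIX={pix} G350={g350}")
```

Run against the values on this page the script reports a single warning, the phase 1 lifetime (43200 on the PIX, 86400 on the G350). That is consistent with what the rest of these notes show: the PIX debug in section 9.5 accepts the 86400-second proposal, and the G350 ISAKMP SA in section 9.8 counts down from 43200, so the peers settled on the shorter value. A differing cipher, hash, authentication method or DH group is reported as an error because main mode will not complete with it.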

4. Verify that the crypto-list is configured with proper wildcard masking and that the crypto map corresponds to the correct transform-set. Any traffic that does not match the crypto-list bypasses IPSec processing. Encrypted ESP packets inherit (or copy) the DSCP value from the original "clear-text" packet.

BR-001(super)# show ip crypto-list 901
Index  Description                      Status     Owner
-----  -------------------------------  ---------  --------------------------
901    Traffic To Be Encrypted          valid      other
  Local address: 110.110.110.2
  Rules:
  Index  Protocol  IP   Wildcard                      Action   Crypto map
  -----  --------  ---  ---------------------------   -------  ----------
  1      Any       Src  192.168.10.0   0.0.0.255      protect  1
                   Dst  192.168.101.0  0.0.0.255
  2      Any       Src  172.21.0.0     0.0.255.255    protect  1
                   Dst  192.168.100.0  0.0.0.255
  3      Any       Src  172.21.0.0     0.0.255.255    protect  1
                   Dst  192.168.100.0  0.0.0.255
  Deflt  Any       Src  Any                           bypass   -
                   Dst  Any
  Applicable crypto maps:
  Id  Description           Remote peer      Transform-set            DSCP
  --  --------------------  ---------------  -----------------------  ----
  1   High P2 Proposal      1.1.1.2          HighAES                  copy
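The crypto-list above uses wildcard (inverse) masks, and the default rule at the bottom sends anything unmatched out in the clear, so a typo in a mask silently turns protected traffic into bypassed traffic. The following script is an added example for these notes, not Avaya code: it reproduces the first-match evaluation of crypto-list 901 with the wildcard semantics described in step 4, and adds a lint that flags a wildcard which looks like a subnet mask (the mask written the wrong way round). The Rule class, the function names and the lint heuristic are assumptions of the example; the rule values are the ones listed above (rules 2 and 3 are identical in the listing, so one copy reproduces the behaviour).

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Wildcard (inverse) mask semantics: a 0 bit in the wildcard must match
    the rule address, a 1 bit is 'don't care'. 0.0.0.255 therefore covers a /24."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)

def looks_like_subnet_mask(wildcard: str) -> bool:
    """A contiguous wildcard is 0...01...1; a subnet mask typed by mistake is
    1...10...0. 0.0.0.0 (single host) and 255.255.255.255 (any) are both valid."""
    w = int(ipaddress.IPv4Address(wildcard))
    if w in (0, 0xFFFFFFFF):
        return False
    inv = ~w & 0xFFFFFFFF
    return (inv + 1) & inv == 0

@dataclass
class Rule:                      # hypothetical model of one crypto-list rule
    index: int
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    action: str                  # "protect" or "bypass"
    crypto_map: Optional[int]    # crypto map id for "protect" rules

# Constructed to mirror crypto-list 901 as shown in step 4 above.
CRYPTO_LIST_901: List[Rule] = [
    Rule(1, "192.168.10.0", "0.0.0.255",   "192.168.101.0", "0.0.0.255", "protect", 1),
    Rule(2, "172.21.0.0",   "0.0.255.255", "192.168.100.0", "0.0.0.255", "protect", 1),
]

def classify(src: str, dst: str,
             rules: List[Rule] = CRYPTO_LIST_901) -> Tuple[object, str, Optional[int]]:
    """First matching rule wins; anything unmatched hits the implicit
    'Deflt ... bypass' rule and leaves the gateway as clear text."""
    for r in rules:
        if wildcard_match(src, r.src, r.src_wc) and wildcard_match(dst, r.dst, r.dst_wc):
            return (r.index, r.action, r.crypto_map)
    return ("Deflt", "bypass", None)

def lint(rules: List[Rule]) -> List[str]:
    """Warnings for wildcards that were probably meant to be the inverse."""
    out = []
    for r in rules:
        for label, wc in (("Src", r.src_wc), ("Dst", r.dst_wc)):
            if looks_like_subnet_mask(wc):
                out.append(f"rule {r.index}: {label} wildcard {wc} looks like a subnet mask")
    return out

if __name__ == "__main__":
    for src, dst in [("192.168.10.5", "192.168.101.20"),   # voice VLAN to HQ voice
                     ("172.21.3.4", "192.168.100.9"),      # data VLAN to HQ data
                     ("192.168.10.5", "192.168.100.9"),    # voice VLAN to HQ data
                     ("172.21.3.4", "8.8.8.8")]:           # data VLAN to Internet
        print(src, "->", dst, classify(src, dst))
    print(lint(CRYPTO_LIST_901))
```

The third sample flow, from the voice VLAN to the Headquarters data network, falls through to the default rule and is bypassed, because no rule pairs those two networks; that is the kind of gap the step asks administrators to check for before the tunnel is brought up. With a subnet mask in place of the wildcard (255.255.255.0 instead of 0.0.0.255) the first rule stops matching any real host and the lint reports it.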

9.5. Verify IKE Negotiations using Cisco PIX 525 Debug Traces

Enable local debug output to the console from the CLI. Start interesting traffic from the G350 Media Gateway side and verify that the ISAKMP (phase 1) SA and the IPSec (phase 2) SAs are created.

HQ(config)# debug crypto ipsec
HQ(config)# debug crypto isakmp
crypto_isakmp_process_block:src:110.110.110.2, dest:1.1.1.2 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 0 against priority 1 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash SHA
ISAKMP:      auth pre-share
ISAKMP:      default group 2
ISAKMP:      life type in seconds
ISAKMP:      life duration (basic) of 86400
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:110.110.110.2, dest:1.1.1.2 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing IKE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:110.110.110.2, dest:1.1.1.2 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated
ISAKMP (0): ID payload
        next-payload : 8
        type         : 1
        protocol     : 17
        port         : 500
        length       : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
VPN Peer: ISAKMP: Added new peer: ip:110.110.110.2/500 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:110.110.110.2/500 Ref cnt incremented to:1 Total VPN Peers:1
crypto_isakmp_process_block:src:110.110.110.2, dest:1.1.1.2 spt:500 dpt:500
OAK_QM exchange
oakley_process_quick_mode: OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 1638545594
ISAKMP : Checking IPSec proposal 1

ISAKMP: transform 1, ESP_AES
ISAKMP:   attributes in transform:
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (basic) of 3600
ISAKMP:      SA life type in kilobytes
ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
ISAKMP:      encaps is 1
ISAKMP:      authenticator is HMAC-SHA
ISAKMP:      key length is 128
ISAKMP (0): atts are acceptable.
IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) dest= 1.1.1.2, src= 110.110.110.2,
    dest_proxy= 192.168.100.0/255.255.255.0/0/0 (type=4),
    src_proxy= 172.21.0.0/255.255.0.0/0/0 (type=4),
    protocol= ESP, transform= esp-aes esp-sha-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x4
ISAKMP (0): processing NONCE payload. message ID = 1638545594
ISAKMP (0): processing ID payload. message ID = 1638545594
ISAKMP (0): ID_IPV4_ADDR_SUBNET src 172.21.0.0/255.255.0.0 prot 0 port 0
ISAKMP (0): processing ID payload. message ID = 1638545594
ISAKMP (0): ID_IPV4_ADDR_SUBNET dst 192.168.100.0/255.255.255.0 prot 0 port 0
IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0xe11252a1(3776074401) for SA
        from 110.110.110.2 to 1.1.1.2 for prot 3
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:110.110.110.2, dest:1.1.1.2 spt:500 dpt:500
OAK_QM exchange
oakley_process_quick_mode: OAK_QM_AUTH_AWAIT
ISAKMP (0): Creating IPSec SAs
        inbound SA from 110.110.110.2 to 1.1.1.2 (proxy 172.21.0.0 to 192.168.100.0)
        has spi 3776074401 and conn_id 1 and flags 4
        lifetime of 3600 seconds
        lifetime of 4608000 kilobytes
        .0 to 172.21.0.0) has spi 24439 and conn_id 2 and flags 4
        lifetime of 7200 seconds
        lifetime of 4608000 kilobytes
IPSEC(key_engine): got a queue event...
IPSEC(initialize_sas): ,
  (key eng. msg.) dest= 1.1.1.2, src= 110.110.110.2,
    dest_proxy= 192.168.100.0/255.255.255.0/0/0 (type=4),
    src_proxy= 172.21.0.0/255.255.0.0/0/0 (type=4),
    protocol= ESP, transform= esp-aes esp-sha-hmac ,
    lifedur= 3600s and 4608000kb,
    spi= 0xe11252a1(3776074401), conn_id= 1, keysize= 128, flags= 0x4
IPSEC(initialize_sas): ,
  (key eng. msg.) src= 1.1.1.2, dest= 110.110.110.2,
    src_proxy= 192.168.100.0/255.255.255.0/0/0 (type=4),
    dest_proxy= 172.21.0.0/255.255.0.0/0/0 (type=4),
    protocol= ESP, transform= esp-aes esp-sha-hmac ,
    lifedur= 3600s and 4608000kb,
    spi= 0x5f77(24439), conn_id= 2, keysize= 128, flags= 0x4
VPN Peer: IPSEC: Peer ip:110.110.110.2/500 Ref cnt incremented to:2 Total VPN Peers:1
VPN Peer: IPSEC: Peer ip:110.110.110.2/500 Ref cnt incremented to:3 Total VPN Peers:1
return status is IKMP_NO_ERROR

9.6. Verify IKE Negotiations using G350 Gateway Syslog

Enable local Syslog message output to the console from the CLI. Start interesting traffic from the G350 Media Gateway side and verify that the ISAKMP (phase 1) SA and the IPSec (phase 2) SAs are created.

BR-001(super)# set logging session enable
BR-001(super)# set logging session condition ISAKMP debug
BR-001(super)# set logging session condition IPSEC debug

09/13/2004,17:30:15:IPSEC-Informational: Call IKE negotiation for outgoing SPD entry 901_1: Peers 110.110.110.2<->1.1.1.2
09/13/2004,17:30:15:ISAKMP-Informational: Initiating IKE phase 1 negotiation: Peers 110.110.110.2<->1.1.1.2
09/13/2004,17:30:16:ISAKMP-Informational: Finished IKE phase 1 negotiation, creating ISAKMP SA: Peers 110.110.110.2<->1.1.1.2
    Icookie - 279c05d31e5920d0, Rcookie - 15dcbafb5e61f247
    esp-3des, esp-sha-hmac, DH group 2, Lifetime 86400 seconds
09/13/2004,17:30:16:ISAKMP-Informational: Initiating IKE phase 2 negotiation: Peers 110.110.110.2<->1.1.1.2
09/13/2004,17:30:16:ISAKMP-Informational: Received IKE notify message: Peers 1.1.1.2<->110.110.110.2, Type INITIAL_CONTACT (24578)
    Icookie - 279c05d31e5920d0, Rcookie - 15dcbafb5e61f247
09/13/2004,17:30:16:ISAKMP-Informational: Finished IKE phase 2, creating outbound IPSEC SA: SPI 0xe11252a1, Peers 110.110.110.2<->1.1.1.2
    Identities: 172.21.0.0/255.255.0.0->192.168.100.0/255.255.255.0
    esp-aes, esp-sha-hmac, 3600 seconds, 4608000 KB
09/13/2004,17:30:16:ISAKMP-Informational: Finished IKE phase 2, creating inbound IPSEC SA: SPI 0x5f77, Peers 1.1.1.2<->110.110.110.2
    Identities: 192.168.100.0/255.255.255.0->172.21.0.0/255.255.0.0
    esp-aes, esp-sha-hmac, 3600 seconds, 4608000 KB
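When these messages are forwarded to a central Syslog collector rather than read at the console, the question an operator wants answered is simply whether phase 1 finished and whether both directions of phase 2 followed it. The following parser is an added example for these notes, not part of the G350 software or of this document. It groups the G350 session log into records (a timestamped line plus its untimestamped continuation lines), extracts the cookies, SPIs, identities and proposals, and classifies the outcome as established, phase1-only, phase2-incomplete or no-phase1. The record layout and the status names are assumptions of the example; the sample log is the section 9.6 output above, constructed here with the continuation lines indented.

```python
import re
from typing import Dict, List

# Constructed sample: the G350 session log lines from section 9.6 above, one
# message per timestamped line with its continuation lines indented beneath it.
SAMPLE_SYSLOG = """\
09/13/2004,17:30:15:IPSEC-Informational: Call IKE negotiation for outgoing SPD entry 901_1: Peers 110.110.110.2<->1.1.1.2
09/13/2004,17:30:15:ISAKMP-Informational: Initiating IKE phase 1 negotiation: Peers 110.110.110.2<->1.1.1.2
09/13/2004,17:30:16:ISAKMP-Informational: Finished IKE phase 1 negotiation, creating ISAKMP SA: Peers 110.110.110.2<->1.1.1.2
    Icookie - 279c05d31e5920d0, Rcookie - 15dcbafb5e61f247
    esp-3des, esp-sha-hmac, DH group 2, Lifetime 86400 seconds
09/13/2004,17:30:16:ISAKMP-Informational: Initiating IKE phase 2 negotiation: Peers 110.110.110.2<->1.1.1.2
09/13/2004,17:30:16:ISAKMP-Informational: Received IKE notify message: Peers 1.1.1.2<->110.110.110.2, Type INITIAL_CONTACT (24578)
    Icookie - 279c05d31e5920d0, Rcookie - 15dcbafb5e61f247
09/13/2004,17:30:16:ISAKMP-Informational: Finished IKE phase 2, creating outbound IPSEC SA: SPI 0xe11252a1, Peers 110.110.110.2<->1.1.1.2
    Identities: 172.21.0.0/255.255.0.0->192.168.100.0/255.255.255.0
    esp-aes, esp-sha-hmac, 3600 seconds, 4608000 KB
09/13/2004,17:30:16:ISAKMP-Informational: Finished IKE phase 2, creating inbound IPSEC SA: SPI 0x5f77, Peers 1.1.1.2<->110.110.110.2
    Identities: 192.168.100.0/255.255.255.0->172.21.0.0/255.255.0.0
    esp-aes, esp-sha-hmac, 3600 seconds, 4608000 KB
"""

HEADER = re.compile(r"^(\d{2}/\d{2}/\d{4}),(\d{2}:\d{2}:\d{2}):([A-Z]+)-(\w+): (.*)$")
PEERS = re.compile(r"Peers (\S+)<->(\S+)")
SPI = re.compile(r"SPI (0x[0-9a-fA-F]+)")
COOKIES = re.compile(r"Icookie - ([0-9a-f]+), Rcookie - ([0-9a-f]+)")
PHASE2 = re.compile(r"Finished IKE phase 2, creating (inbound|outbound) IPSEC SA")
NOTIFY = re.compile(r"Type (\w+ \(\d+\))")

def parse_records(text: str) -> List[Dict]:
    """A timestamped line starts a record; any following line without a
    timestamp is a continuation of the same message."""
    records: List[Dict] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            date, clock, facility, severity, msg = m.groups()
            records.append({"ts": f"{date} {clock}", "facility": facility,
                            "severity": severity, "msg": msg, "detail": []})
        elif records:                 # a continuation before any header is dropped
            records[-1]["detail"].append(line)
    return records

def summarize(text: str) -> Dict:
    """Reduce the log to what an operator checks: the phase 1 SA with its
    cookies and proposal, the phase 2 SAs by direction and SPI, notifies seen."""
    out: Dict = {"phase1": None, "phase2": [], "notifies": []}
    for r in parse_records(text):
        msg, detail = r["msg"], r["detail"]
        peers = PEERS.search(msg)
        if msg.startswith("Finished IKE phase 1"):
            ck = COOKIES.search(" ".join(detail))
            out["phase1"] = {
                "ts": r["ts"],
                "peers": peers.groups() if peers else None,
                "icookie": ck.group(1) if ck else None,
                "rcookie": ck.group(2) if ck else None,
                "proposal": next((d for d in detail if not d.startswith("Icookie")), None),
            }
            continue
        p2 = PHASE2.search(msg)
        if p2:
            spi = SPI.search(msg)
            out["phase2"].append({
                "ts": r["ts"],
                "direction": p2.group(1),
                "spi": spi.group(1) if spi else None,
                "identities": next((d.split(": ", 1)[1] for d in detail
                                    if d.startswith("Identities:")), None),
                "transform": next((d for d in detail if not d.startswith("Identities:")), None),
            })
        elif "Received IKE notify" in msg:
            n = NOTIFY.search(msg)
            out["notifies"].append(n.group(1) if n else msg)
    directions = {sa["direction"] for sa in out["phase2"]}
    if out["phase1"] is None:
        out["status"] = "no-phase1"
    elif directions == {"inbound", "outbound"}:
        out["status"] = "established"
    elif directions:
        out["status"] = "phase2-incomplete"    # only one direction was created
    else:
        out["status"] = "phase1-only"
    return out

if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_SYSLOG), indent=2))
```

The phase 2 entries carry the SPIs (0xe11252a1 outbound, 0x5f77 inbound), which is what lets a collector correlate this log with the SA tables in sections 9.7 and 9.8, and the INITIAL_CONTACT notify is recorded rather than treated as an error, since it is the normal first-contact message seen in the PIX trace of section 9.5.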

9.7. Verify Security Associations (SAs) on the Cisco PIX Firewall

1. Verify the ISAKMP SA using the show command.

HQ(config)# show crypto isakmp sa
Total     : 1
Embryonic : 0
        dst               src        state     pending     created
    1.1.1.2       110.110.110.2    QM_IDLE         0           1

2. Verify IPSec SAs using the show command.

HQ(config)# show crypto ipsec sa detail
interface: outside
    Crypto map tag: BranchVPN, local addr. 1.1.1.2

   local  ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
   current_peer: 110.110.110.2:0
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #pkts no sa (send) 0, #pkts invalid sa (rcv) 0
    #pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
    #pkts invalid prot (recv) 0, #pkts verify failed: 0
    #pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
    #pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
    ##pkts replay failed (rcv): 0
    #pkts internal err (send): 0, #pkts internal err (recv) 0

     local crypto endpt.: 1.1.1.2, remote crypto endpt.: 110.110.110.2
     path mtu 1500, ipsec overhead 0, media mtu 1500
     current outbound spi: 0

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   local  ident (addr/mask/prot/port): (192.168.100.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.21.0.0/255.255.0.0/0/0)
   current_peer: 110.110.110.2:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 63, #pkts encrypt: 63, #pkts digest 63
    #pkts decaps: 64, #pkts decrypt: 64, #pkts verify 64
    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #pkts no sa (send) 0, #pkts invalid sa (rcv) 0
    #pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
    #pkts invalid prot (recv) 0, #pkts verify failed: 0
    #pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
    #pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
    ##pkts replay failed (rcv): 0
    #pkts internal err (send): 0, #pkts internal err (recv) 0

     local crypto endpt.: 1.1.1.2, remote crypto endpt.: 110.110.110.2
     path mtu 1500, ipsec overhead 64, media mtu 1500
     current outbound spi: 5f77

     inbound esp sas:
      spi: 0xe11252a1(3776074401)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 1, crypto map: BranchVPN
        sa timing: remaining key lifetime (k/sec): (4607993/2104)
        IV size: 16 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x5f77(24439)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2, crypto map: BranchVPN
        sa timing: remaining key lifetime (k/sec): (4607996/2102)
        IV size: 16 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:

9.8. Verify Security Associations (SAs) on the G350 Gateway

1. Verify the ISAKMP SA using the show command.

BR-001(super)# show crypto isakmp sa
C-id  Local            Remote           State    Cipher   Hash  Auth  DH  Sec left
----  ---------------  ---------------  -------  -------  ----  ----  --  --------
4     110.110.110.2    1.1.1.2          Ready    3des     sha   psk   2   43002

2. Verify inbound and outbound IPSec SAs using the show command.

BR-001(super)# show crypto ipsec sa detail
Inbound pkts errors (global):
  Invalid spi        0
  Invalid interface  0

Interface: Serial 2/1:1.1
  Crypto list id: 901, Local address: 110.110.110.2

  Rule: 1, Crypto map: 1
  Local address: 110.110.110.2, Remote address: 1.1.1.2
  Local identity: 192.168.10.0/255.255.255.0
  Remote identity: 192.168.101.0/255.255.255.0
  path mtu 1500, media mtu 1500
  Current outbound spi: 0x0

  Inbound packets                    Outbound packets
  ---------------------------------  -------------------------------
  Total                0             Total                0
  Total OK             0             Total OK             0
  Decrypt              0             Encrypt              0
  Verify               0             Digest               0
  Decaps               0             Encaps               0
  Total discards       0             Total discards       0
  Invalid len          0             No sa                0
  Replay failed        0             Seq rollover         0
  Sa expired           0             Sa expired           0
  Auth failed          0             Bad padding          0
  Invalid idenitity    0             Unprotected          0
  Other discards       0             Other discards       0

  Rule: 2, Crypto map: 1
  Local address: 110.110.110.2, Remote address: 1.1.1.2
  Local identity: 172.21.0.0/255.255.0.0
  Remote identity: 192.168.100.0/255.255.255.0
  path mtu 1500, media mtu 1500
  Current outbound spi: 0xe11252a1

  Inbound packets                    Outbound packets
  ---------------------------------  -------------------------------
  Total                257           Total                258
  Total OK             257           Total OK             257
  Decrypt              257           Encrypt              257
  Verify               257           Digest               257
  Decaps               257           Encaps               257
  Total discards       0             Total discards       1
  Invalid len          0             No sa                1
  Replay failed        0             Seq rollover         0
  Sa expired           0             Sa expired           0
  Auth failed          0             Bad padding          0
  Invalid idenitity    0             Unprotected          0
  Other discards       0             Other discards       0

  SA Type        SPI         Transform      PFS  Secs left   KB left     Mode
  -------------  ----------  -------------  ---  ----------  ----------  ---------
  Inbound ESP    0x5f77      esp-aes        No   2939        4607969     Tunnel
                             esp-sha-hmac
  Outbound ESP   0xe11252a1  esp-aes        No   2939        4607969     Tunnel
                             esp-sha-hmac

9.9. Verify G350 Media Gateway Call Controller/Registration Status

1. Check the MGC controller status from the G350 Media Gateway CLI.

BR-001(super)# show mgc

CALL CONTROLLER STATUS
-------------------------------------------
Registered          : YES
Active Controller   : 192.168.101.6
H248 Link Status    : UP
H248 Link Error Code: 0x0

CONFIGURED MGC HOST
---------------------
192.168.101.6
192.168.10.2
-- Not Available --
-- Not Available --

2. Verify the registration status of the Avaya G350 Media Gateway with the S8700 Media Servers via the Avaya Communication Manager SAT.

display media-gateway 1
                                   MEDIA GATEWAY

              Number: 1                         IP Address: 192.168.10.1
                Type: g350            FW Version/HW Vintage: 23.10.0 /1
                Name: BR                       MAC Address: 00:04:0d:29:d2:f5
           Serial No: 03IS69612658           Encrypt Link? y
      Network Region: 2                           Location: 1
         Registered? y                Controller IP Address: 192.168.101.6
           Site Data:

  Slot   Module Type     Name
    V1:  S8300           ICC MM
    V2:  MM340           DS1 WAN MM
    V3:
    V4:  MM712           DCP MM
    V5:  MM711           ANA MM
    V6:  MM314           ETH 24P MM
    V7:  virtual-analog  ANA VMM
    V8:
    V9:

9.10. Place Test Calls

Place calls between the Branch Office and the Headquarters. Verify call establishment and voice quality over the VPN. Add a third telephone at each location (not depicted in the diagram). Attempt to place a third call and verify that the Inter Network Region Connection Management blocks the third call attempt.

10. VPN Troubleshooting Tips

Recommended troubleshooting order:
1. Physical Connectivity
2. Network Connectivity
3. Confirm Phase 1 ISAKMP SA establishment
4. Confirm Phase 2 inbound and outbound IPSec SA establishment
5. Confirm bi-directional VPN forwarding

If Layer 3 connectivity appears to be working correctly, always check SA establishment. If an ISAKMP SA and IPSec SAs are created between the peers, the problem is usually routing. Check the encryption and decryption statistics for the IPSec SAs. If there is a routing problem on one side of the tunnel, the Administrator will notice encryption/decryption in only one direction. This usually indicates that the remote network cannot route back through the tunnel.

VPNs typically break because of administration errors. The most commonly encountered problems with VPNs are either mismatched ISAKMP or IPSec security attributes or routing problems. Be sure to pay very close attention to these configuration items when administering a new VPN.
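The troubleshooting order above can be applied mechanically to the counters that sections 9.7 and 9.8 show. The following script is an added example for these notes, not Cisco or Avaya software and not part of this document: it pulls the "#pkts" counters out of the PIX show crypto ipsec sa detail output and walks the five-step order, stopping at the first step that fails, so that a one-way encrypt/decrypt pattern is reported as the routing problem the text describes rather than as a crypto failure. The function names, the message wording and the phase1_up/esp_sa_count inputs are assumptions of the example; the sample counters are the second crypto-map entry from section 9.7.

```python
import re
from typing import Dict

# Constructed from the second crypto-map entry in the PIX "show crypto ipsec sa
# detail" output of section 9.7 (the entry that carried traffic).
PIX_SAMPLE = """\
    #pkts encaps: 63, #pkts encrypt: 63, #pkts digest 63
    #pkts decaps: 64, #pkts decrypt: 64, #pkts verify 64
    #pkts no sa (send) 0, #pkts invalid sa (rcv) 0
    #pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
    ##pkts replay failed (rcv): 0
"""

# Every "#pkts <name>[:] <n>" pair; the name may contain spaces, dots and
# parentheses, e.g. "no sa (send)" or "compr. failed".
COUNTER = re.compile(r"#pkts ([a-z .()]+?):? (\d+)")

def pix_counters(text: str) -> Dict[str, int]:
    """Return the PIX per-SA counters as a name -> value map."""
    return {name.strip(): int(num) for name, num in COUNTER.findall(text)}

def triage(phase1_up: bool, esp_sa_count: int, c: Dict[str, int]) -> str:
    """Apply the recommended order: phase 1, phase 2, then forwarding direction.
    phase1_up: an ISAKMP SA exists (QM_IDLE on the PIX, Ready on the G350).
    esp_sa_count: number of ESP SAs present; a working tunnel has one per direction."""
    if not phase1_up:
        return ("phase1: no ISAKMP SA; check peer reachability on UDP/500, the "
                "pre-shared key and the ISAKMP policy attributes")
    if esp_sa_count < 2:
        return ("phase2: ISAKMP SA is up but an inbound or outbound IPSec SA is "
                "missing; check transform-set, PFS and the proxy identities "
                "(crypto-list versus crypto ACL)")
    if (c.get("decaps failed (rcv)", 0) or c.get("invalid sa (rcv)", 0)
            or c.get("replay failed (rcv)", 0)):
        return ("integrity: packets arrive but fail decapsulation; clear the phase 2 "
                "SAs on both sides and let them re-establish")
    enc, dec = c.get("encaps", 0), c.get("decaps", 0)
    if enc and not dec:
        return ("routing: encrypting but never decrypting; the remote network "
                "cannot route back through the tunnel")
    if dec and not enc:
        return ("routing: decrypting but never encrypting; local return traffic is "
                "not routed into the tunnel or does not match the crypto-list")
    if not enc and not dec:
        return ("no traffic: nothing has matched the crypto-list/ACL yet; check the "
                "routes and the interesting-traffic definition")
    return f"ok: bi-directional forwarding ({enc} encapsulated, {dec} decapsulated)"

if __name__ == "__main__":
    counters = pix_counters(PIX_SAMPLE)
    print(counters)
    print(triage(True, 2, counters))
    print(triage(True, 2, {"encaps": 10, "decaps": 0}))   # constructed one-way case
```

On the page's own numbers (63 encapsulated, 64 decapsulated, two ESP SAs, ISAKMP in QM_IDLE) the result is the "ok" line; the constructed one-way case is what an administrator sees when the Headquarters side has no route back to the branch networks, which is why the text says to look at the counters before touching the crypto settings.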

10.1. How to Clear All G350 Gateway (Phase 2) IPSec SAs

The following command may be used to clear all IPSec SAs from the G350 Media Gateway.

BR-001(super)# clear crypto sa all

10.2. How to Clear All G350 (Phase 1) ISAKMP SAs

The following command may be used to clear all ISAKMP SAs from the G350 Media Gateway. Administrators should always clear the phase 2 IPSec SAs prior to clearing the phase 1 ISAKMP SAs in order to ensure proper operation. Some third-party vendor implementations may lose traffic for an extended period of time if ISAKMP SAs are cleared before IPSec SAs.

BR-001(super)# clear crypto isakmp

Alternatively, the Administrator may choose to remove a specific ISAKMP SA from the list of SAs based on its C-id.

BR-001(super)# show crypto isakmp sa
C-id  Local            Remote           State    Cipher   Hash  Auth  DH  Sec left
----  ---------------  ---------------  -------  -------  ----  ----  --  ----------
4     110.110.110.2    1.1.1.2          Ready    3des     sha   psk   2   43002
BR-001(super)# clear crypto isakmp 4

11. Terminology

AES     An acronym for Advanced Encryption Standard. AES is a Federal Information Processing Standard (FIPS) for protecting sensitive, unclassified information.

IANA    The Internet Assigned Numbers Authority.

IKE     Internet Key Exchange protocol. Used to negotiate phase 1 and phase 2 Security Associations (SAs).

IPSec   IP Security. IPSec SAs are responsible for governing how traffic between designated networks is protected.

ISAKMP  Internet Security Association and Key Management Protocol. A peer-to-peer ISAKMP SA governs the protection of Security Associations and key management over a secure channel. ISAKMP SAs are used to establish, negotiate, modify and delete Security Associations.

TEP     Tunnel End Point. An interface IP address that transmits and receives IKE negotiations and processes ESP encrypted packets.

SA      Security Association. A Security Association (SA) is a simplex "connection" that affords security services to the traffic carried by it. – RFC 2401

12. Conclusion

Site-to-Site VPN connectivity between the Avaya G350 Media Gateway and the Cisco PIX 525 Firewall using AES-128 encryption with Perfect Forward Secrecy (PFS) can be achieved using the guidelines demonstrated in these Application Notes. The Call Admission Control (CAC) and Quality of Service (QoS) administration steps described allow voice traffic to traverse the WAN successfully, even when congestion caused by data applications occurs. The steps described in these Application Notes may be generalized for most configurations.

13. Additional References

The following references are publicly available on the Internet from the IETF, Avaya and Cisco:

[1] Avaya G350 Media Gateway Administration Guide
[2] Avaya G350 Media Gateway Command Line Interface (CLI) Guide
[3] RFC 2401, Security Architecture for the Internet Protocol, November 1998
[4] RFC 2402, IP Authentication Header, November 1998
[5] RFC 2404, The Use of HMAC-SHA-1-96 within ESP and AH, November 1998
[6] RFC 2406, IP Encapsulating Security Payload (ESP), November 1998
[7] RFC 2407, The Internet IP Security Domain of Interpretation for ISAKMP, November 1998
[8] RFC 2408, The Internet Security Association and Key Management Protocol (ISAKMP), November 1998
[9] RFC 2409, The Internet Key Exchange (IKE), November 1998
[10] FIPS 197, Advanced Encryption Standard (AES), November 2001
[11] Cisco PIX Command Reference, Version 6.3

©2005 Avaya Inc. All Rights Reserved. Avaya and the Avaya Logo are trademarks of Avaya Inc. All trademarks identified by ® and ™ are registered trademarks or trademarks, respectively, of Avaya Inc. All other trademarks are the property of their respective owners. The information provided in these Application Notes is subject to change without notice. The configurations, technical data, and recommendations provided in these Application Notes are believed to be accurate and dependable, but are presented without express or implied warranty. Users are responsible for their application of any products specified in these Application Notes. Please e-mail any questions or comments pertaining to these Application Notes along with the full title name and filename, located in the lower right corner, directly to the Avaya Solution & Interoperability Test Lab at [email protected]

