
JF; Reviewed: SPOC 9/2/2008

Solution & Interoperability Test Lab Application Notes ©2008 Avaya Inc. All Rights Reserved.

1 of 42 G450_PIX_VPN.doc

Avaya Solution & Interoperability Test Lab

IPSec Virtual Private Network (VPN) between an Avaya G450 Media Gateway and a Cisco PIX 515 Firewall - Issue 1.0

Abstract

These Application Notes provide a sample configuration to configure an IPSec Virtual Private Network (VPN) between an Avaya G450 Media Gateway and a Cisco PIX 515 Firewall, over a Frame Relay Wide Area Network (WAN). The Avaya G450 Media Gateway is controlled by an Avaya S8500 Server. The sample configuration uses the Internet Key Exchange (IKE) protocol to establish a secure Internet Security Association and Key Management Protocol (ISAKMP) control channel between the Avaya G450 Media Gateway and the Cisco PIX 515. In addition, Advanced Encryption Standard (AES) and Perfect Forward Secrecy (PFS) are also provisioned.


1. Introduction (page 4)
2. Equipment and Software Validated (page 7)
3. Configure the Avaya G450 Media Gateway (page 8)
   3.1. Ethernet Interface Configuration (page 8)
   3.2. WAN Interface Configuration (page 8)
   3.3. Access Control List Configuration (optional) (page 9)
   3.4. Frame Relay Sub-Interface Configuration (page 11)
   3.5. IP Routing Configuration (page 11)
   3.6. Virtual Private Network (VPN) Configuration (page 11)
4. Configure the Cisco 3825 Router (page 14)
   4.1. Ethernet Interface Configuration (page 14)
   4.2. Serial Interface Configuration (page 14)
   4.3. Serial Sub-Interface Configuration (page 15)
   4.4. IP Routing Configuration (page 15)
5. Configure the Cisco 2811 Router (page 16)
   5.1. Enable Frame Relay Switching (page 16)
   5.2. Serial Interface Configuration (page 16)
6. Configure the Cisco PIX 515 Firewall (page 17)
   6.1. Inside and Outside Interface Configuration (page 17)
   6.2. IP Routing Configuration (page 17)
   6.3. Virtual Private Network (VPN) Configuration (page 17)
7. Configure Avaya Communication Manager (page 19)
   7.1. Avaya G450 Media Gateway Serial Number (page 19)
   7.2. Add the Avaya G450 Media Gateway (page 19)
   7.3. Configure IP-Codec Sets (page 20)
   7.4. Configure IP-Network-Regions (page 21)
   7.5. Configure IP-Network-Map (page 23)
   7.6. Save Translations (page 23)
8. Configure Avaya 96xx SIP IP Telephone Codec Type (page 23)
   8.1. Configure 46xxsettings.txt File to Enable the G.729B Codec (page 24)
9. Verification Steps (page 25)
   9.1. Verify Cisco PIX 515 Firewall Interfaces and Routing (page 25)
   9.2. Avaya G450 Media Gateway Interfaces and Routing (page 26)
   9.3. Verify Cisco PIX 515 Firewall VPN Policies (page 27)
   9.4. Verify G450 Media Gateway VPN Policies (page 28)


   9.5. Verify IKE Negotiations using Cisco PIX 515 Firewall Debug Traces (page 29)
   9.6. Verify IKE Negotiations using G450 Gateway Syslog (page 33)
   9.7. Verify Security Associations (SAs) on the Cisco PIX 515 Firewall (page 34)
   9.8. Verify Security Associations (SAs) on the G450 Gateway (page 36)
   9.9. Verify the Avaya G450 Media Gateway Registration Status (page 37)
   9.10. Place Test Calls (page 38)
10. VPN Troubleshooting (page 39)
   10.1. Clearing Avaya G450 Media Gateway SAs (page 39)
   10.2. Capturing IPSEC Data on the Avaya G450 Media Gateway (page 40)
11. Conclusion (page 40)
12. References (page 41)


1. Introduction

These Application Notes describe a site-to-site IPSec Virtual Private Network (VPN) between an Avaya G450 Media Gateway and a Cisco PIX 515 Firewall (Figure 1). The sample configuration uses an IPSec VPN to secure communications between a Branch office containing Avaya IP Telephones (SIP and H.323) and an Avaya G450 Media Gateway, and the Main office containing an Avaya S8500C Server, Avaya G650 Media Gateway, Avaya SIP Enablement Services (SES) and Avaya IP Telephones (SIP and H.323). The Main office uses a Cisco PIX 515 Firewall to terminate the VPN. The Branch and Main offices are connected via a Frame Relay Wide Area Network (WAN) utilizing T1 circuits. A Cisco 2811 router is used in the reference configuration to simulate the WAN network and provide Frame Relay switching between the offices.

Note – These Application Notes describe the provisioning of the sample configuration as it applies to configuring an IPSec VPN tunnel between the Avaya G450 Media Gateway and the Cisco PIX 515 Firewall. Provisioning of the sample configuration infrastructure is not covered.

Figure 1 – IPSec VPN Sample Configuration.


The sample configuration uses the Internet Key Exchange (IKE) protocol to establish a secure Internet Security Association and Key Management Protocol (ISAKMP) control channel between two peers; the Avaya G450 Media Gateway and the Cisco PIX 515.

ISAKMP defines procedures and packet formats to establish, negotiate, modify and delete Security Associations (SA). SAs contain all the information required for execution of various network security services. ISAKMP defines payloads for exchanging key generation and authentication data. These formats provide a consistent framework for transferring key and authentication data which is independent of the key generation technique, encryption algorithm and authentication mechanism. There may be many different key exchange protocols, each with different security properties. However, a common framework is required for agreeing to the format of SA attributes, and for negotiating, modifying, and deleting SAs. ISAKMP serves as this common framework.

IKE establishes an ISAKMP SA by negotiating proposals in an exchange known as Phase 1 (Main Mode). In order to successfully establish an ISAKMP SA, both peers must agree to a common set of security attributes contained within the Phase 1 proposal.

1. ISAKMP Phase One (Main Mode, MM)

a. Negotiate and establish an ISAKMP SA, a secure communication channel for further IKE communication. The two systems generate a Diffie-Hellman shared value (a method to generate a symmetric key where two parties can exchange values and generate the same symmetric key) that is used as the base for a symmetric shared key, and further IKE communication is encrypted using this symmetric key.

b. Verify the remote system’s identity (primary authentication)

The following ISAKMP security attributes are administered on both peers in the sample configuration (see Sections 3.6 and 6.3).

• ISAKMP (Phase 1) proposal:
  o Encryption Algorithm: 3DES
  o Hash Algorithm: SHA
  o Lifetime (seconds): 86400
  o Diffie-Hellman Group: 2

Once an ISAKMP SA is established, both peers can negotiate IPSec security attributes necessary to establish IPSec SAs. The IKE protocol does this in a second proposal exchange known as Phase 2 (or Quick Mode).

2. ISAKMP Phase Two (Quick Mode, QM)

a. Using the secure communication channel provided by the ISAKMP/MM SA, negotiate one or more SAs for IPSec transforms (AH or ESP). A Phase Two negotiation typically negotiates two SAs for an IPSec transform: one for inbound and one for outbound traffic.


The following IPSec security attributes were administered on both peers in the sample configuration (see Sections 3.6 and 6.3).

• IPSec (Phase 2) proposal:
  o Encryption Algorithm: AES-ESP
  o Hash Algorithm: HMAC-SHA-ESP
  o Security Association Lifetime (seconds): 3600
  o Perfect Forward Secrecy: Enabled
  o Diffie-Hellman Group: 2

IP Encapsulating Security Payload (ESP) protocol is used to secure traffic in the sample configuration because of the added confidentiality protection it provides. The sample configuration uses the Advanced Encryption Standard with a 128-bit key (AES-128) to protect communications between the Branch office and the Main office. Perfect Forward Secrecy (PFS) was also enabled on the VPN. The PFS feature provides additional security protection by deriving new secret keys from a second Diffie-Hellman key agreement. This is advantageous because, if one key on a given tunnel is compromised, all previous and subsequent keys remain secure: they are no longer derived from previous keys.

During periods of congestion in the Wide Area Network (WAN) it is possible that IPSec packets are queued such that they arrive at the G450 Media Gateway out of sequence. For devices that support only a very small anti-replay window, the end result would be dropped ESP packets and the loss of all data contained within them. To counteract this problem, the Avaya G450 Media Gateway implements a large 1K anti-replay window in order to sustain data forwarding and avoid potential data loss even when IPSec packets arrive severely out of sequence.
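The following is an added example and not part of these Application Notes: a bitmap anti-replay window in the style of RFC 4303 Appendix A, run over a constructed ESP sequence-number stream in which a block of 300 packets is delayed by WAN congestion. It shows why a small (64-entry) window drops the late packets as "too old" while a 1K (1024-entry) window accepts them, and that both sizes still reject a genuine replay inside the window.

```python
# Added example, not part of the Avaya Application Notes: a bitmap anti-replay
# window in the style of RFC 4303 (ESP) Appendix A, used to show why a small
# window drops reordered ESP packets while the G450's 1K (1024) window keeps them.
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class AntiReplayWindow:
    """Receiver-side replay check for one inbound SA.

    Bit i of `bitmap` is set when sequence number (highest - i) has been accepted,
    so bit 0 always represents the highest sequence number seen so far.
    """
    size: int                  # window width in sequence numbers, e.g. 64 or 1024
    highest: int = 0           # highest sequence number accepted so far
    bitmap: int = 0
    accepted: int = 0
    dropped_late: int = 0      # older than the window ("arrived too late")
    dropped_replay: int = 0    # duplicate of a sequence number already accepted

    def check(self, seq: int) -> bool:
        """Accept (and record) `seq`, or reject it. Returns True when accepted."""
        if seq == 0:           # ESP never uses sequence number 0
            self.dropped_replay += 1
            return False
        if seq > self.highest:
            # New high-water mark: slide the window forward by the gap and mark seq.
            shift = seq - self.highest
            self.bitmap = (self.bitmap << shift) if shift < self.size else 0
            self.bitmap = (self.bitmap | 1) & ((1 << self.size) - 1)
            self.highest = seq
            self.accepted += 1
            return True
        offset = self.highest - seq
        if offset >= self.size:
            self.dropped_late += 1
            return False
        if self.bitmap & (1 << offset):
            self.dropped_replay += 1
            return False
        self.bitmap |= 1 << offset
        self.accepted += 1
        return True


def build_congested_stream() -> list[int]:
    """Constructed arrival order for 1300 ESP packets on one SA.

    Packets 501-800 are queued behind 801-1100 by WAN congestion, so they arrive
    300 positions late; a duplicate of packet 1000 is appended as a genuine replay.
    """
    stream = list(range(1, 501))
    stream += list(range(801, 1101))   # overtook the delayed block
    stream += list(range(501, 801))    # the delayed block, now 300..599 behind the high mark
    stream += list(range(1101, 1301))
    stream.append(1000)                # replay: must be rejected by every window size
    return stream


def run_window(size: int, stream: list[int]) -> dict[str, int]:
    """Feed `stream` through a window of `size` and return the accept/drop counters."""
    window = AntiReplayWindow(size)
    for seq in stream:
        window.check(seq)
    return {
        "accepted": window.accepted,
        "dropped_late": window.dropped_late,
        "dropped_replay": window.dropped_replay,
    }


if __name__ == "__main__":
    stream = build_congested_stream()
    for size in (64, 1024):
        print(f"window {size:>4}: {run_window(size, stream)}")
```

With the 64-entry window all 300 delayed packets are discarded (301 drops including the replay, which is also outside the window); with the 1024-entry window every delayed packet is accepted and only the duplicate is rejected.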


2. Equipment and Software Validated

Equipment | Firmware | Software
Avaya S8500C Server | - | Avaya Communication Manager 5.0 (R015x.00.0.825.4)
Avaya G650 Media Gateway: IPSI – TN2312BP, CLAN – TN799DP, MedPro – TN2302AP | HW15 FW040, HW01 FW024, HW20 FW117, HW02 FW018 | -
Avaya G450 Media Gateway | 27.26.0 | -
MM340 WAN | - | -
Avaya SIP Enablement Services (SES) (Edge and Home) | - | 5.0 (5.0.0.0-825.31)
Avaya 4621 SW IP Telephones (H.323) | a20d01b3_8.bin | -
Avaya 4621 SW IP Telephone (SIP) | s20d01b2.2.2.bin | -
Avaya 9640 IP Telephone (SIP) | 2.0.1.34(5) | -
Cisco 3825 Router | - | c3825-spservicesk9-mz 12.3(11)T
Cisco 2811 Router | - | c2800nm-ipvoicek9-mz.124-12.bin
Cisco PIX 515 Firewall | - | 6.3(5)
Wireshark IP Protocol Analyzer | - | V 0.99.5


3. Configure the Avaya G450 Media Gateway

The following steps use the Avaya G450 Media Gateway command line interface (CLI). Refer to [1] for more information. Parameter values shown are specific to the sample configuration shown in Figure 1.

3.1. Ethernet Interface Configuration

This section defines the Ethernet interface for the Avaya G450 Media Gateway as well as defining the address of Avaya Communication Manager in the Main office for registration purposes.

1. Configure an Ethernet interface for the Voice domain on the Avaya G450 Media Gateway.
   a. interface vlan 2
      Creates the interface Vlan2.
   b. ip address 73.73.73.2 255.255.255.0
      Sets the network IP address and mask for the Avaya G450 Media Gateway.
   c. pmi
      Sets the Primary Management Interface.
   d. exit

2. Configure the Media Gateway Controller (MGC) list. This list specifies the IP address of the C-LAN board located in the Avaya G650 Media Gateway at the Main office. The Avaya G450 Media Gateway will register to this address.
   a. set mgc list 50.50.50.100
   b. exit

   interface Vlan 2
     icc-vlan
     ip address 73.73.73.2 255.255.255.0
     pmi
   exit
   set mgc list 50.50.50.100
   set mediaserver 50.50.50.100 50.50.50.100 23 telnet
   set mediaserver 50.50.50.100 50.50.50.100 5023 sat

Figure 2 – Avaya G450 Media Gateway IP Interface Configuration

3.2. WAN Interface Configuration

The following commands configure the MM340 WAN module as a T1 Frame Relay interface. In the sample configuration, the MM340 WAN module is located in slot 8 of the Avaya G450 Media Gateway.

1. Configure the MM340 module as a T1 interface.
   a. ds-mode t1

2. Configure the T1 controller.
   a. controller t1 8/1
   b. linecode b8zs
   c. framing esf
   d. channel-group 1 timeslots 1-24 speed 64
   e. clock source line (default)
   f. exit


3. Configure the Serial interface.
   a. interface Serial 8/1:1
   b. encapsulation frame-relay ietf
   c. frame-relay lmi-type ansi
   d. exit

   ds-mode t1
   !
   controller t1 8/1
     linecode b8zs
     framing esf
     channel-group 1 timeslots 1-24 speed 64
   exit
   !
   interface Serial 8/1:1
     encapsulation frame-relay ietf
     frame-relay lmi-type ansi
   exit

Figure 3 – Avaya G450 Media Gateway WAN Interface Configuration

3.3. Access Control List Configuration (optional)

An Access Control List (ACL) can be specified to permit trusted traffic only. The sample configuration will work with or without the inbound ACL in place. However, it is recommended that an ACL be implemented on all public-facing interfaces in order to limit external access.

Note - Rule restrictions should be based on individual network security requirements. The rules specified below should be viewed as examples and not as a security template.

The following ACL rules are defined in the sample configuration:

• Rule 1 - Allow ICMP messages to reach the Avaya G450 Media Gateway local address for Path MTU Discovery (PMTUD) from any source. PMTUD is a technique for determining the maximum transmission unit size on the network path between two IP hosts to avoid IP fragmentation.
• Rule 2 - Permit IKE protocol (UDP port 500) message exchanges from the peer to the Avaya G450 Media Gateway local address.
• Rule 3 - Permit ESP protocol traffic from the peer to the Avaya G450 Media Gateway local address.
• Rule 4 - Permit any traffic between trusted voice networks.
• Rule Default - Deny any other traffic flows, which do not match ACL criteria.

1. Configure ACL 301.
   a. ip access-control-list 301
   b. name "Permit VPN Traffic Only"

2. Create ACL rules.
   a. ip-rule 1
      i. ip-protocol icmp
      ii. destination-ip host 30.30.30.2
          Serial sub-interface IP address of the Avaya G450 Media Gateway (see Section 3.4).
      iii. exit
   b. ip-rule 2


      i. ip-protocol udp
      ii. destination-ip host 30.30.30.2
      iii. udp destination-port eq Ike
      iv. exit
   c. ip-rule 3
      i. ip-protocol esp
      ii. destination-ip host 30.30.30.2
      iii. exit
   d. ip-rule 4
      i. source-ip 50.50.50.0 0.0.0.255
         Main office voice subnet.
      ii. destination-ip 73.73.73.0 0.0.0.255
         Branch office voice subnet.
      iii. exit
   e. ip-rule default
      i. composite-operation "Deny"
      ii. exit
   f. exit

   ip access-control-list 301
     name "Permit VPN Traffic Only"
     !
     ip-rule 1
       ip-protocol icmp
       destination-ip host 30.30.30.2
     exit
     ip-rule 2
       ip-protocol udp
       destination-ip host 30.30.30.2
       udp destination-port eq Ike
     exit
     ip-rule 3
       ip-protocol esp
       destination-ip host 30.30.30.2
     exit
     ip-rule 4
       source-ip 50.50.50.0 0.0.0.255
       destination-ip 73.73.73.0 0.0.0.255
     exit
     ip-rule default
       composite-operation "Deny"
     exit
     !
   exit

Figure 4 – Avaya G450 Media Gateway ACL Configuration
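The following is an added example and not part of these Application Notes: it models ACL 301 as configured above and evaluates constructed inbound packets against it, using first-match semantics, permit for rules 1 to 4 (as their descriptions state) and deny for the default rule. The address/wildcard pairs follow the inverse-mask convention of the CLI (0 bits must match, 1 bits are ignored); the sample packets and the Telnet/off-subnet cases are constructed. Note that rules 2 and 3 as configured match on destination only, so the "from the peer" in their descriptions is not enforced by a source-ip match.

```python
# Added example, not part of the Avaya Application Notes: evaluate the G450
# ACL 301 rules of Section 3.3 against constructed packets. Matching follows the
# rule descriptions: first matching rule wins, rules 1-4 permit, the default
# rule denies. Wildcard masks use the inverse-mask convention of the G450 CLI
# (0 bits must match, 1 bits are ignored), so 0.0.0.255 means "the whole /24".
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

IKE_UDP_PORT = 500  # "udp destination-port eq Ike" in the ACL


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True when `addr` equals `base` on every bit that is 0 in `wildcard`."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str                 # "icmp", "udp", "esp", "tcp", ...
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    number: int
    action: str
    protocol: Optional[str] = None
    src: Optional[tuple[str, str]] = None   # (address, wildcard); None means any
    dst: Optional[tuple[str, str]] = None
    dst_port: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.protocol is not None and p.protocol != self.protocol:
            return False
        if self.src is not None and not wildcard_match(p.src, *self.src):
            return False
        if self.dst is not None and not wildcard_match(p.dst, *self.dst):
            return False
        if self.dst_port is not None and p.dst_port != self.dst_port:
            return False
        return True


# ACL 301 as configured in Section 3.3. Rules 2 and 3 carry no source-ip
# match, so "from the peer" in their descriptions is not enforced here either.
HOST = "0.0.0.0"  # wildcard for "host": every address bit must match
ACL_301 = [
    Rule(1, "permit", protocol="icmp", dst=("30.30.30.2", HOST)),
    Rule(2, "permit", protocol="udp", dst=("30.30.30.2", HOST), dst_port=IKE_UDP_PORT),
    Rule(3, "permit", protocol="esp", dst=("30.30.30.2", HOST)),
    Rule(4, "permit", src=("50.50.50.0", "0.0.0.255"), dst=("73.73.73.0", "0.0.0.255")),
]


def evaluate(acl: list[Rule], packet: Packet) -> tuple[str, Optional[int]]:
    """Return (action, matching rule number); ('deny', None) is the default rule."""
    for rule in acl:
        if rule.matches(packet):
            return rule.action, rule.number
    return "deny", None


# Constructed packets as they would arrive inbound on Serial 8/1:1.1.
SAMPLE_PACKETS = [
    Packet("1.1.1.2", "30.30.30.2", "udp", 500),        # IKE from the PIX outside address
    Packet("1.1.1.2", "30.30.30.2", "esp"),             # ESP from the PIX
    Packet("30.30.30.1", "30.30.30.2", "icmp"),         # ICMP for PMTUD from the 3825
    Packet("50.50.50.10", "73.73.73.20", "udp", 5060),  # Main-office voice to Branch voice
    Packet("198.51.100.7", "30.30.30.2", "tcp", 23),    # Telnet to the gateway: denied
    Packet("1.1.1.2", "30.30.30.1", "udp", 500),        # IKE to some other host: denied
    Packet("50.50.51.1", "73.73.73.20", "udp", 5060),   # outside the /24 wildcard: denied
]

if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        action, rule = evaluate(ACL_301, p)
        print(f"{p.protocol:5} {p.src:>13} -> {p.dst:<12} {action} (rule {rule})")
```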


3.4. Frame Relay Sub-Interface Configuration

The following commands configure the Serial sub-interface for the Frame Relay circuit to the Cisco 3825 router in the Main office (see Section 4.3).

1. Configure the Serial sub-interface.
   a. interface Serial 8/1:1.1 point-to-point
   b. description "To_2811_WAN_Router"
   c. ip access-group 301 in
      Value 301 is defined in Section 3.3, Step 1.
   d. frame-relay interface-dlci 101 ietf
      The DLCI value must match the Cisco 3825 (see Section 4.3) as well as the Cisco 2811 (see Section 5.2).
   e. ip address 30.30.30.2 255.255.255.0
   f. exit

   interface Serial 8/1:1.1 point-to-point
     description "To_Frame_Relay_Switch"
     ip access-group 301 in
     frame-relay interface-dlci 101 ietf
     ip address 30.30.30.2 255.255.255.0
   exit

Figure 5 – Avaya G450 Media Gateway Frame Relay Configuration

3.5. IP Routing Configuration

Routing information must be provided to reach the Main office Voice IP domain (50.50.50.0). In the sample configuration, static routing is used.

1. Configure the default route for the Avaya G450 Media Gateway. The address specified is the IP address of the Frame Relay interface of the Cisco 3825 router in the Main office.
   a. ip route 0.0.0.0 0.0.0.0 30.30.30.1

3.6. Virtual Private Network (VPN) Configuration

Note: A valid VPN license must be installed on the Avaya G450 to enable these features. See [1] for more information.

Note: The ISAKMP policy attributes must be configured identically on both the Avaya G450 and the Cisco PIX 515 Firewall (see Section 6.3).

1. Configure an ISAKMP Phase 1 policy.
   a. crypto isakmp policy 1
      i. description "G450 Policy1"
      ii. encryption 3des
      iii. hash sha
      iv. group 2
      v. authentication pre-share
      vi. lifetime 86400
          86400 (seconds, 24 hours) is the default value and need not be specified.


      vii. exit

2. Configure the ISAKMP peer (Cisco PIX 515).
   a. crypto isakmp peer address "1.1.1.2"
      i. description "PIX Outside"
      ii. encrypted-pre-shared-key <enter a key string>
          Once entered, the CLI will display the key string in an encrypted format.
      iii. isakmp-policy 1
      iv. exit

   crypto isakmp policy 1
     description "G450 Policy1"
     encryption 3des
     hash sha
     group 2
     authentication pre-share
   exit
   crypto isakmp peer address "1.1.1.2"
     description "PIX Outside"
     encrypted-pre-shared-key 4deP+Z58jV6kWqSMeS/SsT9sDmvbna1b8fiRxn1/Icg=
     isakmp-policy 1
   exit

Figure 6 – Avaya G450 Media Gateway ISAKMP Configuration

3. Configure a transform-set (IKE Phase 2). Transform-sets define security attributes.
   a. crypto ipsec transform-set G450P2 esp-aes esp-sha-hmac
      G450P2 is the name of the transform-set.
      i. set security-association lifetime seconds 3600
         This value is in seconds. 3600 is the default value and need not be specified.
      ii. set pfs group2
      iii. exit

   crypto ipsec transform-set G450P2 esp-aes esp-sha-hmac
     set pfs group2
   exit

Figure 7 – Avaya G450 Media Gateway Transform-set Configuration

4. Configure a crypto-map. A crypto-map defines the peer to negotiate with in IKE Phase 2 and the transform-set to use.
   a. crypto map 1
      i. description "PIX_Outside"
      ii. set peer 1.1.1.2
      iii. set transform-set G450P2
           Specified in Step 3 above.
      iv. exit

   crypto map 1
     description "PIX_Outside"
     set peer 1.1.1.2
     set transform-set G450P2
   exit

Figure 8 – Avaya G450 Media Gateway Crypto-map Configuration


5. Configure a crypto-list. The crypto-list contains ip-rules which select traffic flows based on source and destination IP addressing.
   a. ip crypto-list 901
      i. name "Encrypted traffic"
      ii. local-address 30.30.30.2
          Serial sub-interface IP address of the Avaya G450 Media Gateway.
      iii. ip-rule 1
           1. protect crypto map 1
           2. source-ip 73.73.73.0 0.0.0.255
              Voice IP domain in the Branch office.
           3. destination-ip 50.50.50.0 0.0.0.255
              Voice IP domain in the Main office.
           4. exit
      iv. exit

   ip crypto-list 901
     name "Encrypted traffic"
     local-address 30.30.30.2
     ip-rule 1
       protect crypto map 1
       source-ip 73.73.73.0 0.0.0.255
       destination-ip 50.50.50.0 0.0.0.255
     exit
   exit

Figure 9 – Avaya G450 Media Gateway Crypto-list Configuration

6. Assign a crypto-group to the Serial sub-interface defined in Section 3.4. The crypto-group specifies the crypto-list defined in Step 5 above.
   a. interface Serial 8/1:1.1 point-to-point
      i. ip crypto-group 901
         Defined in Step 5 above.
      ii. exit

   interface Serial 8/1:1.1 point-to-point
     description "To_Frame_Relay_Switch"
     ip access-group 301 in
     ip crypto-group 901
     frame-relay interface-dlci 101 ietf
     ip address 30.30.30.2 255.255.255.0
   exit

Figure 10 – Avaya G450 Media Gateway Crypto-group Configuration

7. Enter the command copy run start to save the configuration on the Avaya G450 Media Gateway.


4. Configure the Cisco 3825 Router

As described in Section 1, the 3825 router connects the Main office to the WAN and terminates the Frame Relay connection to the Branch office. The serial interfaces are configured as DTE. The following commands were entered via Cisco CLI from the enable/config t access prompt. See [8] for more information.

4.1. Ethernet Interface Configuration

Configure the Ethernet interface connected to the Cisco PIX Firewall.

1. Configure the Ethernet interface.
   a. interface FastEthernet 2/0
      i. description To_PIX
      ii. ip address 1.1.1.1 255.255.255.252
      iii. duplex full
      iv. speed 100
      v. no shutdown
      vi. exit

   interface FastEthernet2/0
     description To_PIX
     ip address 1.1.1.1 255.255.255.252
     duplex full
     speed 100

Figure 11 – Cisco 3825 Router IP Interface Configuration

4.2. Serial Interface Configuration

Configure the Serial interface connected to the Cisco 2811 WAN router.

1. Configure the Serial interface.
   a. interface serial 1/0/0
      i. description To_WAN_2811
      ii. encapsulation frame-relay IETF
      iii. service-module t1 timeslots 1-24 speed 64
      iv. service-module t1 framing esf
          This is the default value.
      v. service-module t1 linecode b8zs
          This is the default value.
      vi. service-module t1 clock source line
          This is the default value.
      vii. frame-relay lmi-type ansi
          This is the default value.
      viii. frame-relay intf-type dte
          This is the default value.
      ix. no shutdown
      x. exit

   interface Serial1/0/0
     description To_WAN_2811
     no ip address
     encapsulation frame-relay IETF
     service-module t1 timeslots 1-24 speed 64
     frame-relay lmi-type ansi

Figure 12 – Cisco 3825 Router Serial Interface Configuration


4.3. Serial Sub-Interface Configuration

Configure the Serial sub-interface for the Frame Relay circuit to the Avaya G450 Media Gateway (see Section 3.4).

1. Configure the Serial sub-interface.
   a. interface serial 1/0/0.1 point-to-point
      i. description Frame_Relay_To_G450
      ii. ip address 30.30.30.1 255.255.255.0
      iii. frame-relay interface-dlci 101 ietf
           This DLCI value must match the Avaya G450 Media Gateway (see Section 3.4) as well as the Cisco 2811 WAN router (see Section 5.2).
      iv. no shutdown
      v. exit

   interface Serial1/0/0.1 point-to-point
     description Frame_Relay_To_G450
     ip address 30.30.30.1 255.255.255.0
     frame-relay interface-dlci 101 IETF

Figure 13 – Cisco 3825 Router Serial Sub-Interface Configuration

4.4. IP Routing Configuration

Routing information must be provided to reach the Main office Voice IP domain (50.50.50.0) and the Branch office Voice IP domain (73.73.73.0). In the sample configuration, static routing is used.

1. Add static routes.
   a. ip route 50.50.50.0 255.255.255.0 1.1.1.2
      To reach the Main office, route to the Cisco PIX 515 Firewall outside interface.
   b. ip route 73.73.73.0 255.255.255.0 30.30.30.2
      To reach the Branch office, route to the Avaya G450 Media Gateway Serial interface.
   c. exit

   ip route 50.50.50.0 255.255.255.0 1.1.1.2
   ip route 73.73.73.0 255.255.255.0 30.30.30.2

Figure 14 – Cisco 3825 Router Static Routing Configuration

2. Enter wr mem to save the router configuration.


5. Configure the Cisco 2811 Router

As described in Section 1, the Cisco 2811 router simulates a Frame Relay WAN. The Cisco 2811 connects the Main office Cisco 3825 edge router to the Avaya G450 Media Gateway in the Branch office. The Cisco 2811 serial interfaces are configured as DCE. The following commands were entered via Cisco CLI from the enable/config t access prompt. See [8] for more information.

5.1. Enable Frame Relay Switching

1. Enable Frame Relay switching on the 2811 router.
   a. frame-relay switching

5.2. Serial Interface Configuration

1. Configure the Serial interface to the Avaya G450 Media Gateway.
   a. interface Serial0/2/0
      i. description To_G450
      ii. no ip address
      iii. encapsulation frame-relay IETF
      iv. frame-relay lmi-type ansi
      v. frame-relay intf-type dce
      vi. frame-relay route 101 interface Serial0/3/0 101
          This DLCI value must match the Avaya G450 Media Gateway (see Section 3.4).

2. Configure the Serial interface to the Cisco 3825 edge router.
   a. interface Serial0/3/0
      i. description To_HDQ_3825
      ii. no ip address
      iii. encapsulation frame-relay IETF
      iv. frame-relay lmi-type ansi
      v. frame-relay intf-type dce
      vi. frame-relay route 101 interface Serial0/2/0 101
          This DLCI value must match the Cisco 3825 edge router (see Section 4.3).

3. Enter wr mem to save the router configuration.

   frame-relay switching
   !
   interface Serial0/2/0
     description To_G450
     no ip address
     encapsulation frame-relay IETF
     frame-relay lmi-type ansi
     frame-relay intf-type dce
     frame-relay route 101 interface Serial0/3/0 101
   !
   interface Serial0/3/0
     description To_HDQ_3825
     no ip address
     encapsulation frame-relay IETF
     frame-relay lmi-type ansi
     frame-relay intf-type dce
     frame-relay route 101 interface Serial0/2/0 101

Figure 15 – Cisco 2811 WAN Router Configuration


6. Configure the Cisco PIX 515 Firewall

As described in Section 1, the Cisco PIX 515 Firewall connects the Main office to the Cisco 3825 edge router. It provides access security between the secure inside Main office Voice IP domain (50.50.50.0) and any unsecure outside domains. The Cisco PIX 515 Firewall also terminates the IPSec VPN tunnel from the Avaya G450 Media Gateway in the Branch office. The following commands were entered via Cisco CLI from the enable/config t access prompt. See [6] and [7] for more information.

6.1. Inside and Outside Interface Configuration

Configure the Ethernet interfaces connected to the Main office Voice IP domain (secure) and the Cisco 3825 edge router (unsecure).

1. Configure the Ethernet interfaces.
   a. ip address inside 50.50.50.1 255.255.255.0
   b. ip address outside 1.1.1.2 255.255.255.252
   c. interface ethernet0 auto
   d. interface ethernet1 auto

   ip address inside 50.50.50.1 255.255.255.0
   ip address outside 1.1.1.2 255.255.255.252
   interface ethernet0 auto
   interface ethernet1 auto

Figure 16 – Cisco PIX 515 Firewall Interface Configuration

6.2. IP Routing Configuration

Routing information must be provided for the Main office Voice IP domain (50.50.50.0) to reach the Branch office Voice IP domain (73.73.73.0). In the sample configuration, static routing is used.

1. Add a static route.
   a. route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
      To reach the Branch office, route to the Cisco 3825 router.

   route outside 0.0.0.0 0.0.0.0 1.1.1.1 1

Figure 17 – Cisco PIX 515 Firewall Routing Configuration

6.3. Virtual Private Network (VPN) Configuration

Note: The ISAKMP policy attributes must be configured identically on both the Avaya G450 and the Cisco PIX 515 Firewall (see Section 3.6).

1. Configure access-lists to prevent NATing of VPN traffic by the Cisco PIX 515 Firewall.
   a. access-list novpnnat permit ip 50.50.50.0 255.255.255.0 73.73.73.0 255.255.255.0
      "novpnnat" is a name assigned to the access-list.
   b. nat (inside) 0 access-list novpnnat
      Disables NAT for access-list novpnnat.

2. Define NATing for all non-VPN traffic.
   a. nat (inside) 1 0.0.0.0 0.0.0.0


3. Configure an ISAKMP policy (Phase 1).
   a. isakmp enable outside
   b. isakmp key <key string> address 30.30.30.2 netmask 255.255.255.255
      Once entered, the key is displayed as "********" on the CLI. The key string must be the same pre-shared key that is provisioned for this peer on the Avaya G450 Media Gateway.
   c. isakmp identity address
   d. isakmp policy 1 authentication pre-share
   e. isakmp policy 1 encryption 3des
   f. isakmp policy 1 hash sha
   g. isakmp policy 1 group 2
   h. isakmp policy 1 lifetime 86400

4. Configure an access-list that defines the VPN traffic between the Main office and the Branch office.
   a. access-list 101 permit ip 50.50.50.0 255.255.255.0 73.73.73.0 255.255.255.0

5. Configure a transform-set (Phase 2).
   a. crypto ipsec transform-set HighAES esp-aes esp-sha-hmac
      "HighAES" is a name assigned to the transform-set.

6. Configure the crypto map (Phase 2).
   a. crypto map BranchVPN 1 ipsec-isakmp
   b. crypto map BranchVPN 1 match address 101
   c. crypto map BranchVPN 1 set pfs group2
   d. crypto map BranchVPN 1 set peer 30.30.30.2
   e. crypto map BranchVPN 1 set transform-set HighAES
   f. crypto map BranchVPN 1 set security-association lifetime seconds 3600
   g. crypto map BranchVPN interface outside

7. Configure the Cisco PIX 515 Firewall to permit any packet arriving through the IPSec tunnel.
   a. sysopt connection permit-ipsec
      This command exempts decrypted IPSec traffic from the interface access-list checks: once the tunnel is up, every host in 73.73.73.0/24 can reach 50.50.50.0/24 on any port. If the Branch office traffic is to be restricted, omit this command and permit only the required traffic explicitly in the outside interface access-list.

8. Enter wr mem to save the configuration.

access-list novpnnat permit ip 50.50.50.0 255.255.255.0 73.73.73.0 255.255.255.0
nat (inside) 0 access-list novpnnat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
isakmp enable outside
isakmp key ******** address 30.30.30.2 netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
access-list 101 permit ip 50.50.50.0 255.255.255.0 73.73.73.0 255.255.255.0
crypto ipsec transform-set HighAES esp-aes esp-sha-hmac
crypto map BranchVPN 1 ipsec-isakmp
crypto map BranchVPN 1 match address 101
crypto map BranchVPN 1 set pfs group2
crypto map BranchVPN 1 set peer 30.30.30.2
crypto map BranchVPN 1 set transform-set HighAES
crypto map BranchVPN 1 set security-association lifetime seconds 3600
crypto map BranchVPN interface outside
sysopt connection permit-ipsec

Figure 18 – Cisco PIX 515 Firewall VPN Configuration


7. Configure Avaya Communication Manager

In the sample configuration, there are two Network Regions. The Avaya equipment in the Main office is defined in Network Region 1 and the Avaya equipment in the Branch office is defined in Network Region 2.

Note – With the exception of Section 7.1, the following commands were entered using an Avaya Communication Manager SAT session. For information on these commands see [2].

7.1. Avaya G450 Media Gateway Serial Number

1. On the Avaya G450 Media Gateway enter the command show system and copy down the serial number. It is required when the Avaya G450 Media Gateway is provisioned on Avaya Communication Manager in the next step.

G450-001(super)# show system
System Name         : Branch_G450
System Location     :
System Contact      :
Uptime (d,h:m:s)    : 7,02:56:35
MV Time             : 08:04:49 29 FEB 2008
Serial No           : 07IS13107508
Model No            : G450

Figure 19 – Avaya G450 Media Gateway Serial Number

7.2. Add the Avaya G450 Media Gateway

1. add media-gateway 1
   a. Type: g450
   b. Name: <text>
   c. Serial No: <serial number>
      Enter the Avaya G450 Media Gateway serial number taken from the show system command entered on the Avaya G450 Media Gateway in Section 7.1.
   d. Network Region: 2
   e. Other fields will auto-populate once the Avaya G450 Media Gateway registers.

add media-gateway 1                                             Page 1 of 1
                               MEDIA GATEWAY

          Number: 1                          Registered? n
            Type: g450             FW Version/HW Vintage:
            Name: G450_Branch              MGP IP Address:
       Serial No: 07IS13107508       Controller IP Address:
   Encrypt Link? y                            MAC Address:
  Network Region: 2
        Location: 1                              Site Data:
   Recovery Rule: 1

      Slot   Module Type   Name          DSP Type   FW/HW version
       V1:
       V2:

Figure 20 – Avaya Communication Manager – Add Avaya G450 Media Gateway


7.3. Configure IP-Codec Sets

In the sample configuration, calls between the Main office (Network Region 1) and the Branch office (Network Region 2) will use codec set 2. Intra-region calls will use codec set 1. Codec set 1 will use G.711MU while codec set 2 will use G.729B.

Note - See Section 8 for additional details on these codec choices. The G.729 codec is preferable over a VPN in order to conserve bandwidth. In addition, the frames per packet value was left at 2 (the default) in this example because the G450 serial interface is optimized for G.729 using the default 20 ms packet size. Administrators may wish to increase the frames per packet from the default 2 to 3. Increasing the RTP payload per packet reduces the per-call bandwidth, because the fixed per-packet IP, UDP, RTP and IPSec (ESP) overhead is then spread over more voice payload and fewer packets per second are sent, at the cost of 10 ms of additional packetization delay.
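The bandwidth effect described in the note, worked through as an added example (it is not part of the application note and not Avaya code). The script models the RTP/UDP/IP packet that carries the G.729 frames and the tunnel-mode ESP encapsulation the PIX and G450 negotiate (AES-CBC with a 16-byte IV and block padding, HMAC-SHA-1 with a 12-byte ICV, new outer IP header) and computes the one-direction per-call bandwidth at 2 and 3 frames per packet. The 6-byte Frame Relay layer-2 allowance is an assumption; the other sizes are protocol constants.

```python
"""Per-call G.729 bandwidth inside the ESP tunnel, at 2 and 3 frames per packet.

Added example; not part of the Avaya application note. Sizes are protocol
constants except FRAME_RELAY_L2, an assumed per-frame layer-2 allowance.
"""

G729_FRAME_BYTES = 10      # G.729/G.729B: 8 kbit/s, one 10 ms frame = 10 bytes
G729_FRAME_MS = 10
RTP_UDP_IP = 12 + 8 + 20   # inner headers carried through the tunnel
OUTER_IP = 20              # tunnel-mode ESP prepends a new IP header
ESP_HEADER = 8             # SPI + sequence number
AES_BLOCK = 16             # AES-CBC IV length and padding block size
ESP_TRAILER = 2            # pad length + next header
SHA1_96_ICV = 12           # esp-sha-hmac: HMAC-SHA-1 truncated to 96 bits
FRAME_RELAY_L2 = 6         # assumption: flags, 2-byte address, control/NLPID, FCS


def esp_padding(plaintext_len):
    """Padding so that payload + pad + trailer is a whole number of AES blocks."""
    return (-(plaintext_len + ESP_TRAILER)) % AES_BLOCK


def esp_tunnel_packet_bytes(inner_ip_len):
    """Size of one tunnel-mode ESP (AES-CBC, HMAC-SHA-1-96) packet, before layer 2."""
    return (OUTER_IP + ESP_HEADER + AES_BLOCK + inner_ip_len
            + esp_padding(inner_ip_len) + ESP_TRAILER + SHA1_96_ICV)


def ipsec_overhead_bytes(frames_per_packet):
    """Bytes ESP adds to one voice packet; it only grows when padding crosses a block."""
    inner = RTP_UDP_IP + frames_per_packet * G729_FRAME_BYTES
    return esp_tunnel_packet_bytes(inner) - inner


def g729_call_kbps(frames_per_packet, ipsec=True):
    """One-direction bandwidth of a G.729 stream without silence suppression."""
    inner_ip_len = RTP_UDP_IP + frames_per_packet * G729_FRAME_BYTES
    wire = esp_tunnel_packet_bytes(inner_ip_len) if ipsec else inner_ip_len
    packets_per_second = 1000 / (frames_per_packet * G729_FRAME_MS)
    return (wire + FRAME_RELAY_L2) * 8 * packets_per_second / 1000


if __name__ == "__main__":
    for fpp in (2, 3):
        print(f"{fpp} frames/pkt ({fpp * G729_FRAME_MS} ms): "
              f"clear {g729_call_kbps(fpp, ipsec=False):.1f} kbit/s, "
              f"IPSec {g729_call_kbps(fpp):.1f} kbit/s, "
              f"ESP overhead {ipsec_overhead_bytes(fpp)} bytes/packet")
```

With these constants a 20 ms G.729 packet costs about 50 kbit/s per direction inside the tunnel and a 30 ms packet about 38 kbit/s, so the saving comes from sending a third fewer packets, not from the ESP overhead shrinking; the model assumes no silence suppression, which matches the "n" in the codec-set forms.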

1. change ip-codec-set 1
   a. Audio Codec 1: G.711MU

change ip-codec-set 1                                        Page 1 of 2
                          IP Codec Set
    Codec Set: 1
    Audio        Silence      Frames    Packet
    Codec        Suppression  Per Pkt   Size(ms)
 1: G.711MU          n          2         20
 2:
 3:
 4:

     Media Encryption
 1: none
 2:
 3:

Figure 21 – Avaya Communication Manager Provisioning – IP-Codec-Set 1

2. change ip-codec-set 2
   a. Audio Codec 1: G.729B

change ip-codec-set 2                                        Page 1 of 2
                          IP Codec Set
    Codec Set: 2
    Audio        Silence      Frames    Packet
    Codec        Suppression  Per Pkt   Size(ms)
 1: G.729B           n          2         20
 2:
 3:
 4:

     Media Encryption
 1: none
 2:
 3:

Figure 22 – Avaya Communication Manager Provisioning – IP-Codec-Set 2


7.4. Configure IP-Network-Regions

The Main office is defined as Network Region 1. The Branch office is defined as Network Region 2.

1. Configure Network Region 1.
   a. change ip-network-region 1
      This opens the Network Region form.

2. On page 1 of the form, provision the field:
   a. Codec Set: 1
      Let the remaining fields default.

change ip-network-region 1                                       Page 1 of 19
                               IP NETWORK REGION
  Region: 1
Location: 1       Authoritative Domain: main.com
    Name:
MEDIA PARAMETERS                Intra-region IP-IP Direct Audio: yes
      Codec Set: 1              Inter-region IP-IP Direct Audio: yes
   UDP Port Min: 2048                      IP Audio Hairpinning? n
   UDP Port Max: 3329
DIFFSERV/TOS PARAMETERS                  RTCP Reporting Enabled? y
 Call Control PHB Value: 46      RTCP MONITOR SERVER PARAMETERS
        Audio PHB Value: 46      Use Default Server Parameters? y
        Video PHB Value: 26
802.1P/Q PARAMETERS
 Call Control 802.1p Priority: 5
        Audio 802.1p Priority: 5
        Video 802.1p Priority: 5      AUDIO RESOURCE RESERVATION PARAMETERS
H.323 IP ENDPOINTS                                       RSVP Enabled? n
 H.323 Link Bounce Recovery? y
 Idle Traffic Interval (sec): 20
   Keep-Alive Interval (sec): 5

Figure 23 – Avaya Communication Manager Provisioning – IP Network Region 1 – Page 1

3. On page 3 of the form, the first line is pre-defined (Network Region 1 can communicate with Network Region 1). On the second line, define the communication between Network Regions 1 and 2 by provisioning the following fields:
   a. src rgn = 1
      In the Network Region 1 form, Network Region 1 is always the source.
   b. dst rgn = 2
      Region 2 was the destination Network Region used in the sample configuration for the Branch office.
   c. codec set = 1
      Let the remaining fields default.

change ip-network-region 1                                       Page 3 of 19
              Inter Network Region Connection Management

 src dst codec direct  WAN-BW-limits      Video                     Dyn
 rgn rgn set   WAN   Units  Total  Norm  Prio  Shr  Intervening-regions  CAC  IGAR
 1   1   1
 1   2   1     y     NoLimit                                                n

Figure 24 – Avaya Communication Manager Provisioning – IP Network Region 1 – Page 3


4. Configure Network Region 2.
   a. change ip-network-region 2
      This opens the Network Region form.

5. On page 1 of the form, provision the field:
   a. Codec Set: 1
   b. Let the remaining fields default.

change ip-network-region 2                                       Page 1 of 19
                               IP NETWORK REGION
  Region: 2
Location: 1       Authoritative Domain: main.com
    Name:
MEDIA PARAMETERS                Intra-region IP-IP Direct Audio: yes
      Codec Set: 1              Inter-region IP-IP Direct Audio: yes
   UDP Port Min: 2048                      IP Audio Hairpinning? n
   UDP Port Max: 3329
DIFFSERV/TOS PARAMETERS                  RTCP Reporting Enabled? y
 Call Control PHB Value: 46      RTCP MONITOR SERVER PARAMETERS
        Audio PHB Value: 46      Use Default Server Parameters? y
        Video PHB Value: 26
802.1P/Q PARAMETERS
 Call Control 802.1p Priority: 5
        Audio 802.1p Priority: 5
        Video 802.1p Priority: 5      AUDIO RESOURCE RESERVATION PARAMETERS
H.323 IP ENDPOINTS                                       RSVP Enabled? n
 H.323 Link Bounce Recovery? y
 Idle Traffic Interval (sec): 20
   Keep-Alive Interval (sec): 5

Figure 25 – Avaya Communication Manager Provisioning – IP Network Region 2 – Page 1

6. On page 3 of the form, the first line is pre-defined (Network Region 2 can communicate with Network Region 2). On the second line, define the communication between Network Regions 1 and 2 by provisioning the following fields:
   a. src rgn = 2
      In the Network Region 2 form, Network Region 2 is always the source.
   b. dst rgn = 1
      Region 1 is the destination Network Region used in the sample configuration for the Main office.
   c. codec set = 2
   d. Let the remaining fields self-populate.

change ip-network-region 2                                       Page 3 of 19
              Inter Network Region Connection Management

 src dst codec direct  WAN-BW-limits      Video                     Dyn
 rgn rgn set   WAN   Units  Total  Norm  Prio  Shr  Intervening-regions  CAC  IGAR
 2   1   2     y     NoLimit                                                n
 2   2   1

Figure 26 – Avaya Communication Manager Provisioning – IP Network Region 2 – Page 3


7.5. Configure IP-Network-Map

The IP Network Map form maps the IP address ranges used by IP telephones to Network Regions.

1. change ip-network-map
   a. Under the From IP Address heading enter 50.50.50.0
      This is the voice IP domain in the Main office.
   b. Tab to the Subnet or Mask heading and enter 24
      The To IP Address fields will self-populate after the form is entered.
   c. Under the Region heading enter 1
      The Main office is assigned to Network Region 1.
   d. Under the From IP Address heading enter 73.73.73.0
      This is the voice IP domain in the Branch office.
   e. Tab to the Subnet or Mask heading and enter 24
   f. Under the Region heading enter 2
      The Branch office is assigned to Network Region 2.
   g. Let the remaining fields default.

change ip-network-map                                            Page 1 of 32
                              IP ADDRESS MAPPING
                                         Subnet                  Location
 From IP Address    (To IP Address     or Mask)  Region  VLAN   Extension
 50 .50 .50 .0      50 .50 .50 .255      24        1      n
 73 .73 .73 .0      73 .73 .73 .255      24        2      n
   .   .   .          .   .   .                           n
   .   .   .          .   .   .                           n

Figure 27 – Avaya Communication Manager Provisioning – IP-Network-Map

7.6. Save Translations

After the provisioning is completed, enter the command save trans to save the configuration on Avaya Communication Manager.

8. Configure Avaya 96xx SIP IP Telephone Codec Type

The Avaya 46xx H.323 and SIP IP telephones use the G.729B variety of the G.729 codec by default. The Avaya 96xx H.323 IP telephones also use G.729B. However, the Avaya 96xx SIP IP telephones use G.729A as the default G.729 codec type. As described in Section 7.3, the G.729 codec type is the most bandwidth-efficient choice over the IPSec VPN tunnel. Therefore the sample configuration defines calls between Network Regions 1 and 2 to use the G.729B codec, as it is supported by most Avaya IP telephone types in their default configurations. In order to allow G.729 call compatibility between the Avaya 96xx SIP IP telephones and the other Avaya IP telephone types, the Avaya 96xx SIP IP telephones must be provisioned to also use the G.729B codec. This is performed via the configuration file 46xxsettings.txt. The 46xxsettings.txt file is available from http://support.avaya.com. The 46xxsettings.txt file must be installed on an HTTP server that has IP connectivity to the Avaya 96xx SIP IP telephones. The 46xxsettings.txt file is retrieved by the Avaya 96xx SIP IP telephones when they are connected for the first time, or are reset. For information on using the 46xxsettings.txt file, and Avaya 96xx SIP IP telephone implementation, see [4] and [5].


8.1. Configure the 46xxsettings.txt File to Enable the G.729B Codec

1. On the HTTP server, go to the /inetpub/wwwroot directory (Windows Internet Information Services was used for the HTTP server in the reference configuration).
2. Using a text editor, open the 46xxsettings.txt file.
3. Find the section labeled ##### CODEC SETTINGS #####
4. By default, the G.729A codec is enabled (## SET ENABLE_G729 1). Enter a new line SET ENABLE_G729 2 (without the leading # comment characters).
5. Save and close the 46xxsettings.txt file.
6. Reset the Avaya 96xx SIP IP telephones to install the updated 46xxsettings.txt file. The Avaya 96xx SIP IP telephones will now use the G.729B codec.

Note – Only the section of the 46xxsettings.txt file pertaining to G.729 codec provisioning is shown, for brevity.

##
##################### CODEC SETTINGS #####################
##
## G.729 Codec Enabled
## Determines whether G.729 codec is available on the
## phone.
##   0 for G.729(A) disabled
##   1 for G.729(A) enabled without Annex B support
##   2 for G.729(A) enabled with Annex B support
## SET ENABLE_G729 1
SET ENABLE_G729 2
##
##

Figure 28 – Enable the G.729B codec via the 46xxsettings.txt file


9. Verification Steps

The following steps can be used to validate the sample configuration.

9.1. Verify Cisco PIX 515 Firewall Interfaces and Routing

1. Check that the "inside" and "outside" interface/line protocols are up and the IP addressing is correct.
   a. show interface ethernet0
      This is the "outside" interface.

pixfirewall# show interface ethernet0
interface ethernet0 "outside" is up, line protocol is up
  Hardware is i82559 ethernet, address is 0003.6bf7.25e8
  IP address 1.1.1.2, subnet mask 255.255.255.252
  MTU 1500 bytes, BW 100000 Kbit half duplex
        517521 packets input, 74718903 bytes, 0 no buffer
        Received 1406 broadcasts, 0 runts, 0 giants
        1 input errors, 1 CRC, 0 frame, 0 overrun, 1 ignored, 0 abort
        508963 packets output, 80276706 bytes, 0 underruns
        0 output errors, 15 collisions, 0 interface resets
        0 babbles, 6 late collisions, 34 deferred
        1 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/9)
        output queue (curr/max blocks): hardware (0/9) software (0/1)

Figure 29 – Cisco PIX 515 – Interface Ethernet0 (outside).

   b. show interface ethernet1
      This is the "inside" interface.

pixfirewall# show interface ethernet1
interface ethernet1 "inside" is up, line protocol is up
  Hardware is i82559 ethernet, address is 0003.6bf7.25e9
  IP address 50.50.50.1, subnet mask 255.255.255.0
  MTU 1500 bytes, BW 100000 Kbit full duplex
        843942 packets input, 69016077 bytes, 0 no buffer
        Received 314685 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        541973 packets output, 43070045 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        4 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/9)
        output queue (curr/max blocks): hardware (0/9) software (0/1)

Figure 30 – Cisco PIX 515 – Interface Ethernet1 (inside).

2. Examine the Cisco PIX 515 Firewall route table entries.
   a. show route

pixfirewall# show route
        outside 0.0.0.0 0.0.0.0 1.1.1.1 1 OTHER static
        outside 1.1.1.0 255.255.255.252 1.1.1.2 1 CONNECT static
        inside 50.50.50.0 255.255.255.0 50.50.50.1 1 CONNECT static

Figure 31 – Cisco PIX 515 – Route Table.


9.2. Avaya G450 Media Gateway Interfaces and Routing

1. Verify Serial interface status.
   a. show interface serial 8/1:1

G450-001(super)# show interface serial 8/1:1
Serial 8/1:1 is up, line protocol is up
  MTU 1500 bytes, Bandwidth 1536 kbit
  Reliability 255/255 txLoad 1/255 rxLoad 1/255
  Encapsulation FRAME-RELAY IETF
  Link status trap enabled
  LMI enq sent 77737, LMI stat recvd 77737, LMI upd recvd 0, DTE LMI up
  LMI DLCI 0, LMI type is ANSI Annex D, frame relay DTE
  Weighted Fair VoIP queueing mode
  Last input 00:00:00, Last output 00:00:01
  Last clearing of 'show interface' counters never
  5 minute input rate 708 bits/sec, 0 packets/sec
  5 minute output rate 784 bits/sec, 0 packets/sec
  0 input drops, 0 output drops, 0 unknown protocols
  587790 packets input, 76396277 bytes
  0 broadcasts received, 0 giants
  0 input errors, 0 CRC, 0 abort
  597153 packets output, 70441367 bytes
  0 output errors, 0 collisions

Figure 32 – Avaya G450 Media Gateway – Serial Interface.

2. Verify Serial subinterface status.
   a. show interface serial 8/1:1.1

G450-001(super)# show interface serial 8/1:1.1
Serial 8/1:1.1 is up, line protocol is up
  Description: To_Frame_Relay_Switch
  Internet address is 30.30.30.2, mask is 255.255.255.0
  MTU 1500 bytes, Bandwidth 1536 kbit
  IPSec PMTU: copy df-bit, Min PMTU is 300
  Encapsulation FRAME-RELAY IETF
  Link status trap enabled
  Keepalive-track not set
  Last input 00:00:01, Last output 00:00:01
  Last clearing of 'show interface' counters never
  0 input drops, 0 output drops, 0 unknown protocols
  510055 packets input, 73203176 bytes
  0 broadcasts received, 0 giants
  0 input errors, 0 CRC, 0 abort
  519418 packets output, 46223882 bytes
  0 output errors, 0 collisions

Figure 33 – Avaya G450 Media Gateway – Serial Sub-Interface.


3. Verify Frame Relay PVC status.
   a. show frame-relay pvc

G450-001(super)# show frame-relay pvc
Showing 1 PVC
PVC Statistics for interface Serial 8/1:1 (Frame Relay DTE)
              Active   Inactive   Deleted   Static
   Local      1        0          0         0
   Unused     0        0          0         0

DLCI = 101, USAGE = LOCAL, PVC STATUS = ACTIVE, INTERFACE = Serial 8/1:1.1
  ROLE = Primary, PRIORITY CLASS = None
  input pkts 510059, output pkts 519422, dropped pkts 0
  in bytes 75243940, out bytes 48301864
  in FECN pkts 0, in BECN pkts 0
  in DE pkts 0, out DE pkts 0
  pvc create time 8d20h, last time pvc status changed 00:48:36

Figure 34 – Avaya G450 Media Gateway – Frame-Relay PVC.

4. Verify the G450 Media Gateway IP route table entries.
   a. show ip route

G450-001(super)# show ip route
Showing 3 rows
Network         Mask Interface           Next-Hop            Cost  TTL Source
--------------- ---- ------------------- ------------------- ----- --- ---------
0.0.0.0         0    Serial 8/1:1.1      30.30.30.1          1     n/a STAT-LO
30.30.30.0      24   Serial 8/1:1.1      30.30.30.2          1     n/a LOCAL
73.73.73.0      24   Vlan 1              73.73.73.2          1     n/a LOCAL

Figure 35 – Avaya G450 Media Gateway – Show IP Route.

9.3. Verify Cisco PIX 515 Firewall VPN Policies

1. Verify that the configured ISAKMP policy has the correct security attributes.
   a. show crypto isakmp

pixfirewall# show crypto isakmp
isakmp enable outside
isakmp key ******** address 30.30.30.2 netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400

Figure 36 – Cisco PIX 515 Firewall – ISAKMP Policies.

2. Verify that the configured IPSec transform-set has the correct security attributes.
   a. show crypto ipsec transform-set

pixfirewall# show crypto ipsec transform-set
Transform set HighAES: { esp-aes esp-sha-hmac }
   will negotiate = { Tunnel, },

Figure 37 – Cisco PIX 515 Firewall – IPSec Transform Set.


9.4. Verify G450 Media Gateway VPN Policies

1. Verify that the remote peer (Cisco PIX 515 Firewall) has been defined under crypto isakmp peer.
   a. show crypto isakmp peer

G450-001(super)# show crypto isakmp peer
Showing 1 rows
Description   Peer identity      Self identity      Auth  Plc Md DPD   Track Cnt K-alv Id
------------- ------------------ ------------------ ----- --- -- ----- ----- ---
PIX Outside   1.1.1.2            IPv4 Address       psk   1   MM none  No

Figure 38 – Avaya G450 Media Gateway – ISAKMP Peer.

2. Verify that the configured ISAKMP policy has the correct security attributes.
   a. show crypto isakmp policy

G450-001(super)# show crypto isakmp policy
Showing 1 rows
Id Description          Encr    Hash    Authentication DH group life sec
-- -------------------- ------- ------- -------------- -------- ----------
1  High                 3des    sha     Preshared key  2        86400

Figure 39 – Avaya G450 Media Gateway – ISAKMP Policy.

3. Verify that the configured IPSec transform-set has the correct security attributes.
   a. show crypto ipsec transform-set

G450-001(super)# show crypto ipsec transform-set
Showing 1 rows
Name                    ESP Enc ESP Hash PCP PFS Life Sec   Life KB    Mode
----------------------- ------- -------- --- --- ---------- ---------- ------
HIGH                    aes     sha-hmac No  #2  3600       4608000    Tunnel

Figure 40 – Avaya G450 Media Gateway – IPSec Transform Set.

4. Verify that the crypto-list is configured with the proper wildcard masking and that the crypto map it references points at the correct transform-set. Any traffic that does not match a protect rule in the crypto-list falls through to the default bypass rule and is sent over the Frame Relay PVC in the clear, so the rule must cover exactly the Branch-to-Main voice subnets and mirror the crypto access-list on the Cisco PIX 515 Firewall.
   a. show ip crypto-list 901

G450-001(super)# show ip crypto-list 901
Index Description                     Status    Owner
----- ------------------------------- --------- --------------------------
901   Encrypted traffic               valid     other

Local address: 30.30.30.2

Rules:
Index Proto   IP  Wildcard         Port            Action       Frag  DSCP  Crypto map
----- ------- --- ---------------- --------------- ------------ ----- ----- ----------
1     Any     Src 73.73.73.0       0.0.0.255       Any          protect  No    Any   1
                  Dst 50.50.50.0   0.0.0.255       Any
Deflt Any     Src Any              Any             bypass       No    Any   -
                  Dst Any          Any

Applicable crypto maps:
Id Description          Remote peer/group  Transform-set           DSCP C-cnl
-- -------------------- ------------------ ----------------------- ---- -----
1  PIX_Outside          1.1.1.2            HIGH                    copy No

Figure 41 – Avaya G450 Media Gateway – IP Crypto List 901.
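The Section 6.3 note requires the ISAKMP and IPSec attributes to be identical on both peers, and Sections 9.3 and 9.4 show the commands that display them on each side. The following added example (not part of the application note, and not Avaya or Cisco code) parses the command output reproduced in Figures 36, 37, 39, 40 and 41, reports every Phase 1 and Phase 2 attribute that differs between the PIX and the G450, and checks that the PIX crypto access-list and the G450 crypto-list rule are mirror images of each other. The vendor spellings in the NORMALISE table and the fixed-width column layout the regular expressions expect are taken from those figures and are an assumption for other firmware releases.

```python
"""Cross-check the Cisco PIX 515 and Avaya G450 IKE/IPSec attributes.

Added example, not part of the application note and not Avaya or Cisco
code. Inputs are the command outputs reproduced in Figures 36, 37, 39, 40
and 41; the column layout and spellings the regexes expect come from those
figures (an assumption for other firmware releases).
"""
import re

PIX_ISAKMP = """\
isakmp enable outside
isakmp key ******** address 30.30.30.2 netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
"""
PIX_TRANSFORM = "Transform set HighAES: { esp-aes esp-sha-hmac } will negotiate = { Tunnel, },"
PIX_CRYPTO_MAP = """\
crypto map BranchVPN 1 set pfs group2
crypto map BranchVPN 1 set security-association lifetime seconds 3600
"""
PIX_CRYPTO_ACL = "access-list 101 permit ip 50.50.50.0 255.255.255.0 73.73.73.0 255.255.255.0"
G450_POLICY = """\
Id Description          Encr    Hash    Authentication DH group life sec
-- -------------------- ------- ------- -------------- -------- ----------
1  High                 3des    sha     Preshared key  2        86400
"""
G450_TRANSFORM = """\
Name                    ESP Enc ESP Hash PCP PFS Life Sec   Life KB    Mode
----------------------- ------- -------- --- --- ---------- ---------- ------
HIGH                    aes     sha-hmac No  #2  3600       4608000    Tunnel
"""
G450_CRYPTO_RULE = "Src 73.73.73.0 0.0.0.255 Dst 50.50.50.0 0.0.0.255"

# Each CLI prints the same attribute differently; map both onto one vocabulary.
NORMALISE = {"pre-share": "psk", "preshared key": "psk", "esp-aes": "aes",
             "esp-sha-hmac": "sha-hmac", "group2": "2", "#2": "2"}


def canon(value):
    v = value.strip().lower()
    return NORMALISE.get(v, v)


def pix_phase1(text):
    return {m.group(1): canon(m.group(2))
            for m in re.finditer(r"^isakmp policy \d+ (\w+) (.+)$", text, re.M)}


def pix_phase2(transform, cmap):
    m = re.search(r"\{ (\S+) (\S+) \} will negotiate = \{ (\w+),", transform)
    pfs = re.search(r"set pfs (\S+)", cmap)
    life = re.search(r"lifetime seconds (\d+)", cmap)
    return {"encryption": canon(m.group(1)), "hash": canon(m.group(2)),
            "mode": canon(m.group(3)),
            "pfs": canon(pfs.group(1)) if pfs else "none",   # no 'set pfs' means no PFS
            "lifetime": life.group(1) if life else None}


def g450_phase1(text):
    row = text.strip().splitlines()[-1]          # last line is the policy row
    m = re.match(r"\d+\s+\S+\s+(\S+)\s+(\S+)\s+(.+?)\s+(\d+)\s+(\d+)$", row)
    return {"encryption": canon(m.group(1)), "hash": canon(m.group(2)),
            "authentication": canon(m.group(3)), "group": m.group(4),
            "lifetime": m.group(5)}


def g450_phase2(text):
    row = text.strip().splitlines()[-1]
    m = re.match(r"\S+\s+(\S+)\s+(\S+)\s+\S+\s+(\S+)\s+(\d+)\s+\d+\s+(\S+)$", row)
    return {"encryption": canon(m.group(1)), "hash": canon(m.group(2)),
            "pfs": canon(m.group(3)), "lifetime": m.group(4),
            "mode": canon(m.group(5))}


def mismatches(a, b):
    """Names of attributes whose value differs (or is missing) between the two peers."""
    return sorted(k for k in set(a) | set(b) if a.get(k) != b.get(k))


def wildcard_to_mask(wildcard):
    return ".".join(str(255 - int(o)) for o in wildcard.split("."))


def proxy_ids_mirror(pix_acl=PIX_CRYPTO_ACL, g450_rule=G450_CRYPTO_RULE):
    """PIX src/dst selector must equal the G450 dst/src selector (wildcard inverted)."""
    p = re.search(r"permit ip (\S+) (\S+) (\S+) (\S+)", pix_acl).groups()
    g = re.search(r"Src (\S+) (\S+) Dst (\S+) (\S+)", g450_rule).groups()
    return p == (g[2], wildcard_to_mask(g[3]), g[0], wildcard_to_mask(g[1]))


def check_all():
    return {"phase1": mismatches(pix_phase1(PIX_ISAKMP), g450_phase1(G450_POLICY)),
            "phase2": mismatches(pix_phase2(PIX_TRANSFORM, PIX_CRYPTO_MAP),
                                 g450_phase2(G450_TRANSFORM)),
            "selectors_mirror": proxy_ids_mirror()}


if __name__ == "__main__":
    for name, result in check_all().items():
        print(f"{name}: {result}")
```

Run against the figures, both phases report no mismatches and the selectors mirror; changing one attribute on either side (for example the PIX hash to md5) names the offending attribute, which is quicker than reading the retransmit loop in the debug trace of Section 9.5 when Phase 1 fails.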


9.5. Verify IKE Negotiations using Cisco PIX 515 Firewall Debug Traces

1. Enable local debug output to the console from the CLI. When the isakmp lifetime timer expires, verify that the ISAKMP (Phase 1) SA and the IPSec (Phase 2) SAs are removed and recreated. Alternatively, the Avaya G450 Media Gateway clear SA commands for the ISAKMP (Phase 1) and IPSec (Phase 2) SAs can be used to immediately reset the VPN state (see Sections 9.1 and 9.2). Disable the debugs with no debug crypto isakmp and no debug crypto ipsec when finished; they are verbose and consume CPU on the firewall.
   a. debug crypto ipsec
   b. debug crypto isakmp

ISAKMP: rekeying phase 1 SA, src 1.1.1.2, dst 30.30.30.2
ISAKMP (0): retransmitting phase 1 (0)...
ISAKMP (0): retransmitting phase 1 (1)...
crypto_isakmp_process_block:src:30.30.30.2, dest:1.1.1.2 spt:500 dpt:500
ISAKMP (0): processing DELETE payload. message ID = 3099254529, spi size = 4
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
return status is IKMP_NO_ERR_NO_TRANS
ISAKMP (0): retransmitting phase 1 (2)...
ISAKMP (0): retransmitting phase 1 (3)...
ISAKMP (0): retransmitting phase 1 (4)...
crypto_isakmp_process_block:src:30.30.30.2, dest:1.1.1.2 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 1 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (basic) of 120
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): remote peer supports dead peer detection
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
ISAKMP (0): deleting SA: src 1.1.1.2, dst 30.30.30.2
crypto_isakmp_process_block:src:30.30.30.2, dest:1.1.1.2 spt:500 dpt:500
ISAKMP: drop msg for deleted sa
ISADB: reaper checking SA 0xffaf44, conn_id = 0
ISADB: reaper checking SA 0x116da8c, conn_id = 0  DELETE IT!
VPN Peer: ISAKMP: Peer ip:30.30.30.2/500 Ref cnt decremented to:0 Total VPN Peers:1
VPN Peer: ISAKMP: Deleted peer: ip:30.30.30.2/500 Total VPN peers:0
ISADB: reaper checking SA 0xffaf44, conn_id = 0
crypto_isakmp_process_block:src:30.30.30.2, dest:1.1.1.2 spt:500 dpt:500
ISAKMP (0): processing DELETE payload. message ID = 1115737207, spi size = 16
return status is IKMP_NO_ERR_NO_TRANS


ISAKMP (0): deleting IPSEC SAs with peer at 30.30.30.2
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with 30.30.30.2
map_free_entry: freeing entry 1
CRYPTO(epa_release_conn): released conn 1
VPN Peer: IPSEC: Peer Info not found during IPSEC deletion Peer ip:30.30.30.2/500
map_free_entry: freeing entry 2
CRYPTO(epa_release_conn): released conn 2
VPN Peer: IPSEC: Peer Info not found during IPSEC deletion Peer ip:30.30.30.2/500
ISAKMP (0): deleting SA: src 1.1.1.2, dst 30.30.30.2
ISADB: reaper checking SA 0xffaf44, conn_id = 0  DELETE IT!
VPN Peer:ISAKMP: Peer Info for 30.30.30.2/500 not found - peers:0
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with 30.30.30.2
crypto_isakmp_process_block:src:30.30.30.2, dest:1.1.1.2 spt:500 dpt:500
ISAKMP: sa not found for ike msg
crypto_isakmp_process_block:src:30.30.30.2, dest:1.1.1.2 spt:500 dpt:500
ISAKMP: sa not found for ike msg
ISAKMP (0): beginning Main Mode exchange
ISAKMP (0): retransmitting phase 1 (0)...
ISAKMP (0): retransmitting phase 1 (1)...
ISAKMP (0): retransmitting phase 1 (2)...
crypto_isakmp_process_block:src:30.30.30.2, dest:1.1.1.2 spt:500 dpt:500
ISAKMP: sa not found for ike msg
ISAKMP (0): retransmitting phase 1 (3)...
ISAKMP (0): retransmitting phase 1 (4)...
ISAKMP (0): deleting SA: src 1.1.1.2, dst 30.30.30.2
IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= 1.1.1.2, remote= 30.30.30.2,
    local_proxy= 50.50.50.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 73.73.73.0/255.255.255.0/0/0 (type=4)
ISAKMP (0): beginning Main Mode exchange
ISADB: reaper checking SA 0x116da8c, conn_id = 0
ISADB: reaper checking SA 0xffaf44, conn_id = 0  DELETE IT!
VPN Peer:ISAKMP: Peer Info for 30.30.30.2/500 not found - peers:0
ISADB: reaper checking SA 0x116da8c, conn_id = 0
ISAKMP (0): retransmitting phase 1 (0)...
ISAKMP (0): retransmitting phase 1 (1)...
ISAKMP (0): retransmitting phase 1 (2)...
ISAKMP (0): retransmitting phase 1 (3)...
crypto_isakmp_process_block:src:30.30.30.2, dest:1.1.1.2 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 1 policy


ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (basic) of 120
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): remote peer supports dead peer detection
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:30.30.30.2, dest:1.1.1.2 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
ISAKMP (0): ID payload
        next-payload : 8
        type         : 1
        protocol     : 17
        port         : 500
        length       : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:30.30.30.2, dest:1.1.1.2 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated
ISAKMP (0): beginning Quick Mode exchange, M-ID of -1071189158:c026f35a
IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0xfbea09c7(4226419143) for SA
        from 30.30.30.2 to 1.1.1.2 for prot 3
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:30.30.30.2, dest:1.1.1.2 spt:500 dpt:500
OAK_QM exchange
oakley_process_quick_mode: OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 3223778138
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_AES
ISAKMP:   attributes in transform:
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (basic) of 3600
ISAKMP:      SA life type in kilobytes
ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
ISAKMP:      authenticator is HMAC-SHA
ISAKMP:      key length is 128
ISAKMP:      group is 2
ISAKMP (0): atts are acceptable.
IPSEC(validate_proposal_request): proposal part #1,


  (key eng. msg.) dest= 30.30.30.2, src= 1.1.1.2,
    dest_proxy= 73.73.73.0/255.255.255.0/0/0 (type=4),
    src_proxy= 50.50.50.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-aes esp-sha-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x24
ISAKMP (0): processing NONCE payload. message ID = 3223778138
ISAKMP (0): processing KE payload. message ID = 3223778138
ISAKMP (0): processing ID payload. message ID = 3223778138
ISAKMP (0): processing ID payload. message ID = 3223778138
map_alloc_entry: allocating entry 2
map_alloc_entry: allocating entry 1
ISAKMP (0): Creating IPSec SAs
        inbound SA from 30.30.30.2 to 1.1.1.2 (proxy 73.73.73.0 to 50.50.50.0)
        has spi 4226419143 and conn_id 2 and flags 25
        lifetime of 3600 seconds
        lifetime of 4608000 kilobytes
        outbound SA from 1.1.1.2 to 30.30.30.2 (proxy 50.50.50.0 to 73.73.73.0)
        has spi 6940 and conn_id 1 and flags 25
        lifetime of 3600 seconds
        lifetime of 4608000 kilobytes
IPSEC(key_engine): got a queue event...
IPSEC(initialize_sas): ,
  (key eng. msg.) dest= 1.1.1.2, src= 30.30.30.2,
    dest_proxy= 50.50.50.0/255.255.255.0/0/0 (type=4),
    src_proxy= 73.73.73.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-aes esp-sha-hmac ,
    lifedur= 3600s and 4608000kb,
    spi= 0xfbea09c7(4226419143), conn_id= 2, keysize= 128, flags= 0x25
IPSEC(initialize_sas): ,
  (key eng. msg.) src= 1.1.1.2, dest= 30.30.30.2,
    src_proxy= 50.50.50.0/255.255.255.0/0/0 (type=4),
    dest_proxy= 73.73.73.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-aes esp-sha-hmac ,
    lifedur= 3600s and 4608000kb,
    spi= 0x1b1c(6940), conn_id= 1, keysize= 128, flags= 0x25
return status is IKMP_NO_ERROR
VPN Peer: ISAKMP: Added new peer: ip:30.30.30.2/500 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:30.30.30.2/500 Ref cnt incremented to:1 Total VPN Peers:1
pixfirewall#

Figure 42 – Cisco PIX 515 Firewall – IPSec and ISAKMP Debug.


9.6. Verify IKE Negotiations using G450 Gateway Syslog

1. Enable local Syslog message output to the console from the CLI. When the isakmp lifetime timer expires, verify that the ISAKMP (Phase 1) SA and the IPSec (Phase 2) SAs are removed and recreated. Alternatively, the Avaya G450 Media Gateway ISAKMP Phase 1 and IPSec Phase 2 clear SA commands can be used to immediately reset the VPN state (see Sections 9.1 and 9.2).

   a. set logging session enable
   b. set logging session condition ISAKMP debug
   c. set logging session condition IPSEC debug

2. When completed, disable the logging.

   a. set logging session disable

04/22/2008,09:46:50:ISAKMP-Informational: ISAKMP SA lifetime expiration
   Peers 30.30.30.2<->1.1.1.2 Icookie - 8323fecb991b7cd0, Rcookie - 73159c04f0b63f69
04/22/2008,09:46:50:ISAKMP-Informational: Sending IKE DELETE message (ISAKMP SA):
   Peers 30.30.30.2<->1.1.1.2 Icookie - 8323fecb991b7cd0, Rcookie - 73159c04f0b63f69
04/22/2008,09:47:42:VOICE-Warning: H248 link is DOWN
04/22/2008,09:47:58:ISAKMP-Warning: Peer 1.1.1.2 is presumed dead: IKE phase 1 negotiation failure
04/22/2008,09:48:11:ISAKMP-Informational: Begin IKE phase 1 negotiation, initiated by 1.1.1.2:
   Peers 30.30.30.2<->1.1.1.2, mode main
04/22/2008,09:48:11:ISAKMP-Debug: Sending vendor ID to 1.1.1.2 (VID length = 16):
   Peers 30.30.30.2<->1.1.1.2
   draft-ietf-ipsec-dpd-00.txt (0xafcad71368a1f1c96b8696fc77570100)
04/22/2008,09:48:11:ISAKMP-Debug: Received vendor ID from 1.1.1.2 (VID length = 8):
   Peers 30.30.30.2<->1.1.1.2
   Unknown (0x09002689dfd6b712)
04/22/2008,09:48:11:ISAKMP-Debug: Received vendor ID from 1.1.1.2 (VID length = 16):
   Peers 30.30.30.2<->1.1.1.2
   draft-ietf-ipsec-dpd-00.txt (0xafcad71368a1f1c96b8696fc77570100)
04/22/2008,09:48:11:ISAKMP-Debug: Received vendor ID from 1.1.1.2 (VID length = 16):
   Peers 30.30.30.2<->1.1.1.2
   Unknown (0x12f5f28c457168a9702d9fe274cc0100)
04/22/2008,09:48:11:ISAKMP-Debug: Received vendor ID from 1.1.1.2 (VID length = 16):
   Peers 30.30.30.2<->1.1.1.2
   Unknown (0x76e459d681edb35dc5fb95461256e04f)
04/22/2008,09:48:11:ISAKMP-Informational: Finished IKE phase 1 negotiation, creating ISAKMP SA:
   Peers 30.30.30.2<->1.1.1.2 Icookie - 8323fecb81ecb35d, Rcookie - 643f0ef3bd44bc4e
   esp-3des, esp-sha-hmac, DH group 2, Lifetime 120 seconds
   DPD enabled
04/22/2008,09:48:12:ISAKMP-Informational: Begin IKE phase 2 negotiation, initiated by 1.1.1.2:
   Peers 30.30.30.2<->1.1.1.2
04/22/2008,09:48:12:ISAKMP-Informational: Finished IKE phase 2, creating outbound IPSEC SA:
   SPI 0xfbea09c7, Peers 30.30.30.2<->1.1.1.2
   Identities: 73.73.73.0/255.255.255.0->50.50.50.0/255.255.255.0
   esp-aes, esp-sha-hmac, 3600 seconds, 4608000 KB, PFS #2
   Tunnel mode
04/22/2008,09:48:12:ISAKMP-Informational: Finished IKE phase 2, creating inbound IPSEC SA:
   SPI 0x1b1c, Peers 1.1.1.2<->30.30.30.2
   Identities: 50.50.50.0/255.255.255.0->73.73.73.0/255.255.255.0
   esp-aes, esp-sha-hmac, 3600 seconds, 4608000 KB, PFS #2
   Tunnel mode

Figure 43 – Avaya G450 Media Gateway – IPSec and Isakmp Debug.
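Reading the syslog above by eye works for one rekey, but over a lifetime timer that fires every 120 seconds it is easy to miss a Phase 2 SA that came up with the wrong transform or without PFS. The following added example (written for these Application Notes; it is not Avaya code) parses the G450 ISAKMP syslog format shown in Figure 43, collects the warnings, lifetime expirations and the Phase 1/Phase 2 SAs it reports, and checks each Phase 2 SA against the attributes provisioned in this configuration (esp-aes, esp-sha-hmac, 3600 seconds, 4608000 KB, PFS group 2, tunnel mode). The function names, the EXPECTED_PHASE2 table and the abridged sample log are assumptions made here for illustration.

```python
"""Parse Avaya G450 ISAKMP syslog output and check the SAs it reports.

Added example for this application note; not Avaya's code.  Message formats
follow Figure 43; function names and EXPECTED_PHASE2 are assumptions.
"""
import re

# Constructed sample: an abridged copy of the Figure 43 syslog, laid out the
# way the gateway prints it (detail lines follow the timestamped line).
SAMPLE_LOG = """\
04/22/2008,09:46:50:ISAKMP-Informational: ISAKMP SA lifetime expiration
   Peers 30.30.30.2<->1.1.1.2 Icookie - 8323fecb991b7cd0, Rcookie - 73159c04f0b63f69
04/22/2008,09:47:42:VOICE-Warning: H248 link is DOWN
04/22/2008,09:47:58:ISAKMP-Warning: Peer 1.1.1.2 is presumed dead: IKE phase 1 negotiation failure
04/22/2008,09:48:11:ISAKMP-Informational: Finished IKE phase 1 negotiation, creating ISAKMP SA:
   Peers 30.30.30.2<->1.1.1.2 Icookie - 8323fecb81ecb35d, Rcookie - 643f0ef3bd44bc4e
   esp-3des, esp-sha-hmac, DH group 2, Lifetime 120 seconds
   DPD enabled
04/22/2008,09:48:12:ISAKMP-Informational: Finished IKE phase 2, creating outbound IPSEC SA:
   SPI 0xfbea09c7, Peers 30.30.30.2<->1.1.1.2
   Identities: 73.73.73.0/255.255.255.0->50.50.50.0/255.255.255.0
   esp-aes, esp-sha-hmac, 3600 seconds, 4608000 KB, PFS #2
   Tunnel mode
04/22/2008,09:48:12:ISAKMP-Informational: Finished IKE phase 2, creating inbound IPSEC SA:
   SPI 0x1b1c, Peers 1.1.1.2<->30.30.30.2
   Identities: 50.50.50.0/255.255.255.0->73.73.73.0/255.255.255.0
   esp-aes, esp-sha-hmac, 3600 seconds, 4608000 KB, PFS #2
   Tunnel mode
"""

HEADER_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}),(?P<time>\d{2}:\d{2}:\d{2}):"
    r"(?P<facility>\w+)-(?P<severity>\w+): (?P<text>.*)$")
PHASE1_RE = re.compile(
    r"creating ISAKMP SA: Peers (?P<local>[\d.]+)<->(?P<remote>[\d.]+) "
    r"Icookie - (?P<icookie>[0-9a-f]+), Rcookie - (?P<rcookie>[0-9a-f]+) "
    r"(?P<encr>esp-[\w-]+), (?P<auth>esp-[\w-]+), DH group (?P<dh>\d+), "
    r"Lifetime (?P<life>\d+) seconds(?P<dpd> DPD enabled)?")
PHASE2_RE = re.compile(
    r"creating (?P<dir>inbound|outbound) IPSEC SA: SPI (?P<spi>0x[0-9a-f]+), "
    r"Peers (?P<a>[\d.]+)<->(?P<b>[\d.]+) "
    r"Identities: (?P<src>[\d./]+)->(?P<dst>[\d./]+) "
    r"(?P<encr>esp-[\w-]+), (?P<auth>esp-[\w-]+), (?P<secs>\d+) seconds, "
    r"(?P<kb>\d+) KB, PFS #(?P<pfs>\d+) (?P<mode>\w+) mode")

# Phase 2 policy provisioned in this application note (assumed table name).
EXPECTED_PHASE2 = {"encr": "esp-aes", "auth": "esp-sha-hmac", "lifetime_s": 3600,
                   "lifetime_kb": 4608000, "pfs": 2, "mode": "Tunnel"}


def parse_records(text):
    """Group lines into records: a timestamped line plus the untimestamped
    detail lines that follow it, joined with single spaces."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            records.append(m.groupdict())
        elif records:
            records[-1]["text"] += " " + line
    return records


def summarize(records):
    """Pull out warnings, lifetime expirations and the SAs that were created."""
    s = {"phase1": [], "phase2": [], "warnings": [], "expirations": 0}
    for rec in records:
        text = rec["text"]
        if rec["severity"] == "Warning":
            s["warnings"].append(f"{rec['time']} {rec['facility']}: {text}")
        if "ISAKMP SA lifetime expiration" in text:
            s["expirations"] += 1
        m = PHASE1_RE.search(text)
        if m:
            s["phase1"].append({
                "time": rec["time"], "peers": (m["local"], m["remote"]),
                "encr": m["encr"], "auth": m["auth"], "dh_group": int(m["dh"]),
                "lifetime_s": int(m["life"]), "dpd": m["dpd"] is not None})
            continue
        m = PHASE2_RE.search(text)
        if m:
            s["phase2"].append({
                "time": rec["time"], "direction": m["dir"], "spi": int(m["spi"], 16),
                "identities": (m["src"], m["dst"]), "encr": m["encr"],
                "auth": m["auth"], "lifetime_s": int(m["secs"]),
                "lifetime_kb": int(m["kb"]), "pfs": int(m["pfs"]), "mode": m["mode"]})
    return s


def check_phase2(summary, expected=EXPECTED_PHASE2):
    """Return findings; an empty list means both Phase 2 SAs match the policy."""
    findings = []
    sas = summary["phase2"]
    have = {sa["direction"] for sa in sas}
    for d in ("inbound", "outbound"):
        if d not in have:
            findings.append(f"no {d} IPSEC SA was created")
    spis = [sa["spi"] for sa in sas]
    if len(spis) != len(set(spis)):
        findings.append("same SPI reused for more than one SA")
    for sa in sas:
        for key, want in expected.items():
            if sa[key] != want:
                findings.append(f"{sa['direction']} SA {sa['spi']:#x}: "
                                f"{key}={sa[key]!r}, expected {want!r}")
    return findings


if __name__ == "__main__":
    summary = summarize(parse_records(SAMPLE_LOG))
    for w in summary["warnings"]:
        print("WARNING", w)
    for sa in summary["phase2"]:
        print(f"{sa['time']} {sa['direction']:8} SPI {sa['spi']:#x} "
              f"{sa['identities'][0]} -> {sa['identities'][1]}")
    print("Phase 2 policy check:", check_phase2(summary) or "OK")
```

Feed it the console capture from step 1 (or a syslog server's copy of it); a non-empty result from check_phase2 names the direction, SPI and attribute that drifted from the policy, which is the mismatch Section 10 lists as the most common VPN fault.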

9.7. Verify Security Associations (SAs) on the Cisco PIX 515 Firewall

1. Verify the ISAKMP SA using the show command.

   a. show crypto isakmp sa

pixfirewall# show crypto isakmp sa
Total     : 1
Embryonic : 0
        dst               src        state     pending     created
     30.30.30.2         1.1.1.2    QM_IDLE         0           1

Figure 44 – Cisco PIX 515 Firewall – ISAKMP SA.

2. Verify the IPSec SAs using the show command.

   a. show crypto ipsec sa detail

pixfirewall# show crypto ipsec sa detail

interface: outside
    Crypto map tag: BranchVPN, local addr. 1.1.1.2

   local ident (addr/mask/prot/port): (50.50.50.0/255.255.255.0/1/0)
   remote ident (addr/mask/prot/port): (73.73.73.0/255.255.255.0/1/0)
   current_peer: 30.30.30.2:0
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #pkts no sa (send) 0, #pkts invalid sa (rcv) 0
    #pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
    #pkts invalid prot (recv) 0, #pkts verify failed: 0
    #pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
    #pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
    ##pkts replay failed (rcv): 0
    #pkts internal err (send): 0, #pkts internal err (recv) 0

     local crypto endpt.: 1.1.1.2, remote crypto endpt.: 30.30.30.2
     path mtu 1500, ipsec overhead 0, media mtu 1500
     current outbound spi: 0

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   local ident (addr/mask/prot/port): (50.50.50.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (73.73.73.0/255.255.255.0/0/0)
   current_peer: 30.30.30.2:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 508147, #pkts encrypt: 508147, #pkts digest 508147
    #pkts decaps: 514309, #pkts decrypt: 514309, #pkts verify 514309
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #pkts no sa (send) 110, #pkts invalid sa (rcv) 0
    #pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
    #pkts invalid prot (recv) 0, #pkts verify failed: 0
    #pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
    #pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
    ##pkts replay failed (rcv): 0
    #pkts internal err (send): 0, #pkts internal err (recv) 0

     local crypto endpt.: 1.1.1.2, remote crypto endpt.: 30.30.30.2
     path mtu 1500, ipsec overhead 72, media mtu 1500
     current outbound spi: 80ce

     inbound esp sas:
      spi: 0xd9e32a9f(3655543455)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 1, crypto map: BranchVPN
        sa timing: remaining key lifetime (k/sec): (4607925/2586)
        IV size: 16 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x80ce(32974)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2, crypto map: BranchVPN
        sa timing: remaining key lifetime (k/sec): (4607953/2586)
        IV size: 16 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:

pixfirewall#

Figure 45 – Cisco PIX 515 Firewall – IPSec SA.


9.8. Verify Security Associations (SAs) on the G450 Gateway

1. Verify the ISAKMP SA using the show command.

   a. show crypto isakmp sa

G450-001(super)# show crypto isakmp sa
C-id Local           Remote          State   Encr    Hash Aut DH TTL   DPD Nat-T
---- --------------- --------------- ------- ------- ---- --- -- ----- --- -----
109  30.30.30.2      1.1.1.2         Ready   3des    sha  psk 2  85726 Yes No

Figure 46 – Avaya G450 Media Gateway – ISAKMP SA.

2. Verify the inbound and outbound IPSec SAs using the show command.

   a. show crypto ipsec sa detail

G450-001(super)# show crypto ipsec sa detail
Inbound pkts errors (global):
   Invalid spi        0
   Invalid interface  0

Interface: Serial 8/1:1.1
   Crypto list id: 901, Local address: 30.30.30.2
   Rule: 1, Crypto map: 1, "PIX_Outside"
      Local address: 30.30.30.2
      Remote address: 1.1.1.2
      Local identity: 73.73.73.0/255.255.255.0
      Remote identity: 50.50.50.0/255.255.255.0
      path mtu 1500, media mtu 1500, configured min PMTU 300
      Current outbound spi: 0xd9e32a9f

      Inbound packets                       Outbound packets
      ------------------------------------  -----------------------------------
      Total                 1592            Total                 1862
      Total OK              1592            Total OK              1861
      Decrypt               1592            Encrypt               1861
      Verify                1592            Digest                1861
      Decaps                1592            Encaps                1861
      Total discards        0               Total discards        1
      Invalid len           0               No sa                 1
      Replay failed         0               Seq rollover          0
      Sa expired            0               Sa expired            0
      Auth failed           0               Bad padding           0
      Invalid identity      0               Unprotected           0
      Other discards        0               Other discards        0

      SA Type         SPI        Transform     PFS Secs left  KB left    Mode
      --------------- ---------- ------------- --- ---------- ---------- ------
      Outbound ESP    0xd9e32a9f esp-aes       #2  2888       4607938    Tunnel
                                 esp-sha-hmac
      Inbound ESP     0x80ce     esp-aes       #2  2888       4607937    Tunnel
                                 esp-sha-hmac

Figure 47 – Avaya G450 Media Gateway – IPSec SA.


9.9. Verify the Avaya G450 Media Gateway Registration Status

1. Check the MGC controller status from the Avaya G450 Media Gateway CLI.

   a. show mgc

G450-001(super)# show mgc

CALL CONTROLLER STATUS
-------------------------------------------
Registered          : YES
Active Controller   : 50.50.50.100
H248 Link Status    : UP
H248 Link Error Code: 0x0

CONFIGURED MGC HOST
---------------------
50.50.50.100
-- Not Available --
-- Not Available --

sls disabled

Done!
G450-001(super)#

Figure 48 – Avaya G450 Media Gateway – MGC Status.

2. Verify the registration status of the Avaya G450 Media Gateway with the S8500 Server via the Avaya Communication Manager SAT.

   a. display media-gateway 1

display media-gateway 1
                                 MEDIA GATEWAY

           Number: 1                                 Registered? y
             Type: g450                  FW Version/HW Vintage: 27 .26 .0 /0
             Name: G450_Branch                    MGP IP Address: 73 .73 .73 .2
        Serial No: 07IS13107508             Controller IP Address: 50 .50 .50 .100
    Encrypt Link? y                                   MAC Address: 00:04:0d:ea:ab:b8
   Network Region: 2                                     Location: 1
                                                        Site Data:
    Recovery Rule: 1

 Slot   Module Type   Name                    DSP Type   FW/HW version
   V1:
   V2:   MM710        DS1 MM
   V3:   MM342        USP WAN MM
   V4:                                         MP80       8 1
   V5:   MM711        ANA MM
   V6:   MM712        DCP MM
   V7:   MM716        ANA MM                        Max Survivable IP Ext: 8
   V8:   MM340        DS1 WAN MM
   V9:

Figure 49 – Avaya S8500 Server – Avaya G450 Media Gateway Status.


9.10. Place Test Calls

Place calls (H.323/H.323, SIP/SIP, SIP/H.323) between the Branch office and the Main office.

1. Verify call establishment and voice quality over the VPN.

2. Place an IP protocol analyzer on the network between the Cisco PIX 515 Firewall and the Cisco 2811 WAN router. Verify that the traffic is encrypted (ESP). In the sample configuration, 1.1.1.2 is the outside interface of the Cisco PIX 515 Firewall and 30.30.30.2 is the serial interface of the Avaya G450 Media Gateway.

No.  Time             Source       Destination  Protocol  Info
851  09:44:17.815564  30.30.30.2   1.1.1.2      ESP       ESP (SPI=0xfbea09c7)
852  09:44:17.839880  30.30.30.2   1.1.1.2      ESP       ESP (SPI=0xfbea09c7)
853  09:44:17.841574  1.1.1.2      30.30.30.2   ESP       ESP (SPI=0x00001b1c)
854  09:44:17.850941  1.1.1.2      30.30.30.2   ESP       ESP (SPI=0x00001b1c)
855  09:44:17.855480  30.30.30.2   1.1.1.2      ESP       ESP (SPI=0xfbea09c7)
856  09:44:17.879741  30.30.30.2   1.1.1.2      ESP       ESP (SPI=0xfbea09c7)
857  09:44:17.881470  1.1.1.2      30.30.30.2   ESP       ESP (SPI=0x00001b1c)
858  09:44:17.890920  1.1.1.2      30.30.30.2   ESP       ESP (SPI=0x00001b1c)
859  09:44:17.895591  30.30.30.2   1.1.1.2      ESP       ESP (SPI=0xfbea09c7)
860  09:44:17.912655  1.1.1.2      30.30.30.2   ESP       ESP (SPI=0x00001b1c)
861  09:44:17.917298  30.30.30.2   1.1.1.2      ESP       ESP (SPI=0xfbea09c7)
862  09:44:17.918881  1.1.1.2      30.30.30.2   ESP       ESP (SPI=0x00001b1c)
863  09:44:17.919828  30.30.30.2   1.1.1.2      ESP       ESP (SPI=0xfbea09c7)
864  09:44:17.921324  1.1.1.2      30.30.30.2   ESP       ESP (SPI=0x00001b1c)
865  09:44:17.923272  30.30.30.2   1.1.1.2      ESP       ESP (SPI=0xfbea09c7)
866  09:44:17.929803  30.30.30.2   1.1.1.2      ESP       ESP (SPI=0xfbea09c7)
867  09:44:17.930777  30.30.30.2   1.1.1.2      ESP       ESP (SPI=0xfbea09c7)
868  09:44:17.931331  1.1.1.2      30.30.30.2   ESP       ESP (SPI=0x00001b1c)
869  09:44:17.934303  1.1.1.2      30.30.30.2   ESP       ESP (SPI=0x00001b1c)
870  09:44:17.939781  30.30.30.2   1.1.1.2      ESP       ESP (SPI=0xfbea09c7)
871  09:44:17.941325  1.1.1.2      30.30.30.2   ESP       ESP (SPI=0x00001b1c)
872  09:44:17.954010  1.1.1.2      30.30.30.2   ESP       ESP (SPI=0x00001b1c)
873  09:44:17.958380  30.30.30.2   1.1.1.2      ESP       ESP (SPI=0xfbea09c7)
874  09:44:17.960390  1.1.1.2      30.30.30.2   ESP       ESP (SPI=0x00001b1c)
875  09:44:17.966396  30.30.30.2   1.1.1.2      ESP       ESP (SPI=0xfbea09c7)
876  09:44:17.979445  30.30.30.2   1.1.1.2      ESP       ESP (SPI=0xfbea09c7)
877  09:44:17.981452  1.1.1.2      30.30.30.2   ESP       ESP (SPI=0x00001b1c)
878  09:44:18.072626  1.1.1.2      30.30.30.2   ESP       ESP (SPI=0x00001b1c)
879  09:44:18.077758  30.30.30.2   1.1.1.2      ESP       ESP (SPI=0xfbea09c7)

Figure 50 – IP Protocol Trace – Encapsulated Security Protocol.
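Scrolling a packet list to confirm that "everything is ESP" is error-prone once the capture has thousands of frames, and it also misses the subtler failures: one direction silent (a routing problem on the far side), or a cleartext packet between the peers that should have matched the crypto map. The following added example (written for these Application Notes; it is not Avaya or Cisco code) parses a packet list exported in the column layout of Figure 50 and checks three things for traffic between the two tunnel endpoints: that it is ESP (ISAKMP on UDP/500 is allowed, since IKE itself is expected in the clear), that ESP flows in both directions, and that each direction uses the single SPI reported by the peers. The function names, the constructed LEAKY_TRACE and the address 10.0.0.9 in it are assumptions made here for illustration.

```python
"""Audit an IP protocol trace captured between the VPN peers.

Added example for this application note; not Avaya's or Cisco's code.  The
packet-list layout is that of Figure 50; function names, LEAKY_TRACE and the
address 10.0.0.9 are assumptions made for illustration.
"""
import re
from collections import Counter, defaultdict

# Excerpt of Figure 50: ESP in both directions, one SPI per direction.
SAMPLE_TRACE = """\
No.  Time             Source       Destination  Protocol  Info
851  09:44:17.815564  30.30.30.2   1.1.1.2      ESP       ESP (SPI=0xfbea09c7)
852  09:44:17.839880  30.30.30.2   1.1.1.2      ESP       ESP (SPI=0xfbea09c7)
853  09:44:17.841574  1.1.1.2      30.30.30.2   ESP       ESP (SPI=0x00001b1c)
854  09:44:17.850941  1.1.1.2      30.30.30.2   ESP       ESP (SPI=0x00001b1c)
855  09:44:17.855480  30.30.30.2   1.1.1.2      ESP       ESP (SPI=0xfbea09c7)
856  09:44:17.879741  30.30.30.2   1.1.1.2      ESP       ESP (SPI=0xfbea09c7)
857  09:44:17.881470  1.1.1.2      30.30.30.2   ESP       ESP (SPI=0x00001b1c)
858  09:44:17.890920  1.1.1.2      30.30.30.2   ESP       ESP (SPI=0x00001b1c)
"""

# Constructed trace showing what the audit must tolerate or catch: IKE control
# traffic (expected in the clear), a cleartext UDP packet between the peers
# (traffic that missed the crypto map), and a packet to an unrelated host.
LEAKY_TRACE = """\
No.  Time             Source       Destination  Protocol  Info
901  09:50:01.000000  30.30.30.2   1.1.1.2      ESP       ESP (SPI=0xfbea09c7)
902  09:50:01.010000  1.1.1.2      30.30.30.2   ESP       ESP (SPI=0x00001b1c)
903  09:50:01.020000  30.30.30.2   1.1.1.2      ISAKMP    Informational
904  09:50:01.030000  30.30.30.2   1.1.1.2      UDP       Source port: 2048  Destination port: 2048
905  09:50:01.040000  30.30.30.2   10.0.0.9     ICMP      Echo (ping) request
"""

PEERS = ("30.30.30.2", "1.1.1.2")   # G450 serial interface, PIX outside interface
# SPIs from the Figure 42/43 negotiation, keyed by (src, dst).
EXPECTED_SPI = {("30.30.30.2", "1.1.1.2"): 0xfbea09c7, ("1.1.1.2", "30.30.30.2"): 0x1b1c}

LINE_RE = re.compile(r"^(?P<no>\d+)\s+(?P<time>[\d:.]+)\s+(?P<src>[\d.]+)\s+"
                     r"(?P<dst>[\d.]+)\s+(?P<proto>\S+)\s+(?P<info>.*)$")
SPI_RE = re.compile(r"SPI=(0x[0-9a-fA-F]+)")
CLEAR_OK = {"ESP", "ISAKMP"}   # ESP is the tunnel; IKE on UDP/500 is expected in the clear


def parse_trace(text):
    """Turn packet-list lines into dicts; lines that do not match (the header) are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        spi = SPI_RE.search(m["info"])
        pkts.append({"no": int(m["no"]), "src": m["src"], "dst": m["dst"],
                     "proto": m["proto"], "spi": int(spi.group(1), 16) if spi else None})
    return pkts


def audit_trace(pkts, peers=PEERS, expected_spi=EXPECTED_SPI):
    """Check that peer-to-peer traffic is ESP, flows both ways and uses the negotiated SPIs.

    Returns (stats, findings); an empty findings list means the tunnel looks healthy."""
    stats = {"counts": Counter(), "spis": defaultdict(set), "cleartext": []}
    for p in pkts:
        if {p["src"], p["dst"]} != set(peers):
            continue                          # not between the two tunnel endpoints
        flow = (p["src"], p["dst"])
        stats["counts"][flow] += 1
        if p["proto"] == "ESP" and p["spi"] is not None:
            stats["spis"][flow].add(p["spi"])
        elif p["proto"] not in CLEAR_OK:
            stats["cleartext"].append(p["no"])
    findings = []
    if stats["cleartext"]:
        findings.append(f"{len(stats['cleartext'])} packet(s) between the peers are not ESP: "
                        f"frames {stats['cleartext']}")
    for flow in ((peers[0], peers[1]), (peers[1], peers[0])):
        if not stats["spis"][flow]:
            findings.append(f"no ESP {flow[0]} -> {flow[1]}: "
                            f"{flow[0]} is not forwarding into the tunnel (check routing)")
            continue
        want = expected_spi.get(flow)
        if want is not None and stats["spis"][flow] != {want}:
            findings.append(f"{flow[0]} -> {flow[1]} uses SPI(s) "
                            f"{[hex(s) for s in sorted(stats['spis'][flow])]}, expected {want:#x}")
    return stats, findings


if __name__ == "__main__":
    for name, trace in (("Figure 50 excerpt", SAMPLE_TRACE), ("constructed leaky trace", LEAKY_TRACE)):
        stats, findings = audit_trace(parse_trace(trace))
        print(name, dict(stats["counts"]), findings or "OK")
```

A mismatch between the SPI seen on the wire and the one in `show crypto ipsec sa` normally just means a rekey happened between the two observations; a stale SPI that persists after a fresh capture points at the peers disagreeing on the SA.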


10. VPN Troubleshooting

Recommended troubleshooting order:

1. Physical Connectivity
2. Network Connectivity
3. Confirm Phase 1 ISAKMP SA establishment
4. Confirm Phase 2 inbound and outbound IPSec SA establishment
5. Confirm bi-directional VPN forwarding

If network connectivity appears to be working correctly, check SA establishment (see Section 9). If an ISAKMP SA and IPSec SAs are created between the peers, the problem is usually routing. Check the encryption and decryption statistics for the IPSec SAs. If there is a routing problem on one side of the tunnel, the Administrator will notice encryption/decryption in only one direction. This usually indicates that the remote network cannot route back through the tunnel. The most commonly encountered problems with VPNs are either mismatched ISAKMP or IPSec security attributes or routing problems. Be sure to pay close attention to these configuration items when administering a VPN.
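The reasoning above reduces to a comparison of two counters per SA pair: what this side encrypted and what it decrypted. The following added example (written for these Application Notes; it is not Avaya or Cisco code) extracts those counters from the `show crypto ipsec sa detail` output of both peers, in the formats shown in Figures 45 and 47, and classifies each crypto-map entry as idle, one-way in either direction, or bidirectional. The PIX output carries one entry per crypto ACL line, so the ICMP-only entry of Figure 45 (never used) is reported separately from the entry carrying the voice traffic. The function names, the classification strings and the abridged samples are assumptions made here for illustration.

```python
"""Read IPSec SA counters from both VPN peers and classify the tunnel state.

Added example for this application note; not Avaya's or Cisco's code.  Counter
formats follow Figures 45 and 47 (abridged); function names and verdict
strings are assumptions made for illustration.
"""
import re

# Constructed sample: abridged `show crypto ipsec sa detail` from the PIX
# (Figure 45).  The first crypto-ACL entry (protocol 1, ICMP) has never
# carried traffic; the second (all protocols) carries the VoIP traffic.
PIX_SA = """\
interface: outside
    Crypto map tag: BranchVPN, local addr. 1.1.1.2

   local ident (addr/mask/prot/port): (50.50.50.0/255.255.255.0/1/0)
   remote ident (addr/mask/prot/port): (73.73.73.0/255.255.255.0/1/0)
   current_peer: 30.30.30.2:0
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts no sa (send) 0, #pkts invalid sa (rcv) 0
     current outbound spi: 0

   local ident (addr/mask/prot/port): (50.50.50.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (73.73.73.0/255.255.255.0/0/0)
   current_peer: 30.30.30.2:500
    #pkts encaps: 508147, #pkts encrypt: 508147, #pkts digest 508147
    #pkts decaps: 514309, #pkts decrypt: 514309, #pkts verify 514309
    #pkts no sa (send) 110, #pkts invalid sa (rcv) 0
     current outbound spi: 80ce
"""

# Constructed sample: abridged `show crypto ipsec sa detail` from the G450
# (Figure 47), inbound and outbound counters side by side.
G450_SA = """\
      Inbound packets                       Outbound packets
      Total                 1592            Total                 1862
      Decrypt               1592            Encrypt               1861
      Total discards        0               Total discards        1
      Invalid len           0               No sa                 1
"""

IDENT_RE = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): \(([^)]+)\)")
COUNTER_RE = re.compile(r"#pkts (encaps|decaps|encrypt|decrypt): (\d+)")
NOSA_RE = re.compile(r"#pkts no sa \(send\) (\d+)")
SPI_RE = re.compile(r"current outbound spi: ([0-9a-fA-F]+)")


def parse_pix_ipsec_sa(text):
    """One dict per crypto-map entry (each entry starts at a 'local ident' line)."""
    entries = []
    for chunk in re.split(r"(?=local\s+ident)", text)[1:]:
        e = {"counters": {}, "no_sa": 0, "outbound_spi": None}
        for side, ident in IDENT_RE.findall(chunk):
            e[side] = ident
        for name, value in COUNTER_RE.findall(chunk):
            e["counters"][name] = int(value)
        m = NOSA_RE.search(chunk)
        if m:
            e["no_sa"] = int(m.group(1))
        m = SPI_RE.search(chunk)
        if m:
            e["outbound_spi"] = int(m.group(1), 16)
        entries.append(e)
    return entries


def parse_g450_ipsec_sa(text):
    """Pick the encrypt/decrypt/no-SA counters out of the G450 two-column table."""
    out = {}
    for key, pat in (("encrypt", r"Encrypt\s+(\d+)"), ("decrypt", r"Decrypt\s+(\d+)"),
                     ("no_sa", r"No sa\s+(\d+)")):
        m = re.search(pat, text)
        out[key] = int(m.group(1)) if m else 0
    return out


def diagnose(encrypted, decrypted, no_sa=0):
    """Apply the Section 10 reasoning to one SA pair's counters."""
    if encrypted == 0 and decrypted == 0:
        return "idle: no traffic has matched this crypto ACL entry"
    if decrypted == 0:
        return "one-way (send only): the remote network is not routing back through the tunnel"
    if encrypted == 0:
        return "one-way (receive only): this side is not routing traffic into the tunnel"
    verdict = "bidirectional: tunnel forwarding OK"
    if no_sa:
        verdict += f" ({no_sa} packet(s) dropped while no SA existed, e.g. during rekey)"
    return verdict


def report(pix_text, g450_text):
    """Diagnose every PIX crypto-map entry and the G450 side, as printable lines."""
    lines = []
    for e in parse_pix_ipsec_sa(pix_text):
        c = e["counters"]
        lines.append(f"PIX {e['local']} <-> {e['remote']}: "
                     + diagnose(c.get("encrypt", 0), c.get("decrypt", 0), e["no_sa"]))
    g = parse_g450_ipsec_sa(g450_text)
    lines.append("G450: " + diagnose(g["encrypt"], g["decrypt"], g["no_sa"]))
    return lines


if __name__ == "__main__":
    print("\n".join(report(PIX_SA, G450_SA)))
```

Take the two outputs a minute apart and run the report twice: counters that grow on one side only confirm the one-way case even when the historical totals look balanced.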

10.1. Clearing Avaya G450 Media Gateway SAs

The following Avaya G450 Media Gateway commands may be used to clear ISAKMP (Phase 1) and IPSec (Phase 2) SAs. Administrators should always clear Phase 2 IPSec SAs prior to clearing Phase 1 ISAKMP SAs in order to ensure proper operation.

1. IPSEC Phase 2 SA

   a. clear crypto sa all

2. ISAKMP Phase 1 SA

   a. clear crypto isakmp

Alternatively, the Administrator may choose to remove a specific ISAKMP SA from a list of SAs based on the C-id.

   b. Enter the show crypto isakmp sa command and note the “C-id” number you wish to clear (depending on the configuration, more than one may be listed).

G450-001(super)# show crypto isakmp sa
C-id Local           Remote          State   Encr    Hash Aut DH TTL   DPD Nat-T
---- --------------- --------------- ------- ------- ---- --- -- ----- --- -----
109  30.30.30.2      1.1.1.2         Ready   3des    sha  psk 2  85726 Yes No

Figure 51 – Output of show crypto isakmp sa command.

c. Enter clear crypto isakmp xxx, where xxx is the C-id number (109 in the example above).


10.2. Capturing IPSEC Data on the Avaya G450 Media Gateway

The Avaya G450 Media Gateway has a capture function allowing a protocol trace to be taken that decrypts the IPSec data streams. This captured data can then be read by the Wireshark open-source IP protocol analyzer to help in debugging protocol issues on the VPN tunnel.

Note – The capture feature has many options to customize the data that is collected. For more information on this command see [1].

1. Enable the capture feature.

   a. capture-service

2. Specify the interface where the capture will be performed. In the sample configuration this is the Frame Relay Serial sub-interface that terminates the VPN at the Avaya G450 Media Gateway (see Section 3.4).

   b. capture interface serial 8/1:1.1

3. Enable IPSec decryption for the capture.

   c. capture ipsec decrypted

4. Start the capture.

   d. capture start

5. After the test is performed, stop the capture.

   e. capture stop

6. Verify that data has been captured into the buffer with the show capture command. Figure 51 shows a sample output from this command.

   f. show capture

G450-001> show capture
Capture service is enabled and inactive
Capture start time 19/06/2004-13:57:40
Capture stop time 19/06/2004-13:58:23
Current buffer size is 1024 KB
Buffer mode is cyclic
Maximum number of bytes captured from each frame: 1515
Capture list 527 on interface "Serial 8/1:1.1"
Number of captured frames in file: 3596 (out of 3596 total captured frames)
Size of capture file: 266 KB (26.6 %)

Figure 51 – Output of show capture command.

7. Copy the captured data to an external device to be viewed via Wireshark. The file can be copied via FTP, TFTP, SCP, or to a USB device. In the sample configuration the captured data was copied to a USB flash drive inserted into a USB interface on the Avaya G450 Media Gateway.

   g. copy capture-file usb <name the file> usbdevice0
   h. Before removing the USB device, enter safe-removal usb usbdevice0

11. Conclusion

Site-to-site IPSec Virtual Private Network (VPN) connectivity between an Avaya G450 Media Gateway and a Cisco PIX 515 Firewall, using the Internet Key Exchange (IKE) protocol to establish a secure Internet Security Association and Key Management Protocol (ISAKMP) control channel between two peers, can be achieved using the guidelines demonstrated in these Application Notes.


12. References

The following references are available from www.avaya.com

[1] Administration for the Avaya G450 Media Gateway, 03-602055, Issue 1, January 2008
[2] Administrator Guide for Avaya Communication Manager, 03-300509, Issue 4.0, Release 5.0, January 2008
[3] IPSec Virtual Private Network (VPN) between an Avaya G350 Media Gateway and a Cisco PIX 525 Firewall - Issue 1.0, March 2005
[4] Avaya one-X™ Deskphone Edition for 9600 Series SIP IP Telephones Administrator Guide Release 2.0, 16-601944, Issue 2, December 2007
[5] Avaya one-X™ Deskphone Edition for 9600 Series SIP IP Telephones Installation and Maintenance Guide Release 2.0, 16-601943, Issue 2, December 2007

The following references are available from www.cisco.com

[6] Cisco PIX Firewall Command Reference, Version 6.3, 78-14890-01, 2004
[7] PIX 6.x: Simple PIX-to-PIX VPN Tunnel Configuration Example, Document ID: 6211, 2007
[8] Cisco IOS Wide-Area Networking Command Reference, Release 12.3, OL-4432-01


©2008 Avaya Inc. All Rights Reserved. Avaya and the Avaya Logo are trademarks of Avaya Inc. All trademarks identified by ® and ™ are registered trademarks or trademarks, respectively, of Avaya Inc. All other trademarks are the property of their respective owners. The information provided in these Application Notes is subject to change without notice. The configurations, technical data, and recommendations provided in these Application Notes are believed to be accurate and dependable, but are presented without express or implied warranty. Users are responsible for their application of any products specified in these Application Notes. Please e-mail any questions or comments pertaining to these Application Notes along with the full title name and filename, located in the lower right corner, directly to the Avaya Solution & Interoperability Test Lab at [email protected]