
Avaya Solution & Interoperability Test Lab

Configuring a Generic Routing Encapsulation (GRE) Tunnel Over IPSec VPN Using Transport Mode with Open Shortest Path First (OSPF) Routing Protocol between an Avaya G250 Media Gateway and a Cisco Access Router - Issue 1.0

Abstract

These Application Notes present the steps necessary to configure a Generic Routing Encapsulation (GRE) tunnel over IPSec VPN using transport mode for Open Shortest Path First (OSPF) routing protocol between the Avaya G250 Media Gateway and a Cisco Access Router. Without a GRE tunnel, an IPSec configuration cannot transfer routing protocols, such as OSPF.

JZ; Reviewed: GAK 6/16/2005

Solution & Interoperability Test Lab Application Notes ©2005 Avaya Inc. All Rights Reserved.

1 of 21 G250-GRE-VPN.doc


1. Introduction

The network diagram in Figure 1 shows two offices. The office labeled “Main Office” uses an Avaya S8500 Media Server and an Avaya G650 Media Gateway. The office labeled “Small Office” contains an Avaya G250-BRI Media Gateway. As shown in Figure 1, a VPN tunnel across the Internet between the Avaya G250-BRI Media Gateway and the Cisco 3745 Access Router is used between the Main and Small Offices. Normal IP Security (IPSec) configurations cannot transfer routing protocols, such as Open Shortest Path First (OSPF). These Application Notes illustrate how to configure a Generic Routing Encapsulation (GRE) tunnel to accomplish the routing between the different networks.

Access to the Internet from the Avaya G250-BRI Media Gateway and the Cisco Access Router is configured to use PPP over T1 in the sample configuration. The Avaya Inter-Gateway Alternate Routing (IGAR) feature provides a means of alternately using PSTN facilities when the IP link is incapable of carrying the bearer connection. The number of VoIP calls allowed on the IP link is determined by the Call Admission Control – Bandwidth Limit (CAC-BL) reported from the Avaya G250-BRI Media Gateway and the IP Codec used. Once the bandwidth limit is reached, subsequent calls will use the PSTN facilities.

[Figure 1 (network diagram): Main Office with Avaya S8500 Media Server, Avaya G650 Media Gateway (IPSI, C-LAN, MEDPRO), Cisco Catalyst 6509, Cisco 3745 and Avaya IP Telephones; Small Office with Avaya S8300 LSP and Avaya G250-BRI Media Gateway (PMI 192.168.203.1), Avaya IP Telephones and Avaya Analog Phones; PSTN ISDN PRI/BRI between the offices; Internet link 68.38.206.100 <-> 12.160.179.124 carrying the IPSec tunnel and the GRE tunnel 10.10.11.1 <-> 10.10.11.2.]

Figure 1: GRE Tunnel Over IPSec Configuration Between an Avaya G250-BRI Media Gateway and a Cisco Access Router



2. Equipment and Software Validated

Table 1 below shows the versions verified in these Application Notes.

    Equipment                                                Software
    -------------------------------------------------------  ----------------
    Avaya Communication Manager
      Avaya S8500 Media Server                               3.0 (load 337.0)
      Avaya S8300 Media Server (LSP)                         3.0 (load 337.0)
    Avaya G650 Media Gateway
      IPSI (TN2312AP)                                        HW03 FW012
      C-LAN (TN799DP)                                        HW01 FW012
      MEDPRO (TN2302AP)                                      HW15 FW102
    Avaya G250-BRI Media Gateway                             24.11.1
    Avaya 4600 Series IP Telephones                          2.1.3
    Cisco 3745 Access Router                                 12.3(13)
    Cisco Catalyst 6509 Switch
      Layer 2                                                8.3(4)
      Layer 3                                                12.1(13)E6

Table 1: Software Versions

3. Configurations

The Avaya IGAR is a single-server feature that provides an alternate bearer path between the Port Networks (PNs) and Gateways (GWs). In order to keep a single-server system, the IP connection must exist between the Avaya Media Server and Avaya PNs/GWs. As shown in Figure 1, the Avaya G250-BRI Media Gateway will register to the Avaya S8300 Local Survivable Processor (LSP) when there is no IP connection between the Main and Small Offices. Sections 3.1 and 3.2 focus on the VPN related configuration between the Avaya G250-BRI Media Gateway and the Cisco Access Router. Refer to reference [1] for how to configure the Avaya IGAR feature based on Figure 1.

3.1 Configure Avaya G250-BRI Media Gateway

3.1.1. Configure IP Routing on the Avaya G250-BRI Media Gateway

The following screen shows VLAN configurations of VLAN 202 and 203. VLAN 203 is configured as the Primary Management Interface (PMI). The G250-BRI Media Gateway will use the PMI to register to the Media Gateway Controllers (MGC).

    interface Vlan 202
     ip address 192.168.202.1 255.255.255.0
    interface Vlan 203
     icc-vlan
     ip address 192.168.203.1 255.255.255.0
     pmi


In the following screen, an MM340 T1/E1 data module on the G250-BRI Media Gateway is connected to the Internet with a public IP address. The module is configured to T1 by default. Channel group 1 is configured with 24 channels. The corresponding Serial interface 2/1:1 is configured for PPP encapsulation.

    ds-mode t1
    controller t1 2/1
     linecode b8zs
     framing esf
     channel-group 1 timeslots 1-24 speed 64
    interface Serial 2/1:1
     encapsulation ppp
     ip address 68.38.206.100 255.255.255.0

In the following screen, a GRE tunnel interface is configured. The tunnel source IP address is the IP address of Serial 2/1:1 and the tunnel destination is the Cisco Access Router’s public IP address. The tunnel IP addresses on the Avaya G250-BRI Media Gateway and Cisco Access Router must be configured on the same network for the OSPF routing protocol.

    interface Tunnel 1
     tunnel source 68.38.206.100
     tunnel destination 12.160.179.124
     ip address 10.10.11.1 255.255.255.252

The following screen shows the OSPF and default route configuration. The tunnel interface must be included in the OSPF configuration. The default route is configured to the Internet gateway IP address.

    router ospf
     network 10.10.11.0 0.0.0.3 area 0.0.0.0
     network 192.168.202.0 0.0.0.255 area 0.0.0.0
     network 192.168.203.0 0.0.0.255 area 0.0.0.0
    ip default-gateway 68.38.206.1


3.1.2. Configure VPN on the Avaya G250-BRI Media Gateway

The Avaya G250-BRI Media Gateway is also a VPN appliance. The following shows the IKE phase 1 policy configuration. Configurations on the Cisco Access Router and Avaya G250-BRI Media Gateway must match for the IKE phase 1 proposal.

    crypto isakmp policy 1
     description "Phase 1 Proposal"
     encryption aes
     hash md5
     group 2
     authentication pre-share

The following screen shows the ISAKMP peer configuration with the Cisco Access Router. The Avaya G250-BRI Media Gateway is configured to initiate the IKE connection (aggressive mode). The Avaya G250-BRI Media Gateway supports standard VPN Dead Peer Detection (DPD) keepalives. The command keepalive 10 retry 2 on-demand is used to configure the DPD keepalives. With the on-demand approach, the G250-BRI Media Gateway never sends a DPD message if it has no traffic to send. If the G250-BRI Media Gateway has outbound traffic to send and the liveliness of the peer is questionable, it sends a DPD message to query the status of the peer. In the example, the G250-BRI Media Gateway sends a DPD keepalive message every 10 seconds and retries every two seconds if the DPD messages fail.

    crypto isakmp peer address 12.160.179.124
     pre-shared-key ****
     isakmp-policy 1
     initiate mode aggressive
     keepalive 10 retry 2 on-demand

The following creates an IPSec Phase 2 transform-set proposal using transport mode. In transport mode, only the IP payload is encrypted, and the original IP headers are left intact. With tunnel mode, the entire original IP packet is encrypted, and a new VPN header is added. Compared to tunnel mode, transport mode results in less overhead, and therefore uses less bandwidth for a VoIP call. Perfect Forward Secrecy (PFS) is enabled to strengthen the tunnel against brute force attacks.

    crypto ipsec transform-set H2 esp-aes esp-sha-hmac
     mode transport
     set pfs group2
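To put a number on the transport-versus-tunnel comparison above, the following added example (not from the Application Notes) computes the on-the-wire size of one voice packet carried as RTP/UDP/IP inside GRE inside ESP with the page's esp-aes / esp-sha-hmac transform set, in each IPSec mode, and goes one step beyond the text by doing it for a G.729 stream as well as G.711. It assumes AES-CBC with a 16-byte IV, HMAC-SHA-1-96 (12-byte ICV), no NAT-T encapsulation (the G250-BRI debug output reports no NAT device), and ignores the PPP framing of the T1 link.

```python
# Added example: per-packet cost of GRE over ESP in transport vs tunnel mode.
# Header sizes are the standard ones for IPv4, UDP, RTP and GRE (no GRE options).
IP_HDR, UDP_HDR, RTP_HDR, GRE_HDR = 20, 8, 12, 4
ESP_HDR = 8        # SPI (4) + sequence number (4)
AES_IV = 16        # AES-CBC IV, sent in clear at the start of the ESP payload
AES_BLOCK = 16     # payload + padding + trailer is padded to a multiple of this
ESP_TRAILER = 2    # pad length (1) + next header (1), both encrypted
SHA1_96_ICV = 12   # esp-sha-hmac appends a 96-bit truncated HMAC-SHA-1


def esp_size(plaintext_len):
    """Bytes of ESP (header, IV, ciphertext, ICV) needed to carry plaintext_len bytes."""
    ciphertext = -(-(plaintext_len + ESP_TRAILER) // AES_BLOCK) * AES_BLOCK  # round up
    return ESP_HDR + AES_IV + ciphertext + SHA1_96_ICV


def gre_over_ipsec_size(voice_bytes, mode):
    """Total IPv4 packet size on the Internet link for one voice frame."""
    inner_ip = IP_HDR + UDP_HDR + RTP_HDR + voice_bytes   # the routed VoIP packet
    gre = GRE_HDR + inner_ip                              # what Tunnel 1 hands to IPSec
    if mode == "transport":
        # ESP protects the GRE payload; the GRE endpoints' IP header stays as the outer header.
        return IP_HDR + esp_size(gre)
    if mode == "tunnel":
        # ESP protects the whole GRE packet, IP header included, then a new IP header is added.
        return IP_HDR + esp_size(IP_HDR + gre)
    raise ValueError("mode must be 'transport' or 'tunnel'")


def call_bandwidth_kbps(voice_bytes, packets_per_second, mode):
    """IP-layer bandwidth of a one-way voice stream, in kbit/s."""
    return gre_over_ipsec_size(voice_bytes, mode) * 8 * packets_per_second / 1000


def compare_modes(voice_bytes, packets_per_second):
    """Return (transport_bytes, tunnel_bytes, kbit/s saved by transport mode) per stream."""
    transport = gre_over_ipsec_size(voice_bytes, "transport")
    tunnel = gre_over_ipsec_size(voice_bytes, "tunnel")
    return transport, tunnel, (tunnel - transport) * 8 * packets_per_second / 1000


if __name__ == "__main__":
    # Constructed inputs: 20 ms packetization, 50 packets/s; G.711 = 160 B, G.729 = 20 B of voice.
    for codec, payload in (("G.711", 160), ("G.729", 20)):
        t, u, saved = compare_modes(payload, 50)
        print(f"{codec}: transport {t} B/pkt, tunnel {u} B/pkt, "
              f"transport saves {saved:.1f} kbit/s per direction")
```

For G.711 the saving is 32 bytes per packet rather than a bare 20-byte IP header, because the extra header also pushes the AES padding to the next 16-byte boundary.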


The following assigns an IPSec phase 2 proposal to the Cisco Access Router via a crypto map:

    crypto map 1
     description "Phase 2 Proposal"
     set peer 12.160.179.124
     set transform-set H2

The following screen configures a crypto-list 901 to define the VPN traffic between the Avaya G250-BRI Media Gateway and Cisco Access Router. Note that the source IP address must be configured to the GRE tunnel source IP address and the destination IP address to the public IP address of the Cisco Access Router.

    ip crypto-list 901
     name "To-Cisco-3745"
     local-address Serial 2/1:1
     ip-rule 1
      protect crypto map 1
      source-ip host 68.38.206.100
      destination-ip host 12.160.179.124

Use the command ip crypto-group to apply IP crypto-list 901 to the public facing interface, which is Serial 2/1:1 in the sample.

    interface Serial 2/1:1
     encapsulation ppp
     ip crypto-group 901
     ip address 68.38.206.100 255.255.255.0


3.2 Configure Cisco Access Router

3.2.1. Basic IP Routing Configuration

The Cisco 3745 Access Router is connected to the Cisco Catalyst 6509 and to the Internet. The following screen shows the interface configuration. FastEthernet0/0 is connected to the Cisco Catalyst 6509 and Serial0/0 is connected to the Internet.

    interface FastEthernet0/0
     ip address 192.168.200.1 255.255.255.0
     duplex auto
     speed auto
    !
    interface Serial0/0
     ip address 12.160.179.124 255.255.255.0
     encapsulation ppp
     service-module t1 clock source internal

In the following screen, a GRE tunnel interface is configured. The tunnel source IP address is the IP address of Serial0/0 and the tunnel destination is the public IP address of the G250-BRI Media Gateway. The tunnel IP addresses on the Avaya G250-BRI Media Gateway and Cisco Access Router must be configured on the same network in order for the OSPF routing protocol to work properly.

    interface Tunnel1
     ip address 10.10.11.2 255.255.255.252
     tunnel source Serial0/0
     tunnel destination 68.38.206.100

The following screen shows the OSPF and default route configuration. The OSPF routing is configured with the Cisco 6509 and the Avaya G250-BRI Media Gateway via the tunnel interface. The tunnel interface must be included in the OSPF configuration. The default route is configured to the Internet gateway.

    router ospf 1
     log-adjacency-changes
     network 10.10.11.0 0.0.0.3 area 0
     network 192.168.200.0 0.0.0.255 area 0
    ip route 0.0.0.0 0.0.0.0 12.160.179.1


3.2.2. VPN Configuration

The following shows the IKE phase 1 policy and pre-shared key configuration with the G250-BRI Media Gateway. These configurations must match the configurations of the Avaya G250-BRI Media Gateway.

    crypto isakmp policy 1
     encr aes
     hash md5
     authentication pre-share
     group 2
    crypto isakmp key xxxxxx address 68.38.206.100

The following screen shows the IPSec (IKE phase 2) configuration. IKE phase 2 is configured with transport mode. Access list 100 is configured to define the VPN traffic between the Cisco Access Router and the Avaya G250-BRI Media Gateway. Note that the source IP address in access list 100 must be configured to the GRE tunnel source IP address and the destination IP address to the public IP address of the Avaya G250-BRI Media Gateway.

    crypto ipsec transform-set H2 esp-aes esp-sha-hmac
     mode transport
    !
    crypto map G250-BRI 10 ipsec-isakmp
     set peer 68.38.206.100
     set transform-set H2
     set pfs group2
     match address 100
    access-list 100 permit ip host 12.160.179.124 host 68.38.206.100

Use the command crypto isakmp keepalive 10 2 to enable DPD keepalives.

    crypto isakmp keepalive 10 2

Apply the IP crypto map to the public facing interface (Serial0/0):

    interface Serial0/0
     ip address 12.160.179.124 255.255.255.0
     encapsulation ppp
     service-module t1 clock source internal
     crypto map G250
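With both sides configured, the following added example (not from the Application Notes) cross-checks the settings that Sections 3.1.2 and 3.2.2 say must agree: the IKE phase 1 proposal, the transform set, mode and PFS group, that each crypto-list or access-list protects exactly the GRE endpoint pair, that the two tunnel addresses share a subnet for OSPF, and the DPD timers. The two configuration snippets are constructed copies of the page's lines, and the regex parsing is written for these two dialects only.

```python
# Added example: cross-check the G250-BRI (Section 3.1) and Cisco IOS (Section 3.2) settings
# that must agree. Both snippets are constructed copies of the page's configuration lines.
import ipaddress
import re

G250_CONFIG = """\
interface Tunnel 1
 tunnel source 68.38.206.100
 tunnel destination 12.160.179.124
 ip address 10.10.11.1 255.255.255.252
crypto isakmp policy 1
 encryption aes
 hash md5
 group 2
 authentication pre-share
crypto isakmp peer address 12.160.179.124
 keepalive 10 retry 2 on-demand
crypto ipsec transform-set H2 esp-aes esp-sha-hmac
 mode transport
 set pfs group2
ip crypto-list 901
  source-ip host 68.38.206.100
  destination-ip host 12.160.179.124
"""

CISCO_CONFIG = """\
interface Tunnel1
 ip address 10.10.11.2 255.255.255.252
 tunnel source Serial0/0
 tunnel destination 68.38.206.100
interface Serial0/0
 ip address 12.160.179.124 255.255.255.0
crypto isakmp policy 1
 encr aes
 hash md5
 authentication pre-share
 group 2
crypto isakmp keepalive 10 2
crypto ipsec transform-set H2 esp-aes esp-sha-hmac
 mode transport
crypto map G250-BRI 10 ipsec-isakmp
 set pfs group2
access-list 100 permit ip host 12.160.179.124 host 68.38.206.100
"""

def _grab(pattern, text):
    """First capture group of a line-anchored regex, or None if absent."""
    m = re.search(pattern, text, re.MULTILINE)
    return m.group(1) if m else None

def _block(text, header):
    """Indented body of the config block introduced by the given header line."""
    m = re.search(r"^%s\n((?: .*\n)*)" % re.escape(header), text, re.MULTILINE)
    return m.group(1) if m else ""

def parse_side(text):
    """Pull out, from either dialect, the values the two peers must agree on."""
    tunnel = _block(text, "interface Tunnel 1") or _block(text, "interface Tunnel1")
    src = _grab(r"tunnel source (\S+)", tunnel)
    if not re.match(r"\d+\.\d+\.\d+\.\d+$", src):   # IOS names the source interface
        src = _grab(r"ip address (\S+)", _block(text, "interface " + src))
    ip, mask = re.search(r"ip address (\S+) (\S+)", tunnel).groups()
    acl = (re.search(r"source-ip host (\S+)\n\s+destination-ip host (\S+)", text)
           or re.search(r"permit ip host (\S+) host (\S+)", text)).groups()
    dpd = re.search(r"keepalive (\d+)(?: retry)? (\d+)", text)
    return {
        "phase1": (_grab(r"^ (?:encryption|encr) (\S+)", text), _grab(r"^ hash (\S+)", text),
                   _grab(r"^ group (\S+)", text), _grab(r"^ authentication (\S+)", text)),
        "transform": tuple(_grab(r"^crypto ipsec transform-set \S+ (.*)$", text).split()),
        "mode": _grab(r"^ mode (\S+)", text),
        "pfs": _grab(r"set pfs (\S+)", text),
        "gre": (src, _grab(r"tunnel destination (\S+)", tunnel)),
        "tunnel_net": ipaddress.ip_interface("%s/%s" % (ip, mask)).network,
        "acl": acl,
        "dpd": tuple(int(x) for x in dpd.groups()) if dpd else None,
    }

def cross_check(g250, cisco):
    """Return the list of mismatches; an empty list means the two sides agree."""
    problems = []
    if g250["phase1"] != cisco["phase1"]:
        problems.append("IKE phase 1 proposal differs: %s vs %s" % (g250["phase1"], cisco["phase1"]))
    for key in ("transform", "mode", "pfs"):
        if g250[key] != cisco[key]:
            problems.append("IKE phase 2 %s differs: %s vs %s" % (key, g250[key], cisco[key]))
    if g250["gre"] != cisco["gre"][::-1]:          # each side's source is the other's destination
        problems.append("GRE endpoints do not mirror each other: %s vs %s" % (g250["gre"], cisco["gre"]))
    for name, side in (("G250", g250), ("Cisco", cisco)):
        if side["acl"] != side["gre"]:              # crypto-list / ACL must cover exactly the GRE pair
            problems.append("%s crypto ACL %s does not match its GRE endpoints %s" % (name, side["acl"], side["gre"]))
    if g250["tunnel_net"] != cisco["tunnel_net"]:   # OSPF adjacency needs a shared tunnel subnet
        problems.append("tunnel addresses are on different networks")
    if g250["dpd"] != cisco["dpd"]:                 # page uses 10 s / 2 s on both ends
        problems.append("DPD timers differ: %s vs %s" % (g250["dpd"], cisco["dpd"]))
    return problems

if __name__ == "__main__":
    found = cross_check(parse_side(G250_CONFIG), parse_side(CISCO_CONFIG))
    print("\n".join(found) if found else "both sides agree")
```

The checker confirms only that the peers agree, not that what they agree on meets a current baseline: an MD5 hash and aggressive mode with a pre-shared key, as used on this page, would not pass a present-day review.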


4 Verification Steps

4.1 Verify VPN Status

Use the command show crypto isakmp sa on the Avaya G250-BRI Media Gateway to display the current IKE SA. As shown below, the ISAKMP is ready and the DPD is enabled.

    G250-001(super)# show crypto isakmp sa
    C-id Local           Remote          State   Encr    Hash Aut DH TTL   DPD Nat-T
    ---- --------------- --------------- ------- ------- ---- --- -- ----- --- ---
    8    68.38.206.100   12.160.179.124  Ready   aes     md5  psk 2  86343 Yes No

Use the command show crypto ipsec sa on the Avaya G250-BRI Media Gateway to display the current IPSec status. Note that the IPSec runs in the transport mode.

    G250-001(super)# show crypto ipsec sa
    Interface: Serial 2/1:1
     Crypto list id: 901, Local address: Serial 2/1:1.0
      Rule: 1, Crypto map: 1, "Phase 2 Proposal"
       Local address: 68.38.206.100, Remote address: 12.160.179.124
       Local identity: 68.38.206.100/255.255.255.255
       Remote identity: 12.160.179.124/255.255.255.255
       path mtu 1500, media mtu 1500
       Current outbound spi: 0xa475be52

       Inbound packets                      Outbound packets
       ------------------------------------ -----------------------------------
       Total          213                   Total          1385
       Total OK       213                   Total OK       1384
       Decrypt        213                   Encrypt        1384
       Verify         213                   Digest         1384
       Decaps         0                     Encaps         0
       Total discards 0                     Total discards 1

       SA Type         SPI        Transform     PFS Secs left  KB left    Mode
       --------------- ---------- ------------- --- ---------- ---------- ---------
       Inbound ESP     0x5cda     esp-aes       #2  3442       4607968    Transport
                                  esp-sha-hmac
       Outbound ESP    0xa475be52 esp-aes       #2  3442       4607841    Transport
                                  esp-sha-hmac


Use the command show crypto isakmp sa detail on the Cisco Router to display the current IKE SA. The DPD keepalives are enabled.

    C3745#show crypto isakmp sa detail
    Codes: C - IKE configuration mode, D - Dead Peer Detection
           K - Keepalives, N - NAT-traversal
           X - IKE Extended Authentication
           psk - Preshared key, rsig - RSA signature
           renc - RSA encryption

    C-id  Local           Remote          I-VRF  Encr Hash Auth DH Lifetime Cap.
    8     12.160.179.124  68.38.206.100          aes  md5  psk  2  23:51:41 D

Use the command show crypto ipsec sa on the Cisco Router to display the current IPSec status. Note that IPSec runs in the transport mode.

    C3745#show crypto ipsec sa
    interface: Serial0/0
        Crypto map tag: G250, local addr. 12.160.179.124

       protected vrf:
       local  ident (addr/mask/prot/port): (12.160.179.124/255.255.255.255/0/0)
       remote ident (addr/mask/prot/port): (68.38.206.100/255.255.255.255/0/0)
       current_peer: 68.38.206.100:2070
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 526, #pkts encrypt: 526, #pkts digest 526
        #pkts decaps: 5327, #pkts decrypt: 5327, #pkts verify 5327
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 4, #recv errors 0

         local crypto endpt.: 12.160.179.124, remote crypto endpt.: 68.38.206.100
         path mtu 1500, ip mtu 1500, ip mtu idb Serial0/0
         current outbound spi: 5CDA

         inbound esp sas:
          spi: 0xA475BE52(2759179858)
            transform: esp-aes esp-sha-hmac ,
            in use settings ={Transport, }
            slot: 0, conn id: 2000, flow_id: 1, crypto map: G250
            sa timing: remaining key lifetime (k/sec): (4389779/3007)
            IV size: 16 bytes
            replay detection support: Y

         inbound ah sas:

         inbound pcp sas:

         outbound esp sas:
          spi: 0x5CDA(23770)
            transform: esp-aes esp-sha-hmac ,
            in use settings ={Transport, }
            slot: 0, conn id: 2001, flow_id: 2, crypto map: G250
            sa timing: remaining key lifetime (k/sec): (4390309/3006)
            IV size: 16 bytes
            replay detection support: Y

         outbound ah sas:

         outbound pcp sas:

Syslog debugging can be enabled on the G250-BRI Media Gateway to troubleshoot VPN issues. Enter the following commands from the console port to enable VPN debugging.

    G250-001(super)# set logging session condition isakmp debug
    G250-001(super)# set logging session condition ipsec debug
    G250-001(super)# set logging session enable

The following screen shows annotated syslog debug messages from the Avaya G250-BRI Media Gateway:

    !---G250-BRI initiates IKE phase 1 with aggressive mode.
    04/06/2005,14:37:45:ISAKMP-Informational: Initiating IKE phase 1 negotiation:
      Peers 68.38.206.100<->12.160.179.124, mode aggressive
    !---G250-BRI sends IKE phase 1 proposal to the Cisco Access Router.
    04/06/2005,14:37:45:ISAKMP-Debug: Sending vendor ID to 12.160.179.124 (VID length = 16):
      Peers 68.38.206.100<->12.160.179.124
      Avaya Gateway VPN v1.0 (0x133bc1e3f926a020cad5bed4ffe04c8f)
    04/06/2005,14:37:45:ISAKMP-Debug: Sending vendor ID to 12.160.179.124 (VID length = 16):
      Peers 68.38.206.100<->12.160.179.124
      draft-ietf-ipsec-dpd-00.txt (0xafcad71368a1f1c96b8696fc77570100)
    04/06/2005,14:37:45:ISAKMP-Debug: Sending vendor ID to 12.160.179.124 (VID length = 16):
      Peers 68.38.206.100<->12.160.179.124
      Avaya VPNos v3.2 (0x4485152d18b6bbcc0be8a8469579ddcc)
    04/06/2005,14:37:45:ISAKMP-Debug: Sending vendor ID to 12.160.179.124 (VID length = 16):
      Peers 68.38.206.100<->12.160.179.124
      draft-ietf-ipsec-nat-t-ike-00 (0x4485152d18b6bbcd0be8a8469579ddcc)
    04/06/2005,14:37:45:ISAKMP-Debug: Sending vendor ID to 12.160.179.124 (VID length = 16):
      Peers 68.38.206.100<->12.160.179.124
      draft-ietf-ipsec-nat-t-ike-02 (0xcd60464335df21f87cfdb2fc68b6a448)
    04/06/2005,14:37:45:ISAKMP-Debug: Sending vendor ID to 12.160.179.124 (VID length = 16):
      Peers 68.38.206.100<->12.160.179.124
      draft-ietf-ipsec-nat-t-ike-02-cisco (0x90cb80913ebb696e086381b5ec427b1f)
    04/06/2005,14:37:45:ISAKMP-Debug: Sending vendor ID to 12.160.179.124 (VID length = 16):
      Peers 68.38.206.100<->12.160.179.124
      draft-ietf-ipsec-nat-t-ike-03 (0x7d9419a65310ca6f2c179d9215529d56)
    04/06/2005,14:37:45:ISAKMP-Debug: Sending vendor ID to 12.160.179.124 (VID length = 16):
      Peers 68.38.206.100<->12.160.179.124
      RFC 3947 (0x4a131c81070358455c5728f20e95452f)
    !---G250-BRI receives IKE phase 1 from the Cisco Router.
    04/06/2005,14:37:46:ISAKMP-Debug: Received vendor ID from 12.160.179.124 (VID length = 16):
      Peers 68.38.206.100<->12.160.179.124
      Unknown (0x12f5f28c457168a9702d9fe274cc0100)
    04/06/2005,14:37:46:ISAKMP-Debug: Received vendor ID from 12.160.179.124 (VID length = 16):
      Peers 68.38.206.100<->12.160.179.124
      draft-ietf-ipsec-dpd-00.txt (0xafcad71368a1f1c96b8696fc77570100)
    04/06/2005,14:37:46:ISAKMP-Debug: Received vendor ID from 12.160.179.124 (VID length = 16):
      Peers 68.38.206.100<->12.160.179.124
      Unknown (0x9783b02d9a4133deff68362b7cca1e87)
    04/06/2005,14:37:46:ISAKMP-Debug: Received vendor ID from 12.160.179.124 (VID length = 8):
      Peers 68.38.206.100<->12.160.179.124
      Unknown (0x09002689dfd6b712)
    04/06/2005,14:37:46:ISAKMP-Debug: Received vendor ID from 12.160.179.124 (VID length = 16):
      Peers 68.38.206.100<->12.160.179.124
      draft-ietf-ipsec-nat-t-ike-03 (0x7d9419a65310ca6f2c179d9215529d56)
    !---IKE phase 1 proposal is selected.
    04/06/2005,14:37:46:ISAKMP-Informational: Selected NAT-T draft: draft-ietf-ipsec-nat-t-ike-03
      Peers 68.38.206.100<->12.160.179.124
    !---NAT device is not detected.
    04/06/2005,14:37:46:ISAKMP-Informational: No NAT device was detected:
      Peers 68.38.206.100<->12.160.179.124
    !---Finished IKE phase 1 with DPD enabled.
    04/06/2005,14:37:46:ISAKMP-Informational: Finished IKE phase 1 negotiation, creating ISAKMP SA:
      Peers 68.38.206.100<->12.160.179.124
      Icookie - 670cdf44a5fcdcbd, Rcookie - 624417309a4033de
      esp-aes, esp-md5-hmac, DH group 2, Lifetime 86400 seconds
      DPD enabled
    !---Start DPD keepalive
    04/06/2005,14:37:46:ISAKMP-Informational: Start DPD keepalive with peer 12.160.179.124:
      Interval - 10 seconds , Retry interval - 2 seconds , Mode - on-demand
      Peers 68.38.206.100<->12.160.179.124
    !--- Initiate IKE phase 2
    04/06/2005,14:37:46:ISAKMP-Informational: Initiating IKE phase 2 negotiation: SPD entry - 901_1
      Peers 68.38.206.100<->12.160.179.124
    !---Finished IKE phase 2 with transport mode, created outbound IPSEC SA.
    04/06/2005,14:37:46:ISAKMP-Informational: Finished IKE phase 2, creating outbound IPSEC SA:
      SPI 0x3b75fd57, Peers 68.38.206.100<->12.160.179.124
      Identities: 68.38.206.100/255.255.255.255->12.160.179.124/255.255.255.255
      esp-aes, esp-sha-hmac, 3600 seconds, 4608000 KB, PFS #2
      Transport mode
    !---Finished IKE phase 2 with transport mode, created inbound IPSEC SA.
    04/06/2005,14:37:46:ISAKMP-Informational: Finished IKE phase 2, creating inbound IPSEC SA:
      SPI 0x706a, Peers 12.160.179.124<->68.38.206.100
      Identities: 12.160.179.124/255.255.255.255->68.38.206.100/255.255.255.255
      esp-aes, esp-sha-hmac, 3600 seconds, 4608000 KB, PFS #2
      Transport mode


Enter the following commands on the Cisco Access Router to enable VPN debugging. Cisco1711#debug crypto isakmp Cisco1711#debug crypto ipsec The following screen shows sample annotated debug messages from the Cisco Access Router. !---Receive IKE phase 1 proposal and process it. *Mar 1 21:16:46.574: ISAKMP (0:0): received packet from 68.38.206.100 dport 500 sport 2070 Global (N) NEW SA *Mar 1 21:16:46.574: ISAKMP: local port 500, remote port 2070 *Mar 1 21:16:46.574: ISAKMP: insert sa successfully sa = 63D5CBA0 *Mar 1 21:16:46.574: ISAKMP (0:13): processing SA payload. message ID = 0 *Mar 1 21:16:46.574: ISAKMP (0:13): processing ID payload. message ID = 0 *Mar 1 21:16:46.574: ISAKMP (0:13): ID payload next-payload : 13 type : 1 address : 68.38.206.100 protocol : 0 port : 0 length : 12 *Mar 1 21:16:46.574: ISAKMP (0:13): peer matches *none* of the profiles *Mar 1 21:16:46.574: ISAKMP (0:13): processing vendor id payload *Mar 1 21:16:46.574: ISAKMP (0:13): vendor ID seems Unity/DPD but major 76 mism atch *Mar 1 21:16:46.574: ISAKMP (0:13): processing vendor id payload *Mar 1 21:16:46.574: ISAKMP (0:13): vendor ID is DPD !---pre-shared key found for the G250. *Mar 1 21:16:46.574: ISAKMP (0:13) local preshared key found *Mar 1 21:16:46.574: ISAKMP : Scanning profiles for xauth ... *Mar 1 21:16:46.574: ISAKMP (0:13): Checking ISAKMP transform 0 against priorit y 1 policy *Mar 1 21:16:46.574: ISAKMP: encryption AES-CBC *Mar 1 21:16:46.574: ISAKMP: hash MD5 *Mar 1 21:16:46.574: ISAKMP: auth pre-share *Mar 1 21:16:46.574: ISAKMP: default group 2 *Mar 1 21:16:46.574: ISAKMP: life type in seconds *Mar 1 21:16:46.574: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80 *Mar 1 21:16:46.574: ISAKMP: keylength of 128 !--- Attributes for IKE phase 1 offered by the G250-BRI are accepted. *Mar 1 21:16:46.574: ISAKMP (0:13): atts are acceptable. 
Next payload is 0 *Mar 1 21:16:46.598: ISAKMP (0:13): processing vendor id payload *Mar 1 21:16:46.598: ISAKMP (0:13): vendor ID seems Unity/DPD but major 76 mism atch *Mar 1 21:16:46.598: ISAKMP (0:13): processing vendor id payload *Mar 1 21:16:46.598: ISAKMP (0:13): vendor ID is DPD *Mar 1 21:16:46.598: ISAKMP (0:13): processing KE payload. message ID = 0 *Mar 1 21:16:46.626: ISAKMP (0:13): processing NONCE payload. message ID = 0 *Mar 1 21:16:46.626: ISAKMP (0:13): SKEYID state generated *Mar 1 21:16:46.626: ISAKMP (0:13): processing vendor id payload

Page 15: Configuring a Generic Routing Encapsulation (GRE) Tunnel ...

JZ; Reviewed: GAK 6/16/2005

Solution & Interoperability Test Lab Application Notes ©2005 Avaya Inc. All Rights Reserved.

15 of 21 G250-GRE-VPN.doc

*Mar 1 21:16:46.626: ISAKMP (0:13): vendor ID seems Unity/DPD but major 221 mis match *Mar 1 21:16:46.626: ISAKMP (0:13): processing vendor id payload *Mar 1 21:16:46.626: ISAKMP (0:13): vendor ID seems Unity/DPD but major 221 mis match *Mar 1 21:16:46.626: ISAKMP (0:13): processing vendor id payload *Mar 1 21:16:46.626: ISAKMP (0:13): vendor ID seems Unity/DPD but major 164 mis match *Mar 1 21:16:46.626: ISAKMP (0:13): processing vendor id payload *Mar 1 21:16:46.626: ISAKMP (0:13): vendor ID seems Unity/DPD but major 123 mis match *Mar 1 21:16:46.626: ISAKMP (0:13): vendor ID is NAT-T v2 *Mar 1 21:16:46.626: ISAKMP (0:13): processing vendor id payload *Mar 1 21:16:46.626: ISAKMP (0:13): vendor ID seems Unity/DPD but major 157 mis match *Mar 1 21:16:46.626: ISAKMP (0:13): vendor ID is NAT-T v3 *Mar 1 21:16:46.626: ISAKMP (0:13): processing vendor id payload *Mar 1 21:16:46.626: ISAKMP (0:13): vendor ID seems Unity/DPD but major 69 mism atch *Mar 1 21:16:46.626: ISAKMP (0:13): constructed NAT-T vendor-03 ID *Mar 1 21:16:46.626: ISAKMP (0:13): SA is doing pre-shared key authentication u sing id type ID_IPV4_ADDR *Mar 1 21:16:46.626: ISAKMP (0:13): ID payload next-payload : 10 type : 1 address : 12.160.179.124 protocol : 17 port : 0 length : 12 *Mar 1 21:16:46.630: ISAKMP (13): Total payload length: 12 *Mar 1 21:16:46.630: ISAKMP (0:13): sending packet to 68.38.206.100 my_port 500 peer_port 2070 (R) AG_INIT_EXCH *Mar 1 21:16:46.630: ISAKMP (0:13): Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH *Mar 1 21:16:46.630: ISAKMP (0:13): Old State = IKE_READY New State = IKE_R_AM 2 *Mar 1 21:16:46.914: ISAKMP (0:13): received packet from 68.38.206.100 dport 50 0 sport 2070 Global (R) AG_INIT_EXCH *Mar 1 21:16:46.914: ISAKMP (0:13): processing HASH payload. 
message ID = 0 *Mar 1 21:16:46.914: ISAKMP:received payload type 20 *Mar 1 21:16:46.914: ISAKMP:received payload type 20 *Mar 1 21:16:46.914: ISAKMP (0:13): SA authentication status: authenticated !--- Finished phase 1 negotiation *Mar 1 21:16:46.914: ISAKMP (0:13): SA has been authenticated with 68.38.206.100 *Mar 1 21:16:46.914: ISAKMP (0:13): IKE_DPD is enabled, initializing timers *Mar 1 21:16:46.914: ISAKMP: Created a peer struct for 68.38.206.100, peer port 2070 *Mar 1 21:16:46.914: ISAKMP: Locking peer struct 0x63D53780, IKE refcount 1 for from crypto_ikmp_dpd_ike_init *Mar 1 21:16:46.914: ISAKMP (0:13): peer matches *none* of the profiles *Mar 1 21:16:46.914: ISAKMP (0:13): Input = IKE_MESG_FROM_PEER, IKE_AM_EXCH *Mar 1 21:16:46.914: ISAKMP (0:13): Old State = IKE_R_AM2 New State = IKE_P1_C OMPLETE *Mar 1 21:16:46.914: ISAKMP (0:13): Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPL ETE *Mar 1 21:16:46.914: ISAKMP (0:13): Old State = IKE_P1_COMPLETE New State = IK E_P1_COMPLETE

Page 16: Configuring a Generic Routing Encapsulation (GRE) Tunnel ...

JZ; Reviewed: GAK 6/16/2005

Solution & Interoperability Test Lab Application Notes ©2005 Avaya Inc. All Rights Reserved.

16 of 21 G250-GRE-VPN.doc

*Mar 1 21:16:46.918: ISAKMP (0:13): received packet from 68.38.206.100 dport 50 0 sport 2070 Global (R) QM_IDLE *Mar 1 21:16:46.918: ISAKMP: set new node 330763419 to QM_IDLE *Mar 1 21:16:46.918: ISAKMP (0:13): processing HASH payload. message ID = 33076 3419 *Mar 1 21:16:46.918: ISAKMP (0:13): processing SA payload. message ID = 3307634 19 *Mar 1 21:16:46.918: ISAKMP (0:13): Checking IPSec proposal 1 *Mar 1 21:16:46.918: ISAKMP: transform 1, ESP_AES *Mar 1 21:16:46.918: ISAKMP: attributes in transform: *Mar 1 21:16:46.918: ISAKMP: SA life type in seconds *Mar 1 21:16:46.918: ISAKMP: SA life duration (basic) of 3600 *Mar 1 21:16:46.918: ISAKMP: SA life type in kilobytes *Mar 1 21:16:46.918: ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0 *Mar 1 21:16:46.918: ISAKMP: encaps is 2 (Transport) *Mar 1 21:16:46.918: ISAKMP: authenticator is HMAC-SHA *Mar 1 21:16:46.918: ISAKMP: group is 2 *Mar 1 21:16:46.918: ISAKMP: key length is 128 !--- Attributes for IKE phase 2 offered by the G250-BRI are accepted. *Mar 1 21:16:46.918: ISAKMP (0:13): atts are acceptable. *Mar 1 21:16:46.918: IPSEC(validate_proposal_request): proposal part #1, (key eng. msg.) INBOUND local= 12.160.179.124, remote= 68.38.206.100, local_proxy= 12.160.179.124/255.255.255.255/0/0 (type=1), remote_proxy= 68.38.206.100/255.255.255.255/0/0 (type=1), protocol= ESP, transform= esp-aes esp-sha-hmac (Transport), lifedur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x24 *Mar 1 21:16:46.918: IPSEC(kei_proxy): head = G250, map->ivrf = , kei->ivrf = *Mar 1 21:16:46.942: ISAKMP (0:13): processing NONCE payload. message ID = 3307 63419 *Mar 1 21:16:46.942: ISAKMP (0:13): processing KE payload. message ID = 3307634 19 *Mar 1 21:16:46.970: ISAKMP (0:13): processing ID payload. message ID = 3307634 19 *Mar 1 21:16:46.970: ISAKMP (0:13): processing ID payload. 
message ID = 3307634 19 *Mar 1 21:16:46.970: ISAKMP (0:13): asking for 1 spis from ipsec *Mar 1 21:16:46.970: ISAKMP (0:13): Node 330763419, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH *Mar 1 21:16:46.970: ISAKMP (0:13): Old State = IKE_QM_READY New State = IKE_Q M_SPI_STARVE *Mar 1 21:16:46.970: IPSEC(key_engine): got a queue event... *Mar 1 21:16:46.970: IPSEC(spi_response): getting spi 997588311 for SA from 12.160.179.124 to 68.38.206.100 for prot 3 *Mar 1 21:16:46.970: ISAKMP: received ke message (2/1) *Mar 1 21:16:47.222: ISAKMP: Locking peer struct 0x63D53780, IPSEC refcount 1 f or for stuff_ke !--- Finished phase 2. Create inbound and outbound IPSec SA *Mar 1 21:16:47.222: ISAKMP (0:13): Creating IPSec SAs *Mar 1 21:16:47.222: inbound SA from 68.38.206.100 to 12.160.179.124 (f /i) 0/ 0 (proxy 68.38.206.100 to 12.160.179.124) *Mar 1 21:16:47.222: has spi 0x3B75FD57 and conn_id 2000 and flags 25 *Mar 1 21:16:47.222: lifetime of 3600 seconds *Mar 1 21:16:47.222: lifetime of 4608000 kilobytes *Mar 1 21:16:47.222: has client flags 0x0 *Mar 1 21:16:47.222: outbound SA from 12.160.179.124 to 68.38.206.100 (f/i) 0/ 0 (proxy 12.160.179.124 to 68.38.206.100 )


*Mar 1 21:16:47.222:         has spi 28778 and conn_id 2001 and flags 2D
*Mar 1 21:16:47.222:         lifetime of 3600 seconds
*Mar 1 21:16:47.222:         lifetime of 4608000 kilobytes
*Mar 1 21:16:47.222:         has client flags 0x0
*Mar 1 21:16:47.222: ISAKMP (0:13): sending packet to 68.38.206.100 my_port 500 peer_port 2070 (R) QM_IDLE
*Mar 1 21:16:47.222: ISAKMP (0:13): Node 330763419, Input = IKE_MESG_FROM_IPSEC, IKE_SPI_REPLY
*Mar 1 21:16:47.222: ISAKMP (0:13): Old State = IKE_QM_SPI_STARVE  New State = IKE_QM_R_QM2
*Mar 1 21:16:47.222: IPSEC(key_engine): got a queue event...
*Mar 1 21:16:47.222: IPSEC(initialize_sas): ,
  (key eng. msg.) INBOUND local= 12.160.179.124, remote= 68.38.206.100,
    local_proxy= 12.160.179.124/0.0.0.0/0/0 (type=1),
    remote_proxy= 68.38.206.100/0.0.0.0/0/0 (type=1),
    protocol= ESP, transform= esp-aes esp-sha-hmac (Transport),
    lifedur= 3600s and 4608000kb,
    spi= 0x3B75FD57(997588311), conn_id= 2000, keysize= 128, flags= 0x25
*Mar 1 21:16:47.222: IPSEC(initialize_sas): ,
  (key eng. msg.) OUTBOUND local= 12.160.179.124, remote= 68.38.206.100,
    local_proxy= 12.160.179.124/0.0.0.0/0/0 (type=1),
    remote_proxy= 68.38.206.100/0.0.0.0/0/0 (type=1),
    protocol= ESP, transform= esp-aes esp-sha-hmac (Transport),
    lifedur= 3600s and 4608000kb,
    spi= 0x706A(28778), conn_id= 2001, keysize= 128, flags= 0x2D
*Mar 1 21:16:47.222: IPSEC(kei_proxy): head = G250, map->ivrf = , kei->ivrf =
*Mar 1 21:16:47.222: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and 68.38.206.100
*Mar 1 21:16:47.222: IPSEC(add mtree): src 12.160.179.124, dest 68.38.206.100, dest_port 0
*Mar 1 21:16:47.222: IPSEC(create_sa): sa created,
  (sa) sa_dest= 12.160.179.124,
    sa_prot= 50, sa_spi= 0x3B75FD57(997588311),
    sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 2000
*Mar 1 21:16:47.222: IPSEC(create_sa): sa created,
  (sa) sa_dest= 68.38.206.100,
    sa_prot= 50, sa_spi= 0x706A(28778),
    sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 2001
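The quick-mode exchange above ends with the Cisco router installing one inbound and one outbound ESP SA for the G250-BRI peer. The following Python script is an added example, not part of these Application Notes or of either vendor's software. It parses the IPSEC(initialize_sas) records from that debug output and checks them against the policy this document configures: ESP, esp-aes with a 128-bit key, esp-sha-hmac, transport mode, and proxy identities that are the two tunnel endpoints themselves rather than subnets behind them. The EXPECTED dictionary, the regular expression and the check function are this example's own assumptions; the sample records are copied from the debug output above.

```python
"""Verify the IKE quick-mode result in Cisco IOS 'debug crypto ipsec' output."""
import re

# Constructed sample: the two IPSEC(initialize_sas) records copied from the
# router debug output in this document.
SAMPLE_DEBUG = """\
*Mar 1 21:16:47.222: IPSEC(initialize_sas): ,
  (key eng. msg.) INBOUND local= 12.160.179.124, remote= 68.38.206.100,
    local_proxy= 12.160.179.124/0.0.0.0/0/0 (type=1),
    remote_proxy= 68.38.206.100/0.0.0.0/0/0 (type=1),
    protocol= ESP, transform= esp-aes esp-sha-hmac (Transport),
    lifedur= 3600s and 4608000kb,
    spi= 0x3B75FD57(997588311), conn_id= 2000, keysize= 128, flags= 0x25
*Mar 1 21:16:47.222: IPSEC(initialize_sas): ,
  (key eng. msg.) OUTBOUND local= 12.160.179.124, remote= 68.38.206.100,
    local_proxy= 12.160.179.124/0.0.0.0/0/0 (type=1),
    remote_proxy= 68.38.206.100/0.0.0.0/0/0 (type=1),
    protocol= ESP, transform= esp-aes esp-sha-hmac (Transport),
    lifedur= 3600s and 4608000kb,
    spi= 0x706A(28778), conn_id= 2001, keysize= 128, flags= 0x2D
"""

# Assumed policy for this check: what the document configures for the GRE tunnel.
EXPECTED = {"protocol": "ESP", "transform": "esp-aes esp-sha-hmac",
            "mode": "Transport", "keysize": 128}

# One IPSEC(initialize_sas) record; fields appear in this order in the IOS output above.
RECORD_RE = re.compile(
    r"IPSEC\(initialize_sas\):.*?\(key eng\. msg\.\)\s+(?P<dir>INBOUND|OUTBOUND)\s+"
    r"local=\s*(?P<local>[\d.]+),\s*remote=\s*(?P<remote>[\d.]+),.*?"
    r"local_proxy=\s*(?P<lproxy>[\d.]+)/[\d.]+/\d+/\d+.*?"
    r"remote_proxy=\s*(?P<rproxy>[\d.]+)/[\d.]+/\d+/\d+.*?"
    r"protocol=\s*(?P<proto>\w+),\s*transform=\s*(?P<transform>[\w\- ]+?)\s*\((?P<mode>\w+)\).*?"
    r"lifedur=\s*(?P<secs>\d+)s and (?P<kb>\d+)kb.*?"
    r"spi=\s*0x(?P<spi>[0-9A-Fa-f]+)\((?P<spi_dec>\d+)\).*?"
    r"keysize=\s*(?P<keysize>\d+)",
    re.DOTALL)


def parse_sas(debug_text):
    """One dict per IPSEC(initialize_sas) record found in the debug text."""
    sas = []
    for m in RECORD_RE.finditer(debug_text):
        d = m.groupdict()
        sas.append({"dir": d["dir"], "local": d["local"], "remote": d["remote"],
                    "local_proxy": d["lproxy"], "remote_proxy": d["rproxy"],
                    "protocol": d["proto"], "transform": d["transform"], "mode": d["mode"],
                    "life_s": int(d["secs"]), "life_kb": int(d["kb"]),
                    "spi": int(d["spi"], 16), "spi_dec": int(d["spi_dec"]),
                    "keysize": int(d["keysize"])})
    return sas


def check_sa_pair(sas, expected=EXPECTED):
    """Problems with the installed SA pair; an empty list means it matches policy."""
    problems = []
    by_dir = {sa["dir"]: sa for sa in sas}
    if len(sas) != 2 or set(by_dir) != {"INBOUND", "OUTBOUND"}:
        return [f"expected one INBOUND and one OUTBOUND SA, got {[s['dir'] for s in sas]}"]
    for sa in sas:
        tag = sa["dir"]
        for key in ("protocol", "transform", "mode", "keysize"):
            if sa[key] != expected[key]:
                problems.append(f"{tag}: {key} is {sa[key]!r}, expected {expected[key]!r}")
        # Transport mode protects the GRE packets exchanged between the two tunnel
        # endpoints themselves, so each proxy identity must be an endpoint address,
        # not a subnet behind it (a subnet here would mean a crypto ACL wider than GRE).
        if sa["local_proxy"] != sa["local"] or sa["remote_proxy"] != sa["remote"]:
            problems.append(f"{tag}: proxy identities are not the tunnel endpoints")
        if sa["spi"] == 0 or sa["spi"] != sa["spi_dec"]:
            problems.append(f"{tag}: SPI {sa['spi']:#x} is zero or inconsistent")
        if sa["life_s"] == 0 and sa["life_kb"] == 0:
            problems.append(f"{tag}: SA has no lifetime")
    if by_dir["INBOUND"]["spi"] == by_dir["OUTBOUND"]["spi"]:
        problems.append("inbound and outbound SAs share one SPI")
    return problems


if __name__ == "__main__":
    for line in check_sa_pair(parse_sas(SAMPLE_DEBUG)) or ["SA pair matches policy"]:
        print(line)
```

Run it against a saved copy of the router's debug output, or paste additional records into SAMPLE_DEBUG; a non-empty list names the attribute that differs from the policy, which is the fastest way to spot a peer that negotiated tunnel mode or a wider proxy than the two GRE endpoints.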


4.2 Verify GRE Tunnel and OSPF Routing

Use the command show interfaces tunnel on the G250-BRI Media Gateway to verify that the GRE tunnel interface is up. If the GRE tunnel interface is not up, verify that the IPSec tunnel is up as described in Section 4.1.

G250-BRI-001(super)# show interfaces Tunnel 1
Tunnel 1 is up, line protocol is up
  Internet address is 10.10.11.1, mask is 255.255.255.252
  MTU 1422 bytes. Bandwidth 9 kbit
  Reliability 255/255 txLoad 148/255 rxLoad 11/255
  Encapsulation GRE
  Link status trap enabled
  Keepalive not set
  Tunnel source 68.38.206.100, destination 12.160.179.124
  Tunnel protocol/transport GRE/IP, key disabled
  Checksumming of packets disabled
  Tunnel TTL 255
  Last input 00:00:01, Last output 00:00:00
  Last clearing of 'show interface' counters never
  5 minute input rate 363 bits/sec, 0 packets/sec
  5 minute output rate 5233 bits/sec, 8 packets/sec
  0 input drops, 1 output drops, 0 unknown protocols
  11421 packets input, 1072048 bytes
  0 broadcasts received, 0 giants
  0 input errors, 0 CRC
  214074 packets output, 15935107 bytes
  0 output errors, 0 collisions

Use the command show ip route on the Avaya G250-BRI Media Gateway to verify that routing entries are learned through the OSPF routing protocol.

G250-BRI-001(super)# show ip route
Showing 11 rows
Network         Mask Interface           Next-Hop            Cost  TTL Source
--------------- ---- ------------------- ------------------- ----- --- ---------
0.0.0.0         0    Serial 2/1:1        68.38.206.1         1     n/a STAT-LO
10.4.4.0        24   Tunnel 1            10.10.11.2          11113 n/a OSPF
10.10.11.0      30   Tunnel 1            10.10.11.1          1     n/a LOCAL
68.38.206.0     24   Serial 2/1:1        68.38.206.100       1     n/a LOCAL
68.38.206.1     32   Serial 2/1:1        68.38.206.100       1     n/a LOCAL
192.168.87.0    24   Tunnel 1            10.10.11.2          11113 n/a OSPF
192.168.88.0    24   Tunnel 1            10.10.11.2          11113 n/a OSPF
192.168.89.0    24   Tunnel 1            10.10.11.2          11113 n/a OSPF
192.168.200.0   24   Tunnel 1            10.10.11.2          11112 n/a OSPF
192.168.202.0   24   Vlan 202            192.168.202.1       1     n/a LOCAL
192.168.203.0   24   Vlan 203            192.168.203.1       1     n/a LOCAL


Use the command show interfaces tunnel on the Cisco Access Router to verify that the tunnel interface is up. If the tunnel interface is not up, verify that the IPSec tunnel is up as described in Section 4.1.

C3745#show interfaces tunnel 1
Tunnel1 is up, line protocol is up
  Hardware is Tunnel
  Internet address is 10.10.11.2/30
  MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,
     reliability 255/255, txload 1/255, rxload 113/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source 12.160.179.124 (Serial0/0), destination 68.38.206.100
  Tunnel protocol/transport GRE/IP, key disabled, sequencing disabled
  Tunnel TTL 255
  Checksumming of packets disabled, fast tunneling enabled
  Last input 00:00:00, output 00:00:08, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 160
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 4000 bits/sec, 7 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     656387 packets input, 48599764 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     46393 packets output, 4260844 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out

Note that the two ends report different tunnel MTUs (1422 bytes on the G250-BRI, 1514 bytes on the Cisco router). The GRE header and the ESP transport-mode headers are added on top of the tunnel payload, so the tunnel MTU values are worth keeping in mind when large packets fail to cross the tunnel even though the OSPF adjacency forms.

Use the command show ip route on the Cisco Access Router to verify that routing entries are learned through the OSPF routing protocol.

C3745#show ip route
Gateway of last resort is 12.160.179.1 to network 0.0.0.0

S    192.168.89.0/24 [1/0] via 192.168.200.2
S    192.168.88.0/24 [1/0] via 192.168.200.2
C    192.168.128.0/24 is directly connected, FastEthernet1/1
C    192.168.200.0/24 is directly connected, FastEthernet0/0
O    192.168.202.0/24 [110/11112] via 10.10.11.1, 02:38:03, Tunnel1
     10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
O       10.4.4.0/24 [110/2] via 192.168.200.2, 02:38:03, FastEthernet0/0
C       10.10.11.0/30 is directly connected, Tunnel1
O    192.168.203.0/24 [110/11112] via 10.10.11.1, 02:38:03, Tunnel1
     12.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C       12.160.179.1/32 is directly connected, Serial0/0
C       12.160.179.0/24 is directly connected, Serial0/0
S    192.168.87.0/24 [1/0] via 192.168.200.2
S*   0.0.0.0/0 [1/0] via 12.160.179.1


5 Conclusion

As illustrated by these Application Notes, a GRE tunnel over an IPSec VPN can be configured so that the OSPF routing protocol can be used between an Avaya G250-BRI Media Gateway and a Cisco Access Router. The IPSec VPN is configured in transport mode for the GRE tunnel between the two devices: GRE carries the OSPF packets, which IPSec alone cannot transport, as unicast IP between the tunnel endpoints, and the transport-mode ESP SA protects that GRE traffic without adding a second outer IP header.

6 Additional References

The following Application Notes can be found at http://www.avaya.com.

[1] Configuring Avaya Communication Manager with Inter-Gateway Alternate Routing (IGAR) and Call Administration Control-Bandwidth Limit (CAC-BL) Features


©2005 Avaya Inc. All Rights Reserved. Avaya and the Avaya Logo are trademarks of Avaya Inc. All trademarks identified by ® and ™ are registered trademarks or trademarks, respectively, of Avaya Inc. All other trademarks are the property of their respective owners. The information provided in these Application Notes is subject to change without notice. The configurations, technical data, and recommendations provided in these Application Notes are believed to be accurate and dependable, but are presented without express or implied warranty. Users are responsible for their application of any products specified in these Application Notes. Please e-mail any questions or comments pertaining to these Application Notes along with the full title name and filename, located in the lower right corner, directly to the Avaya Solution & Interoperability Test Lab at [email protected]