IPSec Virtual Private Network (VPN) between an Avaya G450 Media Gateway and a Cisco PIX 515 Firewall - Issue 1.0
Abstract
These Application Notes present a sample configuration for an IPSec Virtual Private Network (VPN) between an Avaya G450 Media Gateway and a Cisco PIX 515 Firewall over a Frame Relay Wide Area Network (WAN). The Avaya G450 Media Gateway is controlled by an Avaya S8500 Server. The sample configuration uses the Internet Key Exchange (IKE) protocol to establish a secure Internet Security Association and Key Management Protocol (ISAKMP) control channel between the Avaya G450 Media Gateway and the Cisco PIX 515. Advanced Encryption Standard (AES) encryption and Perfect Forward Secrecy (PFS) are also provisioned.
9.5. Verify IKE Negotiations using Cisco PIX 515 Firewall Debug Traces
9.6. Verify IKE Negotiations using G450 Gateway Syslog
9.7. Verify Security Associations (SAs) on the Cisco PIX 515 Firewall
9.8. Verify Security Associations (SAs) on the G450 Gateway
9.9. Verify the Avaya G450 Media Gateway Registration Status
9.10. Place Test Calls
10. VPN Troubleshooting
10.1. Clearing Avaya G450 Media Gateway SAs
10.2. Capturing IPSEC Data on the Avaya G450 Media Gateway
1. Introduction

These Application Notes describe a site-to-site IPSec Virtual Private Network (VPN) between an Avaya G450 Media Gateway and a Cisco PIX 515 Firewall (Figure 1). The sample configuration uses an IPSec VPN to secure communications between a Branch office containing Avaya IP Telephones (SIP and H.323) and an Avaya G450 Media Gateway, and the Main office containing an Avaya S8500C Server, Avaya G650 Media Gateway, Avaya SIP Enablement Services (SES) and Avaya IP Telephones (SIP and H.323). The Main office uses a Cisco PIX 515 Firewall to terminate the VPN. The Branch and Main offices are connected via a Frame Relay Wide Area Network (WAN) utilizing T1 circuits. A Cisco 2811 router is used in the reference configuration to simulate the WAN network and provide Frame Relay switching between the offices.

Note – These Application Notes describe the provisioning of the sample configuration as it applies to configuring an IPSec VPN tunnel between the Avaya G450 Media Gateway and the Cisco PIX 515 Firewall. Provisioning of the sample configuration infrastructure is not covered.
The sample configuration uses the Internet Key Exchange (IKE) protocol to establish a secure Internet Security Association and Key Management Protocol (ISAKMP) control channel between two peers; the Avaya G450 Media Gateway and the Cisco PIX 515.
ISAKMP defines procedures and packet formats to establish, negotiate, modify and delete Security Associations (SA). SAs contain all the information required for execution of various network security services. ISAKMP defines payloads for exchanging key generation and authentication data. These formats provide a consistent framework for transferring key and authentication data which is independent of the key generation technique, encryption algorithm and authentication mechanism. There may be many different key exchange protocols, each with different security properties. However, a common framework is required for agreeing to the format of SA attributes, and for negotiating, modifying, and deleting SAs. ISAKMP serves as this common framework.
IKE establishes an ISAKMP SA by negotiating proposals in an exchange known as Phase 1 (Main Mode). In order to successfully establish an ISAKMP SA, both peers must agree to a common set of security attributes contained within the Phase 1 proposal.
1. ISAKMP Phase One (Main Mode, MM)
a. Negotiate and establish an ISAKMP SA, a secure communication channel for further IKE communication. The two systems perform a Diffie-Hellman exchange (each party sends a public value and both derive the same shared secret without that secret ever crossing the wire). The shared secret is the base for a symmetric key, and all further IKE communication is encrypted with that key.
b. Verify the remote system’s identity (primary authentication)
The following ISAKMP security attributes are administered on both peers in the sample configuration (see Sections 3.6 and 6.3).
• ISAKMP (Phase 1) proposal:
  o Encryption Algorithm: 3DES
  o Hash Algorithm: SHA
  o Lifetime (seconds): 86400
  o Diffie-Hellman Group: 2

Note – 3DES and Diffie-Hellman group 2 (1024-bit MODP) are the values used in this sample configuration. Current guidance treats both as weak; a new deployment should select AES and a larger Diffie-Hellman group where both peers support them.
Once an ISAKMP SA is established, both peers can negotiate IPSec security attributes necessary to establish IPSec SAs. The IKE protocol does this in a second proposal exchange known as Phase 2 (or Quick Mode).
2. ISAKMP Phase Two (Quick Mode, QM)
a. Using the secure communication channel provided by the ISAKMP/MM SA, negotiate one or more SAs for IPSec transforms (AH or ESP). A Phase Two negotiation typically negotiates two SAs for an IPSec transform: one for inbound and one for outbound traffic.
The following IPSec security attributes were administered on both peers in the sample configuration (see Sections 3.6 and 6.3).
• IPSec (Phase 2) proposal:
  o Encryption Algorithm: AES-ESP
  o Hash Algorithm: HMAC-SHA-ESP
  o Security Association Lifetime (seconds): 3600
  o Perfect Forward Secrecy: Enabled
  o Diffie-Hellman Group: 2
The IP Encapsulating Security Payload (ESP) protocol is used to secure traffic in the sample configuration because of the added confidentiality protection it provides. The sample configuration uses the Advanced Encryption Standard with a 128-bit key (AES-128) to protect communications between the Branch office and the Main office.

Perfect Forward Secrecy (PFS) was also enabled on the VPN. PFS provides additional protection by deriving each new set of IPSec keys from a fresh Diffie-Hellman key agreement in Phase 2, rather than from the Phase 1 keying material. If one key on a given tunnel is compromised, previous and subsequent keys remain secure because none of them is derived from another.

During periods of congestion in the Wide Area Network (WAN) it is possible that IPSec packets are queued such that they arrive at the G450 Media Gateway out of sequence. On a device that supports only a very small anti-replay window, the result is dropped ESP packets and the loss of all data contained within them. To counteract this problem, the Avaya G450 Media Gateway implements a large 1K anti-replay window in order to sustain data forwarding and avoid potential data loss even when IPSec packets arrive severely out of sequence.
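The anti-replay behaviour described above, as an added example that is not part of the Application Notes: a sliding-window check in the style of RFC 4303 section 3.4.3, run with a 64-packet window and a 1024-packet window against a constructed stream in which one packet arrives 200 positions late. The window sizes and the delay are assumptions chosen for the illustration; the text attributes the 1K window to the G450 but does not describe its internals.

```python
# Added example (not from the Application Notes): an ESP-style anti-replay
# window after RFC 4303 section 3.4.3, used to show why the window size
# decides whether a badly reordered packet survives. The 64 and 1024 window
# sizes and the 200-packet delay are assumptions for the illustration.

class AntiReplayWindow:
    """Tracks the highest ESP sequence number seen and a bitmap of the
    `size` most recent sequence numbers (bit i set means top - i arrived).
    Extended sequence numbers and 32-bit wrap-around are out of scope."""

    def __init__(self, size=64):
        if size < 32:                      # RFC 4303 requires at least 32
            raise ValueError("window size must be at least 32")
        self.size = size
        self.top = 0
        self.bitmap = 0
        self.accepted = 0
        self.dropped_stale = 0             # older than the window covers
        self.dropped_replay = 0            # already seen (or sequence 0)

    def check_and_update(self, seq):
        """Accept and record a verified packet; reject stale or replayed ones."""
        if seq == 0:                       # a conforming sender never emits 0
            self.dropped_replay += 1
            return False
        if seq > self.top:                 # newer than anything seen: slide
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1
            else:
                mask = (1 << self.size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.top = seq
            self.accepted += 1
            return True
        offset = self.top - seq
        if offset >= self.size:            # left of the window: the receiver
            self.dropped_stale += 1        # cannot tell late from replayed
            return False
        if self.bitmap & (1 << offset):    # inside the window but already seen
            self.dropped_replay += 1
            return False
        self.bitmap |= 1 << offset         # late but genuinely new
        self.accepted += 1
        return True


def delayed_stream(total, delayed_seq, delay):
    """Constructed arrival order: sequence numbers 1..total in order, except
    `delayed_seq`, which a congested WAN queue delivers `delay` packets late."""
    order = [s for s in range(1, total + 1) if s != delayed_seq]
    order.insert(delayed_seq - 1 + delay, delayed_seq)
    return order


def deliver(window_size, arrival_order):
    window = AntiReplayWindow(window_size)
    verdicts = [window.check_and_update(seq) for seq in arrival_order]
    return window, verdicts


def simulate(window_size, total=2000, delayed_seq=500, delay=200):
    """Counters after one packet in a 2000-packet stream arrives 200 late."""
    window, _ = deliver(window_size, delayed_stream(total, delayed_seq, delay))
    return {"window": window_size, "accepted": window.accepted,
            "dropped_stale": window.dropped_stale,
            "dropped_replay": window.dropped_replay}


if __name__ == "__main__":
    for size in (64, 1024):
        print(simulate(size))
```

With the 64-packet window the late packet is 200 positions behind the newest one and is dropped as stale; with the 1024-packet window it lands inside the bitmap, has not been seen, and is accepted. A genuine duplicate inside the window is still rejected at either size, so the larger window buys tolerance to reordering without weakening replay protection.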
3. Configure the Avaya G450 Media Gateway

The following steps use the Avaya G450 Media Gateway command line interface (CLI). Refer to [1] for more information. Parameter values shown are specific to the sample configuration shown in Figure 1.

3.1. Ethernet Interface Configuration

This section defines the Ethernet interface for the Avaya G450 Media Gateway as well as the address of Avaya Communication Manager in the Main office for registration purposes.
1. Configure an Ethernet interface for the Voice domain on the Avaya G450 Media Gateway.
   a. interface vlan 2
      Creates the interface Vlan2.
   b. ip address 73.73.73.2 255.255.255.0
      Sets the network IP address and mask for the Avaya G450 Media Gateway.
   c. pmi
      Sets the Primary Management Interface.
   d. exit
2. Configure the Media Gateway Controller (MGC) list. This list specifies the IP address of the C-LAN board located in the Avaya G650 Media Gateway at the Main office. The Avaya G450 Media Gateway will register to this address.
   a. set mgc list 50.50.50.100
   b. exit

interface Vlan 2
 icc-vlan
 ip address 73.73.73.2 255.255.255.0
 pmi
exit
set mgc list 50.50.50.100
set mediaserver 50.50.50.100 50.50.50.100 23 telnet
set mediaserver 50.50.50.100 50.50.50.100 5023 sat
Figure 2 – Avaya G450 Media Gateway IP Interface Configuration
3.2. WAN Interface Configuration

The following commands configure the MM340 WAN module as a T1 Frame Relay interface. In the sample configuration, the MM340 WAN module is located in slot 8 of the Avaya G450 Media Gateway.

1. Configure the MM340 module as a T1 interface.
   a. ds-mode t1
2. Configure the T1 controller.
   a. controller t1 8/1
   b. linecode b8zs
   c. framing esf
   d. channel-group 1 timeslots 1-24 speed 64
   e. clock source line (default)
   f. exit
Figure 3 – Avaya G450 Media Gateway WAN Interface Configuration
3.3. Access Control List Configuration (optional)

An Access Control List (ACL) can be specified to permit trusted traffic only. The sample configuration will work with or without the inbound ACL in place. However, it is recommended that an ACL be implemented on all public-facing interfaces in order to limit external access.

Note – Rule restrictions should be based on individual network security requirements. The rules specified below should be viewed as examples and not as a security template.

The following ACL rules are defined in the sample configuration:
• Rule 1 - Allow ICMP messages to reach the Avaya G450 Media Gateway local address from any source, for Path MTU Discovery (PMTUD). PMTUD is a technique for determining the maximum transmission unit size on the network path between two IP hosts in order to avoid IP fragmentation.
• Rule 2 - Permit IKE protocol (UDP port 500) message exchanges from the peer to the Avaya G450 Media Gateway local address.
• Rule 3 - Permit ESP protocol traffic from the peer to the Avaya G450 Media Gateway local address.
• Rule 4 - Permit any traffic between trusted voice networks.
• Rule Default - Deny any other traffic flows which do not match the ACL criteria.
1. Configure ACL 301.
   a. ip access-control-list 301
   b. name "Permit VPN Traffic Only"
2. Create the ACL rules.
   a. ip-rule 1
      i. ip-protocol icmp
      ii. destination-ip host 30.30.30.2
          IP address of the Avaya G450 Media Gateway Frame Relay sub-interface (see Section 3.4), i.e. the local address referenced by Rule 1. The Cisco 3825 router's Frame Relay interface at the Main office is 30.30.30.1.
      iii. exit
3.4. Frame Relay Sub-Interface Configuration

The following commands configure the Serial sub-interface for the Frame Relay circuit to the Cisco 3825 router in the Main office (see Section 4.3).

1. Configure the Serial sub-interface.
   a. interface Serial 8/1:1.1 point-to-point
   b. description "To_2811_WAN_Router"
   c. ip access-group 301 in
      Value 301 is defined in Section 3.3 Step 1.
   d. frame-relay interface-dlci 101 ietf
      The DLCI value must match the Cisco 3825 (see Section 4.3) as well as the Cisco 2811 (see Section 5.2).
   e. ip address 30.30.30.2 255.255.255.0
   f. exit

interface Serial 8/1:1.1 point-to-point
 description "To_Frame_Relay_Switch"
 ip access-group 301 in
 frame-relay interface-dlci 101 ietf
 ip address 30.30.30.2 255.255.255.0
exit

Figure 5 – Avaya G450 Media Gateway Frame Relay Configuration
3.5. IP Routing Configuration

Routing information must be provided to reach the Main office Voice IP domain (50.50.50.0). In the sample configuration, static routing is used.

1. Configure the default route for the Avaya G450 Media Gateway. The address specified is the IP address of the Frame Relay interface of the Cisco 3825 router in the Main office.
   a. ip route 0.0.0.0 0.0.0.0 30.30.30.1
3.6. Virtual Private Network (VPN) Configuration

Note: A valid VPN license must be installed on the Avaya G450 to enable these features. See [1] for more information.

Note: The ISAKMP policy attributes must be configured identically on both the Avaya G450 and the Cisco PIX 515 Firewall (see Section 6.3).

1. Configure an ISAKMP Phase 1 policy.
   a. crypto isakmp policy 1
      i. description "G450 Policy1"
      ii. encryption 3des
      iii. hash sha
      iv. group 2
      v. authentication pre-share
      vi. lifetime 86400
          86400 seconds (24 hours) is the default value and need not be specified.
Figure 9 – Avaya G450 Media Gateway Crypto-list Configuration
6. Assign a crypto-group to the Serial sub-interface defined in Section 3.4. The crypto-group specifies the crypto-list defined in Step 5 above.
   a. interface Serial 8/1:1.1 point-to-point
      i. ip crypto-group 901
         Defined in Step 5 above.
      ii. exit

interface Serial 8/1:1.1 point-to-point
 description "To_Frame_Relay_Switch"
 ip access-group 301 in
 ip crypto-group 901
 frame-relay interface-dlci 101 ietf
 ip address 30.30.30.2 255.255.255.0
exit
Figure 10 – Avaya G450 Media Gateway Crypto-group Configuration
7. Enter the command copy run start to save the configuration on the Avaya G450 Media Gateway.
4. Configure the Cisco 3825 Router

As described in Section 1, the 3825 router connects the Main office to the WAN and terminates the Frame Relay connection to the Branch office. The serial interfaces are configured as DTE. The following commands were entered via the Cisco CLI from the enable/config t access prompt. See [8] for more information.

4.1. Ethernet Interface Configuration

Configure the Ethernet interface connected to the Cisco PIX Firewall.

1. Configure the Ethernet interface.
   a. interface FastEthernet 2/0
      i. description To_PIX
      ii. ip address 1.1.1.1 255.255.255.252
      iii. duplex full
      iv. speed 100
      v. no shutdown
      vi. exit

interface FastEthernet2/0
 description To_PIX
 ip address 1.1.1.1 255.255.255.252
 duplex full
 speed 100
Figure 11 – Cisco 3825 Router IP Interface Configuration
4.2. Serial Interface Configuration

Configure the Serial interface connected to the Cisco 2811 WAN router.

1. Configure the Serial interface.
   a. interface serial 1/0/0
      i. description To_WAN_2811
      ii. encapsulation frame-relay IETF
      iii. service-module t1 timeslots 1-24 speed 64
      iv. service-module t1 framing esf
          This is the default value.
      v. service-module t1 linecode b8zs
          This is the default value.
      vi. service-module t1 clock source line
          This is the default value.
      vii. frame-relay lmi-type ansi
          This is the default value.
      viii. frame-relay intf-type dte
          This is the default value.
      ix. no shutdown
      x. exit

interface Serial1/0/0
 description To_WAN_2811
 no ip address
 encapsulation frame-relay IETF
 service-module t1 timeslots 1-24 speed 64
 frame-relay lmi-type ansi
Figure 12 – Cisco 3825 Router Serial Interface Configuration
4.3. Serial Sub-Interface Configuration

Configure the Serial sub-interface for the Frame Relay circuit to the Avaya G450 Media Gateway (see Section 3.4).

1. Configure the Serial sub-interface.
   a. interface serial 1/0/0.1 point-to-point
      i. description Frame_Relay_To_G450
      ii. ip address 30.30.30.1 255.255.255.0
      iii. frame-relay interface-dlci 101 ietf
           This DLCI value must match the Avaya G450 Media Gateway (see Section 3.4) as well as the Cisco 2811 WAN router (see Section 5.2).
Figure 13 – Cisco 3825 Router Serial Sub-Interface Configuration
4.4. IP Routing Configuration

Routing information must be provided to reach the Main office Voice IP domain (50.50.50.0) and the Branch office Voice IP domain (73.73.73.0). In the sample configuration, static routing is used.

1. Add static routes.
   a. ip route 50.50.50.0 255.255.255.0 1.1.1.2
      To reach the Main office, route to the Cisco PIX 515 Firewall outside interface.
   b. ip route 73.73.73.0 255.255.255.0 30.30.30.2
      To reach the Branch office, route to the Avaya G450 Media Gateway Serial interface.
   c. exit

ip route 50.50.50.0 255.255.255.0 1.1.1.2
ip route 73.73.73.0 255.255.255.0 30.30.30.2
5. Configure the Cisco 2811 Router

As described in Section 1, the Cisco 2811 router simulates a Frame Relay WAN. The Cisco 2811 connects the Main office Cisco 3825 edge router to the Avaya G450 Media Gateway in the Branch office. The Cisco 2811 serial interfaces are configured as DCE. The following commands were entered via the Cisco CLI from the enable/config t access prompt. See [8] for more information.

5.1. Enable Frame Relay Switching

1. Enable Frame Relay switching on the 2811 router.
   a. frame-relay switching

5.2. Serial Interface Configuration

1. Configure the Serial interface to the Avaya G450 Media Gateway.
   a. interface Serial0/2/0
      i. description To_G450
      ii. no ip address
      iii. encapsulation frame-relay IETF
      iv. frame-relay lmi-type ansi
      v. frame-relay intf-type dce
      vi. frame-relay route 101 interface Serial0/3/0 101
          This DLCI value must match the Avaya G450 Media Gateway (see Section 3.4).
2. Configure the Serial interface to the Cisco 3825 edge router.
   a. interface Serial0/3/0
      i. description To_HDQ_3825
      ii. no ip address
      iii. encapsulation frame-relay IETF
      iv. frame-relay lmi-type ansi
      v. frame-relay intf-type dce
      vi. frame-relay route 101 interface Serial0/2/0 101
          This DLCI value must match the Cisco 3825 edge router (see Section 4.3).
6. Configure the Cisco PIX 515 Firewall

As described in Section 1, the Cisco PIX 515 Firewall connects the Main office to the Cisco 3825 edge router. It provides access security between the secure inside Main office Voice IP domain (50.50.50.0) and any unsecure outside domains. The Cisco PIX 515 Firewall also terminates the IPSec VPN tunnel from the Avaya G450 Media Gateway in the Branch office. The following commands were entered via the Cisco CLI from the enable/config t access prompt. See [6] and [7] for more information.

6.1. Inside and Outside Interface Configuration

Configure the Ethernet interfaces connected to the Main office Voice IP domain (secure) and to the Cisco 3825 edge router (unsecure).

1. Configure the Ethernet interfaces.
   a. ip address inside 50.50.50.1 255.255.255.0
   b. ip address outside 1.1.1.2 255.255.255.252
   c. interface ethernet0 auto
   d. interface ethernet1 auto

ip address inside 50.50.50.1 255.255.255.0
ip address outside 1.1.1.2 255.255.255.252
interface ethernet0 auto
interface ethernet1 auto

6.2. IP Routing Configuration

Routing information must be provided for the Main office Voice IP domain (50.50.50.0) to reach the Branch office Voice IP domain (73.73.73.0). In the sample configuration, static routing is used.

1. Add a static route.
   a. route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
      To reach the Branch office, route to the Cisco 3825 router.
6.3. Virtual Private Network (VPN) Configuration

Note: The ISAKMP policy attributes must be configured identically on both the Avaya G450 and the Cisco PIX 515 Firewall (see Section 3.6).

1. Configure access-lists to prevent NATing of VPN traffic by the Cisco PIX 515 Firewall.
   a. access-list novpnnat permit ip 50.50.50.0 255.255.255.0 73.73.73.0 255.255.255.0
      "novpnnat" is a name assigned to the access-list.
   b. nat (inside) 0 access-list novpnnat
      Disables NAT for access-list novpnnat.

Configure ISAKMP (Phase 1).
   a. isakmp enable outside
   b. isakmp key <key string> address 30.30.30.2 netmask 255.255.255.255
      Once entered, the key will be displayed as "******" on the CLI. The same pre-shared key must be administered on the Avaya G450 for this peer, since both policies use pre-shared key authentication.
   c. isakmp identity address
   d. isakmp policy 1 authentication pre-share
   e. isakmp policy 1 encryption 3des
   f. isakmp policy 1 hash sha
   g. isakmp policy 1 group 2
   h. isakmp policy 1 lifetime 86400
4. Configure access-lists that define the VPN traffic between the Main office and the Branch office.
   a. access-list 101 permit ip 50.50.50.0 255.255.255.0 73.73.73.0 255.255.255.0
“HighAES” is a name assigned to the transform-set.
6. Configure crypto-maps (Phase 2).
   a. crypto map BranchVPN 1 ipsec-isakmp
   b. crypto map BranchVPN 1 match address 101
   c. crypto map BranchVPN 1 set pfs group2
   d. crypto map BranchVPN 1 set peer 30.30.30.2
   e. crypto map BranchVPN 1 set transform-set HighAES
   f. crypto map BranchVPN 1 set security-association lifetime seconds 3600
   g. crypto map BranchVPN interface outside
      The crypto map is bound to the interface by name; the sequence number applies to the individual entries above, not to the interface binding.
7. Configure the Cisco PIX 515 Firewall to permit any packet from the IPSec tunnel.
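Sections 3.6 and 6.3 both require the ISAKMP Phase 1 attributes to be identical on the two peers, and the two platforms express them in different CLI shapes. The following added example (not from the Application Notes) parses the G450 block-style policy and the PIX flat-style policy, normalises both and reports any attribute that differs; it also flags values that current guidance treats as weak. The configuration text inside it is constructed from the commands shown on this page, the AES variant is a constructed mismatch, and the weak-value table is this editor's assumption, not anything the Application Notes state.

```python
# Added example (not from the Application Notes): parse the ISAKMP Phase 1
# policy from the G450 block-style CLI and from the PIX flat-style CLI,
# normalise both, and report attributes that differ. The config text below is
# constructed from the commands shown in Sections 3.6 and 6.3; the WEAK table
# encodes current guidance, not anything the Application Notes state.
import re

ATTRS = ("encryption", "hash", "group", "authentication", "lifetime")

# Section 3.6 states 86400 s is the G450 default and need not be typed.
G450_DEFAULTS = {"lifetime": "86400"}

# Values a reviewer would flag today; 3DES (64-bit block) and DH group 2
# (1024-bit MODP) are the ones this sample configuration uses. Assumption.
WEAK = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2", "5"}}

G450_CONFIG = """\
crypto isakmp policy 1
 description "G450 Policy1"
 encryption 3des
 hash sha
 group 2
 authentication pre-share
exit
"""

PIX_CONFIG = """\
isakmp enable outside
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
"""

# Constructed variant: the PIX side was moved to AES but the G450 was not.
PIX_MISMATCH = PIX_CONFIG.replace("encryption 3des", "encryption aes")


def parse_g450_isakmp(text):
    """Block syntax: 'crypto isakmp policy N' opens a policy closed by 'exit'."""
    policies, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"crypto isakmp policy (\d+)", line)
        if m:
            current = policies.setdefault(int(m.group(1)), dict(G450_DEFAULTS))
        elif line == "exit":
            current = None
        elif current is not None:
            parts = line.split(None, 1)
            if len(parts) == 2 and parts[0] in ATTRS:
                current[parts[0]] = parts[1].strip().lower()
    return policies


def parse_pix_isakmp(text):
    """Flat syntax: every attribute is its own 'isakmp policy N attr value'."""
    policies = {}
    for raw in text.splitlines():
        m = re.fullmatch(r"isakmp policy (\d+) (\S+) (\S+)", raw.strip())
        if m and m.group(2) in ATTRS:
            policies.setdefault(int(m.group(1)), {})[m.group(2)] = m.group(3).lower()
    return policies


def compare_policies(local, remote):
    """Attributes whose values differ, as (attribute, local, remote).
    Section 3.6 requires all of them to be identical, so lifetime counts too."""
    return [(a, local.get(a), remote.get(a))
            for a in ATTRS if local.get(a) != remote.get(a)]


def weak_attributes(policy):
    return sorted(a for a, bad in WEAK.items() if policy.get(a) in bad)


def audit(g450_text, pix_text, policy=1):
    """Mismatch and weak-value report for one policy number on both peers."""
    g450 = parse_g450_isakmp(g450_text)[policy]
    pix = parse_pix_isakmp(pix_text)[policy]
    return {"mismatches": compare_policies(g450, pix),
            "weak_on_g450": weak_attributes(g450),
            "weak_on_pix": weak_attributes(pix)}


if __name__ == "__main__":
    print(audit(G450_CONFIG, PIX_CONFIG))
    print(audit(G450_CONFIG, PIX_MISMATCH))
```

On the page's own values the two policies agree and the only findings are the weak-value flags on 3DES and group 2; on the constructed AES variant the encryption attribute is reported as the mismatch, which is the condition that makes Phase 1 fail before any Phase 2 negotiation starts.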
7. Configure Avaya Communication Manager

In the sample configuration, there are two Network Regions. The Avaya equipment in the Main office is defined in Network Region 1 and the Avaya equipment in the Branch office is defined in Network Region 2.

Note – With the exception of Section 7.1 (which is entered on the Avaya G450 Media Gateway CLI), the following commands were entered using an Avaya Communication Manager SAT session. For information on these commands see [2].

7.1. Avaya G450 Media Gateway Serial Number

1. On the Avaya G450 Media Gateway enter the command show system and copy down the serial number. This is required when the Avaya G450 Media Gateway is provisioned on Avaya Communication Manager in the next step.

G450-001(super)# show system
System Name      : Branch_G450
System Location  :
System Contact   :
Uptime (d,h:m:s) : 7,02:56:35
MV Time          : 08:04:49 29 FEB 2008
Serial No        : 07IS13107508
Model No         : G450

Figure 19 – Avaya G450 Media Gateway Serial Number

7.2. Add the Avaya G450 Media Gateway
1. add media-gateway 1
   a. Type: g450
   b. Name: <text>
   c. Serial No: <serial number>
      Enter the Avaya G450 Media Gateway serial number taken from the show system command entered on the Avaya G450 Media Gateway in Section 7.1.
   d. Network Region: 2
   e. Other fields will auto-populate once the Avaya G450 Media Gateway registers.

add media-gateway 1                                          Page 1 of 1
                              MEDIA GATEWAY

          Number: 1                            Registered? n
            Type: g450              FW Version/HW Vintage:
            Name: G450_Branch              MGP IP Address:
       Serial No: 07IS13107508       Controller IP Address:
   Encrypt Link? y                           MAC Address:
  Network Region: 2                      Location: 1
       Site Data:
   Recovery Rule: 1

Slot   Module Type   Name            DSP Type   FW/HW version
V1:
V2:
Figure 20 – Avaya Communication Manager – Add Avaya G450 Media Gateway
7.3. Configure IP-Codec Sets In the sample configuration, calls between the Main office (Network Region 1) and the Branch office (Network Region 2) will use codec set 2. Intra-region calls will use codec set 1. Codec set 1 will use G.711MU while codec set 2 will use G.729B.
Note - See Section 8 for additional details on these codec choices. The G.729 codec is preferable over a VPN in order to conserve bandwidth. In addition, the frames per packet value was left as 2 (default) in this example because the G450 serial interface is optimized for G.729 using the default 20ms packet size. Administrators may wish to increase the frames per packet from the default 2 to 3. Increasing the RTP payload sample size actually reduces the per call bandwidth slightly, because the increased payload counteracts the additional IPSec encryption overhead.
1. change ip-codec-set 1
   a. Audio Codec 1: G.711MU

change ip-codec-set 1                                        Page 1 of 2
                          IP Codec Set

    Codec Set: 1
    Audio        Silence      Frames   Packet
    Codec        Suppression  Per Pkt  Size(ms)
 1: G.711MU      n            2        20
 2:
 3:
 4:

    Media Encryption
 1: none
 2:
 3:
Figure 21 – Avaya Communication Manager Provisioning – IP-Codec-Set 1
2. change ip-codec-set 2
   a. Audio Codec 1: G.729B

change ip-codec-set 2                                        Page 1 of 2
                          IP Codec Set

    Codec Set: 2
    Audio        Silence      Frames   Packet
    Codec        Suppression  Per Pkt  Size(ms)
 1: G.729B       n            2        20
 2:
 3:
 4:

    Media Encryption
 1: none
 2:
 3:
Figure 22– Avaya Communication Manager Provisioning – IP-Codec-Set 2
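The frames-per-packet note in Section 7.3 can be worked through numerically. The following added example (not from the Application Notes) computes the per-direction bandwidth of one G.729 stream inside ESP tunnel mode for 2 and 3 frames per packet, using the sample configuration's Phase 2 proposal (ESP, AES-128-CBC, HMAC-SHA-1-96) and the standard G.729 frame size. The Frame Relay layer-2 overhead is not stated on the page and is left as an assumed parameter that defaults to zero.

```python
# Added example (not from the Application Notes): per-direction bandwidth of a
# G.729 call in ESP tunnel mode for 2 and 3 frames per packet. Constants follow
# the sample configuration's Phase 2 proposal (ESP, AES-128-CBC, HMAC-SHA-1-96)
# and G.729 (one 10-byte frame every 10 ms, silence suppression off). The
# Frame Relay layer-2 overhead is an assumption left as a parameter.

G729_FRAME_BYTES = 10
G729_FRAME_MS = 10
INNER_HEADERS = 20 + 8 + 12    # IPv4 + UDP + RTP around the voice payload

OUTER_IP = 20                  # tunnel mode wraps a new IPv4 header
ESP_SPI_SEQ = 8                # SPI + sequence number
AES_CBC_IV = 16
AES_BLOCK = 16                 # CBC plaintext is padded to whole blocks
ESP_TRAILER = 2                # pad length + next header, inside the ciphertext
HMAC_SHA1_96_ICV = 12


def esp_tunnel_packet_bytes(inner_bytes, block=AES_BLOCK):
    """Wire size of one ESP tunnel-mode packet carrying an inner IP packet."""
    to_encrypt = inner_bytes + ESP_TRAILER
    padding = (-to_encrypt) % block              # RFC 4303 section 2.4 padding
    return (OUTER_IP + ESP_SPI_SEQ + AES_CBC_IV
            + to_encrypt + padding + HMAC_SHA1_96_ICV)


def g729_stream(frames_per_packet, ipsec=True, l2_overhead_bytes=0):
    """Per-direction figures for one G.729 stream: bytes per packet on the
    wire, packets per second and kbit/s. l2_overhead_bytes is an assumed
    allowance for Frame Relay framing; 0 reports the IP-layer rate."""
    inner = INNER_HEADERS + frames_per_packet * G729_FRAME_BYTES
    wire = (esp_tunnel_packet_bytes(inner) if ipsec else inner) + l2_overhead_bytes
    pps = 1000 / (frames_per_packet * G729_FRAME_MS)
    return {"bytes_per_packet": wire, "pps": pps, "kbps": wire * 8 * pps / 1000}


def ipsec_overhead_percent(frames_per_packet):
    """How much ESP tunnel mode adds on top of the clear RTP stream."""
    plain = g729_stream(frames_per_packet, ipsec=False)["kbps"]
    secure = g729_stream(frames_per_packet, ipsec=True)["kbps"]
    return 100 * (secure - plain) / plain


if __name__ == "__main__":
    for fpp in (2, 3):
        print(fpp, g729_stream(fpp, ipsec=False), g729_stream(fpp),
              round(ipsec_overhead_percent(fpp), 1))
```

At 2 frames per packet the 60-byte inner packet pads to a 120-byte ESP packet at 50 packets per second, 48 kbit/s per direction at the IP layer; at 3 frames per packet the 70-byte inner packet becomes a 136-byte ESP packet at 33.3 packets per second, about 36.3 kbit/s. The fixed ESP cost (outer header, SPI and sequence number, IV, ICV and block padding) is paid per packet, so carrying more voice in each packet lowers both the absolute rate and the percentage of bandwidth consumed by IPSec.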
7.4. Configure IP-Network-Regions

The Main office is defined as Network Region 1. The Branch office is defined as Network Region 2.

1. Configure Network Region 1.
   a. change ip-network-region 1
      This opens the Network Region form.
2. On page 1 of the form, provision the field:
   a. Codec Set: 1
      Let the remaining fields default.

change ip-network-region 1                                   Page 1 of 19
                              IP NETWORK REGION
  Region: 1
Location: 1       Authoritative Domain: main.com
    Name:
MEDIA PARAMETERS                Intra-region IP-IP Direct Audio: yes
      Codec Set: 1              Inter-region IP-IP Direct Audio: yes
   UDP Port Min: 2048                      IP Audio Hairpinning? n
   UDP Port Max: 3329
DIFFSERV/TOS PARAMETERS                     RTCP Reporting Enabled? y
 Call Control PHB Value: 46     RTCP MONITOR SERVER PARAMETERS
        Audio PHB Value: 46      Use Default Server Parameters? y
        Video PHB Value: 26
802.1P/Q PARAMETERS
 Call Control 802.1p Priority: 5
        Audio 802.1p Priority: 5
        Video 802.1p Priority: 5      AUDIO RESOURCE RESERVATION PARAMETERS
H.323 IP ENDPOINTS                                       RSVP Enabled? n
  H.323 Link Bounce Recovery? y
  Idle Traffic Interval (sec): 20
  Keep-Alive Interval (sec): 5
Figure 23 – Avaya Communication Manager Provisioning – IP Network Region 1 – Page 1
3. On page 3 of the form, the first line is pre-defined (Network Region 1 can communicate with Network Region 1). On the second line, define the communication between Network Regions 1 and 2 by provisioning the following fields:
   a. src rgn = 1
      In the Network Region 1 form, Network Region 1 is always the source.
   b. dst rgn = 2
      Region 2 was the destination Network Region used in the sample configuration for the Branch office.
   c. codec set = 1
      Let the remaining fields default.

change ip-network-region 1                                   Page 3 of 19
               Inter Network Region Connection Management

 src dst codec direct  WAN-BW-limits    Video                          Dyn
 rgn rgn set   WAN   Units  Total Norm Prio Shr Intervening-regions   CAC IGAR
 1   1   1
 1   2   1     y     NoLimit                                               n
Figure 24 – Avaya Communication Manager Provisioning – IP Network Region 1 – Page 3
4. Configure Network Region 2.
   a. change ip-network-region 2
      This opens the Network Region form.
5. On page 1 of the form, provision the field:
   a. Codec Set: 1
   b. Let the remaining fields default.

change ip-network-region 2                                   Page 1 of 19
                              IP NETWORK REGION
  Region: 2
Location: 1       Authoritative Domain: main.com
    Name:
MEDIA PARAMETERS                Intra-region IP-IP Direct Audio: yes
      Codec Set: 1              Inter-region IP-IP Direct Audio: yes
   UDP Port Min: 2048                      IP Audio Hairpinning? n
   UDP Port Max: 3329
DIFFSERV/TOS PARAMETERS                     RTCP Reporting Enabled? y
 Call Control PHB Value: 46     RTCP MONITOR SERVER PARAMETERS
        Audio PHB Value: 46      Use Default Server Parameters? y
        Video PHB Value: 26
802.1P/Q PARAMETERS
 Call Control 802.1p Priority: 5
        Audio 802.1p Priority: 5
        Video 802.1p Priority: 5      AUDIO RESOURCE RESERVATION PARAMETERS
H.323 IP ENDPOINTS                                       RSVP Enabled? n
  H.323 Link Bounce Recovery? y
  Idle Traffic Interval (sec): 20
  Keep-Alive Interval (sec): 5
Figure 25 – Avaya Communication Manager Provisioning – IP Network Region 2 – Page 1
6. On page 3 of the form, the first line is pre-defined (Network Region 2 can communicate with Network Region 2). On the second line, define the communication between Network Regions 1 and 2 by provisioning the following fields:
   a. src rgn = 2
      In the Network Region 2 form, Network Region 2 is always the source.
   b. dst rgn = 1
      Region 1 is the destination Network Region used in the sample configuration for the Main office.
   c. codec set = 2
   d. Let the remaining fields self-populate.

change ip-network-region 2                                   Page 3 of 19
               Inter Network Region Connection Management

 src dst codec direct  WAN-BW-limits    Video                          Dyn
 rgn rgn set   WAN   Units  Total Norm Prio Shr Intervening-regions   CAC IGAR
 2   1   2     y     NoLimit                                               n
 2   2   1
Figure 26 – Avaya Communication Manager Provisioning – IP Network Region 2 – Page 3
7.5. Configure IP-Network-Map

The IP Network Map form maps Network Regions to the IP address domains used by IP telephones.

1. change ip-network-map
   a. Under the From IP Address heading enter 50.50.50.0
      This is the voice IP domain in the Main office.
   b. Tab to the Subnet or Mask heading and enter 24
      The To IP Address fields will self-populate after the form is entered.
   c. Under the Region heading enter 1
      The Main office is assigned to Network Region 1.
   d. Under the From IP Address heading enter 73.73.73.0
      This is the voice IP domain in the Branch office.
   e. Tab to the Subnet or Mask heading and enter 24
   f. Under the Region heading enter 2
      The Branch office is assigned to Network Region 2.
   g. Let the remaining fields default.

change ip-network-map                                        Page 1 of 32
                          IP ADDRESS MAPPING
                                            Subnet                 Location
 From IP Address   (To IP Address   or Mask)  Region  VLAN         Extension
 50 .50 .50 .0      50 .50 .50 .255   24       1       n
 73 .73 .73 .0      73 .73 .73 .255   24       2       n
  .  .  .  .         .  .  .  .                        n
  .  .  .  .         .  .  .  .                        n

Figure 27 – Avaya Communication Manager Provisioning – IP-Network-Map

7.6. Save Translations

After the provisioning is completed, enter the command save trans to save the configuration on Avaya Communication Manager.
8. Configure Avaya 96xx SIP IP Telephone Codec Type

The Avaya 46xx H.323 and SIP IP telephones use the G.729B variety of the G.729 codec by default. The Avaya 96xx H.323 IP telephones also use G.729B. However, the Avaya 96xx SIP IP telephones use G.729A as the default G.729 codec type. As described in Section 7.3, the G.729 codec type is the most bandwidth-efficient over the IPSec VPN tunnel. Therefore the sample configuration defines calls between Network Regions 1 and 2 to use the G.729B codec, as it is supported by most Avaya IP telephone types in their default configurations. In order to allow G.729 call compatibility between the Avaya 96xx SIP IP telephone and the other Avaya IP telephone types, the Avaya 96xx SIP IP telephones must be provisioned to also use the G.729B codec. This is performed via the configuration file 46xxsettings.txt. The 46xxsettings.txt file is available from http://support.avaya.com. The 46xxsettings.txt file must be installed on an HTTP server that has IP connectivity to the Avaya 96xx SIP IP telephones. The 46xxsettings.txt file is retrieved by the Avaya 96xx SIP IP telephones when they are connected for the first time, or are reset. For information on using the 46xxsettings.txt file, and Avaya 96xx SIP IP telephone implementation, see [4] and [5].
8.1. Configure 46xxsettings.txt File to Enable the G.729B Codec

1. On the HTTP server, go to the /inetpub/wwwroot directory (Windows Internet Information Services was used for the HTTP server in the reference configuration).
2. Using a text editor, open the 46xxsettings.txt file.
3. Find the section labeled ##### CODEC SETTINGS #####
4. By default, the G.729A codec is enabled (## SET ENABLE_G729 1). Enter a new line SET ENABLE_G729 2 (without the leading # comment characters).
5. Save and close the 46xxsettings.txt file.
6. Reset the Avaya 96xx SIP IP telephones to install the updated 46xxsettings.txt file. The Avaya 96xx SIP IP telephones will now use the G.729B codec.

Note – Only the section of the 46xxsettings.txt file pertaining to G.729 codec provisioning is shown for brevity.

##
##################### CODEC SETTINGS #####################
##
## G.729 Codec Enabled
##   Determines whether G.729 codec is available on the
##   phone.
##   0 for G.729(A) disabled
##   1 for G.729(A) enabled without Annex B support
##   2 for G.729(A) enabled with Annex B support
## SET ENABLE_G729 1
SET ENABLE_G729 2
##
##
Figure 28 – Enable the G.729B codec via the 46xxsettings.txt file
9. Verification Steps

The following steps can be used to validate the sample configuration.

9.1. Verify Cisco PIX 515 Firewall Interfaces and Routing

1. Check that the "inside" and "outside" interface/line protocols are up and the IP addressing is correct.
   a. show interface ethernet0
      This is the "outside" interface.

pixfirewall# show interface ethernet0
interface ethernet0 "outside" is up, line protocol is up
  Hardware is i82559 ethernet, address is 0003.6bf7.25e8
  IP address 1.1.1.2, subnet mask 255.255.255.252
  MTU 1500 bytes, BW 100000 Kbit half duplex
        517521 packets input, 74718903 bytes, 0 no buffer
        Received 1406 broadcasts, 0 runts, 0 giants
        1 input errors, 1 CRC, 0 frame, 0 overrun, 1 ignored, 0 abort
        508963 packets output, 80276706 bytes, 0 underruns
        0 output errors, 15 collisions, 0 interface resets
        0 babbles, 6 late collisions, 34 deferred
        1 lost carrier, 0 no carrier
        input queue (curr/max blocks): hardware (128/128) software (0/9)
        output queue (curr/max blocks): hardware (0/9) software (0/1)
9.2. Avaya G450 Media Gateway Interfaces and Routing

1. Verify Serial interface status.
   a. show interface serial 8/1:1

G450-001(super)# show interface serial 8/1:1
Serial 8/1:1 is up, line protocol is up
  MTU 1500 bytes, Bandwidth 1536 kbit
  Reliability 255/255 txLoad 1/255 rxLoad 1/255
  Encapsulation FRAME-RELAY IETF
  Link status trap enabled
  LMI enq sent 77737, LMI stat recvd 77737, LMI upd recvd 0, DTE LMI up
  LMI DLCI 0, LMI type is ANSI Annex D, frame relay DTE
  Weighted Fair VoIP queueing mode
  Last input 00:00:00, Last output 00:00:01
  Last clearing of 'show interface' counters never
  5 minute input rate 708 bits/sec, 0 packets/sec
  5 minute output rate 784 bits/sec, 0 packets/sec
  0 input drops, 0 output drops, 0 unknown protocols
  587790 packets input, 76396277 bytes
  0 broadcasts received, 0 giants
  0 input errors, 0 CRC, 0 abort
  597153 packets output, 70441367 bytes
  0 output errors, 0 collisions
Figure 32 – Avaya G450 Media Gateway – Serial Interface.
2. Verify Serial sub-interface status.
   a. show interface serial 8/1:1.1
G450-001(super)# show interface serial 8/1:1.1
Serial 8/1:1.1 is up, line protocol is up
  Description: To_Frame_Relay_Switch
  Internet address is 30.30.30.2, mask is 255.255.255.0
  MTU 1500 bytes, Bandwidth 1536 kbit
  IPSec PMTU: copy df-bit, Min PMTU is 300
  Encapsulation FRAME-RELAY IETF
  Link status trap enabled
  Keepalive-track not set
  Last input 00:00:01, Last output 00:00:01
  Last clearing of 'show interface' counters never
  0 input drops, 0 output drops, 0 unknown protocols
  510055 packets input, 73203176 bytes
  0 broadcasts received, 0 giants
  0 input errors, 0 CRC, 0 abort
  519418 packets output, 46223882 bytes
  0 output errors, 0 collisions
Figure 33 – Avaya G450 Media Gateway – Serial Sub-Interface.
3. Verify Frame Relay PVC status.
   a. show frame-relay pvc
G450-001(super)# show frame-relay pvc
Showing 1 PVC
PVC Statistics for interface Serial 8/1:1 (Frame Relay DTE)
           Active  Inactive  Deleted  Static
  Local       1        0        0       0
  Unused      0        0        0       0
DLCI = 101, USAGE = LOCAL , PVC STATUS = ACTIVE, INTERFACE = Serial 8/1:1.1
  ROLE = Primary , PRIORITY CLASS = None
  input pkts 510059, output pkts 519422, dropped pkts 0
  in bytes 75243940, out bytes 48301864
  in FECN pkts 0, in BECN pkts 0
  in DE pkts 0, out DE pkts 0
  pvc create time 8d20h, last time pvc status changed 00:48:36
Figure 34 – Avaya G450 Media Gateway – Frame-Relay PVC.
4. Verify G450 Media Gateway IP route table entries.
   a. show ip route
G450-001(super)# show ip route
Showing 3 rows
Network          Mask  Interface            Next-Hop             Cost  TTL  Source
---------------  ----  -------------------  -------------------  ----  ---  ---------
0.0.0.0          0     Serial 8/1:1.1       30.30.30.1           1     n/a  STAT-LO
30.30.30.0       24    Serial 8/1:1.1       30.30.30.2           1     n/a  LOCAL
73.73.73.0       24    Vlan 1               73.73.73.2           1     n/a  LOCAL
Figure 35 – Avaya G450 Media Gateway – Show IP Route.
9.3. Verify Cisco PIX 515 Firewall VPN Policies
1. Verify that the configured ISAKMP policies have the correct security attributes.

9.4. Verify G450 Media Gateway VPN Policies
1. Verify that the remote peer (Cisco PIX 515 Firewall) has been defined under crypto isakmp peer.
   a. show crypto isakmp peer
G450-001(super)# show crypto isakmp peer
Showing 1 rows
Description    Peer identity       Self identity       Auth  Plc  Md  DPD    Track  Cnt  K-alv
                                                             Id
-------------  ------------------  ------------------  ----  ---  --  -----  -----  ---  -----
PIX Outside    1.1.1.2             IPv4 Address        psk   1    MM  none   No
Figure 38 – Avaya G450 Media Gateway – Isakmp Peer.
2. Verify that the configured ISAKMP policies have the correct security attributes.
   a. show crypto isakmp policy
G450-001(super)# show crypto isakmp policy
Showing 1 rows
Id  Description           Encr     Hash     Authentication  DH group  life sec
--  --------------------  -------  -------  --------------  --------  ----------
1   High                  3des     sha      Preshared key   2         86400
Figure 39 – Avaya G450 Media Gateway – Isakmp Policy.
3. Verify that the configured IPSec transform-sets have the correct security attributes.
   a. show crypto ipsec transform-set
G450-001(super)# show crypto ipsec transform-set
Showing 1 rows
Name                     ESP Enc  ESP Hash  PCP  PFS  Life Sec    Life KB     Mode
-----------------------  -------  --------  ---  ---  ----------  ----------  ------
HIGH                     aes      sha-hmac  No   #2   3600        4608000     Tunnel
Figure 40 – Avaya G450 Media Gateway – IPSec Transform-Set.
4. Verify that the crypto-list is configured with the proper wildcard masking and that the crypto-map entry refers to the correct transform-set. Any traffic that does not match the crypto-list bypasses IPSec processing.
   a. show ip crypto-list 901
G450-001(super)# show ip crypto-list 901
Index  Description                      Status     Owner
-----  -------------------------------  ---------  --------------------------
901    Encrypted traffic                valid      other
Local address: 30.30.30.2
Rules:
Index  Proto    IP   Wildcard          Port             Action        DSCP        Crypto map
                                                        Frag                      Rule
-----  -------  ---  ----------------  ---------------  ------------  ----------  ----
1      Any      Src  73.73.73.0        0.0.0.255   Any  protect  No   Any         1
                Dst  50.50.50.0        0.0.0.255   Any
Deflt  Any      Src  Any                           Any  bypass   No   Any         -
                Dst  Any                           Any
Applicable crypto maps:
Id  Description           Remote peer/group   Transform-set            DSCP  C-cnl
--  --------------------  ------------------  -----------------------  ----  -----
1   PIX_Outside           1.1.1.2             HIGH                     copy  No
Figure 41 – Avaya G450 Media Gateway – IP Crypto List 901.
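The following Python script is an added check and is not part of these Application Notes or of the G450 firmware: it applies the two rules of crypto-list 901 shown above to candidate flows with the same wildcard-mask semantics, so an administrator can see which flows the gateway will protect and which fall through to the default bypass rule and leave the serial interface without ESP. The rule table is transcribed from the output above; the candidate flows, including the assumed host 60.60.60.5, are constructed.

```python
import ipaddress

# Rules of ip crypto-list 901, transcribed from the G450 output above:
# (src, src wildcard, dst, dst wildcard, action). "Any" is written as
# 0.0.0.0 with an all-ones wildcard. Order matters: the first match wins.
CRYPTO_LIST_901 = [
    ("73.73.73.0", "0.0.0.255", "50.50.50.0", "0.0.0.255", "protect"),
    ("0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255", "bypass"),  # Deflt rule
]


def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco/Avaya wildcard semantics: a 1 bit in the wildcard mask means
    'do not care'; every 0 bit must match the base address exactly."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(addr) & care) == (_to_int(base) & care)


def crypto_list_action(src: str, dst: str, rules=CRYPTO_LIST_901) -> str:
    """Return the action the crypto-list applies to a src -> dst packet.
    As on the G450, traffic that matches no explicit rule is bypassed."""
    for rule_src, src_wc, rule_dst, dst_wc, action in rules:
        if wildcard_match(src, rule_src, src_wc) and wildcard_match(dst, rule_dst, dst_wc):
            return action
    return "bypass"


def cleartext_flows(flows, rules=CRYPTO_LIST_901):
    """List the (src, dst) pairs that would leave the WAN interface without
    ESP protection: the audit to run before relying on the tunnel."""
    return [(s, d) for s, d in flows if crypto_list_action(s, d, rules) != "protect"]


# Constructed candidate flows: addresses from the sample configuration plus an
# assumed host 60.60.60.5 on a subnet the crypto-list does not cover.
SAMPLE_FLOWS = [
    ("73.73.73.2", "50.50.50.100"),   # G450 MGP -> S8500 controller: protected
    ("73.73.73.50", "50.50.50.20"),   # branch phone -> main office host: protected
    ("73.73.73.2", "60.60.60.5"),     # branch -> uncovered subnet: sent in the clear
    ("30.30.30.2", "1.1.1.2"),        # serial interface -> PIX outside: IKE itself, bypass
]

if __name__ == "__main__":
    for src, dst in SAMPLE_FLOWS:
        print(f"{src:>14} -> {dst:<14} {crypto_list_action(src, dst)}")
    print("unprotected:", cleartext_flows(SAMPLE_FLOWS))
```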
9.5. Verify IKE Negotiations using Cisco PIX 515 Firewall Debug Traces
1. Enable local debug output to the console from the CLI. When the isakmp lifetime timer expires, verify that the ISAKMP (Phase 1) SA and the IPSec (Phase 2) SAs are removed and recreated. Alternatively, the Avaya G450 Media Gateway isakmp Phase 1 clear SA and IPSec Phase 2 clear SA commands can be used to immediately reset the VPN state (see Sections 9.1 and 9.2).
   a. debug crypto ipsec
   b. debug crypto isakmp
ISAKMP: rekeying phase 1 SA, src 1.1.1.2, dst 30.30.30.2
ISAKMP (0): retransmitting phase 1 (0)...
ISAKMP (0): retransmitting phase 1 (1)...
crypto_isakmp_process_block:src:30.30.30.2, dest:1.1.1.2 spt:500 dpt:500
ISAKMP (0): processing DELETE payload. message ID = 3099254529, spi size = 4
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
return status is IKMP_NO_ERR_NO_TRANS
ISAKMP (0): retransmitting phase 1 (2)...
ISAKMP (0): retransmitting phase 1 (3)...
ISAKMP (0): retransmitting phase 1 (4)...
crypto_isakmp_process_block:src:30.30.30.2, dest:1.1.1.2 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 1 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (basic) of 120
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): remote peer supports dead peer detection
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
ISAKMP (0): deleting SA: src 1.1.1.2, dst 30.30.30.2
crypto_isakmp_process_block:src:30.30.30.2, dest:1.1.1.2 spt:500 dpt:500
ISAKMP: drop msg for deleted sa
ISADB: reaper checking SA 0xffaf44, conn_id = 0
ISADB: reaper checking SA 0x116da8c, conn_id = 0  DELETE IT!
VPN Peer: ISAKMP: Peer ip:30.30.30.2/500 Ref cnt decremented to:0 Total VPN Peers:1
VPN Peer: ISAKMP: Deleted peer: ip:30.30.30.2/500 Total VPN peers:0
ISADB: reaper checking SA 0xffaf44, conn_id = 0
crypto_isakmp_process_block:src:30.30.30.2, dest:1.1.1.2 spt:500 dpt:500
ISAKMP (0): processing DELETE payload. message ID = 1115737207, spi size = 16
return status is IKMP_NO_ERR_NO_TRANS
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (basic) of 120
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload
ISAKMP (0): remote peer supports dead peer detection
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:30.30.30.2, dest:1.1.1.2 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0
ISAKMP (0): processing NONCE payload. message ID = 0
ISAKMP (0): ID payload
        next-payload : 8
        type         : 1
        protocol     : 17
        port         : 500
        length       : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:30.30.30.2, dest:1.1.1.2 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated
ISAKMP (0): beginning Quick Mode exchange, M-ID of -1071189158:c026f35a
IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0xfbea09c7(4226419143) for SA from 30.30.30.2 to 1.1.1.2 for prot 3
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:30.30.30.2, dest:1.1.1.2 spt:500 dpt:500
OAK_QM exchange
oakley_process_quick_mode: OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 3223778138
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_AES
ISAKMP:   attributes in transform:
ISAKMP:      encaps is 1
ISAKMP:      SA life type in seconds
ISAKMP:      SA life duration (basic) of 3600
ISAKMP:      SA life type in kilobytes
ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
ISAKMP:      authenticator is HMAC-SHA
ISAKMP:      key length is 128
ISAKMP:      group is 2
ISAKMP (0): atts are acceptable.
IPSEC(validate_proposal_request): proposal part #1,
9.6. Verify IKE Negotiations using G450 Gateway Syslog
1. Enable local Syslog message output to the console from the CLI. When the isakmp lifetime timer expires, verify that the ISAKMP (Phase 1) SA and the IPSec (Phase 2) SAs are removed and recreated. Alternatively, the Avaya G450 Media Gateway isakmp Phase 1 clear SA and IPSec Phase 2 clear SA commands can be used to immediately reset the VPN state (see Sections 9.1 and 9.2).
   a. set logging session enable
   b. set logging session condition ISAKMP debug
   c. set logging session condition IPSEC debug
2. When completed, disable the logging.
a. set logging session disable
04/22/2008,09:46:50:ISAKMP-Informational: ISAKMP SA lifetime expiration Peers 30.30.30.2<->1.1.1.2 Icookie - 8323fecb991b7cd0, Rcookie - 73159c04f0b63f69
04/22/2008,09:46:50:ISAKMP-Informational: Sending IKE DELETE message (ISAKMP SA): Peers 30.30.30.2<->1.1.1.2 Icookie - 8323fecb991b7cd0, Rcookie - 73159c04f0b63f69
04/22/2008,09:47:42:VOICE-Warning: H248 link is DOWN
04/22/2008,09:47:58:ISAKMP-Warning: Peer 1.1.1.2 is presumed dead: IKE phase 1 negotiation failure
04/22/2008,09:48:11:ISAKMP-Informational: Begin IKE phase 1 negotiation, initiated by 1.1.1.2: Peers 30.30.30.2<->1.1.1.2, mode main
04/22/2008,09:48:11:ISAKMP-Debug: Sending vendor ID to 1.1.1.2 (VID length = 16): Peers 30.30.30.2<->1.1.1.2 draft-ietf-ipsec-dpd-00.txt (0xafcad71368a1f1c96b8696fc77570100)
04/22/2008,09:48:11:ISAKMP-Debug: Received vendor ID from 1.1.1.2 (VID length = 8): Peers 30.30.30.2<->1.1.1.2 Unknown (0x09002689dfd6b712)
04/22/2008,09:48:11:ISAKMP-Debug: Received vendor ID from 1.1.1.2 (VID length = 16): Peers 30.30.30.2<->1.1.1.2 draft-ietf-ipsec-dpd-00.txt (0xafcad71368a1f1c96b8696fc77570100)
04/22/2008,09:48:11:ISAKMP-Debug: Received vendor ID from 1.1.1.2 (VID length = 16): Peers 30.30.30.2<->1.1.1.2 Unknown (0x12f5f28c457168a9702d9fe274cc0100)
04/22/2008,09:48:11:ISAKMP-Debug: Received vendor ID from 1.1.1.2 (VID length = 16): Peers 30.30.30.2<->1.1.1.2
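The following Python script is an added example, not part of these Application Notes or of the G450 software: it parses syslog lines in the format shown above and correlates the ISAKMP SA lifetime expiry with the H.248 link state and the next phase 1 negotiation, which makes the control-link outage caused by a rekey measurable for alerting. The sample lines are a constructed extract copied from the trace above.

```python
import re
from datetime import datetime

# Constructed sample of G450 syslog lines, copied from the trace above.
# Format: MM/DD/YYYY,HH:MM:SS:FACILITY-Severity: message
SAMPLE_SYSLOG = """\
04/22/2008,09:46:50:ISAKMP-Informational: ISAKMP SA lifetime expiration Peers 30.30.30.2<->1.1.1.2 Icookie - 8323fecb991b7cd0, Rcookie - 73159c04f0b63f69
04/22/2008,09:46:50:ISAKMP-Informational: Sending IKE DELETE message (ISAKMP SA): Peers 30.30.30.2<->1.1.1.2 Icookie - 8323fecb991b7cd0, Rcookie - 73159c04f0b63f69
04/22/2008,09:47:42:VOICE-Warning: H248 link is DOWN
04/22/2008,09:47:58:ISAKMP-Warning: Peer 1.1.1.2 is presumed dead: IKE phase 1 negotiation failure
04/22/2008,09:48:11:ISAKMP-Informational: Begin IKE phase 1 negotiation, initiated by 1.1.1.2: Peers 30.30.30.2<->1.1.1.2, mode main
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}),(?P<time>\d{2}:\d{2}:\d{2}):"
    r"(?P<facility>[A-Z0-9]+)-(?P<severity>[A-Za-z]+): (?P<msg>.*)$"
)
PEERS_RE = re.compile(r"Peers ([\d.]+)<->([\d.]+)")


def parse_syslog(text):
    """Turn raw G450 syslog text into a list of event dicts; lines that do
    not match the format (e.g. wrapped continuation lines) are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%Y %H:%M:%S")
        peers = PEERS_RE.search(m["msg"])
        events.append({
            "time": stamp, "facility": m["facility"], "severity": m["severity"],
            "msg": m["msg"], "peers": peers.groups() if peers else None,
        })
    return events


def rekey_report(events):
    """Correlate the first ISAKMP SA expiry with what followed it."""
    expiry = next((e for e in events if "lifetime expiration" in e["msg"]), None)
    if expiry is None:
        return None
    after = [e for e in events if e["time"] >= expiry["time"]]
    restart = next((e for e in after if e["msg"].startswith("Begin IKE phase 1")), None)
    initiator = re.search(r"initiated by ([\d.]+):", restart["msg"]) if restart else None
    return {
        "peers": expiry["peers"],
        # seconds between losing the ISAKMP SA and the peer starting a new phase 1
        "seconds_until_phase1_restart":
            int((restart["time"] - expiry["time"]).total_seconds()) if restart else None,
        # H.248 control link to the S8500 dropped while no SA existed
        "h248_link_dropped": any(e["facility"] == "VOICE" and "H248 link is DOWN" in e["msg"]
                                 for e in after),
        "peer_presumed_dead": any("presumed dead" in e["msg"] for e in after),
        "restart_initiated_by": initiator.group(1) if initiator else None,
    }


if __name__ == "__main__":
    print(rekey_report(parse_syslog(SAMPLE_SYSLOG)))
```

In the trace above the gateway goes 81 seconds without an ISAKMP SA and the H.248 link drops in that window, which is the condition an operator would alarm on.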
9.9. Verify the Avaya G450 Media Gateway Registration Status
1. Check the MGC controller status from the Avaya G450 Media Gateway CLI.
a. show mgc
G450-001(super)# show mgc
CALL CONTROLLER STATUS
-------------------------------------------
Registered          : YES
Active Controller   : 50.50.50.100
H248 Link Status    : UP
H248 Link Error Code: 0x0
CONFIGURED MGC HOST
---------------------
50.50.50.100
-- Not Available --
-- Not Available --
sls disabled
Done!
G450-001(super)#
Figure 48 – Avaya G450 Media Gateway – MGC Status.
2. Verify the registration status of the Avaya G450 Media Gateway with the S8500 Server via the Avaya Communication Manager SAT.
a. display media-gateway 1
display media-gateway 1
                                 MEDIA GATEWAY
          Number: 1                              Registered? y
            Type: g450                 FW Version/HW Vintage: 27 .26 .0 /0
            Name: G450_Branch                   MGP IP Address: 73 .73 .73 .2
       Serial No: 07IS13107508          Controller IP Address: 50 .50 .50 .100
   Encrypt Link? y                                 MAC Address: 00:04:0d:ea:ab:b8
  Network Region: 2                                   Location: 1
       Site Data:
   Recovery Rule: 1

Slot  Module Type  Name          DSP Type  FW/HW version
V1:
V2:   MM710        DS1 MM
V3:   MM342        USP WAN MM
V4:                              MP80      8   1
V5:   MM711        ANA MM
V6:   MM712        DCP MM
V7:   MM716        ANA MM                              Max Survivable IP Ext: 8
V8:   MM340        DS1 WAN MM
V9:
Figure 49 – Avaya S8500 Server – Avaya G450 Media Gateway Status.
9.10. Place Test Calls
Place calls (H.323/H.323, SIP/SIP, SIP/H.323) between the Branch office and the Main office.
1. Verify call establishment and voice quality over the VPN.
2. Place an IP protocol analyzer on the network between the Cisco PIX 515 Firewall and the Cisco 2811 WAN router. Verify that the traffic is encrypted (ESP). In the sample configuration, 1.1.1.2 is the outside interface of the Cisco PIX 515 Firewall and 30.30.30.2 is the serial interface of the Avaya G450 Media Gateway.
10. VPN Troubleshooting
1. Physical Connectivity
2. Network Connectivity
3. Confirm Phase 1 ISAKMP SA establishment
4. Confirm Phase 2 inbound and outbound IPSec SA establishment
5. Confirm bi-directional VPN forwarding
If network connectivity appears to be working correctly, check SA establishment (see Section 9). If an ISAKMP SA and IPSec SAs are created between the peers, the problem is usually routing. Check the encryption and decryption statistics for the IPSec SAs. If there is a routing problem on one side of the tunnel, the Administrator will notice encryption/decryption in only one direction. This usually indicates that the remote network cannot route back through the tunnel. The most commonly encountered problems with VPNs are either mismatched ISAKMP or IPSec security attributes or routing problems. Be sure to pay close attention to these configuration items when administering a VPN.
10.1. Clearing Avaya G450 Media Gateway SAs
The following Avaya G450 Media Gateway commands may be used to clear ISAKMP (Phase 1) and IPSec (Phase 2) SAs. Administrators should always clear the Phase 2 IPSec SAs before clearing the Phase 1 ISAKMP SAs in order to ensure proper operation.
1. IPSec Phase 2 SA
   a. clear crypto sa all
2. ISAKMP Phase 1 SA
   a. clear crypto isakmp
Alternatively, the Administrator may choose to remove a specific ISAKMP SA from a list of SAs based on the C-id.
   b. Enter the show crypto isakmp sa command and note the “C-id” number you wish to clear (depending on the configuration, more than one may be listed).
G450-001(super)# show crypto isakmp sa
C-id  Local            Remote           State    Encr     Hash  Aut  DH  TTL    DPD  Nat-T
----  ---------------  ---------------  -------  -------  ----  ---  --  -----  ---  -----
109   30.30.30.2       1.1.1.2          Ready    3des     sha   psk  2   85726  Yes  No
Figure 51 – Output of show crypto isakmp sa command.
   c. Enter clear crypto isakmp xxx, where xxx is the C-id number (109 in the example above).
10.2. Capturing IPSEC Data on the Avaya G450 Media Gateway
The Avaya G450 Media Gateway has a capture function that allows a protocol trace to be taken with the IPSec data streams decrypted. The captured data can then be read by the Wireshark open-source IP protocol analyzer to help in debugging protocol issues on the VPN tunnel.
Note – The capture feature has many options to customize the data that is collected. For more information on this command see [1].
1. Enable the capture feature.
   a. capture-service
2. Specify the interface where the capture will be performed. In the sample configuration this is the Frame Relay Serial sub-interface that terminates the VPN at the Avaya G450 Media Gateway (see Section 3.4).
   b. capture interface serial 8/1:1.1
3. Enable IPSec decryption for the capture.
   c. capture ipsec decrypted
4. Start the capture.
   d. capture start
5. After the test is performed, stop the capture.
   e. capture stop
6. Verify that data has been captured into the buffer with the show capture command. Figure 51 shows a sample output from this command.
   f. show capture
G450-001> show capture
Capture service is enabled and inactive
Capture start time 19/06/2004-13:57:40
Capture stop time 19/06/2004-13:58:23
Current buffer size is 1024 KB
Buffer mode is cyclic
Maximum number of bytes captured from each frame: 1515
Capture list 527 on interface "Serial 8/1:1.1"
Number of captured frames in file: 3596 (out of 3596 total captured frames)
Size of capture file: 266 KB (26.6 %)
Figure 51 – Output of show capture command.
7. Copy the captured data to an external device to be viewed with Wireshark. The file can be copied via FTP, TFTP, SCP, or to a USB device. In the sample configuration the captured data was copied to a USB flash drive inserted into a USB interface on the Avaya G450 Media Gateway.
   g. copy capture-file usb <name the file> usbdevice0
   h. Before removing the USB device, enter safe-removal usb usbdevice0
11. Conclusion Site-to-site IPSec Virtual Private Network (VPN) connectivity between an Avaya G450 Media Gateway and a Cisco PIX 515 Firewall, using the Internet Key Exchange (IKE) protocol to establish a secure Internet Security Association and Key Management Protocol (ISAKMP) control channel between two peers, can be achieved using the guidelines demonstrated in these Application Notes.
12. References
The following references are available from www.avaya.com
[1] Administration for the Avaya G450 Media Gateway, 03-602055, Issue 1, January 2008
[2] Administrator Guide for Avaya Communication Manager, 03-300509, Issue 4.0, Release 5.0, January 2008
[3] IPSec Virtual Private Network (VPN) between an Avaya G350 Media Gateway and a Cisco PIX 525 Firewall - Issue 1.0, March 2005
[4] Avaya one-X™ Deskphone Edition for 9600 Series SIP IP Telephones Administrator Guide Release 2.0, 16-601944, Issue 2, December 2007
[5] Avaya one-X™ Deskphone Edition for 9600 Series SIP IP Telephones Installation and Maintenance Guide Release 2.0, 16-601943, Issue 2, December 2007
The following references are available from www.cisco.com
[6] Cisco PIX Firewall Command Reference, Version 6.3, 78-14890-01, 2004
[7] PIX 6.x: Simple PIX-to-PIX VPN Tunnel Configuration Example, Document ID: 6211, 2007
[8] Cisco IOS Wide-Area Networking Command Reference, Release 12.3, OL-4432-01