
Avaya Solution & Interoperability Test Lab

Sample Configuration for Juniper Networks Auto Connect
VPN to Support an Avaya Multi-Branch Voice over IP
Solution – Issue 1.0

Abstract

These Application Notes describe the steps for configuring Juniper Networks ScreenOS based
devices for Auto Connect VPN to support an Avaya Multi-Branch Voice over IP solution.
Auto Connect VPN allows for the dynamic provisioning of VPN tunnels between spoke sites
in a Hub-and-Spoke VPN architecture. This complements the traffic flow patterns of inter-
branch VoIP calls.

AL; Reviewed: Solution & Interoperability Test Lab Application Notes 1 of 32
SPOC 10/3/2008 ©2008 Avaya Inc. All Rights Reserved. JNPR_AC-VPN
1. Introduction
These Application Notes describe a solution for configuring Juniper Networks ScreenOS
based devices for Auto Connect Virtual Private Network (AC-VPN) to support a multi-branch
Avaya Voice over IP (VoIP) solution. In a traditional enterprise architecture, a Hub-and-Spoke
topology typically provides an efficient way for branch offices (Spokes) to access resources
located at the HQ (Hub) location. With the increased use of VoIP throughout the enterprise, there
is a corresponding need for inter-branch (inter-spoke) voice traffic as users place calls between
branches. This is where AC-VPN provides increased value over traditional Hub-and-Spoke VPN
architectures. AC-VPN dynamically establishes VPN tunnels between spoke sites as needed,
eliminating the need for inter-spoke traffic to pass through the Hub. For example, when a
user places a call from branch-1 to branch-2, there is no need for VoIP traffic to travel from
branch-1 (Spoke1) to HQ (Hub) and then to branch-2 (Spoke2). AC-VPN provides a shortcut
between the two branch locations by dynamically establishing a VPN tunnel between the two
branches. This lowers latency by shortening the path VoIP traffic needs to travel, frees
resources at the Hub VPN gateway, which no longer has to relay VoIP traffic, and
increases available throughput by keeping unnecessary traffic off the Hub’s Wide Area
Network (WAN) connection.

There is no need for additional equipment to configure AC-VPN other than the Juniper Networks
ScreenOS based gateways that have already been deployed as part of a Hub-and-Spoke VPN
architecture. AC-VPN is a software feature available in Juniper Networks ScreenOS release 6.0
and above for the SSG, ISG and NS 5000 series, and functions as an enhancement to the existing
Hub-and-Spoke VPN feature set.

1.1. Overview
The sample network used in these Application Notes consists of 3 locations - HQ, Branch, and
Home - with the HQ location serving as the VPN Hub while the Branch and Home locations serve as
VPN Spokes. Juniper Networks ScreenOS devices are deployed in each location to provide
WAN connectivity, firewall, and VPN functionality. IP addresses are statically administered in
order to focus on the necessary AC-VPN configuration. Each VPN spoke location supports 2 IP
sub-networks, one for voice, where Avaya IP Telephones are connected, and the other for data,
where computers are connected. The AC-VPN is configured such that only inter-branch VoIP
traffic generated by Avaya IP Telephones can trigger the establishment and use of the dynamic
VPN tunnel. All data traffic is directed to the ISG 1000, the HQ Hub VPN gateway, whether the
destination is the Hub itself or another VPN spoke.

Since the Spoke locations in the sample network only have a simulated 10 Mbps connection to the
Internet, policy based traffic shaping is enabled and configured for VoIP traffic. This protects
the quality of phone calls from competing data traffic. Through the use of policy based
traffic shaping, specific bandwidth is allocated for both signaling and media traffic for Avaya
VoIP calls.

Local voice and data networks in each site are assigned to the Trust zone with the VPN tunnel
assigned to the VPN zone to allow for greater control in writing security policies.

2. Configuration
Figure 1 illustrates the configuration used in these Application Notes. The Routing Information
Protocol (RIP) is used among the HQ, Branch, and Home locations while the Open Shortest Path
First (OSPF) routing protocol is used in the Core IP network. The Juniper Networks ISG 1000
redistributes the necessary routes between OSPF and RIP. All Juniper Networks ScreenOS devices
are managed out of band via the 172.16.254.0 IP sub-network. All Avaya IP Telephones are
assigned to the same IP Network Region within Avaya Communication Manager.

Figure 1: Sample Network Configuration

3. Equipment and Software Validated
The following equipment and software/firmware were used in the sample configuration:

DEVICE DESCRIPTION                                    VERSION
Avaya Communication Manager with Avaya S8500 Server   R 5.0 (R015x.00.0.825.4)
Avaya G650 Gateway
Avaya 9640G IP Telephone (H.323)                      1.5
Avaya 4621SW IP Telephone (H.323)                     1.8.3
Avaya 4625SW IP Telephone (H.323)                     1.8.3
Juniper Networks Integrated Security Gateway 1000     ScreenOS 6.1R1
Juniper Networks Security Services Gateway 20         ScreenOS 6.1R1
Juniper Networks Security Services Gateway 5          ScreenOS 6.1R1

4. Configuring Juniper Networks ScreenOS Devices


This section describes the configuration for the different ScreenOS devices shown in Figure 1.
It is assumed that basic configuration has been performed to allow for IP connectivity into each
of the ScreenOS devices. All steps in this section are performed using the Command Line
Interface (CLI). Although not shown, the same configuration steps can also be accomplished
using the WebUI. Screen captures are shown in certain steps to facilitate clarification.

The configuration required for each device is broken up into the following 3 sub-sections:

• Basic configuration - Provides basic configuration steps to provision a base Hub-and-Spoke
VPN architecture.
• AC-VPN configuration - Provides additional steps to implement AC-VPN over the existing
Hub-and-Spoke architecture.
• Quality of Service (QoS) - Provides steps for configuring policy based traffic shaping for
Avaya VoIP traffic.

Instead of completing the entire configuration one device at a time before verification, it may be
beneficial to implement each sub-section for each of the devices in the network first and ensure it
is working before moving on to the next sub-section. This will minimize complexity in
verification and troubleshooting.

4.1. Configuring Juniper Network ISG 1000
This section describes the configuration for the ISG 1000 at the HQ location.

4.1.1. Base configuration

This section describes the base configuration needed to establish basic network and static VPN
connectivity.

1. Log in to the ISG 1000 using appropriate username and password.

login: username
password:*******
nsisg1000->

2. Create a new security zone called “vpn”.

set zone name vpn

3. Configure all the physical and logical interfaces.

• The sample configuration uses the out-of-band management port with an IP
address of 172.16.254.106 to manage the device. This configuration is optional.
• “ping” is allowed on the Untrust interface ethernet1/3 to facilitate troubleshooting.

set interface ethernet1/1 zone Trust
set interface ethernet1/3 zone Untrust
set interface tunnel.1 zone vpn
set interface mgt ip 172.16.254.106/24
set interface ethernet1/1 ip 192.168.100.12/24
set interface ethernet1/1 nat
set interface ethernet1/3 ip 10.10.210.5/24
set interface ethernet1/3 route
set interface tunnel.1 ip 172.172.0.1/24
set interface ethernet1/1 ip manageable
set interface ethernet1/3 ip manageable
set interface ethernet1/3 manage ping

4. To facilitate referencing, the sample network defines user-friendly names to identify the
different networks.

• Local-voice defines the IP sub-network where all Avaya IP Telephones are
connected locally.
• all-internal-net defines the IP sub-network that encompasses the entire
sample network.

set address Trust Local-voice 172.28.10.0 255.255.255.0
set address vpn all-internal-net 172.0.0.0 255.0.0.0

5. Define custom services for Avaya VoIP traffic to be used by ScreenOS security policies.
The range of UDP ports used for Avaya media traffic is defined in the ip-network-region
form in Avaya Communication Manager in Section 5, Step 1.

set service Avaya-Sgl-Fm-Spoke protocol udp src-port 0-65535 dst-port 1719-1719
set service Avaya-Sgl-Fm-Spoke + tcp src-port 1720-1720 dst-port 0-65535
set service Avaya-Sgl-To-Spoke protocol udp src-port 1719-1719 dst-port 0-65535
set service Avaya-Sgl-To-Spoke + tcp src-port 0-65535 dst-port 1720-1720
set service Avaya-RTP protocol udp src-port 2048-3329 dst-port 2048-3329

6. Define the VPN gateways. Two VPN gateways are defined at the ISG 1000 – Branch-
SSG20 which points to the Branch’s SSG20, and Home-SSG5 which points to the
Home’s SSG5.

• The sample network uses a pre-shared string of “1234567890”. The same pre-shared
string must also be used at the Branch’s SSG20 and Home’s SSG 5 in Section 4.2.1,
Step 6 and Section 4.3.1, Step 6 respectively. It is advisable to use a more robust
pre-shared key in a production environment.

set ike gateway Home-SSG5 address 10.10.230.6 outgoing-interface ethernet1/3 preshare 1234567890 sec-level standard
set ike gateway Branch-SSG20 address 10.10.220.6 outgoing-interface ethernet1/3 preshare 1234567890 sec-level standard

7. Configure 2 VPN tunnels, one to the Branch and the other to the Home using the gateway
defined in Step 6 and bind the VPN tunnels to the tunnel interface.

set vpn To_Home gateway Home-SSG5 no-replay tunnel idletime 0 sec-level standard
set vpn To_Home id 2 bind interface tunnel.1
set vpn To_Branch gateway Branch-SSG20 no-replay tunnel idletime 0 sec-level standard
set vpn To_Branch id 1 bind interface tunnel.1

8. Enable routing protocols and route redistribution. The ISG 1000 in the sample network
uses 2 routing protocols, OSPF and RIP. OSPF is enabled on the internal Trust interface
to exchange routing information within the Core IP network. RIP is enabled on the
tunnel interface to exchange routing information between the VPN Hub and the Spokes.
Routes learned from RIP are redistributed into the OSPF network and routes learned
from OSPF are redistributed into the RIP network. Access lists define which IP
sub-networks are redistributed.

set vrouter trust-vr
set access-list 1
set access-list 1 permit ip 172.28.0.0/16 10
set access-list 1 permit ip 192.168.100.0/24 20
set access-list 2
set access-list 2 permit ip 172.220.0.0/24 20
set access-list 2 permit ip 172.221.0.0/24 21
set access-list 2 permit ip 172.230.0.0/24 30
set access-list 2 permit ip 172.231.0.0/24 31
set route-map name core-net permit 1

set match ip 1
exit
set route-map name spoke-net permit 1
set match ip 2
exit
unset add-default-route
set route 0.0.0.0/0 interface ethernet1/3 gateway 10.10.210.1 permanent
set protocol ospf
set redistribute route-map spoke-net protocol rip
exit
set protocol rip
set redistribute route-map core-net protocol ospf
set redistribute route-map core-net protocol connected
exit
exit
set interface ethernet1/1 protocol ospf area 0.0.0.0
set interface ethernet1/1 protocol ospf enable
set interface ethernet1/1 protocol ospf cost 1
set interface tunnel.1 protocol rip
set interface tunnel.1 protocol rip enable
set interface tunnel.1 protocol rip demand-circuit

9. Define the necessary policy to allow traffic to traverse between the different zones.
Logging is enabled to facilitate troubleshooting and analysis.

set policy id 11 from Trust to vpn CLAN-1 Any Avaya-Sgl-To-Spoke permit log traffic priority 2 dscp value 0
set policy id 11
set src-address CLAN-2
exit
set policy id 12 from Trust to vpn Local-voice Any Avaya-RTP permit log traffic priority 2 dscp value 0
set policy id 13 from Trust to vpn Any Any ANY permit log
set policy id 14 from Trust to vpn Any Any ANY deny log
set policy id 21 from vpn to Trust all-internal-net CLAN-1 Avaya-Sgl-Fm-Spoke permit log traffic priority 2
set policy id 21
set dst-address CLAN-2
exit
set policy id 22 from vpn to Trust all-internal-net Any Avaya-RTP permit log traffic priority 2
set policy id 23 from vpn to Trust all-internal-net Any ANY permit log
set policy id 24 from vpn to Trust Any Any ANY deny log
set policy id 31 from Trust to Untrust Any Any ANY permit log
set policy id 32 from Trust to Untrust Any Any ANY deny log
set policy id 41 from Untrust to Trust Any Any ANY deny log
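
To check what this ordered policy set does to a given packet before committing it, the following Python script (an added example, not part of the Application Notes and not ScreenOS code) transcribes the ISG 1000 address book, custom services and policies from Steps 4, 5 and 9 and evaluates constructed sample flows with first-match semantics. CLAN-1 and CLAN-2 are not defined in Step 4 above; the script assumes they are defined on the ISG 1000 exactly as on the spokes (Sections 4.2.1 and 4.3.1, Step 4). Policy order is assumed to be ascending id, intra-zone traffic is not modelled, and all host addresses in the samples are constructed.

```python
"""Offline first-match evaluator for the ISG 1000 policy set (added example).

Address-book entries, custom services and policies are transcribed from Section 4.1.1
(Steps 4, 5 and 9). CLAN-1/CLAN-2 are ASSUMED to match the spoke address books.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Address book: name -> list of CIDR prefixes. "Any" is the ScreenOS wildcard.
ADDRESSES = {
    "Any": ["0.0.0.0/0"],
    "Local-voice": ["172.28.10.0/24"],
    "all-internal-net": ["172.0.0.0/8"],
    "CLAN-1": ["172.28.10.7/32"],    # assumed: copied from the spoke address book
    "CLAN-2": ["172.28.10.17/32"],   # assumed: copied from the spoke address book
}

# Custom services: name -> list of (protocol, (src-port lo, hi), (dst-port lo, hi)).
SERVICES = {
    "Avaya-Sgl-To-Spoke": [("udp", (1719, 1719), (0, 65535)), ("tcp", (0, 65535), (1720, 1720))],
    "Avaya-Sgl-Fm-Spoke": [("udp", (0, 65535), (1719, 1719)), ("tcp", (1720, 1720), (0, 65535))],
    "Avaya-RTP": [("udp", (2048, 3329), (2048, 3329))],
    "ANY": [("any", (0, 65535), (0, 65535))],
}


@dataclass(frozen=True)
class Policy:
    pid: int
    src_zone: str
    dst_zone: str
    src: Tuple[str, ...]
    dst: Tuple[str, ...]
    service: str
    action: str


# Policies in evaluation order (assumed ascending id, as entered in Step 9).
POLICIES = [
    Policy(11, "Trust", "vpn", ("CLAN-1", "CLAN-2"), ("Any",), "Avaya-Sgl-To-Spoke", "permit"),
    Policy(12, "Trust", "vpn", ("Local-voice",), ("Any",), "Avaya-RTP", "permit"),
    Policy(13, "Trust", "vpn", ("Any",), ("Any",), "ANY", "permit"),
    Policy(14, "Trust", "vpn", ("Any",), ("Any",), "ANY", "deny"),
    Policy(21, "vpn", "Trust", ("all-internal-net",), ("CLAN-1", "CLAN-2"), "Avaya-Sgl-Fm-Spoke", "permit"),
    Policy(22, "vpn", "Trust", ("all-internal-net",), ("Any",), "Avaya-RTP", "permit"),
    Policy(23, "vpn", "Trust", ("all-internal-net",), ("Any",), "ANY", "permit"),
    Policy(24, "vpn", "Trust", ("Any",), ("Any",), "ANY", "deny"),
    Policy(31, "Trust", "Untrust", ("Any",), ("Any",), "ANY", "permit"),
    Policy(32, "Trust", "Untrust", ("Any",), ("Any",), "ANY", "deny"),
    Policy(41, "Untrust", "Trust", ("Any",), ("Any",), "ANY", "deny"),
]


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    proto: str  # "udp" or "tcp"
    sport: int
    dport: int


def addr_match(names: Tuple[str, ...], ip: str) -> bool:
    """True if ip falls inside any prefix of any named address-book entry."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p) for n in names for p in ADDRESSES[n])


def svc_match(service: str, flow: Flow) -> bool:
    """True if the flow's protocol and port pair fit one entry of the service."""
    return any(
        proto in ("any", flow.proto) and s_lo <= flow.sport <= s_hi and d_lo <= flow.dport <= d_hi
        for proto, (s_lo, s_hi), (d_lo, d_hi) in SERVICES[service]
    )


def lookup(flow: Flow) -> Tuple[Optional[int], str]:
    """Return (policy id, action) of the first matching policy; no match is an implicit deny."""
    for p in POLICIES:
        if ((p.src_zone, p.dst_zone) == (flow.src_zone, flow.dst_zone)
                and addr_match(p.src, flow.src_ip) and addr_match(p.dst, flow.dst_ip)
                and svc_match(p.service, flow)):
            return p.pid, p.action
    return None, "deny"


if __name__ == "__main__":
    # Constructed hosts: branch phone 172.220.0.50, HQ phone 172.28.10.50, HQ PC 192.168.100.50,
    # branch data host 172.221.0.20, Untrust host 10.10.99.9.
    samples = [
        ("Branch phone RAS registration to CLAN-1", Flow("vpn", "Trust", "172.220.0.50", "172.28.10.7", "udp", 49152, 1719)),
        ("Branch phone RTP to HQ phone", Flow("vpn", "Trust", "172.220.0.50", "172.28.10.50", "udp", 2050, 2060)),
        ("HQ phone RTP to branch phone", Flow("Trust", "vpn", "172.28.10.50", "172.220.0.50", "udp", 2060, 2050)),
        ("CLAN-1 RAS reply to branch phone", Flow("Trust", "vpn", "172.28.10.7", "172.220.0.50", "udp", 1719, 49152)),
        ("HQ PC HTTPS to branch data host", Flow("Trust", "vpn", "192.168.100.50", "172.221.0.20", "tcp", 51000, 443)),
        ("Non-internal source arriving over the tunnel", Flow("vpn", "Trust", "10.1.1.1", "172.28.10.7", "udp", 49152, 1719)),
        ("Untrust host to CLAN-1", Flow("Untrust", "Trust", "10.10.99.9", "172.28.10.7", "tcp", 40000, 22)),
    ]
    for label, flow in samples:
        pid, action = lookup(flow)
        print(f"{label:46s} -> policy {pid} {action}")
```

The run shows why the page insists on policies in both directions: inter-branch RTP arriving over the tunnel hits policy 22 while the HQ side's own RTP hits policy 12, and each carries its own traffic-shaping and DSCP settings. It also shows that, on the ISG 1000, policy 13 (Any Any ANY permit) makes policies 11 and 12 a matter of QoS marking rather than access control, whereas a source outside 172.0.0.0/8 arriving over the tunnel falls through to the deny in policy 24.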

The screen capture below shows the order of the security policies as seen from the WebUI.

4.1.2. Configure AC-VPN on the ISG 1000

This section shows configuration steps relevant to the configuration of the AC-VPN feature.

1. Define a gateway to be used by the AC-VPN tunnel.

set ike gateway ac-vpn-hub acvpn-profile sec-level standard

2. Configure the AC-VPN tunnel. The AC-VPN tunnel in the sample network is configured
to be torn down automatically after 1 minute of inactivity. This parameter is configured
via the idletime option. The idle time value is downloaded to and used by the
Spoke gateways when they establish the AC-VPN tunnel.

set vpn ac-vpn acvpn-profile ac-vpn-hub replay tunnel idletime 1 sec-level standard

3. Enable and configure the Next Hop Resolution Protocol (NHRP) and bind it to the tunnel
interface. VPN spoke gateways rely on NHRP to learn the IP addresses of the peer spokes,
which are needed to dynamically establish the spoke-to-spoke tunnels.

set vrouter trust-vr
set protocol nhrp
set protocol nhrp acvpn-profile ac-vpn
exit
set interface tunnel.1 protocol nhrp enable
exit

4.1.3. Configure Quality of Service for Avaya VoIP traffic

1. Enable and configure policy based traffic shaping for voice traffic. As part of Section
4.1.1, Step 9, these policies should already be in place. This step amends the security
policies to enable the traffic shaping option for the Avaya VoIP related policies.

Although it may seem unnecessary from a security standpoint, it is absolutely essential
to have corresponding policies configured in both the Trust to VPN and VPN to Trust
directions with traffic shaping enabled and configured. Depending on which direction VoIP
traffic starts in, policies from either direction may be activated.

set policy id 11 from Trust to vpn CLAN-1 Any Avaya-Sgl-To-Spoke permit log traffic priority 2 dscp value 0
set policy id 11
set src-address CLAN-2
exit
set policy id 12 from Trust to vpn Local-voice Any Avaya-RTP permit log traffic priority 2 dscp value 0
set policy id 21 from vpn to Trust all-internal-net CLAN-1 Avaya-Sgl-Fm-Spoke permit log traffic priority 2
set policy id 21
set dst-address CLAN-2
exit
set policy id 22 from vpn to Trust all-internal-net Any Avaya-RTP permit log traffic priority 2

4.2. Configuring Juniper Networks SSG 20

This section describes the configuration for the SSG 20 at the Branch location. It is
divided into 3 sub-sections to better illustrate the specific configuration pertaining to each
function of the security device.

4.2.1. Base configuration

This section describes the base configuration needed to establish basic network and static VPN
connectivity.

1. Log in to the SSG 20 using appropriate username and password.

login: username
password:*******
ssg20-wlan->

2. Create a new security zone called vpn.

set zone name vpn

3. Configure all the physical and logical interfaces.

• The sample configuration uses Ethernet port ethernet0/1 as the management port
with an IP address of 172.16.254.111 to manage the device. This configuration is
optional.
• “ping” is allowed on the external Untrust interface ethernet0/0 to facilitate
troubleshooting.

unset interface bgroup0 port ethernet0/4
set interface ethernet0/0 zone Untrust
set interface ethernet0/1 zone DMZ
set interface ethernet0/4 zone Trust
set interface bgroup0 zone Trust
set interface tunnel.1 zone vpn
set interface ethernet0/0 ip 10.10.220.6/24
set interface ethernet0/0 route
set interface ethernet0/1 ip 172.16.254.111/24
set interface ethernet0/1 route
set interface ethernet0/4 ip 172.221.0.1/24
set interface ethernet0/4 nat
set interface bgroup0 ip 172.220.0.1/24
set interface bgroup0 route
set interface tunnel.1 ip 172.172.0.2/24
set interface ethernet0/0 ip manageable
set interface ethernet0/1 ip manageable
set interface ethernet0/4 ip manageable
set interface bgroup0 ip manageable
set interface ethernet0/1 manage ssh
set interface ethernet0/1 manage web
set interface ethernet0/0 manage ping

4. To facilitate referencing, the sample network defines user-friendly names to identify the
different networks.

• Local-voice defines the IP sub-network where all Avaya IP Telephones are
connected locally.
• Local-data defines the IP sub-network where all computer users are
connected locally.
• all-internal-net defines the IP sub-network that encompasses the entire
sample network.
• CLAN-1 and CLAN-2 define the IP addresses of the CLAN boards with which Avaya
VoIP signaling traffic communicates.

set address Trust Local-voice 172.220.0.0 255.255.255.0
set address Trust Local-data 172.221.0.0 255.255.255.0
set address VPN all-internal-net 172.0.0.0 255.0.0.0
set address VPN CLAN-1 172.28.10.7 255.255.255.255
set address VPN CLAN-2 172.28.10.17 255.255.255.255

5. Define custom services for Avaya VoIP traffic to be used by ScreenOS security policies.
The range of UDP ports used for Avaya media traffic is defined in the ip-network-region
form in Avaya Communication Manager in Section 5, Step 1.

set service Avaya-Sgl-up protocol udp src-port 0-65535 dst-port 1719-1719
set service Avaya-Sgl-up + tcp src-port 1720-1720 dst-port 0-65535
set service Avaya-Sgl-dn protocol udp src-port 1719-1719 dst-port 0-65535
set service Avaya-Sgl-dn + tcp src-port 0-65535 dst-port 1720-1720
set service Avaya-RTP protocol udp src-port 2048-3329 dst-port 2048-3329

6. Define the VPN gateway. One VPN gateway, HQ-ISG1000, is defined at the SSG 20; it points
to the HQ’s ISG 1000.

• The sample network uses a pre-shared string of 1234567890. The same pre-shared
string must also be used at the HQ’s ISG 1000 and the Home’s SSG 5 in Section 4.1.1,
Step 6 and Section 4.3.1, Step 6. It is advisable to use a more robust pre-shared key
in a production environment.

set ike gateway HQ-ISG1000 address 10.10.210.5 outgoing-interface ethernet0/0 preshare 1234567890 sec-level standard

7. Configure the VPN tunnel to the HQ location using the gateway defined in Step 6 and
bind the VPN tunnel to the tunnel interface.

set vpn To_HQ gateway HQ-ISG1000 no-replay tunnel idletime 0 sec-level standard
set vpn To_HQ id 3 bind interface tunnel.1

8. Enable and configure the RIP routing protocol. RIP is enabled on the tunnel interface to
exchange routing information between the VPN Hub and Spokes. Access lists are
configured to define which IP sub-networks are learned and advertised.

set vrouter trust-vr
set protocol rip
set enable
exit
exit
set vrouter untrust-vr
exit
set vrouter trust-vr
set router-id 172.172.0.2
set access-list 1
set access-list 1 permit ip 172.220.0.0/24 10
set access-list 1 permit ip 172.172.0.0/24 20
set access-list 1 permit ip 172.221.0.0/24 30
set access-list 2
set access-list 2 permit ip 172.0.0.0/8 10
set route-map name local-net permit 1
set match ip 1
exit
set route-map name comp-net permit 2
set match ip 2
exit
unset add-default-route

set route 0.0.0.0/0 interface ethernet0/0 gateway 10.10.220.1 preference 100 permanent
set protocol rip
set redistribute route-map local-net protocol connected
set route-map comp-net in
set route-map local-net out
exit
exit
set interface tunnel.1 protocol rip
set interface tunnel.1 protocol rip enable
set interface tunnel.1 protocol rip demand-circuit

9. Define the necessary policies to allow traffic to traverse between the different zones.
Logging is enabled to facilitate troubleshooting and analysis.

set policy id 11 from Trust to VPN Local-voice CLAN-1 Avaya-Sgl-up permit log
set policy id 11
set dst-address CLAN-2
exit
set policy id 12 from Trust to VPN Local-voice all-internal-net Avaya-RTP permit log
set policy id 13 from Trust to VPN Local-data all-internal-net ANY permit log
set policy id 14 from Trust to VPN Any Any ANY deny log
set policy id 21 from VPN to Trust CLAN-1 Any Avaya-Sgl-dn permit log
set policy id 21
set src-address CLAN-2
exit
set policy id 22 from VPN to Trust all-internal-net Local-voice Avaya-RTP permit log
set policy id 23 from VPN to Trust all-internal-net Local-data ANY permit log
set policy id 24 from VPN to Trust Any Any ANY deny log
set policy id 31 from Trust to Untrust Any Any ANY permit log
set policy id 32 from Trust to Untrust Any Any ANY deny log
set policy id 41 from Untrust to Trust Any Any ANY deny log

The screen capture below shows the order of the security policies as seen from the WebUI.

4.2.2. Configure AC-VPN on the SSG 20

This section shows configuration steps relevant to the configuration of the AC-VPN feature.

1. Define a gateway to be used by the AC-VPN tunnel.

set ike gateway ac-vpn-gw acvpn-dynamic local-id Branch
set ike gateway ac-vpn-gw cert peer-ca self-signed

2. Configure the AC-VPN tunnel using the ac-vpn-gw defined in Step 1.

set vpn ac-vpn acvpn-dynamic ac-vpn-gw To_HQ
3. Enable and configure the Next Hop Resolution Protocol (NHRP) and bind it to the tunnel
interface. VPN spoke gateways rely on NHRP to learn the IP addresses of the peer spokes,
which are needed to dynamically establish the spoke-to-spoke tunnels.

set vrouter trust-vr
set protocol nhrp
set protocol nhrp nhs 172.172.0.1
set protocol nhrp cache 172.220.0.0/24
exit
set interface tunnel.1 protocol nhrp enable
set traffic-shaping mode on

4.2.3. Configure Quality of Service for Avaya VoIP traffic
This section shows configuration steps for configuring QoS for Avaya VoIP traffic.

1. Define the bandwidth for the external Untrust Ethernet interface and bandwidth
allocation for the logical tunnel interface.

The available bandwidth for the Ethernet connection between ethernet0/0 and the
simulated Internet is 10 Mbps; therefore the sample network defines the Maximum
Bandwidth (mbw) as 10000 kbps. Out of this total 10000 kbps, 8000 kbps is
guaranteed for the tunnel interface, with a maximum of 10000 kbps. The guaranteed
bandwidth of 8000 kbps is shared by all incoming and outgoing voice and data traffic
traversing any VPN tunnel.

set interface ethernet0/0 phy full 10mb
set interface ethernet0/0 bandwidth egress mbw 10000 ingress mbw 10000
set interface tunnel.1 bandwidth egress gbw 8000 mbw 10000 ingress mbw 8000

2. Enable and configure policy based traffic shaping for voice traffic. As part of Section
4.2.1, Step 9, these policies should already be in place. This step amends the security
policies to enable the traffic shaping option for the Avaya VoIP related policies.

Although it may seem unnecessary from a security standpoint, it is absolutely essential
to have corresponding policies configured in both the Trust to VPN and VPN to Trust
directions with traffic shaping enabled and configured. Depending on which direction VoIP
traffic starts in, policies from either direction may be activated.

The table below shows the bandwidth allocation for the Avaya VoIP traffic used in the
sample network. This allocation is for demonstration purposes only; actual bandwidth
allocation should take into account the total number of simultaneous outbound calls as
well as the audio codec used. The allocation shown should accommodate approximately
10 simultaneous calls using the G.711 codec.

Purpose of VoIP traffic                           Guaranteed bandwidth (gbw)   Maximum bandwidth (mbw)
Avaya VoIP registration / Avaya H.323 signaling   5 kbps                       10 kbps
Avaya VoIP Media                                  1000 kbps                    1100 kbps

set policy id 11 from Trust to VPN Local-voice CLAN-1 Avaya-Sgl-up permit log traffic gbw 5 priority 2 mbw 10
set policy id 11
set dst-address CLAN-2
exit
set policy id 12 from Trust to VPN Local-voice all-internal-net Avaya-RTP permit log traffic gbw 1000 priority 2 mbw 1100
set policy id 13 from Trust to VPN Local-data all-internal-net ANY permit log
set policy id 14 from Trust to VPN Any Any ANY deny log
set policy id 21 from VPN to Trust CLAN-1 Any Avaya-Sgl-dn permit log traffic gbw 5 priority 2 mbw 10
set policy id 22 from VPN to Trust all-internal-net Local-voice Avaya-RTP permit log traffic gbw 1000 priority 2 mbw 1100
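
To sanity-check the gbw/mbw values of the Avaya-RTP shaping policies against the claim of roughly 10 simultaneous G.711 calls, the following Python script (an added example, not from the Application Notes) derives the per-call bandwidth of G.711 RTP carried inside the ESP tunnel and counts how many calls fit a budget. Everything beyond the 64 kbps G.711 rate and the 1000/1100 kbps policy values is an assumption, labelled in the code: 20 ms packetization (50 packets per second), IPv4 with no options, ESP in tunnel mode with 3DES or AES-128 and HMAC-SHA1-96 (the ciphers the ScreenOS standard security level is assumed to offer), and bandwidth counted at the IP layer of the Untrust interface, excluding Ethernet framing.

```python
"""Per-call bandwidth of G.711 RTP inside the IPsec tunnel (added example).

All overhead figures below are assumptions stated in the constants; Ethernet framing
is excluded, so results are IP-layer bandwidth per direction on the Untrust side.
"""

IPV4_HDR = 20          # outer and inner IPv4 header, no options (assumed)
UDP_HDR = 8
RTP_HDR = 12           # fixed RTP header, no CSRC list or extension (assumed)
ESP_SPI_SEQ = 8        # ESP header: SPI (4) + sequence number (4)
ESP_TRAILER = 2        # pad length (1) + next header (1)
ESP_ICV_SHA1_96 = 12   # HMAC-SHA1-96 integrity check value (assumed)
# cipher -> (IV length, block size) in bytes; assumed proposals of ScreenOS "standard" level
CIPHERS = {"3des": (8, 8), "aes128": (16, 16)}


def rtp_packet_bytes(ptime_ms: int, codec_bps: int = 64000) -> int:
    """Inner IPv4/UDP/RTP packet size for a codec at the given packetization time."""
    payload = codec_bps * ptime_ms // 8000        # bits per second -> bytes per packet
    return IPV4_HDR + UDP_HDR + RTP_HDR + payload


def esp_tunnel_bytes(inner_bytes: int, cipher: str = "3des") -> int:
    """Size of the ESP tunnel-mode packet that carries an inner packet of inner_bytes."""
    iv_len, block = CIPHERS[cipher]
    encrypted = inner_bytes + ESP_TRAILER
    encrypted += (-encrypted) % block             # pad up to the cipher block boundary
    return IPV4_HDR + ESP_SPI_SEQ + iv_len + encrypted + ESP_ICV_SHA1_96


def per_call_kbps(ptime_ms: int = 20, cipher: str = "3des", codec_bps: int = 64000) -> float:
    """One direction of one call, in kbps, as carried on the Untrust interface."""
    pps = 1000 / ptime_ms
    return esp_tunnel_bytes(rtp_packet_bytes(ptime_ms, codec_bps), cipher) * 8 * pps / 1000


def calls_within(budget_kbps: float, ptime_ms: int = 20, cipher: str = "3des") -> int:
    """How many simultaneous one-direction calls fit in a shaping budget (gbw or mbw)."""
    return int(budget_kbps // per_call_kbps(ptime_ms, cipher))


if __name__ == "__main__":
    GBW, MBW = 1000, 1100   # Avaya-RTP policy values from the table above
    for cipher in CIPHERS:
        for ptime in (20, 30):
            kbps = per_call_kbps(ptime, cipher)
            print(f"G.711 {ptime} ms over ESP/{cipher}: {kbps:6.1f} kbps per call; "
                  f"{calls_within(GBW, ptime, cipher)} calls within gbw {GBW}, "
                  f"{calls_within(MBW, ptime, cipher)} within mbw {MBW}")
```

Under these assumptions a 20 ms G.711 call costs about 102 kbps per direction inside the tunnel (over 100 kbps because the tunnel adds roughly 56 bytes to every 200-byte RTP packet), so 9 calls fit the 1000 kbps guarantee and the tenth call is carried only by the 1100 kbps maximum. Re-run with the codec, packetization time and cipher actually negotiated before fixing production values; the signaling budget (5/10 kbps) is not derived here.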

The screen capture below provides a quick view of traffic shaping for each of the policies; an
icon in the policy row indicates that traffic shaping is enabled for that particular security
policy. This screen can be accessed by selecting Reports > Policies from the left panel menu in
the WebUI.

4.3. Configuring Juniper Networks SSG 5

This section describes the configuration for the SSG 5 at the Home location.

4.3.1. Base configuration

This section describes the base configuration needed to establish basic network and static VPN
connectivity.

1. Log in to the SSG 5 using appropriate username and password.

login: username
password:*******
ssg5-serial-wlan->

2. Create a new security zone called vpn.

set zone name vpn

3. Configure all the physical and logical interfaces.

• The sample configuration uses Ethernet port ethernet0/1 as the management port
with an IP address of 172.16.254.107 to manage the device. This configuration is
optional.
• ping is allowed on the external Untrust interface ethernet0/0 to facilitate
troubleshooting.

unset interface bgroup0 port ethernet0/6
set interface ethernet0/0 zone Untrust
set interface ethernet0/1 zone Trust
set interface ethernet0/6 zone Trust
set interface wireless0/0 zone Null
set interface bgroup0 zone Trust
set interface tunnel.1 zone vpn
set interface bgroup0 port ethernet0/2
set interface bgroup0 port ethernet0/3
set interface ethernet0/0 ip 10.10.230.6/24
set interface ethernet0/0 route
set interface ethernet0/1 ip 172.16.254.107/24
set interface ethernet0/1 route
set interface ethernet0/6 ip 172.231.0.1/24
set interface ethernet0/6 nat
set interface bgroup0 ip 172.230.0.1/24
set interface bgroup0 nat
set interface tunnel.1 ip 172.172.0.3/24
set interface ethernet0/0 ip manageable
set interface ethernet0/1 ip manageable
set interface ethernet0/6 ip manageable
set interface bgroup0 ip manageable
set interface ethernet0/0 manage ping

4. To facilitate referencing, the sample network defines user-friendly names to identify the
different networks.

• Local-voice defines the IP sub-network where all Avaya IP Telephones are
connected locally.
• Local-data defines the IP sub-network where all computer users are
connected locally.
• all-internal-net defines the IP sub-network that encompasses the entire
sample network.
• CLAN-1 and CLAN-2 define the IP addresses of the CLAN boards with which
Avaya VoIP signaling traffic communicates.

set address Trust Local-voice 172.230.0.0 255.255.255.0
set address Trust Local-data 172.231.0.0 255.255.255.0
set address vpn all-internal-net 172.0.0.0 255.0.0.0
set address vpn CLAN-1 172.28.10.7 255.255.255.255
set address vpn CLAN-2 172.28.10.17 255.255.255.255

5. Define custom services for Avaya VoIP traffic to be used by ScreenOS security policies.
The range of UDP ports used for Avaya media traffic is defined in the ip-network-region
form in Avaya Communication Manager in Section 5, Step 1.

set service Avaya-Sgl-up protocol udp src-port 0-65535 dst-port 1719-1719
set service Avaya-Sgl-up + tcp src-port 1720-1720 dst-port 0-65535
set service Avaya-Sgl-dn protocol udp src-port 1719-1719 dst-port 0-65535
set service Avaya-Sgl-dn + tcp src-port 0-65535 dst-port 1720-1720
set service Avaya-RTP protocol udp src-port 2048-3329 dst-port 2048-3329

6. Define the VPN gateway. One VPN gateway, HQ_ISG1000, is defined at the SSG 5; it points
to the HQ’s ISG 1000.

• The sample network uses a pre-shared string of 1234567890. The same pre-shared
string must also be used at the HQ’s ISG 1000 and the Branch’s SSG 20 in Section 4.1.1,
Step 6 and Section 4.2.1, Step 6. It is advisable to use a more robust pre-shared key
in a production environment.

set ike gateway HQ_ISG1000 address 10.10.210.5 outgoing-interface ethernet0/0 preshare 1234567890 sec-level standard

7. Configure the VPN tunnel to the HQ location using the gateway defined in Step 6 and
bind the VPN tunnel to the tunnel interface.

set vpn To_HQ gateway HQ_ISG1000 no-replay tunnel idletime 0 sec-level standard
set vpn To_HQ id 3 bind interface tunnel.1

8. Enable and configure the RIP routing protocol. RIP is enabled on the tunnel interface to
exchange routing information between the VPN Hub and the Spokes. Access lists are configured
to define which IP sub-networks are advertised.

set vrouter trust-vr
set protocol rip
set enable
exit
exit
set vrouter trust-vr
set router-id 172.172.0.3
set access-list 1
set access-list 1 permit ip 172.230.0.0/24 1
set access-list 1 permit ip 172.172.0.0/24 2
set access-list 1 permit ip 172.231.0.0/24 3
set access-list 2
set access-list 2 permit ip 172.220.0.0/24 5
set access-list 2 permit ip 172.0.0.0/8 10
set route-map name local-net permit 1
set match ip 1
exit
set route-map name comp-net permit 2
set match ip 2
exit
unset add-default-route

set route 0.0.0.0/0 interface ethernet0/0 gateway 10.10.230.1 preference 100 permanent
set protocol rip
set redistribute route-map local-net protocol connected
set route-map comp-net in
set route-map local-net out
exit
exit
set interface tunnel.1 protocol rip
set interface tunnel.1 protocol rip enable
set interface tunnel.1 protocol rip send-version v1v2
set interface tunnel.1 protocol rip receive-version v1v2
set interface tunnel.1 protocol rip demand-circuit

9. Define the necessary policies to allow traffic to traverse between the different zones.
Logging is enabled to facilitate troubleshooting and analysis.

set policy id 11 from Trust to vpn Local-voice CLAN-1 Avaya-Sgl-up permit log
set policy id 11
    set dst-address CLAN-2
exit
set policy id 12 from Trust to vpn Local-voice all-internal-net UDP-ANY permit log
set policy id 13 from Trust to Local-data all-internal-net ANY permit log
set policy id 14 from Trust to vpn Any Any ANY deny log
set policy id 21 from vpn to Trust CLAN-1 Local-voice Avaya-Sgl-dn permit log
set policy id 21
    set src-address CLAN-2
exit
set policy id 22 from vpn to Trust all-internal-net Local-voice Avaya-RTP permit log
set policy id 23 from vpn to Trust all-internal-net Local-data ANY permit log
set policy id 24 from vpn to Trust Any Any ANY deny log
set policy id 31 from Trust to Untrust Any Any ANY permit
set policy id 32 from Trust to Untrust Any Any ANY deny log
set policy id 41 from Untrust to Trust Any Any ANY deny log

The screen capture below shows the order of the security policies as seen from the WebUI.

4.3.2. Configure AC-VPN on the SSG 5

This section shows the configuration steps relevant to the AC-VPN feature.

1. Define a gateway to be used by the AC-VPN tunnel.

set ike gateway ac-vpn-gw acvpn-dynamic local-id Home1
set ike gateway ac-vpn-gw cert peer-ca self-signed

2. Configure the AC-VPN tunnel using the ac-vpn-gw defined in Step 1.

set vpn ac-vpn acvpn-dynamic ac-vpn-gw To_HQ

5. Enable and configure the Next Hop Resolution Protocol (NHRP) and bind it to the tunnel
interface. VPN spoke gateways rely on NHRP to learn the IP addresses of the peer
spokes, which are needed to dynamically establish the spoke-to-spoke tunnels.

set vrouter trust-vr
    set protocol nhrp
        set protocol nhrp nhs 172.172.0.1
        set protocol nhrp cache 172.230.0.0/24
    exit
    set interface tunnel.1 protocol nhrp enable
exit

4.3.3. Configure Quality of Service for Avaya VoIP traffic
This section shows the configuration steps for QoS for Avaya VoIP traffic.

1. Define the bandwidth for the external Untrust Ethernet interface and the bandwidth
allocation for the logical tunnel interface.

The available bandwidth for the Ethernet connection between ethernet0/0 and the
simulated Internet is 10 Mbps; therefore the sample network defines the Maximum
Bandwidth (mbw) as 10000 kbps. Out of this total of 10000 kbps, 8000 kbps is
guaranteed for the tunnel interface with a maximum of 10000 kbps. The guaranteed
bandwidth of 8000 kbps will be used by all incoming and outgoing voice and data traffic
traversing any VPN tunnel.

set interface ethernet0/0 bandwidth egress mbw 10000 ingress mbw 0
set interface tunnel.1 bandwidth egress gbw 8000 mbw 8000 ingress mbw 8000

2. Enable and configure policy-based traffic shaping for voice traffic. As part of Section
4.3.1, Step 9, these policies should already be in place. This step amends the security
policies to enable the traffic shaping option for the Avaya VoIP related policies.

Although it may seem unnecessary from a security standpoint, it is absolutely essential
to have corresponding policies configured for both the Trust->VPN and VPN->Trust zone
directions with traffic shaping enabled and configured. Depending on which direction VoIP
traffic starts from, policies from either direction may be activated.

The table below shows the bandwidth allocation for the Avaya VoIP traffic used in the
sample network. This allocation is for demonstration purposes only; actual bandwidth
allocation should take into account the total number of simultaneous outbound calls as
well as the audio codec used. The allocation should be able to accommodate approximately
10 simultaneous calls using the G.711 codec.

Purpose of VoIP traffic                        Guaranteed bandwidth (gbw)   Maximum bandwidth (mbw)
Avaya VoIP registration and H.323 signaling    5 kbps                       10 kbps
Avaya VoIP Media                               1000 kbps                    1100 kbps

set policy id 11 from Trust to vpn Local-voice CLAN-1 Avaya-Sgl-up permit log traffic gbw 5 priority 2 mbw 10
set policy id 11
    set dst-address CLAN-2
exit
set policy id 12 from Trust to vpn Local-voice all-internal-net UDP-ANY permit log traffic gbw 1000 priority 2 mbw 1100
set policy id 21 from vpn to Trust CLAN-1 Local-voice Avaya-Sgl-dn permit log traffic gbw 5 priority 2 mbw 10
set policy id 21
    set src-address CLAN-2
exit
set policy id 22 from vpn to Trust all-internal-net Local-voice Avaya-RTP permit log traffic gbw 1000 priority 2 mbw 1100

The screen capture below provides a quick view of whether traffic shaping is enabled for
each policy. An icon indicates that traffic shaping is enabled for that particular
security policy. This screen can be accessed by selecting Reports -> Policies from the left panel
menu in the WebUI.
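The bandwidth table in Step 2 is sized by hand. The following is an added example, not part of these Application Notes or of Juniper or Avaya software, that computes the per-call media bandwidth for a codec and packetization interval, including the ESP tunnel-mode overhead of the 3DES/SHA-1 proposal used by the sample network, so that the gbw/mbw values of a policy can be checked against an expected call count. The RTP/UDP/IPv4 and ESP header sizes are the standard RFC values; the G.711 and G.729 20 ms codec figures are assumptions for illustration, and Ethernet framing on the physical link is not counted.

```python
"""Estimate one-way VoIP bandwidth per call through an IPsec tunnel.

Added example for sizing ScreenOS traffic-shaping gbw/mbw values; not code
from the Application Notes. ESP defaults model 3DES-CBC (8-byte block and IV)
with HMAC-SHA1-96 (12-byte ICV), matching the sample network's proposal.
"""
from dataclasses import dataclass

RTP_HDR = 12
UDP_HDR = 8
IPV4_HDR = 20
ESP_HDR = 8          # SPI (4) + sequence number (4)


@dataclass(frozen=True)
class Codec:
    name: str
    payload_bytes: int      # audio bytes carried in one RTP packet
    packets_per_sec: int


# Assumed codec settings: 20 ms packetization, 50 packets per second.
G711_20MS = Codec("G.711 20ms", 160, 50)   # 64 kbps raw audio
G729_20MS = Codec("G.729 20ms", 20, 50)    # 8 kbps raw audio


def rtp_ip_packet_len(codec: Codec) -> int:
    """Length of the cleartext IPv4 packet carrying one RTP frame."""
    return codec.payload_bytes + RTP_HDR + UDP_HDR + IPV4_HDR


def esp_tunnel_packet_len(inner_len: int, cipher_block: int = 8,
                          iv_len: int = 8, icv_len: int = 12) -> int:
    """Outer packet length after ESP tunnel-mode encapsulation.

    The encrypted region is the inner packet plus padding plus the two trailer
    bytes (pad length, next header), rounded up to the cipher block size.
    """
    to_encrypt = inner_len + 2
    padded = ((to_encrypt + cipher_block - 1) // cipher_block) * cipher_block
    return IPV4_HDR + ESP_HDR + iv_len + padded + icv_len


def per_call_kbps(codec: Codec, ipsec: bool = True) -> float:
    """Bandwidth of one media stream in one direction, in kbps (1000 bit/s).

    ScreenOS policies shape each direction separately (Trust->VPN and
    VPN->Trust), so the one-way figure is the one to compare with gbw/mbw.
    """
    length = rtp_ip_packet_len(codec)
    if ipsec:
        length = esp_tunnel_packet_len(length)
    return length * 8 * codec.packets_per_sec / 1000


def calls_within(bandwidth_kbps: int, codec: Codec, ipsec: bool = True) -> int:
    """Number of simultaneous one-way streams that fit in the given bandwidth."""
    return int(bandwidth_kbps // per_call_kbps(codec, ipsec))


if __name__ == "__main__":
    for codec in (G711_20MS, G729_20MS):
        print(f"{codec.name}: {per_call_kbps(codec, ipsec=False):.1f} kbps clear, "
              f"{per_call_kbps(codec):.1f} kbps in ESP tunnel")
    print("G.711 calls within gbw 1000 kbps:", calls_within(1000, G711_20MS))
    print("G.711 calls within mbw 1100 kbps:", calls_within(1100, G711_20MS))
```

For G.711 at 20 ms the 200-byte RTP/UDP/IP packet grows to 256 bytes inside the ESP tunnel, or 102.4 kbps per direction per call; the sample's gbw of 1000 kbps therefore guarantees 9 such streams and the mbw of 1100 kbps admits 10, in line with the "approximately 10 simultaneous calls" stated above.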

5. Configure Avaya Communication Manager

This section describes the Avaya Communication Manager configuration. All commands are
administered via the System Administration Terminal (SAT) of Avaya Communication
Manager. Although these Application Notes do not describe the configuration for Dynamic Call
Admission Control (D-CAC), it is recommended that some form of bandwidth management
control be used in Avaya Communication Manager to manage inter-office calls. For detailed
information on configuring Avaya Communication Manager, please consult references [1], [2],
and [3].

1. Use the ip-network-region form to display the UDP ports used for Avaya VoIP Media
traffic. The sample network uses the UDP port range of 2048 – 3329 for Avaya VoIP
Media traffic. Verify that Intra-region IP-IP Direct Audio is set to yes to allow for
direct media exchange between Avaya IP Telephones.
display ip-network-region 1 Page 1 of 19
IP NETWORK REGION
Region: 1
Location: Authoritative Domain: interop.com
Name:
MEDIA PARAMETERS Intra-region IP-IP Direct Audio: yes
Codec Set: 1 Inter-region IP-IP Direct Audio: yes
UDP Port Min: 2048 IP Audio Hairpinning? n
UDP Port Max: 3329

DIFFSERV/TOS PARAMETERS RTCP Reporting Enabled? y
Call Control PHB Value: 46 RTCP MONITOR SERVER PARAMETERS
Audio PHB Value: 46 Use Default Server Parameters? y
Video PHB Value: 26
802.1P/Q PARAMETERS
Call Control 802.1p Priority: 6
Audio 802.1p Priority: 6
Video 802.1p Priority: 5 AUDIO RESOURCE RESERVATION PARAMETERS
H.323 IP ENDPOINTS RSVP Enabled? n
H.323 Link Bounce Recovery? y
Idle Traffic Interval (sec): 20
Keep-Alive Interval (sec): 5
Keep-Alive Count: 5

2. Use the display station form to verify that Direct IP-IP Audio Connections is set to
y. This allows for direct media exchange between Avaya IP Telephones.
display station 11011 Page 2 of 5
STATION
FEATURE OPTIONS
LWC Reception: spe Auto Select Any Idle Appearance? n
LWC Activation? y Coverage Msg Retrieval? y
LWC Log External Calls? n Auto Answer: none
CDR Privacy? n Data Restriction? n
Redirect Notification? y Idle Appearance Preference? n
Per Button Ring Control? n Bridged Idle Line Preference? n
Bridged Call Alerting? n Restrict Last Appearance? y
Active Station Ringing: single
EMU Login Allowed? n
H.320 Conversion? n Per Station CPN - Send Calling Number?
Service Link Mode: as-needed
Multimedia Mode: enhanced Audible Message Waiting? n
MWI Served User Type: qsig-mwi Display Client Redirection? n
Select Last Used Appearance? n
Coverage After Forwarding? s

Remote Softphone Emergency Calls: as-on-local Direct IP-IP Audio Connections? y


Emergency Location Ext: 11011 Always Use? n IP Audio Hairpinning? n

6. Conclusion
These Application Notes have described the administrative steps required to configure the
Juniper Networks ScreenOS based devices for Auto Connect VPN to support an Avaya VoIP
solution.

7. Verification
1. Ping may be used to verify that the external Untrust interface of every security gateway is
reachable over the Simulated Internet or WAN network. An unreachable external
interface will prevent the static VPN tunnels from being established.

2. Verify that all VPN tunnels and VPN gateways are configured with the same phase I and
phase II security proposals for tunnel establishment. Incompatible phase I and/or phase II
security proposals will prevent VPN tunnels from being established. The get ike gateway
and get vpn commands can be used to list the proposals selected for each gateway and
VPN tunnel.
nsisg1000-> get ike gateway
Id   Name            Gateway Address      Gateway ID      Mode Proposals
---- --------------- -------------------- --------------- ---- ---------
0    Home-SSG5       10.10.230.6                          Main pre-g2-3des-sha,pre-g2-aes128-sha
1    Branch-SSG20    10.10.220.6                          Main pre-g2-3des-sha,pre-g2-aes128-sha
2    ac-vpn-hub      none (profile acvpn)                 Aggr rsa-g2-3des-sha,rsa-g2-aes128-sha,dsa-g2-3des-sha,dsa-g2-aes128-sha
Total Gateways: 3 (3 including dynamic peers)

nsisg1000-> get vpn
Name            Gateway         Mode RPlay 1st Proposal         Monitor Use Cnt Interface
--------------- --------------- ---- ----- -------------------- ------- ------- ---------
To_Home         Home-SSG5       tunl No    g2-esp-3des-sha      on      0       eth1/3
To_Branch       Branch-SSG20    tunl No    g2-esp-3des-sha      on      0       eth1/3
ac-vpn          ac-vpn-hub      tunl Yes   g2-esp-3des-sha      off     0       null
Total Auto VPN: 3

Similar output can also be obtained via the WebUI by selecting VPNs -> AutoKey
Advanced -> Gateway and VPNs -> AutoKey IKE from the left panel menu of the
WebUI.

3. Use the get sa active command to verify whether the VPN tunnel is active.

The following output, from the ISG 1000, shows 2 active VPN tunnels.
nsisg1000-> get sa active
Total active sa: 2
total configured sa: 2
HEX ID    Gateway      Port Algorithm     SPI      Life:sec kb    Sta PID vsys
00000002< 10.10.230.6  500  esp:3des/sha1 31e96159 2048     unlim A/U -1  0
00000002> 10.10.230.6  500  esp:3des/sha1 b7be3c94 2048     unlim A/U -1  0
00000001< 10.10.220.6  500  esp:3des/sha1 31e96158 2036     unlim A/U -1  0
00000001> 10.10.220.6  500  esp:3des/sha1 c96fd8ec 2036     unlim A/U -1  0

The following output, from the Branch’s SSG 20, shows 1 active VPN tunnel to the
HQ’s ISG 1000 before the dynamic tunnel is established.

ssg20-wlan-> get sa active
Total active sa: 1
total configured sa: 2
HEX ID    Gateway      Port Algorithm     SPI      Life:sec kb    Sta PID vsys
00000003< 10.10.210.5  500  esp:3des/sha1 c96fd948 1543     unlim A/U -1  0
00000003> 10.10.210.5  500  esp:3des/sha1 425c5093 1543     unlim A/U -1  0

The following output, from the Branch’s SSG 20, shows 2 active VPN tunnels: one
to the HQ’s ISG 1000 and the other to the Home’s SSG 5, which was dynamically
provisioned.
ssg20-wlan-> get sa active
Total active sa: 2
total configured sa: 3
HEX ID    Gateway      Port Algorithm     SPI      Life:sec kb    Sta PID vsys
00000003< 10.10.210.5  500  esp:3des/sha1 c96fd948 1499     unlim A/U -1  0
00000003> 10.10.210.5  500  esp:3des/sha1 425c5093 1499     unlim A/U -1  0
00008006< 10.10.230.6  500  esp:3des/sha1 c96fd94a 3572     unlim A/- -1  0
00008006> 10.10.230.6  500  esp:3des/sha1 b7be3cf4 3572     unlim A/- -1  0

4. Use the get vrouter trust-vr protocol nhrp command to verify whether NHRP is
running and configured properly on every ScreenOS device configured with AC-VPN.

The following output, from the ISG 1000, shows that NHRP is enabled and
running on the tunnel.1 interface.

nsisg1000-> get vrouter trust-vr protocol nhrp
NHRP instance at Vroute(trust-vr):
-------------------------------------------------------------------------------
NHRP Server : 0.0.0.0
holdtime : 300
resolution-request retry : 3
retry interval : 6 sec
total NHRP cache entry : 4
static NHRP entry : 0
pending resolution-request : 0
NHRP enabled interface : 1
ACVPN profile in use : ac-vpn
-------------------------------------------------------------------------------
interface Enabled Req-ID
-------------------------------------------------------------------------------
tunnel.1 Yes 0

The following output, from the SSG 20, shows the IP address of the NHRP Server,
which is the IP address of the ISG 1000’s tunnel.1 interface. The output also shows that
NHRP is enabled and running on the tunnel.1 interface.

ssg20-wlan-> get vrouter trust-vr protocol nhrp
NHRP instance at Vroute(trust-vr):
-------------------------------------------------------------------------------
NHRP Server : 172.172.0.1
holdtime : 300
resolution-request retry : 3
retry interval : 6 sec
total NHRP cache entry : 1
static NHRP entry : 1
pending resolution-request : 0
NHRP enabled interface : 1
ACVPN profile in use : none
-------------------------------------------------------------------------------
interface Enabled Req-ID
-------------------------------------------------------------------------------
tunnel.1 Yes 3512

5. Use the get vrouter trust-vr protocol nhrp peer command to verify any established
NHRP peers.

The following output, from the ISG 1000, shows two NHRP peers, Branch and
Home, along with their respective IP addresses.

nsisg1000-> get vrouter trust-vr protocol nhrp peer
-------------------------------------------------------------------------------
Registered peers (Total 2):
-------------------------------------------------------------------------------
Peer src prot Self-cert-hash ID type ID
--------------- ---------------------------------------------- ------- --------
172.172.0.2 <2793dafe cc9c6d8d a150c064 8b3001cd ad5d154e> 2 Branch
172.172.0.3 <d8cd73c7 a822f290 2206f92e 21cf33ae 55b08926> 2 Home

The following are two outputs from the SSG 20. The first output shows no NHRP peer
when the AC-VPN tunnel is inactive. The second output shows a newly discovered
NHRP peer with an IP address of 172.172.0.3 and an ID of Home, which is the SSG 5 in
the sample network, after the AC-VPN tunnel has been established.

ssg20-wlan-> get vrouter trust-vr protocol nhrp peer
-------------------------------------------------------------------------------
Learned peers (Total = 1):
-------------------------------------------------------------------------------
Peer nhop prot Self-cert-hash ID type ID
--------------- ---------------------------------------------- ------- --------
172.172.0.3

ssg20-wlan-> get vrouter trust-vr protocol nhrp peer
-------------------------------------------------------------------------------
Learned peers (Total = 1):
-------------------------------------------------------------------------------
Peer nhop prot Self-cert-hash ID type ID
--------------- ---------------------------------------------- ------- --------
172.172.0.3 <d8cd73c7 a822f290 2206f92e 21cf33ae 55b08926> 2 Home

6. Use the get vrouter trust-vr protocol nhrp cache command to verify whether the
appropriate IP sub-networks are being advertised by the NHRP peers.

The following output, from the ISG 1000, shows the 2 hosts and 2 IP sub-networks
it has learned from its NHRP peers, along with the IP addresses used to reach these hosts
and sub-networks.
nsisg1000-> get vrouter trust-vr protocol nhrp cache
-------------------------------------------------------------------------------
flags: R-registered, C-cached, L-replied, P-pushed, S-static, I-imported,
F-in FIB, D-being deleted.

-------------------------------------------------------------------------------
Prefix nhop-public-IP nhop-private-IP Pref Flags Expire(in sec)
-------------------------------------------------------------------------------
172.172.0.2/32 10.10.220.6 172.172.0.2 128 C 284
172.172.0.3/32 10.10.230.6 172.172.0.3 128 C 282
172.220.0.0/24 10.10.220.6 172.172.0.2 128 RF 284
172.230.0.0/24 10.10.230.6 172.172.0.3 128 RF 282

The following are two outputs from the SSG 20. The first output shows the IP network that
is being advertised to the other NHRP peers. The second output shows the IP sub-network
172.230.0.0/24 that the SSG 20 learned through NHRP after an AC-VPN tunnel was
established. In this sample output the AC-VPN tunnel is established between the Branch
and Home locations.

ssg20-wlan-> get vrouter trust-vr protocol nhrp cache
-------------------------------------------------------------------------------
flags: R-registered, C-cached, L-replied, P-pushed, S-static, I-imported,
F-in FIB, D-being deleted.

-------------------------------------------------------------------------------
Prefix nhop-public-IP nhop-private-IP Pref Flags Expire(in sec)
-------------------------------------------------------------------------------
172.220.0.0/24 0.0.0.0 0.0.0.0 128 S 300

ssg20-wlan-> get vrouter trust-vr protocol nhrp cache
-------------------------------------------------------------------------------
flags: R-registered, C-cached, L-replied, P-pushed, S-static, I-imported,
F-in FIB, D-being deleted.

-------------------------------------------------------------------------------
Prefix nhop-public-IP nhop-private-IP Pref Flags Expire(in sec)
-------------------------------------------------------------------------------
172.220.0.0/24 0.0.0.0 0.0.0.0 128 S 300
172.230.0.0/24 10.10.230.6 172.172.0.3 0 PF 251

7. Use the get route command to verify that NHRP routing is working as expected.

The following is an abbreviated output from the SSG 20 when the AC-VPN tunnel is
inactive. Notice that there is only one RIP-advertised route to each of the IP sub-networks
of the Home location.
ssg20-wlan-> get route

ID IP-Prefix Interface Gateway P Pref Mtr Vsys
* 11 0.0.0.0/0 eth0/0 10.10.220.1 SP 100 1 Root
* 10 172.172.0.2/32 tun.1 0.0.0.0 H 0 0 Root
* 1 10.10.220.0/24 eth0/0 0.0.0.0 C 0 0 Root
* 4 172.16.254.111/32 eth0/1 0.0.0.0 H 0 0 Root
* 50 172.28.11.0/24 tun.1 172.172.0.1 R 100 11 Root
* 49 172.28.10.0/24 tun.1 172.172.0.1 R 100 11 Root
* 8 172.220.0.1/32 bgroup0 0.0.0.0 H 0 0 Root
* 5 172.221.0.0/24 eth0/4 0.0.0.0 C 0 0 Root
* 7 172.220.0.0/24 bgroup0 0.0.0.0 C 0 0 Root
* 40 172.231.0.0/24 tun.1 172.172.0.1 R 100 12 Root
* 39 172.230.0.0/24 tun.1 172.172.0.1 R 100 12 Root
* 3 172.16.254.0/24 eth0/1 0.0.0.0 C 0 0 Root
* 2 10.10.220.6/32 eth0/0 0.0.0.0 H 0 0 Root
* 9 172.172.0.0/24 tun.1 0.0.0.0 C 0 0 Root

The following is an abbreviated output from the SSG 20 after the AC-VPN tunnel has
been established. Notice that in addition to the RIP-advertised routes for the Home location’s
IP sub-networks, there is an additional NHRP route to the Home’s voice IP sub-network.
This new NHRP route points to the Home’s SSG 5 tunnel interface IP address as the
gateway instead of the ISG 1000’s. Because this NHRP route has a lower Preference
value (35 versus 100 for the RIP route), traffic destined for the Home’s voice IP sub-network
will be routed directly to the Home’s SSG 5 gateway over the AC-VPN tunnel.

ssg20-wlan-> get route

-------------------------------------------------------------------------------
ID IP-Prefix Interface Gateway P Pref Mtr Vsys
-------------------------------------------------------------------------------
* 11 0.0.0.0/0 eth0/0 10.10.220.1 SP 100 1 Root
* 10 172.172.0.2/32 tun.1 0.0.0.0 H 0 0 Root
* 1 10.10.220.0/24 eth0/0 0.0.0.0 C 0 0 Root
* 4 172.16.254.111/32 eth0/1 0.0.0.0 H 0 0 Root
* 50 172.28.11.0/24 tun.1 172.172.0.1 R 100 11 Root
* 49 172.28.10.0/24 tun.1 172.172.0.1 R 100 11 Root
* 6 172.221.0.1/32 eth0/4 0.0.0.0 H 0 0 Root
* 8 172.220.0.1/32 bgroup0 0.0.0.0 H 0 0 Root
* 5 172.221.0.0/24 eth0/4 0.0.0.0 C 0 0 Root
* 7 172.220.0.0/24 bgroup0 0.0.0.0 C 0 0 Root
* 40 172.231.0.0/24 tun.1 172.172.0.1 R 100 12 Root
* 52 172.230.0.0/24 tun.1 172.172.0.3 N 35 0 Root
39 172.230.0.0/24 tun.1 172.172.0.1 R 100 12 Root
* 3 172.16.254.0/24 eth0/1 0.0.0.0 C 0 0 Root
* 42 172.28.240.0/24 tun.1 172.172.0.1 R 100 11 Root
* 2 10.10.220.6/32 eth0/0 0.0.0.0 H 0 0 Root
* 9 172.172.0.0/24 tun.1 0.0.0.0 C 0 0 Root
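Reading the two route tables by eye works for one spoke, but the same check can be scripted. The following added example, not code from the Application Notes or from Juniper, parses the text of ScreenOS get route output, reports which prefixes are currently reached through an NHRP-learned shortcut (protocol N) rather than the RIP route through the hub, and pairs each shortcut with the RIP route it displaced. The embedded sample is constructed from the post-establishment SSG 20 output shown above.

```python
"""Detect NHRP shortcut routes in ScreenOS "get route" output.

Added example for this Application Note; not Juniper code. ScreenOS installs
the route with the lowest Preference value for a prefix, so an NHRP route
(Pref 35 in the sample) displaces the RIP route through the hub (Pref 100).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed from the SSG 20 "get route" output after the AC-VPN tunnel came up.
SAMPLE_GET_ROUTE = """\
ID IP-Prefix Interface Gateway P Pref Mtr Vsys
-------------------------------------------------------------------------------
* 11 0.0.0.0/0 eth0/0 10.10.220.1 SP 100 1 Root
* 10 172.172.0.2/32 tun.1 0.0.0.0 H 0 0 Root
* 40 172.231.0.0/24 tun.1 172.172.0.1 R 100 12 Root
* 52 172.230.0.0/24 tun.1 172.172.0.3 N 35 0 Root
39 172.230.0.0/24 tun.1 172.172.0.1 R 100 12 Root
* 7 172.220.0.0/24 bgroup0 0.0.0.0 C 0 0 Root
* 9 172.172.0.0/24 tun.1 0.0.0.0 C 0 0 Root
"""


@dataclass(frozen=True)
class Route:
    active: bool        # '*' in the first column: the route installed for forwarding
    rid: int
    prefix: str
    interface: str
    gateway: str
    protocol: str       # C connected, H host, S static, R RIP, N NHRP (P suffix = permanent)
    preference: int
    metric: int


def parse_get_route(text: str) -> List[Route]:
    """Parse the whitespace-separated route lines, skipping header and ruler lines."""
    routes: List[Route] = []
    for line in text.splitlines():
        fields = line.split()
        active = bool(fields) and fields[0] == "*"
        if active:
            fields = fields[1:]
        if len(fields) < 8 or not fields[0].isdigit():
            continue
        rid, prefix, iface, gw, proto, pref, mtr = fields[:7]
        routes.append(Route(active, int(rid), prefix, iface, gw, proto, int(pref), int(mtr)))
    return routes


def active_next_hop(routes: List[Route], prefix: str) -> Optional[str]:
    """Gateway of the installed route for an exact prefix, or None."""
    for r in routes:
        if r.active and r.prefix == prefix:
            return r.gateway
    return None


def nhrp_shortcuts(routes: List[Route]) -> Dict[str, Tuple[Route, Optional[Route]]]:
    """Prefixes whose installed route is NHRP-learned, with the displaced RIP route."""
    by_prefix: Dict[str, List[Route]] = {}
    for r in routes:
        by_prefix.setdefault(r.prefix, []).append(r)
    result: Dict[str, Tuple[Route, Optional[Route]]] = {}
    for prefix, entries in by_prefix.items():
        installed = next((r for r in entries if r.active), None)
        if installed is None or installed.protocol != "N":
            continue
        displaced = next((r for r in entries if r.protocol == "R" and not r.active), None)
        result[prefix] = (installed, displaced)
    return result


if __name__ == "__main__":
    table = parse_get_route(SAMPLE_GET_ROUTE)
    for prefix, (nhrp, rip) in nhrp_shortcuts(table).items():
        via_hub = rip.gateway if rip else "n/a"
        print(f"{prefix}: spoke-to-spoke via {nhrp.gateway} (pref {nhrp.preference}), "
              f"hub path via {via_hub} held in reserve")
```

Run against the pre-establishment table, the function returns an empty dictionary, because every Home prefix is still installed from RIP via 172.172.0.1; after the AC-VPN tunnel comes up only 172.230.0.0/24 (the Home voice sub-network) appears, while the data sub-network 172.231.0.0/24 continues through the hub, exactly as the narrative above describes.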

8. Use the get session command to verify that Avaya VoIP traffic is using the
appropriate policies.

The following is an abbreviated output from the SSG 20 showing that policies 12, 21 and 22,
which are enabled and configured with traffic shaping, are being used by Avaya VoIP
traffic.

ssg20-wlan-> get session
alloc 14/max 8064, alloc failed 0, mcast alloc 0, di alloc failed 0
total reserved 0, free sessions in shared pool 8050
id 8047/s**,vsys 0,flag 00000040/0000/0001,policy 22,time 5, dip 0 module 0
 if 20(nspflag 2801):172.28.10.8/2633->172.220.0.111/3259,17,000000000000,sess token 16,vlan 0,tun 40000003,vsd 0,route 49
 if 9(nspflag 800800):172.28.10.8/2633<-172.220.0.111/3259,17,00040de9794e,sess token 3,vlan 0,tun 0,vsd 0,route 7
id 8048/s**,vsys 0,flag 00000040/0000/0001,policy 21,time 179, dip 0 module 0
 if 20(nspflag 3801):172.28.10.7/61441->172.220.0.111/1720,6,000000000000,sess token 16,vlan 0,tun 40000003,vsd 0,route 49,wsf 0
 if 9(nspflag 801800):172.28.10.7/61441<-172.220.0.111/1720,6,00040de9794e,sess token 3,vlan 0,tun 0,vsd 0,route 7,wsf 0
id 8050/s**,vsys 0,flag 00000040/0000/0001,policy 22,time 5, dip 0 module 0
 if 20(nspflag 2801):172.28.10.8/2632->172.220.0.111/3258,17,000000000000,sess token 16,vlan 0,tun 40000003,vsd 0,route 49
 if 9(nspflag 800800):172.28.10.8/2632<-172.220.0.111/3258,17,00040de9794e,sess token 3,vlan 0,tun 0,vsd 0,route 7
id 8051/s**,vsys 0,flag 00000040/0000/0001,policy 12,time 6, dip 0 module 0
 if 9(nspflag 800801):172.220.0.111/3259->172.230.0.112/3059,17,00040de9794e,sess token 3,vlan 0,tun 0,vsd 0,route 7
 if 20(nspflag 2800):172.220.0.111/3259<-172.230.0.112/3059,17,000000000000,sess token 16,vlan 0,tun 40008008,vsd 0,route 55
id 8053/s**,vsys 0,flag 00000040/0080/0021,policy 320002,time 6, dip 0 module 0
 if 0(nspflag 800601):10.10.230.6/500->10.10.220.6/500,17,000496265f34,sess token 4,vlan 0,tun 0,vsd 0,route 11
 if 3(nspflag 2002010):10.10.230.6/500<-10.10.220.6/500,17,000000000000,sess token 5,vlan0,tun 0,vsd 0,route 0
id 8060/s**,vsys 0,flag 00000040/0080/0021,policy 320002,time 180, dip 0 module 0
 if 3(nspflag 2002011):172.172.0.2/1->172.172.0.1/1,54,000000000000,sess token 5,vlan 0,tun 0,vsd 0,route 0
 if 20(nspflag 2600):172.172.0.2/1<-172.172.0.1/1,54,000000000000,sess token 16,vlan 0,tun 40000003,vsd 0,route 9
id 8061/s**,vsys 0,flag 00000040/0000/0001,policy 22,time 6, dip 0 module 0
 if 20(nspflag 2801):172.230.0.112/3058->172.220.0.111/3258,17,000000000000,sess token 16,vlan 0,tun 40008008,vsd 0,route 55
 if 9(nspflag 800800):172.230.0.112/3058<-172.220.0.111/3258,17,00040de9794e,sess token 3,vlan 0,tun 0,vsd 0,route 7
Total 8 sessions shown
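Confirming by hand that every VoIP session landed on a shaped policy is error-prone once there are more than a handful of calls. The following added example, not code from the Application Notes or from Juniper, parses the text of ScreenOS get session output, classifies each session as media, signaling or other, and lists any VoIP session that matched a policy without traffic shaping. The RTP range 2048 to 3329 is taken from the ip-network-region form in Section 5, TCP port 1720 is the H.323 signaling port visible in the sessions above, and the shaped policy ids are those from Section 4.3.3 Step 2; the embedded sample is constructed from the SSG 20 output shown above.

```python
"""Map ScreenOS "get session" entries to policies and flag unshaped VoIP flows.

Added example for this Application Note; not Juniper or Avaya code. Only the
forward ('->') wing of each session is recorded; the reverse wing repeats the
same addresses and ports.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

RTP_PORT_MIN, RTP_PORT_MAX = 2048, 3329   # UDP Port Min/Max from ip-network-region 1
H323_SIGNALING_PORT = 1720
SHAPED_POLICIES = {11, 12, 21, 22}        # policies given traffic gbw/mbw in Section 4.3.3
UDP, TCP = 17, 6

_ID_RE = re.compile(r"^id (\d+)/\S+,.*?policy (\d+),")
_FLOW_RE = re.compile(
    r"^\s*if \d+\(nspflag \w+\):(\d+\.\d+\.\d+\.\d+)/(\d+)->(\d+\.\d+\.\d+\.\d+)/(\d+),(\d+),")

# Constructed from the SSG 20 "get session" output during an active call.
SAMPLE_GET_SESSION = """\
alloc 14/max 8064, alloc failed 0, mcast alloc 0, di alloc failed 0
id 8047/s**,vsys 0,flag 00000040/0000/0001,policy 22,time 5, dip 0 module 0
 if 20(nspflag 2801):172.28.10.8/2633->172.220.0.111/3259,17,000000000000,sess token 16,vlan 0,tun 40000003,vsd 0,route 49
 if 9(nspflag 800800):172.28.10.8/2633<-172.220.0.111/3259,17,00040de9794e,sess token 3,vlan 0,tun 0,vsd 0,route 7
id 8048/s**,vsys 0,flag 00000040/0000/0001,policy 21,time 179, dip 0 module 0
 if 20(nspflag 3801):172.28.10.7/61441->172.220.0.111/1720,6,000000000000,sess token 16,vlan 0,tun 40000003,vsd 0,route 49,wsf 0
 if 9(nspflag 801800):172.28.10.7/61441<-172.220.0.111/1720,6,00040de9794e,sess token 3,vlan 0,tun 0,vsd 0,route 7,wsf 0
id 8051/s**,vsys 0,flag 00000040/0000/0001,policy 12,time 6, dip 0 module 0
 if 9(nspflag 800801):172.220.0.111/3259->172.230.0.112/3059,17,00040de9794e,sess token 3,vlan 0,tun 0,vsd 0,route 7
 if 20(nspflag 2800):172.220.0.111/3259<-172.230.0.112/3059,17,000000000000,sess token 16,vlan 0,tun 40008008,vsd 0,route 55
id 8053/s**,vsys 0,flag 00000040/0080/0021,policy 320002,time 6, dip 0 module 0
 if 0(nspflag 800601):10.10.230.6/500->10.10.220.6/500,17,000496265f34,sess token 4,vlan 0,tun 0,vsd 0,route 11
 if 3(nspflag 2002010):10.10.230.6/500<-10.10.220.6/500,17,000000000000,sess token 5,vlan 0,tun 0,vsd 0,route 0
Total 4 sessions shown
"""


@dataclass(frozen=True)
class Session:
    sid: int
    policy: int
    src: str
    sport: int
    dst: str
    dport: int
    proto: int


def parse_sessions(text: str) -> List[Session]:
    """Pair each 'id ...' line with the forward flow line that follows it."""
    sessions: List[Session] = []
    current: Optional[Tuple[int, int]] = None
    for line in text.splitlines():
        m = _ID_RE.match(line)
        if m:
            current = (int(m.group(1)), int(m.group(2)))
            continue
        m = _FLOW_RE.match(line)
        if m and current is not None:
            sid, policy = current
            src, sport, dst, dport, proto = m.groups()
            sessions.append(Session(sid, policy, src, int(sport), dst, int(dport), int(proto)))
            current = None
    return sessions


def classify(s: Session) -> str:
    """'media' for UDP in the RTP range, 'signaling' for TCP/1720, else 'other'."""
    if s.proto == UDP and any(RTP_PORT_MIN <= p <= RTP_PORT_MAX for p in (s.sport, s.dport)):
        return "media"
    if s.proto == TCP and H323_SIGNALING_PORT in (s.sport, s.dport):
        return "signaling"
    return "other"


def unshaped_voip(sessions: Iterable[Session]) -> List[Session]:
    """VoIP sessions that hit a policy without traffic shaping (a misconfiguration sign)."""
    return [s for s in sessions if classify(s) != "other" and s.policy not in SHAPED_POLICIES]


if __name__ == "__main__":
    found = parse_sessions(SAMPLE_GET_SESSION)
    for s in found:
        print(f"session {s.sid}: policy {s.policy:>6} {classify(s):9} "
              f"{s.src}:{s.sport} -> {s.dst}:{s.dport} proto {s.proto}")
    print("unshaped VoIP sessions:", [s.sid for s in unshaped_voip(found)])
```

In the sample the IKE exchange on UDP/500 (policy 320002, an internal VPN policy) is correctly reported as other, while the three call sessions are all on shaped policies; a media session matching, say, the catch-all data policy 13 would be returned by unshaped_voip and points at a policy-order or service-object problem in Section 4.3.1 Step 9.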

9. Use the get policy id <policy #> command to display configuration and usage
information.

The following output, from the SSG 20, is for policy 22 during an active Avaya VoIP call.
The output shows the policy, bandwidth utilization (inside and outside the tunnel), and
guaranteed/maximum bandwidth settings along with other statistics.

ssg20-wlan-> get policy id 22
name:none (id 22), zone VPN -> Trust,action Permit, status enabled
src all-internal-net, dst Local-voice, serv Avaya-RTP
Rules on this VPN policy: 0
nat off, Web filtering : disabled
vpn unknown vpn, policy flag 00010000, session backup: on, idle reset: on
traffic shaping on, scheduler n/a, serv flag 00
log close, log count 39, alert no, counter no(0) byte rate(sec/min) 0/0
total octets 16982516, counter(session/packet/octet) 0/0/0
priority 2, diffserv marking Off
tadapter: state on, gbw/mbw 1000/1100 policing (no)
----------------------------------------------------------------------------
tmng (27): interface tunnel.1 state on priority 2
bw usage [for last one second]: 107 kbps
pak queue(cur/max): 0/15
pak received: 30370
pak dropped(out/shared): 0/0
PreShapingBytes (dropped/total): 0/8192628
diffserv-marking: 0x0
elapsed time: 351809253 ms
gbw/mbw: 1000/1100 (kbps)
gbw_q/mbw_q: 125/137
shared_tmng: 20
PostShapingBytes(total/borrowed):8192628/0
tokens (regular/borrowd): 0/8192628
token bucket (gbl/mbl): 125000/140625
tokens(gua/max): 124980/140625
----------------------------------------------------------------------------
tmng (28): interface bgroup0 state on priority 2
bw usage [for last one second]: 86 kbps
pak queue(cur/max): 0/15
pak received: 49084
pak dropped(out/shared): 0/0
PreShapingBytes (dropped/total): 0/10489948
diffserv-marking: 0x0
elapsed time: 351809374 ms
gbw/mbw: 1000/1100 (kbps)
gbw_q/mbw_q: 125/137
shared_tmng: 16
PostShapingBytes(total/borrowed):10489948/0
tokens (regular/borrowd): 0/10489948
token bucket (gbl/mbl): 125000/140625
tokens(gua/max): 125000/140625
No Authentication
No User, User Group or Group expression set

8. Additional References
Product documentation for Avaya products may be found at http://support.avaya.com

[1] Administrator Guide for Avaya Communication Manager, Doc # 03-300509, Issue 3.1, February 2007
[2] Avaya Communication Manager Advanced Administration Quick Reference, Doc # 03-300364, Issue 3, February 2007
[3] Administration for Network Connectivity for Avaya Communication Manager, Doc # 555-233-504, Issue 12, February 2007

Product documentation for Juniper Networks products may be found at http://www.Juniper.net

[4] Concepts & Examples ScreenOS Reference Guide, Volume 1: Overview, Release 6.1.0 Rev. 01, Part Number 530-022543-01, Revision 01
[5] Concepts & Examples ScreenOS Reference Guide, Volume 2: Fundamentals, Release 6.1.0 Rev. 01, Part Number 530-022530-01, Revision 01
[6] Concepts & Examples ScreenOS Reference Guide, Volume 3: Administration, Release 6.1.0 Rev. 01, Part Number 530-022531-01, Revision 01
[7] Concepts & Examples ScreenOS Reference Guide, Volume 5: Virtual Private Networks, Release 6.1.0 Rev. 01, Part Number 530-022533-01, Revision 01

©2008 Avaya Inc. All Rights Reserved.
Avaya and the Avaya Logo are trademarks of Avaya Inc. All trademarks identified by ® and ™
are registered trademarks or trademarks, respectively, of Avaya Inc. All other trademarks are the
property of their respective owners. The information provided in these Application Notes is
subject to change without notice. The configurations, technical data, and recommendations
provided in these Application Notes are believed to be accurate and dependable, but are
presented without express or implied warranty. Users are responsible for their application of any
products specified in these Application Notes.

Please e-mail any questions or comments pertaining to these Application Notes along with the
full title name and filename, located in the lower right corner, directly to the Avaya Solution &
Interoperability Test Lab at interoplabnotes@list.avaya.com
