Abstract
These Application Notes provide a sample configuration for an IPSec Virtual Private
Network (VPN) between an Avaya G450 Media Gateway and a Cisco PIX 515 Firewall, over
a Frame Relay Wide Area Network (WAN). The Avaya G450 Media Gateway is controlled by
an Avaya S8500 Server. The sample configuration uses the Internet Key Exchange (IKE)
protocol to establish a secure Internet Security Association and Key Management Protocol
(ISAKMP) control channel between the Avaya G450 Media Gateway and the Cisco PIX 515.
Advanced Encryption Standard (AES) and Perfect Forward Secrecy (PFS) are also
provisioned.
Note – These Application Notes describe the provisioning of the sample configuration as it applies to
configuring an IPSec VPN tunnel between the Avaya G450 Media Gateway and the Cisco PIX 515
Firewall. Provisioning of the sample configuration infrastructure is not covered.
ISAKMP defines procedures and packet formats to establish, negotiate, modify and delete Security
Associations (SA). SAs contain all the information required for execution of various network security
services. ISAKMP defines payloads for exchanging key generation and authentication data. These
formats provide a consistent framework for transferring key and authentication data which is
independent of the key generation technique, encryption algorithm and authentication mechanism.
There may be many different key exchange protocols, each with different security properties.
However, a common framework is required for agreeing to the format of SA attributes, and for
negotiating, modifying, and deleting SAs. ISAKMP serves as this common framework.
The following ISAKMP security attributes are administered on both peers in the sample
configuration (see Sections 3.6 and 6.3).
Once an ISAKMP SA is established, both peers can negotiate IPSec security attributes necessary to
establish IPSec SAs. The IKE protocol does this in a second proposal exchange known as Phase 2 (or
Quick Mode).
IP Encapsulating Security Payload (ESP) protocol is used to secure traffic in the sample
configuration because of the added confidentiality protection provided. The sample configuration
uses the Advanced Encryption Standard with 128-bit key (AES-128) to protect communications
between the Branch office and Main office.
Perfect Forward Secrecy (PFS) was also enabled on the VPN. The PFS feature provides additional
security protection by deriving new secret keys from a second Diffie-Hellman key agreement. This is
advantageous because, if one key on a given tunnel is compromised, all previous and subsequent keys
remain secure: each key is derived from a fresh exchange rather than from earlier keys.
During periods of congestion in the Wide Area Network (WAN) it is possible that IPSec packets are
queued such that they arrive at the G450 Media Gateway out of sequence. For devices that support only a
very small anti-replay window, the end result would be dropped ESP packets and the loss of all data
contained within them. To counteract this problem, the Avaya G450 Media
Gateway implements a large 1K anti-replay window in order to sustain data forwarding and avoid
potential data loss even when IPSec packets arrive severely out of sequence.
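To make the anti-replay point concrete, here is an added example (not code from the Application Notes or from Avaya) that models the ESP sliding-window check of RFC 4303 and runs a constructed, severely reordered packet stream through a 64-packet and a 1024-packet window; the window sizes and the stream are assumptions chosen for illustration.

```python
"""Added example (not from the Application Notes): a model of the ESP
anti-replay sliding window (RFC 4303, section 3.4.3) that shows why the
G450's large 1K window survives heavy reordering where a small window
drops packets. Window sizes and the reordered packet stream are constructed."""

class AntiReplayWindow:
    """Receiver state: the highest sequence number accepted plus a bitmap
    covering the `size` most recent sequence numbers."""

    def __init__(self, size):
        self.size = size
        self.highest = 0   # highest ESP sequence number accepted so far
        self.seen = 0      # bit i set => sequence (highest - i) was received

    def accept(self, seq):
        """True if `seq` is new and inside the window; False means the ESP
        packet is dropped as a replay or as too old to be checked."""
        if seq == 0:
            return False   # sequence number 0 is never sent
        if seq > self.highest:
            shift = seq - self.highest
            # Slide the window forward; bits shifted out fall off the right edge.
            self.seen = ((self.seen << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False   # older than the window: cannot be checked, drop
        if self.seen & (1 << offset):
            return False   # already received: replay
        self.seen |= 1 << offset
        return True

def reordered_stream(count, burst_start, burst_len, delay):
    """Constructed WAN congestion: packets burst_start .. burst_start+burst_len-1
    are held back and delivered `delay` positions late; all else is in order."""
    seqs = list(range(1, count + 1))
    held = seqs[burst_start - 1:burst_start - 1 + burst_len]
    rest = seqs[:burst_start - 1] + seqs[burst_start - 1 + burst_len:]
    at = burst_start - 1 + delay
    return rest[:at] + held + rest[at:]

def count_dropped(window_size, stream):
    """Number of packets a receiver with `window_size` would discard."""
    win = AntiReplayWindow(window_size)
    return sum(0 if win.accept(s) else 1 for s in stream)

if __name__ == "__main__":
    stream = reordered_stream(2000, burst_start=100, burst_len=10, delay=500)
    for size in (64, 1024):
        print(f"window {size:>4}: {count_dropped(size, stream)} packets dropped")
```

With the constructed stream, the 64-packet window discards the ten delayed packets as "too old" while the 1024-packet window accepts all of them, and both still reject genuine duplicates.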
2. Configure the Media Gateway Controller (MGC) list. This list specifies the IP address of the
C-LAN board located in the Avaya G650 Media Gateway at the Main office. The Avaya
G450 Media Gateway will register to this address.
a. set mgc list 50.50.50.100
b. exit
interface Vlan 2
icc-vlan
ip address 73.73.73.2 255.255.255.0
pmi
exit
Note - Rule restrictions should be based on individual network security requirements. The rules
specified below should be viewed as examples and not as a security template.
1. Configure the default route for the Avaya G450 Media Gateway. The address specified is the
IP address of the Frame Relay interface of the Cisco 3825 router in the Main office.
a. ip route 0.0.0.0 0.0.0.0 30.30.30.1
Note: A valid VPN license must be installed on the Avaya G450 to enable these features. See [1] for
more information.
Note: The ISAKMP policy attributes must be configured identically on both the Avaya G450 and the
Cisco PIX 515 Firewall (see Section 6.3).
4. Configure a crypto-map.
Crypto-maps define the peers to negotiate with IKE Phase 2 and transform-sets.
a. crypto map 1
i. description "PIX_Outside"
ii. set peer 1.1.1.2
iii. set transform-set G450P2
Specified in Step 3 above.
iv. exit
crypto map 1
description "PIX_Outside"
set peer 1.1.1.2
set transform-set G450P2
exit
Figure 8 – Avaya G450 Media Gateway Crypto-map Configuration
6. Assign a crypto-group to the Serial sub-interface defined in Section 3.4. The crypto-group
specifies the crypto-list defined in Step 5 above.
a. interface Serial 8/1:1.1 point-to-point
i. ip crypto-group 901
Defined in Step 5 above.
ii. exit
interface Serial 8/1:1.1 point-to-point
description "To_Frame_Relay_Switch"
ip access-group 301 in
ip crypto-group 901
frame-relay interface-dlci 101 ietf
ip address 30.30.30.2 255.255.255.0
exit
Figure 10 – Avaya G450 Media Gateway Crypto-group Configuration
7. Enter the command copy run start to save the configuration on the Avaya G450 Media
Gateway.
1. Configure access-lists to prevent NATing of VPN traffic by the Cisco PIX 515 Firewall.
a. access-list novpnnat permit ip 50.50.50.0 255.255.255.0 73.73.73.0 255.255.255.0
“novpnnat” is a name assigned to the access-list.
b. nat (inside) 0 access-list novpnnat
Disables NAT for access-list novpnnat.
Note – With the exception of Section 6.1, the following commands were entered using an Avaya
Communication Manager SAT session. For information on these commands see [2].
The G.729 codec is preferable over a VPN in order to conserve bandwidth. In addition, the frames
per packet value was left at 2 (the default) in this example because the G450 serial interface is optimized
for G.729 using the default 20 ms packet size. Administrators may wish to increase the frames per
packet from the default 2 to 3. Increasing the RTP payload sample size actually reduces the per-call
bandwidth slightly, because the fixed per-packet IPSec encryption overhead is spread over a larger
payload.
1. change ip-codec-set 1
a. Audio Codec 1: G.711MU
change ip-codec-set 1                                             Page 1 of 2
                               IP Codec Set
    Codec Set: 1
    Audio        Silence      Frames   Packet
    Codec        Suppression  Per Pkt  Size(ms)
 1: G.711MU          n           2       20
 2:
 3:
 4:
    Media Encryption
 1: none
 2:
 3:
Figure 21 – Avaya Communication Manager Provisioning – IP-Codec-Set 1
2. change ip-codec-set 2
a. Audio Codec 1: G.729B
change ip-codec-set 2                                             Page 1 of 2
                               IP Codec Set
    Codec Set: 2
    Audio        Silence      Frames   Packet
    Codec        Suppression  Per Pkt  Size(ms)
 1: G.729B           n           2       20
 2:
 3:
 4:
    Media Encryption
 1: none
 2:
 3:
Figure 22 – Avaya Communication Manager Provisioning – IP-Codec-Set 2
3. On page 3 of the form, the first line is pre-defined (Network Region 1 can communicate with
Network Region 1). On the second line, define the communication between Network Regions
1 and 2 by provisioning the following fields:
a. src rgn = 1
In the Network Region 1 form, Network Region 1 is always the source.
b. dst rgn = 2
Region 2 was the destination Network Region used in the sample configuration for the
Branch office.
c. codec set = 1
Let the remaining fields default.
6. On page 3 of the form, the first line is pre-defined (Network Region 2 can communicate with
Network Region 2). On the second line define the communication between Network Regions
1 and 2 by provisioning the following fields:
a. src rgn = 2
In the Network Region 2 form, Network Region 2 is always the source.
b. dst rgn = 1
Region 1 is the destination Network Region used in the sample configuration for the
Main office.
c. codec set = 2
d. Let the remaining fields self populate.
change ip-network-region 2                                        Page 3 of 19
                  Inter Network Region Connection Management
 src dst codec direct   WAN-BW-limits   Video                             Dyn
 rgn rgn set   WAN   Units   Total Norm Prio Shr Intervening-regions  CAC IGAR
 2   1   2      y   NoLimit                                                n
 2   2   1
Figure 26 – Avaya Communication Manager Provisioning – IP Network Region 2 – Page 3
As described in Section 7.3, the G.729 codec type is the most bandwidth efficient over the IPSec
VPN tunnel. Therefore the sample configuration defines calls between Network Regions 1 and 2 to
use G.729B codec, as it is supported by most Avaya IP telephone types in their default
configurations.
In order to allow G.729 call compatibility between the Avaya 96xx SIP IP telephone and the other
Avaya IP telephone types, the Avaya 96xx SIP IP telephones must be provisioned to also use the
G.729B codec. This is performed via the configuration file 46xxsettings.txt. The 46xxsettings.txt file
is available from http://support.avaya.com. The 46xxsettings.txt file must be installed on an HTTP
server that has IP connectivity to the Avaya 96xx SIP IP telephones. The 46xxsettings.txt file is
retrieved by the Avaya 96xx SIP IP telephones when they are connected for the first time, or are
reset. For information on using the 46xxsettings.txt file, and Avaya 96xx SIP IP telephone
implementation, see [4] and [5].
Note – Only the section of the 46xxsettings.txt file pertaining to G.729 codec provisioning is shown
for brevity.
##
##################### CODEC SETTINGS #####################
##
## G.729 Codec Enabled
## Determines whether G.729 codec is available on the
## phone.
## 0 for G.729(A) disabled
## 1 for G.729(A) enabled without Annex B support
## 2 for G.729(A) enabled with Annex B support
## SET ENABLE_G729 1
SET ENABLE_G729 2
##
##
Figure 28 – Enable the G.729B codec via the 46xxsettings.txt file
2. Verify that the configured IPSec transform-sets have the correct security attributes.
a. show crypto ipsec transform-set
pixfirewall# show crypto ipsec transform-set
Transform set HighAES: { esp-aes esp-sha-hmac }
will negotiate = { Tunnel, },
Figure 37 – Cisco PIX 515 Firewall – IPSec Transform Set.
1. Enable local debug output to the console from the CLI. When the isakmp lifetime timer
expires, verify ISAKMP (Phase 1) SA and IPSec (Phase 2) SAs are removed and recreated.
Alternatively, the Avaya G450 Media Gateway isakmp Phase 1 clear SA and the IPSec Phase
2 clear SA commands can be used to immediately reset the VPN state (see Sections 9.1 and
9.2).
a. debug crypto ipsec
b. debug crypto isakmp
ISAKMP: rekeying phase 1 SA, src 1.1.1.2, dst 30.30.30.2
ISAKMP (0): retransmitting phase 1 (0)...
ISAKMP (0): retransmitting phase 1 (1)...
crypto_isakmp_process_block:src:30.30.30.2, dest:1.1.1.2 spt:500 dpt:500
ISAKMP (0): processing DELETE payload. message ID = 3099254529, spi size = 4
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
VPN Peer: ISAKMP: Peer ip:30.30.30.2/500 Ref cnt decremented to:0 Total VPN Peers:1
VPN Peer: ISAKMP: Deleted peer: ip:30.30.30.2/500 Total VPN peers:0
ISADB: reaper checking SA 0xffaf44, conn_id = 0
crypto_isakmp_process_block:src:30.30.30.2, dest:1.1.1.2 spt:500 dpt:500
ISAKMP (0): processing DELETE payload. message ID = 1115737207, spi size = 16
return status is IKMP_NO_ERR_NO_TRANS
VPN Peer: IPSEC: Peer Info not found during IPSEC deletion Peer ip:30.30.30.2/500
map_free_entry: freeing entry 2
CRYPTO(epa_release_conn): released conn 2
VPN Peer: IPSEC: Peer Info not found during IPSEC deletion Peer ip:30.30.30.2/500
04/22/2008,09:46:50:ISAKMP-Informational:
Sending IKE DELETE message (ISAKMP SA):
Peers 30.30.30.2<->1.1.1.2
Icookie - 8323fecb991b7cd0, Rcookie - 73159c04f0b63f69
04/22/2008,09:47:58:ISAKMP-Warning:
Peer 1.1.1.2 is presumed dead: IKE phase 1 negotiation failure
04/22/2008,09:48:11:ISAKMP-Informational:
Begin IKE phase 1 negotiation, initiated by 1.1.1.2:
Peers 30.30.30.2<->1.1.1.2, mode main
04/22/2008,09:48:11:ISAKMP-Debug:
Sending vendor ID to 1.1.1.2 (VID length = 16):
Peers 30.30.30.2<->1.1.1.2
draft-ietf-ipsec-dpd-00.txt (0xafcad71368a1f1c96b8696fc77570100)
04/22/2008,09:48:11:ISAKMP-Debug:
Received vendor ID from 1.1.1.2 (VID length = 8):
Peers 30.30.30.2<->1.1.1.2
Unknown (0x09002689dfd6b712)
04/22/2008,09:48:11:ISAKMP-Debug:
Received vendor ID from 1.1.1.2 (VID length = 16):
Peers 30.30.30.2<->1.1.1.2
draft-ietf-ipsec-dpd-00.txt (0xafcad71368a1f1c96b8696fc77570100)
04/22/2008,09:48:11:ISAKMP-Debug:
Received vendor ID from 1.1.1.2 (VID length = 16):
Peers 30.30.30.2<->1.1.1.2
Unknown (0x12f5f28c457168a9702d9fe274cc0100)
04/22/2008,09:48:11:ISAKMP-Debug:
Received vendor ID from 1.1.1.2 (VID length = 16):
Peers 30.30.30.2<->1.1.1.2
04/22/2008,09:48:11:ISAKMP-Informational:
Finished IKE phase 1 negotiation, creating ISAKMP SA:
Peers 30.30.30.2<->1.1.1.2
Icookie - 8323fecb81ecb35d, Rcookie - 643f0ef3bd44bc4e
esp-3des, esp-sha-hmac, DH group 2, Lifetime 120 seconds
DPD enabled
04/22/2008,09:48:12:ISAKMP-Informational:
Begin IKE phase 2 negotiation, initiated by 1.1.1.2:
Peers 30.30.30.2<->1.1.1.2
04/22/2008,09:48:12:ISAKMP-Informational:
Finished IKE phase 2, creating outbound IPSEC SA:
SPI 0xfbea09c7, Peers 30.30.30.2<->1.1.1.2
Identities: 73.73.73.0/255.255.255.0->50.50.50.0/255.255.255.0
esp-aes, esp-sha-hmac, 3600 seconds, 4608000 KB, PFS #2
Tunnel mode
04/22/2008,09:48:12:ISAKMP-Informational:
Finished IKE phase 2, creating inbound IPSEC SA:
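As an added example (not from the Application Notes), the following parser handles the G450's timestamped ISAKMP log format shown above and checks that re-established Phase 2 SAs carry the cipher and PFS group the policy expects; the sample log is a constructed subset of the figure plus one invented inbound SA entry that deliberately violates policy, so the check has something to flag.

```python
"""Added example (not part of the Application Notes): parse the timestamped
ISAKMP messages the G450 logs and check re-established SAs against policy.
The log text is a constructed subset of the debug figure plus one invented
inbound SA entry whose transform deliberately disagrees with policy."""
import re

HEADER = re.compile(r"^(\d{2}/\d{2}/\d{4},\d{2}:\d{2}:\d{2}):ISAKMP-(\w+):$")

SAMPLE_LOG = """\
04/22/2008,09:47:58:ISAKMP-Warning:
Peer 1.1.1.2 is presumed dead: IKE phase 1 negotiation failure
04/22/2008,09:48:11:ISAKMP-Informational:
Finished IKE phase 1 negotiation, creating ISAKMP SA:
Peers 30.30.30.2<->1.1.1.2
esp-3des, esp-sha-hmac, DH group 2, Lifetime 120 seconds
04/22/2008,09:48:12:ISAKMP-Informational:
Finished IKE phase 2, creating outbound IPSEC SA:
SPI 0xfbea09c7, Peers 30.30.30.2<->1.1.1.2
esp-aes, esp-sha-hmac, 3600 seconds, 4608000 KB, PFS #2
04/22/2008,09:48:12:ISAKMP-Informational:
Finished IKE phase 2, creating inbound IPSEC SA:
esp-3des, esp-sha-hmac, 3600 seconds, 4608000 KB
"""  # the last SA entry is constructed: 3DES and no PFS group

def parse_isakmp_log(text):
    """Group lines into events: each header line starts a new record and
    the following non-header lines belong to it."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            events.append({"time": m.group(1), "level": m.group(2), "lines": []})
        elif events and line:
            events[-1]["lines"].append(line)
    return events

def audit_vpn_events(events, expected_esp="esp-aes", expected_pfs="PFS #2"):
    """Count SA (re)creations, collect dead-peer warnings and flag any
    Phase 2 SA whose attribute line lacks the expected cipher or PFS group."""
    report = {"dead_peers": [], "phase1_sas": 0, "phase2_sas": 0, "violations": []}
    for ev in events:
        first = ev["lines"][0] if ev["lines"] else ""
        if ev["level"] == "Warning" and "presumed dead" in first:
            report["dead_peers"].append((ev["time"], first))
        elif first.startswith("Finished IKE phase 1"):
            report["phase1_sas"] += 1
        elif first.startswith("Finished IKE phase 2"):
            report["phase2_sas"] += 1
            attrs = next((ln for ln in ev["lines"] if ln.startswith("esp-")), "")
            if expected_esp not in attrs or expected_pfs not in attrs:
                report["violations"].append((ev["time"], attrs))
    return report
```

Running `audit_vpn_events(parse_isakmp_log(SAMPLE_LOG))` reports one dead-peer warning, one Phase 1 and two Phase 2 SAs, and flags only the constructed 3DES entry.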
9.7. Verify Security Associations (SAs) on the Cisco PIX 515 Firewall
1. Verify ISAKMP SA using the show command.
a. show crypto isakmp sa
pixfirewall# show crypto isakmp sa
Total : 1
Embryonic : 0
dst src state pending created
30.30.30.2 1.1.1.2 QM_IDLE 0 1
Figure 44 – Cisco PIX 515 Firewall – ISAKMP SA.
2. Verify IPSec SAs using the show command.
a. show crypto ipsec sa detail
pixfirewall# show crypto ipsec sa detail
interface: outside
Crypto map tag: BranchVPN, local addr. 1.1.1.2
local ident (addr/mask/prot/port): (50.50.50.0/255.255.255.0/1/0)
remote ident (addr/mask/prot/port): (73.73.73.0/255.255.255.0/1/0)
current_peer: 30.30.30.2:0
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#pkts no sa (send) 0, #pkts invalid sa (rcv) 0
#pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
#pkts invalid prot (recv) 0, #pkts verify failed: 0
outbound ah sas:
outbound pcp sas:
pixfirewall#
Figure 45 – Cisco PIX 515 Firewall – IPSec SA.
C-id Local Remote State Encr Hash Aut DH TTL DPD Nat-T
---- --------------- --------------- ------- ------- ---- --- -- ----- --- -----
109 30.30.30.2 1.1.1.2 Ready 3des sha psk 2 85726 Yes No
Figure 46 – Avaya G450 Media Gateway – ISAKMP SA.
2. Verify inbound and outbound IPSec SAs using the show command.
a. show crypto ipsec sa detail
G450-001(super)# show crypto ipsec sa detail
Inbound pkts errors (global):
Invalid spi 0
Invalid interface 0
Interface: Serial 8/1:1.1
Crypto list id: 901, Local address: 30.30.30.2
Rule: 1, Crypto map: 1, "PIX_Outside"
Local address: 30.30.30.2
Remote address: 1.1.1.2
Local identity: 73.73.73.0/255.255.255.0
Remote identity: 50.50.50.0/255.255.255.0
path mtu 1500, media mtu 1500, configured min PMTU 300
Current outbound spi: 0xd9e32a9f
2. Verify the registration status of the Avaya G450 Media Gateway with the S8500 Server via
the Avaya Communication Manager SAT.
a. display media-gateway 1
display media-gateway 1
MEDIA GATEWAY
Number: 1 Registered? y
Type: g450 FW Version/HW Vintage: 27 .26 .0 /0
Name: G450_Branch MGP IP Address: 73 .73 .73 .2
Serial No: 07IS13107508 Controller IP Address: 50 .50 .50 .100
Encrypt Link? y MAC Address: 00:04:0d:ea:ab:b8
Network Region: 2
Location: 1 Site Data:
Recovery Rule: 1
Alternatively, the Administrator may choose to remove a specific ISAKMP SA from a list
of SAs based on the C-id.
b. Enter the show crypto isakmp sa command and note the “C-id” number you wish to
clear (depending on the configuration, more than one may be listed).
G450-001(super)# show crypto isakmp sa
C-id Local Remote State Encr Hash Aut DH TTL DPD Nat-T
---- --------------- --------------- ------- ------- ---- --- -- ----- --- -----
109 30.30.30.2 1.1.1.2 Ready 3des sha psk 2 85726 Yes No
Figure 51 – Output of show crypto isakmp sa command.
c. Enter clear crypto isakmp xxx, where xxx is the C-id number (109 in the example
above).
Note – The capture feature has many options to customize the data that is collected. For more
information on this command see [1].
7. Copy the captured data to an external device to be viewed via Wireshark. The file can be
copied via FTP, TFTP, SCP, or to a USB device. In the sample configuration the captured
data was copied to a USB flash drive inserted into a USB interface on the Avaya G450 Media
Gateway.
g. copy capture-file usb <name the file> usbdevice0
h. Before removing the USB device, enter safe-removal usb usbdevice0
11. Conclusion
Site-to-site IPSec Virtual Private Network (VPN) connectivity between an Avaya G450 Media
Gateway and a Cisco PIX 515 Firewall, using the Internet Key Exchange (IKE) protocol to establish
a secure Internet Security Association and Key Management Protocol (ISAKMP) control channel
between two peers, can be achieved using the guidelines demonstrated in these Application Notes.
[1] Administration for the Avaya G450 Media Gateway, 03-602055, Issue 1, January 2008
[2] Administrator Guide for Avaya Communication Manager, 03-300509, Issue 4.0, Release 5.0,
January 2008
[3] IPSec Virtual Private Network (VPN) between an Avaya G350 Media Gateway and a Cisco PIX
525 Firewall - Issue 1.0, March 2005
[4] Avaya one-X™ Deskphone Edition for 9600 Series SIP IP Telephones Administrator Guide
Release 2.0, 16-601944, Issue 2, December 2007
[5] Avaya one-X™ Deskphone Edition for 9600 Series SIP IP Telephones Installation and
Maintenance Guide Release 2.0, 16-601943, Issue 2, December 2007
[6] Cisco PIX Firewall Command Reference, Version 6.3, 78-14890-01, 2004
[7] PIX 6.x: Simple PIX−to−PIX VPN Tunnel Configuration Example, Document ID: 6211, 2007
[8] Cisco IOS Wide-Area Networking Command Reference, Release 12.3, OL-4432-01
Please e-mail any questions or comments pertaining to these Application Notes along with the
full title name and filename, located in the lower right corner, directly to the Avaya Solution &
Interoperability Test Lab at interoplabnotes@list.avaya.com