
Avaya Solution & Interoperability Test Lab

IPSec Virtual Private Network (VPN) between an Avaya G450 Media Gateway and a Cisco PIX 515 Firewall
- Issue 1.0

Abstract

These Application Notes provide a sample configuration to configure an IPSec Virtual Private
Network (VPN) between an Avaya G450 Media Gateway and a Cisco PIX 515 Firewall, over
a Frame Relay Wide Area Network (WAN). The Avaya G450 Media Gateway is controlled by
an Avaya S8500 Server. The sample configuration uses the Internet Key Exchange (IKE)
protocol to establish a secure Internet Security Association and Key Management Protocol
(ISAKMP) control channel between the Avaya G450 Media Gateway and the Cisco PIX 515.
In addition, Advanced Encryption Standard (AES) and Perfect Forward Secrecy (PFS) are also
provisioned.

JF; Reviewed: Solution & Interoperability Test Lab Application Notes 1 of 42


SPOC 9/2/2008 ©2008 Avaya Inc. All Rights Reserved. G450_PIX_VPN.doc
1. Introduction (p. 4)
2. Equipment and Software Validated (p. 7)
3. Configure the Avaya G450 Media Gateway (p. 8)
3.1. Ethernet Interface Configuration (p. 8)
3.2. WAN Interface Configuration (p. 8)
3.3. Access Control List Configuration (optional) (p. 9)
3.4. Frame Relay Sub-Interface Configuration (p. 11)
3.5. IP Routing Configuration (p. 11)
3.6. Virtual Private Network (VPN) Configuration (p. 11)
4. Configure the Cisco 3825 Router (p. 14)
4.1. Ethernet Interface Configuration (p. 14)
4.2. Serial Interface Configuration (p. 14)
4.3. Serial Sub-Interface Configuration (p. 15)
4.4. IP Routing Configuration (p. 15)
5. Configure the Cisco 2811 Router (p. 16)
5.1. Enable Frame Relay Switching (p. 16)
5.2. Serial Interface Configuration (p. 16)
6. Configure the Cisco PIX 515 Firewall (p. 17)
6.1. Inside and Outside Interface Configuration (p. 17)
6.2. IP Routing Configuration (p. 17)
6.3. Virtual Private Network (VPN) Configuration (p. 17)
7. Configure Avaya Communication Manager (p. 19)
7.1. Avaya G450 Media Gateway Serial Number (p. 19)
7.2. Add the Avaya G450 Media Gateway (p. 19)
7.3. Configure IP-Codec Sets (p. 20)
7.4. Configure IP-Network-Regions (p. 21)
7.5. Configure IP-Network-Map (p. 23)
7.6. Save Translations (p. 23)
8. Configure Avaya 96xx SIP IP Telephone Codec Type (p. 23)
8.1. Configure 46xxsettings.txt File to Enable the G.729B Codec (p. 24)
9. Verification Steps (p. 25)
9.1. Verify Cisco PIX 515 Firewall Interfaces and Routing (p. 25)
9.2. Avaya G450 Media Gateway Interfaces and Routing (p. 26)
9.3. Verify Cisco PIX 515 Firewall VPN Policies (p. 27)
9.4. Verify G450 Media Gateway VPN Policies (p. 28)
9.5. Verify IKE Negotiations using Cisco PIX 515 Firewall Debug Traces (p. 29)
9.6. Verify IKE Negotiations using G450 Gateway Syslog (p. 33)
9.7. Verify Security Associations (SAs) on the Cisco PIX 515 Firewall (p. 34)
9.8. Verify Security Associations (SAs) on the G450 Gateway (p. 36)
9.9. Verify the Avaya G450 Media Gateway Registration Status (p. 37)
9.10. Place Test Calls (p. 38)
10. VPN Troubleshooting (p. 39)
10.1. Clearing Avaya G450 Media Gateway SAs (p. 39)
10.2. Capturing IPSEC Data on the Avaya G450 Media Gateway (p. 40)
11. Conclusion (p. 40)
12. References (p. 41)

1. Introduction
These Application Notes describe a site-to-site IPSec Virtual Private Network (VPN) between an
Avaya G450 Media Gateway and a Cisco PIX 515 Firewall (Figure 1). The sample configuration
uses an IPSec VPN to secure communications between a Branch office containing Avaya IP
Telephones (SIP and H.323) and an Avaya G450 Media Gateway, and the Main office containing an
Avaya S8500C Server, Avaya G650 Media Gateway, Avaya SIP Enablement Services (SES) and
Avaya IP Telephones (SIP and H.323). The Main office uses a Cisco PIX 515 Firewall to terminate
the VPN. The Branch and Main offices are connected via a Frame Relay Wide Area Network (WAN)
utilizing T1 circuits. A Cisco 2811 router is used in the reference configuration to simulate the WAN
network and provide Frame Relay switching between the offices.

Note – These Application Notes describe the provisioning of the sample configuration as it applies to
configuring an IPSec VPN tunnel between the Avaya G450 Media Gateway and the Cisco PIX 515
Firewall. Provisioning of the sample configuration infrastructure is not covered.

Figure 1 – IPSec VPN Sample Configuration.

The sample configuration uses the Internet Key Exchange (IKE) protocol to establish a secure
Internet Security Association and Key Management Protocol (ISAKMP) control channel between
two peers; the Avaya G450 Media Gateway and the Cisco PIX 515.

ISAKMP defines procedures and packet formats to establish, negotiate, modify and delete Security
Associations (SA). SAs contain all the information required for execution of various network security
services. ISAKMP defines payloads for exchanging key generation and authentication data. These
formats provide a consistent framework for transferring key and authentication data which is
independent of the key generation technique, encryption algorithm and authentication mechanism.
There may be many different key exchange protocols, each with different security properties.
However, a common framework is required for agreeing to the format of SA attributes, and for
negotiating, modifying, and deleting SAs. ISAKMP serves as this common framework.

IKE establishes an ISAKMP SA by negotiating proposals in an exchange known as Phase 1 (Main
Mode). In order to successfully establish an ISAKMP SA, both peers must agree to a common set of
security attributes contained within the Phase 1 proposal.

1. ISAKMP Phase One (Main Mode, MM)


a. Negotiate and establish an ISAKMP SA, a secure communication channel for further
IKE communication. The two systems generate a Diffie-Hellman shared value (a
method to generate a symmetric key where two parties can exchange values and
generate the same symmetric key) that is used as the base for a symmetric shared key,
and further IKE communication is encrypted using this symmetric key.
b. Verify the remote system’s identity (primary authentication)

The following ISAKMP security attributes are administered on both peers in the sample
configuration (see Sections 3.6 and 6.3).

• ISAKMP (Phase 1) proposal:


o Encryption Algorithm: 3DES
o Hash Algorithm: SHA
o Lifetime (seconds): 86400
o Diffie-Hellman Group: 2

Once an ISAKMP SA is established, both peers can negotiate IPSec security attributes necessary to
establish IPSec SAs. The IKE protocol does this in a second proposal exchange known as Phase 2 (or
Quick Mode).

2. ISAKMP Phase Two (Quick Mode, QM)


a. Using the secure communication channel provided by the ISAKMP/MM SA, negotiate
one or more SAs for IPSec transforms (AH or ESP). A Phase Two negotiation
typically negotiates two SAs for an IPSec transform: one for inbound and one for
outbound traffic.

The following IPSec security attributes were administered on both peers in the sample configuration
(see Sections 3.6 and 6.3).

• IPSec (Phase 2) proposal:


o Encryption Algorithm: AES-ESP
o Hash Algorithm: HMAC-SHA-ESP
o Security Association Lifetime (seconds): 3600
o Perfect Forward Secrecy: Enabled
o Diffie-Hellman Group: 2

The IP Encapsulating Security Payload (ESP) protocol is used to secure traffic in the sample
configuration because of the confidentiality protection it adds. The sample configuration
uses the Advanced Encryption Standard with a 128-bit key (AES-128) to protect communications
between the Branch office and the Main office.

Perfect Forward Secrecy (PFS) was also enabled on the VPN. The PFS feature provides additional
security protection by deriving the keys of each new IPSec SA from a second Diffie-Hellman key
agreement. This is advantageous because if one key is compromised on a given tunnel, all previous
and subsequent keys remain secure, since they are no longer derived from earlier keying material.
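The following added example (not part of the Application Notes) shows what PFS changes in the Quick Mode key derivation. It follows the KEYMAT formulas of RFC 2409 section 5.5 with HMAC-SHA-1 as the prf, matching the "hash sha" attribute above; the Diffie-Hellman parameters TOY_P and TOY_G are a small constructed toy group for the demonstration, not the 1024-bit MODP "group 2" the sample configuration negotiates. The observer model (captured SPI and nonces, plus a later-compromised SKEYID_d) is an assumption made for the illustration.

```python
import hashlib
import hmac
import secrets

# Constructed toy Diffie-Hellman group for the demo only; far too small for
# real use and NOT the MODP group 2 the sample configuration uses.
TOY_P = 2 ** 127 - 1   # Mersenne prime
TOY_G = 2
PROTO_IPSEC_ESP = 3    # ISAKMP protocol identifier for ESP (RFC 2407)


def prf(key, data):
    """IKEv1 prf for "hash sha": HMAC-SHA-1."""
    return hmac.new(key, data, hashlib.sha1).digest()


def dh_keypair(p=TOY_P, g=TOY_G):
    """Return (private exponent, public value) for the toy group."""
    x = secrets.randbelow(p - 2) + 1
    return x, pow(g, x, p)


def dh_shared(priv, peer_pub, p=TOY_P):
    """Shared secret g^xy as big-endian bytes."""
    return pow(peer_pub, priv, p).to_bytes((p.bit_length() + 7) // 8, "big")


def keymat(skeyid_d, spi, ni, nr, gqm_xy=None):
    """First prf block of KEYMAT for one IPSec SA (RFC 2409 section 5.5).
    Without PFS: prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b)
    With PFS:    prf(SKEYID_d, g(qm)^xy | protocol | SPI | Ni_b | Nr_b)"""
    seed = (gqm_xy or b"") + bytes([PROTO_IPSEC_ESP]) + spi + ni + nr
    return prf(skeyid_d, seed)


def quick_mode(pfs):
    """Simulate one Phase 2 exchange plus a passive observer.
    Returns (peers_derive_same_key, observer_recovers_key)."""
    skeyid_d = secrets.token_bytes(20)   # secret derived in Phase 1
    spi = secrets.token_bytes(4)          # visible on the wire
    ni = secrets.token_bytes(16)          # visible on the wire
    nr = secrets.token_bytes(16)          # visible on the wire
    if pfs:
        xi, gi = dh_keypair()             # initiator's Quick Mode KE payload
        xr, gr = dh_keypair()             # responder's Quick Mode KE payload
        k_init = keymat(skeyid_d, spi, ni, nr, dh_shared(xi, gr))
        k_resp = keymat(skeyid_d, spi, ni, nr, dh_shared(xr, gi))
    else:
        k_init = k_resp = keymat(skeyid_d, spi, ni, nr)
    # Observer assumption: captured SPI and nonces, and later obtained SKEYID_d
    # (the Phase 1 keying material leaked). Without PFS that is enough to
    # rebuild KEYMAT; with PFS the fresh DH secret is also required.
    observer = keymat(skeyid_d, spi, ni, nr)
    return k_init == k_resp, observer == k_init


if __name__ == "__main__":
    print("no PFS :", quick_mode(False))   # peers agree, observer recovers key
    print("PFS    :", quick_mode(True))    # peers agree, observer does not
```

The same lifetime (3600 s) is negotiated either way; what PFS adds is that every rekey performs a new exchange whose secret never leaves the two peers, so the IPSec SA keys stop depending solely on the ISAKMP SA secret.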

During periods of congestion in the Wide Area Network (WAN) it is possible that IPSec packets are
queued such that they arrive at the G450 Media Gateway out of sequence. For devices that support a
very small anti-replay window, the end result would be dropped ESP packets and the loss of all data
contained within them. To counteract this problem, the Avaya G450 Media Gateway implements a
large 1K anti-replay window in order to sustain data forwarding and avoid potential data loss even
when IPSec packets arrive severely out of sequence.
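As an added example (not from the Application Notes or Avaya's implementation), the following sliding-window receiver, in the style of the anti-replay algorithm described in RFC 2401 Appendix C and RFC 4303 Appendix A, shows why a delayed ESP packet is dropped under a 64-packet window but accepted under a 1024-packet (1K) window. The arrival order is constructed: packets 1 to 1000 in sequence, except that packet 10 is held back by congestion until after packet 910, and packet 500 is delivered twice.

```python
class AntiReplayWindow:
    """Receiver-side ESP anti-replay check for 32-bit sequence numbers."""

    def __init__(self, size):
        if size < 32 or size % 8:
            raise ValueError("window size must be a multiple of 8 and >= 32")
        self.size = size
        self.top = 0              # highest sequence number accepted so far
        self.bitmap = 0           # bit i set => sequence number (top - i) was seen
        self.accepted = 0
        self.dropped_replay = 0
        self.dropped_too_old = 0

    def check_and_update(self, seq):
        """True if seq is new and inside the window; False if it is a replay
        or so old that the window can no longer vouch for it."""
        if seq == 0:              # ESP sequence numbers start at 1
            self.dropped_replay += 1
            return False
        if seq > self.top:        # advances the window
            shift = seq - self.top
            if shift < self.size:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            else:
                self.bitmap = 1   # everything previously tracked falls off the window
            self.top = seq
            self.accepted += 1
            return True
        diff = self.top - seq
        if diff >= self.size:     # older than the window tracks: must drop
            self.dropped_too_old += 1
            return False
        if (self.bitmap >> diff) & 1:
            self.dropped_replay += 1
            return False
        self.bitmap |= 1 << diff
        self.accepted += 1
        return True


def constructed_arrivals():
    """Constructed arrival order (not captured traffic): 1..1000, with packet
    10 delayed until after 910 and packet 500 replayed just before 700."""
    seqs = [s for s in range(1, 1001) if s != 10]
    seqs.insert(seqs.index(910) + 1, 10)
    seqs.insert(seqs.index(700), 500)
    return seqs


def simulate(window_size, arrivals):
    """Run the arrivals through a window; return (window, {seq: [verdicts]})."""
    win = AntiReplayWindow(window_size)
    results = {}
    for seq in arrivals:
        results.setdefault(seq, []).append(win.check_and_update(seq))
    return win, results


def delayed_packet_accepted(window_size):
    """Verdict for the congestion-delayed packet 10 under the given window."""
    _, results = simulate(window_size, constructed_arrivals())
    return results[10][0]


if __name__ == "__main__":
    for size in (64, 1024):
        win, res = simulate(size, constructed_arrivals())
        print(f"window {size:4d}: packet 10 accepted={res[10][0]} "
              f"replay of 500 accepted={res[500][1]} "
              f"too_old={win.dropped_too_old} replays={win.dropped_replay}")
```

Under either window size the replayed packet 500 is rejected, so the larger window does not weaken replay protection; it only widens the range of out-of-order arrivals the receiver can still distinguish from replays.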

2. Equipment and Software Validated
Equipment                                              Firmware           Software
Avaya S8500C Server                                    -                  Avaya Communication Manager 5.0 (R015x.00.0.825.4)
Avaya G650 Media Gateway                               HW15 FW040         -
    IPSI – TN2312BP                                    HW01 FW024
    CLAN – TN799DP                                     HW20 FW117
    MedPro – TN2302AP                                  HW02 FW018
Avaya G450 Media Gateway                               27.26.0            -
    MM340 WAN                                          -                  -
Avaya SIP Enablement Services (SES) (Edge and Home)    -                  5.0 (5.0.0.0-825.31)
Avaya 4621 SW IP Telephones (H.323)                    a20d01b3_8.bin     -
Avaya 4621 SW IP Telephone (SIP)                       s20d01b2.2.2.bin   -
Avaya 9640 IP Telephone (SIP)                          2.0.1.34(5)        -
Cisco 3825 Router                                      -                  c3825-spservicesk9-mz 12.3(11)T
Cisco 2811 Router                                      -                  c2800nm-ipvoicek9-mz.124-12.bin
Cisco PIX 515 Firewall                                 -                  6.3(5)
Wireshark IP Protocol Analyzer                         -                  V 0.99.5

3. Configure the Avaya G450 Media Gateway
The following steps use the Avaya G450 Media Gateway command line interface (CLI). Refer to [1]
for more information. Parameter values shown are specific to the sample configuration shown in
Figure 1.

3.1. Ethernet Interface Configuration


This section defines the Ethernet interface for the Avaya G450 Media Gateway and the address of
Avaya Communication Manager in the Main office, to which the gateway registers.
1. Configure an Ethernet interface for the Voice domain on the Avaya G450 Media Gateway.
a. interface vlan 2
Creates the interface Vlan2.
b. ip address 73.73.73.2 255.255.255.0
Sets the network IP address and mask for the Avaya G450 Media Gateway.
c. pmi
Sets the Primary Management Interface.
d. exit

2. Configure the Media Gateway Controller (MGC) list. This list specifies the IP address of the
C-LAN board located in the Avaya G650 Media Gateway at the Main office. The Avaya
G450 Media Gateway will register to this address.
a. set mgc list 50.50.50.100
b. exit
interface Vlan 2
icc-vlan
ip address 73.73.73.2 255.255.255.0
pmi
exit

set mgc list 50.50.50.100


set mediaserver 50.50.50.100 50.50.50.100 23 telnet
set mediaserver 50.50.50.100 50.50.50.100 5023 sat
Figure 2 – Avaya G450 Media Gateway IP Interface Configuration

3.2. WAN Interface Configuration


The following commands configure the MM340 WAN module as a T1 Frame Relay interface. In the
sample configuration, the MM340 WAN module is located in slot 8 of the Avaya G450 Media
Gateway.
1. Configure MM340 module as a T1 interface.
a. ds-mode t1
2. Configure the T1 controller.
a. controller t1 8/1
b. linecode b8zs
c. framing esf
d. channel-group 1 timeslots 1-24 speed 64
e. clock source line (default)
f. exit

3. Configure the Serial interface.
a. interface Serial 8/1:1
b. encapsulation frame-relay ietf
c. frame-relay lmi-type ansi
d. exit
ds-mode t1
!
controller t1 8/1
linecode b8zs
framing esf
channel-group 1 timeslots 1-24 speed 64
exit
!
interface Serial 8/1:1
encapsulation frame-relay ietf
frame-relay lmi-type ansi
exit
Figure 3 – Avaya G450 Media Gateway WAN Interface Configuration

3.3. Access Control List Configuration (optional)


An Access Control List (ACL) can be specified to permit trusted traffic only. The sample
configuration will work with or without the inbound ACL in place. However it is recommended that
an ACL be implemented on all public-facing interfaces in order to limit external access.

Note - Rule restrictions should be based on individual network security requirements. The rules
specified below should be viewed as examples and not as a security template.

The following ACL rules are defined in the sample configuration:


• Rule 1 - Allow ICMP messages from any source to reach the Avaya G450 Media Gateway local
address, for Path MTU Discovery (PMTUD). PMTUD is a technique for determining the
maximum transmission unit size on the network path between two IP hosts so as to avoid IP
fragmentation.
• Rule 2 - Permit IKE protocol (UDP port 500) message exchanges from the peer to the
Avaya G450 Media Gateway local address.
• Rule 3 - Permit ESP protocol traffic from the peer to the Avaya G450 Media Gateway
local address.
• Rule 4 - Permit any traffic between trusted voice networks.
• Rule Default - Deny any other traffic flows, which do not match ACL criteria.

1. Configure ACL 301


a. ip access-control-list 301
b. name "Permit VPN Traffic Only"
2. Create ACL rules
a. ip-rule 1
i. ip-protocol icmp
ii. destination-ip host 30.30.30.2
IP address of the Main office 3825 router Frame Relay interface.
iii. exit
b. ip-rule 2

i. ip-protocol udp
ii. destination-ip host 30.30.30.2
iii. udp destination-port eq Ike
iv. exit
c. ip-rule 3
i. ip-protocol esp
ii. destination-ip host 30.30.30.2
iii. exit
d. ip-rule 4
i. source-ip 50.50.50.0 0.0.0.255
Main office voice subnet.
ii. destination-ip 73.73.73.0 0.0.0.255
Branch office voice subnet.
iii. exit
e. ip-rule default
i. composite-operation "Deny"
ii. exit
f. exit
ip access-control-list 301
name "Permit VPN Traffic Only"
!
ip-rule 1
ip-protocol icmp
destination-ip host 30.30.30.2
exit
ip-rule 2
ip-protocol udp
destination-ip host 30.30.30.2
udp destination-port eq Ike
exit
ip-rule 3
ip-protocol esp
destination-ip host 30.30.30.2
exit
ip-rule 4
source-ip 50.50.50.0 0.0.0.255
destination-ip 73.73.73.0 0.0.0.255
exit
ip-rule default
composite-operation "Deny"
exit
!
exit
Figure 4 – Avaya G450 Media Gateway ACL Configuration
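The following added example (not from the Application Notes, and not the G450's own ACL engine) evaluates ACL 301 as described above against a handful of constructed packets, first match wins and the default rule denies. Rules without an explicit composite-operation are treated as permit, which is how the text above describes rules 1 to 4; the packets, including the untrusted source 192.0.2.10 (TEST-NET-1), are constructed for the check. The assumed evaluation is useful before applying the list inbound on the public-facing Frame Relay sub-interface, to confirm that only IKE, ESP, PMTUD and inter-site voice traffic get through.

```python
import ipaddress

PROTO_ICMP, PROTO_TCP, PROTO_UDP, PROTO_ESP = 1, 6, 17, 50
ANY = ipaddress.IPv4Network("0.0.0.0/0")


def wildcard_to_network(addr, wildcard):
    """'50.50.50.0 0.0.0.255' (Cisco/Avaya wildcard mask) -> 50.50.50.0/24."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    netmask = str(ipaddress.IPv4Address(mask))
    return ipaddress.IPv4Network((addr, netmask), strict=False)


def host(addr):
    return ipaddress.IPv4Network(addr + "/32")


# (rule, IP protocol or None, source net, destination net, dest port or None, action)
# Rules 1-4 carry no composite-operation, so they are treated as permit here.
ACL_301 = [
    ("ip-rule 1", PROTO_ICMP, ANY, host("30.30.30.2"), None, "permit"),
    ("ip-rule 2", PROTO_UDP, ANY, host("30.30.30.2"), 500, "permit"),   # IKE
    ("ip-rule 3", PROTO_ESP, ANY, host("30.30.30.2"), None, "permit"),
    ("ip-rule 4", None, wildcard_to_network("50.50.50.0", "0.0.0.255"),
     wildcard_to_network("73.73.73.0", "0.0.0.255"), None, "permit"),
    ("ip-rule default", None, ANY, ANY, None, "deny"),
]


def evaluate(acl, proto, src, dst, dport=None):
    """Return (matching rule name, action) for one packet; first match wins."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for name, rproto, rsrc, rdst, rport, action in acl:
        if rproto is not None and rproto != proto:
            continue
        if s not in rsrc or d not in rdst:
            continue
        if rport is not None and rport != dport:
            continue
        return name, action
    raise RuntimeError("ACL has no default rule")


def constructed_packets():
    """Constructed packets for the check (label, proto, src, dst, dport)."""
    return [
        ("PMTUD ICMP from the WAN router", PROTO_ICMP, "30.30.30.1", "30.30.30.2", None),
        ("IKE from the PIX outside address", PROTO_UDP, "1.1.1.2", "30.30.30.2", 500),
        ("ESP from the PIX outside address", PROTO_ESP, "1.1.1.2", "30.30.30.2", None),
        ("Main-to-Branch voice traffic", PROTO_UDP, "50.50.50.20", "73.73.73.30", 5060),
        ("telnet probe from an untrusted host", PROTO_TCP, "192.0.2.10", "30.30.30.2", 23),
        ("IKE aimed past the gateway", PROTO_UDP, "1.1.1.2", "73.73.73.2", 500),
    ]


def run():
    """Map each constructed packet label to its (rule, action) verdict."""
    return {label: evaluate(ACL_301, proto, src, dst, dport)
            for label, proto, src, dst, dport in constructed_packets()}


if __name__ == "__main__":
    for label, (rule, action) in run().items():
        print(f"{label:38s} -> {action:6s} ({rule})")
```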

3.4. Frame Relay Sub-Interface Configuration
The following commands configure the Serial sub-interface for the Frame Relay circuit to the Cisco
3825 router in the Main office (see Section 4.3).
1. Configure the Serial sub-interface.
a. interface Serial 8/1:1.1 point-to-point
b. description "To_2811_WAN_Router"
c. ip access-group 301 in
Value 301 is defined in Section 3.3 Step 1.
d. frame-relay interface-dlci 101 ietf
The DLCI value must match with the Cisco 3825 (see Section 4.3) as well as the
Cisco 2811 (see Section 5.2).
e. ip address 30.30.30.2 255.255.255.0
f. exit
interface Serial 8/1:1.1 point-to-point
description "To_Frame_Relay_Switch"
ip access-group 301 in
frame-relay interface-dlci 101 ietf
ip address 30.30.30.2 255.255.255.0
exit
Figure 5 – Avaya G450 Media Gateway Frame Relay Configuration

3.5. IP Routing Configuration


Routing information must be provided to reach the Main office Voice IP domain (50.50.50.0). In the
sample configuration, static routing is used.

1. Configure the default route for the Avaya G450 Media Gateway. The address specified is the
IP address of the Frame Relay interface of the Cisco 3825 router in the Main office.
a. ip route 0.0.0.0 0.0.0.0 30.30.30.1

3.6. Virtual Private Network (VPN) Configuration

Note: A valid VPN license must be installed on the Avaya G450 to enable these features. See [1] for
more information.

Note: The ISAKMP policy attributes must be configured identically on both the Avaya G450 and the
Cisco PIX 515 Firewall (see Section 6.3).

1. Configure an ISAKMP Phase 1 policy.


a. crypto isakmp policy 1
i. description “G450 Policy1”
ii. encryption 3des
iii. hash sha
iv. group 2
v. authentication pre-share
vi. lifetime 86400
86400 (seconds, 24 hours) is the default value and need not be specified.

vii. exit
2. Configure the ISAKMP peer (Cisco PIX 515).
a. crypto isakmp peer address "1.1.1.2"
i. description "PIX Outside"
ii. encrypted-pre-shared-key <enter a key string>
Once entered, the CLI will display the key string in an encrypted format.
iii. isakmp-policy 1
iv. exit
crypto isakmp policy 1
description "G450 Policy1"
encryption 3des
hash sha
group 2
authentication pre-share
exit
crypto isakmp peer address "1.1.1.2"
description "PIX Outside"
encrypted-pre-shared-key 4deP+Z58jV6kWqSMeS/SsT9sDmvbna1b8fiRxn1/Icg=
isakmp-policy 1
exit
Figure 6 – Avaya G450 Media Gateway ISAKMP Configuration

3. Configure a transform-set (IKE Phase 2).


Transform-sets define security attributes.
a. crypto ipsec transform-set G450P2 esp-aes esp-sha-hmac
G450P2 is the name of the transform-set.
i. set security-association lifetime seconds 3600
This value is in seconds. 3600 is the default value and need not be specified.
ii. set pfs group2
iii. exit
crypto ipsec transform-set G450P2 esp-aes esp-sha-hmac
set pfs group2
exit
Figure 7 – Avaya G450 Media Gateway Transform-set Configuration

4. Configure a crypto-map.
Crypto-maps define the peers to negotiate with IKE Phase 2 and transform-sets.
a. crypto map 1
i. description "PIX_Outside"
ii. set peer 1.1.1.2
iii. set transform-set G450P2
Specified in Step 3 above.
iv. exit
crypto map 1
description "PIX_Outside"
set peer 1.1.1.2
set transform-set G450P2
exit
Figure 8 – Avaya G450 Media Gateway Crypto-map Configuration

5. Configure a crypto-list.
The crypto-list contains ip-rules which select traffic flows based on source and destination IP
addressing.
a. ip crypto-list 901
i. name "Encrypted traffic"
ii. local-address 30.30.30.2
Serial sub-interface IP address of the Avaya G450 Media Gateway
iii. ip-rule 1
1. protect crypto map 1
2. source-ip 73.73.73.0 0.0.0.255
Voice IP domain in the Branch office.
3. destination-ip 50.50.50.0 0.0.0.255
Voice IP domain in the Main office.
4. exit
iv. exit
ip crypto-list 901
name "Encrypted traffic"
local-address 30.30.30.2
ip-rule 1
protect crypto map 1
source-ip 73.73.73.0 0.0.0.255
destination-ip 50.50.50.0 0.0.0.255
exit
exit
Figure 9 – Avaya G450 Media Gateway Crypto-list Configuration

6. Assign a crypto-group to the Serial sub-interface defined in Section 3.4. The crypto-group
specifies the crypto-list defined in Step 5 above.
a. interface Serial 8/1:1.1 point-to-point
i. ip crypto-group 901
Defined in Step 5 above.
ii. exit
interface Serial 8/1:1.1 point-to-point
description "To_Frame_Relay_Switch"
ip access-group 301 in
ip crypto-group 901
frame-relay interface-dlci 101 ietf
ip address 30.30.30.2 255.255.255.0
exit
Figure 10 – Avaya G450 Media Gateway Crypto-group Configuration

7. Enter the command copy run start to save the configuration on the Avaya G450 Media
Gateway.

4. Configure the Cisco 3825 Router
As described in Section 1, the 3825 router connects the Main office to the WAN and terminates the
Frame Relay connection to the Branch office. The serial interfaces are configured as DTE. The
following commands were entered via Cisco CLI from the enable/config t access prompt. See [8] for
more information.

4.1. Ethernet Interface Configuration


Configure the Ethernet interface connected to the Cisco PIX Firewall.
1. Configure the Ethernet interface.
a. interface FastEthernet 2/0
i. description To_PIX
ii. ip address 1.1.1.1 255.255.255.252
iii. duplex full
iv. speed 100
v. no shutdown
vi. exit
interface FastEthernet2/0
description To_PIX
ip address 1.1.1.1 255.255.255.252
duplex full
speed 100
Figure 11 – Cisco 3825 Router IP Interface Configuration

4.2. Serial Interface Configuration


Configure the Serial interface connected to the Cisco 2811 WAN router.
1. Configure the Serial interface.
a. interface serial 1/0/0
i. description To_WAN_2811
ii. encapsulation frame-relay IETF
iii. service-module t1 timeslots 1-24 speed 64
iv. service-module t1 framing esf
This is the default value.
v. service-module t1 linecode b8zs
This is the default value.
vi. service-module t1 clock source line
This is the default value.
vii. frame-relay lmi-type ansi
This is the default value.
viii. frame-relay intf-type dte
This is the default value.
ix. no shutdown
x. exit
interface Serial1/0/0
description To_WAN_2811
no ip address
encapsulation frame-relay IETF
service-module t1 timeslots 1-24 speed 64
frame-relay lmi-type ansi
Figure 12 – Cisco 3825 Router Serial Interface Configuration

4.3. Serial Sub-Interface Configuration
Configure the Serial sub-interface for the Frame-relay circuit to the Avaya G450 Media Gateway (see
Section 3.4).
1. Configure the Serial sub-interface.
a. interface serial 1/0/0.1 point-to-point
i. description Frame_Relay_To_G450
ii. ip address 30.30.30.1 255.255.255.0
iii. frame-relay interface-dlci 101 ietf
This DLCI value must match with the Avaya G450 Media Gateway (see
Section 3.4) as well as the Cisco 2811 WAN router (see Section 5.2).
iv. no shutdown
v. exit
interface Serial1/0/0.1 point-to-point
description Frame_Relay_To_G450
ip address 30.30.30.1 255.255.255.0
frame-relay interface-dlci 101 IETF
Figure 13 – Cisco 3825 Router Serial Sub-Interface Configuration

4.4. IP Routing Configuration


Routing information must be provided to reach the Main office Voice IP domain (50.50.50.0) and the
Branch office Voice IP domain (73.73.73.0). In the sample configuration, static routing is used.
1. Add static routes.
a. ip route 50.50.50.0 255.255.255.0 1.1.1.2
To reach the Main office, route to the Cisco PIX 515 Firewall outside interface.
b. ip route 73.73.73.0 255.255.255.0 30.30.30.2
To reach the Branch office, route to the Avaya G450 Media Gateway Serial interface.
c. exit
ip route 50.50.50.0 255.255.255.0 1.1.1.2
ip route 73.73.73.0 255.255.255.0 30.30.30.2
Figure 14 – Cisco 3825 Router Static Routing Configuration

2. Enter wr mem to save the router configuration.

5. Configure the Cisco 2811 Router
As described in Section 1, the Cisco 2811 router simulates a Frame Relay WAN. The Cisco 2811
connects the Main office Cisco 3825 edge router to the Avaya G450 Media Gateway in the Branch
office. The Cisco 2811 serial interfaces are configured as DCE. The following commands were
entered via Cisco CLI from the enable/config t access prompt. See [8] for more information.

5.1. Enable Frame Relay Switching


1. Enable frame relay switching on the 2811 router.
a. frame-relay switching

5.2. Serial Interface Configuration


1. Configure the Serial interface to the Avaya G450 Media Gateway.
a. interface Serial0/2/0
i. description To_G450
ii. no ip address
iii. encapsulation frame-relay IETF
iv. frame-relay lmi-type ansi
v. frame-relay intf-type dce
vi. frame-relay route 101 interface Serial0/3/0 101
This DLCI value must match the Avaya G450 Media Gateway (see Section 3.4)

2. Configure the Serial interface to the Cisco 3825 edge router.


a. interface Serial0/3/0
i. description To_HDQ_3825
ii. no ip address
iii. encapsulation frame-relay IETF
iv. frame-relay lmi-type ansi
v. frame-relay intf-type dce
vi. frame-relay route 101 interface Serial0/2/0 101
This DLCI value must match the Cisco 3825 edge router (see Section 4.3).
3. Enter wr mem to save the router configuration.
frame-relay switching
!
interface Serial0/2/0
description To_G450
no ip address
encapsulation frame-relay IETF
frame-relay lmi-type ansi
frame-relay intf-type dce
frame-relay route 101 interface Serial0/3/0 101
!
interface Serial0/3/0
description To_HDQ_3825
no ip address
encapsulation frame-relay IETF
frame-relay lmi-type ansi
frame-relay intf-type dce
frame-relay route 101 interface Serial0/2/0 101
Figure 15 – Cisco 2811 WAN Router Configuration

6. Configure the Cisco PIX 515 Firewall
As described in Section 1, the Cisco PIX 515 Firewall connects the Main office to the Cisco 3825
edge router. It provides access security between the secure inside Main office Voice IP domain
(50.50.50.0) and any unsecure outside domains. The Cisco PIX 515 Firewall also terminates the
IPSec VPN tunnel from the Avaya G450 Media Gateway in the Branch office. The following
commands were entered via Cisco CLI from the enable/config t access prompt. See [6] and [7] for
more information.

6.1. Inside and Outside Interface Configuration


Configure the Ethernet interfaces connected to the Main office Voice IP domain (secure), and the
Cisco 3825 edge router (unsecure).
1. Configure the Ethernet interfaces.
a. ip address inside 50.50.50.1 255.255.255.0
b. ip address outside 1.1.1.2 255.255.255.252
c. interface ethernet0 auto
d. interface ethernet1 auto
ip address inside 50.50.50.1 255.255.255.0
ip address outside 1.1.1.2 255.255.255.252
interface ethernet0 auto
interface ethernet1 auto
Figure 16 – Cisco PIX 515 Firewall Interface Configuration

6.2. IP Routing Configuration


Routing information must be provided for the Main office Voice IP domain (50.50.50.0) to reach the
Branch office Voice IP domain (73.73.73.0). In the sample configuration, static routing is used.
1. Add static route.
a. route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
To reach the Branch office, route to the Cisco 3825 router.
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
Figure 17 – Cisco PIX 515 Firewall Routing Configuration

6.3. Virtual Private Network (VPN) Configuration


Note: The ISAKMP policy attributes must be configured identically on both the Avaya G450 and the
Cisco PIX 515 Firewall (see Section 3.6).

1. Configure an access-list that exempts VPN traffic from NAT on the Cisco PIX 515 Firewall.
a. access-list novpnnat permit ip 50.50.50.0 255.255.255.0 73.73.73.0 255.255.255.0
“novpnnat” is a name assigned to the access-list.
b. nat (inside) 0 access-list novpnnat
Disables NAT for access-list novpnnat.

2. Defining NATing for all non-VPN traffic.


a. nat (inside) 1 0.0.0.0 0.0.0.0

3. Configure an ISAKMP policy (Phase 1).
a. isakmp enable outside
b. isakmp key <key string> address 30.30.30.2 netmask 255.255.255.255
The key string must match the pre-shared key configured on the Avaya G450 Media Gateway.
Once entered, the key is displayed as “********” on the CLI.
c. isakmp identity address
d. isakmp policy 1 authentication pre-share
e. isakmp policy 1 encryption 3des
f. isakmp policy 1 hash sha
g. isakmp policy 1 group 2
h. isakmp policy 1 lifetime 86400
4. Configure the access-list that defines VPN traffic between the Main office and Branch office.
a. access-list 101 permit ip 50.50.50.0 255.255.255.0 73.73.73.0 255.255.255.0
5. Configure a transform-set (Phase 2).
a. crypto ipsec transform-set HighAES esp-aes esp-sha-hmac
“HighAES” is a name assigned to the transform-set. Note that Phase 1 uses 3DES while Phase 2
uses AES; the Avaya G450 policy (Section 3.6) must use the same combination.
6. Configure the crypto map (Phase 2).
a. crypto map BranchVPN 1 ipsec-isakmp
b. crypto map BranchVPN 1 match address 101
c. crypto map BranchVPN 1 set pfs group2
d. crypto map BranchVPN 1 set peer 30.30.30.2
e. crypto map BranchVPN 1 set transform-set HighAES
f. crypto map BranchVPN 1 set security-association lifetime seconds 3600
g. crypto map BranchVPN interface outside
Applying the crypto map to the outside interface activates it.
7. Configure the Cisco PIX 515 Firewall to permit traffic arriving through the IPSec tunnel.
a. sysopt connection permit-ipsec
This lets decrypted IPSec traffic bypass the interface access-lists. Access-list 101 then defines
what the Branch office can reach on the inside network, so keep it limited to the two voice
subnets.
8. Enter wr mem to save the configuration.
access-list novpnnat permit ip 50.50.50.0 255.255.255.0 73.73.73.0 255.255.255.0
nat (inside) 0 access-list novpnnat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
isakmp enable outside
isakmp key ******** address 30.30.30.2 netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
access-list 101 permit ip 50.50.50.0 255.255.255.0 73.73.73.0 255.255.255.0
crypto ipsec transform-set HighAES esp-aes esp-sha-hmac
crypto map BranchVPN 1 ipsec-isakmp
crypto map BranchVPN 1 match address 101
crypto map BranchVPN 1 set pfs group2
crypto map BranchVPN 1 set peer 30.30.30.2
crypto map BranchVPN 1 set transform-set HighAES
crypto map BranchVPN 1 set security-association lifetime seconds 3600
crypto map BranchVPN interface outside
sysopt connection permit-ipsec
Figure 18 – Cisco PIX 515 Firewall VPN Configuration

7. Configure Avaya Communication Manager
In the sample configuration, there are two Network Regions. The Avaya equipment in the Main
office is defined in Network Region 1 and the Avaya equipment in the Branch office is defined in
Network Region 2.

Note – With the exception of Section 7.1, the following commands were entered using an Avaya
Communication Manager SAT session. For information on these commands see [2].

7.1. Avaya G450 Media Gateway Serial Number


1. On the Avaya G450 Media Gateway enter the command show system and copy down the
serial number. This is required when the Avaya G450 Media Gateway is provisioned on
Avaya Communication Manager in the next step.
G450-001(super)# show system
System Name : Branch_G450
System Location :
System Contact :
Uptime (d,h:m:s) : 7,02:56:35
MV Time : 08:04:49 29 FEB 2008
Serial No : 07IS13107508
Model No : G450
Figure 19 – Avaya G450 Media Gateway Serial Number

7.2. Add the Avaya G450 Media Gateway


1. add media-gateway 1
a. Type: g450
b. Name: <text>
c. Serial No: <serial number>
Enter the Avaya G450 Media Gateway serial number taken from the show system
command entered in the Avaya G450 Media Gateway in Section 7.1.
d. Network Region: 2
e. Other fields will auto-populate once the Avaya G450 Media Gateway registers.
add media-gateway 1 Page 1 of 1
MEDIA GATEWAY
Number: 1 Registered? n
Type: g450 FW Version/HW Vintage:
Name: G450_Branch MGP IP Address:
Serial No: 07IS13107508 Controller IP Address:
Encrypt Link? y MAC Address:
Network Region: 2
Location: 1 Site Data:
Recovery Rule: 1
Slot Module Type Name DSP Type FW/HW version
V1:
V2:
Figure 20 – Avaya Communication Manager – Add Avaya G450 Media Gateway

7.3. Configure IP-Codec Sets
In the sample configuration, calls between the Main office (Network Region 1) and the Branch office
(Network Region 2) will use codec set 2. Intra-region calls will use codec set 1. Codec set 1 will use
G.711MU while codec set 2 will use G.729B.

Note - See Section 8 for additional details on these codec choices.

The G.729 codec is preferable over a VPN in order to conserve bandwidth. In addition, the frames
per packet value was left as 2 (default) in this example because the G450 serial interface is optimized
for G.729 using the default 20ms packet size. Administrators may wish to increase the frames per
packet from the default 2 to 3. Increasing the RTP payload per packet reduces the per-call
bandwidth, because fewer packets per second are sent and the fixed per-packet overhead (IP, UDP
and RTP headers plus the ESP header, IV, padding, ICV and outer IP header added by IPSec) is
amortized over more voice payload. The cost is an extra 10ms of packetization delay per added
frame.
1. change ip-codec-set 1
a. Audio Codec 1: G.711MU
change ip-codec-set 1 Page 1 of 2
IP Codec Set
Codec Set: 1
Audio Silence Frames Packet
Codec Suppression Per Pkt Size(ms)
1: G.711MU n 2 20
2:
3:
4:
Media Encryption
1: none
2:
3:
Figure 21 – Avaya Communication Manager Provisioning – IP-Codec-Set 1

2. change ip-codec-set 2
a. Audio Codec 1: G.729B
change ip-codec-set 2 Page 1 of 2
IP Codec Set
Codec Set: 2
Audio Silence Frames Packet
Codec Suppression Per Pkt Size(ms)
1: G.729B n 2 20
2:
3:
4:
Media Encryption
1: none
2:
3:
Figure 22– Avaya Communication Manager Provisioning – IP-Codec-Set 2
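The frames-per-packet trade-off discussed at the start of this section can be worked through numerically. The following is an added example and not part of the original Application Notes: it computes one direction of a G.729 call at the IP layer, in the clear and inside ESP tunnel mode with AES-CBC and HMAC-SHA1-96 (the transform negotiated in Figure 42). Header sizes are the standard ESP, AES-CBC and HMAC-SHA1-96 values; Frame Relay framing and the gateway's own queueing are assumed out of scope and are not counted.

```python
"""Per-call bandwidth for G.729 over RTP, with and without ESP tunnel-mode protection."""

# G.729 produces one 10-byte frame per 10 ms of speech (silence suppression off, as in Figure 22).
G729_FRAME_BYTES = 10
G729_FRAME_MS = 10
IP_UDP_RTP_HDR = 20 + 8 + 12

# ESP tunnel mode, AES-CBC with HMAC-SHA1-96 (RFC 4303 ESP, RFC 3602 AES-CBC,
# RFC 2404 HMAC-SHA1-96). All sizes in bytes.
OUTER_IP_HDR = 20     # new outer IPv4 header added by tunnel mode
ESP_HDR = 8           # SPI + sequence number
AES_IV = 16
AES_BLOCK = 16
ESP_TRAILER = 2       # pad length + next header, padded together with the payload
SHA1_96_ICV = 12


def esp_packet_bytes(inner_bytes):
    """Wire size of an inner IP packet of inner_bytes once ESP-encapsulated."""
    body = inner_bytes + ESP_TRAILER
    padded = -(-body // AES_BLOCK) * AES_BLOCK   # round up to the cipher block size
    return OUTER_IP_HDR + ESP_HDR + AES_IV + padded + SHA1_96_ICV


def rtp_packet_bytes(frames_per_packet):
    """IP packet carrying frames_per_packet G.729 frames (no Layer 2 framing)."""
    return IP_UDP_RTP_HDR + frames_per_packet * G729_FRAME_BYTES


def call_bandwidth_bps(frames_per_packet, encrypted):
    """One direction of a call, IP layer and up; Frame Relay framing is excluded."""
    wire = rtp_packet_bytes(frames_per_packet)
    if encrypted:
        wire = esp_packet_bytes(wire)
    packets_per_second = 1000 / (frames_per_packet * G729_FRAME_MS)
    return wire * 8 * packets_per_second


def ipsec_overhead_ratio(frames_per_packet):
    """Fraction by which ESP inflates the per-call rate at this packetization."""
    clear = call_bandwidth_bps(frames_per_packet, encrypted=False)
    return call_bandwidth_bps(frames_per_packet, encrypted=True) / clear - 1


if __name__ == "__main__":
    print("frames  ms/pkt  clear kbps  ESP kbps  ESP overhead")
    for fpp in (1, 2, 3, 4):
        print(f"{fpp:>6}  {fpp * G729_FRAME_MS:>6}  "
              f"{call_bandwidth_bps(fpp, False) / 1000:>10.1f}  "
              f"{call_bandwidth_bps(fpp, True) / 1000:>8.1f}  "
              f"{ipsec_overhead_ratio(fpp):>11.0%}")
```

With two frames per packet the 60-byte RTP packet becomes a 120-byte ESP packet, so the tunnel doubles the per-call rate from 24 kbps to 48 kbps; at three frames per packet the rate drops to about 36 kbps and the ESP share of it falls, which is the effect the text describes. Note that AES-CBC padding means the inner packet size decides how much padding is added, so the saving is not linear in the frame count.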

7.4. Configure IP-Network-Regions
The Main office is defined as Network Region 1. The Branch office is defined as Network Region 2.
1. Configure Network Region 1.
a. change ip-network-region 1
This opens the Network Region form.
2. On page 1 of the form, provision the field:
a. Codec Set: 1
Let the remaining fields default.
change ip-network-region 1 Page 1 of 19
IP NETWORK REGION
Region: 1
Location: 1 Authoritative Domain: main.com
Name:
MEDIA PARAMETERS Intra-region IP-IP Direct Audio: yes
Codec Set: 1 Inter-region IP-IP Direct Audio: yes
UDP Port Min: 2048 IP Audio Hairpinning? n
UDP Port Max: 3329
DIFFSERV/TOS PARAMETERS RTCP Reporting Enabled? y
Call Control PHB Value: 46 RTCP MONITOR SERVER PARAMETERS
Audio PHB Value: 46 Use Default Server Parameters? y
Video PHB Value: 26
802.1P/Q PARAMETERS
Call Control 802.1p Priority: 5
Audio 802.1p Priority: 5
Video 802.1p Priority: 5 AUDIO RESOURCE RESERVATION PARAMETERS
H.323 IP ENDPOINTS RSVP Enabled? n
H.323 Link Bounce Recovery? y
Idle Traffic Interval (sec): 20
Keep-Alive Interval (sec): 5
Figure 23 – Avaya Communication Manager Provisioning – IP Network Region 1 – Page 1

3. On page 3 of the form, the first line is pre-defined (Network Region 1 can communicate with
Network Region 1). On the second line, define the communication between Network Regions
1 and 2 by provisioning the following fields:
a. src rgn = 1
In the Network Region 1 form, Network Region 1 is always the source.
b. dst rgn = 2
Region 2 was the destination Network Region used in the sample configuration for the
Branch office.
c. codec set = 1
Let the remaining fields default.

change ip-network-region 1 Page 3 of 19


Inter Network Region Connection Management
src dst codec direct WAN-BW-limits Video Dyn
rgn rgn set WAN Units Total Norm Prio Shr Intervening-regions CAC IGAR
1 1 1
1 2 1 y NoLimit n
Figure 24 – Avaya Communication Manager Provisioning – IP Network Region 1 – Page 3

4. Configure Network Region 2.
a. change ip-network-region 2
This opens the Network Region form.

5. On page 1 of the form provision the field:


a. Codec Set: 1
b. Let the remaining fields default.
change ip-network-region 2 Page 1 of 19
IP NETWORK REGION
Region: 2
Location: 1 Authoritative Domain: main.com
Name:
MEDIA PARAMETERS Intra-region IP-IP Direct Audio: yes
Codec Set: 1 Inter-region IP-IP Direct Audio: yes
UDP Port Min: 2048 IP Audio Hairpinning? n
UDP Port Max: 3329
DIFFSERV/TOS PARAMETERS RTCP Reporting Enabled? y
Call Control PHB Value: 46 RTCP MONITOR SERVER PARAMETERS
Audio PHB Value: 46 Use Default Server Parameters? y
Video PHB Value: 26
802.1P/Q PARAMETERS
Call Control 802.1p Priority: 5
Audio 802.1p Priority: 5
Video 802.1p Priority: 5 AUDIO RESOURCE RESERVATION PARAMETERS
H.323 IP ENDPOINTS RSVP Enabled? n
H.323 Link Bounce Recovery? y
Idle Traffic Interval (sec): 20
Keep-Alive Interval (sec): 5
Figure 25 – Avaya Communication Manager Provisioning – IP Network Region 2 – Page 1

6. On page 3 of the form, the first line is pre-defined (Network Region 2 can communicate with
Network Region 2). On the second line define the communication between Network Regions
1 and 2 by provisioning the following fields:
a. src rgn = 2
In the Network Region 2 form, Network Region 2 is always the source.
b. dst rgn = 1
Region 1 is the destination Network Region used in the sample configuration for the
Main office.
c. codec set = 2
d. Let the remaining fields self populate.
change ip-network-region 2 Page 3 of 19
Inter Network Region Connection Management
src dst codec direct WAN-BW-limits Video Dyn
rgn rgn set WAN Units Total Norm Prio Shr Intervening-regions CAC IGAR
2 1 2 y NoLimit n
2 2 1
Figure 26 – Avaya Communication Manager Provisioning – IP Network Region 2 – Page 3

7.5. Configure IP-Network-Map
The IP Network Map form defines Network Regions to IP address domains used by IP telephones.
1. change ip-network-map
a. Under the From IP Address heading enter 50.50.50.0
This is the voice IP domain in the Main office.
b. Tab to the Subnet or Mask heading and enter 24
The To IP Address fields will self populate after the form is entered.
c. Under the Region heading enter 1
The Main office is assigned to Network Region 1.
d. Under the From IP Address heading enter 73.73.73.0
This is the voice IP domain in the Branch office.
e. Tab to the Subnet or Mask heading and enter 24
f. Under the Region heading enter 2
The Branch office is assigned to Network Region 2.
g. Let the remaining fields default.
change ip-network-map Page 1 of 32
IP ADDRESS MAPPING
Subnet Location
From IP Address (To IP Address or Mask) Region VLAN Extension
50.50.50.0 50.50.50.255 24 1 n
73.73.73.0 73.73.73.255 24 2 n
. . . . . . n
. . . . . . n
Figure 27 – Avaya Communication Manager Provisioning – IP-Network-Map

7.6. Save Translations


After the provisioning is completed, enter the command save trans to save the configuration on
Avaya Communication Manager.

8. Configure Avaya 96xx SIP IP Telephone Codec Type


The Avaya 46xx H.323 and SIP IP telephones use the G.729B variety of the G.729 codec by default.
The Avaya 96xx H.323 IP telephones also use G.729B. However, the Avaya 96xx SIP IP telephones
use G.729A as the default type of G.729 codec.

As described in Section 7.3, the G.729 codec type is the most bandwidth efficient over the IPSec
VPN tunnel. Therefore the sample configuration defines calls between Network Regions 1 and 2 to
use G.729B codec, as it is supported by most Avaya IP telephone types in their default
configurations.

In order to allow G.729 call compatibility between the Avaya 96xx SIP IP telephone and the other
Avaya IP telephone types, the Avaya 96xx SIP IP telephones must be provisioned to also use the
G.729B codec. This is performed via the configuration file 46xxsettings.txt. The 46xxsettings.txt file
is available from http://support.avaya.com. The 46xxsettings.txt file must be installed on an HTTP
server that has IP connectivity to the Avaya 96xx SIP IP telephones. The 46xxsettings.txt file is
retrieved by the Avaya 96xx SIP IP telephones when they are connected for the first time, or are
reset. For information on using the 46xxsettings.txt file, and Avaya 96xx SIP IP telephone
implementation, see [4] and [5].

8.1. Configure 46xxsettings.txt File to Enable the G.729B Codec.
1. On the HTTP server, go to the /inetpub/wwwroot directory (Windows Internet Information
Services was used for the HTTP Server in the reference configuration).
2. Using a text editor, open the 46xxsettings.txt file.
3. Find the section labeled ##### CODEC SETTINGS #####
4. By default, the G.729A codec is enabled, (## SET ENABLE_G729 1). Enter a new line SET
ENABLE_G729 2 (without the leading # comment characters).
5. Save and close the 46xxsettings.txt file.
6. Reset the Avaya 96xx SIP IP telephones to install the updated 46xxsettings.txt file. The Avaya
96xx SIP IP telephones will now use the G.729B codec.

Note – Only the section of the 46xxsettings.txt file pertaining to G.729 codec provisioning is shown
for brevity.

##
##################### CODEC SETTINGS #####################
##
## G.729 Codec Enabled
## Determines whether G.729 codec is available on the
## phone.
## 0 for G.729(A) disabled
## 1 for G.729(A) enabled without Annex B support
## 2 for G.729(A) enabled with Annex B support
## SET ENABLE_G729 1
SET ENABLE_G729 2
##
##
Figure 28 – Enable the G.729B codec via the 46xxsettings.txt file

9. Verification Steps
The following steps can be used to validate the sample configuration.

9.1. Verify Cisco PIX 515 Firewall Interfaces and Routing


1. Check that “inside” and “outside” interface/line protocols are up and IP addressing is correct.
a. show interface ethernet0
This is the “outside” interface
pixfirewall# show interface ethernet0
interface ethernet0 "outside" is up, line protocol is up
Hardware is i82559 ethernet, address is 0003.6bf7.25e8
IP address 1.1.1.2, subnet mask 255.255.255.252
MTU 1500 bytes, BW 100000 Kbit half duplex
517521 packets input, 74718903 bytes, 0 no buffer
Received 1406 broadcasts, 0 runts, 0 giants
1 input errors, 1 CRC, 0 frame, 0 overrun, 1 ignored, 0 abort
508963 packets output, 80276706 bytes, 0 underruns
0 output errors, 15 collisions, 0 interface resets
0 babbles, 6 late collisions, 34 deferred
1 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/9)
output queue (curr/max blocks): hardware (0/9) software (0/1)
Figure 29 – Cisco PIX 515 – Interface Ethernet0 (outside).

b. show interface ethernet1


This is the “inside” interface.
pixfirewall# show interface ethernet1
interface ethernet1 "inside" is up, line protocol is up
Hardware is i82559 ethernet, address is 0003.6bf7.25e9
IP address 50.50.50.1, subnet mask 255.255.255.0
MTU 1500 bytes, BW 100000 Kbit full duplex
843942 packets input, 69016077 bytes, 0 no buffer
Received 314685 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
541973 packets output, 43070045 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
4 lost carrier, 0 no carrier
input queue (curr/max blocks): hardware (128/128) software (0/9)
output queue (curr/max blocks): hardware (0/9) software (0/1)
Figure 30 – Cisco PIX 515 – Interface Ethernet1 (inside).
2. Examine Cisco PIX 515 Firewall route table entries.
a. show route
pixfirewall# show route
outside 0.0.0.0 0.0.0.0 1.1.1.1 1 OTHER static
outside 1.1.1.0 255.255.255.252 1.1.1.2 1 CONNECT static
inside 50.50.50.0 255.255.255.0 50.50.50.1 1 CONNECT static
Figure 31 – Cisco PIX 515 – Route Table.

9.2. Avaya G450 Media Gateway Interfaces and Routing
1. Verify Serial interface status.
a. show interface serial 8/1:1
G450-001(super)# show interface serial 8/1:1
Serial 8/1:1 is up, line protocol is up
MTU 1500 bytes, Bandwidth 1536 kbit
Reliability 255/255 txLoad 1/255 rxLoad 1/255
Encapsulation FRAME-RELAY IETF
Link status trap enabled
LMI enq sent 77737, LMI stat recvd 77737, LMI upd recvd 0, DTE LMI up
LMI DLCI 0, LMI type is ANSI Annex D, frame relay DTE
Weighted Fair VoIP queueing mode
Last input 00:00:00, Last output 00:00:01
Last clearing of 'show interface' counters never
5 minute input rate 708 bits/sec, 0 packets/sec
5 minute output rate 784 bits/sec, 0 packets/sec
0 input drops, 0 output drops, 0 unknown protocols
587790 packets input, 76396277 bytes
0 broadcasts received, 0 giants
0 input errors, 0 CRC, 0 abort
597153 packets output, 70441367 bytes
0 output errors, 0 collisions
Figure 32 – Avaya G450 Media Gateway – Serial Interface.
2. Verify Serial subinterface status.
a. show interface serial 8/1:1.1
G450-001(super)# show interface serial 8/1:1.1
Serial 8/1:1.1 is up, line protocol is up
Description: To_Frame_Relay_Switch
Internet address is 30.30.30.2, mask is 255.255.255.0
MTU 1500 bytes, Bandwidth 1536 kbit
IPSec PMTU: copy df-bit, Min PMTU is 300
Encapsulation FRAME-RELAY IETF
Link status trap enabled
Keepalive-track not set
Last input 00:00:01, Last output 00:00:01
Last clearing of 'show interface' counters never
0 input drops, 0 output drops, 0 unknown protocols
510055 packets input, 73203176 bytes
0 broadcasts received, 0 giants
0 input errors, 0 CRC, 0 abort
519418 packets output, 46223882 bytes
0 output errors, 0 collisions
Figure 33 – Avaya G450 Media Gateway – Serial Sub-Interface.

3. Verify Frame Relay PVC status.
a. show frame-relay pvc
G450-001(super)# show frame-relay pvc
Showing 1 PVC
PVC Statistics for interface Serial 8/1:1 (Frame Relay DTE)
Active Inactive Deleted Static
Local 1 0 0 0
Unused 0 0 0 0
DLCI = 101, USAGE = LOCAL , PVC STATUS = ACTIVE, INTERFACE = Serial 8/1:1.1
ROLE = Primary , PRIORITY CLASS = None
input pkts 510059, output pkts 519422, dropped pkts 0
in bytes 75243940, out bytes 48301864
in FECN pkts 0
in BECN pkts 0
in DE pkts 0, out DE pkts 0
pvc create time 8d20h, last time pvc status changed 00:48:36
Figure 34 – Avaya G450 Media Gateway – Frame-Relay PVC.

4. Verify G450 Media Gateway IP route table entries.


a. show ip route
G450-001(super)# show ip route
Showing 3 rows
Network Mask Interface Next-Hop Cost TTL Source
--------------- ---- ------------------- ------------------- ----- --- ---------
0.0.0.0 0 Serial 8/1:1.1 30.30.30.1 1 n/a STAT-LO
30.30.30.0 24 Serial 8/1:1.1 30.30.30.2 1 n/a LOCAL
73.73.73.0 24 Vlan 1 73.73.73.2 1 n/a LOCAL
Figure 35 – Avaya G450 Media Gateway – Show IP Route.

9.3. Verify Cisco PIX 515 Firewall VPN Policies


1. Verify that configured ISAKMP policies have the correct security attributes.
a. show crypto isakmp
pixfirewall# show crypto isakmp
isakmp enable outside
isakmp key ******** address 30.30.30.2 netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
Figure 36 – Cisco PIX 515 Firewall – Isakmp Policies.

2. Verify that the configured IPSec transform-sets have the correct security attributes.
a. show crypto ipsec transform-set
pixfirewall# show crypto ipsec transform-set
Transform set HighAES: { esp-aes esp-sha-hmac }
will negotiate = { Tunnel, },
Figure 37 – Cisco PIX 515 Firewall – IPSec Transform Set.

9.4. Verify G450 Media Gateway VPN Policies
1. Verify that the remote peer (Cisco PIX 515 Firewall) has been defined under crypto isakmp
peer.
a. show crypto isakmp peer
G450-001(super)# show crypto isakmp peer
Showing 1 rows
Description Peer identity Self identity Plc Md DPD Auth
Track Cnt
K-alv Id
------------- ------------------ ------------------ ----- --- -- ----- ----- ---
PIX Outside 1.1.1.2 IPv4 Address psk 1 MM none No
Figure 38 – Avaya G450 Media Gateway – Isakmp Peer.
2. Verify that configured ISAKMP policies have the correct security attributes.
a. show crypto isakmp policy
G450-001(super)# show crypto isakmp policy
Showing 1 rows
Id Description Encr Hash Authentication DH group life sec
-- -------------------- ------- ------- -------------- -------- ----------
1 High 3des sha Preshared key 2 86400
Figure 39 – Avaya G450 Media Gateway – Isakmp Policy.
3. Verify that the configured IPSec transform-sets have the correct security attributes.
a. show crypto ipsec transform-set
G450-001(super)# show crypto ipsec transform-set
Showing 1 rows
Name ESP Enc ESP Hash PCP PFS Life Sec Life KB Mode
----------------------- ------- -------- --- --- ---------- ---------- ------
HIGH aes sha-hmac No #2 3600 4608000 Tunnel
Figure 40 – Avaya G450 Media Gateway – IPSec Transform Set.
4. Verify that the crypto-list is configured with proper wildcard masking and crypto-mapping
corresponds to the correct transform-set. Any traffic that does not match the crypto-list
bypasses IPSec processing.
a. show ip crypto-list 901
G450-001(super)# show ip crypto-list 901
Index Description Status Owner
----- ------------------------------- --------- --------------------------
901 Encrypted traffic valid other
Local address: 30.30.30.2
Rules:
Index Proto IP Wildcard Port Action Frag
DSCP Crypto map Rule
----- ------- --- ---------------- --------------- ------------ ---------- ----
1 Any Src 73.73.73.0 0.0.0.255 Any protect No
Any Dst 50.50.50.0 0.0.0.255 Any 1
Deflt Any Src Any Any bypass No
Any Dst Any Any -
Applicable crypto maps:
Id Description Remote peer/group Transform-set DSCP C-cnl
-- -------------------- ------------------ ----------------------- ---- -----
1 PIX_Outside 1.1.1.2 HIGH copy No
Figure 41 – Avaya G450 Media Gateway – IP Crypto List 901.
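The note in Section 6.3 requires the Phase 1 and Phase 2 attributes to be identical on both ends, and Sections 9.3 and 9.4 verify this by reading the two sets of show output side by side. The following script is an added example, not part of the original Application Notes or of either vendor's tooling: it parses the PIX command lines of Figure 18 and compares them with the G450 values, which are transcribed by hand from Figures 38 to 41 into a dictionary rather than parsed. Besides the cipher, hash, DH group and lifetimes it checks the two things that most often break a tunnel silently: that the PIX crypto access-list is the mirror image of the G450 crypto-list rule, and that the nat (inside) 0 exemption covers exactly the same traffic.

```python
"""Cross-check the PIX Phase 1/Phase 2 parameters against the G450 side."""
import ipaddress
import re

# Constructed copy of the PIX lines in Figure 18 (the key is masked as the CLI shows it).
PIX_CONFIG = """\
access-list novpnnat permit ip 50.50.50.0 255.255.255.0 73.73.73.0 255.255.255.0
nat (inside) 0 access-list novpnnat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
isakmp enable outside
isakmp key ******** address 30.30.30.2 netmask 255.255.255.255
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
access-list 101 permit ip 50.50.50.0 255.255.255.0 73.73.73.0 255.255.255.0
crypto ipsec transform-set HighAES esp-aes esp-sha-hmac
crypto map BranchVPN 1 ipsec-isakmp
crypto map BranchVPN 1 match address 101
crypto map BranchVPN 1 set pfs group2
crypto map BranchVPN 1 set peer 30.30.30.2
crypto map BranchVPN 1 set transform-set HighAES
crypto map BranchVPN 1 set security-association lifetime seconds 3600
crypto map BranchVPN interface outside
sysopt connection permit-ipsec
"""

# G450 side, transcribed by hand from the show outputs in Figures 38 to 41 (constructed).
G450 = {
    "local": "30.30.30.2",
    "peer": "1.1.1.2",
    "phase1": {"authentication": "pre-share", "encryption": "3des", "hash": "sha",
               "group": "2", "lifetime": "86400"},
    "phase2": {"encryption": "aes", "hash": "sha", "pfs": "2", "lifetime": "3600"},
    # crypto-list 901, rule 1: protect Src 73.73.73.0/24 -> Dst 50.50.50.0/24
    "protect": ("73.73.73.0/24", "50.50.50.0/24"),
}


def _net(addr, mask):
    """'50.50.50.0', '255.255.255.0' -> '50.50.50.0/24'."""
    return str(ipaddress.ip_network(f"{addr}/{mask}", strict=False))


def parse_pix(text):
    """Pull the VPN-relevant settings out of a PIX 6.x configuration listing."""
    cfg = {"acl": {}, "phase1": {}, "transform_sets": {}, "map": {}, "nat0": None,
           "key_peer": None}
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"access-list (\S+) permit ip (\S+) (\S+) (\S+) (\S+)", line):
            cfg["acl"][m[1]] = (_net(m[2], m[3]), _net(m[4], m[5]))
        elif m := re.match(r"nat \(inside\) 0 access-list (\S+)", line):
            cfg["nat0"] = m[1]
        elif m := re.match(r"isakmp key \S+ address (\S+)", line):
            cfg["key_peer"] = m[1]
        elif m := re.match(r"isakmp policy \d+ (\w+) (\S+)", line):
            cfg["phase1"][m[1]] = m[2]
        elif m := re.match(r"crypto ipsec transform-set (\S+) esp-(\w+) esp-(\w+)-hmac", line):
            cfg["transform_sets"][m[1]] = (m[2], m[3])
        elif m := re.match(r"crypto map \S+ \d+ (match address|set pfs|set peer|set transform-set"
                           r"|set security-association lifetime seconds) (\S+)", line):
            cfg["map"][m[1]] = m[2]
    return cfg


def check(pix, g450):
    """Return a list of mismatches; an empty list means the two ends agree."""
    problems = []
    for attr, want in g450["phase1"].items():
        got = pix["phase1"].get(attr)
        if got != want:
            problems.append(f"phase 1 {attr}: PIX={got} G450={want}")
    if pix["key_peer"] != g450["local"]:
        problems.append(f"pre-shared key is bound to {pix['key_peer']}, G450 is {g450['local']}")
    transform = pix["transform_sets"].get(pix["map"].get("set transform-set"))
    want = (g450["phase2"]["encryption"], g450["phase2"]["hash"])
    if transform != want:
        problems.append(f"phase 2 transform: PIX={transform} G450={want}")
    pfs = pix["map"].get("set pfs", "none").replace("group", "")
    if pfs != g450["phase2"]["pfs"]:
        problems.append(f"phase 2 PFS: PIX=group{pfs} G450=group{g450['phase2']['pfs']}")
    if pix["map"].get("set security-association lifetime seconds") != g450["phase2"]["lifetime"]:
        problems.append("phase 2 lifetime differs")
    if pix["map"].get("set peer") != g450["local"]:
        problems.append(f"crypto map peer {pix['map'].get('set peer')} is not the G450 address")
    crypto_acl = pix["acl"].get(pix["map"].get("match address"))
    if crypto_acl != (g450["protect"][1], g450["protect"][0]):
        problems.append(f"crypto ACL {crypto_acl} is not the mirror image of the G450 rule")
    if pix["acl"].get(pix["nat0"]) != crypto_acl:
        problems.append("nat (inside) 0 exemption does not cover exactly the crypto ACL traffic")
    return problems


if __name__ == "__main__":
    for problem in check(parse_pix(PIX_CONFIG), G450) or ["both ends agree"]:
        print(problem)
```

Run against the sample configuration the script reports agreement; changing a single attribute on the PIX side (for example the Phase 1 hash) produces one line naming the attribute and both values, which is the comparison an operator otherwise does by eye across Figures 36 to 41.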

9.5. Verify IKE Negotiations using Cisco PIX 515 Firewall Debug Traces

1. Enable local debug output to the console from the CLI. When the isakmp lifetime timer
expires, verify that the ISAKMP (Phase 1) SA and IPSec (Phase 2) SAs are removed and recreated.
Alternatively, the Avaya G450 Media Gateway isakmp Phase 1 clear SA and IPSec Phase
2 clear SA commands can be used to immediately reset the VPN state (see Sections 9.1 and
9.2). Turn the debugs off again when finished (no debug crypto ipsec, no debug crypto isakmp);
they are verbose and are not meant to stay enabled on a production firewall.
a. debug crypto ipsec
b. debug crypto isakmp
ISAKMP: rekeying phase 1 SA, src 1.1.1.2, dst 30.30.30.2
ISAKMP (0): retransmitting phase 1 (0)...
ISAKMP (0): retransmitting phase 1 (1)...
crypto_isakmp_process_block:src:30.30.30.2, dest:1.1.1.2 spt:500 dpt:500
ISAKMP (0): processing DELETE payload. message ID = 3099254529, spi size = 4
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP

return status is IKMP_NO_ERR_NO_TRANS


ISAKMP (0): retransmitting phase 1 (2)...
ISAKMP (0): retransmitting phase 1 (3)...
ISAKMP (0): retransmitting phase 1 (4)...

crypto_isakmp_process_block:src:30.30.30.2, dest:1.1.1.2 spt:500 dpt:500


OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 1 policy


ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 120
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload

ISAKMP (0): remote peer supports dead peer detection

ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR


return status is IKMP_NO_ERROR
ISAKMP (0): deleting SA: src 1.1.1.2, dst 30.30.30.2
crypto_isakmp_process_block:src:30.30.30.2, dest:1.1.1.2 spt:500 dpt:500
ISAKMP: drop msg for deleted sa
ISADB: reaper checking SA 0xffaf44, conn_id = 0
ISADB: reaper checking SA 0x116da8c, conn_id = 0 DELETE IT!

VPN Peer: ISAKMP: Peer ip:30.30.30.2/500 Ref cnt decremented to:0 Total VPN Peers:1
VPN Peer: ISAKMP: Deleted peer: ip:30.30.30.2/500 Total VPN peers:0
ISADB: reaper checking SA 0xffaf44, conn_id = 0
crypto_isakmp_process_block:src:30.30.30.2, dest:1.1.1.2 spt:500 dpt:500
ISAKMP (0): processing DELETE payload. message ID = 1115737207, spi size = 16
return status is IKMP_NO_ERR_NO_TRANS

ISAKMP (0): deleting IPSEC SAs with peer at 30.30.30.2
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with 30.30.30.2
map_free_entry: freeing entry 1
CRYPTO(epa_release_conn): released conn 1

VPN Peer: IPSEC: Peer Info not found during IPSEC deletion Peer ip:30.30.30.2/500
map_free_entry: freeing entry 2
CRYPTO(epa_release_conn): released conn 2

VPN Peer: IPSEC: Peer Info not found during IPSEC deletion Peer ip:30.30.30.2/500

ISAKMP (0): deleting SA: src 1.1.1.2, dst 30.30.30.2


ISADB: reaper checking SA 0xffaf44, conn_id = 0 DELETE IT!

VPN Peer:ISAKMP: Peer Info for 30.30.30.2/500 not found - peers:0


IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with 30.30.30.2

crypto_isakmp_process_block:src:30.30.30.2, dest:1.1.1.2 spt:500 dpt:500


ISAKMP: sa not found for ike msg

crypto_isakmp_process_block:src:30.30.30.2, dest:1.1.1.2 spt:500 dpt:500


ISAKMP: sa not found for ike msg

ISAKMP (0): beginning Main Mode exchange


ISAKMP (0): retransmitting phase 1 (0)...
ISAKMP (0): retransmitting phase 1 (1)...
ISAKMP (0): retransmitting phase 1 (2)...
crypto_isakmp_process_block:src:30.30.30.2, dest:1.1.1.2 spt:500 dpt:500
ISAKMP: sa not found for ike msg

ISAKMP (0): retransmitting phase 1 (3)...


ISAKMP (0): retransmitting phase 1 (4)...
ISAKMP (0): deleting SA: src 1.1.1.2, dst 30.30.30.2
IPSEC(key_engine): request timer fired: count = 1,
(identity) local= 1.1.1.2, remote= 30.30.30.2,
local_proxy= 50.50.50.0/255.255.255.0/0/0 (type=4),
remote_proxy= 73.73.73.0/255.255.255.0/0/0 (type=4)

ISAKMP (0): beginning Main Mode exchange


ISADB: reaper checking SA 0x116da8c, conn_id = 0
ISADB: reaper checking SA 0xffaf44, conn_id = 0 DELETE IT!

VPN Peer:ISAKMP: Peer Info for 30.30.30.2/500 not found - peers:0

ISADB: reaper checking SA 0x116da8c, conn_id = 0


ISAKMP (0): retransmitting phase 1 (0)...
ISAKMP (0): retransmitting phase 1 (1)...
ISAKMP (0): retransmitting phase 1 (2)...
ISAKMP (0): retransmitting phase 1 (3)...

crypto_isakmp_process_block:src:30.30.30.2, dest:1.1.1.2 spt:500 dpt:500


OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 1 policy

ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 120
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): processing vendor id payload

ISAKMP (0): remote peer supports dead peer detection

ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR


return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:30.30.30.2, dest:1.1.1.2 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP (0): ID payload


next-payload : 8
type : 1
protocol : 17
port : 500
length : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:30.30.30.2, dest:1.1.1.2 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated

ISAKMP (0): beginning Quick Mode exchange, M-ID of -1071189158:c026f35a
IPSEC(key_engine): got a queue event...
IPSEC(spi_response): getting spi 0xfbea09c7(4226419143) for SA
from 30.30.30.2 to 1.1.1.2 for prot 3

return status is IKMP_NO_ERROR


crypto_isakmp_process_block:src:30.30.30.2, dest:1.1.1.2 spt:500 dpt:500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 3223778138

ISAKMP : Checking IPSec proposal 1

ISAKMP: transform 1, ESP_AES


ISAKMP: attributes in transform:
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 3600
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
ISAKMP: authenticator is HMAC-SHA
ISAKMP: key length is 128
ISAKMP: group is 2
ISAKMP (0): atts are acceptable.
IPSEC(validate_proposal_request): proposal part #1,

(key eng. msg.) dest= 30.30.30.2, src= 1.1.1.2,
dest_proxy= 73.73.73.0/255.255.255.0/0/0 (type=4),
src_proxy= 50.50.50.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-aes esp-sha-hmac ,
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x24

ISAKMP (0): processing NONCE payload. message ID = 3223778138

ISAKMP (0): processing KE payload. message ID = 3223778138

ISAKMP (0): processing ID payload. message ID = 3223778138


ISAKMP (0): processing ID payload. message ID = 3223778138
map_alloc_entry: allocating entry 2
map_alloc_entry: allocating entry 1

ISAKMP (0): Creating IPSec SAs


inbound SA from 30.30.30.2 to 1.1.1.2 (proxy 73.73.73.0 to 50.50.50.0)
has spi 4226419143 and conn_id 2 and flags 25
lifetime of 3600 seconds
lifetime of 4608000 kilobytes
outbound SA from 1.1.1.2 to 30.30.30.2 (proxy 50.50.50.0 to 73.73.73.0)
has spi 6940 and conn_id 1 and flags 25
lifetime of 3600 seconds
lifetime of 4608000 kilobytes
IPSEC(key_engine): got a queue event...
IPSEC(initialize_sas): ,
(key eng. msg.) dest= 1.1.1.2, src= 30.30.30.2,
dest_proxy= 50.50.50.0/255.255.255.0/0/0 (type=4),
src_proxy= 73.73.73.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-aes esp-sha-hmac ,
lifedur= 3600s and 4608000kb,
spi= 0xfbea09c7(4226419143), conn_id= 2, keysize= 128, flags= 0x25
IPSEC(initialize_sas): ,
(key eng. msg.) src= 1.1.1.2, dest= 30.30.30.2,
src_proxy= 50.50.50.0/255.255.255.0/0/0 (type=4),
dest_proxy= 73.73.73.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-aes esp-sha-hmac ,
lifedur= 3600s and 4608000kb,
spi= 0x1b1c(6940), conn_id= 1, keysize= 128, flags= 0x25
return status is IKMP_NO_ERROR
VPN Peer: ISAKMP: Added new peer: ip:30.30.30.2/500 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:30.30.30.2/500 Ref cnt incremented to:1 Total VPN Peers:1
pixfirewall#
Figure 42 – Cisco PIX 515 Firewall – IPSec and Isakmp Debug.
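Reading a trace like Figure 42 by hand is error-prone, and the interesting facts are scattered: which attributes the peer actually proposed, whether Phase 1 authenticated, which SPIs and proxy identities the two IPSec SAs ended up with, and how many Phase 1 retransmissions happened while the old SA was being torn down. The parser below is an added example, not part of the original Application Notes and not a Cisco tool; it runs over a constructed excerpt of the Figure 42 output (with the lines the PDF had wrapped rejoined) and summarises those facts. One thing it surfaces from this particular trace is that the peer proposed a Phase 1 lifetime of 120 seconds although the PIX policy in Figure 18 says 86400; the PIX accepted it, and the shorter of the two lifetimes is the one that applies, which is worth knowing when the tunnel appears to rekey far more often than configured.

```python
"""Summarise a PIX 'debug crypto isakmp' / 'debug crypto ipsec' trace."""
import re

# Constructed excerpt of the Figure 42 trace; wrapped lines rejoined, footers dropped.
PIX_DEBUG = """\
ISAKMP (0): retransmitting phase 1 (0)...
ISAKMP (0): retransmitting phase 1 (1)...
ISAKMP (0): beginning Main Mode exchange
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 1 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 120
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
ISAKMP (0): SA has been authenticated
ISAKMP (0): beginning Quick Mode exchange, M-ID of -1071189158:c026f35a
OAK_QM exchange
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_AES
ISAKMP: attributes in transform:
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 3600
ISAKMP: authenticator is HMAC-SHA
ISAKMP: key length is 128
ISAKMP: group is 2
ISAKMP (0): atts are acceptable.
ISAKMP (0): Creating IPSec SAs
        inbound SA from 30.30.30.2 to 1.1.1.2 (proxy 73.73.73.0 to 50.50.50.0)
        has spi 4226419143 and conn_id 2 and flags 25
        lifetime of 3600 seconds
        lifetime of 4608000 kilobytes
        outbound SA from 1.1.1.2 to 30.30.30.2 (proxy 50.50.50.0 to 73.73.73.0)
        has spi 6940 and conn_id 1 and flags 25
        lifetime of 3600 seconds
        lifetime of 4608000 kilobytes
VPN Peer: ISAKMP: Added new peer: ip:30.30.30.2/500 Total VPN Peers:1
"""

# "ISAKMP: <attribute> [is|of|in] <value>" lines inside a proposal check
ATTR = re.compile(r"ISAKMP: (.+?)(?: is| of| in)? (\S+)$")
SA_HDR = re.compile(r"(inbound|outbound) SA from (\S+) to (\S+) \(proxy (\S+) to (\S+)\)")


def parse_pix_debug(text):
    """Return the peer's accepted proposals, the created SAs and a retransmit count."""
    summary = {"phase1": {}, "phase2": {}, "sas": [], "phase1_retransmits": 0,
               "authenticated": False}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if "retransmitting phase 1" in line:
            summary["phase1_retransmits"] += 1
        elif "Checking ISAKMP transform" in line:
            section = "phase1"
        elif "Checking IPSec proposal" in line:
            section = "phase2"
        elif "Creating IPSec SAs" in line:
            section = "sas"
        elif "SA has been authenticated" in line:
            summary["authenticated"] = True
        elif "atts are acceptable" in line:
            section = None
        elif section in ("phase1", "phase2"):
            if m := re.match(r"ISAKMP: transform \d+, (\S+)", line):
                summary[section]["transform"] = m[1]
            elif (m := ATTR.match(line)) and not line.endswith(":"):
                summary[section][m[1]] = m[2]
        elif section == "sas":
            if m := SA_HDR.match(line):
                summary["sas"].append({"dir": m[1], "src": m[2], "dst": m[3],
                                       "proxy_src": m[4], "proxy_dst": m[5]})
            elif (m := re.match(r"has spi (\d+)", line)) and summary["sas"]:
                summary["sas"][-1]["spi"] = int(m[1])
            elif (m := re.match(r"lifetime of (\d+) (seconds|kilobytes)", line)) and summary["sas"]:
                summary["sas"][-1][m[2]] = int(m[1])
    return summary


def findings(summary, configured_phase1_lifetime=86400):
    """Things an operator would want flagged after reading the trace."""
    notes = []
    proposed = summary["phase1"].get("life duration (basic)")
    if proposed != str(configured_phase1_lifetime):
        notes.append(f"peer proposed a phase 1 lifetime of {proposed}s, policy says "
                     f"{configured_phase1_lifetime}s; the shorter value is what gets used")
    if not summary["authenticated"]:
        notes.append("phase 1 never reached 'SA has been authenticated'")
    if {sa["dir"] for sa in summary["sas"]} != {"inbound", "outbound"}:
        notes.append("IPsec SA pair was not created")
    if summary["phase1_retransmits"]:
        notes.append(f"{summary['phase1_retransmits']} phase 1 retransmissions: the peer was "
                     "unreachable or still tearing down its old SA")
    return notes


if __name__ == "__main__":
    result = parse_pix_debug(PIX_DEBUG)
    for sa in result["sas"]:
        print(f"{sa['dir']:>8} spi {sa['spi']} {sa['proxy_src']} -> {sa['proxy_dst']}")
    for note in findings(result):
        print("note:", note)
```

The parser keys on the fixed phrases the PIX emits ("Checking ISAKMP transform", "atts are acceptable", "Creating IPSec SAs") rather than on line positions, so it is indifferent to the blank lines and interleaved IPSEC(key_engine) messages a live console produces.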

9.6. Verify IKE Negotiations using G450 Gateway Syslog
1. Enable local Syslog message output to the console from the CLI. When the isakmp lifetime
timer expires, verify ISAKMP (Phase 1) SA and IPSec (Phase 2) SAs are removed and
recreated. Alternatively, the Avaya G450 Media Gateway isakmp Phase 1 clear SA and the
IPSec Phase 2 clear SA commands can be used to immediately reset the VPN state (see
Sections 9.1 and 9.2).
a. set logging session enable
b. set logging session condition ISAKMP debug
c. set logging session condition IPSEC debug

2. When completed, disable the logging.
a. set logging session disable
04/22/2008,09:46:50:ISAKMP-Informational:
ISAKMP SA lifetime expiration
Peers 30.30.30.2<->1.1.1.2
Icookie - 8323fecb991b7cd0, Rcookie - 73159c04f0b63f69

04/22/2008,09:46:50:ISAKMP-Informational:
Sending IKE DELETE message (ISAKMP SA):
Peers 30.30.30.2<->1.1.1.2
Icookie - 8323fecb991b7cd0, Rcookie - 73159c04f0b63f69

04/22/2008,09:47:42:VOICE-Warning: H248 link is DOWN

04/22/2008,09:47:58:ISAKMP-Warning:
Peer 1.1.1.2 is presumed dead: IKE phase 1 negotiation failure

04/22/2008,09:48:11:ISAKMP-Informational:
Begin IKE phase 1 negotiation, initiated by 1.1.1.2:
Peers 30.30.30.2<->1.1.1.2, mode main

04/22/2008,09:48:11:ISAKMP-Debug:
Sending vendor ID to 1.1.1.2 (VID length = 16):
Peers 30.30.30.2<->1.1.1.2
draft-ietf-ipsec-dpd-00.txt (0xafcad71368a1f1c96b8696fc77570100)

04/22/2008,09:48:11:ISAKMP-Debug:
Received vendor ID from 1.1.1.2 (VID length = 8):
Peers 30.30.30.2<->1.1.1.2
Unknown (0x09002689dfd6b712)

04/22/2008,09:48:11:ISAKMP-Debug:
Received vendor ID from 1.1.1.2 (VID length = 16):
Peers 30.30.30.2<->1.1.1.2
draft-ietf-ipsec-dpd-00.txt (0xafcad71368a1f1c96b8696fc77570100)

04/22/2008,09:48:11:ISAKMP-Debug:
Received vendor ID from 1.1.1.2 (VID length = 16):
Peers 30.30.30.2<->1.1.1.2
Unknown (0x12f5f28c457168a9702d9fe274cc0100)

04/22/2008,09:48:11:ISAKMP-Debug:
Received vendor ID from 1.1.1.2 (VID length = 16):
Peers 30.30.30.2<->1.1.1.2
Unknown (0x76e459d681edb35dc5fb95461256e04f)

04/22/2008,09:48:11:ISAKMP-Informational:
Finished IKE phase 1 negotiation, creating ISAKMP SA:
Peers 30.30.30.2<->1.1.1.2
Icookie - 8323fecb81ecb35d, Rcookie - 643f0ef3bd44bc4e
esp-3des, esp-sha-hmac, DH group 2, Lifetime 120 seconds
DPD enabled

04/22/2008,09:48:12:ISAKMP-Informational:
Begin IKE phase 2 negotiation, initiated by 1.1.1.2:
Peers 30.30.30.2<->1.1.1.2

04/22/2008,09:48:12:ISAKMP-Informational:
Finished IKE phase 2, creating outbound IPSEC SA:
SPI 0xfbea09c7, Peers 30.30.30.2<->1.1.1.2
Identities: 73.73.73.0/255.255.255.0->50.50.50.0/255.255.255.0
esp-aes, esp-sha-hmac, 3600 seconds, 4608000 KB, PFS #2
Tunnel mode

04/22/2008,09:48:12:ISAKMP-Informational:
Finished IKE phase 2, creating inbound IPSEC SA:
SPI 0x1b1c, Peers 1.1.1.2<->30.30.30.2
Identities: 50.50.50.0/255.255.255.0->73.73.73.0/255.255.255.0
esp-aes, esp-sha-hmac, 3600 seconds, 4608000 KB, PFS #2
Tunnel mode
Figure 43 – Avaya G450 Media Gateway – IPSec and Isakmp Debug.
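The syslog records above show the whole rekey sequence from the G450 side: the old ISAKMP SA is deleted at 09:46:50, the H.248 link to the controller drops at 09:47:42, DPD declares the peer dead at 09:47:58, and a fresh Phase 1 and Phase 2 complete at 09:48:11 and 09:48:12. The following script is an added example, not part of these Application Notes or of any Avaya tool: it parses console syslog output in the format of Figure 43, checks that every new IPSec SA carries the attributes the sample configuration is meant to negotiate (esp-aes, esp-sha-hmac, PFS group 2, tunnel mode), flags the H.248 outage and the DPD event, and measures how long the gateway went without an IPSec SA. The abbreviated sample input is constructed from the page's own records; the expected attribute list and the header format assumption are the author's own.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample in the G450 console syslog format of Figure 43. The values are
# taken from the page's output; the record set is abbreviated, not the full capture.
SAMPLE_SYSLOG = """\
04/22/2008,09:46:50:ISAKMP-Informational:
Sending IKE DELETE message (ISAKMP SA):
Peers 30.30.30.2<->1.1.1.2
Icookie - 8323fecb991b7cd0, Rcookie - 73159c04f0b63f69

04/22/2008,09:47:42:VOICE-Warning: H248 link is DOWN

04/22/2008,09:47:58:ISAKMP-Warning:
Peer 1.1.1.2 is presumed dead: IKE phase 1 negotiation failure

04/22/2008,09:48:11:ISAKMP-Informational:
Finished IKE phase 1 negotiation, creating ISAKMP SA:
Peers 30.30.30.2<->1.1.1.2
Icookie - 8323fecb81ecb35d, Rcookie - 643f0ef3bd44bc4e
esp-3des, esp-sha-hmac, DH group 2, Lifetime 120 seconds
DPD enabled

04/22/2008,09:48:12:ISAKMP-Informational:
Finished IKE phase 2, creating outbound IPSEC SA:
SPI 0xfbea09c7, Peers 30.30.30.2<->1.1.1.2
Identities: 73.73.73.0/255.255.255.0->50.50.50.0/255.255.255.0
esp-aes, esp-sha-hmac, 3600 seconds, 4608000 KB, PFS #2
Tunnel mode
"""

# Assumed record layout: "MM/DD/YYYY,HH:MM:SS:FACILITY-Severity:" followed by the
# message, either on the same line or on the lines below it.
HEADER = re.compile(r"^(\d\d/\d\d/\d{4}),(\d\d:\d\d:\d\d):([A-Za-z0-9]+)-(\w+):\s*(.*)$")

# Phase 2 attributes the sample configuration is supposed to negotiate (AES, SHA-1 HMAC,
# PFS with DH group 2, tunnel mode); anything else is a policy deviation worth alerting on.
EXPECTED_PHASE2 = ("esp-aes", "esp-sha-hmac", "PFS #2", "Tunnel mode")


@dataclass
class Record:
    ts: datetime
    facility: str
    severity: str
    lines: List[str] = field(default_factory=list)

    @property
    def text(self) -> str:
        return " ".join(self.lines)


def parse_syslog(raw: str) -> List[Record]:
    """Group console syslog lines into one Record per timestamped header."""
    records: List[Record] = []
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            date, clock, facility, severity, rest = m.groups()
            ts = datetime.strptime(f"{date} {clock}", "%m/%d/%Y %H:%M:%S")
            rec = Record(ts, facility, severity)
            if rest:
                rec.lines.append(rest)
            records.append(rec)
        elif records:
            records[-1].lines.append(line)  # continuation of the current record
    return records


def audit(records: List[Record]) -> Dict:
    """Check a rekey sequence: policy of the new IPSec SA, DPD and H.248 events, and the
    gap between tearing down the old ISAKMP SA and having a fresh IPSec SA."""
    findings: List[str] = []
    teardown_at: Optional[datetime] = None
    phase2_ok = False
    gap: Optional[float] = None
    for rec in records:
        text = rec.text
        stamp = rec.ts.strftime("%H:%M:%S")
        if "ISAKMP SA lifetime expiration" in text or "IKE DELETE message (ISAKMP SA)" in text:
            teardown_at = teardown_at or rec.ts
        if "H248 link is DOWN" in text:
            findings.append(f"{stamp} H.248 call-control link lost during rekey")
        if "presumed dead" in text:
            findings.append(f"{stamp} DPD declared peer dead: {text}")
        if "creating ISAKMP SA" in text and "DPD enabled" not in text:
            findings.append(f"{stamp} new ISAKMP SA negotiated without DPD")
        if "creating outbound IPSEC SA" in text:
            missing = [attr for attr in EXPECTED_PHASE2 if attr not in text]
            phase2_ok = not missing
            if missing:
                findings.append(f"{stamp} IPSec SA deviates from policy, missing: {missing}")
            if teardown_at is not None and gap is None:
                gap = (rec.ts - teardown_at).total_seconds()
    return {"findings": findings, "phase2_policy_ok": phase2_ok, "rekey_gap_seconds": gap}


if __name__ == "__main__":
    result = audit(parse_syslog(SAMPLE_SYSLOG))
    for finding in result["findings"]:
        print(finding)
    print("phase 2 policy ok:", result["phase2_policy_ok"])
    print("seconds without an IPSec SA:", result["rekey_gap_seconds"])
```

On the sample the rekey gap is 82 seconds, long enough for the H.248 link to drop; the 120 second Phase 1 lifetime in the log is the value used for this test and would be much longer in production, but the same check applies to any lifetime expiry.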

9.7. Verify Security Associations (SAs) on the Cisco PIX 515 Firewall
1. Verify ISAKMP SA using the show command.
a. show crypto isakmp sa
pixfirewall# show crypto isakmp sa
Total : 1
Embryonic : 0
dst             src             state      pending    created
30.30.30.2      1.1.1.2         QM_IDLE    0          1
Figure 44 – Cisco PIX 515 Firewall – ISAKMP SA.
2. Verify IPSec SAs using the show command.
a. show crypto ipsec sa detail
pixfirewall# show crypto ipsec sa detail

interface: outside
Crypto map tag: BranchVPN, local addr. 1.1.1.2
local ident (addr/mask/prot/port): (50.50.50.0/255.255.255.0/1/0)
remote ident (addr/mask/prot/port): (73.73.73.0/255.255.255.0/1/0)
current_peer: 30.30.30.2:0
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#pkts no sa (send) 0, #pkts invalid sa (rcv) 0
#pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
#pkts invalid prot (recv) 0, #pkts verify failed: 0
#pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
#pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
##pkts replay failed (rcv): 0
#pkts internal err (send): 0, #pkts internal err (recv) 0

local crypto endpt.: 1.1.1.2, remote crypto endpt.: 30.30.30.2


path mtu 1500, ipsec overhead 0, media mtu 1500
current outbound spi: 0
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:

local ident (addr/mask/prot/port): (50.50.50.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (73.73.73.0/255.255.255.0/0/0)
current_peer: 30.30.30.2:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 508147, #pkts encrypt: 508147, #pkts digest 508147
#pkts decaps: 514309, #pkts decrypt: 514309, #pkts verify 514309
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#pkts no sa (send) 110, #pkts invalid sa (rcv) 0
#pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
#pkts invalid prot (recv) 0, #pkts verify failed: 0
#pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
#pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
##pkts replay failed (rcv): 0
#pkts internal err (send): 0, #pkts internal err (recv) 0

local crypto endpt.: 1.1.1.2, remote crypto endpt.: 30.30.30.2


path mtu 1500, ipsec overhead 72, media mtu 1500
current outbound spi: 80ce

inbound esp sas:
spi: 0xd9e32a9f(3655543455)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 1, crypto map: BranchVPN
sa timing: remaining key lifetime (k/sec): (4607925/2586)
IV size: 16 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x80ce(32974)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2, crypto map: BranchVPN
sa timing: remaining key lifetime (k/sec): (4607953/2586)
IV size: 16 bytes
replay detection support: Y

outbound ah sas:
outbound pcp sas:
pixfirewall#
Figure 45 – Cisco PIX 515 Firewall – IPSec SA.

9.8. Verify Security Associations (SAs) on the G450 Gateway
1. Verify ISAKMP SA using the show command.
a. show crypto isakmp sa
G450-001(super)# show crypto isakmp sa

C-id Local           Remote          State   Encr    Hash Aut DH TTL   DPD Nat-T
---- --------------- --------------- ------- ------- ---- --- -- ----- --- -----
109  30.30.30.2      1.1.1.2         Ready   3des    sha  psk 2  85726 Yes No
Figure 46 – Avaya G450 Media Gateway – ISAKMP SA.

2. Verify inbound and outbound IPSec SAs using the show command.
a. show crypto ipsec sa detail
G450-001(super)# show crypto ipsec sa detail
Inbound pkts errors (global):
Invalid spi 0
Invalid interface 0
Interface: Serial 8/1:1.1
Crypto list id: 901, Local address: 30.30.30.2
Rule: 1, Crypto map: 1, "PIX_Outside"
Local address: 30.30.30.2
Remote address: 1.1.1.2
Local identity: 73.73.73.0/255.255.255.0
Remote identity: 50.50.50.0/255.255.255.0
path mtu 1500, media mtu 1500, configured min PMTU 300
Current outbound spi: 0xd9e32a9f

Inbound packets                      Outbound packets
------------------------------------ -----------------------------------
Total                           1592 Total                          1862
Total OK                        1592 Total OK                       1861
Decrypt                         1592 Encrypt                        1861
Verify                          1592 Digest                         1861
Decaps                          1592 Encaps                         1861
Total discards                     0 Total discards                    1
Invalid len                        0 No sa                             1
Replay failed                      0 Seq rollover                      0
Sa expired                         0 Sa expired                        0
Auth failed                        0
Bad padding                        0
Invalid identity                   0
Unprotected                        0
Other discards                     0 Other discards                    0

SA Type         SPI        Transform     PFS Secs left  KB left    Mode
--------------- ---------- ------------- --- ---------- ---------- ------
Outbound ESP    0xd9e32a9f esp-aes       #2  2888       4607938    Tunnel
                           esp-sha-hmac
Inbound ESP     0x80ce     esp-aes       #2  2888       4607937    Tunnel
                           esp-sha-hmac
Figure 47 – Avaya G450 Media Gateway – IPSec SA.

9.9. Verify the Avaya G450 Media Gateway Registration Status
1. Check the MGC controller status from the Avaya G450 Media Gateway CLI.
a. show mgc
G450-001(super)# show mgc
CALL CONTROLLER STATUS
-------------------------------------------
Registered : YES
Active Controller : 50.50.50.100
H248 Link Status : UP
H248 Link Error Code: 0x0

CONFIGURED MGC HOST
---------------------
50.50.50.100
-- Not Available --
-- Not Available --
sls disabled
Done!
G450-001(super)#
Figure 48 – Avaya G450 Media Gateway – MGC Status.

2. Verify the registration status of the Avaya G450 Media Gateway with the S8500 Server via
the Avaya Communication Manager SAT.
a. display media-gateway 1
display media-gateway 1
MEDIA GATEWAY
Number: 1 Registered? y
Type: g450 FW Version/HW Vintage: 27 .26 .0 /0
Name: G450_Branch MGP IP Address: 73 .73 .73 .2
Serial No: 07IS13107508 Controller IP Address: 50 .50 .50 .100
Encrypt Link? y MAC Address: 00:04:0d:ea:ab:b8
Network Region: 2
Location: 1 Site Data:
Recovery Rule: 1

Slot Module Type Name DSP Type FW/HW version
V1:
V2: MM710 DS1 MM
V3: MM342 USP WAN MM
V4: MP80 8 1
V5: MM711 ANA MM
V6: MM712 DCP MM
V7: MM716 ANA MM Max Survivable IP Ext: 8
V8: MM340 DS1 WAN MM
V9:
Figure 49 – Avaya S8500 Server – Avaya G450 Media Gateway Status.

9.10. Place Test Calls
Place calls (H.323/H.323, SIP/SIP, SIP/H.323) between the Branch office and the Main office.
1. Verify call establishment and voice quality over the VPN.
2. Place an IP protocol analyzer on the network between the Cisco PIX 515 Firewall and the
Cisco 2811 WAN router. Verify that the traffic is encrypted (ESP). In the sample
configuration, 1.1.1.2 is the outside interface of the Cisco PIX 515 Firewall and 30.30.30.2 is
the serial interface of the Avaya G450 Media Gateway.
No. Time Source Destination Protocol Info
851 09:44:17.815564 30.30.30.2 1.1.1.2 ESP ESP (SPI=0xfbea09c7)
852 09:44:17.839880 30.30.30.2 1.1.1.2 ESP ESP (SPI=0xfbea09c7)
853 09:44:17.841574 1.1.1.2 30.30.30.2 ESP ESP (SPI=0x00001b1c)
854 09:44:17.850941 1.1.1.2 30.30.30.2 ESP ESP (SPI=0x00001b1c)
855 09:44:17.855480 30.30.30.2 1.1.1.2 ESP ESP (SPI=0xfbea09c7)
856 09:44:17.879741 30.30.30.2 1.1.1.2 ESP ESP (SPI=0xfbea09c7)
857 09:44:17.881470 1.1.1.2 30.30.30.2 ESP ESP (SPI=0x00001b1c)
858 09:44:17.890920 1.1.1.2 30.30.30.2 ESP ESP (SPI=0x00001b1c)
859 09:44:17.895591 30.30.30.2 1.1.1.2 ESP ESP (SPI=0xfbea09c7)
860 09:44:17.912655 1.1.1.2 30.30.30.2 ESP ESP (SPI=0x00001b1c)
861 09:44:17.917298 30.30.30.2 1.1.1.2 ESP ESP (SPI=0xfbea09c7)
862 09:44:17.918881 1.1.1.2 30.30.30.2 ESP ESP (SPI=0x00001b1c)
863 09:44:17.919828 30.30.30.2 1.1.1.2 ESP ESP (SPI=0xfbea09c7)
864 09:44:17.921324 1.1.1.2 30.30.30.2 ESP ESP (SPI=0x00001b1c)
865 09:44:17.923272 30.30.30.2 1.1.1.2 ESP ESP (SPI=0xfbea09c7)
866 09:44:17.929803 30.30.30.2 1.1.1.2 ESP ESP (SPI=0xfbea09c7)
867 09:44:17.930777 30.30.30.2 1.1.1.2 ESP ESP (SPI=0xfbea09c7)
868 09:44:17.931331 1.1.1.2 30.30.30.2 ESP ESP (SPI=0x00001b1c)
869 09:44:17.934303 1.1.1.2 30.30.30.2 ESP ESP (SPI=0x00001b1c)
870 09:44:17.939781 30.30.30.2 1.1.1.2 ESP ESP (SPI=0xfbea09c7)
871 09:44:17.941325 1.1.1.2 30.30.30.2 ESP ESP (SPI=0x00001b1c)
872 09:44:17.954010 1.1.1.2 30.30.30.2 ESP ESP (SPI=0x00001b1c)
873 09:44:17.958380 30.30.30.2 1.1.1.2 ESP ESP (SPI=0xfbea09c7)
874 09:44:17.960390 1.1.1.2 30.30.30.2 ESP ESP (SPI=0x00001b1c)
875 09:44:17.966396 30.30.30.2 1.1.1.2 ESP ESP (SPI=0xfbea09c7)
876 09:44:17.979445 30.30.30.2 1.1.1.2 ESP ESP (SPI=0xfbea09c7)
877 09:44:17.981452 1.1.1.2 30.30.30.2 ESP ESP (SPI=0x00001b1c)
878 09:44:18.072626 1.1.1.2 30.30.30.2 ESP ESP (SPI=0x00001b1c)
879 09:44:18.077758 30.30.30.2 1.1.1.2 ESP ESP (SPI=0xfbea09c7)
Figure 50 – IP Protocol Trace – Encapsulated Security Protocol.
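Reading the trace by eye confirms that only ESP flows between 1.1.1.2 and 30.30.30.2, but it does not confirm that the SPIs seen on the wire are the SAs the peers currently hold. The script below is an added example and not part of these Application Notes: it reads analyzer output in the column layout of Figure 50, counts packets per SPI and direction, reports any ESP packet whose SPI is not the one the peers negotiated (the debug output of Figures 42 and 43 gives 0xfbea09c7 towards the PIX and 0x1b1c towards the G450), and reports any non-ESP, non-ISAKMP packet between the two tunnel endpoints, which would mean traffic is bypassing the tunnel. The known-SA table and the two extra frames (900 and 901) are constructed for the demonstration.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Tunnel endpoints of the sample configuration: PIX outside interface and G450 serial interface.
TUNNEL_ENDPOINTS: Set[str] = {"1.1.1.2", "30.30.30.2"}

# SPIs the two peers reported for their SAs in Figures 42 and 43, keyed by (source, destination).
KNOWN_SAS: Dict[Tuple[str, str], int] = {
    ("30.30.30.2", "1.1.1.2"): 0xFBEA09C7,  # G450 outbound / PIX inbound
    ("1.1.1.2", "30.30.30.2"): 0x1B1C,      # PIX outbound / G450 inbound
}

# Constructed trace in the column layout of Figure 50. Frames 851-854 are copied from the
# page; frames 900 and 901 are made up to exercise the two failure cases.
SAMPLE_TRACE = "\n".join([
    "No. Time Source Destination Protocol Info",
    "851 09:44:17.815564 30.30.30.2 1.1.1.2 ESP ESP (SPI=0xfbea09c7)",
    "852 09:44:17.839880 30.30.30.2 1.1.1.2 ESP ESP (SPI=0xfbea09c7)",
    "853 09:44:17.841574 1.1.1.2 30.30.30.2 ESP ESP (SPI=0x00001b1c)",
    "854 09:44:17.850941 1.1.1.2 30.30.30.2 ESP ESP (SPI=0x00001b1c)",
    "900 09:44:19.000000 30.30.30.2 1.1.1.2 ESP ESP (SPI=0x0badc0de)",  # constructed: stale SPI
    "901 09:44:19.100000 30.30.30.2 1.1.1.2 UDP Source port: 2048  Destination port: 2048",  # constructed: not tunnelled
])

# Columns: frame number, time, source, destination, protocol, free-form info.
LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")
SPI = re.compile(r"SPI=0x([0-9a-fA-F]+)")


def check_trace(trace: str, known_sas: Dict[Tuple[str, str], int], endpoints: Set[str]) -> Dict:
    """Correlate ESP packets between the tunnel endpoints with the SAs the peers hold."""
    flows: Dict[Tuple[str, str], Dict[int, int]] = defaultdict(lambda: defaultdict(int))
    unknown_spi: List[Tuple[int, str, str, int]] = []
    cleartext: List[Tuple[int, str, str, str]] = []
    for line in trace.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # column header or unparseable line
        frame, _time, src, dst, proto, info = m.groups()
        if src not in endpoints or dst not in endpoints:
            continue  # only traffic between the two tunnel endpoints is of interest
        if proto == "ESP":
            spi_m = SPI.search(info)
            if spi_m is None:
                continue
            spi = int(spi_m.group(1), 16)
            flows[(src, dst)][spi] += 1
            if known_sas.get((src, dst)) != spi:
                # An SPI neither peer reports: an expired SA still sending, or an injected packet.
                unknown_spi.append((int(frame), src, dst, spi))
        elif proto != "ISAKMP":
            # Anything other than ESP or IKE between the endpoints is not protected by the tunnel.
            cleartext.append((int(frame), src, dst, proto))
    return {"flows": {k: dict(v) for k, v in flows.items()},
            "unknown_spi": unknown_spi, "cleartext": cleartext}


if __name__ == "__main__":
    result = check_trace(SAMPLE_TRACE, KNOWN_SAS, TUNNEL_ENDPOINTS)
    for (src, dst), spis in result["flows"].items():
        for spi, count in spis.items():
            print(f"{src} -> {dst} SPI 0x{spi:08x}: {count} packets")
    print("unknown SPIs:", result["unknown_spi"])
    print("unprotected packets:", result["cleartext"])
```

Packets with an unknown SPI are what the receiving peer counts as "invalid spi" or "#pkts invalid sa (rcv)" in the SA statistics, so a non-zero result here and a rising counter there point at the same problem from two vantage points.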

10. VPN Troubleshooting
Recommended troubleshooting order:
1. Physical Connectivity
2. Network Connectivity
3. Confirm Phase 1 ISAKMP SA establishment
4. Confirm Phase 2 inbound and outbound IPSec SA establishment
5. Confirm bi-directional VPN forwarding
If network connectivity appears to be working correctly, check SA establishment (see Section 9). If
an ISAKMP SA and IPSec SAs are created between the peers, the problem is usually routing. Check
the encryption and decryption statistics for the IPSec SAs. If there is a routing problem on one side of
the tunnel, the Administrator will notice encryption/decryption in only one direction. This usually
indicates that the remote network cannot route back through the tunnel. The most commonly
encountered problems with VPNs are either mismatched ISAKMP or IPSec security attributes or
routing problems. Be sure to pay close attention to these configuration items when administering a
VPN.
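The counters in the output of show crypto ipsec sa detail (Section 9.7) are what the troubleshooting order above relies on: encapsulation without decapsulation, or the reverse, indicates a routing problem on one side, while zero on both with no SPI means Phase 2 never completed. The following script is an added example, not part of these Application Notes or of Cisco's tooling: it parses PIX output in the format of Figure 45, one record per crypto-map entry, classifies each entry as bidirectional, one-way, idle or without an SA, and surfaces the counters that point at a specific fault (no SA when sending, unknown SPI on receive, integrity failures, anti-replay rejections). The sample input is an abbreviated copy of the page's own output, with the ICMP-only entry and the working entry that carried 110 "no sa" drops while the tunnel was being established.

```python
import re
from typing import Dict, List

# Constructed excerpt of "show crypto ipsec sa detail" from the PIX in Figure 45; the two
# crypto-map entries and their counters are copied from the page, other lines omitted.
SAMPLE_PIX_OUTPUT = """\
interface: outside
Crypto map tag: BranchVPN, local addr. 1.1.1.2
local ident (addr/mask/prot/port): (50.50.50.0/255.255.255.0/1/0)
remote ident (addr/mask/prot/port): (73.73.73.0/255.255.255.0/1/0)
current_peer: 30.30.30.2:0
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts no sa (send) 0, #pkts invalid sa (rcv) 0
#pkts invalid prot (recv) 0, #pkts verify failed: 0
##pkts replay failed (rcv): 0
current outbound spi: 0

local ident (addr/mask/prot/port): (50.50.50.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (73.73.73.0/255.255.255.0/0/0)
current_peer: 30.30.30.2:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 508147, #pkts encrypt: 508147, #pkts digest 508147
#pkts decaps: 514309, #pkts decrypt: 514309, #pkts verify 514309
#pkts no sa (send) 110, #pkts invalid sa (rcv) 0
#pkts invalid prot (recv) 0, #pkts verify failed: 0
##pkts replay failed (rcv): 0
current outbound spi: 80ce
"""

IDENT = re.compile(r"^\s*(local|remote) ident \(addr/mask/prot/port\): \(([^)]*)\)")
PEER = re.compile(r"current_peer: (\S+)")
OUT_SPI = re.compile(r"current outbound spi: (\w+)")
COUNTERS = {
    "encaps": re.compile(r"#pkts encaps: (\d+)"),
    "decaps": re.compile(r"#pkts decaps: (\d+)"),
    "no_sa_send": re.compile(r"#pkts no sa \(send\) (\d+)"),
    "invalid_sa_rcv": re.compile(r"#pkts invalid sa \(rcv\) (\d+)"),
    "verify_failed": re.compile(r"#pkts verify failed: (\d+)"),
    "replay_failed": re.compile(r"#pkts replay failed \(rcv\): (\d+)"),
}


def parse_pix_ipsec_sa(raw: str) -> List[Dict]:
    """One dict per crypto-map entry; a new entry starts at each 'local ident' line."""
    entries: List[Dict] = []
    for line in raw.splitlines():
        m = IDENT.match(line)
        if m:
            side, ident = m.groups()
            if side == "local":
                entries.append({"local": ident})
            elif entries:
                entries[-1]["remote"] = ident
            continue
        if not entries:
            continue  # interface and crypto-map header lines precede the first entry
        entry = entries[-1]
        if m := PEER.search(line):
            entry["peer"] = m.group(1)
        if m := OUT_SPI.search(line):
            entry["outbound_spi"] = m.group(1)
        for name, pattern in COUNTERS.items():
            if m := pattern.search(line):
                entry[name] = int(m.group(1))
    return entries


def assess(entry: Dict) -> Dict:
    """Classify traffic direction and surface counters that point at a specific fault."""
    enc, dec = entry.get("encaps", 0), entry.get("decaps", 0)
    if enc == 0 and dec == 0:
        status = "no-traffic" if entry.get("outbound_spi", "0") != "0" else "no-sa"
    elif enc and dec:
        status = "bidirectional"
    elif enc:
        status = "one-way-tx"  # local side encrypts, nothing comes back: remote routing suspect
    else:
        status = "one-way-rx"  # local side only decrypts: local routing into the tunnel suspect
    notes: List[str] = []
    if entry.get("no_sa_send", 0):
        notes.append(f"{entry['no_sa_send']} packets dropped for lack of an SA (before or between rekeys)")
    if entry.get("invalid_sa_rcv", 0):
        notes.append(f"{entry['invalid_sa_rcv']} packets arrived with an unknown SPI")
    if entry.get("verify_failed", 0):
        notes.append(f"{entry['verify_failed']} integrity-check failures (key or transform mismatch)")
    if entry.get("replay_failed", 0):
        notes.append(f"{entry['replay_failed']} packets rejected by anti-replay")
    return {"local": entry.get("local"), "remote": entry.get("remote"),
            "peer": entry.get("peer"), "status": status, "notes": notes}


def assess_all(raw: str) -> List[Dict]:
    return [assess(e) for e in parse_pix_ipsec_sa(raw)]


if __name__ == "__main__":
    for r in assess_all(SAMPLE_PIX_OUTPUT):
        print(f"{r['local']} -> {r['remote']} via {r['peer']}: {r['status']}")
        for note in r["notes"]:
            print("   ", note)
```

Run twice a minute apart and compare the encaps and decaps deltas rather than the absolute values; a tunnel that was healthy an hour ago still shows large totals after the return path breaks, and only the delta reveals the one-way condition described above.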

10.1. Clearing Avaya G450 Media Gateway SAs
The following Avaya G450 Media Gateway commands may be used to clear ISAKMP (Phase 1) and
IPSec (Phase 2) SAs. Administrators should always clear Phase 2 IPSec SAs prior to clearing Phase 1
ISAKMP SAs in order to ensure proper operation.
1. IPSEC Phase 2 SA
a. clear crypto sa all
2. ISAKMP Phase 1 SA
a. clear crypto isakmp

Alternatively, the Administrator may choose to remove a specific ISAKMP SA from a list
of SAs based on the C-id.

b. Enter the show crypto isakmp sa command and note the “C-id” number you wish to
clear (depending on the configuration, more than one may be listed).
G450-001(super)# show crypto isakmp sa

C-id Local           Remote          State   Encr    Hash Aut DH TTL   DPD Nat-T
---- --------------- --------------- ------- ------- ---- --- -- ----- --- -----
109  30.30.30.2      1.1.1.2         Ready   3des    sha  psk 2  85726 Yes No
Figure 51 – Output of show crypto isakmp sa command.

c. Enter clear crypto isakmp xxx, where xxx is the C-id number (109 in the example
above).

10.2. Capturing IPSEC Data on the Avaya G450 Media Gateway
The Avaya G450 Media Gateway has a capture function allowing a protocol trace to be taken that
decrypts the IPSec data streams. This captured data can then be read by the Wireshark open-source IP
protocol analyzer to help in debugging protocol issues on the VPN tunnel.

Note – The capture feature has many options to customize the data that is collected. For more
information on this command see [1].

1. Enable the capture feature.
a. capture-service
2. Specify the interface where the capture will be performed. In the sample configuration this is
the Frame Relay Serial sub-interface that terminates the VPN at the Avaya G450 Media
Gateway (see Section 3.4).
b. capture interface serial 8/1:1.1
3. Enable IPSec decryption for the capture.
c. capture ipsec decrypted
4. Start the capture.
d. capture start
5. After the test is performed, stop the capture.
e. capture stop
6. Verify that data has been captured into the buffer with the show capture command. Figure 51
shows a sample output from this command.
f. show capture
G450-001> show capture
Capture service is enabled and inactive
Capture start time 19/06/2004-13:57:40
Capture stop time 19/06/2004-13:58:23
Current buffer size is 1024 KB
Buffer mode is cyclic
Maximum number of bytes captured from each frame: 1515
Capture list 527 on interface "Serial 8/1:1.1"
Number of captured frames in file: 3596 (out of 3596 total captured frames)
Size of capture file: 266 KB (26.6 %)
Figure 51 – Output of show capture command.

7. Copy the captured data to an external device to be viewed via Wireshark. The file can be
copied via FTP, TFTP, SCP, or to a USB device. In the sample configuration the captured
data was copied to a USB flash drive inserted into a USB interface on the Avaya G450 Media
Gateway.
g. copy capture-file usb <name the file> usbdevice0
h. Before removing the USB device, enter safe-removal usb usbdevice0

11. Conclusion
Site-to-site IPSec Virtual Private Network (VPN) connectivity between an Avaya G450 Media
Gateway and a Cisco PIX 515 Firewall, using the Internet Key Exchange (IKE) protocol to establish
a secure Internet Security Association and Key Management Protocol (ISAKMP) control channel
between two peers, can be achieved using the guidelines demonstrated in these Application Notes.

12. References
The following references are available from www.avaya.com

[1] Administration for the Avaya G450 Media Gateway, 03-602055, Issue 1, January 2008

[2] Administrator Guide for Avaya Communication Manager, 03-300509, Issue 4.0, Release 5.0,
January 2008

[3] IPSec Virtual Private Network (VPN) between an Avaya G350 Media Gateway and a Cisco PIX
525 Firewall - Issue 1.0, March 2005

[4] Avaya one-X™ Deskphone Edition for 9600 Series SIP IP Telephones Administrator Guide
Release 2.0, 16-601944, Issue 2, December 2007

[5] Avaya one-X™ Deskphone Edition for 9600 Series SIP IP Telephones Installation and
Maintenance Guide Release 2.0, 16-601943, Issue 2, December 2007

The following references are available from www.cisco.com

[6] Cisco PIX Firewall Command Reference, Version 6.3, 78-14890-01, 2004

[7] PIX 6.x: Simple PIX-to-PIX VPN Tunnel Configuration Example, Document ID: 6211, 2007

[8] Cisco IOS Wide-Area Networking Command Reference, Release 12.3, OL-4432-01

©2008 Avaya Inc. All Rights Reserved.
Avaya and the Avaya Logo are trademarks of Avaya Inc. All trademarks identified by ® and
™ are registered trademarks or trademarks, respectively, of Avaya Inc. All other trademarks
are the property of their respective owners. The information provided in these Application
Notes is subject to change without notice. The configurations, technical data, and
recommendations provided in these Application Notes are believed to be accurate and
dependable, but are presented without express or implied warranty. Users are responsible for
their application of any products specified in these Application Notes.

Please e-mail any questions or comments pertaining to these Application Notes along with the
full title name and filename, located in the lower right corner, directly to the Avaya Solution &
Interoperability Test Lab at interoplabnotes@list.avaya.com
