Administration of the Avaya G350 Media Gateway - Avaya Support
Configuring IPSec VPN

● hash: the hash (authentication) algorithm for the ISAKMP policy: sha or md5 (default: md5)
● group: the Diffie-Hellman group for the ISAKMP policy: 1 or 2 (default: 1)
● authentication: the authentication of the ISAKMP policy, pre-shared secret: pre-share
● lifetime: the lifetime of the ISAKMP SA, in seconds

G350-001(config-isakmp:1)# description "lincroft ike"
Done!
G350-001(config-isakmp:1)# encryption des
Done!
G350-001(config-isakmp:1)# hash md5
Done!
G350-001(config-isakmp:1)# group 1
Done!
G350-001(super-isakmp:1)# authentication pre-share
Done!
G350-001(config-isakmp:1)# lifetime 60000
Done!

3. Exit the ISAKMP policy context using the exit CLI command.

G350-001(config-isakmp:1)# exit
G350-001#

Configuring transform-sets

A transform-set defines the IKE phase 2 parameters. It specifies the encryption and authentication algorithms to be used, sets a security association lifetime, and specifies whether PFS is enabled and which DH group it uses.

Note: You can define up to 20 transform-sets.

To configure a transform-set:

1. Enter transform-set context and create a new transform-set by using the crypto ipsec transform-set CLI command. The command variables include:

● The name of the transform-set
● The encryption algorithm used by the transform-set: esp-des, esp-3des, esp-aes or esp-null (no encryption)
● The authentication algorithm used by the transform-set: esp-md5-hmac or esp-sha-hmac.
Configuring a site-to-site IPSec VPN

Important: You must define at least one transform-set.

G350-001# crypto ipsec transform-set ts1 esp-3des esp-md5-hmac
G350-001(config-transform:ts1)#

2. Configure the following transform-set parameters:

● set pfs: specifies whether each IKE phase 2 negotiation will employ PFS (Perfect Forward Secrecy) and, if so, which Diffie-Hellman group to employ. PFS ensures that even if someone were to discover the long-term secret(s), the attacker would not be able to recover the session keys, both past and present. In addition, the discovery of a session key compromises neither the long-term secrets nor the other session keys. The default setting is no set pfs.
● set security-association lifetime seconds: the security association lifetime in seconds
● set security-association lifetime kilobytes: the security association lifetime in kilobytes

G350-001(config-transform:ts1)# set pfs group2
Done!
G350-001(config-transform:ts1)# set security-association lifetime seconds 7200
Done!
G350-001(config-transform:ts1)# set security-association lifetime kilobytes 268435456

3. Exit the crypto transform-set context using the exit CLI command.

G350-001(config-transform:ts1)# exit
G350-001#

Configuring ISAKMP peer information

ISAKMP peer information defines the remote peer identification, the pre-shared key used for peer authentication, and the ISAKMP policy to be used for IKE phase 1 negotiations between the peers.

Important: It is mandatory to define at least one ISAKMP peer.

Note: You can define up to 50 ISAKMP peers.

Issue 3 January 2005
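An added example, not part of the Avaya manual: a small Python check that reads a G350 CLI transcript in the prompt format shown above and reports the weaker choices among the options this section lists (des, md5, group 1, esp-des, esp-null, esp-md5-hmac, and PFS left at its default of off). The function name audit and the finding texts are assumptions of this example, and the sample input is constructed from commands shown on the page.

```python
import re

# Prompt shapes as they appear on the page, e.g. G350-001(config-isakmp:1)# hash md5
PROMPT = re.compile(r"^\S+?(?:\(\w+-(isakmp|transform):([^)]+)\))?#\s*(.*)$")
WEAK_ISAKMP = {("encryption", "des"): "single DES, 56-bit key",
               ("hash", "md5"): "MD5; the page lists sha",
               ("group", "1"): "768-bit DH group; the page lists group 2"}
WEAK_ESP = {"esp-des": "single DES, 56-bit key",
            "esp-null": "ESP without encryption",
            "esp-md5-hmac": "HMAC-MD5; the page lists esp-sha-hmac"}
ISAKMP_DEFAULTS = {"hash": "md5", "group": "1"}  # defaults stated on the page

def audit(transcript):
    """Return a list of findings for a G350 CLI transcript (hypothetical helper)."""
    policies, tsets, findings = {}, {}, []
    for raw in transcript.splitlines():
        m = PROMPT.match(raw.strip())
        if not m or not m.group(3):
            continue  # replies such as "Done!" and bare prompts carry no setting
        kind, name, words = m.group(1), m.group(2), m.group(3).split()
        if words[:3] == ["crypto", "ipsec", "transform-set"] and len(words) >= 6:
            tsets[words[3]] = {"algs": words[4:6], "pfs": False}
        elif kind == "isakmp" and len(words) >= 2:
            # Unset options keep the page's defaults, so they are audited too.
            policies.setdefault(name, dict(ISAKMP_DEFAULTS))[words[0]] = words[1]
        elif kind == "transform" and name in tsets and "pfs" in words[:3]:
            tsets[name]["pfs"] = words[0] == "set"  # "no set pfs" turns it off
    for name, opts in sorted(policies.items()):
        for key, val in sorted(opts.items()):
            if (key, val) in WEAK_ISAKMP:
                findings.append(f"isakmp {name}: {key} {val} ({WEAK_ISAKMP[(key, val)]})")
    for name, ts in sorted(tsets.items()):
        for alg in ts["algs"]:
            if alg in WEAK_ESP:
                findings.append(f"transform-set {name}: {alg} ({WEAK_ESP[alg]})")
        if not ts["pfs"]:
            findings.append(f"transform-set {name}: PFS off (default is no set pfs)")
    return findings

# Constructed input: a subset of the commands shown on the page.
PAGE_SAMPLE = """\
G350-001(config-isakmp:1)# encryption des
G350-001(config-isakmp:1)# hash md5
G350-001(config-isakmp:1)# group 1
G350-001(super-isakmp:1)# authentication pre-share
G350-001# crypto ipsec transform-set ts1 esp-3des esp-md5-hmac
G350-001(config-transform:ts1)# set pfs group2
"""
if __name__ == "__main__":
    print("\n".join(audit(PAGE_SAMPLE)))
```

Run against the page's own sample, it flags all three ISAKMP settings and the esp-md5-hmac transform; a policy that never sets hash or group is still reported because of the defaults.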