Administration of the Avaya G350 Media Gateway - Avaya Support
Configuring IPSec VPN

9. Exit crypto-list context using the exit CLI command.

    G350-001(Crypto 901)# exit
    G350-001#

Configuring interfaces

A crypto-list is activated on an interface. The G350 can have multiple crypto-lists activated on different interfaces.

To configure an interface:

1. Enter interface context using the interface CLI command.

    G350-001# interface Serial 2/1
    G350-001(if: Serial 2/1)#

2. Configure the following interface parameters:

● ip crypto-group: the crypto-list to be activated on this interface.

  Important: ip crypto-group is a mandatory parameter.

● crypto ipsec minimal pmtu: This command is intended for advanced users only. It sets the minimal PMTU value which can be applied to an SA when the G350 participates in Path MTU Discovery (PMTUD) for the tunnel pertaining to that SA.

● crypto ipsec df-bit copy: This command is intended for advanced users only. It sets the Don’t-Fragment bit to either clear or copy mode:

    ● copy – the DF bit of the encapsulated packet is copied from the original packet, and Path MTU Discovery (PMTUD) is maintained for the IPSec tunnel.
    ● clear – the DF bit of the encapsulated packet is never set, and PMTUD is not maintained for the IPSec tunnel.

Packets traversing an IPSec tunnel are pre-fragmented according to the MTU of the SA, regardless of their DF bit. If packets are fragmented, the DF bit is copied to every fragment of the original packet.

    G350-001(if: Serial 2/1)# ip crypto-group 901
    Done!
    G350-001(if: Serial 2/1)# crypto ipsec minimal pmtu 500
    Done!
    G350-001(if: Serial 2/1)# crypto ipsec df-bit copy
    Done!
Configuring a site-to-site IPSec VPN

3. Exit the interface context using the exit CLI command.

    G350-001(if: Serial 2/1)# exit
    G350-001#

Deactivating crypto lists to modify IPSec VPN parameters

Most IPSec VPN parameters cannot be modified if they are linked to an active crypto list. To modify a parameter linked to an active crypto list, you must first deactivate the list using the no ip crypto-group CLI command in the context of the interface on which the crypto list is activated.

Note: If the crypto list is activated on more than one interface, deactivate the crypto list for each of the interfaces on which it is activated.

For example:

    G350-001# interface Serial 2/1
    G350-001(if: Serial 2/1)# no ip crypto-group
    Done!

After modifying IPSec VPN parameters as desired, re-activate the crypto list on the interface using the ip crypto-group crypto-list-id CLI command. For example:

    G350-001# interface Serial 2/1
    G350-001(if: Serial 2/1)# ip crypto-group 901
    Done!

Issue 3 January 2005
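The note about deactivating a crypto list on every interface is easy to miss when a list is bound in several places. The following Python sketch is an added example, not Avaya code: it finds every interface on which a given crypto list is activated and emits the deactivate and re-activate command sequences using only the commands shown above. The saved-configuration layout and the interface names other than Serial 2/1 are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample. The stanza layout is an assumption; only the command
# names (interface, ip crypto-group, crypto ipsec ..., exit) come from the page.
SAMPLE_CONFIG = """\
interface Serial 2/1
 ip crypto-group 901
 crypto ipsec minimal pmtu 500
 crypto ipsec df-bit copy
exit
interface FastEthernet 10/2
 ip crypto-group 901
exit
interface Serial 3/1
 ip crypto-group 902
exit
"""

def crypto_list_bindings(config_text):
    """Map each crypto-list id to the interfaces on which it is activated."""
    bindings = defaultdict(list)
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r"interface\s+(.+)$", line)
        if m:
            current = m.group(1)
        elif line == "exit":
            current = None
        else:
            m = re.match(r"ip crypto-group\s+(\d+)$", line)
            if m and current:
                bindings[int(m.group(1))].append(current)
    return dict(bindings)

def change_plan(config_text, list_id):
    """Return (deactivate, reactivate) CLI lines covering every bound interface."""
    deactivate, reactivate = [], []
    for name in crypto_list_bindings(config_text).get(list_id, []):
        deactivate += [f"interface {name}", "no ip crypto-group", "exit"]
        reactivate += [f"interface {name}", f"ip crypto-group {list_id}", "exit"]
    return deactivate, reactivate

if __name__ == "__main__":
    down, up = change_plan(SAMPLE_CONFIG, 901)
    marker = ["--- modify IPSec VPN parameters for list 901 here ---"]
    print("\n".join(down + marker + up))
```

Comparing the interfaces in the deactivate half with those in the re-activate half after a change window confirms that no interface was left without its crypto list.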
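The pre-fragmentation behaviour described under crypto ipsec df-bit (packets are split to the SA's MTU regardless of their DF bit, and the DF bit is copied to every fragment) can be checked against a simplified model. This is an added example, not the gateway's implementation; it assumes a 20-byte IPv4 header without options, that each fragment including its header must fit within the SA MTU, and it ignores IPSec encapsulation overhead.

```python
from dataclasses import dataclass

IP_HEADER = 20  # assumption: IPv4 header without options

@dataclass(frozen=True)
class Fragment:
    offset: int           # byte offset of this fragment's data in the original packet
    total_len: int        # IP header plus data carried by this fragment
    more_fragments: bool  # MF flag: set on all but the last fragment
    df: bool              # DF flag as it appears on this fragment

def pre_fragment(total_len, df, sa_mtu):
    """Split a packet to fit sa_mtu the way the page describes:
    the original DF bit does not prevent fragmentation, and it is
    copied unchanged to every resulting fragment."""
    if sa_mtu < IP_HEADER + 8:
        raise ValueError("SA MTU too small to carry any fragment data")
    if total_len <= sa_mtu:
        return [Fragment(0, total_len, False, df)]
    # Fragment data must be a multiple of 8 bytes except in the last fragment.
    chunk = (sa_mtu - IP_HEADER) // 8 * 8
    data = total_len - IP_HEADER
    fragments = []
    for offset in range(0, data, chunk):
        size = min(chunk, data - offset)
        fragments.append(
            Fragment(offset, IP_HEADER + size, offset + size < data, df)
        )
    return fragments

if __name__ == "__main__":
    # Constructed case: a 1500-byte packet with DF set, and an SA whose MTU has
    # dropped to the 500-byte floor configured with "crypto ipsec minimal pmtu 500".
    for frag in pre_fragment(1500, True, 500):
        print(frag)
```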