Administration of the Avaya G350 Media Gateway - Avaya Support
Configuring IPSec VPN

IPSec VPN maintenance

You can display IPSec VPN configuration and status, and clear IPSec VPN data, using certain show and clear CLI commands. In addition, you can display the IPSec VPN log to verify the success or failure of IPSec VPN operations, and to view the actual configuration of both peers for a successful debug in case of a problem.

The following sections describe these options.

Displaying IPSec VPN configuration

You can use the following show CLI commands to display IPSec VPN configuration. For a full description of the commands and their output fields see Avaya G350 Media Gateway CLI Reference, 555-245-202.

● Use the show crypto ipsec transform-set command to display configuration for a specified transform-set or all transform-sets.
● Use the show crypto isakmp policy command to display ISAKMP policy configuration.
● Use the show crypto isakmp peer command to display crypto ISAKMP peer configuration.
● Use the show crypto map command to display all or specific crypto map configurations.
● Use the show ip crypto-list list# command to display the configuration of a specific crypto-list.
● Use the show ip crypto-list command to display all crypto-lists.
● Use the show ip active-lists command to display the crypto-lists active on each interface.

Displaying IPSec VPN status

You can use the following show CLI commands to display IPSec VPN status. For a full description of the commands and their output fields see the CLI Reference Guide.

● Use the show crypto isakmp sa command to display ISAKMP SA database status.
● Use the show crypto ipsec sa [detail] CLI command to display the IPsec SA database status.
● Use the show crypto ipsec sa address CLI command to display the IPsec SA configuration by peer IP address.
● Use the show crypto ipsec sa list list-id [rule rule-id] [detail] CLI command to display the IPsec SA configuration by list ID and rule ID.

Tip: The detail option in the various show crypto ipsec sa CLI commands provides detailed counters information on each IPSec SA. To pinpoint the source of a problem, it is useful to check for a counter whose value grows with time.

● Use the clear crypto sa counters command to clear the crypto SA counters.

IPSec VPN intervention

You can use the following clear CLI commands to intervene in IPSec VPN configuration:

● Use the clear crypto sa command to clear all IPSec SAs (security association structures).
● Use the clear crypto isakmp command to flush a specific entry in the ISAKMP database or the entire ISAKMP database.

Note: If you wish to clear both an ISAKMP connection and the IPSec SAs, the recommended order of operations is: First clear the IPSec SAs using the clear crypto sa all command, then clear the ISAKMP SA using the clear crypto isakmp command.

IPSec VPN logging

IPSec VPN logging allows you to view the start and finish of IKE phase 1 and IKE phase 2 negotiations. Most importantly, it displays the configuration of both peers, so that you can pinpoint the problem in case of a mismatch between the IPSec VPN configuration of the peers.

To view the IPSec VPN syslog:

1. Use the set logging session enable command to enable syslog on the session.

    G350-001# set logging session enable
    Done!
    CLI-Notification: write: set logging session enable

Issue 3 January 2005
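The tip under "Displaying IPSec VPN status", that a counter whose value grows with time points at the problem, can be applied to saved captures of show crypto ipsec sa detail output. The following is an added example, not part of the Avaya manual: it assumes each counter prints as "name: value" under a per-SA header line, and the counter names and captures are constructed placeholders (the real fields are in the CLI Reference).

```python
import re

# Assumption: each counter prints as "<name>: <integer>" and each SA block
# starts with a header line; the real fields are in the CLI Reference.
COUNTER_RE = re.compile(r"^\s*([A-Za-z][\w /-]*?)\s*[:=]\s*(\d+)\s*$")

def parse_counters(text):
    """Map (SA header, counter name) -> integer value for one capture."""
    counters, section = {}, ""
    for line in text.splitlines():
        if not line.strip():
            continue
        m = COUNTER_RE.match(line)
        if m:
            counters[(section, m.group(1).lower())] = int(m.group(2))
        else:
            section = line.strip()  # any non-counter line opens a new block
    return counters

def growing_counters(captures, expected=()):
    """Return {key: total increase} for counters that rise in every interval.

    Counters that drop (SA renegotiated, or `clear crypto sa counters` run
    between captures) or that are missing from a capture are skipped, so a
    reset is never mistaken for growth. Names in `expected` are ignored.
    """
    if len(captures) < 2:
        raise ValueError("need at least two captures to measure growth")
    parsed = [parse_counters(c) for c in captures]
    report = {}
    for key in parsed[0]:
        if key[1] in expected or any(key not in p for p in parsed):
            continue
        values = [p[key] for p in parsed]
        if all(b > a for a, b in zip(values, values[1:])):
            report[key] = values[-1] - values[0]
    return report

# Constructed captures: placeholder counter names, not real G350 output.
HEADER = "Peer 192.0.2.10 (constructed)\n"
T0 = HEADER + "packets out: 1200\npackets in: 1180\ndecrypt failures: 0\nreplay drops: 4\n"
T1 = HEADER + "packets out: 1450\npackets in: 1400\ndecrypt failures: 17\nreplay drops: 4\n"
T2 = HEADER + "packets out: 1700\npackets in: 1650\ndecrypt failures: 41\nreplay drops: 4\n"
TRAFFIC = {"packets out", "packets in"}  # counters expected to grow

if __name__ == "__main__":
    for (sa, name), delta in growing_counters([T0, T1, T2], TRAFFIC).items():
        print(f"{sa}: '{name}' grew by {delta}")
```

Taking three or more captures separates a counter that climbs steadily from one that moved once and stopped.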