Avaya Solution & Interoperability Test Lab

Configuring VPN Failover using a Peer Group and Generic Routing Encapsulation (GRE) Tunnel over IPSec on the Avaya G250 Media Gateway - Issue 1.0

Abstract

These Application Notes present the steps necessary to configure the VPN failover mechanism using a VPN peer group on an Avaya G250-BRI Media Gateway. A Cisco VPN 3000 Concentrator and an Enterasys XSR-1850 Security Router are configured to be two remote peer members in a peer group. Object Trackers are used for the VPN dead peer detection (DPD). GRE over IPSec with (OSPF) is used for IP routing. The GRE tunnels on the Avaya G250-BRI Media Gateway are terminated on a Cisco Router behind the Cisco VPN 3000 Concentrator and the Enterasys XSR-1850 Security Router. Quality of Service (QoS) configuration is not covered in these Application Notes.

JZ; Reviewed: Solution & Interoperability Test Lab Application Notes 1 of 28 GAK 6/27/2005 ©2005 Avaya Inc. All Rights Reserved. G250-VPN-PG.doc

1. Introduction

The network diagram in Figure 1 shows two offices. The office labeled “Main Office” contains an Avaya S8500 Media Server and an Avaya G650 Media Gateway. The office labeled “Small Office” contains an Avaya G250-BRI Media Gateway with S8300 Media Server LSP.

As shown in Figure 1, a Cisco VPN 3000 Concentrator and an Enterasys XSR-1850 Security Router are two VPN remote peers for the Avaya G250-BRI Media Gateway. These Application Notes illustrate how to configure a peer group on the G250-BRI Media Gateway so that the G250-BRI Media Gateway switches over to another peer if the current peer is detected to be dead. Object Trackers are used for the VPN Dead Peer Detection (DPD).

Access to the Internet from the Avaya G250-BRI Media Gateway is configured as PPP over T1 in the sample configuration. These Application Notes also apply to the scenario where a WAN port on the Avaya G250-BRI Media Gateway is used for Internet access via a DSL/Cable Modem or another Access Router.

The Avaya Inter-Gateway Alternate Routing (IGAR) feature provides a means of alternately using PSTN facilities when the IP link is incapable of carrying the bearer connection. The number of VoIP calls allowed on the IP link is determined by the Call Admission Control – Bandwidth Limit (CAC-BL) reported from the Avaya G250-BRI Media Gateway, and the IP Codec used. The overflow calls will use the PSTN facilities. A specific number of VoIP calls can be provisioned on a VPN peer by configuring a CAC-BL associated with that VPN peer. A different number of VoIP calls can be configured for each VPN peer.

[Figure 1: VPN Failover Configuration. Main Office: Avaya S8500 Media Server, Avaya G650 Media Gateway, Avaya 4600 Series IP Telephones, Cisco Catalyst 6509 (192.168.42.2), Cisco VPN 3000 Concentrator (141.150.155.80, private side 192.168.42.1), Enterasys XSR-1850 (12.160.179.124, private side 192.168.42.3), ISDN PRI to the PSTN. Small Office: Avaya G250-BRI Media Gateway (PMI 192.168.203.1, Internet side 68.38.206.100) with Avaya S8300 Media Server LSP, Avaya IP Telephone, Avaya Analog Phones, ISDN BRI to the PSTN. Two VPN tunnels across the Internet carry GRE/OSPF: Dynamic-CAC 128 kbps on the tunnel to the Cisco VPN 3000 Concentrator and 64 kbps on the tunnel to the Enterasys XSR-1850.]

Figure 1: VPN Failover Configuration


2. Equipment and Software Validated

Table 1 below shows the equipment and software versions used in these Application Notes.

Equipment                              Software
-------------------------------------  --------------------------------------------
Avaya S8500 Media Server               Avaya Communication Manager 3.0 (load 337.0)
Avaya S8300 Media Server (LSP)         Avaya Communication Manager 3.0 (load 337.0)
Avaya G650 Media Gateway
  IPSI (TN2312AP)                      HW03 FW012
  C-LAN (TN799DP)                      HW01 FW012
  MEDPRO (TN2302AP)                    HW15 FW102
Avaya G250-BRI Media Gateway           24.11.1
Avaya 4600 Series IP Telephones        2.1.3
Cisco VPN 3000 Concentrator            4.1.7.D
Cisco Catalyst 6509 Switch             Layer 2 8.3(4), Layer 3 12.1(13)E6
Enterasys XSR-1850 Security Router     7.5.0.0

Table 1: Version Information

3. Configurations

IGAR is a single-server feature that provides an alternate bearer path between the Port Networks (PNs) and Gateways (GWs). In order to keep a single-server system, an IP connection must exist between the Avaya Media Server and Avaya PNs/GWs. As shown in Figure 1, the Avaya G250-BRI Media Gateway will register to the Avaya S8300 LSP when there is no IP connection between the Main and Small Offices.

Refer to reference [1] on how to configure the Avaya IGAR feature based on Figure 1. Refer to reference [2] for detailed VPN configuration on the Cisco VPN 3000 Concentrator and Enterasys XSR-1850 Security Router. Refer to reference [3] for an alternate generic routing encapsulation (GRE) over IPSec configuration.


3.1 Configure Avaya G250-BRI Media Gateway

3.1.1. Configure IP Routing on the Avaya G250-BRI Media Gateway

The following screen shows the VLAN configurations of VLAN 202 and 203. The Avaya G250-BRI Media Gateway will use interface VLAN 203 to register to the Media Gateway Controllers (MGC).

interface Vlan 202
 ip address 192.168.202.1 255.255.255.0

interface Vlan 203
 icc-vlan
 ip address 192.168.203.1 255.255.255.0
 pmi

In the following screen, an MM340 T1/E1 WAN Media Module on the G250-BRI Media Gateway is connected to the Internet with a public IP address. The module is configured for T1 by default. Channel group 1 is configured with 24 channels. The corresponding Serial interface 2/1:1 is configured for PPP encapsulation.

ds-mode t1

controller t1 2/1
 linecode b8zs
 framing esf
 channel-group 1 timeslots 1-24 speed 64

interface Serial 2/1:1
 encapsulation ppp
 ip address 68.38.206.100 255.255.255.0

In the following screen, two Loopback interfaces and two GRE tunnel interfaces are configured. The tunnel source of tunnel 1 is configured to Loopback 1 and the tunnel source of tunnel 2 is configured to Loopback 2. Since both GRE tunnels terminate on the Cisco 6509 Layer 3 Router, the tunnel destinations must match the Loopback interfaces configured on the Cisco 6509 Layer 3 Router in Section 3.4. The VPN configuration in Section 3.1.3 will associate GRE tunnel 1 with the Cisco VPN 3000 concentrator and GRE tunnel 2 with the Enterasys XSR-1850 Security Router. In the sample configuration, tunnel 1 is configured with 128 kbps for the Dynamic-CAC and tunnel 2 is configured with 64 kbps for the Dynamic-CAC.

Avaya Communication Manager will count 27 kbps for each G.729 call. If the G.729 Codec is used between the Main and Small Offices, four VoIP calls will be supported on the VPN tunnel with the Cisco VPN 3000 Concentrator and two VoIP calls on the VPN tunnel with the Enterasys XSR-1850 Security Router. The overflow calls will use PSTN facilities. The tunnel keepalives will be used to tear down the line protocol of the GRE tunnel interface if the far end becomes unreachable.

interface Loopback 1
 ip address 192.168.204.1 255.255.255.255
 exit
!
interface Loopback 2
 ip address 192.168.204.2 255.255.255.255
 exit
!
interface Tunnel 1
 dynamic-cac 128
 keepalive 10 3
 tunnel source 192.168.204.1
 tunnel destination 192.168.90.1
 ip address 10.10.12.1 255.255.255.252
 exit
!
interface Tunnel 2
 dynamic-cac 64
 keepalive 10 3
 tunnel source 192.168.204.2
 tunnel destination 192.168.90.2
 ip address 10.10.12.5 255.255.255.252
 exit

The following screen shows the OSPF and default route configuration. The tunnel interfaces must be included in the OSPF configuration. The default route is configured to the Internet gateway.

router ospf
 network 10.10.12.0 0.0.0.3 area 0.0.0.0
 network 10.10.12.4 0.0.0.3 area 0.0.0.0
 network 192.168.202.0 0.0.0.255 area 0.0.0.0
 network 192.168.203.0 0.0.0.255 area 0.0.0.0

ip default-gateway 68.38.206.1


3.1.2. Configure RTR and Tracking

The Response Time Report (RTR) is a network performance measurement and diagnostics tool that uses active monitoring. The tracking feature provides complete separation between the objects to be tracked and the action to be taken by a client when a tracked object changes. The following commands define two RTRs and two tracking operations. rtr 1 defines an ICMP echo operation for tunnel interface 1 while rtr 2 defines an ICMP echo operation for tunnel interface 2. track 1 is associated with rtr 1 and track 2 is associated with rtr 2. Use the command rtr-schedule <rtr-id> start-time now life forever to activate the RTR operation. These trackers will be applied to the VPN tunnels in Section 3.1.3 for the VPN DPD.

rtr 1
 type echo protocol ipIcmpEcho 10.10.12.2 source-address 10.10.12.1
 exit
rtr-schedule 1 start-time now life forever
rtr 2
 type echo protocol ipIcmpEcho 10.10.12.6 source-address 10.10.12.5
 exit
rtr-schedule 2 start-time now life forever
!
track 1
 rtr 1
 exit
track 2
 rtr 2
 exit


3.1.3. Configure VPN on the Avaya G250-BRI Media Gateway

The Avaya G250-BRI Media Gateway is also a VPN appliance. The following shows the Internet Key Exchange (IKE) phase 1 policy configuration. The IKE phase 1 proposals configured on the Cisco VPN 3000 Concentrator, the Enterasys XSR-1850 Security Router and the Avaya G250-BRI Media Gateway must match.

crypto isakmp policy 1
 description "High Phase 1 Proposal"
 encryption aes
 hash md5
 group 2
 authentication pre-share

The following screen shows the Internet Security Association and Key Management Protocol (ISAKMP) peer configurations with the Cisco VPN 3000 Concentrator and Enterasys XSR-1850 Security Router. The Avaya G250-BRI Media Gateway is configured to initiate the IKE connection (aggressive mode). Object Tracker 1 is applied to the Cisco VPN 3000 concentrator and Object Tracker 2 is applied to the Enterasys XSR-1850 Security Router. Tunnel interface 1 and the Dynamic-CAC configured on tunnel interface 1 are associated with the Cisco VPN 3000 concentrator while tunnel interface 2 and the Dynamic-CAC configured on tunnel interface 2 are associated with the Enterasys XSR-1850 Security Router.

crypto isakmp peer address 141.150.155.80
 description "Cisco VPN 3000"
 pre-shared-key ****
 isakmp-policy 1
 initiate mode aggressive
 keepalive-track 1
!
crypto isakmp peer address 12.160.179.124
 description "Enterasys XSR-1850"
 pre-shared-key ****
 isakmp-policy 1
 initiate mode aggressive
 keepalive-track 2
 exit

The following screen creates an IPSec Phase 2 transform-set proposal. Perfect Forward Secrecy (PFS) is enabled to strengthen the tunnel against brute force attacks.

crypto transform-set H2 esp-aes esp-sha-hmac
 set pfs group2


The following screen defines a peer group with two members: the Cisco VPN 3000 Concentrator and the Enterasys XSR-1850 Security Router. The Avaya G250-BRI Media Gateway will try the peer group members in order after a reset. When the Avaya G250-BRI Media Gateway detects a current peer as a dead peer via the Object Tracker, the Avaya G250-BRI Media Gateway will tear down the dead VPN connection and switch to another peer in sequence for a new connection.

crypto isakmp peer-group vpn_main
 set peer 12.160.179.124
 set peer 141.150.155.80
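The peer-group switching described above, combined with the Dynamic-CAC values from Section 3.1.1, as an added Python model (not code from these Application Notes or from Avaya). Peer addresses, tunnel numbers and CAC figures are the ones in the sample configuration; the tracker transitions fed in are constructed inputs standing in for the RTR ICMP echo probes.

```python
"""Model of the G250 VPN peer-group failover driven by object trackers.

Added illustration, not code from these Application Notes or from Avaya.
Peer addresses, tunnel numbers and Dynamic-CAC values are the ones used in
the sample configuration; the tracker transitions fed in below are
constructed inputs that stand in for the RTR ICMP echo probes.
"""
from dataclasses import dataclass, field

G729_KBPS = 27  # Communication Manager counts 27 kbps per G.729 call


@dataclass(frozen=True)
class Peer:
    address: str
    description: str
    track_id: int          # object tracker bound with keepalive-track
    tunnel: int            # GRE tunnel interface carried by this peer
    dynamic_cac_kbps: int  # dynamic-cac configured on that tunnel


@dataclass
class PeerGroup:
    name: str
    members: list                 # tried in configured order after a reset
    current: int = 0              # index of the member holding the IKE SA
    tracks: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def active(self) -> Peer:
        return self.members[self.current]

    def rbbl_kbps(self) -> int:
        """Region Bearer Bandwidth Limit reported to Communication Manager."""
        return self.active().dynamic_cac_kbps

    def g729_calls_allowed(self) -> int:
        """Calls CAC-BL admits on the active tunnel; the rest overflow to the PSTN."""
        return g729_calls(self.rbbl_kbps())

    def tunnel_states(self) -> dict:
        """Only the GRE tunnel of the active peer can be up (one VPN at a time)."""
        return {p.tunnel: ("up" if p is self.active() else "down") for p in self.members}

    def track_change(self, track_id: int, state: str) -> None:
        """Apply a tracker transition; a down tracker on the active peer triggers failover."""
        self.tracks[track_id] = state
        peer = self.active()
        if peer.track_id != track_id or state != "down":
            return  # trackers of idle peers, and up transitions, never switch
        nxt = (self.current + 1) % len(self.members)
        self.log.append(f"Peer {peer.address} is presumed dead: keepalive-track down")
        self.log.append(f"Peer-group {self.name}: switching from peer "
                        f"{peer.address} to peer {self.members[nxt].address}")
        self.current = nxt


def g729_calls(rbbl_kbps: int) -> int:
    """Whole G.729 calls that fit in the reported bandwidth limit."""
    return rbbl_kbps // G729_KBPS


def build_group() -> PeerGroup:
    """Peer group vpn_main as listed in Section 3.1.3 (XSR first, then VPN 3000)."""
    xsr = Peer("12.160.179.124", "Enterasys XSR-1850", track_id=2, tunnel=2, dynamic_cac_kbps=64)
    vpn3000 = Peer("141.150.155.80", "Cisco VPN 3000", track_id=1, tunnel=1, dynamic_cac_kbps=128)
    return PeerGroup("vpn_main", [xsr, vpn3000])


def failover_scenario() -> PeerGroup:
    """Reproduce the capture in Section 4.1: VPN 3000 active, then its tracker drops."""
    group = build_group()
    group.current = 1                 # IKE SA currently with 141.150.155.80
    group.track_change(1, "up")
    group.track_change(2, "down")     # idle peer's tracker is down (its tunnel is down): no effect
    group.track_change(1, "down")     # RTR 1 echo failures: object tracker 1 down
    return group


if __name__ == "__main__":
    g = failover_scenario()
    for line in g.log:
        print(line)
    print("active peer:", g.active().description, "RBBL:", g.rbbl_kbps(), "kbps,",
          "G.729 calls:", g.g729_calls_allowed(), g.tunnel_states())
```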

The following screen assigns an IPSec phase 2 proposal to the peer group via a crypto map:

crypto map 10
 set peer-group vpn_main
 set transform-set H2

The following screen configures a crypto-list 901 to define the VPN traffic between the Avaya G250-BRI Media Gateway and the remote peer group. Since two members are configured in the same peer group, the crypto-list 901 must be configured to work with both peers. The source IP addresses in crypto-list 901 correspond to the GRE source IP addresses (Loopback interfaces 1 and 2 on the Avaya G250-BRI Media Gateway) and the destination IP addresses correspond to the GRE destination IP addresses (Loopback interfaces 1 and 2 on the Cisco 6509 Layer 3 Router).

ip crypto-list 901
 name "peer-Group"
 local-address Serial 2/1:1
!
 ip-rule 1
  protect crypto map 10
  source-ip 192.168.204.0 0.0.0.3
  destination-ip 192.168.90.0 0.0.0.3

Apply the IP crypto-list to the public-facing interface, which is Serial 2/1:1 in the sample:

interface Serial 2/1:1
 encapsulation ppp
 ip crypto-group 901
 ip address 68.38.206.100 255.255.255.0
 exit


3.2 Configure Enterasys XSR-1850 Security Router

The following screen shows the interface and static route configuration. Interface FastEthernet1 is connected to the Cisco Catalyst 6509 and interface FastEthernet2 is connected to the Internet, with 12.160.179.1 as the default route next hop. 192.168.42.2 is the IP address of the Cisco 6509 Layer 3 Router.

interface FastEthernet1
 ip address 192.168.42.3 255.255.255.0

interface FastEthernet2
 crypto map G250
 ip address 12.160.179.124 255.255.255.0

ip route 192.168.0.0 255.255.128.0 192.168.42.2
ip route 0.0.0.0 0.0.0.0 12.160.179.1

The following shows the IKE phase 1 policy and pre-shared key configuration for the G250-BRI Media Gateway. These configurations must match the configurations of the Avaya G250-BRI Media Gateway.

crypto isakmp proposal G250-isakmp
 authentication pre-share
 encryption aes
 hash md5
 lifetime 86400

crypto isakmp peer 68.38.206.100 255.255.255.255
 proposal G250-isakmp

Use the following command to configure the pre-shared key for the Avaya G250-BRI Media Gateway using Authentication, Authorization and Accounting (AAA). The user name is the IP address of the Avaya G250-BRI Media Gateway and the password is the pre-shared secret key.

aaa user 68.38.206.100 password MySeCr


The following screen shows the IPSec (IKE phase 2) configuration. Access list 100 is configured to define the VPN traffic. Since the GRE tunnels are used, the Enterasys XSR-1850 Security Router can only see the tunneled IP traffic. The source IP addresses in access list 100 correspond to the GRE source IP addresses (Loopback interfaces 1 and 2 on the Cisco 6509 routing engine) and the destination IP addresses correspond to the GRE destination IP addresses (Loopback interfaces 1 and 2 on the G250-BRI Media Gateway).

access-list 100 permit ip 192.168.90.0 0.0.0.3 192.168.204.0 0.0.0.3

crypto ipsec transform-set H2 esp-aes esp-sha-hmac
 set pfs group2

crypto map G250 1
 set transform-set H2
 match address 100
 set peer 68.38.206.100

Apply the crypto map to the public-facing interface (interface FastEthernet2):

interface FastEthernet2
 crypto map G250
 ip address 12.160.179.124 255.255.255.0


3.3 Configure Cisco VPN 3000 Concentrator

Log in to the Cisco VPN 3000 Concentrator via the web interface. Navigate to Configuration -> Interfaces and verify that the IP addresses and default gateway are configured properly. The default gateway points to the Internet. Ethernet 1 is connected to the Cisco Catalyst 6509.

Interface              Status  IP Address       Subnet Mask      MAC Address        Default Gateway
---------------------  ------  ---------------  ---------------  -----------------  ---------------
Ethernet 1 (Private)   UP      192.168.42.1     255.255.255.0    00.05.00.B8.0D.14
Ethernet 2 (Public)    UP      141.150.155.80   255.255.255.224  00.05.00.B8.0D.15  141.150.155.65
Ethernet 3 (External)  DOWN    172.16.254.85    255.255.255.0    00.05.00.B8.0D.16
DNS Server(s): Not Configured
DNS Domain Name: (blank)

Navigate to Configuration -> System -> IP Routing -> Static Routes and verify that the static routes are configured properly.

Static Routes:
 Default -> 141.150.155.65
 192.168.0.0/255.255.128.0 -> 192.168.42.2
(Actions: Add, Modify, Delete)

Navigate to Configuration -> Tunneling and Security -> IPSec -> IKE Proposals and verify that an IKE phase 1 proposal matching the Avaya G250-BRI Media Gateway is configured and activated. The following screen shows that the IKE phase 1 proposal named Match-G250 is configured and activated:


[Screen: IKE Proposals. Match-G250 appears in the Active Proposals list; the remaining entries in the Active and Inactive Proposals lists are the concentrator's built-in CiscoVPNClient-*, IKE-* and HYBRID_* proposals. Action buttons: << Activate, Deactivate >>, Move Up, Move Down, Add, Modify, Copy, Delete.]

Highlight the proposal Match-G250 and press the Modify button to verify or change the configuration:

Modify a configured IKE Proposal.

Proposal Name:            Match-G250           (Specify the name of this IKE Proposal.)
Authentication Mode:      Preshared Keys       (Select the authentication mode to use.)
Authentication Algorithm: MD5/HMAC-128         (Select the packet authentication algorithm to use.)
Encryption Algorithm:     AES-128              (Select the encryption algorithm to use.)
Diffie-Hellman Group:     Group 2 (1024-bits)  (Select the Diffie Hellman Group to use.)
Lifetime Measurement:     Time                 (Select the lifetime measurement of the IKE keys.)
Data Lifetime:            10000                (Specify the data lifetime in kilobytes (KB).)
Time Lifetime:            86400                (Specify the time lifetime in seconds.)

Apply  Cancel


Navigate to Configuration -> Policy Management -> Traffic Management -> Network Lists and create network lists for the local and remote protected networks. List name G250 is the protected network for the Avaya G250-BRI Media Gateway (GRE tunnel source IP addresses on the G250-BRI Media Gateway).

List Name:    G250
Network List: 192.168.204.0/0.0.0.3

Apply  Cancel  Generate Local List


List name VPN3000 is the protected network for the local networks (GRE tunnel source IP addresses on the Cisco 6509 Layer 3 Router).

List Name:    VPN3000
Network List: 192.168.90.0/0.0.0.3

Apply  Cancel  Generate Local List


Navigate to Configuration -> Tunneling and Security -> IPSec -> LAN-to-LAN -> Add to add a VPN tunnel with the Avaya G250-BRI Media Gateway.

Enable:                   (checkbox)
Name:                     G250
Interface:                Ethernet 2 (Public) (141.150.155.80)
Connection Type:          Bi-directional
Peers:                    68.38.206.100
Digital Certificate:      None (Use Preshared Keys)
Certificate Transmission: Entire certificate chain
Preshared Key:            MySeCr
Authentication:           ESP/SHA/HMAC-160
Encryption:               AES-128
IKE Proposal:             Match-G250
Filter:                   --None--
IPSec NAT-T:              (checkbox)
Bandwidth Policy:         ---None---
Routing:                  None
Local Network:            Network List VPN3000 (IP Address and Wildcard Mask left blank)
Remote Network:           Network List G250 (IP Address and Wildcard Mask left blank)

Apply  Cancel


Navigate to Configuration -> Policy Management -> Traffic Management -> Security Association to make final modifications to the Security Association (SA) parameters:

SA Name:                  L2L: G250
Inheritance:              From Rule
Authentication Algorithm: ESP/SHA/HMAC-160
Encryption Algorithm:     AES-128
Encapsulation Mode:       Tunnel
Perfect Forward Secrecy:  Group 2 (1024-bits)
Lifetime Measurement:     Time
Data Lifetime:            10000
Time Lifetime:            3600
Connection Type:          Bidirectional
IKE Peers:                68.38.206.100
Negotiation Mode:         Main
Digital Certificate:      None (Use Preshared Keys)
Certificate Transmission: Entire certificate chain / Identity certificate only
IKE Proposal:             Match-G250

Apply  Cancel
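Sections 3.1.3, 3.2 and 3.3 each stress that the traffic selectors must match across the peers: the G250 crypto-list 901 rule, the XSR access list 100 and the concentrator's VPN3000/G250 network lists must describe the same pair of /30s with source and destination swapped. The following check is an added illustration, not code from these Application Notes or from any of the vendors; the selector strings are copied from those sections, and the host-only access list at the bottom is a constructed counter-example.

```python
"""Mirror check for the IPSec traffic selectors of the three VPN peers.

Added illustration, not code from these Application Notes or any vendor.
The selector lines are copied from Sections 3.1.3, 3.2 and 3.3; the
host-only access list at the bottom is a constructed counter-example.
"""
import ipaddress
import re
from typing import Tuple

Selector = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]  # (source, destination)


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn 'address wildcard' (Avaya/Cisco/Enterasys style) into a prefix."""
    hostmask = int(ipaddress.IPv4Address(wildcard))
    netmask = ipaddress.IPv4Address((~hostmask) & 0xFFFFFFFF)
    return ipaddress.IPv4Network((addr, str(netmask)), strict=False)


def parse_g250_rule(line: str) -> Selector:
    """Avaya G250: 'ip-rule N protect crypto map M source-ip A W destination-ip B W'."""
    m = re.search(r"source-ip (\S+) (\S+) destination-ip (\S+) (\S+)", line)
    if not m:
        raise ValueError(f"not a G250 ip-rule with addresses: {line!r}")
    return wildcard_to_network(m[1], m[2]), wildcard_to_network(m[3], m[4])


def parse_xsr_acl(line: str) -> Selector:
    """Enterasys XSR: 'access-list N permit ip A W B W'."""
    m = re.search(r"permit ip (\S+) (\S+) (\S+) (\S+)", line)
    if not m:
        raise ValueError(f"not an extended 'permit ip' entry: {line!r}")
    return wildcard_to_network(m[1], m[2]), wildcard_to_network(m[3], m[4])


def parse_vpn3000_list(entry: str) -> ipaddress.IPv4Network:
    """Cisco VPN 3000 network list entry 'A/W' (the part after '/' is a wildcard)."""
    addr, wildcard = entry.strip().split("/")
    return wildcard_to_network(addr, wildcard)


def mirrors(ours: Selector, theirs: Selector) -> bool:
    """A remote selector must be our selector with source and destination swapped."""
    return ours == (theirs[1], theirs[0])


def explain(ours: Selector, theirs: Selector) -> str:
    """Human-readable verdict for one peer pair."""
    if mirrors(ours, theirs):
        return "ok"
    return (f"mismatch: local {ours[0]}->{ours[1]} expects remote "
            f"{ours[1]}->{ours[0]} but remote has {theirs[0]}->{theirs[1]}")


# Selector lines as configured in these Application Notes.
G250_RULE = ("ip-rule 1 protect crypto map 10 source-ip 192.168.204.0 0.0.0.3 "
             "destination-ip 192.168.90.0 0.0.0.3")
XSR_ACL = "access-list 100 permit ip 192.168.90.0 0.0.0.3 192.168.204.0 0.0.0.3"
VPN3000_LOCAL_LIST = "192.168.90.0/0.0.0.3"    # network list VPN3000
VPN3000_REMOTE_LIST = "192.168.204.0/0.0.0.3"  # network list G250

# Constructed counter-example: host entries that cover only Loopback 1 on each side,
# so the GRE tunnel sourced from Loopback 2 would never be protected.
XSR_ACL_ONLY_LOOPBACK1 = "access-list 100 permit ip 192.168.90.1 0.0.0.0 192.168.204.1 0.0.0.0"


def check_all() -> dict:
    """Verdict per remote peer against the G250 crypto-list 901 rule."""
    g250 = parse_g250_rule(G250_RULE)
    vpn3000 = (parse_vpn3000_list(VPN3000_LOCAL_LIST), parse_vpn3000_list(VPN3000_REMOTE_LIST))
    return {
        "Enterasys XSR-1850": explain(g250, parse_xsr_acl(XSR_ACL)),
        "Cisco VPN 3000": explain(g250, vpn3000),
        "XSR-1850 (host-only variant)": explain(g250, parse_xsr_acl(XSR_ACL_ONLY_LOOPBACK1)),
    }


if __name__ == "__main__":
    for peer, verdict in check_all().items():
        print(f"{peer}: {verdict}")
```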


3.4 Configure Cisco 6509 Layer 3 Router

The GRE tunnels configured on the Avaya G250-BRI Media Gateway are terminated on the Cisco 6509 Layer 3 Router. In the following screen, two Loopback interfaces and two GRE tunnel interfaces are configured. The tunnel configuration on the Cisco 6509 must match that on the Avaya G250-BRI Media Gateway. The tunnel IP addresses on the Avaya G250-BRI Media Gateway and the Cisco Access Router must be on the same network in order for the OSPF routing protocol to work properly. The tunnel keepalives will be used to take down the line protocol of the GRE tunnel interface if the far end becomes unreachable.

interface Loopback1
 ip address 192.168.90.1 255.255.255.255
!
interface Loopback2
 ip address 192.168.90.2 255.255.255.255
!
interface Tunnel1
 ip address 10.10.12.2 255.255.255.252
 keepalive 10 3
 tunnel source 192.168.90.1
 tunnel destination 192.168.204.1
!
interface Tunnel2
 ip address 10.10.12.6 255.255.255.252
 keepalive 10 3
 tunnel source 192.168.90.2
 tunnel destination 192.168.204.2

The following screen shows the OSPF and default route configuration. The tunnel interfaces must be included in the OSPF configuration. Two static routes are configured to the private IP addresses of the Cisco VPN 3000 Concentrator and Enterasys XSR-1850 Security Router. Note that Loopback interface 1 on the Avaya G250-BRI Media Gateway is associated with the Cisco VPN 3000 Concentrator and Loopback interface 2 is associated with the Enterasys XSR-1850 Security Router.

router ospf 1
 log-adjacency-changes
 network 10.10.12.0 0.0.0.255 area 0
 network 192.168.87.0 0.0.0.255 area 0
 network 192.168.88.0 0.0.0.255 area 0
 network 192.168.89.0 0.0.0.255 area 0

ip route 192.168.204.1 255.255.255.255 192.168.42.1
ip route 192.168.204.2 255.255.255.255 192.168.42.3


4. Verification Steps

4.1 Verify VPN, GRE, Dynamic CAC-BL and RTR Status on the Avaya G250-BRI Media Gateway

Use the command show crypto isakmp sa on the Avaya G250-BRI Media Gateway to display the current IKE SA. As shown below, the ISAKMP SA is associated with the Cisco VPN 3000 Concentrator (IP address 141.150.155.80 as shown in Figure 1).

G250-BRI-001(super)# show crypto isakmp sa

C-id  Local          Remote          State  Encr  Hash  Aut  DH  TTL    DPD  Nat-T
----  -------------  --------------  -----  ----  ----  ---  --  -----  ---  -----
113   68.38.206.100  141.150.155.80  Ready  aes   md5   psk  2   80965  Yes  No

Use the command show crypto ipsec sa on the Avaya G250-BRI Media Gateway to display the current IPSec status.

G250-BRI-001(super)# show crypto ipsec sa

Interface: Serial 2/1:1
Crypto list id: 901, Local address: Serial 2/1:1.0

Rule: 1, Crypto map: 10
Local address: 68.38.206.100, Remote address: 141.150.155.80
Local identity: 192.168.204.0/255.255.255.252
Remote identity: 192.168.90.0/255.255.255.252
path mtu 1500, media mtu 1500
Current outbound spi: 0xe0ee3b0

Inbound packets               Outbound packets
---------------------         ---------------------
Total            8684         Total            9395
Total OK         8684         Total OK         9394
Decrypt          8684         Encrypt          9394
Verify           8684         Digest           9394
Decaps           8684         Encaps           9394
Total discards      0         Total discards      1

SA        Type  SPI        Transform     PFS  Secs left  KB left  Mode
--------  ----  ---------  ------------  ---  ---------  -------  ------
Inbound   ESP   0x54c5     esp-aes       #2   1117       4607500  Tunnel
                           esp-sha-hmac
Outbound  ESP   0xe0ee3b0  esp-aes       #2   1117       4607447  Tunnel
                           esp-sha-hmac


If the VPN is up, use the command show ip interface brief to verify that the associated GRE tunnel is up (Tunnel 1 is associated with the Cisco VPN 3000 Concentrator). Note that the Loopback interfaces are always up.

G250-BRI-001(super)# show ip int brief
Showing 7 Interfaces
Interface     Address        Mask  Method  Status
------------  -------------  ----  ------  ------
Tunnel 1      10.10.12.1     30    manual  up
Tunnel 2      10.10.12.5     30    manual  down
Serial 2/1:1  68.38.206.100  24    manual  up
Vlan 202      192.168.202.1  24    manual  up
Vlan 203      192.168.203.1  24    manual  up
Loopback 1    192.168.204.1  32    manual  up
Loopback 2    192.168.204.2  32    manual  up

Use the command show ip route to verify that the route entries are learned via OSPF through the tunnel interface:

G250-BRI-001(super)# show ip route

Network        Mask  Interface     Next-Hop       Cost   TTL  Source
-------------  ----  ------------  -------------  -----  ---  -------
0.0.0.0        0     Serial 2/1:1  68.38.206.1    1      n/a  STAT-LO
10.4.4.0       24    Tunnel 1      10.10.12.2     11116  n/a  OSPF
10.10.12.0     30    Tunnel 1      10.10.12.1     1      n/a  LOCAL
68.38.206.0    24    Serial 2/1:1  68.38.206.100  1      n/a  LOCAL
68.38.206.1    32    Serial 2/1:1  68.38.206.100  1      n/a  LOCAL
192.168.42.0   24    Tunnel 1      10.10.12.2     11112  n/a  OSPF
192.168.87.0   24    Tunnel 1      10.10.12.2     11112  n/a  OSPF
192.168.88.0   24    Tunnel 1      10.10.12.2     11112  n/a  OSPF
192.168.89.0   24    Tunnel 1      10.10.12.2     11112  n/a  OSPF
192.168.202.0  24    Vlan 202      192.168.202.1  1      n/a  LOCAL
192.168.203.0  24    Vlan 203      192.168.203.1  1      n/a  LOCAL
192.168.204.1  32    Loopback 1    192.168.204.1  1      n/a  MY-ADDR
192.168.204.2  32    Loopback 2    192.168.204.2  1      n/a  MY-ADDR

Syslog debugging can be enabled on the G250-BRI Media Gateway to troubleshoot VPN issues. Enter the following commands from the console port to enable VPN debugging.

G250-001(super)# set logging session condition isakmp debug

G250-001(super)# set logging session condition ipsec debug

G250-001(super)# set logging session enable


The following screen shows annotated syslog debug messages from the console port of the Avaya G250-BRI Media Gateway when the Cisco VPN 3000 Concentrator is disconnected.

!--- The Object Tracker detected the dead peer with the Cisco Concentrator

05/05/2005,16:27:12:ISAKMP-Warning: Peer 141.150.155.80 is presumed dead: keepalive-track down

!--- Switch to the Enterasys XSR for a new VPN connection

05/05/2005,16:27:12:ISAKMP-Informational: Peer-group vpn_main: switching from peer 141.150.155.80 to peer 12.160.179.124

!--- Send IKE delete to the dead peer

05/05/2005,16:27:12:ISAKMP-Informational: Sending IKE DELETE message (IPSEC SA): SPI 0x13ed, Peers 68.38.206.100<->141.150.155.80 Icookie - 766651ed27b4ee1a, Rcookie - 4a2840c0da6dba3c

!--- Delete IPSec SA for the dead peer

05/05/2005,16:27:12:ISAKMP-Informational: Delete IPSEC SA: SPI 0x46c78cbf, Peers 68.38.206.100->141.150.155.80, SPD ID: 901_1 Identities: 192.168.204.0/255.255.255.252->192.168.90.0/255.255.255.252

05/05/2005,16:27:12:ISAKMP-Informational: Delete IPSEC SA: SPI 0x13ed, Peers 141.150.155.80->68.38.206.100, SPD ID: 901_1 Identities: 192.168.90.0/255.255.255.252->192.168.204.0/255.255.255.252

!--- Object Tracker 1 is down

05/05/2005,16:27:12:TRACKER-Informational: track 1 state changed to down.

05/05/2005,16:27:12:SAA-Informational: rtr 1 state changed to down.

05/05/2005,16:27:12:ISAKMP-Informational: Sending IKE DELETE message (ISAKMP SA): Peers 68.38.206.100<->141.150.155.80 Icookie - 766651ed27b4ee1a, Rcookie - 4a2840c0da6dba3c

!---G250 initiates IKE phase 1 with the Enterasys XSR in the aggressive mode

05/05/2005,16:27:12:IPSEC-Informational: Call IKE negotiation for outgoing SPD entry 901_1: Peers 68.38.206.100<->12.160.179.124

05/05/2005,16:27:27:IPSEC-Informational: Call IKE negotiation for outgoing SPD entry 901_1: Peers 68.38.206.100<->12.160.179.124

05/05/2005,16:27:27:ISAKMP-Informational: Initiating IKE phase 1 negotiation: Peers 68.38.206.100<->12.160.179.124, mode aggressive

05/05/2005,16:27:27:ISAKMP-Debug: Sending vendor ID to 12.160.179.124 (VID length = 16): Peers 68.38.206.100<->12.160.179.124 Avaya Gateway VPN v1.0 (0x133bc1e3f926a020cad5bed4ffe04c8f)

!---G250 sends IKE phase 1 proposal to the Enterasys XSR

05/05/2005,16:27:27:ISAKMP-Debug: Sending vendor ID to 12.160.179.124 (VID length = 16): Peers 68.38.206.100<->12.160.179.124 draft-ietf-ipsec-dpd-00.txt (0xafcad71368a1f1c96b8696fc77570100)

05/05/2005,16:27:27:ISAKMP-Debug: Sending vendor ID to 12.160.179.124 (VID length = 16): Peers 68.38.206.100<->12.160.179.124 Avaya VPNos v3.2 (0x4485152d18b6bbcc0be8a8469579ddcc)

05/05/2005,16:27:27:ISAKMP-Debug: Sending vendor ID to 12.160.179.124 (VID length = 16): Peers 68.38.206.100<->12.160.179.124 draft-ietf-ipsec-nat-t-ike-00 (0x4485152d18b6bbcd0be8a8469579ddcc)

05/05/2005,16:27:27:ISAKMP-Debug: Sending vendor ID to 12.160.179.124 (VID length = 16): Peers 68.38.206.100<->12.160.179.124 draft-ietf-ipsec-nat-t-ike-02 (0xcd60464335df21f87cfdb2fc68b6a448)

05/05/2005,16:27:27:ISAKMP-Debug: Sending vendor ID to 12.160.179.124 (VID length = 16): Peers 68.38.206.100<->12.160.179.124 draft-ietf-ipsec-nat-t-ike-02-cisco (0x90cb80913ebb696e086381b5ec427b1f)

05/05/2005,16:27:27:ISAKMP-Debug: Sending vendor ID to 12.160.179.124 (VID length = 16): Peers 68.38.206.100<->12.160.179.124 draft-ietf-ipsec-nat-t-ike-03 (0x7d9419a65310ca6f2c179d9215529d56)

05/05/2005,16:27:27:ISAKMP-Debug: Sending vendor ID to 12.160.179.124 (VID length = 16): Peers 68.38.206.100<->12.160.179.124 RFC 3947 (0x4a131c81070358455c5728f20e95452f)

!---Receive the IKE phase 1 proposal from the Enterasys XSR

05/05/2005,16:27:27:ISAKMP-Debug: Received vendor ID from 12.160.179.124 (VID length = 16): Peers 68.38.206.100<->12.160.179.124 draft-ietf-ipsec-nat-t-ike-02-ci (0x90cb80913ebb696e086381b5ec427b1f)

05/05/2005,16:27:27:ISAKMP-Debug: Received vendor ID from 12.160.179.124 (VID length = 16): Peers 68.38.206.100<->12.160.179.124 Unknown (0x1e5ef2c843b4630afbfd5f688f076726)

!--- The IKE phase 1 proposal is selected

05/05/2005,16:27:27:ISAKMP-Informational: Selected NAT-T draft: draft-ietf-ipsec-nat-t-ike-02-cisco Peers 68.38.206.100<->12.160.179.124

05/05/2005,16:27:27:ISAKMP-Informational: No NAT device was detected: Peers 68.38.206.100<->12.160.179.124


!--- Finished IKE phase 1 negotiation

05/05/2005,16:27:27:ISAKMP-Informational: Finished IKE phase 1 negotiation, creating ISAKMP SA: Peers 68.38.206.100<->12.160.179.124 Icookie - 95591ab0d3bd7166, Rcookie - 589b1cac9dc968f9 esp-aes, esp-md5-hmac, DH group 2, Lifetime 86400 seconds

!--- Initiating IKE phase 2 negotiation

05/05/2005,16:27:27:ISAKMP-Informational: Initiating IKE phase 2 negotiation: SPD entry - 901_1 Peers 68.38.206.100<->12.160.179.124

!--- Finished IKE phase 2

05/05/2005,16:27:28:ISAKMP-Informational: Finished IKE phase 2, creating outbound IPSEC SA: SPI 0xb8c5c77e, Peers 68.38.206.100<->12.160.179.124 Identities: 192.168.204.0/255.255.255.252->192.168.90.0/255.255.255.252 esp-aes, esp-sha-hmac, 3600 seconds, 4608000 KB, PFS #2 Tunnel mode

05/05/2005,16:27:28:ISAKMP-Informational: Finished IKE phase 2, creating inbound IPSEC SA: SPI 0x495e, Peers 12.160.179.124<->68.38.206.100 Identities: 192.168.90.0/255.255.255.252->192.168.204.0/255.255.255.252 esp-aes, esp-sha-hmac, 3600 seconds, 4608000 KB, PFS #2 Tunnel mode
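For anyone collecting these syslog messages centrally, the failover sequence above can be extracted and sanity-checked automatically: the dead peer, the replacement peer, the negotiated IKE parameters, the resulting IPSec SAs and the time from dead-peer detection to the new phase 2 SAs. The parser below is an added illustration, not code from these Application Notes or from Avaya; its sample lines are a subset of the console capture above, and the message layout 'MM/DD/YYYY,HH:MM:SS:FACILITY-Severity: text' is assumed from that capture.

```python
"""Extract the failover timeline from G250 ISAKMP/TRACKER syslog lines.

Added illustration, not code from these Application Notes or from Avaya.
The sample lines below are a subset of the console capture shown above;
the message layout 'MM/DD/YYYY,HH:MM:SS:FACILITY-Severity: text' is
assumed from that capture.
"""
import re
from datetime import datetime

LINE_RE = re.compile(r"^(\d\d/\d\d/\d{4}),(\d\d:\d\d:\d\d):([A-Z]+)-(\w+): (.*)$")

SAMPLE_LINES = [
    "05/05/2005,16:27:12:ISAKMP-Warning: Peer 141.150.155.80 is presumed dead: keepalive-track down",
    "05/05/2005,16:27:12:ISAKMP-Informational: Peer-group vpn_main: switching from peer 141.150.155.80 to peer 12.160.179.124",
    "05/05/2005,16:27:12:TRACKER-Informational: track 1 state changed to down.",
    "05/05/2005,16:27:12:SAA-Informational: rtr 1 state changed to down.",
    "05/05/2005,16:27:27:ISAKMP-Informational: Initiating IKE phase 1 negotiation: Peers 68.38.206.100<->12.160.179.124, mode aggressive",
    "05/05/2005,16:27:27:ISAKMP-Informational: Finished IKE phase 1 negotiation, creating ISAKMP SA: Peers 68.38.206.100<->12.160.179.124 Icookie - 95591ab0d3bd7166, Rcookie - 589b1cac9dc968f9 esp-aes, esp-md5-hmac, DH group 2, Lifetime 86400 seconds",
    "05/05/2005,16:27:28:ISAKMP-Informational: Finished IKE phase 2, creating outbound IPSEC SA: SPI 0xb8c5c77e, Peers 68.38.206.100<->12.160.179.124 Identities: 192.168.204.0/255.255.255.252->192.168.90.0/255.255.255.252 esp-aes, esp-sha-hmac, 3600 seconds, 4608000 KB, PFS #2 Tunnel mode",
    "05/05/2005,16:27:28:ISAKMP-Informational: Finished IKE phase 2, creating inbound IPSEC SA: SPI 0x495e, Peers 12.160.179.124<->68.38.206.100 Identities: 192.168.90.0/255.255.255.252->192.168.204.0/255.255.255.252 esp-aes, esp-sha-hmac, 3600 seconds, 4608000 KB, PFS #2 Tunnel mode",
]


def parse_line(line: str):
    """Return (timestamp, facility, severity, message), or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{m[1]} {m[2]}", "%m/%d/%Y %H:%M:%S")
    return ts, m[3], m[4], m[5]


def summarize_failover(lines) -> dict:
    """Pull the dead peer, its replacement, IKE parameters and recovery time out of a capture.

    A peer switch that is not preceded by a dead-peer warning for the same
    address, or a phase 1 with a peer other than the announced replacement,
    is reported as an anomaly worth a closer look.
    """
    out = {"dead_peer": None, "new_peer": None, "peer_group": None, "tracks_down": [],
           "phase1_mode": None, "phase1_params": None, "ipsec_spis": [],
           "recovery_seconds": None, "anomalies": []}
    t_dead = t_done = None
    for raw in lines:
        parsed = parse_line(raw)
        if parsed is None:
            out["anomalies"].append(f"unparsed: {raw[:60]}")
            continue
        ts, facility, severity, msg = parsed
        if m := re.match(r"Peer (\S+) is presumed dead", msg):
            out["dead_peer"], t_dead = m[1], ts
        elif m := re.match(r"Peer-group (\S+): switching from peer (\S+) to peer (\S+)", msg):
            out["peer_group"], out["new_peer"] = m[1], m[3]
            if out["dead_peer"] != m[2]:
                out["anomalies"].append(f"switch away from {m[2]} without a dead-peer warning")
        elif facility == "TRACKER" and (m := re.match(r"track (\d+) state changed to down", msg)):
            out["tracks_down"].append(int(m[1]))
        elif m := re.search(r"Initiating IKE phase 1 negotiation: Peers \S+<->(\S+), mode (\w+)", msg):
            out["phase1_mode"] = m[2]
            if m[1] != out["new_peer"]:
                out["anomalies"].append(f"phase 1 with unexpected peer {m[1]}")
        elif m := re.search(r"Finished IKE phase 1 negotiation.*Rcookie - \S+ (.*)$", msg):
            out["phase1_params"] = m[1]
        elif m := re.search(r"Finished IKE phase 2, creating (\w+) IPSEC SA: SPI (0x[0-9a-f]+)", msg):
            out["ipsec_spis"].append((m[1], m[2]))
            t_done = ts
    if t_dead and t_done:
        out["recovery_seconds"] = int((t_done - t_dead).total_seconds())
    return out


if __name__ == "__main__":
    for key, value in summarize_failover(SAMPLE_LINES).items():
        print(f"{key}: {value}")
```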

Use the command show dynamic-cac on the G250-BRI to check the reported Region Bearer Bandwidth Limit (RBBL). When the VPN tunnel with the Cisco VPN 3000 Concentrator is up, the value of the Dynamic-CAC (128 kbps) configured on tunnel 1 should be reported.

G250-BRI-001(super)# show dynamic-cac

Current RBBL  : 128 kbps
Last event    : 0 Days, 00:00:03
Last event BBL: 128 kbps

If the VPN tunnel is switched to the Enterasys XSR-1850 Security Access Router, the value of the Dynamic-CAC (64 kbps) configured on tunnel 2 should be reported. Note that both VPN tunnels cannot be up at the same time.

G250-BRI-001(super)# show dynamic-cac

Current RBBL   : 64 kbps
Last event     : 0 Days, 17:44:47
Last event BBL : 64 kbps


Use the command show rtr configuration to display the RTR configuration values, including all defaults, and the operational status. The following screen shows that rtr 2 is up, which means that the VPN tunnel to the peer Enterasys XSR-1850 is up. Note that Object Tracker 2 is associated with rtr 2 and is applied to the VPN peer Enterasys XSR-1850.

G250-BRI-001(super)# show rtr configuration

RTR# 1
------
Type: ipIcmpEcho
Operational Status: down
Operational Status Last Change (d,h:m:s): 0,6:25:9
Target Address: 10.10.12.2
Frequency (Milliseconds): 1000
Wait Interval (Milliseconds): 1000
Success Retries: 1
Failure Retries: 5
DSCP: 48
Source Address: 10.10.12.1

RTR# 2
------
Type: ipIcmpEcho
Operational Status: up
Operational Status Last Change (d,h:m:s): 0,6:25:5
Target Address: 10.10.12.6
Frequency (Milliseconds): 1000
Wait Interval (Milliseconds): 1000
Success Retries: 1
Failure Retries: 5
DSCP: 48
Source Address: 10.10.12.5
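The two checks just described, show dynamic-cac and show rtr configuration, verify the same thing from two sides: exactly one Object Tracker should be up, and the RBBL reported by Dynamic-CAC should equal the value configured on the tunnel that tracker belongs to. The following Python is an added example, not part of the Application Notes and not Avaya code; it parses both outputs (embedded as constructed input copied from the page) and reports any inconsistency. The mapping from rtr number to tunnel, peer and Dynamic-CAC value is an assumption taken from the text above (rtr 1 probes 10.10.12.2 on tunnel 1 towards the Cisco VPN 3000 Concentrator at 128 kbps; rtr 2 probes 10.10.12.6 on tunnel 2 towards the Enterasys XSR-1850 at 64 kbps).

```python
import re

# Constructed input: the show rtr configuration output from the page.
SHOW_RTR = """\
RTR# 1
------
Type: ipIcmpEcho
Operational Status: down
Operational Status Last Change (d,h:m:s): 0,6:25:9
Target Address: 10.10.12.2
Frequency (Milliseconds): 1000
Wait Interval (Milliseconds): 1000
Success Retries: 1
Failure Retries: 5
DSCP: 48
Source Address: 10.10.12.1

RTR# 2
------
Type: ipIcmpEcho
Operational Status: up
Operational Status Last Change (d,h:m:s): 0,6:25:5
Target Address: 10.10.12.6
Frequency (Milliseconds): 1000
Wait Interval (Milliseconds): 1000
Success Retries: 1
Failure Retries: 5
DSCP: 48
Source Address: 10.10.12.5
"""

# Constructed input: the show dynamic-cac output captured while tunnel 2 was active.
SHOW_DYNAMIC_CAC = """\
Current RBBL   : 64 kbps
Last event     : 0 Days, 17:44:47
Last event BBL : 64 kbps
"""

# Assumed mapping, taken from the text of the Application Notes: which tunnel, peer
# and Dynamic-CAC value each rtr / Object Tracker number belongs to.
TRACKER_TO_TUNNEL = {
    1: {"tunnel": 1, "peer": "Cisco VPN 3000 Concentrator", "cac_kbps": 128},
    2: {"tunnel": 2, "peer": "Enterasys XSR-1850", "cac_kbps": 64},
}


def parse_rtr(text):
    """Return {rtr_number: {...}} with the fields needed for the failover check."""
    entries = {}
    # Works on the multi-line output and on a flattened copy: split at each "RTR#".
    for block in re.split(r"RTR#\s*", text)[1:]:
        number = int(block.split(None, 1)[0])

        def field(pattern):
            return re.search(pattern, block).group(1)

        entries[number] = {
            "status": field(r"Operational Status:\s*(\w+)"),
            "target": field(r"Target Address:\s*(\S+)"),
            "source": field(r"Source Address:\s*(\S+)"),
            "frequency_ms": int(field(r"Frequency \(Milliseconds\):\s*(\d+)")),
            "wait_ms": int(field(r"Wait Interval \(Milliseconds\):\s*(\d+)")),
            "failure_retries": int(field(r"Failure Retries:\s*(\d+)")),
        }
    return entries


def parse_dynamic_cac(text):
    """Return the reported RBBL in kbps, or None if the line is missing."""
    m = re.search(r"Current RBBL\s*:\s*(\d+)\s*kbps", text)
    return int(m.group(1)) if m else None


def active_tunnel(entries):
    """The tunnel record whose tracker is up; None unless exactly one tracker is up."""
    up = [n for n, e in entries.items() if e["status"] == "up"]
    return TRACKER_TO_TUNNEL[up[0]] if len(up) == 1 else None


def verify_failover_state(rtr_text, cac_text):
    """Cross-check the tracker state against the RBBL that Dynamic-CAC reports."""
    entries = parse_rtr(rtr_text)
    tunnel = active_tunnel(entries)
    rbbl = parse_dynamic_cac(cac_text)
    problems = []
    if tunnel is None:
        up = [n for n, e in entries.items() if e["status"] == "up"]
        problems.append(f"expected exactly one tracker up, found up: {up}")
    elif rbbl != tunnel["cac_kbps"]:
        problems.append(f"RBBL {rbbl} kbps does not match tunnel {tunnel['tunnel']} "
                        f"Dynamic-CAC {tunnel['cac_kbps']} kbps")
    return {"active": tunnel, "rbbl_kbps": rbbl, "problems": problems}


if __name__ == "__main__":
    state = verify_failover_state(SHOW_RTR, SHOW_DYNAMIC_CAC)
    print("active peer:", state["active"] and state["active"]["peer"])
    print("RBBL:", state["rbbl_kbps"], "kbps;", state["problems"] or "consistent")
```

A tracker state of "both down" is reported as a problem rather than silently treated as "no active peer", since in this design it means the gateway has no VPN path at all and IGAR overflow to the PSTN is the only route left.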


4.2 Verify VPN Status on the Enterasys XSR-1850 Security Router

Use the command show crypto isakmp sa on the Enterasys XSR-1850 Security Router to display the current IKE SA.

XSR-1850#show crypto isakmp sa

Connection-ID  State    Source          Destination     Lifetime
-------------  -------  --------------  --------------  --------
1381           QM_IDLE  12.160.179.124  68.38.206.100   84503

Use the command show crypto ipsec sa on the Enterasys XSR-1850 Security Router to display the current IPSec status.

XSR-1850#show crypto ipsec sa

192.168.204.0/30, ANY, 0 ==> 192.168.90.0/30, ANY, 0 : 3349 packets
  ESP: SPI=b8c5c77e, Transform=AES/HMAC-SHA, Life=1552S/4607666KB
  Local crypto endpt.=12.160.179.124, Remote crypto endpt.=68.38.206.100
  Encapsulation=Tunnel

192.168.90.0/30, ANY, 0 ==> 192.168.204.0/30, ANY, 0 : 3078 packets
  ESP: SPI=495e, Transform=AES/HMAC-SHA, Life=1552S/4607697KB
  Local crypto endpt.=12.160.179.124, Remote crypto endpt.=68.38.206.100
  Encapsulation=Tunnel


4.3 Verify VPN Status on the Cisco VPN 3000 Concentrator

Navigate to Monitoring > Sessions > LAN-to-LAN Sessions to verify the VPN status.

Connection Name  Login Time        IP Address     Protocol          Encryption  Duration  Bytes Tx  Bytes Rx
G250             May 05 13:45:36   68.38.206.100  IPSec/LAN-to-LAN  AES-128     2:00:57   872928    982288

IKE Sessions: 1    IPSec Sessions: 1

IKE Session
  Session ID              1
  Encryption Algorithm    AES-128
  Hashing Algorithm       MD5
  Diffie-Hellman Group    Group 2 (1024-bit)
  Authentication Mode     Pre-Shared Keys
  IKE Negotiation Mode    Aggressive
  Rekey Time Interval     86400 seconds

IPSec Session
  Session ID              2
  Remote Address          192.168.204.0/0.0.0.3
  Local Address           192.168.90.0/0.0.0.3
  Encryption Algorithm    AES-128
  Hashing Algorithm       SHA-1
  Encapsulation Mode      Tunnel
  PFS Group               2
  Rekey Time Interval     3600 seconds
  Rekey Data Interval     4608000 KBytes
  Bytes Received          982288
  Bytes Transmitted       872928


4.4 Verify GRE status on the Cisco Catalyst 6509 Layer 3 Router

Use the command show ip interface brief on the Cisco Catalyst 6509 Layer 3 Router to verify the GRE tunnel status. As shown below, tunnel interface 2 is up. The Enterasys XSR-1850 Security Router is used for the VPN connection when tunnel interface 2 is up.

Router#show ip int brief

Interface       IP-Address      OK? Method Status                Protocol
Vlan42          192.168.42.2    YES manual up                    up
Vlan87          192.168.87.1    YES NVRAM  up                    up
Vlan88          192.168.88.1    YES NVRAM  up                    up
Vlan89          192.168.89.1    YES NVRAM  up                    up
Vlan102         192.168.200.2   YES NVRAM  up                    up
Loopback1       192.168.90.1    YES manual up                    up
Loopback2       192.168.90.2    YES manual up                    up
Tunnel1         10.10.12.2      YES manual up                    down
Tunnel2         10.10.12.6      YES manual up                    up

Use the command show ip route to verify that the route entries are learned via OSPF through the tunnel interface:

Router#show ip route

Gateway of last resort is 192.168.200.1 to network 0.0.0.0

C    192.168.89.0/24 is directly connected, Vlan89
C    192.168.88.0/24 is directly connected, Vlan88
     70.0.0.0/24 is subnetted, 1 subnets
     192.168.90.0/32 is subnetted, 2 subnets
C       192.168.90.2 is directly connected, Loopback2
C       192.168.90.1 is directly connected, Loopback1
C    192.168.42.0/24 is directly connected, Vlan42
S    192.168.128.0/24 [1/0] via 192.168.200.1
     80.0.0.0/24 is subnetted, 1 subnets
C    192.168.200.0/24 is directly connected, Vlan102
O    192.168.202.0/24 [110/11112] via 10.10.12.5, 19:06:10, Tunnel2
     10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C       10.10.12.4/30 is directly connected, Tunnel2
O    192.168.203.0/24 [110/11112] via 10.10.12.5, 19:06:10, Tunnel2
     192.168.204.0/32 is subnetted, 2 subnets
S       192.168.204.1 [1/0] via 192.168.42.1
S       192.168.204.2 [1/0] via 192.168.42.3
C    192.168.87.0/24 is directly connected, Vlan87
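On the Catalyst 6509 side the two outputs above are again two views of one fact: the GRE tunnel that is up/up in show ip interface brief must be the interface through which the small-office prefixes are learned by OSPF, and the OSPF next hop must sit on that tunnel's connected subnet. The following Python is an added example, not part of the Application Notes and not Cisco code; it parses the two IOS outputs (embedded as constructed input copied from the page) and flags any route that points at a tunnel that is not up or at a next hop outside the tunnel subnet. It relies only on the line formats visible above.

```python
import ipaddress
import re

# Constructed input: the show ip interface brief output from the page.
SHOW_IP_INT_BRIEF = """\
Interface       IP-Address      OK? Method Status                Protocol
Vlan42          192.168.42.2    YES manual up                    up
Vlan87          192.168.87.1    YES NVRAM  up                    up
Vlan88          192.168.88.1    YES NVRAM  up                    up
Vlan89          192.168.89.1    YES NVRAM  up                    up
Vlan102         192.168.200.2   YES NVRAM  up                    up
Loopback1       192.168.90.1    YES manual up                    up
Loopback2       192.168.90.2    YES manual up                    up
Tunnel1         10.10.12.2      YES manual up                    down
Tunnel2         10.10.12.6      YES manual up                    up
"""

# Constructed input: the show ip route output from the page.
SHOW_IP_ROUTE = """\
Gateway of last resort is 192.168.200.1 to network 0.0.0.0

C    192.168.89.0/24 is directly connected, Vlan89
C    192.168.88.0/24 is directly connected, Vlan88
     192.168.90.0/32 is subnetted, 2 subnets
C       192.168.90.2 is directly connected, Loopback2
C       192.168.90.1 is directly connected, Loopback1
C    192.168.42.0/24 is directly connected, Vlan42
S    192.168.128.0/24 [1/0] via 192.168.200.1
C    192.168.200.0/24 is directly connected, Vlan102
O    192.168.202.0/24 [110/11112] via 10.10.12.5, 19:06:10, Tunnel2
     10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C       10.10.12.4/30 is directly connected, Tunnel2
O    192.168.203.0/24 [110/11112] via 10.10.12.5, 19:06:10, Tunnel2
     192.168.204.0/32 is subnetted, 2 subnets
S       192.168.204.1 [1/0] via 192.168.42.1
S       192.168.204.2 [1/0] via 192.168.42.3
C    192.168.87.0/24 is directly connected, Vlan87
"""

IFACE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ip>\S+)\s+YES\s+\S+\s+"
    r"(?P<status>administratively down|up|down)\s+(?P<proto>up|down)\s*$", re.M)
OSPF_RE = re.compile(
    r"^O\s+(?P<prefix>\S+)\s+\[(?P<ad>\d+)/(?P<metric>\d+)\] via (?P<nh>\S+), "
    r"(?P<age>\S+), (?P<iface>\S+)\s*$", re.M)
CONN_RE = re.compile(r"^C\s+(?P<prefix>\S+) is directly connected, (?P<iface>\S+)\s*$", re.M)


def parse_interfaces(text):
    """{interface: {ip, status, protocol}} from show ip interface brief."""
    return {m["name"]: {"ip": m["ip"], "status": m["status"], "protocol": m["proto"]}
            for m in IFACE_RE.finditer(text)}


def up_tunnels(ifaces):
    """Names of Tunnel interfaces whose line status and line protocol are both up."""
    return sorted(n for n, i in ifaces.items()
                  if n.startswith("Tunnel") and i["status"] == "up" and i["protocol"] == "up")


def parse_routes(text):
    """(OSPF routes, {interface: connected network}) from show ip route."""
    ospf = [m.groupdict() for m in OSPF_RE.finditer(text)]
    connected = {m["iface"]: ipaddress.ip_network(m["prefix"], strict=False)
                 for m in CONN_RE.finditer(text)}
    return ospf, connected


def verify_gre_routing(int_text, route_text):
    """Check that OSPF routes use the single up/up GRE tunnel and a next hop on its subnet."""
    active = up_tunnels(parse_interfaces(int_text))
    ospf, connected = parse_routes(route_text)
    problems = []
    if len(active) != 1:
        problems.append(f"expected exactly one GRE tunnel up/up, found {active}")
    if not ospf:
        problems.append("no OSPF-learned routes present")
    for r in ospf:
        if r["iface"] not in active:
            problems.append(f"OSPF route {r['prefix']} exits via {r['iface']}, which is not up/up")
        net = connected.get(r["iface"])
        if net is None or ipaddress.ip_address(r["nh"]) not in net:
            problems.append(f"next hop {r['nh']} for {r['prefix']} is not on the {r['iface']} subnet")
    return {"active_tunnels": active,
            "ospf_prefixes": sorted(r["prefix"] for r in ospf),
            "problems": problems}


if __name__ == "__main__":
    res = verify_gre_routing(SHOW_IP_INT_BRIEF, SHOW_IP_ROUTE)
    print("up/up tunnels:", res["active_tunnels"])
    print("prefixes learned over GRE:", res["ospf_prefixes"])
    print(res["problems"] or "routing consistent with tunnel state")
```

Running the check after a forced failover (shutting the active peer's side) should show Tunnel1 and Tunnel2 swapping roles in `active_tunnels` while the same two small-office prefixes remain in `ospf_prefixes`, now with next hop 10.10.12.1 on Tunnel1; a stale route still pointing through the down tunnel is exactly what this cross-check surfaces.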


5. Conclusion

As illustrated by these Application Notes, VPN failover can be configured on the Avaya G250-BRI Media Gateway using a peer group. An Object Tracker can be applied to a VPN tunnel for VPN DPD. The Avaya G250-BRI Media Gateway fails over to another VPN peer when the current VPN peer is detected to be dead. If the IGAR feature is configured, different numbers of VoIP calls can be provisioned for different VPN peers in a peer group; the overflow calls use PSTN facilities.

6. Additional References

The following Application Notes can be found at http://www.avaya.com.

[1] Configuring Avaya Communication Manager with Inter-Gateway Alternate Routing (IGAR) and Call Administration Control-Bandwidth Limit (CAC-BL) Features

[2] Site-to-Site Configuration between Avaya SG208 Security Gateway, Enterasys XSR-1850 Security Router, and Cisco VPN 3000 Concentrator using AES-128, Perfect Forward Secrecy and Tunnel Persistence

[3] Configuring a Generic Routing Encapsulation (GRE) Tunnel Over IPSec VPN Using Transport Mode with Open Shortest Path First (OSPF) Routing Protocol between an Avaya G250 Media Gateway and a Cisco Access Router


©2005 Avaya Inc. All Rights Reserved. Avaya and the Avaya Logo are trademarks of Avaya Inc. All trademarks identified by ® and ™ are registered trademarks or trademarks, respectively, of Avaya Inc. All other trademarks are the property of their respective owners. The information provided in these Application Notes is subject to change without notice. The configurations, technical data, and recommendations provided in these Application Notes are believed to be accurate and dependable, but are presented without express or implied warranty. Users are responsible for their application of any products specified in these Application Notes.

Please e-mail any questions or comments pertaining to these Application Notes along with the full title name and filename, located in the lower right corner, directly to the Avaya Solution & Interoperability Test Lab at [email protected]
