Remote Access: User Group; Remote Access: Mode Configuration - Avaya 1000 Series Configuration Manual


Remote Access VPN

Remote Access: User Group

One of the methods to achieve IPSec remote access in Avaya is the user group method. In
this method, the administrator creates an IKE policy for a logical group of users such as a
department in an organization. Each user in the group is identified by unique information
configured in the IKE policy. Also, an IPSec template is attached to the user group.
Once the VPN user is authenticated using IKE, the user's dynamically assigned IP address is
added to the destination address field in the IPSec template attached to the user group. The
VPN user now has the required IPSec policy that allows access through the gateway to the
corporate LAN.

Remote Access: Mode Configuration

The other method to achieve IPSec remote access in Avaya is the mode configuration method.
This method makes the VPN client an extension of the LAN being accessed by the VPN client.
The remote client appears as a network accessing some resource behind the VPN server.
The VPN client is allocated a private IP address by the VPN server and the client uses this as
the source IP address in the inner IP header in tunnel mode.

In tunnel mode, at each IKE end point, the IP traffic to be protected is completely encapsulated
within another IP packet. The inner IP header remains the same as in the original
traffic to be protected. In the outer IP header, the source and destination addresses are the
addresses of the tunnel end points.

Typically, for a remote user, the source address of the outer IP header is the dynamic public
IP address provided by the ISP. When mode configuration is enabled, the source address of
the inner IP header is the private address allocated by the VPN server to the VPN client.

As in the user group method, the administrator creates an IKE policy for a logical group
of users such as a department in an organization. The identity information used to identify each
user uniquely is configured in the IKE policy. The IKE policy is attached to a mode configuration
record. The mode configuration record contains an IPSec policy template to be used for
creating dynamic IPSec policy. The record also contains one or more pools of private IP
addresses to be used for allocating addresses to the VPN clients. Besides the private IP
address, the VPN server can also provide WINS and DNS server addresses.

Upon successful IKE authentication of a VPN client, the server checks whether the IKE policy
used to authenticate the VPN client is enabled for mode configuration. If so, the server allocates
a private IP address from one of the IP pools in the mode configuration record to the VPN
client. The destination address field in the IPSec template attached to the user group is filled
in with the private IP address allocated to the VPN client, and this is installed as an IPSec policy.
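
The following Python model walks through the server-side sequence described above (check for mode configuration, allocate from a pool, fill in the template's destination). It is an added illustration, not Avaya code or CLI syntax. All class, field and function names are hypothetical, and the /32 destination notation, the reuse of a lease on re-authentication and the release on tunnel teardown are modelling assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class ModeConfigRecord:
    template: dict                  # IPSec policy template; destination left unset
    pools: list                     # private address pools as CIDR strings (constructed)
    dns: str = None
    wins: str = None
    leases: dict = field(default_factory=dict)   # user identity -> allocated address

    def allocate(self, user_id):
        """Hand out the first free host address, walking the pools in order."""
        if user_id in self.leases:              # assumption: re-auth keeps the same lease
            return self.leases[user_id]
        in_use = set(self.leases.values())
        for pool in self.pools:
            for host in ipaddress.ip_network(pool).hosts():
                if host not in in_use:
                    self.leases[user_id] = host
                    return host
        raise RuntimeError("mode configuration pools exhausted")

    def release(self, user_id):
        """Assumption: the lease is freed when the client's tunnel is torn down."""
        self.leases.pop(user_id, None)

@dataclass
class IKEPolicy:
    name: str
    user_ids: set                   # identities configured for this user group
    mode_config: ModeConfigRecord = None   # None: policy not enabled for mode config

def on_ike_authenticated(policy, user_id):
    """Return the dynamic IPSec policy to install, or None without mode config."""
    if user_id not in policy.user_ids:
        raise PermissionError(f"{user_id} is not configured in IKE policy {policy.name}")
    rec = policy.mode_config
    if rec is None:
        return None
    addr = rec.allocate(user_id)
    dynamic = dict(rec.template)                # copy; the template itself stays generic
    dynamic["destination"] = f"{addr}/32"       # scoped to this one client only
    dynamic["client_config"] = {"ip": str(addr), "dns": rec.dns, "wins": rec.wins}
    return dynamic
```

Because each installed policy names a single client address as its destination, a pool sized smaller than the user group shows up as an allocation failure at connect time rather than as an over-broad policy.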
Avaya Secure Router 1000 Series Configuration Guide
December 2010
