Configuring IPSec VPN
2. Configure the IP address of the interface. You can configure either a static or a dynamic IP
address.
To configure a static IP address:
●
Make sure to specify an IP address (not an interface name) as the local-address
●
in the crypto-list (see
Within the interface context, specify the IP address and mask using the ip address
●
command.
G350-001(config-if:FastEthernet 10/2)# ip address 192.168.49.1
25.255.255.0
To configure a dynamic IP address, see
●
3. Use the ip crypto-group command, followed by the index of the crypto-group, to assign
a crypto-group to the interface.
!
Important:
ip crypto-group is a mandatory parameter.
Important:
4. Optionally, you can set the following parameters:
The crypto ipsec minimal pmtu command is intended for advanced users only. It
●
sets the minimal PMTU value which can be applied to an SA when the G250/G350
participates in Path MTU Discovery (PMTUD) for the tunnel pertaining to that SA.
The crypto ipsec df-bit command is intended for advanced users only. It sets the
●
Do Not Fragment (DF) bit to either clear or copy mode:
copy – the DF bit of the encapsulated packet is copied from the original packet, and
●
Path MTU Discovery (PMTUD) is maintained for the IPSec tunnel.
clear – the DF bit of the encapsulated packet is never set, and PMTUD is not
●
maintained for the IPSec tunnel. Packets traversing an IPSec tunnel are
pre-fragmented according to the MTU of the SA, regardless of their DF bit. In case
packets are fragmented, the DF bit is copied to every fragment of the original packet
G350-001(config-if:FastEthernet 10/2)# ip crypto-group 901
Done!
G350-001(config-if:FastEthernet 10/2)# crypto ipsec minimal pmtu 500
Done!
G350-001(config-if:FastEthernet 10/2)# crypto ipsec df-bit copy
Done!
5. Exit the interface context using the exit command.
G350-001(config-if:FastEthernet 10/2)# exit
G350-001#
382 Administration for the Avaya G250 and Avaya G350 Media Gateways
Configuring crypto-lists
Using dynamic local peer IP
on page 377).
on page 392.
.