Avaya G250 Administration page 424

Configuring IPSec VPN
Configuring the VPN DNS topology
To configure the VPN DNS topology:
1. Define the private Vlan1 and Vlan2 interfaces (IP address and mask), and define one of them as the PMI and ICC-VLAN.
2. Define the public Fast Ethernet 10/2 interface (IP address and mask).
3. Define the default gateway (the IP of the next router).
4. Define the DNS name-server-list and the IP address of the DNS server.
   Note: Alternatively, you can use DHCP Client or PPPoE to dynamically learn the DNS server's IP address. Use the ip dhcp client request command when using DHCP client, or use the ppp ipcp dns request command when using PPPoE.
5. Define the ISAKMP policy using the crypto isakmp policy command.
6. Define the remote peer with FQDN, using the crypto isakmp peer address command, including:
   - the pre-shared key
   - the ISAKMP policy
7. Define the IPSEC transform-set using the crypto ipsec transform-set command.
8. Define the crypto map using the crypto map command.
9. Define the crypto-list as follows:
   - Set the local address to the public interface name (for example, FastEthernet 10/2.0)
   - For each private interface, define an ip-rule using the following format:
     - source-ip <private subnet> <private subnet wildcard mask>. For example: 10.10.10.0 0.0.0.255
     - destination-ip any
     - protect crypto map 1
10. Define the ingress access control list (ACL) to protect the device from incoming traffic from the public interface, as follows:
   - Permit DNS traffic to allow clear (unencrypted) DNS traffic.
   - Permit IKE traffic (UDP port 500) for VPN control traffic (IKE).
   - Permit ESP traffic (IP protocol ESP) for VPN data traffic (IPSEC).
   - Permit ICMP traffic to support the PMTU application, for a better fragmentation process.
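
The ip-rule format in step 9 takes a wildcard mask (the bitwise inverse of the subnet mask), which is easy to get wrong by hand and silently changes which traffic the crypto map protects. The following Python helper is an added example, not part of the Avaya manual: it derives the three rule lines from each private interface's address and mask. The interface addresses are constructed sample values, and the helper emits only the lines shown in step 9, not the surrounding CLI commands.

```python
import ipaddress


def ip_rule_lines(address: str, mask: str, crypto_map_id: int = 1) -> list[str]:
    """Build the three step-9 rule lines for one private interface.

    address/mask are the interface's IPv4 address and dotted subnet mask.
    """
    # IPv4Interface raises ValueError for a malformed address or a
    # non-contiguous mask such as 255.0.255.0.
    net = ipaddress.IPv4Interface(f"{address}/{mask}").network
    if net.prefixlen == 0:
        raise ValueError("mask 0.0.0.0 would select all traffic, not one subnet")
    return [
        # hostmask is the inverse of the subnet mask, i.e. the wildcard mask
        f"source-ip {net.network_address} {net.hostmask}",
        "destination-ip any",
        f"protect crypto map {crypto_map_id}",
    ]


def crypto_list_rules(interfaces: dict[str, tuple[str, str]]) -> list[list[str]]:
    """Return one rule per distinct private subnet, in interface order."""
    seen: set[str] = set()
    rules: list[list[str]] = []
    for _name, (address, mask) in interfaces.items():
        lines = ip_rule_lines(address, mask)
        if lines[0] not in seen:  # two interfaces in one subnet need one rule
            seen.add(lines[0])
            rules.append(lines)
    return rules


if __name__ == "__main__":
    # Constructed sample addressing for the Vlan1 and Vlan2 private interfaces.
    private = {
        "Vlan1": ("10.10.10.1", "255.255.255.0"),
        "Vlan2": ("10.10.20.1", "255.255.255.0"),
    }
    for rule in crypto_list_rules(private):
        print("\n".join(rule), end="\n\n")
```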
424 Administration for the Avaya G250 and Avaya G350 Media Gateways