Avaya G430 Manual page 498

Administering branch gateway

IPSec VPN

Procedure
1. To modify a parameter linked to an active crypto list, you must first deactivate the list using the no ip crypto-group command in the context of the interface on which the crypto list is activated.
   Note:
   If the crypto list is activated on more than one interface, deactivate the crypto list for each of the interfaces on which it is activated.
   For example:
   G430-001# interface fastethernet 10/2
   G430-001(if:FastEthernet 10/2)# no ip crypto-group
   Done!
2. After modifying IPSec VPN parameters as desired, re-activate the crypto list on the interface using the ip crypto-group crypto-list-id command.
   For example:
   G430-001# interface fastethernet 10/2
   G430-001(if:FastEthernet 10/2)# ip crypto-group 901
   Done!

Changing parameters of a crypto list.
Procedure
1. Use the ip policy-list-copy old list new list command
2. Edit the new list
3. Activate it on the interface.
Note that activating the new list causes all the current IPSec tunnels to close.

Access control lists
Since VPN is intended for a public network such as the Internet, it is recommended to define an access control list using the ip access-control-list command, to avoid traffic that should not enter the device. You should, therefore, define an ingress access control list that allows only IKE, ESP, and ICMP traffic to enter the device from the public interface. For a configuration example see the access control list in Simple VPN topology – VPN hub and spokes on page 505.

498 Administering Avaya G430 Branch Gateway October 2013
Comments? infodev@avaya.com
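The ingress rule recommended under Access control lists (permit only IKE, ESP, and ICMP on the public interface) can be checked mechanically. The following is an added example, not taken from the Avaya manual: a Python audit over a hypothetical vendor-neutral rule model (the Rule class, audit_ingress function and sample lists are assumptions, not G430 CLI syntax), using the standard values UDP port 500 for IKE and IP protocol numbers 50 for ESP and 1 for ICMP.

```python
from dataclasses import dataclass
from typing import List, Optional

ICMP, UDP, ESP = 1, 17, 50          # IANA IP protocol numbers
IKE_PORT = 500                      # IKE runs over UDP port 500
REQUIRED = (("IKE", UDP, IKE_PORT), ("ESP", ESP, None), ("ICMP", ICMP, None))

@dataclass(frozen=True)
class Rule:
    """Vendor-neutral rule (hypothetical model, not G430 CLI syntax)."""
    action: str                      # "permit" or "deny"
    protocol: Optional[int] = None   # IP protocol number; None matches any
    dst_port: Optional[int] = None   # destination port; None matches any

def is_vpn_traffic(rule: Rule) -> bool:
    """True when a rule matches nothing beyond IKE, ESP or ICMP."""
    if rule.protocol in (ESP, ICMP):
        return True
    return rule.protocol == UDP and rule.dst_port == IKE_PORT

def covers(outer: Rule, inner: Rule) -> bool:
    """True when 'outer' matches every packet that 'inner' matches."""
    return (outer.protocol in (None, inner.protocol)
            and outer.dst_port in (None, inner.dst_port))

def audit_ingress(rules: List[Rule], default_action: str = "deny") -> List[str]:
    """Walk the list in first-match order; an empty result means compliant."""
    findings, denies, effective = [], [], []
    for idx, rule in enumerate(rules, start=1):
        if rule.action == "deny":
            denies.append(rule)
        elif not is_vpn_traffic(rule):
            findings.append(f"rule {idx}: permits traffic other than IKE/ESP/ICMP")
        elif any(covers(d, rule) for d in denies):
            findings.append(f"rule {idx}: permit is shadowed by an earlier deny")
        else:
            effective.append(rule)
    for name, proto, port in REQUIRED:
        if not any(r.protocol == proto and port in (None, r.dst_port) for r in effective):
            findings.append(f"no effective permit for {name}")
    if default_action != "deny":
        findings.append("default action must be deny")
    return findings

# Constructed sample lists for illustration.
GOOD = [Rule("permit", UDP, IKE_PORT), Rule("permit", ESP), Rule("permit", ICMP)]
BAD = [Rule("permit", UDP, IKE_PORT), Rule("permit", 6, 23), Rule("deny", ESP),
       Rule("permit", ESP)]

if __name__ == "__main__":
    for label, acl in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, audit_ingress(acl) or "compliant")
```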
