Avaya G430 Manual page 543

Administering branch gateway
5. Define the ISAKMP policy, using the crypto isakmp policy command.
6. Define the 3 remote peers, using the crypto isakmp peer address command, and specify for each one:
   • the pre-shared key
   • the ISAKMP policy
   • keepalive track. This track is the object tracker that checks if the peer is still alive. If an active peer is considered dead, the next peer in the peer group becomes the active peer.
7. Define a peer group that includes all three remote peers, using the crypto isakmp peer-group command.
8. Define the IPSEC transform-set, using the crypto ipsec transform-set command.
9. Define the Crypto map entity, using the crypto map command.
10. Define the crypto list as follows:
   a. Set the local address to the public interface name (for example, FastEthernet 10/3.0).
   b. For each private interface, define an ip-rule using the following format:
      • source-ip <private subnet> <private subnet wildcard mask>. For example, 10.10.10.0 0.0.0.255
      • destination-ip any
      • protect crypto map 1
11. Define the ingress access control list to protect the device from incoming traffic from the public interface, as follows:
   a. Permit IKE traffic (UDP port 500) for VPN control traffic (IKE).
      Note: If you are using NAT Traversal, you must also open UDP ports 4500 and 2070.
   b. Permit ESP traffic (IP protocol ESP) for VPN data traffic (IPSEC).
   c. Permit ICMP traffic, to support PMTU, for a better fragmentation process.
   d. For each private subnet, add a permit rule with the destination being the private subnet and the source being any. This traffic will be allowed only if it tunnels under the VPN, because of the crypto list.
   e. Define all other traffic (default rule) as deny, in order to protect the device from non-secure traffic.

Administering Avaya G430 Branch Gateway
IPSec VPN, October 2013, page 543
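The crypto-list matching of step 10 and the ordered ingress ACL of step 11, modelled in Python as an added example for checking the intended behaviour; this is not the G430 configuration syntax or Avaya code. The private subnets, the rule representation and the sample packets are constructed here.

```python
"""Model of the step 10 crypto list and step 11 ingress ACL (added example, constructed data)."""
from ipaddress import ip_address

# Constructed private subnets in "network wildcard-mask" form, as in step 10(b)
PRIVATE_SUBNETS = [("10.10.10.0", "0.0.0.255"), ("10.10.20.0", "0.0.0.255")]
ANY_NET = ("0.0.0.0", "255.255.255.255")  # wildcard of all ones matches every address


def wildcard_match(ip, network, wildcard):
    """True if ip falls in network/wildcard; wildcard bits set to 1 are 'don't care'."""
    ip_i, net_i, wc_i = (int(ip_address(a)) for a in (ip, network, wildcard))
    return (ip_i ^ net_i) & ~wc_i & 0xFFFFFFFF == 0


def build_ingress_acl(private_subnets, nat_traversal=False):
    """Ordered rules (a)-(e); each rule is (action, proto, dst_port, dst_net, dst_wild)."""
    acl = [("permit", "udp", 500, *ANY_NET)]                     # a. IKE control traffic
    if nat_traversal:                                             # Note: NAT-T ports from the page
        acl += [("permit", "udp", p, *ANY_NET) for p in (4500, 2070)]
    acl.append(("permit", "esp", None, *ANY_NET))                 # b. ESP data traffic
    acl.append(("permit", "icmp", None, *ANY_NET))                # c. ICMP for PMTU
    for net, wild in private_subnets:                             # d. one rule per private subnet
        acl.append(("permit", "any", None, net, wild))
    acl.append(("deny", "any", None, *ANY_NET))                   # e. default deny
    return acl


def evaluate(acl, proto, dst_ip, dst_port=None):
    """First-match evaluation of a packet arriving on the public interface."""
    for action, r_proto, r_port, r_net, r_wild in acl:
        if r_proto not in ("any", proto):
            continue
        if r_port is not None and r_port != dst_port:
            continue
        if wildcard_match(dst_ip, r_net, r_wild):
            return action
    return "deny"  # unreachable while rule (e) is present; safe fallback otherwise


def crypto_list_protects(private_subnets, src_ip):
    """True if a step 10(b) ip-rule (source-ip <subnet> <wildcard>) sends this source into the crypto map."""
    return any(wildcard_match(src_ip, net, wild) for net, wild in private_subnets)
```

Running `evaluate` over a few constructed packets shows that plaintext traffic to a non-private destination is dropped by rule (e) while IKE, ESP, ICMP and traffic to the private subnets pass, exactly the ordering the steps describe.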
