Avaya G430 Manual page 544

Administering branch gateway

IPSec VPN

12. Optionally, define the egress access control list to protect the device from sending traffic that is not allowed to the public interface:
   a. Permit IKE traffic (UDP port 500) for VPN control traffic (IKE)
      Note: If you are using NAT Traversal, you also need to open UDP ports 4500 and 2070.
   b. Permit ESP traffic (IP protocol ESP) for VPN data traffic (IPSec)
   c. Permit ICMP traffic, to support the PMTU application, for a better fragmentation process
   d. For each private subnet, add a permit rule with the source being the private subnet and the destination being any
   e. Define all other traffic (default rule) as deny, in order to protect the device from sending non-secure traffic
13. Activate the crypto list, the ingress access control list, and the egress access control list on the public interface.

Failover VPN topology using a peer-group example

!
! Define the Private Subnet1
!
interface vlan 1
description "Branch Subnet1"
ip address 10.0.10.1 255.255.255.0
icc-vlan
pmi
exit
!
! Define the Private Subnet2
!
interface vlan 2
description "Branch Subnet2"
ip address 10.0.20.1 255.255.255.0
exit
!
! Define the Public Subnet
!
interface fastethernet 10/3
ip address 100.0.0.2 255.255.255.0
exit
!
! Define the default gateway on the public interface
!
ip default-gateway 100.0.0.1
!
! We wish to check 5 hosts in the Corporate intranet behind the current VPN
! remote peer, and if 2 or more hosts don't work then keepalive-track will fail,
! and we will move to the next peer in the peer-group
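The egress access control list from step 12, modelled as a first-match rule list in Python. This is an added example, not Avaya CLI and not from the manual; it takes the two private subnets from the configuration example above, the sample packets are constructed, and it shows that the NAT Traversal ports (4500 and 2070) stay closed unless that option is switched on.

```python
import ipaddress
from dataclasses import dataclass

# Private subnets taken from the configuration example on this page.
PRIVATE_SUBNETS = [ipaddress.ip_network("10.0.10.0/24"),
                   ipaddress.ip_network("10.0.20.0/24")]
IKE_PORTS = {500}            # rule a: IKE control traffic
NAT_T_PORTS = {4500, 2070}   # only opened when NAT Traversal is in use


@dataclass
class Packet:
    """Constructed packet summary: only the fields the ACL looks at."""
    src: str
    dst: str
    proto: str      # "udp", "tcp", "esp" or "icmp"
    dport: int = 0  # destination port for udp/tcp


def build_egress_rules(nat_traversal=False):
    """Return the ordered (action, matcher) list for rules a to e of step 12."""
    udp_ports = IKE_PORTS | (NAT_T_PORTS if nat_traversal else set())
    rules = [
        ("permit", lambda p: p.proto == "udp" and p.dport in udp_ports),  # a. IKE
        ("permit", lambda p: p.proto == "esp"),                           # b. ESP data
        ("permit", lambda p: p.proto == "icmp"),                          # c. ICMP for PMTU
    ]
    for net in PRIVATE_SUBNETS:                                           # d. one rule per subnet
        rules.append(("permit",
                      lambda p, net=net: ipaddress.ip_address(p.src) in net))
    rules.append(("deny", lambda p: True))                                # e. default deny
    return rules


def evaluate(rules, packet):
    """First matching rule wins; an empty list falls back to deny."""
    for action, match in rules:
        if match(packet):
            return action
    return "deny"
```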
Comments? infodev@avaya.com
October 2013