Avaya IP Office (R3.0) User Manual

Virtual private networking

IP Office (R3.0) Virtual Private Networking
40DHB0002UKER Issue 3 (4th February 2005)

Summary of Contents for Avaya IP Office (R3.0)

  • Page 1 IP Office (R3.0) Virtual Private Networking 40DHB0002UKER Issue 3 (4 February 2005)
  • Page 2: Table of Contents

    Page 2 - Contents
    Figures ... 3
    Introduction ... 4
    General ... 4
    Further Reading ... 4
    Overview of IPSec and L2TP Technologies ... 5
    General ... 5
    IPSec ... 6
    L2TP ... 7
    Overview of Secure VPN Implementation ... 9
    IPSec Implementation ... 9
    L2TP Implementation ...
  • Page 3: Figures

    Contents (Cont.)
    Configuration Examples ... 34
    Part 1: Basic Internet Access ... 34
    Internet Access using a Logical Interface ... 34
    Basic Internet Access using LAN2 ... 36
    Part 2: VPN configuration ... 37
    IPSec - Between Two IP Office systems over ADSL using the Logical LAN ... 37
    L2TP/IPSec between two IP Office's ...
  • Page 4: Introduction

    The new VPN capability in Avaya's IP Office gives small and medium-sized businesses a cost-effective alternative to private leased line or Frame Relay (FR) services for interconnecting sites.
  • Page 5: Overview of IPSec and L2TP Technologies

    Overview of IPSec and L2TP Technologies - Page 5 Overview of IPSec and L2TP Technologies This section presents a brief overview and describes key terms and references specific to the tunneling protocols that comprise the new IP Office 3.0+ features of secure VPN networking using Internet Protocol Security (IPSec) and L2TP.
  • Page 6: IPSec

    Page 6 - Overview of IPSec and L2TP Technologies IPSec IP packets have no inherent security. Hence, where security is required, IPSec is used. IPSec is a method of protecting IP datagrams and provides: 1. Data origin authentication 2. Data integrity authentication. 3.
  • Page 7: L2TP

    Overview of IPSec and L2TP Technologies - Page 7 L2TP Layer 2 Tunneling Protocol (L2TP) provides a means for tunneling IP traffic at layer 2 and is derived from two other tunneling protocols (PPTP and L2F). L2TP is built upon the well-established Internet communications protocol Point-to-Point Protocol (PPP), and Transmission Control Protocol/Internet Protocol (TCP/IP).
  • Page 8 Page 8 - Overview of IPSec and L2TP Technologies Compulsory Tunneling A compulsory tunnel is an L2TP tunnel which is not controlled by the user. In compulsory tunneling the dial-up client PC accesses the Private Network by first dialing to an L2TP Access Concentrator (LAC), which terminates the Public Switched Telephone Network (PSTN) connection and then establishes an L2TP tunnel to the L2TP Network Server (LNS).
  • Page 9: Overview of Secure VPN Implementation

    Overview of Secure VPN Implementation - Page 9 Overview of Secure VPN Implementation IP Office’s secure VPN solutions comprise both IPSec and L2TP tunneling protocols. Both of these protocols may be used independently or collectively to provide the required secure VPN. In order to explain the IP Office secure VPN solution this section describes each protocol implementation in turn and, for IPSec, how IP Office handles an unprotected packet arriving at an interface.
  • Page 10: Figure 5. Inbound Unprotected Packet Type Detection

    Page 10 - Overview of Secure VPN Implementation If the unprotected packet matches a condition for which there is no established SA then IP Office will initiate IPSec tunnel establishment (ISAKMP) to the specified remote gateway. Once the tunnel is established the packet is encrypted and forwarded to the appropriate interface.
  • Page 11: L2TP Implementation

    Overview of Secure VPN Implementation - Page 11 L2TP Implementation With IP Office version 3.0+, VPN implementation of an L2TP tunnel presents a routable destination. The configured L2TP tunnel is available in the routing table as an IP destination interface. IPSec is different in this respect in that it applies a treatment or protection to specified IP addresses.
  • Page 12: Figure 6. L2TP Implementation

    Page 12 - Overview of Secure VPN Implementation For any routable packet the routing table is referenced to determine the appropriate destination. If the packet is for an L2TP destination then IP Office checks the status of the tunnel. If established the packet is forwarded. If the packet is addressed to an L2TP destination and the tunnel is not active, then IP Office uses the remote gateway entry on the L2TP form and initiates the tunnel setup.
  • Page 13: Logical LAN Implementation

    Overview of Secure VPN Implementation - Page 13 Logical LAN Implementation The Logical LAN feature is new to IP Office (2.0+ software). The Logical LAN feature allows a second LAN interface to operate together with the primary System LAN interface (LAN1).
  • Page 14 Page 14 - Overview of Secure VPN Implementation The Logical and System LAN interfaces use different MAC addresses, function on a common Layer 2 collision domain but operate on separate Layer 3 subnets. Both the Logical and System LANs are tied to the same Physical LAN. The Logical LAN feature allows single LAN systems such as the IP403 and IP406 to be used in conjunction with an external Internet router or xDSL device.
  • Page 15: Typical VPN Deployment

    Overview of Secure VPN Implementation - Page 15 Typical VPN Deployment The diagram below shows a typical IP Office VPN networking deployment using the Internet and other public access networks. Within this section the elements that are detailed in the diagram will be discussed with respect to the IP Office 3.0+ VPN implementation.
  • Page 16: Public Access Networks

    Page 16 - Overview of Secure VPN Implementation Public Access Networks IP Office can be connected to the Internet or other public networks in a number of ways. This section details the supported technologies and media types for connection to public networks. Media Description Frame Relay...
  • Page 17: Public Interface

    Overview of Secure VPN Implementation - Page 17 Public Interface A public interface is one that is used to connect IP Office directly to an xDSL or Internet router and thereby provide Internet access. (A public LAN is sometimes referred to as a demilitarized zone.) It is the function of the public interface to secure the Internal LAN from the Internet.
  • Page 18: Internal LAN

    Microsoft Management Console (MMC) to add the IP Security Policy Management snap-in. A Windows registry key change is required in order to support IPSec in pre-shared mode. To avoid this requirement, Avaya recommends the use of the NetScreen VPN client.
  • Page 19: VPN and VoIP

    Overview of Secure VPN Implementation - Page 19 VPN and VoIP Telephony IP Office incorporates many advanced telephony features which can be used in conjunction with VPN networking to provide secure speech over the Internet. Using such features as Small Community Networking, it is possible to create a virtual PABX that is transparent to the physical location.
  • Page 20: Bandwidth Calculation Variables

    ...IPHC.
    Fax header (Fax_header): The fax header comprising, without IPHC, IP = 20, UDP = 8, RTP = 12 and Avaya info = 6. With IPHC, see note below.
    Payload (Payload): The number of bytes per sample...
  • Page 21: Bandwidth Requirement Calculation

    Overview of Secure VPN Implementation - Page 21 Bandwidth Requirement Calculation Example 1 The following example uses the formula below to determine the total bandwidth required for a G729 call using IPSec encryption (3DES) over Ethernet. See page 20 for details of the variables.
  • Page 22: Example 2

    Page 22 - Overview of Secure VPN Implementation Example 2 The following example uses the formula below to determine the total bandwidth required for a 14400 baud fax call using PPP encapsulated in Frame Relay. See page 21 for details of the variables.
    (L2_header + Fax_header + Payload) × Payload_per_sec
    Use the calculation above to determine the total bandwidth requirement, then set the appropriate values (in terms of the allowed number of calls) by using IP Line...
  • Page 23: Maximum Load

    Overview of Secure VPN Implementation - Page 23 Maximum Load The table below shows the maximum load figures for VPN and VoIP calls for all IP Office platforms running 3.0+ software. The bandwidth figures quoted below are for both directions. IP406 V2 IP412 IP403/IP406...
  • Page 24: Configuration

    Page 24 - Configuration Configuration IPSec Configuration The IP Security form is used to configure an IPSec security policy between two IPSec peers. Three tabs are available on the IPSec form (Main, IKE and IPSec). The Main tab is used to set the IP addressing conditions and Local/Remote gateway IP addresses while the IKE and IPSec Policies tabs are used to configure specific IPSec parameters.
  • Page 25 Configuration - Page 25 The table below details the parameters that are included on the Main tab of the IPSec Security menu.
    Main tab: Name: A unique name for the tunnel. Local Configuration: • IP Address: The IP Address and IP Mask are used in conjunction with each other to configure and set the conditions for this Security Association (SA) •...
  • Page 26: Guidelines - Local and Remote IP Address/Mask Configuration

    Page 26 - Configuration Guidelines - Local and Remote IP Address/Mask configuration 1. When both IP Address and IP Mask fields are left un-configured this means “match all”. Typically this case is used to match Internet traffic. 2. Unless an explicit policy exists for the local subnet it will not be matched. This means an un-configured entry as detailed above will not match any locally attached subnets (i.e.
  • Page 27: IKE and IPSec Policies Tabs

    Configuration - Page 27 IKE and IPSec Policies Tabs Previously, the way in which the Main tab is used to set the conditions that “trigger” the SA was described (see page 24). The IKE and IPSec Policies tabs are used to configure and complete the rest of the policy for the SA.
  • Page 28: IKE Policies Tab

    Page 28 - Configuration IKE Policies tab During Phase 1 negotiations, Internet Key Exchange (IKE) is used to establish a secure channel for performing further IKE negotiations (see page 27). In Phase 2, IKE is used to negotiate the SA (using either the Authentication Header or Encapsulating Security Payload).
  • Page 29: IPSec Policies Tab

    Configuration - Page 29 IPSec Policies tab The IPSec Policies tab is used to configure and complete the SA policy. Each SA requires a unique IPSec form for each peer, which can be either a client or another IPSec Gateway (see page 27). Figure 12.
  • Page 30: L2TP Configuration

    Page 30 - Configuration L2TP Configuration The L2TP form consists of three tabs (Tunnel, L2TP and PPP). Access to these tabs is: 1. With the Manager application open, click on Tunnel and then right click in the display panel. 2. Select New and the Tunnel Selection menu is displayed. 3.
  • Page 31: L2TP/L2TP Tab

    Configuration - Page 31 L2TP/L2TP tab Figure 14. The L2TP/L2TP tab (Parameter, Options, Description):
    Shared Secret/Confirm Password: User setting used for authentication. Must be matched by both peers. This password is separate to the PPP authentication parameters defined on the L2TP/Tunnel tab (see page 30).
    Total Control Retransmission: Default = 0. The time delay before retransmission.
  • Page 32: L2TP/PPP Tab

    Page 32 - Configuration L2TP/PPP tab Figure 15. The L2TP/PPP tab (Parameter, Options, Description):
    CHAP Challenge Interval: A time interval between successive CHAP challenges on an active link.
    Header Compression: Options = Off, IPHC; Default = Off. IP header compression.
    Compression Mode: Default = all Off. Data compression of PPP packets.
  • Page 33: Logical LAN Menu

    Configuration - Page 33 Logical LAN Menu The Logical LAN feature allows a secondary LAN or logical Ethernet interface to be created. Hence, single LAN systems, such as the IP403 or IP406, can be used as dual LAN systems. Using this arrangement the Logical LAN provides the public interface and the physical LAN1 provides the internal LAN functions.
  • Page 34: Configuration Examples

    Page 34 - Configuration Examples Configuration Examples This section details example configuration and guidelines for IP Office VPN scenarios. To aid clarity, the configuration procedure for VPN has been separated from general IP connectivity and therefore this section is divided into three parts: Part 1 Basic Internet Access: Highlights a number of ways to connect IP Office to the Internet (see page 34).
  • Page 35 Configuration Examples - Page 35 Task Description Step 1 Within Manager, right click the Logical LAN entity and create a new Logical LAN (see page 33). Step 2 The logical interface is in effect a secondary LAN and is normally used on single LAN IP Office systems, to connect to ADSL routers for example. Logical LAN values...
  • Page 36: Basic Internet Access Using LAN2

    Page 36 - Configuration Examples Basic Internet Access using LAN2 This configuration example provides similar functionality to the previous example (see page 34) but is different in that a physical interface is used to provide Internet access. VPN connections are typically between two systems. This configuration forms the basis of the configuration examples detailed in Parts 1 and 2 (see pages 34 and 37).
  • Page 37: Part 2: VPN Configuration

    Configuration Examples - Page 37 Part 2: VPN configuration IPSec - Between Two IP Office systems over ADSL using the Logical LAN The network consists of two IP403 systems that are linked to the Internet using ADSL modems. The configuration utilizes NAT functionality to access the Internet and IPSec to establish a secure VPN between the two sites.
  • Page 38 Page 38 - Configuration Examples Task Description Step 1 See the Basic Internet access section - Internet Access using a Logical Interface on page 34. In order to establish IP connectivity, configure the two systems using the IP addressing details above. Step 2 Before beginning the configuration of the IPSec element of this example it must be possible to perform...
  • Page 39 Configuration Examples - Page 39 Task Description Step 6 For IP Office A perform the following on the IPSec Policies tab: • Protocol = ESP (Protocol set to Encapsulating Security Payload). • Encryption = DES (Encryption set to DES). • Authentication set to MD5 •...
  • Page 40: L2TP/IPSec Between Two IP Office's

    Page 40 - Configuration Examples L2TP/IPSec between two IP Office’s The network consists of an IP412 at the corporate office and a number of IP Office - Small Office Editions at the branch offices. These are linked to the Internet using xDSL/Internet routers.
  • Page 41: Part 1 - L2TP Configuration

    Configuration Examples - Page 41 Part 1 - L2TP configuration In order to establish IP connectivity, configure the systems using the IP addresses detailed in Figure 20 (see page 40). Task Description Step 1 For IPO_CO create an L2TP tunnel (see page 30).
  • Page 42 Page 42 - Configuration Examples Task Description Step 5 Create the following two IP Routes on IPO_CO: • IP Address = 192.168.50.0 The default route pointing all traffic into the L2TP Tunnel. • IP Mask = 255.255.255.0 • Gateway = <un-configured> •...
  • Page 43: Part 2 - IPSec Configuration

    Configuration Examples - Page 43 Part 2 - IPSec configuration With Part 1 completed (see page 41), perform the following: Task Description Step 1 Install the IPSec Licence. An IPSec Licence is required per IP Office. Make sure the IPSec licences are valid on both PCs. Licence name –...
  • Page 44

    Page 44 - Configuration Examples Task Description Step 6 In order for an IPSec SA to be established between two systems the IKE and IPSec Policies form must be identical for each peer. For Branch No. 1, use the parameters shown in Steps 3 and 4 to complete the IPSec form configuration.
  • Page 45: IPSec Client Application (Dynamic Mode)

    Configuration Examples - Page 45 IPSec Client Application (Dynamic Mode) The following example shows a simple configuration that allows a client-initiated IPsec connection to be terminated on IP Office. Using this network, the homeworker is able to access the corporate office over a secure IPsec connection for both telephony and to access corporate resources.
  • Page 46: Part 1 - VPN Client Configuration

    Page 46 - Configuration Examples Part 1 - VPN Client Configuration Install the NetScreen-Remote VPN Client application and create a new connection using the details shown in the table below. The information shown here is specific to NetScreen-Remote 10.0.0 (build 10). NetScreen-Remote VPN Client My Connection New Connection...
  • Page 47: Part 2 - IP Office Configuration

    Configuration Examples - Page 47 Part 2 - IP Office Configuration Task Description Step 1 Within Manager, create and configure a Logical LAN interface using the details below (see page 33). See Basic Internet access section - Internet Access using a Logical Interface on page 34. •...
  • Page 48 Page 48 - Configuration Examples Task Description Step 6 For IP Office, perform the following on the IPSec Policies tab: • Protocol = ESP (Protocol set to Encapsulating Security Payload). • Encryption = DES (Encryption set to DES). • Authentication = MD5 (Authentication set to MD5). •... This is the time period before a new key is...
  • Page 49: IPSec over the WAN

    Configuration Examples - Page 49 IPSec over the WAN The IPSec Tunnel will be established over the WAN in order to secure all IP traffic between subnets. As an alternative, Frame Relay could be used instead of the dedicated WAN link. This section is split into two parts as follows: 1.
  • Page 50 Page 50 - Configuration Examples Task Description Step 3 For IP Office Location A create an IPSec tunnel (see The IP Security Menu on page 24). A discrete name for the IPSec tunnel is required. Main tab: The Local Configuration for the IP Address/Mask and Remote IP Address/Mask determines the range of IP addresses to be...
  • Page 51: An Un-numbered PPP WAN Link

    Configuration Examples - Page 51 An Un-numbered PPP WAN Link Figure 23. An Un-numbered PPP WAN Link Task Description Step 1 Configure the WAN link using the diagram above and check for correct operation. The IPSec tunnel will be established over the WAN in order to secure IP traffic between the two subnets.
  • Page 52

    Page 52 - Configuration Examples Task Description Step 4 For IP Office Location B create an IPSec tunnel (see The IP Security Menu on page 24). Main tab: See notes in step 3 above. Local Configuration: The Local Tunnel Endpoint IP Address is the •...
  • Page 53: Part 3 VoIP Configuration

    Configuration Examples - Page 53 Part 3 VoIP Configuration Once a VPN connection is established and working, VoIP configuration can be applied. For this reason it is important to have full IP connectivity before beginning VoIP configuration. Because the VoIP configuration is transparent to the means of IP connectivity, the configuration procedure described here can be applied to any of the examples shown in earlier sections (see pages 34 and 37).
  • Page 54 Page 54 - Configuration Examples Task Description Step 5 Within Manager, for Office A set the destination VoIP Gateway to the IP address of the internal interface address of... The IP Line is used to configure the VoIP Gateway for IP Office. Although the LAN2 interface can be used to terminate a VoIP gateway...
  • Page 55 Configuration Examples - Page 55 Task Description Step 8a (optional) Voice Networking Make sure that the telephone extension ranges on the two IP Offices are different. To enable Voice networking select the following option on the VoIP tab of the IP Line form.
  • Page 56: Glossary

    Page 56 - Glossary Glossary AH: Authentication Header. Within the IPSec architecture, the packet format for algorithms and general issues associated with authentication. See SA. ARP: Address Resolution Protocol. A low level protocol within the TCP/IP suite that maps IP addresses to the corresponding Ethernet addresses. ASN.1: Abstract Syntax Notation (1).
  • Page 57 Glossary - Page 57 Glossary (cont.) PE: Provider Edge. The router that is on the provider's side of the customer-provider interface. PKI: Public Key Infrastructure. The mechanisms used both to allow a recipient of a signed message to trust the signature and to allow a sender to find the encryption key for a recipient. PPP: Point-to-Point Protocol.
  • Page 58 Avaya Inc. All other trademarks are the property of their respective owners. This document contains proprietary information of Avaya and is not to be disclosed or used except in accordance with applicable agreements. Any comments or suggestions regarding this document should be sent to "wgctechpubs@avaya.com".
