Configuring IPSec VPN

● Per-interface security policy with bypass capability
● IPsec is integrated into the router and can be used with other features such as GRE
  tunneling
● Random pre-shared key generation service
● Load balancing and resiliency achievable through integration with core routing features
  such as backup interfaces and GRE

G250/G350 R3.0 VPN capabilities

R3.0 VPN supports the following, in addition to the R2.2 capabilities:

● Dynamic local peer IP address support through IKE aggressive mode and self-identity
  FQDN

  Note:
  The G250/G350 can acquire a dynamic IP address through PPPoE or DHCP. Aggressive
  mode sends the identity in the clear and lets an eavesdropper attack a pre-shared key
  offline, so pair it with a long random key (for example one produced by the random
  pre-shared key generation service).

● Enhanced remote peer failover support:
  - Specifying a hostname rather than an IP address for the remote peer, thus allowing a
    DNS server to implement a resiliency scheme when providing the IP address mapping.
  - Specifying a group of redundant remote peers rather than a single peer.
  - Support for a standards-based method called "Dead Peer Detection", or DPD for short,
    which enables fast and efficient detection of connection failure at the IKE level.
  - Detection of a dead remote peer through object tracking. For information about object
    tracking, see Object tracking on page 256.
● NAT Traversal. The G250/G350 supports both the IETF NAT-T methods and the standard
  method, as well as Avaya's proprietary method.
● Stronger encryption algorithms: AES with a 192-bit key and AES with a 256-bit key.
● Support of stronger Diffie-Hellman groups in IKE phase 1: groups 5 and 14.
● Support of additional Perfect Forward Secrecy (PFS) groups: 5 and 14.
● Transport mode ESP encapsulation, intended for GRE over VPN.
● IP Payload Compression (IPPCP) with LZS support.
● Continuous IKE SA and continuous IPSec SA. In this mode, SAs are negotiated as soon
  as possible, even if no traffic is traversing the connection.
● Configuration MIB, Monitoring MIB, and Traps, as described in avaya-ipsec-mib.my
  (OID 1.3.6.1.4.1.6889.2.6.1.1).

448 Administration for the Avaya G250 and Avaya G350 Media Gateways
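The remote peer failover bullets above describe Dead Peer Detection (RFC 3706) combined with a group of redundant peers. The following is an added example, not code from the Avaya guide or the gateway firmware: a DPD monitor that only probes after an idle period, requires the R-U-THERE-ACK to echo the exact outstanding sequence number (so a replayed ACK cannot fake liveness), and a failover routine that walks the peer group until one proves alive. The peer addresses, the probe() transport callback and the timer values are assumptions for illustration.

```python
"""Dead Peer Detection (DPD, RFC 3706) driving failover across a group of
redundant remote peers. Added illustration, not Avaya's implementation; the
peer addresses, the probe() transport callback and the timers are assumed."""
import os
import time


class DpdMonitor:
    """Tracks liveness of one IKE peer with R-U-THERE / R-U-THERE-ACK probes."""

    def __init__(self, peer, probe, idle=10.0, retries=3, clock=time.monotonic):
        self.peer = peer
        self.probe = probe          # probe(peer, seq) -> acked seq, or None on timeout
        self.idle = idle            # seconds without traffic before a probe is worth sending
        self.retries = retries      # unanswered probes before the peer is declared dead
        self.clock = clock
        # RFC 3706: sequence numbers start at a random value and increase
        # monotonically, so an ACK replayed from an old exchange cannot match.
        self.seq = int.from_bytes(os.urandom(4), "big") & 0x7FFFFFFF
        self.last_seen = clock()
        self.failures = 0

    def note_traffic(self):
        """Any protected traffic from the peer is proof of liveness."""
        self.last_seen = self.clock()
        self.failures = 0

    def check(self):
        """Return 'alive', 'suspect' or 'dead'. Probes only after the idle period."""
        if self.clock() - self.last_seen < self.idle:
            return "alive"          # recent traffic: no probe needed
        seq = self.seq
        self.seq = (self.seq + 1) & 0xFFFFFFFF
        ack = self.probe(self.peer, seq)
        if ack == seq:              # must echo exactly the outstanding sequence number
            self.note_traffic()
            return "alive"
        self.failures += 1
        return "dead" if self.failures >= self.retries else "suspect"


def select_live_peer(peer_group, probe, retries=3, clock=time.monotonic):
    """Failover: walk an ordered group of redundant peers (for example the
    addresses a DNS name resolves to) and return the first that proves alive,
    together with its monitor. Returns (None, None) if every peer is dead."""
    for peer in peer_group:
        mon = DpdMonitor(peer, probe, idle=0.0, retries=retries, clock=clock)
        while True:
            state = mon.check()
            if state == "alive":
                return peer, mon
            if state == "dead":
                break
    return None, None


def demo_probe(peer, seq):
    """Constructed stand-in for the UDP/500 transport: .10 never answers,
    .30 answers with a stale (replayed) sequence number, .20 answers correctly."""
    if peer == "198.51.100.10":
        return None
    if peer == "198.51.100.30":
        return seq - 1
    return seq


if __name__ == "__main__":
    group = ["198.51.100.10", "198.51.100.30", "198.51.100.20"]
    peer, mon = select_live_peer(group, demo_probe)
    print("active peer after failover:", peer)
```

A real implementation would run check() from a timer on the IKE SA and, on "dead", tear down the IKE and IPsec SAs before re-negotiating with the next peer; the object-tracking method the guide mentions can feed the same state machine from a different liveness source.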
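The NAT Traversal bullet above lists the IETF NAT-T method; the core of that method is the NAT-D payload of RFC 3947, a hash of the IKE cookies plus an address and port that lets each side discover whether a NAT rewrote either endpoint. The following is an added example, not Avaya code: it builds the payloads a sender emits (first the peer's destination address, then its own) and shows how the receiver compares them with the addresses it actually observes to decide whether to float to UDP/4500 with UDP-encapsulated ESP. The cookies, addresses and the use of SHA-1 as the negotiated Phase 1 hash are assumptions.

```python
"""NAT discovery as in IETF NAT-T (RFC 3947 NAT-D payloads). Added
illustration, not Avaya's implementation; the cookies, addresses and the
choice of SHA-1 as the negotiated Phase 1 hash are assumed."""
import hashlib
import socket
import struct


def nat_d(cky_i, cky_r, ip, port):
    """NAT-D hash: HASH(CKY-I | CKY-R | IP | Port), IP in network byte order,
    port as a 2-byte big-endian value. SHA-1 stands in for the negotiated hash."""
    data = cky_i + cky_r + socket.inet_aton(ip) + struct.pack("!H", port)
    return hashlib.sha1(data).digest()


def build_nat_d_payloads(cky_i, cky_r, local, remote):
    """What a sender puts in its message: the first NAT-D covers the peer's
    (destination) address, the following one(s) the sender's own address(es)."""
    return [nat_d(cky_i, cky_r, *remote), nat_d(cky_i, cky_r, *local)]


def detect_nat(cky_i, cky_r, received, observed_src, observed_dst):
    """Receiver side. Compare the hashes the peer sent against hashes of the
    addresses actually observed on the wire. A mismatch means a NAT rewrote
    that address somewhere along the path."""
    i_am_natted = received[0] != nat_d(cky_i, cky_r, *observed_dst)
    peer_is_natted = nat_d(cky_i, cky_r, *observed_src) not in received[1:]
    return {
        "local_behind_nat": i_am_natted,
        "remote_behind_nat": peer_is_natted,
        # Either side behind NAT: float to UDP/4500 and use UDP-encapsulated ESP.
        "udp_encapsulation": i_am_natted or peer_is_natted,
    }


# Constructed scenario: the remote gateway sits on 192.0.2.9 behind a NAT that
# presents it as 198.51.100.7:4000; we are the un-NATed responder 203.0.113.5.
CKY_I = bytes.fromhex("0102030405060708")
CKY_R = bytes.fromhex("a1a2a3a4a5a6a7a8")


def demo():
    """Peer builds its NAT-D payloads from its private view; we check them
    against what arrived on the wire after the NAT rewrote the source."""
    peer_payloads = build_nat_d_payloads(
        CKY_I, CKY_R, local=("192.0.2.9", 500), remote=("203.0.113.5", 500))
    return detect_nat(
        CKY_I, CKY_R, peer_payloads,
        observed_src=("198.51.100.7", 4000), observed_dst=("203.0.113.5", 500))


if __name__ == "__main__":
    print(demo())
```

Because the hash binds the IKE cookies, the check is per-negotiation and an attacker cannot replay NAT-D payloads from another session; it does not by itself authenticate the peer, which still depends on the Phase 1 authentication method.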