Avaya G250 Administration page 485

Media gateways

Typical installations

Configuring the mesh VPN topology

1. Configure branch office 1 as follows:

- The default gateway is the Internet interface.
- VPN policy is configured on the Internet interface egress as follows:
  - Traffic from the local subnets to the second spoke subnets -> encrypt, using tunnel mode IPSec, with the remote peer being the second spoke.
  - Traffic from the local subnets to any IP address -> encrypt, using tunnel mode IPSec, with the remote peer being the main office (VPN hub).
- An access control list (ACL) is configured on the Internet interface to allow only the VPN / ICMP traffic. See Table 62 for configuration settings.

Note: For information about using access control lists, see the chapter Configuring policy on page 531.

Table 62: Configuring the mesh VPN topology - branch 1 (1 of 2)

| Traffic direction | ACL parameter | ACL value | Description |
|---|---|---|---|
| Ingress | IKE from Main Office IP to Branch IP | Permit | - |
| Ingress | ESP from Main Office IP to Branch IP | Permit | - |
| Ingress | IKE from Second Branch IP to Branch IP | Permit | - |
| Ingress | ESP from Second Branch IP to Branch IP | Permit | - |
| Ingress | ICMP from any IP address to local tunnel endpoint | Permit | This allows PMTUD application to work. |
| Ingress | All allowed services from any IP address to any local subnet | Permit | Due to the definition of the VPN Policy, this will be allowed only if traffic comes over ESP. |
| Ingress | Default | Deny | - |
| Egress | IKE from Branch IP to Main Office IP | Permit | - |
| Egress | ESP from Branch IP to Main Office IP | Permit | - |

Issue 3 February 2007
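The ingress rows of Table 62 can be checked offline with a small model. The following is an added example, not Avaya configuration or code from the manual: it builds the ingress rule set for a branch with any number of peer spokes (a generalization of the single second spoke shown here) and evaluates constructed packets. First-match rule ordering, IKE as UDP port 500, the `from_esp` flag and all addresses are assumptions made for the illustration.

```python
import ipaddress

# Constructed sample addressing (documentation ranges), not taken from the manual.
BRANCH, HUB, SPOKE2 = "203.0.113.10", "198.51.100.1", "192.0.2.20"
LOCAL = ["10.1.1.0/24"]

def build_ingress_acl(branch_ip, hub_ip, spoke_ips, local_subnets):
    """Ingress rows of Table 62 as (traffic, source, destination, action) tuples."""
    rules = []
    for peer in [hub_ip, *spoke_ips]:              # one IKE and one ESP rule per peer
        rules.append(("ike", peer, branch_ip, "permit"))
        rules.append(("esp", peer, branch_ip, "permit"))
    rules.append(("icmp", "any", branch_ip, "permit"))   # lets PMTUD work
    for net in local_subnets:                      # allowed services to local subnets
        rules.append(("any", "any", net, "permit"))
    rules.append(("any", "any", "any", "deny"))    # default rule
    return rules

def ip_match(pattern, addr):
    """True if addr is inside pattern (a host, a CIDR block, or 'any')."""
    if pattern == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)

def classify(pkt):
    """Map a packet to the table's traffic classes; IKE is taken as UDP port 500."""
    if pkt["proto"] == "udp" and pkt.get("dport") == 500:
        return "ike"
    return pkt["proto"]

def evaluate(rules, pkt, local_subnets):
    """Assumed first-match ACL decision, then the VPN-policy condition from Table 62."""
    kind = classify(pkt)
    action = "deny"
    for proto, src, dst, verdict in rules:
        if proto in ("any", kind) and ip_match(src, pkt["src"]) and ip_match(dst, pkt["dst"]):
            action = verdict
            break
    to_local = any(ip_match(net, pkt["dst"]) for net in local_subnets)
    if action == "permit" and to_local and not pkt.get("from_esp", False):
        return "deny"      # cleartext towards a local subnet: not received over ESP
    return action

if __name__ == "__main__":
    acl = build_ingress_acl(BRANCH, HUB, [SPOKE2], LOCAL)
    for pkt in ({"proto": "esp", "src": HUB, "dst": BRANCH},
                {"proto": "esp", "src": "192.0.2.99", "dst": BRANCH},
                {"proto": "tcp", "src": "10.0.0.5", "dst": "10.1.1.20", "from_esp": True},
                {"proto": "tcp", "src": "192.0.2.99", "dst": "10.1.1.20"}):
        print(pkt, "->", evaluate(acl, pkt, LOCAL))
```

With one hub, one peer spoke and one local subnet, the generated list has the same seven ingress rows as Table 62, ending in the default Deny.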


This manual is also suitable for:

G350
