User Guide

BSGX4e Business Gateway User Guide 175
Release 01.01 NN47928-102
VPN Configuration
Setting up a VPN requires that you configure both IKE and IPSec.
Packets are encrypted and decrypted by a hardware assist engine allowing both VoIP
and data traffic to be securely conveyed through IP networks.
Example
This example shows how to deploy a VPN to secure VoIP and data traffic with a Cisco
3845 router. Plain routing is implemented.
Analyze
The difficulty in interoperating with a Cisco router when running plain routing
through an IPSec tunnel is that the BSGX4e does not use the same source IP
address for all the traffic it forwards. Normally routed traffic, such as FTP,
TFTP, and HTTP, is forwarded with the LAN source IP addresses unchanged. Relayed
traffic, such as SIP, TFTP, SNTP, and DNS, is forwarded with the IP address assigned to
the VPN interface as the source IP address.
IPSec does not work in exactly the same way on the BSGX4e and on a Cisco router:

The IPSec policies (ipsec policy) configured on the BSGX4e are not used at all for
encryption or decryption; no policy checking is done. Encryption is based on the routing
table only (in other words, a packet is encrypted if it must be sent over a VPN
interface). Decryption is based on the interface on which the ESP packets are
received (in other words, a packet is decrypted if it is received on a VPN interface).

The IPSec policies (access-list or crypto map) configured on a Cisco router are
used to check both encryption and decryption. Encryption is based on these policies (you
cannot encrypt traffic that does not match them). Decryption is also based on
these policies (decrypted traffic that does not match them is discarded).
There is only one IPSec policy per tunnel, so this one policy must match both traffic
types (plain routed traffic and relayed traffic) exchanged between the BSGX4e and
the Cisco router. Another solution is to set up two tunnels, one for the plain routed
traffic and one for the relayed traffic (note that the same applies to NATed
traffic).
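To make the asymmetry concrete, here is a small Python model, added here and not taken from the guide or from any Nortel or Cisco software, of both sides' decisions: the BSGX4e rewrites the source of relayed protocols to the VPN interface IP and encrypts purely on the routing table, while the Cisco router checks the decrypted inner packet against its crypto access-list. All addresses, the relayed-protocol set and the ACL entries are constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass, replace

# Protocols the guide says the BSGX4e relays (source becomes the VPN interface IP).
RELAYED = {"sip", "tftp", "sntp", "dns"}

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str

def bsgx4e_forward(pkt, vpn_routes, vpn_if_ip):
    """BSGX4e side: relayed traffic gets the VPN interface IP as source; the packet
    is encrypted only because its destination routes over the VPN interface."""
    if pkt.proto in RELAYED:
        pkt = replace(pkt, src=vpn_if_ip)
    dst = ipaddress.ip_address(pkt.dst)
    encrypted = any(dst in ipaddress.ip_network(r) for r in vpn_routes)
    return pkt, encrypted

def cisco_acl_permits(acl, src, dst):
    """acl: list of (local_net, remote_net) permit entries written from the Cisco side."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ipaddress.ip_network(l) and d in ipaddress.ip_network(r) for l, r in acl)

def cisco_inbound(acl, pkt):
    """Cisco side: the decrypted inner packet must match the mirrored crypto ACL
    (its source on the remote side, its destination on the local side) or it is discarded."""
    return cisco_acl_permits(acl, pkt.dst, pkt.src)

def simulate(acl, packets, vpn_routes, vpn_if_ip):
    """Return, per protocol, what happens to traffic sent from the BSGX4e LAN to the Cisco LAN."""
    result = {}
    for p in packets:
        fwd, encrypted = bsgx4e_forward(p, vpn_routes, vpn_if_ip)
        if not encrypted:
            result[p.proto] = "sent in clear"
        elif cisco_inbound(acl, fwd):
            result[p.proto] = "accepted"
        else:
            result[p.proto] = f"discarded (src {fwd.src} not in crypto ACL)"
    return result

# Constructed addresses (not from the guide): BSGX4e LAN, Cisco LAN, BSGX4e VPN interface IP.
BSG_LAN, CISCO_LAN, VPN_IF_IP = "192.0.2.0/24", "198.51.100.0/24", "10.255.0.2"
TRAFFIC = [Packet("ftp", "192.0.2.10", "198.51.100.20"), Packet("sip", "192.0.2.10", "198.51.100.20")]
SINGLE_ACL = [(CISCO_LAN, BSG_LAN)]                               # covers plain routed traffic only
COVERING_ACL = [(CISCO_LAN, BSG_LAN), (CISCO_LAN, VPN_IF_IP + "/32")]  # covers both source addresses

if __name__ == "__main__":
    for name, acl in (("LAN-only ACL", SINGLE_ACL), ("ACL covering both sources", COVERING_ACL)):
        print(name, simulate(acl, TRAFFIC, [CISCO_LAN], VPN_IF_IP))
```

With the LAN-only ACL the FTP packet is accepted but the relayed SIP packet is silently discarded on the Cisco side, which is exactly the one-tunnel failure the text describes.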
Configuration of BSGX4e using a single tunnel
1. Configuring IKE.
Configure the IKE preshared key (CA certificates are not supported).
BSG> config ike preshared 195.178.11.11 Key MyKey
IKE negotiation uses UDP port 500. Configure the firewall to allow IKE.
BSG> config security policy new From eth0 To self DPort 500 Proto udp sip 195.178.11.1
Optionally, you can configure the IKE lifetime. When the lifetime timer expires,
the IKE SA is renegotiated as a security measure.
BSG> config ike parameters LifeTime 86400 MaxLifeTime 259200