Abstract. Avaya Solution & Interoperability Test Lab

Transcription

1 Avaya Solution & Interoperability Test Lab Site-to-Site VPN Configuration between Avaya SG208 Security Gateway, Enterasys XSR-1805 Security Router, and Cisco VPN 3000 Concentrator using AES-128, Perfect Forward Secrecy and Tunnel Persistence - Issue 1.0 Abstract These Application Notes address the setup and configuration of two site-to-site VPN tunnels, one between the Avaya SG208 Security Gateway and Enterasys Networks XSR-1805 Security Router, and another between the Avaya SG208 Security Gateway and Cisco Systems VPN 3000 Concentrator. The sample network provided demonstrates the use of the Advanced Encryption Standard with 128-bit key (AES-128) in conjunction with Perfect Forward Secrecy and Tunnel Persistence. A sample configuration, along with VPN specific configuration parameters for all VPN devices, is provided to help implement this capability. 1 of 32

2 1. Introduction These Application Notes demonstrate the steps required to configure two site-to-site VPN tunnels between an Avaya SG208 Security Gateway, Enterasys Networks XSR-1805 Security Router and Cisco Systems VPN 3000 Concentrator (Figure 1). The sample network provided demonstrates the use of the Advanced Encryption Standard using a 128-bit key (AES-128) in conjunction with Perfect Forward Secrecy and Tunnel Persistence. Avaya P333R Stackable Layer 3 Switch (B) Avaya P333R Stackable Layer 3 Switch (A) 1/ / /24 1/ /24 fe1 fe2 Enterasys XSR-1805 Security Router /24 1/2 Private Cisco VPN 3000 Concentrator 1/1 Public Encrypted Tunnel / /24 WAN Encrypted Tunnel / /24 1/1 Public Private Avaya SG208 Security Gateway Avaya P333R Stackable Layer 3 Switch (C) 1/ /24 Figure 1: Sample Site-to-Site VPN Configuration Notes: Configuration of the P333R Stackable Layer 3 Switches is not addressed in these Application Notes. Please reference the documentation for these switches for instructions on interface and routing administration Advanced Encryption Standard The Advanced Encryption Standard (AES) is a Federal Information Processing Standard (FIPS) that specifies a cryptographical algorithm which may be used by the U.S. Government to protect sensitive, unclassified information. The standard uses a symmetrical block cipher that can process data blocks of 128 bits in length using any one of the three available key lengths or flavors : AES-256, AES-192 and AES-128 (demonstrated in these Application Notes) Perfect Forward Secrecy Perfect Forward Secrecy (PFS) provides additional security by implementing a Diffie-Hellman shared secret value for secret key derivation. It is advantageous because if one key is compromised on a given tunnel, all previous and subsequent keys will remain secure because they are no longer derived from previous keys. 2 of 32

3 1.3. Tunnel Persistence The Tunnel Persistence feature allows changes to be made to individual VPN tunnels without adversely affecting existing active connections. Prior to implementing this feature, any change to any VPN tunnel would cause the entire VPN configuration to be flushed and rebuilt. If Tunnel Persistence is enabled, then any configuration change made to a VPN only affects the IPSec tunnels associated with that VPN, not those of any other VPN. Note: The Tunnel Persistence feature is disabled by default on Avaya Security Gateways Connectivity Matrix Please reference Table 1, below, for all interface IP address and routing information used to validate the sample configuration in these Application Notes: Device Phy. Port PVID Binding Mode Trunk Mode IP Interface Address and Routing P333R (A) 1/1 5 Static Off /24 Default Gateway P333R (A) 1/2 6 Static Off /24 P333R (B) 1/1 50 Static Off /24 Default Gateway P333R (B) 1/2 60 Static Off /24 P333R (C) 1/1 140 Static Off /24 Default Gateway P333R (C) 1/2 150 Static Off /24 SG208 Public /24 Default Gateway SG208 Private /24 Static Route to Private Network XSR-1805 FE /24 Default Gateway XSR-1805 FE /24 Static Route to Private Network VPN 3000 Public /24 Default Gateway VPN 3000 Private /24 Static Route to Private Network Table 1: Connectivity Matrix 3 of 32

4 2. Equipment and Software Validated Please reference Table 2, below, to review the equipment and software validated for the sample configuration provided: Equipment Software Avaya P333R Stackable Layer 3 Switches v4.0 Avaya SG208 Security Gateway VPNos v4.4 Cisco Systems VPN 3000 Concentrator v3.6.7 Enterasys Networks XSR-1805 Xpedition Security Router v Table 2: Equipment and Software Validated 3. Configure Enterasys Networks XSR-1805 Security Router The following configuration steps can be used to build the configuration depicted in Figure 1. These Application Notes assume that the XSR-1805 router is provisioned with factory default settings. These steps can be generalized for most configurations. 1. Start a HyperTerminal session to the XSR-1805 via the console port. Bits per second 9600 Data bits 8 Parity None Stop bits 1 Flow control None 2. Log in using a valid login ID and password 3. Create a Master Encryption Key from the configuration mode A Master Encryption Key must be created on the XSR-1805 router prior to VPN administration. If the XSR-1805 has been configured with VPNs in the past, the existing Master Encryption Key may be used, or a new one may be generated, as shown below. XSR-1805>enable XSR-1805#configure XSR-1805(config)#crypto key master generate Sample Output: Your key is ac48 42d6 07b2 17d e000 c7dd 1ff0 f d c7df d384 Note: The Master Encryption key is used to encode locally stored information on the Enterasys XSR router. It is unrelated to IPSec encryption key lengths. 4 of 32

5 4. Configure Access Control Lists (ACLs) for protection and tunnel traffic control ACL 101 was created to restrict forwarding all but IKE, IPSec encryption, and AH authentication traffic flows on the public-facing router interface. ACLs 120 through 123 were used in conjunction with crypto maps in order to filter and encrypt interesting traffic between designated networks. These ACLs were created for demonstration purposes only. Further customization of these or other ACLs may be necessary depending on network security requirements. XSR-1805(config)#access-list 101 permit udp any any eq 500 XSR-1805(config)#access-list 101 permit esp any any XSR-1805(config)#access-list 101 permit ah any any XSR-1805(config)#access-list 120 permit ip XSR-1805(config)#access-list 121 permit ip XSR-1805(config)#access-list 122 permit ip XSR-1805(config)#access-list 123 permit ip Note: For the version of Enterasys Networks XSR software validated in these Application Notes, each individual network-to-network Security Association (SA) must have its own dedicated ACL list for interoperability with the Avaya SG208 Security Gateway. 5. Set up IKE Phase 1 security proposal The name of the IKE proposal (e.g. avaya3des) is user definable. In this sample configuration a pre-shared key was used for authenticating the tunnel. A short lifetime value of 600 seconds (or 10 minutes) was chosen solely to demonstrate re-key interoperability in a reasonably short interval. The default lifetime value of 8 hours may be preferable for performance reasons. XSR-1805(config)#crypto isakmp proposal avaya3des XSR-1805(config-isakmp)#authentication pre-share XSR-1805(config-isakmp)#lifetime 600 XSR-1805(config-isakmp)#exit Note: The configuration demonstrated in Figure 1 used several IKE proposal defaults. These defaults have been listed below for reference, as they will not appear in the startup or running configuration files. Encryption: 3DES Group: 2 Hash: SHA-1 5 of 32

6 6. Configure the IKE policy for the remote peer The IKE policy, configured below, was created to accept tunnel negotiations from any peer. The actual IKE proposal parameters that were offered to other peers, including the SG208, were defined previously in step 5. XSR-1805(config)#crypto isakmp peer XSR-1805(config-isakmp-peer)#proposal avaya3des XSR-1805(config-isakmp-peer)#exit 7. Create an IPSec Phase 2 transform-set proposal The transform-set name is user definable. In this example the name esp-aes-sha was used to identify the transform-set, because it uses AES-128 encryption (defined by esp-aes) and HMAC_SHA hashing (defined by esp-sha-hmac). Perfect Forward Secrecy (PFS) was enabled using Diffie-Hellman (DH) Group 2, and an arbitrary SA lifetime value of seconds (maximum supported by SG208) was selected. XSR-1805(config)#crypto ipsec transform-set esp-aes-sha esp-aes esp-shahmac XSR-1805(cfg-crypto-tran)#set pfs group2 XSR-1805(cfg-crypto-tran)#set security-association lifetime seconds XSR-1805(cfg-crypto-tran)#exit Note: The Avaya SG208 Security Gateway requires that the DH Groups used in Phase 1 and Phase 2 PFS match. 8. Configure a crypto map list for all ACLs being used to protect interesting traffic Crypto maps classify packets to be protected based on Access Control List (ACL) matches for interesting traffic. Each crypto map list entry specifies the peer with which to negotiate specific IP Security proposals. An ACL match must be met to encrypt and forward interesting traffic flows to the peer. The name of the crypto map is user definable. Each ACL protecting interesting traffic must have its own list entry. In this example, there are four map entries required to protect traffic between all four private networks, two protected by the Enterasys XSR-1805 router, and two protected by the Avaya SG208 Security Gateway. XSR-1805(config)#crypto map avayaaes 1 XSR-1805(config-crypto-m)#set transform-set esp-aes-sha XSR-1805(config-crypto-m)#match address 120 XSR-1805(config-crypto-m)#set peer XSR-1805(config-crypto-m)#exit XSR-1805(config)#crypto map avayaaes 2 XSR-1805(config-crypto-m)#set transform-set esp-aes-sha XSR-1805(config-crypto-m)#match address 121 XSR-1805(config-crypto-m)#set peer XSR-1805(config-crypto-m)#exit XSR-1805(config)#crypto map avayaaes 3 6 of 32

7 XSR-1805(config-crypto-m)#set transform-set esp-aes-sha XSR-1805(config-crypto-m)#match address 122 XSR-1805(config-crypto-m)#set peer XSR-1805(config-crypto-m)#exit XSR-1805(config)#crypto map avayaaes 4 XSR-1805(config-crypto-m)#set transform-set esp-aes-sha XSR-1805(config-crypto-m)#match address 123 XSR-1805(config-crypto-m)#set peer XSR-1805(config-crypto-m)#exit 9. Configure router interfaces and assign crypto maps to the public facing interface Configure router interfaces and assign a crypto map list to the routers Tunnel Endpoint (TEP) interface. In addition, configure an ACL to only permit IKE, IPSec and AH traffic types on the TEP interface. XSR-1805(config)#interface FastEthernet 1 XSR-1805(config-if<F1>)#description private side XSR-1805(config-if<F1>)#ip address XSR-1805(config-if<F1>)#no shutdown XSR-1805(config-if<F1>)#exit XSR-1805(config)#interface FastEthernet 2 XSR-1805(config-if<F2>)#description public side XSR-1805(config-if<F2>)#ip address XSR-1805(config-if<F2>)#crypto map avayaaes XSR-1805(config-if<F2>)#ip access-group 101 in XSR-1805(config-if<F2>)#ip access-group 101 out XSR-1805(config-if<F2>)#no shutdown XSR-1805(config-if<F2>)#exit 10. Configure the pre-shared secret key Configured the pre-shared secret key. Pre-shared keys used by peer-to-peer tunnels were configured using the Authentication, Authorization and Accounting (AAA) user commands. The user name is designated as the IP address of the peer and the password contains the pre-shared secret key. XSR-1805(config)#aaa user XSR-1805(aaa-user)#password MySeCrEtKeY XSR-1805(aaa-user)#exit Note: The AAA user and password used for the pre-shared secret key do not appear in the startup or running configuration files. 11. Configure the default route and static route to the protected networks Configure default route and static routes to private networks. XSR-1805(config)#ip route XSR-1805(config)#ip route of 32

8 12. Exit the configuration mode and save changes 4. Configure Avaya SG208 Security Gateway This section describes the configuration of Avaya SG208 Security Gateway Firewall, Static Route and VPN security parameters only. Basic public and private interface administration is not covered. Please reference the SG208 system documentation for details on interface administration. 1. Establish HTTP connection to Security Gateway private interface 2. Log in using a valid login ID and password 3. Verify media interfaces and default gateway Navigate to Inspect Interfaces; the Interfaces window appears (Figure 2). Verify the interface IP addresses, and use the horizontal slide bar to verify the default route. Figure 2: Interfaces Window The following interface parameters were used in the sample configuration provided: Media Int. Zone IP Config IP Address Mask Default Route ethernet0 private static ethernet1 public static of 32

9 4. Enable the Firewall Navigate to Configure Security Firewall Rules Setup Predefined Rules (Figure 3). Figure 3: Firewall Rules Setup window The Predefined Firewall Rules window appears (Figure 4). Click Apply to enable the High predefined rules for all configured zones. Figure 4: Predefined Firewall Rules Window 9 of 32

10 Click Save upon being returned to the Firewall Rules Setup window (Figure 5). Figure 5: Firewall Rules Setup Window The Confirmation window appears (Figure 6). Click OK to confirm the save. Figure 6: Confirmation Window 10 of 32

11 5. Add static routes to private networks Navigate to Configure Network Static Routes Add (Figure 7). Figure 7: Static Routes Window The Add Static Routes window appears (Figure 8). Enter the following: Next Hop: IP Address: Network Mask: Click Add Click OK Figure 8: Add Static Routes Window 11 of 32

12 Click Save upon being returned to the Static Routes window (Figure 9). Figure 9: Static Routes Window The Confirmation window appears (Figure 10). Click OK to confirm the save. Figure 10: Confirmation Window 12 of 32

13 6. Enable VPN Tunnel Persistence Navigate to Configure Security VPN Setup Tunnel Persistence (Figure 11). Figure 11: VPN Setup Window The VPN Tunnel Persistence window appears (Figure 12). Enter the following: Select Maintain VPN Tunnels on Device Update Click Save Figure 12: VPN Tunnel Persistence 13 of 32

14 7. Add New Virtual Private Network (VPN) to Enterasys Navigate to Configure Security VPN Setup Add (Figure not shown for brevity). The Add New VPN (Page 1 of 4) window appears (Figure 13). Enter the following: VPN Name - VPN Name: Enterasys_XSR1805 Authentication - Secret Key: MySeCrEtKeY Local IP Groups - IP Address: Mask: Click Add IP Address Mask: Click Add again Click Next > This sequence adds each network protected by the SG 208 to the VPN Figure 13: Add New VPN (Page 1 of 4) Window 14 of 32

15 The Add New VPN (Page 2 of 4) window appears (Figure 14). Enter the following: Remote TEP IP: Click Add in the middle of the window IP Address: This sequence adds Mask: each network Click Add on the right side of the window protected by the IP Address: Enterasys XSR-1805 Mask: to the VPN Click Add on the right side of the window again Click Next > Add New VPN (Page 3 of 4) window appears. Figure not shown for brevity. Click Next > Figure 14: Add New VPN (Page 2 of 4) Window 15 of 32

16 The Add New VPN (Page 4 of 4) window appears (Figure 15). Enter the following: Note: Modify the highlighted parameters only, leaving remaining defaults untouched. IKE Security - Time-based Lifetime: 600 Time-based Lifetime Increment (select): SEC DH Group (select): 2 IPSec Security - Encryption (select): AES-128 Compression (select): NONE Perfect Forward Secrecy (select): YES DH Group (select): 2 Time-based Lifetime: Time-based Lifetime Increment (select): SEC Click Add Click Finish Figure 15: Add New VPN (Page 4 of 4) Window 16 of 32

17 8. Add New VPN to Cisco Repeat Step 7 using the following information: Add New VPN (Page 1 of 4) VPN Name - VPN Name: Cisco_VPNConcentrator Authentication - Secret Key: mysecretkey Local IP Groups - IP Address: Mask: IP Address Mask: Add New VPN (Page 2 of 4) Remote Tunnel Endpoints (TEP) - Remote TEP IP: Remote IP Groups - IP Address: Mask: IP Address: Mask: Add New VPN (Page 4 of 4) IKE Security - Time-based Lifetime: 600 Time-based Lifetime Increment (select): SEC DH Group (select): 5 IPSec Security - Encryption (select): AES-128 Compression (select): NONE Perfect Forward Secrecy (select): YES DH Group (select): 5 Time-based Lifetime: Time-based Lifetime Increment (select): SEC Note: The decision to show Diffie-Hellman (DH) Group 2 between Avaya and Enterasys and DH group 5 between Avaya and Cisco was arbitrary. The purpose was to convey AES-128 interoperability using any DH group. Either group may be used with either vendor. 17 of 32

18 5. Configure Cisco VPN 3000 Concentrator The following steps assume that the Cisco VPN 3000 Concentrator has its Private and Public IP addresses and a default gateway assigned. All other parameters are configured with factory defaults. Please reference Cisco Systems documentation for steps on configuring interfaces and default gateways. 1. Establish HTTP connection to VPN 3000 Concentrator private interface 2. Log in using a valid login ID and password 3. Verify media interfaces and default gateway Navigate to Configuration Interfaces; the Interfaces window appears (Figure 16). Verify the interface IP addresses and default gateway. Figure 16: Interfaces Window 18 of 32

19 4. Add static routes to private networks Navigate to Configuration System IP Routing Static Routes Add; the Add Static Route window appears (Figure 17). Enter the following: Network Address: Subnet Mask: Metric: 1 Router Address: Click Apply Figure 17: Add Static Route Window 19 of 32

20 5. Create new IKE proposal Navigate to Configuration System Tunneling Protocols IPSec IKE Proposals Add; the IKE Proposal window appears (Figure 18). Enter the following: Proposal Name: pre-3des-sha-g5-10min Authentication Method (default): Preshared Keys Authentication Method: SHA/HMAC-160 Encryption Algorithm (default): 3DES-168 Diffie-Hellman Group: Group 5 (1536-bits) Lifetime Measurements (default): Time Time Lifetime (seconds): 600 Click Add Figure 18: IKE Proposal Window Note: The lifetime of 600 seconds (10 minutes) was chosen solely to observe rekey interoperability in a reasonably short duration. The default value of seconds (24 hours) may be preferable for performance reasons. 20 of 32

21 6. Activate the new IKE proposal Navigate to Configuration System Tunneling Protocols IPSec IKE Proposals Add; the Activate IKE Proposal window appears (Figure 19). Perform the following: Select pre-3des-sha-g5-10min from the Inactive Proposals list Click << Activate Figure 19: Activate IKE Proposal Window 21 of 32

22 7. Create network lists for the local and remote protected networks Navigate to Configuration Policy Management Traffic Management Network Lists Add; the Network List window appears (Figure 20). Enter the following: List Name: Concentrator Networks Network List: / <Enter>, / <Enter> Click Apply Figure 20: Network List Window 22 of 32

23 Navigate to Configuration Policy Management Traffic Management Network Lists Add; the Network List window appears (Figure 21). Enter the following: List Name: SG208 Networks Network List: / <Enter>, / <Enter> Click Apply 8. Add a new LAN-to-LAN tunnel Figure 21: Network List Window Navigate to Configuration System Tunneling Protocols IPSec LAN-to-LAN Add; the LAN-to-LAN Tunnel window appears (Figure 22). Enter the following: Name: SG208 Interface (default): Ethernet 2 (Public) ( ) Peer: Preshared Key: mysecretkey Authentication: ESP/SHA/HMAC-160 Encryption: AES-128 IKE Proposal: pre-3des-sha-g5-10min Select Concentrator Networks from the Local Network List drop-down. Select SG208 Networks from the Remote Network List drop-down. Click Apply 23 of 32

24 Figure 22: LAN-to-LAN Tunnel Window 24 of 32

25 9. Make final modifications to Security Association (SA) parameters Navigate to Configuration Policy Management Traffic Management Security Associations. Select L2L:SG208, click Modify; the Security Associations window appears (Figure 23). Enter the following: Perfect Forward Secrecy (select): Group 5 (1536-bits) Time Lifetime (seconds): Click Apply Figure 23: Security Associations Window Note: The lifetime of seconds was chosen because it matches the maximum value allowed in seconds on the Avaya SG208 Security Gateway. 25 of 32

26 6. Verification Steps The following steps can be used to validate the configuration. In order to verify that a VPN tunnel is configured correctly, one of the devices must initiate security negotiations. For the purposes of these Application Notes, two PCs were used to initiate the tunnel using constant ICMP request messages. The side that begins sending ICMP request messages first will initiate the tunnel as well. The following verification steps assume that ICMP request messages are being sent between all protected networks using PCs as targets. Note: Target PCs are not shown in the sample configuration diagram for brevity SG208 Security Gateway The following steps can be helpful in verifying security negotiations on the Avaya SG208 Security Gateway. The steps assume that actual SAs have been successfully negotiated. 1. Verify that Phase 1 negotiations have completed successfully Navigate to Monitor VPNs IKE SA; the IKE SA window appears (Figure 24). Verify that the SG has initiated or responded to phase 1 negotiation, with a particular remote peer, and the condition is Alive. Figure 24: IKE SA Window Note: Only the IKE SA between Avaya and Cisco is shown in Figure 24 above. If both tunnels were active, at the time that this image was captured, a second IKE SA would appear for the siteto-site tunnel between Avaya and Enterasys Tunnel End Points (TEPs). 26 of 32

27 2. Verify that Phase 2 negotiations have completed successfully Navigate to Monitor VPNs IPSec SA; the IPSec SA window appears (Figure 25). Verify that the SG has initiated or responded to phase 2 negotiations, with all expected remote TEPs, and the State for each SA is ALIVE. Figure 25: IPSec SA Window 6.2. XSR-1805 Security Router The following Command Line Interface (CLI) commands are helpful in verifying security negotiations on the Enterasys Networks XSR-1805 Security Router. The steps depicting actual SAs negotiated assume that interesting traffic has already initiated the tunnel. 1. Verify that ISAKMP proposal parameters are defined correctly XSR1805#show crypto isakmp proposal Name Authentication Encrypt Integrity Group Lifetime *ez-ike-3des-sha-psk PreSharedKeys 3DES HMAC-SHA Modp *ez-ike-3des-md5-psk PreSharedKeys 3DES HMAC-MD5 Modp *ez-ike-3des-sha-rsa RSASignature 3DES HMAC-SHA Modp *ez-ike-3des-md5-rsa RSASignature 3DES HMAC-MD5 Modp avaya3des PreSharedKeys 3DES HMAC-SHA Modp Verify that the avaya3des proposal was successfully created and is being offered XSR1805#show crypto isakmp peer Applicable Subnet Exch-Mode Config-Mode NAT User ID Proposals /0 Main Disabled Off avaya3des 27 of 32

28 3. Verify that the pre-shared key AAA user is defined for the peer XSR-1805#show aaa user AAA User Stats : User name: Group name: DEFAULT IP address: Mask: Access Policy: Privilege Level: 0 4. Verify that Phase 1 negotiations have completed successfully with remote peer XSR1805#show crypto isakmp sa Connection-ID State Source Destination Lifetime QM_IDLE Verify that the correct transform-set exists XSR1805#show crypto ipsec transform-set esp-aes-sha Name PFS ESP ESP-AH AH IPCOMP esp-aes-sha Modp1024 AES HMAC-SHA None None 6. Verify that the transform-set is mapped to all ACLs responsible for interesting traffic XSR1805# show crypto map Crypto Map Table Name Policy rule list ezipsec avaya avaya.1;avaya.2;avaya.3;avaya.4 IPSec Policy Rule Table Name ACL Disp Mode Bundle Gateway Proposals avaya Process Tunnel SPD esp-aes-sha avaya Process Tunnel SPD esp-aes-sha avaya Process Tunnel SPD esp-aes-sha avaya Process Tunnel SPD esp-aes-sha 28 of 32

29 7. Verify that Phase 2 negotiations have completed successfully and SAs have been formed XSR1805# show crypto ipsec sa /24, ANY, 0 ==> /24, ANY, 0 : 3038 packets ESP: SPI=92f4fb6d, Transform=AES/HMAC-SHA, Life=557S/0KB /24, ANY, 0 ==> /24, ANY, 0 : 3038 packets ESP: SPI=5a9f72d2, Transform=AES/HMAC-SHA, Life=557S/0KB /24, ANY, 0 ==> /24, ANY, 0 : 3038 packets ESP: SPI=2957ce2f, Transform=AES/HMAC-SHA, Life=556S/0KB /24, ANY, 0 ==> /24, ANY, 0 : 3038 packets ESP: SPI=164dcfbd, Transform=AES/HMAC-SHA, Life=556S/0KB 6.3. VPN 3000 Concentrator The VPN 3000 Concentrator Filterable Event Log is a useful tool for verifying the successful negotiation of Phase 1 and 2 Security Associations (SAs). Navigate to Monitoring Filterable Event Log; a new window appears (Figure 26). Use the CTRL key to select IKE, IKEDBG, IKEDECODE, IPSEC, IPSECDBG and PSECDECODE from the Event Class drop-down list. Select ALL from the Severities drop-down list. Click Get Log after attempting to initialize the VPN tunnel. Figure 26: Filterable Event Log Window 29 of 32

30 The following highlighted messages are excerpts of the log output from a successful tunnel establishment: Note: The sample log output shows the SG208 acting as initiator and the VPN 3000 Concentrator acting as responder. Log messages will vary depending on the configuration. ** Blue text = Authors comments ** 4 02/02/ :09: SEV=4 IKE/119 RPT= PHASE 1 COMPLETED ** Phase 1 SA negotiated successfully ** 5 02/02/ :09: SEV=4 AUTH/22 RPT=2 User connected 6 02/02/ :09: SEV=5 IKE/35 RPT= Received remote IP Proxy Subnet data in ID Payload: Address , Mask , Protocol 0, Port /02/ :09: SEV=5 IKE/34 RPT= Received local IP Proxy Subnet data in ID Payload: Address , Mask , Protocol 0, Port /02/ :09: SEV=5 IKE/66 RPT= IKE Remote Peer configured for SA: L2L: SG /02/ :09: SEV=4 IKE/49 RPT= Security negotiation complete for LAN-to-LAN Group ( ) Responder, Inbound SPI = 0x1ba793bf, Outbound SPI = 0x055429a /02/ :09: SEV=4 IKE/120 RPT= PHASE 2 COMPLETED (msgid=52dcc1da) ** 1 st Phase 2 SA pair negotiated ** 17 02/02/ :09: SEV=5 IKE/35 RPT= Received remote IP Proxy Subnet data in ID Payload: Address , Mask , Protocol 0, Port /02/ :09: SEV=5 IKE/34 RPT= Received local IP Proxy Subnet data in ID Payload: Address , Mask , Protocol 0, Port /02/ :09: SEV=5 IKE/66 RPT= IKE Remote Peer configured for SA: L2L: SG /02/ :09: SEV=4 IKE/49 RPT= Security negotiation complete for LAN-to-LAN Group ( ) Responder, Inbound SPI = 0x71e3401e, Outbound SPI = 0x6ca3bdf /02/ :09: SEV=4 IKE/120 RPT= of 32

31 PHASE 2 COMPLETED (msgid=9229b9d1) ** 2 nd Phase 2 SA pair negotiated ** 28 02/02/ :10: SEV=5 IKE/35 RPT= Received remote IP Proxy Subnet data in ID Payload: Address , Mask , Protocol 0, Port /02/ :10: SEV=5 IKE/34 RPT= Received local IP Proxy Subnet data in ID Payload: Address , Mask , Protocol 0, Port /02/ :10: SEV=5 IKE/66 RPT= IKE Remote Peer configured for SA: L2L: SG /02/ :10: SEV=4 IKE/49 RPT= Security negotiation complete for LAN-to-LAN Group ( ) Responder, Inbound SPI = 0x1ea0086c, Outbound SPI = 0x c 38 02/02/ :10: SEV=4 IKE/120 RPT= PHASE 2 COMPLETED (msgid=ef58958b) ** 3 rd Phase 2 SA pair negotiated ** 39 02/02/ :10: SEV=5 IKE/35 RPT= Received remote IP Proxy Subnet data in ID Payload: Address , Mask , Protocol 0, Port /02/ :10: SEV=5 IKE/34 RPT= Received local IP Proxy Subnet data in ID Payload: Address , Mask , Protocol 0, Port /02/ :10: SEV=5 IKE/66 RPT= IKE Remote Peer configured for SA: L2L: SG /02/ :10: SEV=4 IKE/49 RPT= Security negotiation complete for LAN-to-LAN Group ( ) Responder, Inbound SPI = 0x , Outbound SPI = 0x5adc64a /02/ :10: SEV=4 IKE/120 RPT= PHASE 2 COMPLETED (msgid=a209b376) ** 4 th Phase 2 SA pair negotiated ** 7. Conclusion Site-to-Site VPN connectivity between the Avaya SG208 Security Gateway, Enterasys Networks XSR-1805 Security Router and Cisco Systems VPN 3000 Concentrator using AES-128 encryption with Perfect Forward Secrecy (PFS) can be achieved using the guidelines demonstrated in these Application Notes. The steps described in these Application Notes can be generalized for most configurations. 31 of 32

32 Avaya and the Avaya Logo are trademarks of Avaya Inc. All trademarks identified by and are registered trademarks or trademarks, respectively, of Avaya Inc. All other trademarks are the property of their respective owners. The information provided in these Application Notes is subject to change without notice. The configurations, technical data, and recommendations provided in these Application Notes are believed to be accurate and dependable, but are presented without express or implied warranty. Users are responsible for their application of any products specified in these Application Notes. Please any questions or comments pertaining to these Application Notes along with the full title name and filename, located in the lower right corner, directly to the Avaya Solution & Interoperability Test Lab at 32 of 32