Abstract. Avaya Solution & Interoperability Test Lab

Transcription

1 Avaya Solution & Interoperability Test Lab Configuring VPN backup for Avaya S8700 Media Servers and Avaya G600 Media Gateways Controlling Avaya G350 Media Gateways, using the Avaya Security Gateway and Cisco PIX - Issue 1.0 Abstract These Application Notes present a sample configuration of VPN backup across the Internet for a leased line using the Avaya Security Gateway and Cisco PIX for Avaya S8700 Media Servers and Avaya G600 Media Gateways in the main office controlling Avaya G350 Media Gateways in the small office. Under normal operations, a leased line is used between a main office and a small office. If the leased line is down, the VPN backup will be used automatically for communication between the main and the small office. These Application Notes focus on the VPN backup configuration. 1 of 18

2 1. Introduction The network diagram in Figure 1 shows two offices. The office labeled Main Office uses Avaya Communication Manager, Avaya S8700 Media Servers, and Avaya G600 Media Gateway. The office labeled Small Office contains an Avaya G350 Media Gateway with an Avaya S8300 Media Server, configured as a Local Survivable Processor (LSP). Under normal operation, the main office and the small office communicate through a leased line. The Cisco 3640 access router and the Avaya G350 Media Gateway with a WAN module are used for the WAN access. If the leased line is down, the Internet-based VPN tunnel between the Avaya Security Gateway 203 and the Cisco PIX 525 can be used automatically as a backup. The access to the Internet from the Avaya SG203 in the small office might be cable modem, DSL modem, etc. If the S8300 Media Server is not installed on the G350 Media Gateway, the VPN backup will allow the Avaya G350 Media Gateway to function when the leased line is down. If the VPN backup cannot provide high quality VoIP calls, it is recommended to use PSTN bypass as a last resort (not covered in these Application Notes). Avaya S8700 Media Servers Avaya G600 Media Gateway Main Office DHCP/TFTP Cisco Cat 6509 Avaya 4612 IP Telephone Avaya 6210 Analog Telephone Avaya 6402D Digital Telephone Local IP networks: S8700 Media Server: /24 IP telephones: /24 PCs: /24 Public: Private: Cisco PIX Cisco 3640 Avaya IP Softphone PC Internet VPN Leased Line Small Office Public: Private: Avaya SG203 Avaya 6402D Digital Telephone Avaya S8300 Media Server LSP with Avaya G350 Media Gateway Avaya 6210 Analog Telephone Cisco 2950 Avaya 4620 IP Tel ephone PC Avaya 4606 IP Telephone Local IP networks: G350 Media Gateway, IP telephones: /24 S8300 Media Server LSP: PCs: /24 Figure 1: VPN backup across the Internet for the Avaya VoIP infrastructure 2 of 18

3 2. Equipment and Software Validated Table 1 below shows the versions verified in these Application Notes. Equipment Software Avaya Communication Manager Avaya S8700 Media Server Avaya S8300 Media Server LSP R012x R012x Avaya G600 Media Gateway IPSI (TN2312AP) C-LAN (TN799DP) MEDPRO (TN2302AP) HW02 FW005 HW01 FW009 HW03 FW055 Avaya G350 Media Gateway Avaya IP Telephones 1.81 Avaya IP Softphones Avaya SG203 Security Gateway Cisco 3640 Access Router IOS 12.2(19) Cisco Catalyst 6509 Switch Layer 2 Layer 3 7.6(1) 12.1(16)E6 Cisco Catalyst 2950 Switch IOS 12.0 (5.3) WC (1) Cisco PIX (2) Table 1: Software Versions 3. Configurations Refer to reference [1] for detailed configurations of the Avaya VoIP components, as well as the LAN and WAN switches and routers. The OSPF routing protocol is used across the leased line while the default routes are used for the VPN backup on the Avaya G350 Media Gateway and the Cisco Catalyst Sections 3.1 to 3.4 show the VPN related configuration on the Avaya G350 Media Gateway, the Avaya SG203, the Cisco Catalyst 6509 and the Cisco PIX. Note that private IP addresses are used for the public IP addresses of the SG203 and the Cisco PIX for demonstration purposes. These IP addresses must be replaced in real scenarios Configuring Avaya G350 Media Gateways The private port of the Avaya SG203 in Figure 1 is connected to the Ethernet WAN port of the Avaya G350 Media Gateway, which is identified as FastEthernet 10/2. This interface is configured with an IP address The default gateway on the Avaya G350 Media Gateway is configured to the private IP address of the Avaya SG203, which is interface FastEthernet 10/2 ip address exit ip default-gateway low 3 of 18

4 3.2. Configuring Avaya SG Basic configurations via the console port for interfaces, static and default routes With the proper user name and password, log on to the Avaya SG203 via the console port. Configure the Avaya SG203 with the following IP parameters: Public IP: Default Gateway: Private IP: Static Route: /24 and /24 with next hop Note that and are local networks configured on the Avaya G350 Media Gateway. The following screen shows these configurations: VSU(root)[29]# config VSU(configure)[32]# interface VSU(configure interface)[34]# set public mode ipstatic ip mask gateway VSU(configure interface)[38]# set private -mode ipstatic -ip mask VSU(configure interface)[40]# config VSU(configure)[42]# route VSU(configure route)[65]# add VSU(configure route)[65]# add The following screen shows how to verify the above configuration: VSU(configure interface)[36]# show public Interface Port: public Configured as: ipstatic IP address : Mask: Mac address : 00:60:a1:00:ca:d5 Link: up Default Route : VSU(configure interface)[39]# show private Interface Port: private Configured as: ipstatic IP address : Mask: Mac address : 00:60:a1:00:ca:d4 Link: up VSU(configure route)[50]# show Routing tables Internet: Destination Gateway Flags Refs Use Mtu Interface default UGS fxp1 127/8 localhost UGRS lo0 localhost localhost UH lo0 4 of 18

5 /24 link#1 UC fxp :4:d:29:c7:b4 UHL fxp /24 link#2 UC fxp link#2 UHL fxp / UGS fxp / UGS fxp NAT and VPN configurations via the Web access Log on to the Avaya SG203 at from a PC on the /24 or /24 network with the proper username and password. To eliminate some potential problems in implementing Network Address Translation (NAT) for the VoIP protocol, do not configure NAT for VoIP traffic. Navigate to Configure Security VPN Setup. The VPN Setup window opens. Click Add The new VPN window opens (Figure 2). Provide the following information: VPN Name: PIX Secret Text: secret Local IP Groups: / / /24 The above Local IP Groups are the local networks configured on the Avaya G350 Media Gateway. Figure 2: Add New VPN 5 of 18

6 Click Next> and a new window (Figure 3) opens. Provide the following information: Zone: public Remote TEP IP: Member Remote TEPs: IP Groups for : / / / /24 The public IP address of the Cisco PIX is The IP groups for are the local IP networks configured on the Cisco Catalyst Figure 3: Add New VPN Remote End Points Configuration Click Next> and a new window for VPN remote users opens. The configuration for remote users is not discussed in these Application Notes. Click Next> to skip this window. Provide the following information (Figure 4): IKE Security: Encryption: 3DES Authentication: SHA1 Lifetime(Time-based): 1 DAYS 6 of 18

7 Liftime(Throughput): 0 GB DH Group: 2 IPSec Security: AH/ESP: ESP Perfect Forward Secrecy: NO Encryption: 3DES Authentication: HMC_SHA Compression: NONE Lifetime(Time-based): 1 DAYS Lifetime(Throughput): 0 GB Figure 4: Add New VPN IKE and IPSec Security Configuration All the VPN parameters including IKE, IPSec and Pre-shared Secret on the Avaya SG203 must match with the Cisco PIX (see Section 3.4). 7 of 18

8 3.3. Configuring Cisco 6509 The private interface of the Cisco PIX is connected to the Cisco Catalyst A separate network /24 is configured for this connection. The default gateway on the Cisco 6509 is configured to the private IP address of the Cisco PIX, which is interface Vlan103 ip address IP route The private interface is connected to port 4/14 on the Cisco Catalyst The following shows how to configure port 4/14 in VLAN 103 in the Layer 2 mode of the Cisco Catalyst The show trunk 4/14 command can be used to verify the configuration. Console> (enable) set vlan 103 4/14 VLAN Mod/Ports /14 Console> (enable) show trunk 4/14 * - indicates vtp domain mismatch # - indicates dot1q-all-tagged enabled on the port Port Mode Encapsulation Status Native vlan /14 auto negotiate not-trunking 103 Port Vlans allowed on trunk / , Port Vlans allowed and active in management domain / Port Vlans in spanning tree forwarding state and not pruned /14 8 of 18

9 3.4. Configuring Cisco PIX The following configurations use CLI on the Cisco PIX Basic Configuration The following shows the basic configurations for interfaces, static routes and default routes. Ethernet 0 is configured as a public interface with IP address while Ethernet 1 is configured as a private interface with IP address nameif ethernet0 outside security0 nameif ethernet1 inside security100 interface ethernet0 auto interface ethernet1 auto ip address outside ip address inside route outside route inside route inside route inside Access List Configuration An access list is configured on the Cisco PIX for the traffic to be encrypted to the Avaya SG203. This includes the traffic from the local networks on the private side of the Cisco PIX to the local networks on the private side of the Avaya SG203. Three local networks are configured on the Avaya SG203: /24, /24 and /24. Four local networks are configured on the Cisco PIX: /24, /24, /24 and /24. The following shows the access list configuration for the SG203-tunnel: access-list SG203-tunnel permit ip access-list SG203-tunnel permit ip access-list SG203-tunnel permit ip access-list SG203-tunnel permit ip access-list SG203-tunnel permit ip access-list SG203-tunnel permit ip access-list SG203-tunnel permit ip access-list SG203-tunnel permit ip access-list SG203-tunnel permit ip access-list SG203-tunnel permit ip access-list SG203-tunnel permit ip access-list SG203-tunnel permit ip of 18

10 To eliminate some potential problems in implementing Network Address Translation (NAT) for the VoIP protocol, access list nonattosg is configured for VoIP traffic in the following: access-list nonattosg permit ip access-list nonattosg permit ip access-list nonattosg permit ip access-list nonattosg permit ip access-list nonattosg permit ip access-list nonattosg permit ip access-list nonattosg permit ip access-list nonattosg permit ip access-list nonattosg permit ip access-list nonattosg permit ip access-list nonattosg permit ip access-list nonattosg permit ip When access list nonattosg is applied to the inside interface of the Cisco PIX, the VoIP traffic defined in this access list is not NATed. nat (inside) 0 access-list nonattosg VPN Configuration The following shows the configuration for IKE phase I attributes, which include the source interface for the VPN, pre-shared key, and ISAKMP policy. The attributes must match the configuration of the Avaya SG203 in Section isakmp enable outside isakmp key ******** address netmask isakmp identity address isakmp policy 11 authentication pre-share isakmp policy 11 encryption 3des isakmp policy 11 hash sha isakmp policy 11 group 2 isakmp policy 11 lifetime This following shows the configuration for IPSec (IKE phase 2), which must match the configuration of the Avaya SG203 in Section crypto ipsec transform-set SG203-Set esp-3des esp-sha-hmac crypto map mapforsgs 12 ipsec-isakmp crypto map mapforsgs 12 match address SG203-tunnel crypto map mapforsgs 12 set peer crypto map mapforsgs 12 set transform-set SG203-Set crypto map mapforsgs interface outside 10 of 18

11 Enter the sysopt connection permit-ipsec command to implicitly permit IPSec packets to bypass PIX Firewall Access Lists, access groups, and conduits. The command no fixup protocol h must be entered to ensure that the Avaya VoIP signaling packets can pass through the Cisco PIX without any change to their contents. sysopt connection permit-ipsec no fixup protocol h Verification Steps 4.1. IP Routing When the WAN link is up, Use the command show ip route on the Cisco Catalyst 6509 and the Avaya G350 Gateway to verify that all the traffic between the main office and the small office is routed through the WAN link using the OSPF routing protocol. The following shows the output of the show ip route command from the Layer 3 mode of the Cisco Catalyst Ensure that the default route is configured to the Cisco PIX ( ). Router#show ip route Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area * - candidate default, U - per-user static route, o - ODR P - periodic downloaded static route Gateway of last resort is to network C /24 is directly connected, Vlan47 C /24 is directly connected, Vlan46 O /24 [110/67] via , 00:04:26, Vlan102 O /24 [110/67] via , 00:04:26, Vlan102 C /24 is directly connected, Vlan102 C /24 is directly connected, Vlan103 C /24 is directly connected, Vlan87 O /24 [110/66] via , 00:04:26, Vlan102 S* /0 [1/0] via of 18

12 The following shows the output of the show ip route command from the Avaya G350 Media Gateway. Ensure that the default route is configured to the Avaya SG203 ( ). G (super)# show ip route Showing 11 rows Network Mask Interface Next-Hop Cost TTL Source FastEth 10/ n/a STAT-LO FastEth 10/ n/a LOCAL Serial 5/ n/a OSPF Serial 5/ n/a OSPF Serial 5/ n/a OSPF Serial 5/ n/a LOCAL Serial 5/ n/a LOCAL Serial 5/ n/a OSPF Serial 5/ n/a OSPF Vlan n/a LOCAL Vlan n/a LOCAL Follow the verification steps in Section 14 of Reference [1] when the WAN link is up. Disconnect or disable the WAN link. Use the command show ip route on the Cisco Catalyst 6509 and the Avaya G350 Gateways to verify that all the traffic between the main office and the small office is routed through the VPN link using their default routes. The following shows the output of the show ip route command from Layer 3 mode of the Cisco Catalyst Note that there are no OSPF routes for the networks of the small office. Router#show ip route Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area * - candidate default, U - per-user static route, o - ODR P - periodic downloaded static route Gateway of last resort is to network C /24 is directly connected, Vlan47 C /24 is directly connected, Vlan46 C /24 is directly connected, Vlan102 C /24 is directly connected, Vlan103 C /24 is directly connected, Vlan87 S* /0 [1/0] via of 18

13 The following shows the output of the show ip route command from the Avaya G350 Media Gateway. Note that there are no OSPF routes for the networks of the main office. G (super)# show ip route Showing 4 rows Network Mask Interface Next-Hop Cost TTL Source FastEth 10/ n/a STAT-LO FastEth 10/ n/a LOCAL Vlan n/a LOCAL Vlan n/a LOCAL 4.2. Avaya VoIP Connectivity Use the verification steps below to validate VoIP connectivity. Verify that the Avaya G600 and the G350 Media Gateways are registered to the Avaya S8700 Media Server. Verify that the Avaya S8300 Media Server LSP is registered to the Avaya S8700 Media Server. Verify that all the IP telephones and Softphones are registered to the C-LAN on the Avaya G600 Media Gateway. Verify that intra-office and the inter-office calls are successful If the Avaya G350 Media Gateway, or the IP telephones or Softphones are registered with the Avaya S8300 Media Server LSP, use the command reset system 4 on the SAT of the Avaya S8300 Media Server LSP to reset the Avaya S8300 Media Server. If the VPN tunnel is established successfully, the Avaya G350 Media Gateway, the IP telephones, the Softphones, and the Avaya S8300 Media Server LSP will register with the Avaya G600 Media Gateway C- LAN. 13 of 18

14 4.3. VPN Status The following shows how to check the VPN status on the Cisco PIX and the Avaya SG203. Use the command show crypto isakmp sa on the Cisco PIX to display the current IKE SA: pixfirewall# show crypto isakmp sa Total : 1 Embryonic : 0 dst src state pending created QM_IDLE 0 15 Use the command show crypto ipsec sa on the Cisco PIX to display the current IPSec status. The following shows one IPSec tunnel between /24 in the main office and /24 in the small office. pixfirewall# show crypto ipsec sa interface: outside Crypto map tag: mapforsgs, local addr local ident (addr/mask/prot/port): ( / /0/0) remote ident (addr/mask/prot/port): ( / /0/0) current_peer: PERMIT, flags={origin_is_acl,} #pkts encaps: 2242, #pkts encrypt: 2242, #pkts digest 2242 #pkts decaps: 2496, #pkts decrypt: 2496, #pkts verify 2496 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0 #send errors 0, #recv errors 0 local crypto endpt.: , remote crypto endpt.: path mtu 1500, ipsec overhead 56, media mtu 1500 current outbound spi: 62809c88 inbound esp sas: spi: 0xa2da9a9c( ) transform: esp-3des esp-sha-hmac, in use settings ={Tunnel, } slot: 0, conn id: 16, crypto map: mapforsgs sa timing: remaining key lifetime (k/sec): ( /7668) IV size: 8 bytes replay detection support: Y outbound esp sas: spi: 0x62809c88( ) transform: esp-3des esp-sha-hmac, in use settings ={Tunnel, } slot: 0, conn id: 15, crypto map: mapforsgs sa timing: remaining key lifetime (k/sec): ( /7668) IV size: 8 bytes replay detection support: Y 14 of 18

15 Log on to the Avaya SG203 at Navigate to Monitor VPNs. Click IKE SA, and then Refresh to check IKE SA status (Figure 5). Figure 5: ISAKMP SA Status on the Avaya SG of 18

16 Click IPSec SA, and then Refresh to check IPSec SA status (Figure 6). Figure 6: IPSec Status on the Avaya SG203 In order to troubleshoot VPN problems, use the debug commands debug crypto engine and debug crypto isakmp on the Cisco PIX and check the IKE log by navigating to Monitor Logs IKE Log on the Avaya SG203 Security Gateway. Refer to the related administration guide for the Cisco PIX and Avaya SG203 for detailed information on Firewall configurations. 5. Conclusion As illustrated by these Application Notes, the Avaya SG203 and Cisco PIX can be configured to establish a VPN tunnel across the Internet to back up a leased line between the main office and the small office. When the leased line is down, the VPN tunnel will be used automatically as a backup. The leased line is always used whenever it is active. This backup configuration also applies to the Avaya G700 Media Gateway with an X330 WAN module. 16 of 18

17 6. Additional References Application Notes: [1] Configuring Avaya Communication Manager for Avaya S8700 Media Servers and Avaya G600 Media Gateways Controlling Avaya G350 Media Gateways with Avaya S8300 Media Servers as Local Survivable Processors 17 of 18

18 Avaya and the Avaya Logo are trademarks of Avaya Inc. All trademarks identified by and are registered trademarks or trademarks, respectively, of Avaya Inc. All other trademarks are the property of their respective owners. The information provided in these Application Notes is subject to change without notice. The configurations, technical data, and recommendations provided in these Application Notes are believed to be accurate and dependable, but are presented without express or implied warranty. Users are responsible for their application of any products specified in these Application Notes. Please any questions or comments pertaining to these Application Notes along with the full title name and filename, located in the lower right corner, directly to the Avaya Solution & Interoperability Test Lab at 18 of 18