Interpreting Log Messages on the Contivity
Appendix A – Setting the NPK on the BayRS router
Appendix B – Adding the capi.exe file to the router image
Overview
This technical tip illustrates a sample branch office tunnel configuration between a Contivity Secure
IP Services Gateway and a BayRS router.
Sample Configuration
Setup
This sample configuration uses a Contivity 1010 running V04_85.160 code and an ARN running
15.5.0.0 code, connected as follows:
[Figure: network diagram. The CES and ARN public interfaces share 10.1.1.0/24; the CES private network is 3.1.1.0/24 and the ARN private network is 2.1.1.0/24.]
CES – code version V04_85.160, Private IP 3.1.1.2, Mgmt IP 3.1.1.254, Public IP 10.1.1.2
ARN – code version V15.5.0.0, Private IP 2.1.1.2, Public IP 10.1.1.1
TT040916 1.00 September 2004 Page: 1 of 29
Tech Tip
Contivity Secure IP Services Gateway
Configuring Branch Office Tunnel between a Contivity and a BayRS
router
Configuring ARN
1. First, both IPSec and IKE must be loaded on the public side Ethernet interface of the
ARN. Click on the corresponding Ethernet connector:
2. Click on Edit Circuit in the window that pops up:
3. In the Protocols drop down menu, select Add/Delete. Check the boxes next to IPSEC
and IKE on the Select Protocols window that appears and then click OK:
4. Click Done to exit out of the next screen that appears. Next, from the drop down menus
go to Protocols | Edit IP | IKE. Enter the Node Protection Key (NPK) configured on the
router and click OK. Note: The NPK is configured from the secure shell in the console.
5. The Edit IKE SA Destination screen will appear. Click Add:
6. This step defines the endpoint address and pre-shared key for the Branch Office
Tunnel. Configure a Name (for example, To CES), the Destination IP address of the
endpoint of the tunnel (CES public IP address), and either an ASCII or Hex Pre-shared Key.
This Pre-shared Key must match the key configured on the CES. When finished,
click Done:
7. Click Done on the Edit IKE SA Destination screen.
8. From the drop down menu go to Protocols | Edit IP | IP Security | Outbound Policies.
First we need to make a template to define the IPSec policy, so click on the Template
button, and then Create on the IPSec Policy Template Management screen:
9. Using the drop-down menus, create a policy containing Action->Protect, and
Criteria->Source & Destination IP address ranges corresponding to the Local (ARN local
network, 2.1.1.0/24 in this case) and Remote (CES local network, 3.1.1.0/24 in this case)
networks respectively. This is an example of what the template should look like when
done:
** NOTE ** It is important to include the network and broadcast addresses in the range, i.e.
x.x.x.0 and x.x.x.255 for a 24-bit subnet.
10. Click Done, and then Done again on the previous screen to return to the IPSec Outbound Policies screen.
11. Click Add Policy. Give the policy a name, make sure the correct interface and the
template just created are highlighted, and then click OK:
12. On the next screen click Automated SA, which indicates the tunnel will use IKE for the
key exchange. Click the button next to SA Destination and select the entry for the CES.
This endpoint was defined in the IKE configuration process:
13. Click the New Proposal button to set up a proposal list defining the encryption/integrity
capabilities of the CES. The CES and the ARN need to have at least one option in
common in order to establish a tunnel. For simplicity, only 3DES/MD5 is selected in this
example; however, as many selections can be checked as needed. Click Done when
finished:
14. Click the button labeled None next to Priority 1, select the proposal just created and
click OK:
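
The steps above depend on three things lining up between the two endpoints: the pre-shared key, the policy ranges (network and broadcast addresses included), and at least one shared proposal. The following is an added example, not part of the original tech tip or of any Nortel tool, that checks a pair of hand-entered settings for those mismatches; the dictionary field names, the key values, the extra proposal names and the reading of a Hex key as the hex encoding of the ASCII key's bytes are assumptions.

```python
import ipaddress

def covers_subnet(start, end, cidr):
    """True if start..end includes the subnet's network and broadcast addresses."""
    net = ipaddress.ip_network(cidr)
    return (ipaddress.ip_address(start) <= net.network_address
            and ipaddress.ip_address(end) >= net.broadcast_address)

def key_bytes(kind, value):
    # Assumption: a Hex key is the hex encoding of the bytes an ASCII key spells out.
    return bytes.fromhex(value) if kind == "hex" else value.encode("ascii")

def check_tunnel(arn, ces):
    """Return the mismatches between the ARN settings and the CES settings."""
    problems = []
    if arn["sa_destination"] != ces["public_ip"]:
        problems.append("SA destination is not the CES public IP")
    if key_bytes(*arn["psk"]) != key_bytes(*ces["psk"]):
        problems.append("pre-shared keys differ")
    if not covers_subnet(*arn["local_range"], arn["lan"]):
        problems.append("local range omits network or broadcast address")
    if not covers_subnet(*arn["remote_range"], ces["lan"]):
        problems.append("remote range omits network or broadcast address")
    if not set(arn["proposals"]) & set(ces["proposals"]):
        problems.append("no proposal in common")
    return problems

# Addresses and 3DES/MD5 come from the page; keys and other proposal names are constructed.
CES = {"public_ip": "10.1.1.2", "lan": "3.1.1.0/24",
       "psk": ("hex", "6578616d706c652d6b6579"),  # hex of "example-key"
       "proposals": ["3DES/MD5", "3DES/SHA1"]}
ARN_GOOD = {"sa_destination": "10.1.1.2", "lan": "2.1.1.0/24",
            "psk": ("ascii", "example-key"),
            "local_range": ("2.1.1.0", "2.1.1.255"),
            "remote_range": ("3.1.1.0", "3.1.1.255"),
            "proposals": ["3DES/MD5"]}
# Constructed misconfiguration: host-only local range, wrong key case, disjoint proposal.
ARN_BAD = dict(ARN_GOOD, psk=("ascii", "Example-key"),
               local_range=("2.1.1.1", "2.1.1.254"),
               proposals=["DES/MD5"])

if __name__ == "__main__":
    print("good config mismatches:", check_tunnel(ARN_GOOD, CES))
    for problem in check_tunnel(ARN_BAD, CES):
        print("mismatch:", problem)
```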