
Avaya Solution & Interoperability Test Lab

Sample Configuration for Juniper Networks Auto Connect VPN to Support an Avaya Multi-Branch Voice over IP Solution Issue 1.0

Abstract
These Application Notes describe the steps for configuring Juniper Networks ScreenOS based devices for Auto Connect VPN to support an Avaya Multi-Branch Voice over IP solution. Auto Connect VPN allows for the dynamic provisioning of VPN tunnels between spoke sites in a Hub-and-Spoke VPN architecture. This complements the traffic flow patterns of interbranch VoIP calls.

AL; Reviewed: SPOC 10/3/2008

Solution & Interoperability Test Lab Application Notes 2008 Avaya Inc. All Rights Reserved.

1 of 32 JNPR_AC-VPN

1. Introduction
These Application Notes describe a solution for configuring Juniper Networks ScreenOS based devices for Auto Connect Virtual Private Network (AC-VPN) to support a multi-branch Avaya Voice over IP (VoIP) solution. In a traditional enterprise architecture, a Hub-and-Spoke topology typically provides an efficient way for branch offices (Spokes) to access resources located at the HQ (Hub) location. With the increased use of VoIP throughout the enterprise, there is a corresponding need to carry inter-branch (inter-spoke) voice traffic for users placing calls between branches. This is where AC-VPN provides increased value over traditional Hub-and-Spoke VPN architectures. AC-VPN dynamically establishes VPN tunnels between spoke sites as needed, eliminating the need for inter-spoke traffic to pass through the Hub. For example, when a user places a call from branch-1 to branch-2, there is no need for VoIP traffic to travel from branch-1 (Spoke1) to HQ (Hub) and then to branch-2 (Spoke2). AC-VPN provides a shortcut between the two branch locations by dynamically establishing a VPN tunnel between them. This lowers latency by shortening the path VoIP traffic needs to travel, frees resources at the Hub VPN gateway by not having to relay VoIP traffic, and increases throughput by keeping unnecessary traffic off the Hub's Wide Area Network (WAN) connection. No additional equipment is needed to configure AC-VPN beyond the Juniper Networks ScreenOS based gateways already deployed as part of a Hub-and-Spoke VPN architecture. AC-VPN is a software feature available as part of Juniper Networks ScreenOS release 6.0 and above for the SSG, ISG and NS 5000 series, and functions as an enhancement to the existing Hub-and-Spoke VPN feature set.

1.1. Overview
The sample network used in these Application Notes consists of 3 locations - HQ, Branch, and Home - with the HQ location serving as the VPN Hub while the Branch and Home locations serve as VPN Spokes. Juniper Networks ScreenOS devices are deployed in each location to provide WAN connectivity, firewall, and VPN functionality. IP addresses are statically administered in order to focus on the necessary AC-VPN configuration. Each VPN spoke location supports 2 IP sub-networks, one for voice where Avaya IP Telephones are connected and the other for data where computers are connected. The AC-VPN is configured such that only inter-branch VoIP traffic generated by Avaya IP Telephones can trigger the establishment and use of the dynamic VPN tunnel. All data traffic is directed to the ISG 1000, the HQ Hub VPN gateway. This is true for all data traffic whether the destination is the Hub or another VPN spoke. Since Spoke locations in the sample network only have a simulated 10 Mbps connection to the Internet, policy based traffic shaping is enabled and configured for VoIP traffic. This preserves the quality of phone calls against competing data traffic. Through the use of policy based traffic shaping, specific bandwidth is allocated for both signaling and media traffic for Avaya VoIP calls. Local voice and data networks in each site are assigned to the Trust zone, with the VPN tunnel assigned to the VPN zone to allow for greater control in writing security policies.

2. Configuration
Figure 1 illustrates the configuration used in these Application Notes. The Routing Information Protocol (RIP) is used among the HQ, Branch, and Home locations, while the Open Shortest Path First (OSPF) routing protocol is used in the Core IP network. The Juniper Networks ISG 1000 redistributes the necessary routes between OSPF and RIP. All Juniper Networks ScreenOS devices are managed out of band via the 172.16.254.0 IP sub-network. All Avaya IP Telephones are assigned to the same IP Network Region within Avaya Communication Manager.

Figure 1: Sample Network Configuration



3. Equipment and Software Validated


The following equipment and software/firmware were used in the sample configuration:

DEVICE DESCRIPTION                                     VERSION
Avaya Communication Manager with Avaya S8500 Server    R 5.0 (R015x.00.0.825.4)
Avaya G650 Gateway
Avaya 9640G IP Telephone (H.323)                       1.5
Avaya 4621SW IP Telephone (H.323)                      1.8.3
Avaya 4625SW IP Telephone (H.323)                      1.8.3
Juniper Networks Integrated Security Gateway 1000      ScreenOS 6.1R1
Juniper Networks Security Services Gateway 20          ScreenOS 6.1R1
Juniper Networks Security Services Gateway 5           ScreenOS 6.1R1

4. Configuring Juniper Networks ScreenOS Devices


This section describes the configuration for the different ScreenOS devices shown in Figure 1. It is assumed that basic configuration has been performed to allow for IP connectivity into each of the ScreenOS devices. All steps in this section are performed using the Command Line Interface (CLI). Although not shown, these same configuration steps can also be accomplished using the WebUI. Screen captures may be shown in certain steps to facilitate clarification. The configuration required for each device is broken up into the following 3 sub-sections:

Basic configuration - Provides basic configuration steps to provision a base Hub-and-Spoke VPN architecture.

AC-VPN configuration - Provides additional steps to implement AC-VPN over the existing Hub-and-Spoke architecture.

Quality of Service (QoS) - Provides steps for configuring policy based traffic shaping for Avaya VoIP traffic.

Instead of completing the entire configuration one device at a time before verification, it may be beneficial to implement each sub-section for each of the devices in the network first and ensure it is working before moving on to the next sub-section. This will minimize complexity in verification and troubleshooting.


4.1. Configuring Juniper Network ISG 1000


This section describes the configuration for the ISG 1000 at the HQ location.

4.1.1. Base configuration


This section describes the base configuration needed to establish basic network and static VPN connectivity.

1. Log in to the ISG 1000 using the appropriate username and password.

login: username
password:*******
nsisg1000->

2. Create a new security zone called vpn.


set zone name vpn

3. Configure all the physical and logical interfaces. The sample configuration uses the out-of-band management port with an IP address of 172.16.254.106 to manage the device. This configuration is optional. ping is allowed on the Untrust interface ethernet1/3 to facilitate troubleshooting.

set interface ethernet1/1 zone Trust
set interface ethernet1/3 zone Untrust
set interface tunnel.1 zone vpn
set interface mgt ip 172.16.254.106/24
set interface ethernet1/1 ip 192.168.100.12/24
set interface ethernet1/1 nat
set interface ethernet1/3 ip 10.10.210.5/24
set interface ethernet1/3 route
set interface tunnel.1 ip 172.172.0.1/24
set interface ethernet1/1 ip manageable
set interface ethernet1/3 ip manageable
set interface ethernet1/3 manage ping

4. To facilitate referencing, the sample network defines user-friendly names to identify the different networks. Local-voice defines the IP sub-network where all Avaya IP Telephones are connected locally. all-internal-net defines the IP sub-network that encompasses the entire sample network.

set address Trust Local-voice 172.28.10.0 255.255.255.0
set address vpn all-internal-net 172.0.0.0 255.0.0.0


5. Define custom services for Avaya VoIP traffic to be used by ScreenOS security policies. The range of UDP ports used for Avaya media traffic is defined in the ip-network-region form in Avaya Communication Manager in Section 5, Step 1.

set service Avaya-Sgl-Fm-Spoke protocol udp src-port 0-65535 dst-port 1719-1719
set service Avaya-Sgl-Fm-Spoke + tcp src-port 1720-1720 dst-port 0-65535
set service Avaya-Sgl-To-Spoke protocol udp src-port 1719-1719 dst-port 0-65535
set service Avaya-Sgl-To-Spoke + tcp src-port 0-65535 dst-port 1720-1720
set service Avaya-RTP protocol udp src-port 2048-3329 dst-port 2048-3329

6. Define the VPN gateways. Two VPN gateways are defined at the ISG 1000: Branch-SSG20, which points to the Branch's SSG20, and Home-SSG5, which points to the Home's SSG5. The sample network uses a pre-shared string of 1234567890. The same pre-shared string must also be used at the Branch's SSG20 and the Home's SSG 5 in Section 4.2.1, Step 6 and Section 4.3.1, Step 6 respectively. It is advisable to use a more robust pre-shared key in a production environment.

set ike gateway Home-SSG5 address 10.10.230.6 outgoing-interface ethernet1/3 preshare 1234567890 sec-level standard
set ike gateway Branch-SSG20 address 10.10.220.6 outgoing-interface ethernet1/3 preshare 1234567890 sec-level standard

7. Configure 2 VPN tunnels, one to the Branch and the other to the Home, using the gateways defined in Step 6, and bind the VPN tunnels to the tunnel interface.

set vpn To_Home gateway Home-SSG5 no-replay tunnel idletime 0 sec-level standard
set vpn To_Home id 2 bind interface tunnel.1
set vpn To_Branch gateway Branch-SSG20 no-replay tunnel idletime 0 sec-level standard
set vpn To_Branch id 1 bind interface tunnel.1

8. Enable routing protocols and route redistribution. The ISG 1000 in the sample network uses 2 routing protocols, OSPF and RIP. OSPF is enabled on the internal Trust interface to exchange routing information within the Core IP network. RIP is enabled on the tunnel interface to exchange routing information between the VPN Hub and the Spokes. Routes learned from RIP are redistributed into the OSPF network, and routes learned from OSPF are redistributed into the RIP network. Access lists are configured to define which IP sub-networks are redistributed.

set vrouter trust-vr
set access-list 1
set access-list 1 permit ip 172.28.0.0/16 10
set access-list 1 permit ip 192.168.100.0/24 20
set access-list 2
set access-list 2 permit ip 172.220.0.0/24 20
set access-list 2 permit ip 172.221.0.0/24 21
set access-list 2 permit ip 172.230.0.0/24 30
set access-list 2 permit ip 172.231.0.0/24 31
set route-map name core-net permit 1
set match ip 1
exit
set route-map name spoke-net permit 1
set match ip 2
exit
unset add-default-route
set route 0.0.0.0/0 interface ethernet1/3 gateway 10.10.210.1 permanent
set protocol ospf
set redistribute route-map spoke-net protocol rip
exit
set protocol rip
set redistribute route-map core-net protocol ospf
set redistribute route-map core-net protocol connected
exit
exit
set interface ethernet1/1 protocol ospf area 0.0.0.0
set interface ethernet1/1 protocol ospf enable
set interface ethernet1/1 protocol ospf cost 1
set interface tunnel.1 protocol rip
set interface tunnel.1 protocol rip enable
set interface tunnel.1 protocol rip demand-circuit

9. Define the necessary policies to allow traffic to traverse between the different zones. Logging is enabled to facilitate troubleshooting and analysis.

set policy id 11 from Trust to vpn CLAN-1 Any Avaya-Sgl-To-Spoke permit log traffic priority 2 dscp value 0
set policy id 11
set src-address CLAN-2
exit
set policy id 12 from Trust to vpn Local-voice Any Avaya-RTP permit log traffic priority 2 dscp value 0
set policy id 13 from Trust to vpn Any Any ANY permit log
set policy id 14 from Trust to vpn Any Any ANY deny log
set policy id 21 from vpn to Trust all-internal-net CLAN-1 Avaya-Sgl-Fm-Spoke permit log traffic priority 2
set policy id 21
set dst-address CLAN-2
exit
set policy id 22 from vpn to Trust all-internal-net Any Avaya-RTP permit log traffic priority 2
set policy id 23 from vpn to Trust all-internal-net Any ANY permit log
set policy id 24 from vpn to Trust Any Any ANY deny log
set policy id 31 from Trust to Untrust Any Any ANY permit log
set policy id 32 from Trust to Untrust Any Any ANY deny log
set policy id 41 from Untrust to Trust Any Any ANY deny log


The screen capture below shows the order of the security policies as seen from the WebUI.

4.1.2. Configure AC-VPN on the ISG 1000


This section shows the configuration steps relevant to the AC-VPN feature.

1. Define a gateway to be used by the AC-VPN tunnel.

set ike gateway ac-vpn-hub acvpn-profile sec-level standard

2. Configure the AC-VPN tunnel. The AC-VPN tunnel in the sample network is configured to tear down automatically after 1 minute of inactivity. This parameter is configured via the idletime option. The idle time parameter is downloaded to and used by the Spoke gateways when establishing the AC-VPN tunnel.

set vpn ac-vpn acvpn-profile ac-vpn-hub replay tunnel idletime 1 sec-level standard

3. Enable and configure the Next Hop Resolution Protocol (NHRP) and bind it to the tunnel interface. VPN spoke gateways rely on NHRP to learn the IP addresses of the peer spokes, which is needed to dynamically establish the spoke-to-spoke tunnels.

set vrouter trust-vr
set protocol nhrp
set protocol nhrp acvpn-profile ac-vpn
exit
set interface tunnel.1 protocol nhrp enable
exit


4.1.3. Configure Quality of Service for Avaya VoIP traffic


1. Enable and configure policy based traffic shaping for voice traffic. As part of Section 4.1.1, Step 9, these policies should already be in place. This step amends the security policies to enable the traffic shaping option for the Avaya VoIP related policies. Although it may seem unnecessary from a security standpoint, it is absolutely essential to have corresponding policies configured in both the Trust to VPN and VPN to Trust directions with traffic shaping enabled and configured: depending on which direction VoIP traffic starts in, policies from either direction may be activated.

set policy id 11 from Trust to vpn CLAN-1 Any Avaya-Sgl-To-Spoke permit log traffic priority 2 dscp value 0
set policy id 11
set src-address CLAN-2
exit
set policy id 12 from Trust to vpn Local-voice Any Avaya-RTP permit log traffic priority 2 dscp value 0
set policy id 21 from vpn to Trust all-internal-net CLAN-1 Avaya-Sgl-Fm-Spoke permit log traffic priority 2
set policy id 21
set dst-address CLAN-2
exit
set policy id 22 from vpn to Trust all-internal-net Any Avaya-RTP permit log traffic priority 2

4.2. Configuring Juniper Network SSG 20


This section describes the configuration for the SSG 20 at the Branch location. This section is divided into 3 sub-sections to better illustrate the specific configuration pertaining to each operation of the security device.

4.2.1. Base configuration


This section describes the base configuration needed to establish basic network and static VPN connectivity.

1. Log in to the SSG 20 using the appropriate username and password.

login: username
password:*******
ssg20-wlan->

2. Create a new security zone called vpn.


set zone name vpn


3. Configure all the physical and logical interfaces. The sample configuration uses Ethernet port ethernet0/1 as the management port with an IP address of 172.16.254.111 to manage the device. This configuration is optional. ping is allowed on the external Untrust interface ethernet0/0 to facilitate troubleshooting.

unset interface bgroup0 port ethernet0/4
set interface ethernet0/0 zone Untrust
set interface ethernet0/1 zone DMZ
set interface ethernet0/4 zone Trust
set interface bgroup0 zone Trust
set interface tunnel.1 zone vpn
set interface ethernet0/0 ip 10.10.220.6/24
set interface ethernet0/0 route
set interface ethernet0/1 ip 172.16.254.111/24
set interface ethernet0/1 route
set interface ethernet0/4 ip 172.221.0.1/24
set interface ethernet0/4 nat
set interface bgroup0 ip 172.220.0.1/24
set interface bgroup0 route
set interface tunnel.1 ip 172.172.0.2/24
set interface ethernet0/0 ip manageable
set interface ethernet0/1 ip manageable
set interface ethernet0/4 ip manageable
set interface bgroup0 ip manageable
set interface ethernet0/1 manage ssh
set interface ethernet0/1 manage web
set interface ethernet0/0 manage ping

4. To facilitate referencing, the sample network defines user-friendly names to identify the different networks. Local-voice defines the IP sub-network where all Avaya IP Telephones are connected locally. Local-data defines the IP sub-network where all computer users are connected locally. all-internal-net defines the IP sub-network that encompasses the entire sample network. CLAN-1 and CLAN-2 define the IP addresses of the CLAN boards that Avaya VoIP signaling traffic communicates with.

set address Trust Local-voice 172.220.0.0 255.255.255.0
set address Trust Local-data 172.221.0.0 255.255.255.0
set address VPN all-internal-net 172.0.0.0 255.0.0.0
set address VPN CLAN-1 172.28.10.7 255.255.255.255
set address VPN CLAN-2 172.28.10.17 255.255.255.255


5. Define custom services for Avaya VoIP traffic to be used by ScreenOS security policies. The range of UDP ports used for Avaya media traffic is defined in the ip-network-region form in Avaya Communication Manager in Section 5, Step 1.

set service Avaya-Sgl-up protocol udp src-port 0-65535 dst-port 1719-1719
set service Avaya-Sgl-up + tcp src-port 1720-1720 dst-port 0-65535
set service Avaya-Sgl-dn protocol udp src-port 1719-1719 dst-port 0-65535
set service Avaya-Sgl-dn + tcp src-port 0-65535 dst-port 1720-1720
set service Avaya-RTP protocol udp src-port 2048-3329 dst-port 2048-3329

6. Define the VPN gateway. One VPN gateway, HQ-ISG1000, is defined at the SSG 20 and points to the HQ's ISG 1000. The sample network uses a pre-shared string of 1234567890. The same pre-shared string must also be used at the HQ's ISG 1000 and the Home's SSG 5 in Section 4.1.1, Step 6 and Section 4.3.1, Step 6. It is advisable to use a more robust pre-shared key in a production environment.

set ike gateway HQ-ISG1000 address 10.10.210.5 outgoing-interface ethernet0/0 preshare 1234567890 sec-level standard

7. Configure the VPN tunnel to the HQ location using the gateway defined in Step 6 and bind the VPN tunnel to the tunnel interface.

set vpn To_HQ gateway HQ-ISG1000 no-replay tunnel idletime 0 sec-level standard
set vpn To_HQ id 3 bind interface tunnel.1

8. Enable and configure the RIP routing protocol. RIP is enabled on the tunnel interface to exchange routing information between the VPN Hub and Spokes. Access lists are configured to define which IP sub-networks are learned and advertised.

set vrouter trust-vr
set protocol rip
set enable
exit
exit
set vrouter untrust-vr
exit
set vrouter trust-vr
set router-id 172.172.0.2
set access-list 1
set access-list 1 permit ip 172.220.0.0/24 10
set access-list 1 permit ip 172.172.0.0/24 20
set access-list 1 permit ip 172.221.0.0/24 30
set access-list 2
set access-list 2 permit ip 172.0.0.0/8 10
set route-map name local-net permit 1
set match ip 1
exit
set route-map name comp-net permit 2
set match ip 2
exit
unset add-default-route
set route 0.0.0.0/0 interface ethernet0/0 gateway 10.10.220.1 preference 100 permanent
set protocol rip
set redistribute route-map local-net protocol connected
set route-map comp-net in
set route-map local-net out
exit
exit
set interface tunnel.1 protocol rip
set interface tunnel.1 protocol rip enable
set interface tunnel.1 protocol rip demand-circuit

9. Define the necessary policies to allow traffic to traverse between the different zones. Logging is enabled to facilitate troubleshooting and analysis.

set policy id 11 from Trust to VPN Local-voice CLAN-1 Avaya-Sgl-up permit log
set policy id 11
set dst-address CLAN-2
exit
set policy id 12 from Trust to VPN Local-voice all-internal-net Avaya-RTP permit log
set policy id 13 from Trust to VPN Local-data all-internal-net ANY permit log
set policy id 14 from Trust to VPN Any Any ANY deny log
set policy id 21 from VPN to Trust CLAN-1 Any Avaya-Sgl-dn permit log
set policy id 21
set src-address CLAN-2
exit
set policy id 22 from VPN to Trust all-internal-net Local-voice Avaya-RTP permit log
set policy id 23 from VPN to Trust all-internal-net Local-data ANY permit log
set policy id 24 from VPN to Trust Any Any ANY deny log
set policy id 31 from Trust to Untrust Any Any ANY permit log
set policy id 32 from Trust to Untrust Any Any ANY deny log
set policy id 41 from Untrust to Trust Any Any ANY deny log


The screen capture below shows the order of the security policies as seen from the WebUI.

4.2.2. Configure AC-VPN on the SSG 20


This section shows the configuration steps relevant to the AC-VPN feature.

1. Define a gateway to be used by the AC-VPN tunnel.

set ike gateway ac-vpn-gw acvpn-dynamic local-id Branch
set ike gateway ac-vpn-gw cert peer-ca self-signed

2. Configure the AC-VPN tunnel using the ac-vpn-gw defined in Step 1.

set vpn ac-vpn acvpn-dynamic ac-vpn-gw To_HQ

4. Enable and configure the Next Hop Resolution Protocol (NHRP) and bind it to the tunnel interface. VPN spoke gateways rely on NHRP to learn the IP addresses of the peer spokes, which is needed to dynamically establish the spoke-to-spoke tunnels.

set vrouter trust-vr
set protocol nhrp
set protocol nhrp nhs 172.172.0.1
set protocol nhrp cache 172.220.0.0/24
exit
set interface tunnel.1 protocol nhrp enable
set traffic-shaping mode on


4.2.3. Configure Quality of Service for Avaya VoIP traffic


This section shows the configuration steps for QoS for Avaya VoIP traffic.

1. Define the bandwidth for the external Untrust Ethernet interface and the bandwidth allocation for the logical tunnel interface. The available bandwidth for the Ethernet connection between ethernet0/0 and the simulated Internet is 10 Mbps; therefore the sample network defines the Maximum Bandwidth (mbw) as 10000 kbps. Out of this total 10000 kbps, 8000 kbps is guaranteed for the tunnel interface with a maximum of 10000 kbps. The guaranteed 8000 kbps is shared by all incoming and outgoing voice and data traffic traversing any VPN tunnel.

set interface ethernet0/0 phy full 10mb
set interface ethernet0/0 bandwidth egress mbw 10000 ingress mbw 10000
set interface tunnel.1 bandwidth egress gbw 8000 mbw 10000 ingress mbw 8000

2. Enable and configure policy based traffic shaping for voice traffic. As part of Section 4.2.1, Step 9, these policies should already be in place. This step amends the security policies to enable the traffic shaping option for the Avaya VoIP related policies. Although it may seem unnecessary from a security standpoint, it is absolutely essential to have corresponding policies configured in both the Trust to VPN and VPN to Trust directions with traffic shaping enabled and configured: depending on which direction VoIP traffic starts in, policies from either direction may be activated. The table below shows the bandwidth allocation for the Avaya VoIP traffic used in the sample network. This allocation is for demonstration purposes only; actual bandwidth allocation should take into account the total number of simultaneous outbound calls as well as the audio codec used. The allocation shown should accommodate approximately 10 simultaneous calls using the G.711 codec.

Purpose of VoIP traffic                           Guaranteed bandwidth (gbw)   Maximum bandwidth (mbw)
Avaya VoIP registration / Avaya H.323 signaling   5 kbps                       10 kbps
Avaya VoIP media                                  1000 kbps                    1100 kbps


set policy id 11 from Trust to VPN Local-voice CLAN-1 Avaya-Sgl-up permit log traffic gbw 5 priority 2 mbw 10
set policy id 11
set dst-address CLAN-2
exit
set policy id 12 from Trust to VPN Local-voice all-internal-net Avaya-RTP permit log traffic gbw 1000 priority 2 mbw 1100
set policy id 13 from Trust to VPN Local-data all-internal-net ANY permit log
set policy id 14 from Trust to VPN Any Any ANY deny log
set policy id 21 from VPN to Trust CLAN-1 Any Avaya-Sgl-dn permit log traffic gbw 5 priority 2 mbw 10
set policy id 22 from VPN to Trust all-internal-net Local-voice Avaya-RTP permit log traffic gbw 1000 priority 2 mbw 1100
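To verify the property this step insists on (a shaped policy in each direction) and the permit-before-deny ordering the WebUI capture shows, here is an added Python checker, not Juniper or Avaya code. It parses only the "set policy" syntax used in these notes; its sample configuration is the SSG 20 policy set above plus policy 24 from Section 4.2.1, and the pairing of Avaya-Sgl-up with Avaya-Sgl-dn as reverse-direction services is an assumption read from how the page uses them.

```python
"""Check a ScreenOS policy set for two things this step calls out: every
traffic-shaped Avaya VoIP permit has a shaped counterpart in the reverse
zone direction, and no permit sits behind a deny-all for the same zone pair.
Added example, not Juniper or Avaya code; the parser understands only the
'set policy' forms used in these Application Notes. SAMPLE_CONFIG is the
SSG 20 policy set above plus policy 24 from Section 4.2.1; the two broken
variants are constructed to show what the checks report."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

POLICY_RE = re.compile(
    r"^set policy id (?P<id>\d+) from (?P<sz>\S+) to (?P<dz>\S+) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<svc>\S+) (?P<action>permit|deny)(?P<opts>.*)$")
CONTEXT_RE = re.compile(r"^set policy id (\d+)$")
# Direction pairing of the signaling services, an assumption read from how the
# page uses them; Avaya-RTP is symmetric and needs no entry.
REVERSE_SERVICE = {"Avaya-Sgl-up": "Avaya-Sgl-dn", "Avaya-Sgl-dn": "Avaya-Sgl-up"}


@dataclass
class Policy:
    id: int
    src_zone: str
    dst_zone: str
    src: str
    dst: str
    svc: str
    action: str
    gbw: Optional[int]      # set only when the policy carries 'traffic gbw N'
    extra_dst: List[str] = field(default_factory=list)  # 'set dst-address' in context mode

    @property
    def shaped(self) -> bool:
        return self.gbw is not None


def parse_policies(config: str) -> List[Policy]:
    policies: List[Policy] = []
    current: Optional[Policy] = None   # policy opened by a bare 'set policy id N'
    for raw in config.splitlines():
        line = raw.strip()
        m = POLICY_RE.match(line)
        ctx = CONTEXT_RE.match(line)
        if m:
            gbw = re.search(r"\bgbw (\d+)", m["opts"])
            policies.append(Policy(int(m["id"]), m["sz"].lower(), m["dz"].lower(),
                                   m["src"], m["dst"], m["svc"], m["action"],
                                   int(gbw[1]) if gbw else None))
        elif ctx:
            current = next((p for p in policies if p.id == int(ctx[1])), None)
        elif line == "exit":
            current = None
        elif current and line.startswith("set dst-address "):
            current.extra_dst.append(line.split()[-1])
    return policies


def missing_reverse_shaping(policies: List[Policy],
                            reverse: Dict[str, str] = REVERSE_SERVICE) -> List[int]:
    """IDs of shaped permits whose paired service has no shaped permit in the
    opposite zone direction (the case the page calls essential)."""
    shaped = [p for p in policies if p.action == "permit" and p.shaped]
    return [p.id for p in shaped
            if not any(q.src_zone == p.dst_zone and q.dst_zone == p.src_zone
                       and q.svc == reverse.get(p.svc, p.svc) for q in shaped)]


def permits_shadowed_by_deny(policies: List[Policy]) -> List[int]:
    """IDs of permits listed after an Any/Any/ANY deny for the same zone pair;
    ScreenOS evaluates policies top-down, so those permits never match."""
    denied, shadowed = set(), []
    for p in policies:
        pair = (p.src_zone, p.dst_zone)
        if p.action == "deny" and (p.src, p.dst, p.svc) == ("Any", "Any", "ANY"):
            denied.add(pair)
        elif p.action == "permit" and pair in denied:
            shadowed.append(p.id)
    return shadowed


SAMPLE_CONFIG = """\
set policy id 11 from Trust to VPN Local-voice CLAN-1 Avaya-Sgl-up permit log traffic gbw 5 priority 2 mbw 10
set policy id 11
set dst-address CLAN-2
exit
set policy id 12 from Trust to VPN Local-voice all-internal-net Avaya-RTP permit log traffic gbw 1000 priority 2 mbw 1100
set policy id 13 from Trust to VPN Local-data all-internal-net ANY permit log
set policy id 14 from Trust to VPN Any Any ANY deny log
set policy id 21 from VPN to Trust CLAN-1 Any Avaya-Sgl-dn permit log traffic gbw 5 priority 2 mbw 10
set policy id 22 from VPN to Trust all-internal-net Local-voice Avaya-RTP permit log traffic gbw 1000 priority 2 mbw 1100
set policy id 24 from VPN to Trust Any Any ANY deny log
"""
# Constructed fault 1: policy 22 lost its traffic-shaping options.
BROKEN_SHAPING = SAMPLE_CONFIG.replace(
    "Avaya-RTP permit log traffic gbw 1000 priority 2 mbw 1100\nset policy id 24",
    "Avaya-RTP permit log\nset policy id 24")
# Constructed fault 2: the Trust-to-VPN deny-all moved ahead of the data permit.
_P13 = "set policy id 13 from Trust to VPN Local-data all-internal-net ANY permit log"
_P14 = "set policy id 14 from Trust to VPN Any Any ANY deny log"
BROKEN_ORDER = SAMPLE_CONFIG.replace(_P13 + "\n" + _P14, _P14 + "\n" + _P13)
```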

The screen capture below provides a quick view of traffic shaping for each of the policies. The icon indicates that traffic shaping is enabled for that particular security policy. This screen can be accessed by selecting Reports > Policies from the left panel menu in the WebUI.

4.3. Configuring Juniper Network SSG 5


This section describes the configuration for the SSG 5 at the Home location.

4.3.1. Base configuration


This section describes the base configuration needed to establish basic network and static VPN connectivity.

1. Log in to the SSG 5 using the appropriate username and password.

login: username
password:*******
ssg5-serial-wlan->

2. Create a new security zone called vpn.

set zone name vpn

3. Configure all the physical and logical interfaces. The sample configuration uses Ethernet port ethernet0/1 as the management port with an IP address of 172.16.254.107 to manage the device. This configuration is optional. ping is allowed on the external Untrust interface ethernet0/0 to facilitate troubleshooting.

unset interface bgroup0 port ethernet0/6
set interface ethernet0/0 zone Untrust
set interface ethernet0/1 zone Trust
set interface ethernet0/6 zone Trust
set interface wireless0/0 zone Null
set interface bgroup0 zone Trust
set interface tunnel.1 zone vpn
set interface bgroup0 port ethernet0/2
set interface bgroup0 port ethernet0/3
set interface ethernet0/0 ip 10.10.230.6/24
set interface ethernet0/0 route
set interface ethernet0/1 ip 172.16.254.107/24
set interface ethernet0/1 route
set interface ethernet0/6 ip 172.231.0.1/24
set interface ethernet0/6 nat
set interface bgroup0 ip 172.230.0.1/24
set interface bgroup0 nat
set interface tunnel.1 ip 172.172.0.3/24
set interface ethernet0/0 ip manageable
set interface ethernet0/1 ip manageable
set interface ethernet0/6 ip manageable
set interface bgroup0 ip manageable
set interface ethernet0/0 manage ping

4. To facilitate referencing, the sample network defines user-friendly names to identify the different networks. Local-voice defines the IP sub-network where all Avaya IP Telephones are connected locally. Local-data defines the IP sub-network where all computer users are connected locally. all-internal-net defines the IP sub-network that encompasses the entire sample network. CLAN-1 and CLAN-2 define the IP addresses of the CLAN boards that Avaya VoIP signaling traffic communicates with.

set address Trust Local-voice 172.230.0.0 255.255.255.0
set address Trust Local-data 172.231.0.0 255.255.255.0
set address vpn all-internal-net 172.0.0.0 255.0.0.0
set address vpn CLAN-1 172.28.10.7 255.255.255.255
set address vpn CLAN-2 172.28.10.17 255.255.255.255


5. Define custom services for Avaya VoIP traffic to be used by ScreenOS security policies. The range of UDP ports used for Avaya media traffic is defined in the ip-network-region form in Avaya Communication Manager in Section 5, Step 1.

set service Avaya-Sgl-up protocol udp src-port 0-65535 dst-port 1719-1719
set service Avaya-Sgl-up + tcp src-port 1720-1720 dst-port 0-65535
set service Avaya-Sgl-dn protocol udp src-port 1719-1719 dst-port 0-65535
set service Avaya-Sgl-dn + tcp src-port 0-65535 dst-port 1720-1720
set service Avaya-RTP protocol udp src-port 2048-3329 dst-port 2048-3329

6. Define the VPN gateway. One VPN gateway, HQ_ISG1000, is defined at the SSG 5 and points to the HQ's ISG 1000. The sample network uses a pre-shared string of 1234567890. The same pre-shared string must also be used at the HQ's ISG 1000 and the Branch's SSG20 in Section 4.1.1, Step 6 and Section 4.2.1, Step 6. It is advisable to use a more robust pre-shared key in a production environment.

set ike gateway HQ_ISG1000 address 10.10.210.5 outgoing-interface ethernet0/0 preshare 1234567890 sec-level standard

7. Configure the VPN tunnel to the HQ location using the gateway defined in Step 6 and bind the VPN tunnel to the tunnel interface.

set vpn To_HQ gateway HQ_ISG1000 no-replay tunnel idletime 0 sec-level standard
set vpn To_HQ id 3 bind interface tunnel.1

8. Enable and configure the RIP routing protocol. RIP is enabled on the tunnel interface to exchange routing information between the VPN Hub and Spokes. Access lists are configured to define which IP sub-networks are advertised.

set vrouter trust-vr
set protocol rip
set enable
exit
exit
set vrouter trust-vr
set router-id 172.172.0.3
set access-list 1
set access-list 1 permit ip 172.230.0.0/24 1
set access-list 1 permit ip 172.172.0.0/24 2
set access-list 1 permit ip 172.231.0.0/24 3
set access-list 2
set access-list 2 permit ip 172.220.0.0/24 5
set access-list 2 permit ip 172.0.0.0/8 10
set route-map name local-net permit 1
set match ip 1
exit
set route-map name comp-net permit 2
set match ip 2
exit
unset add-default-route
set route 0.0.0.0/0 interface ethernet0/0 gateway 10.10.230.1 preference 100 permanent
set protocol rip
set redistribute route-map local-net protocol connected
set route-map comp-net in
set route-map local-net out
exit
exit
set interface tunnel.1 protocol rip
set interface tunnel.1 protocol rip enable
set interface tunnel.1 protocol rip send-version v1v2
set interface tunnel.1 protocol rip receive-version v1v2
set interface tunnel.1 protocol rip demand-circuit

9. Define the necessary policy to allow traffic traverse between the different zones. Logging is enable to facilitate troubleshooting and analysis.
set policy id 11 from Trust to vpn Local-voice CLAN-1 Avaya-Sgl-up permit log
set policy id 11
set dst-address CLAN-2
exit
set policy id 12 from Trust to vpn Local-voice all-internal-net UDP-ANY permit log
set policy id 13 from Trust to vpn Local-data all-internal-net ANY permit log
set policy id 14 from Trust to vpn Any Any ANY deny log
set policy id 21 from vpn to Trust CLAN-1 Local-voice Avaya-Sgl-dn permit log
set policy id 21
set src-address CLAN-2
exit
set policy id 22 from vpn to Trust all-internal-net Local-voice Avaya-RTP permit log
set policy id 23 from vpn to Trust all-internal-net Local-data ANY permit log
set policy id 24 from vpn to Trust Any Any ANY deny log
set policy id 31 from Trust to Untrust Any Any ANY permit
set policy id 32 from Trust to Untrust Any Any ANY deny log
set policy id 41 from Untrust to Trust Any Any ANY deny log


The screen capture below shows the order of the security policies as seen from the WebUI.

4.3.2. Configure AC-VPN on the SSG 5

This section shows configuration steps relevant to the configuration of the AC-VPN feature.

1. Define a gateway to be used by the AC-VPN tunnel.
set ike gateway ac-vpn-gw acvpn-dynamic local-id Home1
set ike gateway ac-vpn-gw cert peer-ca self-signed

2. Configure the AC-VPN tunnel using the ac-vpn-gw defined in Step 1.

set vpn ac-vpn acvpn-dynamic ac-vpn-gw To_HQ

5. Enable and configure the Next Hop Resolution Protocol (NHRP) and bind it to the tunnel interface. VPN spoke gateways rely on NHRP to learn the IP addresses of the peer spokes, which are needed to dynamically establish the spoke-to-spoke tunnels.
set vrouter trust-vr
set protocol nhrp
set protocol nhrp nhs 172.172.0.1
set protocol nhrp cache 172.230.0.0/24
exit
set interface tunnel.1 protocol nhrp enable
exit


4.3.3. Configure Quality of Service for Avaya VoIP traffic

This section shows configuration steps for configuring QoS for Avaya VoIP traffic.

1. Define the bandwidth for the external Untrust Ethernet interface and the bandwidth allocation for the logical tunnel interface. The available bandwidth for the Ethernet connection between ethernet0/0 and the simulated Internet is 10 Mbps; therefore the sample network defines the Maximum Bandwidth (mbw) as 10000 kbps. Out of this total of 10000 kbps, 8000 kbps is guaranteed for the tunnel interface with a maximum of 10000 kbps. The guaranteed bandwidth of 8000 kbps will be used by all incoming and outgoing voice and data traffic traversing any VPN tunnel.

set interface ethernet0/0 bandwidth egress mbw 10000 ingress mbw 0
set interface tunnel.1 bandwidth egress gbw 8000 mbw 8000 ingress mbw 8000

2. Enable and configure policy-based traffic shaping for voice traffic. As part of Section 4.3.1, Step 9, these policies should already be in place. This step amends the security policies to enable the traffic shaping option for the Avaya VoIP related policies. Although it may seem unnecessary from a security standpoint, it is absolutely essential to have corresponding policies configured from Trust to VPN and from VPN to Trust with traffic shaping enabled and configured. Depending on which direction VoIP traffic starts from, policies in either direction may be activated. The table below shows the bandwidth allocation for the Avaya VoIP traffic used in the sample network. This allocation is for demonstration purposes only; actual bandwidth allocation should take into account the total number of simultaneous outbound calls as well as the audio codec used. The allocation should be able to accommodate approximately 10 simultaneous calls using the G.711 codec.

Purpose of VoIP traffic                           Guaranteed bandwidth (gbw)   Maximum bandwidth (mbw)
Avaya VoIP registration / Avaya H.323 signaling       5 kbps                      10 kbps
Avaya VoIP Media                                   1000 kbps                    1100 kbps

set policy id 11 from Trust to vpn Local-voice CLAN-1 Avaya-Sgl-up permit log traffic gbw 5 priority 2 mbw 10
set policy id 11
set dst-address CLAN-2
exit
set policy id 12 from Trust to vpn Local-voice all-internal-net UDP-ANY permit log traffic gbw 1000 priority 2 mbw 1100
set policy id 21 from vpn to Trust CLAN-1 Local-voice Avaya-Sgl-dn permit log traffic gbw 5 priority 2 mbw 10
set policy id 21
set src-address CLAN-2
exit
set policy id 22 from vpn to Trust all-internal-net Local-voice Avaya-RTP permit log traffic gbw 1000 priority 2 mbw 1100
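As an added sizing example (not part of the original Application Notes), the script below estimates how many simultaneous G.711 calls the 1000 kbps guaranteed bandwidth of policies 12 and 22 can carry, both as plain RTP and with the ESP 3DES/SHA1 tunnel-mode overhead of the VPN tunnels shown later in the verification output. The codec table, 20 ms packetization and ESP framing sizes are assumptions, not values from the Application Notes.

```python
# Added example: per-call bandwidth and call capacity for the 1000 kbps gbw allocation.
# Codec bitrates and ESP framing constants are assumptions; adjust for your deployment.
from dataclasses import dataclass
import math

# Codec payload bitrates in kbps (assumed narrowband defaults).
CODEC_KBPS = {"G.711": 64, "G.729": 8}

IPV4_HDR = 20   # inner IPv4 header, bytes
UDP_HDR = 8
RTP_HDR = 12


@dataclass(frozen=True)
class EspParams:
    """ESP tunnel-mode framing for the esp:3des/sha1 SAs listed by 'get sa active'."""
    outer_ip: int = 20   # new outer IPv4 header
    spi_seq: int = 8     # ESP header: SPI + sequence number
    iv: int = 8          # 3DES-CBC initialisation vector
    block: int = 8       # 3DES block size; payload + trailer is padded to a multiple
    trailer: int = 2     # pad length + next header
    icv: int = 12        # HMAC-SHA1-96 integrity check value


def rtp_packet_bytes(codec: str, ptime_ms: int) -> int:
    """Bytes on the wire for one RTP packet before any IPsec encapsulation."""
    payload = CODEC_KBPS[codec] * ptime_ms // 8   # kbit/s * ms / 8 = bytes
    return IPV4_HDR + UDP_HDR + RTP_HDR + payload


def esp_packet_bytes(inner_bytes: int, esp: EspParams = EspParams()) -> int:
    """Bytes on the wire after ESP tunnel-mode encapsulation, including block padding."""
    padded = math.ceil((inner_bytes + esp.trailer) / esp.block) * esp.block
    return esp.outer_ip + esp.spi_seq + esp.iv + padded + esp.icv


def per_call_kbps(codec: str, ptime_ms: int, ipsec: bool) -> float:
    """Bandwidth of one direction of one call, in kbps."""
    pps = 1000 / ptime_ms
    size = rtp_packet_bytes(codec, ptime_ms)
    if ipsec:
        size = esp_packet_bytes(size)
    return size * 8 * pps / 1000


def calls_that_fit(gbw_kbps: int, codec: str, ptime_ms: int, ipsec: bool) -> int:
    """Whole calls (one direction each) that fit in a policy's guaranteed bandwidth."""
    return int(gbw_kbps // per_call_kbps(codec, ptime_ms, ipsec))


if __name__ == "__main__":
    GBW = 1000  # kbps, the gbw of policies 12 and 22 in the sample network
    for ipsec in (False, True):
        label = "ESP 3DES/SHA1 tunnel" if ipsec else "plain RTP"
        print(f"G.711/20ms, {label}: {per_call_kbps('G.711', 20, ipsec):.1f} kbps per call, "
              f"{calls_that_fit(GBW, 'G.711', 20, ipsec)} calls in {GBW} kbps")
```

Policy shaping in ScreenOS is applied per policy, so whether the encapsulated or the clear-text size is the one that counts against the gbw depends on where in the forwarding path the shaper sits; the two figures bracket the answer.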

The screen capture below provides a quick view of whether traffic shaping is enabled for each of the policies. The traffic shaping icon indicates that traffic shaping is enabled for that particular security policy. This screen can be accessed by selecting Reports > Policies from the left panel menu in the WebUI.

5. Configure Avaya Communication Manager

This section describes the Avaya Communication Manager configuration. All commands are administered via the System Administration Terminal (SAT) of Avaya Communication Manager. Although these Application Notes do not describe the configuration for Dynamic Call Admission Control (D-CAC), it is recommended that some form of bandwidth management control be used in Avaya Communication Manager to manage inter-office calls. For detailed information on configuring Avaya Communication Manager, please consult references [1], [2], and [3].

1. Use the ip-network-region form to display the UDP ports used for Avaya VoIP Media traffic. The sample network uses the UDP port range of 2048 - 3329 for Avaya VoIP Media traffic. Verify that Intra-region IP-IP Direct Audio is set to yes to allow for direct media exchange between Avaya IP Telephones.

display ip-network-region 1                                       Page 1 of 19
                              IP NETWORK REGION
  Region: 1
Location:        Authoritative Domain: interop.com
    Name:
MEDIA PARAMETERS                Intra-region IP-IP Direct Audio: yes
      Codec Set: 1              Inter-region IP-IP Direct Audio: yes
   UDP Port Min: 2048                      IP Audio Hairpinning? n
   UDP Port Max: 3329
DIFFSERV/TOS PARAMETERS                  RTCP Reporting Enabled? y
 Call Control PHB Value: 46      RTCP MONITOR SERVER PARAMETERS
        Audio PHB Value: 46      Use Default Server Parameters? y
        Video PHB Value: 26
802.1P/Q PARAMETERS
 Call Control 802.1p Priority: 6
        Audio 802.1p Priority: 6
        Video 802.1p Priority: 5      AUDIO RESOURCE RESERVATION PARAMETERS
H.323 IP ENDPOINTS                                       RSVP Enabled? n
  H.323 Link Bounce Recovery? y
  Idle Traffic Interval (sec): 20
     Keep-Alive Interval (sec): 5
            Keep-Alive Count: 5

2. Use the display station form to verify whether Direct IP-IP Audio Connections is set to y. This allows for direct media exchange between Avaya IP Telephones.

display station 11011                                             Page 2 of 5
                                     STATION
FEATURE OPTIONS
          LWC Reception: spe            Auto Select Any Idle Appearance? n
         LWC Activation? y                      Coverage Msg Retrieval? y
  LWC Log External Calls? n                                 Auto Answer: none
             CDR Privacy? n                            Data Restriction? n
   Redirect Notification? y                 Idle Appearance Preference? n
 Per Button Ring Control? n               Bridged Idle Line Preference? n
   Bridged Call Alerting? n                  Restrict Last Appearance? y
  Active Station Ringing: single
                                                      EMU Login Allowed? n
        H.320 Conversion? n          Per Station CPN - Send Calling Number?
       Service Link Mode: as-needed
         Multimedia Mode: enhanced            Audible Message Waiting? n
    MWI Served User Type: qsig-mwi          Display Client Redirection? n
                                           Select Last Used Appearance? n
                                             Coverage After Forwarding? s
                                   Remote Softphone Emergency Calls: as-on-local
  Emergency Location Ext: 11011        Always Use? n  IP Audio Hairpinning? n
                                          Direct IP-IP Audio Connections? y

6. Conclusion
These Application Notes have described the administrative steps required to configure the Juniper Networks ScreenOS based devices for Auto Connect VPN to support an Avaya VoIP solution.


7. Verification
1. Ping may be used to verify that the external Untrust interface of all security gateways is reachable over the Simulated Internet or WAN network. An unreachable external interface will prevent static VPN tunnels from being established.

2. Verify that all VPN tunnels and VPN gateways are configured with the same phase I and phase II security proposals for tunnel establishment. Incompatible phase I and/or phase II security proposals will prevent VPN tunnels from being established. The get ike gateway and get vpn commands can be used to list the proposals selected for each gateway and VPN tunnel.
nsisg1000-> get ike gateway
Id   Name             Gateway Address       Gateway ID   Mode  Proposals
---- ---------------- --------------------- ------------ ----- ---------
0    Home-SSG5        10.10.230.6                        Main  pre-g2-3des-sha,pre-g2-aes128-sha
1    Branch-SSG20     10.10.220.6                        Main  pre-g2-3des-sha,pre-g2-aes128-sha
2    ac-vpn-hub       none (profile acvpn)               Aggr  rsa-g2-3des-sha,rsa-g2-aes128-sha,dsa-g2-3des-sha,dsa-g2-aes128-sha
Total Gateways: 3 (3 including dynamic peers)

nsisg1000-> get vpn
Name             Gateway          Mode  RPlay  1st Proposal          Monitor  Use Cnt  Interface
---------------- ---------------- ----  -----  --------------------  -------  -------  ---------
To_Home          Home-SSG5        tunl  No     g2-esp-3des-sha       on       0        eth1/3
To_Branch        Branch-SSG20     tunl  No     g2-esp-3des-sha       on       0        eth1/3
ac-vpn           ac-vpn-hub       tunl  Yes    g2-esp-3des-sha       off      0        null
Total Auto VPN: 3


Similar output can also be obtained via the WebUI by selecting VPNs > AutoKey Advanced > Gateway and VPNs > AutoKey IKE from the left panel menu of the WebUI.

3. Use the get sa active command to verify whether the VPN tunnel is active. The following is an output from the ISG 1000 showing 2 active VPN tunnels.
nsisg1000-> get sa active
Total active sa: 2
total configured sa: 2
HEX ID    Gateway         Port Algorithm     SPI      Life:sec kb    Sta   PID vsys
00000002< 10.10.230.6     500  esp:3des/sha1 31e96159 2048     unlim A/U   -1  0
00000002> 10.10.230.6     500  esp:3des/sha1 b7be3c94 2048     unlim A/U   -1  0
00000001< 10.10.220.6     500  esp:3des/sha1 31e96158 2036     unlim A/U   -1  0
00000001> 10.10.220.6     500  esp:3des/sha1 c96fd8ec 2036     unlim A/U   -1  0


The following is an output from the Branch's SSG 20 showing 1 active VPN tunnel to the HQ's ISG 1000 before the dynamic tunnel is established.

ssg20-wlan-> get sa active
Total active sa: 1
total configured sa: 2
HEX ID    Gateway         Port Algorithm     SPI      Life:sec kb    Sta   PID vsys
00000003< 10.10.210.5     500  esp:3des/sha1 c96fd948 1543     unlim A/U   -1  0
00000003> 10.10.210.5     500  esp:3des/sha1 425c5093 1543     unlim A/U   -1  0

The following is an output from the Branch's SSG 20 showing 2 active VPN tunnels: one to the HQ's ISG 1000 and the other to the Home's SSG 5, which was dynamically provisioned.

ssg20-wlan-> get sa active
Total active sa: 2
total configured sa: 3
HEX ID    Gateway         Port Algorithm     SPI      Life:sec kb    Sta   PID vsys
00000003< 10.10.210.5     500  esp:3des/sha1 c96fd948 1499     unlim A/U   -1  0
00000003> 10.10.210.5     500  esp:3des/sha1 425c5093 1499     unlim A/U   -1  0
00008006< 10.10.230.6     500  esp:3des/sha1 c96fd94a 3572     unlim A/-   -1  0
00008006> 10.10.230.6     500  esp:3des/sha1 b7be3cf4 3572     unlim A/-   -1  0

4. Use the get vrouter trust-vr protocol nhrp command to verify whether NHRP is running and configured properly in all ScreenOS devices configured with AC-VPN. The following is an output from the ISG 1000 showing that NHRP is enabled and running on the tunnel.1 interface.

nsisg1000-> get vrouter trust-vr protocol nhrp
NHRP instance at Vroute(trust-vr):
-------------------------------------------------------------------------------
NHRP Server                : 0.0.0.0
holdtime                   : 300
resolution-request retry   : 3
retry interval             : 6 sec
total NHRP cache entry     : 4
static NHRP entry          : 0
pending resolution-request : 0
NHRP enabled interface     : 1
ACVPN profile in use       : ac-vpn
-------------------------------------------------------------------------------
interface          Enabled    Req-ID
-------------------------------------------------------------------------------
tunnel.1           Yes        0


The following is an output from the SSG 20 showing the IP address of the NHRP Server, which is the IP address of the ISG 1000's tunnel.1 interface. The output also shows that NHRP is enabled and running on the tunnel.1 interface.

ssg20-wlan-> get vrouter trust-vr protocol nhrp
NHRP instance at Vroute(trust-vr):
-------------------------------------------------------------------------------
NHRP Server                : 172.172.0.1
holdtime                   : 300
resolution-request retry   : 3
retry interval             : 6 sec
total NHRP cache entry     : 1
static NHRP entry          : 1
pending resolution-request : 0
NHRP enabled interface     : 1
ACVPN profile in use       : none
-------------------------------------------------------------------------------
interface          Enabled    Req-ID
-------------------------------------------------------------------------------
tunnel.1           Yes        3512

5. Use the get vrouter trust-vr protocol nhrp peer command to verify any established NHRP peers. The following is an output from the ISG 1000 showing two NHRP peers, Branch and Home, along with their respective IP addresses.

nsisg1000-> get vrouter trust-vr protocol nhrp peer
-------------------------------------------------------------------------------
Registered peers (Total 2):
-------------------------------------------------------------------------------
Peer src prot ID  Self-cert-hash                                   ID type  ID
---------------   -----------------------------------------------  -------  -------
172.172.0.2       <2793dafe cc9c6d8d a150c064 8b3001cd ad5d154e>  2        Branch
172.172.0.3       <d8cd73c7 a822f290 2206f92e 21cf33ae 55b08926>  2        Home

The following are two outputs from the SSG 20. The first output shows no NHRP peer when the AC-VPN tunnel is inactive. The second output shows a newly discovered NHRP peer with an IP address of 172.172.0.3 and an ID of Home, which is the SSG 5 in the sample network, after the AC-VPN tunnel has been established.

ssg20-wlan-> get vrouter trust-vr protocol nhrp peer
-------------------------------------------------------------------------------
Learned peers (Total = 1):
-------------------------------------------------------------------------------
Peer nhop prot ID Self-cert-hash                                   ID type  ID
---------------   -----------------------------------------------  -------  -------
172.172.0.3

ssg20-wlan-> get vrouter trust-vr protocol nhrp peer
-------------------------------------------------------------------------------
Learned peers (Total = 1):
-------------------------------------------------------------------------------
Peer nhop prot ID Self-cert-hash                                   ID type  ID
---------------   -----------------------------------------------  -------  -------
172.172.0.3       <d8cd73c7 a822f290 2206f92e 21cf33ae 55b08926>  2        Home

6. Use the get vrouter trust-vr protocol nhrp cache command to verify whether the appropriate IP sub-network is being advertised by the NHRP peer. The following is an output from the ISG 1000 showing the 2 hosts and 2 IP sub-networks it learned from its NHRP peers, along with the IP addresses used to reach these hosts and sub-networks.

nsisg1000-> get vrouter trust-vr protocol nhrp cache
-------------------------------------------------------------------------------
flags: R-registered, C-cached, L-replied, P-pushed, S-static, I-imported,
       F-in FIB, D-being deleted.
-------------------------------------------------------------------------------
Prefix            nhop-public-IP   nhop-private-IP  Pref  Flags  Expire(in sec)
-------------------------------------------------------------------------------
172.172.0.2/32    10.10.220.6      172.172.0.2      128   C      284
172.172.0.3/32    10.10.230.6      172.172.0.3      128   C      282
172.220.0.0/24    10.10.220.6      172.172.0.2      128   RF     284
172.230.0.0/24    10.10.230.6      172.172.0.3      128   RF     282

The following are two outputs from the SSG 20. The first output shows the IP network that is being advertised to the other NHRP peers. The second output shows the IP sub-network 172.230.0.0/24 that the SSG 20 learned through NHRP after an AC-VPN tunnel has been established. In this sample output the AC-VPN tunnel is established between the Branch and Home locations.

ssg20-wlan-> get vrouter trust-vr protocol nhrp cache
-------------------------------------------------------------------------------
flags: R-registered, C-cached, L-replied, P-pushed, S-static, I-imported,
       F-in FIB, D-being deleted.
-------------------------------------------------------------------------------
Prefix            nhop-public-IP   nhop-private-IP  Pref  Flags  Expire(in sec)
-------------------------------------------------------------------------------
172.220.0.0/24    0.0.0.0          0.0.0.0          128   S      300

ssg20-wlan-> get vrouter trust-vr protocol nhrp cache
-------------------------------------------------------------------------------
flags: R-registered, C-cached, L-replied, P-pushed, S-static, I-imported,
       F-in FIB, D-being deleted.
-------------------------------------------------------------------------------
Prefix            nhop-public-IP   nhop-private-IP  Pref  Flags  Expire(in sec)
-------------------------------------------------------------------------------
172.220.0.0/24    0.0.0.0          0.0.0.0          128   S      300
172.230.0.0/24    10.10.230.6      172.172.0.3      0     PF     251


7. Use the get route command to verify that NHRP routing is working as expected. The following is an abbreviated output from the SSG 20 when the AC-VPN tunnel is inactive. Notice that there is only one RIP advertised route to each of the IP sub-networks for the Home location.

ssg20-wlan-> get route
------------------------------------------------------------------------------
   ID   IP-Prefix            Interface   Gateway        P    Pref   Mtr   Vsys
------------------------------------------------------------------------------
*  11   0.0.0.0/0            eth0/0      10.10.220.1    SP   100    1     Root
*  10   172.172.0.2/32       tun.1       0.0.0.0        H    0      0     Root
*   1   10.10.220.0/24       eth0/0      0.0.0.0        C    0      0     Root
*   4   172.16.254.111/32    eth0/1      0.0.0.0        H    0      0     Root
*  50   172.28.11.0/24       tun.1       172.172.0.1    R    100    11    Root
*  49   172.28.10.0/24       tun.1       172.172.0.1    R    100    11    Root
*   8   172.220.0.1/32       bgroup0     0.0.0.0        H    0      0     Root
*   5   172.221.0.0/24       eth0/4      0.0.0.0        C    0      0     Root
*   7   172.220.0.0/24       bgroup0     0.0.0.0        C    0      0     Root
*  40   172.231.0.0/24       tun.1       172.172.0.1    R    100    12    Root
*  39   172.230.0.0/24       tun.1       172.172.0.1    R    100    12    Root
*   3   172.16.254.0/24      eth0/1      0.0.0.0        C    0      0     Root
*   2   10.10.220.6/32       eth0/0      0.0.0.0        H    0      0     Root
*   9   172.172.0.0/24       tun.1       0.0.0.0        C    0      0     Root

The following is an abbreviated output from the SSG 20 after the AC-VPN tunnel has been established. Notice that in addition to the RIP advertised routes for the Home location IP sub-networks, there is an additional NHRP route to the Home's voice IP sub-network. This new NHRP route points to the IP address of the Home's SSG 5 tunnel interface as the gateway instead of the ISG 1000's. Because this NHRP route has a lower Preference number, traffic destined to the Home's voice IP sub-network will be routed to the Home's SSG 5 gateway directly over the AC-VPN tunnel.

ssg20-wlan-> get route
------------------------------------------------------------------------------
   ID   IP-Prefix            Interface   Gateway        P    Pref   Mtr   Vsys
------------------------------------------------------------------------------
*  11   0.0.0.0/0            eth0/0      10.10.220.1    SP   100    1     Root
*  10   172.172.0.2/32       tun.1       0.0.0.0        H    0      0     Root
*   1   10.10.220.0/24       eth0/0      0.0.0.0        C    0      0     Root
*   4   172.16.254.111/32    eth0/1      0.0.0.0        H    0      0     Root
*  50   172.28.11.0/24       tun.1       172.172.0.1    R    100    11    Root
*  49   172.28.10.0/24       tun.1       172.172.0.1    R    100    11    Root
*   6   172.221.0.1/32       eth0/4      0.0.0.0        H    0      0     Root
*   8   172.220.0.1/32       bgroup0     0.0.0.0        H    0      0     Root
*   5   172.221.0.0/24       eth0/4      0.0.0.0        C    0      0     Root
*   7   172.220.0.0/24       bgroup0     0.0.0.0        C    0      0     Root
*  40   172.231.0.0/24       tun.1       172.172.0.1    R    100    12    Root
*  52   172.230.0.0/24       tun.1       172.172.0.3    N    35     0     Root
   39   172.230.0.0/24       tun.1       172.172.0.1    R    100    12    Root
*   3   172.16.254.0/24      eth0/1      0.0.0.0        C    0      0     Root
*  42   172.28.240.0/24      tun.1       172.172.0.1    R    100    11    Root
*   2   10.10.220.6/32       eth0/0      0.0.0.0        H    0      0     Root
*   9   172.172.0.0/24       tun.1       0.0.0.0        C    0      0     Root
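The route-table check described in this step can be automated. The script below is an added example (not part of the original Application Notes or of ScreenOS): it parses `get route` output captured from a spoke and, for a given prefix, reports whether an NHRP (`N`) shortcut is installed, is the active `*` route, has a lower Preference than the hub-learned RIP (`R`) route, and points at the peer spoke's tunnel address rather than the hub's. The sample rows are constructed from the SSG 20 tables above; the hub and Home tunnel addresses are the ones used in the sample network.

```python
# Added example: verify the NHRP shortcut route on a ScreenOS spoke from 'get route' output.
# Sample input below is constructed from the SSG 20 tables in this section.
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One row of 'get route'; the leading '*' marks the route installed in the FIB.
ROUTE_RE = re.compile(
    r"^(?P<active>\*)?\s*(?P<id>\d+)\s+(?P<prefix>\S+/\d+)\s+(?P<iface>\S+)\s+"
    r"(?P<gw>\d+\.\d+\.\d+\.\d+)\s+(?P<proto>[A-Z]+)\s+(?P<pref>\d+)\s+(?P<mtr>\d+)\s+(?P<vsys>\S+)$"
)


@dataclass(frozen=True)
class Route:
    active: bool
    prefix: str
    iface: str
    gateway: str
    proto: str      # C connected, H host, R RIP, N NHRP, SP static/permanent, ...
    pref: int
    metric: int


def parse_get_route(output: str) -> List[Route]:
    """Return the route rows of a 'get route' dump; headers and separators are skipped."""
    routes = []
    for line in output.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            routes.append(Route(m["active"] == "*", m["prefix"], m["iface"], m["gw"],
                                m["proto"], int(m["pref"]), int(m["mtr"])))
    return routes


@dataclass(frozen=True)
class ShortcutCheck:
    prefix: str
    status: str                  # "shortcut", "suspect", "via-hub" or "missing"
    nhrp_gateway: Optional[str]
    problems: Tuple[str, ...]


def check_shortcut(routes: List[Route], prefix: str, hub_tunnel_ip: str,
                   expected_peer_ip: Optional[str] = None) -> ShortcutCheck:
    """Classify how 'prefix' is currently reached on this spoke."""
    rows = [r for r in routes if r.prefix == prefix]
    if not rows:
        return ShortcutCheck(prefix, "missing", None, ("no route to prefix",))
    nhrp = [r for r in rows if r.proto == "N"]
    rip = [r for r in rows if r.proto == "R"]
    if not nhrp:
        # Only the hub-advertised RIP route: traffic still hairpins through the hub.
        return ShortcutCheck(prefix, "via-hub", None, ())
    best = min(nhrp, key=lambda r: r.pref)
    problems = []
    if not best.active:
        problems.append("NHRP route is not the active (*) route")
    if rip and best.pref >= min(r.pref for r in rip):
        problems.append("NHRP preference %d is not lower than RIP preference %d"
                        % (best.pref, min(r.pref for r in rip)))
    if best.gateway == hub_tunnel_ip:
        problems.append("NHRP next hop is the hub, not a peer spoke")
    if expected_peer_ip and best.gateway != expected_peer_ip:
        problems.append("NHRP next hop %s != expected peer %s" % (best.gateway, expected_peer_ip))
    return ShortcutCheck(prefix, "shortcut" if not problems else "suspect",
                         best.gateway, tuple(problems))


# Constructed sample: the Home prefixes from the SSG 20 table after the AC-VPN tunnel is up.
SAMPLE_ESTABLISHED = """\
   ID   IP-Prefix            Interface   Gateway        P    Pref   Mtr   Vsys
*  40   172.231.0.0/24       tun.1       172.172.0.1    R    100    12    Root
*  52   172.230.0.0/24       tun.1       172.172.0.3    N    35     0     Root
   39   172.230.0.0/24       tun.1       172.172.0.1    R    100    12    Root
"""
# Constructed sample: the same prefixes while the AC-VPN tunnel is inactive.
SAMPLE_INACTIVE = """\
*  40   172.231.0.0/24       tun.1       172.172.0.1    R    100    12    Root
*  39   172.230.0.0/24       tun.1       172.172.0.1    R    100    12    Root
"""

HUB_TUNNEL_IP = "172.172.0.1"    # ISG 1000 tunnel.1, the NHRP server
HOME_TUNNEL_IP = "172.172.0.3"   # SSG 5 tunnel.1

if __name__ == "__main__":
    for name, text in (("inactive", SAMPLE_INACTIVE), ("established", SAMPLE_ESTABLISHED)):
        routes = parse_get_route(text)
        for prefix in ("172.230.0.0/24", "172.231.0.0/24"):
            print(name, check_shortcut(routes, prefix, HUB_TUNNEL_IP, HOME_TUNNEL_IP))
```

Note that 172.231.0.0/24 stays "via-hub" even after the tunnel is up, because the SSG 5 only places 172.230.0.0/24 in its NHRP cache (Section 4.3.2, Step 5).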


8. Use the get session command to verify that Avaya VoIP traffic is utilizing the appropriate policy. The following is an abbreviated output from the SSG 20 showing that policies 12, 21 and 22, which are enabled and configured with traffic shaping, are being used by Avaya VoIP traffic.

ssg20-wlan-> get session
alloc 14/max 8064, alloc failed 0, mcast alloc 0, di alloc failed 0
total reserved 0, free sessions in shared pool 8050
id 8047/s**,vsys 0,flag 00000040/0000/0001,policy 22,time 5, dip 0 module 0
 if 20(nspflag 2801):172.28.10.8/2633->172.220.0.111/3259,17,000000000000,sess token 16,vlan 0,tun 40000003,vsd 0,route 49
 if 9(nspflag 800800):172.28.10.8/2633<-172.220.0.111/3259,17,00040de9794e,sess token 3,vlan 0,tun 0,vsd 0,route 7
id 8048/s**,vsys 0,flag 00000040/0000/0001,policy 21,time 179, dip 0 module 0
 if 20(nspflag 3801):172.28.10.7/61441->172.220.0.111/1720,6,000000000000,sess token 16,vlan 0,tun 40000003,vsd 0,route 49,wsf 0
 if 9(nspflag 801800):172.28.10.7/61441<-172.220.0.111/1720,6,00040de9794e,sess token 3,vlan 0,tun 0,vsd 0,route 7,wsf 0
id 8050/s**,vsys 0,flag 00000040/0000/0001,policy 22,time 5, dip 0 module 0
 if 20(nspflag 2801):172.28.10.8/2632->172.220.0.111/3258,17,000000000000,sess token 16,vlan 0,tun 40000003,vsd 0,route 49
 if 9(nspflag 800800):172.28.10.8/2632<-172.220.0.111/3258,17,00040de9794e,sess token 3,vlan 0,tun 0,vsd 0,route 7
id 8051/s**,vsys 0,flag 00000040/0000/0001,policy 12,time 6, dip 0 module 0
 if 9(nspflag 800801):172.220.0.111/3259->172.230.0.112/3059,17,00040de9794e,sess token 3,vlan 0,tun 0,vsd 0,route 7
 if 20(nspflag 2800):172.220.0.111/3259<-172.230.0.112/3059,17,000000000000,sess token 16,vlan 0,tun 40008008,vsd 0,route 55
id 8053/s**,vsys 0,flag 00000040/0080/0021,policy 320002,time 6, dip 0 module 0
 if 0(nspflag 800601):10.10.230.6/500->10.10.220.6/500,17,000496265f34,sess token 4,vlan 0,tun 0,vsd 0,route 11
 if 3(nspflag 2002010):10.10.230.6/500<-10.10.220.6/500,17,000000000000,sess token 5,vlan 0,tun 0,vsd 0,route 0
id 8060/s**,vsys 0,flag 00000040/0080/0021,policy 320002,time 180, dip 0 module 0
 if 3(nspflag 2002011):172.172.0.2/1->172.172.0.1/1,54,000000000000,sess token 5,vlan 0,tun 0,vsd 0,route 0
 if 20(nspflag 2600):172.172.0.2/1<-172.172.0.1/1,54,000000000000,sess token 16,vlan 0,tun 40000003,vsd 0,route 9
id 8061/s**,vsys 0,flag 00000040/0000/0001,policy 22,time 6, dip 0 module 0
 if 20(nspflag 2801):172.230.0.112/3058->172.220.0.111/3258,17,000000000000,sess token 16,vlan 0,tun 40008008,vsd 0,route 55
 if 9(nspflag 800800):172.230.0.112/3058<-172.220.0.111/3258,17,00040de9794e,sess token 3,vlan 0,tun 0,vsd 0,route 7
Total 8 sessions shown


9. Use the get policy id <policy #> command to display configuration and usage information. The following is an output from the SSG 20 for policy 22 during an active Avaya VoIP call. The output shows the policy, bandwidth utilization (inside and outside the tunnel), and guaranteed/maximum bandwidth settings along with other statistics.

ssg20-wlan-> get policy id 22
name:none (id 22), zone VPN -> Trust,action Permit, status enabled
src all-internal-net, dst Local-voice, serv Avaya-RTP
Rules on this VPN policy: 0
nat off, Web filtering : disabled
vpn unknown vpn, policy flag 00010000, session backup: on, idle reset: on
traffic shaping on, scheduler n/a, serv flag 00
log close, log count 39, alert no, counter no(0) byte rate(sec/min) 0/0
total octets 16982516, counter(session/packet/octet) 0/0/0
priority 2, diffserv marking Off
tadapter: state on, gbw/mbw 1000/1100 policing (no)
----------------------------------------------------------------------------
tmng (27): interface tunnel.1 state on priority 2
  bw usage [for last one second]: 107 kbps
  pak queue(cur/max): 0/15   pak received: 30370   pak dropped(out/shared): 0/0
  PreShapingBytes (dropped/total): 0/8192628   diffserv-marking: 0x0
  elapsed time: 351809253 ms   gbw/mbw: 1000/1100 (kbps)   gbw_q/mbw_q: 125/137   shared_tmng: 20
  PostShapingBytes(total/borrowed):8192628/0   tokens (regular/borrowd): 0/8192628
  token bucket (gbl/mbl): 125000/140625   tokens(gua/max): 124980/140625
----------------------------------------------------------------------------
tmng (28): interface bgroup0 state on priority 2
  bw usage [for last one second]: 86 kbps
  pak queue(cur/max): 0/15   pak received: 49084   pak dropped(out/shared): 0/0
  PreShapingBytes (dropped/total): 0/10489948   diffserv-marking: 0x0
  elapsed time: 351809374 ms   gbw/mbw: 1000/1100 (kbps)   gbw_q/mbw_q: 125/137   shared_tmng: 16
  PostShapingBytes(total/borrowed):10489948/0   tokens (regular/borrowd): 0/10489948
  token bucket (gbl/mbl): 125000/140625   tokens(gua/max): 125000/140625
No Authentication
No User, User Group or Group expression set


8. Additional References
Product documentation for Avaya products may be found at http://support.avaya.com

[1] Administrator Guide for Avaya Communication Manager, Doc # 03-300509, Issue 3.1, February 2007
[2] Avaya Communication Manager Advanced Administration Quick Reference, Doc # 03-300364, Issue 3, February 2007
[3] Administration for Network Connectivity for Avaya Communication Manager, Doc # 555-233-504, Issue 12, February 2007

Product documentation for Juniper Networks products may be found at http://www.Juniper.net

[4] Concepts & Examples ScreenOS Reference Guide, Volume 1: Overview, Release 6.1.0 Rev. 01, Part Number 530-022543-01, Revision 01
[5] Concepts & Examples ScreenOS Reference Guide, Volume 2: Fundamentals, Release 6.1.0 Rev. 01, Part Number 530-022530-01, Revision 01
[6] Concepts & Examples ScreenOS Reference Guide, Volume 3: Administration, Release 6.1.0 Rev. 01, Part Number 530-022531-01, Revision 01
[7] Concepts & Examples ScreenOS Reference Guide, Volume 5: Virtual Private Networks, Release 6.1.0 Rev. 01, Part Number 530-022533-01, Revision 01


© 2008 Avaya Inc. All Rights Reserved.

Avaya and the Avaya Logo are trademarks of Avaya Inc. All trademarks identified by ® and ™ are registered trademarks or trademarks, respectively, of Avaya Inc. All other trademarks are the property of their respective owners. The information provided in these Application Notes is subject to change without notice. The configurations, technical data, and recommendations provided in these Application Notes are believed to be accurate and dependable, but are presented without express or implied warranty. Users are responsible for their application of any products specified in these Application Notes.

Please e-mail any questions or comments pertaining to these Application Notes along with the full title name and filename, located in the lower right corner, directly to the Avaya Solution & Interoperability Test Lab at interoplabnotes@list.avaya.com
