
Avaya Contivity - BCM IPSec Peer-to-Peer Tunnel User's Manual


Contents

1. (Source pages 18-19.) (Screenshot: the Add Branch Office Accounts window with its defaults: Local Endpoint 0.0.0.0, Remote Endpoint 0.0.0.0, Send All Traffic Through IPSec Tunnel No, Create Firewall Rules for this Tunnel No, SA Keep Alive Enabled No.) Fill out the Add Branch Office Accounts window as follows:
   Enter the Tunnel Number: T1.
   Set the IPSec Status to Enabled.
   Leave PFS Enabled (Perfect Forward Secrecy) as Yes.
   Leave the Idle Timeout at the default value (00:15:00).
   (Footer: TT040922 1.00, September 2004, Page 18 of 27. Tech Tip, Nortel Networks, Contivity Secure IP Services Gateway: Contivity - BCM IPSec Peer-to-Peer Tunnel Using Pre-Shared Key Authentication.)
   Set the Highest Encryption as desired and make sure it matches the Contivity setting. This example uses ESP 3DES MD5, as decided in the Sample Configuration Setup; this setting is enabled by default on the Contivity.
   Set the Preshared Key Type to Text.
   Set the Preshared Key to 12345 and confirm it; it must match the key entered in the Contivity configuration. (12345 is the sample key for this lab only; a production pre-shared key should be long and random, since it is the only thing authenticating the peer.)
   Leave the Rekey Timeout at its default value (08:00:00).
2. (Source page 21.) (Screenshot: the Unified Manager navigation tree; the branch office account has Parameters, Local Accessible Networks and Remote Accessible Networks tabs.) Click on Configuration in the top menu bar and select Add Local Accessible Network. (The Configuration menu also offers Modify Local Accessible Network, Delete Local Accessible Network, Add Remote Accessible Network, Modify Remote Accessible Network and Delete Remote Accessible Network.)
   Enter the Local Accessible Network parameters, L1 10.1.1.0/24, and click Save. (The Local Accessible Networks table has the columns Network Number, IP Address and IP Address Mask.)
3. (Source page 12.) (Screenshot: the CES Branch Office screen. Under Connections the new connection is listed as Connection Name To BCM, Connection Type Peer to Peer, Tunnel Type IPSec, Local IP Address 30.1.1.2, Remote IP Address 30.1.1.1, Control Tunnel Disabled.)
   Configuring Branch Office IPSec parameters
   Navigate to Profiles > Branch Office to configure the branch office IPSec parameters. From the Group drop-down list select the group the tunnel belongs to (/Base/BO Group) and, next to the group, click Configure.
4. (Source pages 7-8.) Leave MTU at the default setting (Tunnel MTU Enable, MTU Value 1788).
   No NAT is used in this example; leave the default None selection for NAT.
   For the IP Configuration select Static.
   Define the local accessible networks: next to Local Network, select Create Local Network.
   The Networks screen appears. Enter the name of the network to be created (local 192.168.10.0) and click Create. (Screenshot: Networks screen; Current Networks: No networks defined; "Enter new Network name and press create"; a Return to Connection Configuration link in the top right corner.)
   Enter the IP address of the Local Accessible Network (the CES private network, 192.168.10.0).
5. (Source pages 12-13.) Scroll down to the IPSec section and click Configure. (Screenshot: Branch Office > Edit Group for Group Name /Base/BO Group, Parent Group Base. The Current Configuration column shows Nailed Up Disabled, Access Hours Anytime, Call Admission Priority Highest Priority, Forwarding Priority Low Priority, Idle Timeout 00:15:00, Forced Logoff 00:00:00, RSVP Disabled, RSVP Token Bucket Depth 3000 Bytes, RSVP Token Bucket Rate 28 Kbps, Branch Office Bandwidth Policy Committed Rate 56 Kbps, Excess Rate 128 Kbps, Excess Action Mark. Under Encryption the screen lists ESP Triple DES with MD5 Integrity (Disabled), ESP 56-bit DES with MD5 Integrity (Enabled), ESP 40-bit DES with MD5 Integrity (Disabled), AH Authentication Only HMAC-SHA1 (Enabled) and AH Authentication Only HMAC-MD5 (Enabled); IKE Encryption and Diffie-Hellman Group is 56-bit DES with Group 1 (768-bit prime); the list continues with Vendor ID, Aggressive Mode and ISAKMP Initial Contact Payload.) Note that single DES for IKE and a 768-bit Diffie-Hellman group were 2004 defaults and are not considered adequate today.
6. (Source pages 4-5.) (Screenshot: the Connections table has the columns Select, Enable, Connection Name, Connection Type, Tunnel Type, Local IP Address, Remote IP Address and Control Tunnel, with an Add button.) Enter a name for the group (BO Group) and click OK. (Screenshot: Add Group; Group Name BO Group, Parent Group Name Base; OK, Cancel, Apply.)
   From the drop-down menu next to Group, select the newly created group (/Base/BO Group). To add a new branch office connection, under the Connections section click Add.
7. (Source pages 10-11.) ...and click OK. (Screenshot: Add Remote Network; Group Name /Base/BO Group, Connection Name To BCM, Remote Network IP Address 10.1.1.0, IP Mask 255.255.255.0, Cost 10, Enabled.)
   Listed under the Remote Networks tab is the configured remote network: IP Address 10.1.1.0, IP Mask 255.255.255.0, Cost 10, Enabled.
   Once all the parameters have been set, at the bottom of the screen click OK. (Screenshot: Connection Configuration for Group Name /Base/BO Group, Connection Name To BCM.)
8. (Source pages 26-27.) Continuation of the CES event log from item 22 (the leading fragment 30.1.1.1 completes the line "ISAKMP SA established with [30.1.1.1]"):
   09/20/2004 16:34:13 0 Security [12] Session: IPSEC[30.1.1.1]:11 physical addresses: remote 30.1.1.1 local 30.1.1.2
   09/20/2004 16:34:13 0 Security [12] Session: IPSEC[30.1.1.1]:12 physical addresses: remote 30.1.1.1 local 30.1.1.2
   09/20/2004 16:34:13 0 Outbound ESP from 30.1.1.2 to 30.1.1.1 SPI 0x00163b9d [03] ESP encap session SPI 0x9d3b1600 bound to s/w on cpu 0
   09/20/2004 16:34:13 0 Inbound ESP from 30.1.1.1 to 30.1.1.2 SPI 0x00094683 [03] ESP decap session SPI 0x83460900 bound to s/w on cpu 0
   09/20/2004 16:34:13 0 Branch Office [00] 4f999f0 BranchOfficeCtxtCls::RegisterTunnel rem[10.1.1.0/255.255.255.0/30.1.1.1] loc[192.168.10.0/255.255.255.0] Overwriting tunnel context ffffffff with 4f7b8b8
   09/20/2004 16:34:13 0 ISAKMP [03] Established IPsec SAs with 30.1.1.1
   09/20/2004 16:34:13 0 ISAKMP [03] ESP 3DES-CBC HMAC-MD5 outbound SPI 0x163b9d
   09/20/2004 16:34:13 0 ISAKMP [03] ESP 3DES-CBC HMAC-MD5 inbound SPI 0x94683
   (The encap and decap session SPIs are the ISAKMP SPIs in the opposite byte order: 0x9d3b1600 is 0x00163b9d byte-swapped and 0x83460900 is 0x00094683 byte-swapped, so the two sets of lines describe the same pair of security associations.)
   Copyright 2005 Nortel Networks Limited. All Rights Reserved. Nortel, Nortel Networks, the Nortel logo, Globemark and Contivity are trademarks of Nortel Networks Limited. The information in this document is subject to change without notice. The statements, configurations, technical data and recommendations in this document are believed
9. (Source pages 16-17.) (Screenshot: LAN 1 interface properties: Description 10/100 Base-T Ethernet NIC, Speed 100000000, Duplex Type, Connection Type Auto Sense, Status UP, Admin Status Up, Primary and Secondary WINS Address.)
   Configuring Branch Office tunnel parameters
   On the navigation tree expand the Services key, expand the VPN key and expand the IPSec key. This shows two options: Branch Office Accounts and Remote User Accounts. Click on Branch Office Accounts. This enables the Add button under the Comprehensive heading. (Screenshot: the Branch Office Accounts table has the columns Tunnel Number, Status, Local Endpoint, Remote Endpoint and Send All Traffic.)
10. (Source pages 3-4.) (Screenshot: CES LAN interfaces. The private interface has IP Address 192.168.10.2, Subnet Mask 255.255.255.0, Interface Filter permit all; Slot 1 Interface 1 is Enabled, Type Public, with IP Address 30.1.1.2, Subnet Mask 255.255.255.0, Interface Filter permit all. The Contivity Interface Filter is in use.)
   In this configuration the CES and the BCM are directly connected. If a router is used between the CES and the BCM, a public default gateway must be configured on the Routing > Static Routes screen by clicking Add Public Route and specifying the address of the public default router.
   Configuring Branch Office connection
   Configure the BO connection. Navigate to Profiles > Branch Office. To add a new group for the branch office, next to Group click Add. (Screenshot: Branch Office screen; Group Base; Connections section with Search Criteria OFF.)
11. (Source pages 24-25.) (Screenshot, continued from item 23: the IPSec Global Settings encryption list also shows ESP DES56 MD5, ESP DES40 SHA1, ESP DES40 MD5, AH Authentication_Only SHA1 and AH Authentication_Only MD5.)
   Once the branch office tunnel is established, the BOT status is shown as Connected. (Screenshot: Branch Office Summary; Tunnel Number T1, Status Connected, Local Endpoint 30.1.1.1, Remote Endpoint 30.1.1.2.)
12. (Source pages 15-16.) (Screenshot: LAN 1 interface properties: 10/100 Base-T Ethernet NIC, Speed 100000000, Duplex Type, Connection Type Auto Sense, Status UP, Admin Status Up, Primary and Secondary WINS Address.)
   Click on LAN 2. This is the Public Interface. Enter IP 30.1.1.1 with a mask of 255.255.255.0. (Screenshot: LAN 2 summary; IP Address 30.1.1.1, Subnet Mask 255.255.255.0, Physical Address 00:00:50:0E:C2:5E.)
13. (Source pages 9-10.) Listed under Current Networks is the configured network. To return to the branch office configuration, in the top right corner click on the Return to Connection Configuration link. (Screenshot: Networks screen; Current Networks: local 192.168.10.0; Delete button; "Enter new Network name and press create".)
   From the drop-down list next to Local Network, select the newly configured local network (local 192.168.10.0).
   Define the remote accessible networks: under Remote Networks, click Add. (The Remote Networks table has the columns Select, IP Address, IP Mask, Cost and Enabled.)
   The Add Remote Network screen appears. Enter the IP Address of the Remote Network (the BCM private network on LAN 1, 10.1.1.0) and Mask 255.255.255.0. Leave the Cost at its default (10). Select Enabled
14. (Source page 1.) Contents
   Overview ... 1
   Sample Configuration Setup ... 2
   Configuring WS1 ... 2
   Configuring WS2 ... 2
   Configuring CES ... 3
   Configuring network parameters ... 3
   Configuring Branch Office connection ... 4
   Configuring Branch Office IPSec parameters ... 12
   Configuring BCM ... 15
   Configuring Interfaces ... 15
   Configuring Branch Office tunnel parameters ... 17
   Configuring local and remote accessible networks ... 21
15. (Source pages 23-24.) (Screenshot: Remote Accessible Networks tab.)
   Verifying firewall rules
   On the BCM, for a branch office tunnel to work, the Firewall has to be enabled and the rules have to be configured to allow the tunnel traffic through. The rules are created automatically when Create Firewall Rules for this Tunnel is set to Yes (see Configuring Branch Office tunnel parameters).
   On the navigation tree expand the Policy Management key and click on IP Firewall Filters. (Screenshot: Summary; Description: Firewall Filter Module (read-only field); Status: Enabled.)
   Expand the Policy Management key, then expand the IP Firewall Filters key and click on LAN2. The following three rules, shown in the Input Filters Rule Setting table in item 23, must be present. (The LAN2 screen has Logging Settings, Log Viewing Options, Default Rules, Status, Input Filters Rule Order and Input Filters Rule Setting tabs.)
16. (Source pages 1-2.) Contents, continued:
   Verifying firewall rules ... 24
   Enabling IPSec ... 25
   Event Log ... 26
   Overview
   This technical tip illustrates a sample IPSec peer-to-peer tunnel configuration between a Contivity Secure IP Services Gateway (CES) and a Business Communications Manager (BCM) using pre-shared key authentication.
   Sample Configuration Setup
   (Diagram: WS1 on 192.168.10.0/24 behind the CES; the CES and the BCM are connected over 30.1.1.0/24, which carries the Branch Office Tunnel; WS2 on 10.1.1.0/24 behind the BCM.)
   WS1: Windows 2000 workstation, IP 192.168.10.11/24.
   WS2: Windows 2000 workstation, IP 10.1.1.10/24.
   CES: Contivity Secure IP Services Gateway, code version V04_85; management IP 192.168.10.1/24, private IP 192.168.10.2/24, public IP 30.1.1.2/24.
   BCM: Business Communications Manager; private IP (LAN 1) 10.1.1.1/24, public IP (LAN 2) 30.1.1.1/24.
   The goal of the configuration is to set up an IPSec peer-to-peer branch office tunnel between the CES and the BCM using 3DES encryption with MD5 integrity and pre-shared key authentication. (3DES with MD5 and the DES/768-bit Diffie-Hellman IKE settings used here were the defaults in 2004; they are not considered adequate today, and the sample key 12345 is for this lab only.)
   Configuring WS1
   Configure the IP address 192.168.10.11/24 on WS1 and the CES private interface 192.168.10.2 as the default gateway.
17. (Source pages 2-3.) ipconfig on WS1:
   C:\>ipconfig
   Windows IP Configuration
   Ethernet adapter Local Area Connection 2:
           Connection-specific DNS Suffix  . :
           IP Address. . . . . . . . . . . . : 192.168.10.11
           Subnet Mask . . . . . . . . . . . : 255.255.255.0
           Default Gateway . . . . . . . . . : 192.168.10.2
   Configuring WS2
   Configure the IP address 10.1.1.10/24 on WS2 and the BCM private interface 10.1.1.1 as the default gateway.
   C:\>ipconfig
   Windows IP Configuration
   Ethernet adapter Local Area Connection 2:
           Connection-specific DNS Suffix  . :
           IP Address. . . . . . . . . . . . : 10.1.1.10
           Subnet Mask . . . . . . . . . . . : 255.255.255.0
           Default Gateway . . . . . . . . . : 10.1.1.1
   Configuring CES
   Configuring network parameters
   Configure IP addresses for the management (192.168.10.1/24), private (192.168.10.2/24) and public (30.1.1.2/24) interfaces. (Screenshot: System > LAN Interfaces; the Fast Ethernet interface is Enabled, Type Private.)
18. (Source pages 20-21.) (Screenshot: the complete branch office account parameters: PFS Enabled Yes, Idle Timeout 00:15:00, Highest Encryption ESP 3DES MD5, Preshared Key Type Text, Preshared Key (masked), Rekey Timeout 08:00:00, Rekey Data Count (KB) 0, Local Endpoint Address 30.1.1.1, Remote Endpoint Address 30.1.1.2, Send All Traffic Through IPSec Tunnel No, Create Firewall Rules for this Tunnel Yes, Keep Alive Enabled Yes.)
   Configuring local and remote accessible networks
   On the BOT screen click on the Local Accessible Networks tab. (Screenshot: the account has Parameters, Local Accessible Networks and Remote Accessible Networks tabs; the Local Accessible Networks table has the columns Network Number, IP Address and IP Address Mask.)
19. (Source page 27.) ...to be accurate and reliable, but are presented without express or implied warranty. Users must take full responsibility for their applications of any products specified in this document. The information in this document is proprietary to Nortel Networks Limited.
   To access more technical documentation, search our knowledge base or open a service request online, please visit Nortel Networks Technical Support on the web at http://www.nortel.com/support.
   If after following this guide you are still having problems, please ensure you have carried out the steps exactly as in this document. If problems still persist, please contact Nortel Networks Technical Support (contact information is available online at http://www.nortel.com/cgi-bin/comments/comments.cgi?key=techsupport_cu).
   We welcome your comments and suggestions on the quality and usefulness of this document. If you would like to leave feedback, please send your comments to CRCONT@nortel.com.
   Author: Hitesh Patel. TT040922 1.00, September 2004, Page 27 of 27.
20. (Source pages 14-15.) (Screenshot: the group's IPSec settings after the changes: IKE Encryption and Diffie-Hellman Group 56-bit DES with Group 1 (768-bit prime); Vendor ID Disabled; ISAKMP Initial Contact Payload Disabled; Perfect Forward Secrecy Enabled; Compression Disabled; Rekey Timeout 08:00:00; Rekey Data Count 0; ISAKMP Retransmission Max Attempts 4 (range 0-10); Keepalive Interval 00:01:00; Keepalive On-Demand Connections Disabled; Anti-Replay Enabled; IPsec DF Bit Clear.)
   Once all the parameters have been set, at the bottom of the screen select OK. The Contivity gateway is now configured.
   Configuring BCM
   Configuring Interfaces
   Log into the BCM Unified Manager. On the navigation tree expand the Resources key and then the LAN key. Click on LAN 1. This is the Private Interface. Enter IP 10.1.1.1 with a mask of 255.255.255.0. (Screenshot: LAN 1 summary; IP Address 10.1.1.1, Subnet Mask 255.255.255.0, Physical Address 00:00:50:0E:C2:60.)
21. (Source pages 22-23.) (Dialog: Network Number L1, IP Address 10.1.1.0, IP Address Mask 255.255.255.0 (format 255.255.255.255); Save, Cancel.) A local network is defined. (Screenshot: Local Accessible Networks table: L1, 10.1.1.0, 255.255.255.0.)
   On the BOT screen click on the Remote Accessible Networks tab. (Screenshot: the Remote Accessible Networks table, with the columns Network Number, IP Address and IP Address Mask, is still empty.)
   Click on Configuration on the menu bar and select Add Remote Accessible Network.
22. (Source page 26.) ...ication.
   Event Log
   Below is the CES event log of the successful tunnel establishment:
   09/20/2004 16:34:13 0 Branch Office [01] IPSEC branch office connection initiated to rem[10.1.1.0/255.255.255.0/30.1.1.1] loc[192.168.10.0/255.255.255.0]
   09/20/2004 16:34:13 0 Security [11] Session: IPSEC[30.1.1.1] attempting login
   09/20/2004 16:34:13 0 Security [01] Session: IPSEC[30.1.1.1] has no active sessions
   09/20/2004 16:34:13 0 Security [01] Session: IPSEC[30.1.1.1]:TO BCM has no active accounts
   09/20/2004 16:34:13 0 Security [01] Session: IPSEC[30.1.1.1]:11 SHARED-SECRET authenticate attempt
   09/20/2004 16:34:13 0 Security [01] Session: IPSEC[30.1.1.1]:11 attempting authentication using LOCAL
   09/20/2004 16:34:13 0 Security [11] Session: IPSEC[30.1.1.1]:11 authenticated using LOCAL
   09/20/2004 16:34:13 0 Security [11] Session: IPSEC[30.1.1.1]:11 bound to group /Base/BO Group/TO BCM
   09/20/2004 16:34:13 0 Security [01] Session: IPSEC[30.1.1.1]:11 Building group filter permit all
   09/20/2004 16:34:13 0 Security [01] Session: IPSEC[30.1.1.1]:11 Applying group filter permit all
   09/20/2004 16:34:13 0 Security [11] Session: IPSEC[30.1.1.1]:11 authorized
   09/20/2004 16:34:13 0 Security [11] Session: network IPSEC[10.1.1.0/255.255.255.0] attempting login
   09/20/2004 16:34:13 0 Security [11] Session: network IPSEC[10.1.1.0/255.255.255.0] logged in from gateway 30.1.1.1
   09/20/2004 16:34:13 0 ISAKMP [02] ISAKMP SA established with [30.1.1.1]
   (The log continues in item 8.)
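The log above (and its continuation in item 8) is what a practitioner checks after bringing the tunnel up: who authenticated and how, which group and filter were applied, and which SAs and algorithms were negotiated. The following is an added example, not code from the tech tip or from Nortel, that parses a constructed excerpt of the page's log lines (rewritten into the consistent "date time level facility [code] message" shape shown above; the bracket layout of the real Contivity log is an assumption), summarises the establishment, cross-checks the ISAKMP SPIs against the ESP datapath SPIs, and flags algorithms that are no longer acceptable:

```python
import re
from typing import Dict

# Constructed sample: a subset of the CES event log shown on the page, in the
# "date time level facility [code] message" shape used above (layout assumed).
SAMPLE_LOG = """\
09/20/2004 16:34:13 0 Branch Office [01] IPSEC branch office connection initiated to rem[10.1.1.0/255.255.255.0/30.1.1.1] loc[192.168.10.0/255.255.255.0]
09/20/2004 16:34:13 0 Security [01] Session: IPSEC[30.1.1.1]:11 SHARED-SECRET authenticate attempt
09/20/2004 16:34:13 0 Security [11] Session: IPSEC[30.1.1.1]:11 authenticated using LOCAL
09/20/2004 16:34:13 0 Security [11] Session: IPSEC[30.1.1.1]:11 bound to group /Base/BO Group/TO BCM
09/20/2004 16:34:13 0 Security [01] Session: IPSEC[30.1.1.1]:11 Applying group filter permit all
09/20/2004 16:34:13 0 Security [11] Session: IPSEC[30.1.1.1]:11 authorized
09/20/2004 16:34:13 0 ISAKMP [02] ISAKMP SA established with [30.1.1.1]
09/20/2004 16:34:13 0 Outbound ESP from 30.1.1.2 to 30.1.1.1 SPI 0x00163b9d [03] ESP encap session SPI 0x9d3b1600 bound to s/w on cpu 0
09/20/2004 16:34:13 0 Inbound ESP from 30.1.1.1 to 30.1.1.2 SPI 0x00094683 [03] ESP decap session SPI 0x83460900 bound to s/w on cpu 0
09/20/2004 16:34:13 0 ISAKMP [03] Established IPsec SAs with 30.1.1.1
09/20/2004 16:34:13 0 ISAKMP [03] ESP 3DES-CBC HMAC-MD5 outbound SPI 0x163b9d
09/20/2004 16:34:13 0 ISAKMP [03] ESP 3DES-CBC HMAC-MD5 inbound SPI 0x94683
"""

LINE_RE = re.compile(r"^(\d\d/\d\d/\d{4}) (\d\d:\d\d:\d\d) (\d+) (.*)$")
PATTERNS = {
    "initiated": re.compile(r"connection initiated to rem\[(?P<rem>[^\]]+)\] loc\[(?P<loc>[^\]]+)\]"),
    "auth_type": re.compile(r"IPSEC\[(?P<peer>[\d.]+)\]:\d+ (?P<auth_type>SHARED-SECRET) authenticate attempt"),
    "auth_method": re.compile(r"authenticated using (?P<auth_method>\S+)"),
    "group": re.compile(r"bound to group (?P<group>.+)$"),
    "filter": re.compile(r"Applying group filter (?P<filter>.+)$"),
    "isakmp": re.compile(r"ISAKMP SA established with \[?(?P<peer>[\d.]+)\]?"),
    # Phase 2 result as ISAKMP reports it: "ESP <enc> <auth> <dir> SPI 0x..."
    "esp_sa": re.compile(r"ESP (?P<enc>\S+) (?P<auth>\S+) (?P<direction>inbound|outbound) SPI (?P<spi>0x[0-9a-fA-F]+)"),
    # The same SA as the ESP datapath reports it: "<Dir> ESP from a to b SPI 0x..."
    "esp_session": re.compile(r"(?P<direction>Inbound|Outbound) ESP from [\d.]+ to [\d.]+ SPI (?P<spi>0x[0-9a-fA-F]+)"),
}
# Acceptable in 2004, not today; a modern policy would also reject DES for IKE.
WEAK_ALGORITHMS = {"DES-CBC", "3DES-CBC", "HMAC-MD5"}


def summarize_tunnel(log_text: str) -> Dict:
    """Reduce the log to the facts worth checking: who authenticated and how,
    which group and filter applied, and which SAs and algorithms were set up."""
    s = {"remote": None, "local": None, "peer": None, "auth_type": None, "auth_method": None,
         "group": None, "filter": None, "isakmp_sa": False, "authorized": False,
         "sa": {}, "session_spi": {}, "weak": set()}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue                      # tolerate wrapped or garbled lines
        msg = m.group(4)
        hits = {k: p.search(msg) for k, p in PATTERNS.items()}
        if hits["initiated"]:
            s["remote"], s["local"] = hits["initiated"]["rem"], hits["initiated"]["loc"]
        if hits["auth_type"]:
            s["peer"], s["auth_type"] = hits["auth_type"]["peer"], hits["auth_type"]["auth_type"]
        if hits["auth_method"]:
            s["auth_method"] = hits["auth_method"]["auth_method"]
        if hits["group"]:
            s["group"] = hits["group"]["group"]
        if hits["filter"]:
            s["filter"] = hits["filter"]["filter"]
        if msg.endswith(" authorized"):
            s["authorized"] = True
        if hits["isakmp"]:
            s["isakmp_sa"] = True
        if hits["esp_session"]:
            d = hits["esp_session"]["direction"].lower()
            s["session_spi"][d] = int(hits["esp_session"]["spi"], 16)
        if hits["esp_sa"]:
            h = hits["esp_sa"]
            s["sa"][h["direction"]] = {"enc": h["enc"], "auth": h["auth"], "spi": int(h["spi"], 16)}
            s["weak"] |= {h["enc"], h["auth"]} & WEAK_ALGORITHMS
    return s


def tunnel_established(s: Dict) -> bool:
    """Phase 1 done, peer authorized, and an inbound and an outbound IPsec SA present."""
    return s["isakmp_sa"] and s["authorized"] and {"inbound", "outbound"} <= set(s["sa"])


def spis_consistent(s: Dict) -> bool:
    """The SPIs ISAKMP reports must equal the ones the ESP datapath bound
    (0x94683 == 0x00094683; the page also prints them byte-swapped as session SPIs)."""
    return all(s["sa"].get(d, {}).get("spi") == s["session_spi"].get(d)
               for d in ("inbound", "outbound"))


if __name__ == "__main__":
    summary = summarize_tunnel(SAMPLE_LOG)
    print("established:", tunnel_established(summary), "spis consistent:", spis_consistent(summary))
    print("weak algorithms negotiated:", sorted(summary["weak"]))
```

The weak-algorithm set is the only policy in the block; everything else is extracted from the lines themselves, so the same parser can be pointed at a failed attempt (no "authorized", no SAs) to see exactly which step the peer got to.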
23. (Source pages 24-25.) Input Filters Rule Setting on LAN2 (the rules created for the tunnel):
   Rule Name   Stateful   Disposition   Protocol    Source IP Type   Source IP   Source Range Mask
   IR1         Yes        Pass          IPSEC_AH    Fixed            30.1.1.2    255.255.255.255
   IR2         Yes        Pass          IPSEC_ESP   Fixed            30.1.1.2    255.255.255.255
   IR3         Yes        Pass          UDP         Fixed            30.1.1.2    255.255.255.255
   These admit AH (IP protocol 51), ESP (IP protocol 50) and UDP (which carries IKE on port 500) from the CES public address 30.1.1.2 only; nothing from any other source is opened.
   Enabling IPSec
   From the navigation tree expand the VPN key, click on IPSec and select Enabled next to Status. (Screenshot: IPSec Global Settings; Description IPSec VPN Service, Version 3.6.0; the Encryption list starts with ESP 3DES SHA1, ESP 3DES MD5, ESP DES56 SHA1 and continues in item 11.)
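To make the rule table above concrete, here is an added example (not code from the tech tip or from the BCM firewall) that models the three LAN2 input rules as the table shows them and evaluates constructed packets against them. It assumes first-match evaluation with a drop default for the public interface, and it keys only on IP protocol and source address because those are the only columns the table shows; the IKE port is noted but not enforced by the rules:

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# IANA protocol numbers for the protocol names used in the BCM rule table.
PROTO_NUM = {"IPSEC_ESP": 50, "IPSEC_AH": 51, "UDP": 17, "TCP": 6, "ICMP": 1}
IKE_PORT = 500  # ISAKMP/IKE runs over UDP port 500 (no NAT traversal in this setup)


@dataclass(frozen=True)
class Rule:
    name: str
    disposition: str   # "Pass" or "Drop"
    protocol: str      # key of PROTO_NUM
    source: str        # CIDR; the page's "Fixed 30.1.1.2 / 255.255.255.255" is 30.1.1.2/32


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: int
    dport: Optional[int] = None


# The three LAN2 input rules exactly as the page's table lists them (IR1-IR3).
LAN2_INPUT_RULES: List[Rule] = [
    Rule("IR1", "Pass", "IPSEC_AH", "30.1.1.2/32"),
    Rule("IR2", "Pass", "IPSEC_ESP", "30.1.1.2/32"),
    Rule("IR3", "Pass", "UDP", "30.1.1.2/32"),
]


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Match on IP protocol number and source address only; the table on the
    page shows no port columns, so none are modelled (assumption)."""
    if PROTO_NUM[rule.protocol] != pkt.protocol:
        return False
    return ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.source)


def evaluate(rules: List[Rule], pkt: Packet, default: str = "Drop") -> Tuple[Optional[str], str]:
    """First-match evaluation in rule order; unmatched traffic takes the
    default disposition (deny by default assumed for the public interface)."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.name, rule.disposition
    return None, default


def missing_tunnel_rules(rules: List[Rule], peer: str) -> List[str]:
    """Which of AH, ESP and UDP (IKE) still lack a Pass rule covering the peer.
    An empty list means the three rules the page requires are present."""
    needed = {"IPSEC_AH", "IPSEC_ESP", "UDP"}
    peer_ip = ipaddress.ip_address(peer)
    for rule in rules:
        if rule.disposition == "Pass" and peer_ip in ipaddress.ip_network(rule.source):
            needed.discard(rule.protocol)
    return sorted(needed)


def tunnel_traffic_passes(rules: List[Rule], peer: str, local: str) -> bool:
    """End-to-end probe: IKE, ESP and AH from the peer must all reach the BCM."""
    probes = [
        Packet(peer, local, PROTO_NUM["UDP"], IKE_PORT),   # IKE main mode
        Packet(peer, local, PROTO_NUM["IPSEC_ESP"]),       # ESP 3DES/MD5 data
        Packet(peer, local, PROTO_NUM["IPSEC_AH"]),        # AH, if negotiated
    ]
    return all(evaluate(rules, p)[1] == "Pass" for p in probes)


if __name__ == "__main__":
    print(evaluate(LAN2_INPUT_RULES, Packet("30.1.1.2", "30.1.1.1", PROTO_NUM["IPSEC_ESP"])))
    print(evaluate(LAN2_INPUT_RULES, Packet("30.1.1.9", "30.1.1.1", PROTO_NUM["IPSEC_ESP"])))
    print(missing_tunnel_rules(LAN2_INPUT_RULES[:2], "30.1.1.2"))
```

Running `missing_tunnel_rules` against the rules actually present on LAN2 is the quick check to make when the BOT status stays Disconnected: a missing UDP rule blocks IKE before any SA can be negotiated, while a missing ESP rule lets the ISAKMP SA come up but drops every data packet.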
24. (Source pages 13-14.) (Screenshot, continued from item 5: ISAKMP Initial Contact Payload Disabled, Perfect Forward Secrecy Enabled, Compression Disabled, Rekey Timeout 08:00:00, Rekey Data Count None, ISAKMP Retransmission Interval 16, ISAKMP Retransmission Max Attempts 4,...)
   To interoperate with the BCM, Vendor ID must be disabled for the group. Next to Vendor ID (shown as Enabled, inherited from Base) click Configure. The screen refreshes. Next to Vendor ID select Disabled (a Use Inherited option is also offered).
   Compression also needs to be disabled to interoperate with the BCM. Next to Compression (shown as Enabled) click Configure, then select Disabled.
   Once all the parameters have been set... (continued in item 20). (Screenshot: Branch Office > Edit Group; IKE Encryption and Diffie-Hellman Group, Vendor ID, Aggressive Mode, ISAKMP Initial Contact Payload, Perfect Forward Secrecy,...)
25. (Source pages 5-6.) Enter a Connection Name (To BCM) and leave the rest of the fields at their defaults: Control Tunnel Disabled, Tunnel Type IPSec, Connection Type Peer to Peer. Click OK. (Screenshot: Add Connection; Group Name /Base/BO Group, Connection Name To BCM, Control Tunnel Disabled, Tunnel Type IPSec, Connection Type Peer to Peer.)
   The Connection Configuration screen appears. Select the Enable option. Tunnel Type: IPSec. Select the CES public IP address 30.1.1.2 as the Local Endpoint IP Address. Enter the BCM public IP address 30.1.1.1 as the Remote Endpoint IP Address. Leave the Filter at permit all. For Authentication select Text Pre-Shared Key (selected by default), then enter the key and its confirmation; the same key is entered on the BCM.
26. (Source pages 6-7 and 11.) (Screenshot: Connection Configuration; Control Tunnel Disabled, Tunnel Type IPSec, Connection Type Peer to Peer, Enable checked; Endpoints: Local IP Address 30.1.1.2, Remote IP Address 30.1.1.1; Filters: Filter permit all; Authentication: Text Pre-Shared Key, with the key and its confirmation entered (masked). Further down: MTU Value 1788; NAT None; IP Configuration Static; Local Networks: Local Network local 192.168.10.0 (192.168.10.0, 255.255.255.0, Cost 10, Enabled TRUE); Remote Networks: 10.1.1.0, 255.255.255.0, Cost 10.)
   The branch office connection is configured.
27. [BCM Unified Manager (https://10.1.1.1), Configuration menu, cut off: …Add Local Accessible Network; Modify Local Accessible Network; Delete Local Accessible Network; Add Remote Accessible Network; Modify Remote Accessible Network; Delete Remote Accessible Network; tree: VPN > PPTP, IPSec > Branch Office Accounts] Enter the Remote Accessible Network parameters, R1 192.168.10.0/24, and click Save. [BCM Dialog Box: Network Number R1; IP Address 192.168.10.0; IP Address Mask (Format 255.255.255.255); Save / Cancel] A remote network is created. [Remote Accessible Networks table: Network Number R1; IP Address 192.168.10.0; IP Address Mask 255.255.255.0]
28. …Rekey Timeout 08:00:00. Leave the Rekey Data Count (KB) at 0; we are not using this for this setup. Set the Local Endpoint to 30.1.1.1 (the LAN 2 IP address of the BCM, public). Set the Remote Endpoint to 30.1.1.2 (the public IP address of the Contivity). Leave Send All Traffic Through IPSec Tunnel at the default of No. Set Create Firewall Rules for This Tunnel to Yes; this creates the appropriate firewall rules to allow tunnel traffic to pass through the firewall. Set Keep Alive Enabled to Yes. Leave this setting at the default value of No for IPSec tunnel connections to systems other than BCM or Contivity. Below are all the settings: [BCM Unified Manager (https://10.1.1.1), Branch Office Accounts > Parameters, cut off: Tunnel Number …; status Disconnected; PFS Enable…]
29. [BCM Unified Manager navigation tree, cut off: …System; Resources; Services; … NAT; VPN > PPTP, IPSec > Remote User Accounts, Policy Management, Branch Office Summary] Click Add. This brings up the Add Branch Office Accounts window. [BCM Dialog Box, Add Branch Office Accounts: Tunnel Number; IPSec Status Disabled; PFS Enabled Yes; Idle Timeout 00:15:00; Highest Encryption ESP 3DES MD5; Preshared Key Type Text; Preshared Key; Confirm Preshared Key; Rekey Timeout 08:00:00; Rekey Data Count (KB) …]
30. …private network 192.168.10.0, with the mask associated with the address, 255.255.255.0, and click Add. [Contivity Extranet Switch (http://192.168.10.1/manage/manager.htm), SYSTEM > Networks > Edit: Current Subnets for Network "Local 192.168.10.0": No subnets defined; New Subnet: IP Address 192.168.10.0, Mask 255.255.255.0, Add] Listed under the Current Subnets for Network window is the configured subnet for the network. Click Close. [Networks > Edit: Current Subnets for Network "Local 192.168.10.0": 192.168.10.0 255.255.255.0; New Subnet: IP Address, Mask, Add] Listed under the Current…
