Procedure
1. To modify a parameter linked to an active crypto list, you must first deactivate the
list using the no ip crypto-group command in the context of the interface on
which the crypto list is activated.
Note:
If the crypto list is activated on more than one interface, deactivate the crypto list
for each of the interfaces on which it is activated.
For example:
G430-001# interface fastethernet 10/2
G430-001(if:FastEthernet 10/2)# no ip crypto-group
Done!
2. After modifying IPSec VPN parameters as desired, re-activate the crypto list on the
interface using the ip crypto-group crypto-list-id command.
For example:
G430-001# interface fastethernet 10/2
G430-001(if:FastEthernet 10/2)# ip crypto-group 901
Done!
Changing parameters of a crypto list.
Procedure
1. Use the ip policy-list-copyold listnew list command
2. Edit the new list
3. Activate it on the interface.
Note that activating the new list causes all the current IPSec tunnels to close.
Access control lists
Since VPN is intended for a public network such as the Internet, it is recommended to define
an access control list using the ip access-control-list command, to avoid traffic that
should not enter the device. You should, therefore, define an ingress access control list that
allows only IKE, ESP, and ICMP traffic to enter the device from the public interface. For a
configuration example see the access control list in Simple VPN topology – VPN hub and
spokes on page 505.
IPSec VPN
498 Administering Avaya G430 Branch Gateway October 2013
Comments? infodev@avaya.com
To Next Page
Loading...
