Traffic
direction
ACL parameter ACL
value
Description
Ingress All allowed services from any IP
address to any local subnet
Permit Due to the definition of the VPN
Policy, this will be allowed only if
traffic comes over ESP
Ingress Default Deny -
Egress IKE from Branch IP to Main
Office IP
Permit -
Egress ESP from Branch IP to Main
Office IP
Permit -
Egress IKE from Branch IP to First
Branch IP
Permit This enables the PMTUD
application to work
Egress ESP from Branch IP to First
Branch IP
Permit This traffic is tunnelled using
VPN
Egress ICMP from local tunnel endpoint
to any IP address
Permit This enables the PMTUD
application to work
Egress All allowed services from any
local subnet to any IP address
Permit This traffic is tunnelled using
VPN
Egress Default Deny -
Mesh VPN topology example
Branch Office 1 configuration
crypto isakmp policy 1
encryption aes
hash sha
group 2
exit
crypto isakmp peer address <Main Office Public Internet Static IP
Address>
pre-shared-key <secret key>
isakmp-policy 1
exit
crypto isakmp peer address <Second Branch Office Public Internet Static
IP Address>
pre-shared-key <secret key 2>
isakmp-policy 1
exit
crypto ipsec transform-set ts1 esp-3des esp-sha-hmac
set pfs 2
exit
crypto map 1
set peer <Main Office Public Internet Static IP Address>
set transform-set ts1
exit
crypto map 2
set peer <Second Branch Office Public Internet Static IP Address>
set transform-set ts1
IPSec VPN
Administering Avaya G430 Branch Gateway October 2013 517
To Next Page
Loading...
