VPN conﬁguration | Patton electronic SmartNode 4110 Series specification

Chapter 32 VPN conﬁguration
Chapter contents
Introduction	363
Authentication	363
Encryption	363
Transport and tunnel modes	364
Permanent IKE Tunnels	364
Key management	364
VPN configuration task list	365
Creating an IPsec transformation profile	365
Creating an IPsec policy profile	365
Creating/modifying an outgoing ACL profile for IPsec	367
Configuration of an IP interface and the IP router for IPsec	368
Displaying IPsec configuration information	368
Debugging IPsec	369
Key management (IKE)	370
Main differences between manual & IKE IPSEC configurations	370
Creating an ISAKMP transform profile	371
Creating an ISAKMP IPSEC policy profile	372
Creating/modifying an outgoing ACL profile for IPSEC	373
Configuration of an IP interface and the IP router for IPSEC	373
Policy matching	373
Sample configuration snippet	373
Troubleshooting	374
Encrypted Voice - Performance considerations	375
Performance considerations	375
Enabling RTP encryption support	375
Using an alternate source IP address for specific destinations	376
Sample configurations	377
IPsec tunnel, DES encryption	377
SmartNode configuration	377
Cisco router configuration	378
IPsec tunnel, AES encryption at 256 bit key length, AH authentication with HMAC-SHA1-96	378
SmartNode configuration	378
Cisco router configuration	378
IPsec tunnel, 3DES encryption at 192 bit key length, ESP authentication with HMAC-MD5-96	379
SmartNode configuration	379
Cisco router configuration	379

362

Image 362

Patton electronic SmartNode 4110 Series manual VPN conﬁguration, Chapter contents

Contents

SmartWare Release Patton Electronics Company, Inc Summary Table of Contents SmartWare Software Configuration Guide Table of Contents Command line interface CLI Copying configurations to and from a remote storage location IP context overview 11 NAT/NAPT configuration Serial port configuration PRI port configuration Isdn Overview Basic IP routing configuration Snmp configuration Dhcp configuration CS context overview VPN configuration CS interface configuration FXO interface configuration SIP interface configuration Table of Contents 524 45 H.323 gateway configuration Pstn profile configuration Location Service Terms and definitions List of Figures SmartWare Software Configuration Guide List of Tables Audience How to read this guideAbout this guide Structure About this guide About this guide General conventions PrecautionsTypographical conventions used in this document Garamond bold type SmartWare Software Configuration GuideAbout this guide Patton support headquarters in the USA Service and supportMouse conventions Fax +1 253 Patton Electronics Company Warranty coverageRMA numbers Chapter contents System overview Introduction VoIP Gateway Circuit SwitchSmartWare embedded software IP Router Applications Carrier networks Enterprise networks WAN LAN telephony Typical LAN telephony system with a SmartNode gateway Conﬁguration concepts Conﬁguration concept overview Example Contexts and GatewaysContext Gateway Ports and circuits Interfaces, Ports, and BindingsInterfaces Bindings Proﬁles Proﬁles and Use commandsUse Commands Command line interface CLI Operator exec mode, the system prompt is displayed as Command modesCLI prompt Command completion Command editingCommand help Navigating the CLI Command history Command Editing Shortcuts Accessing the CLI Accessing the SmartWare CLI task list If desired Ending a Telnet or console port session see Accessing via the console portConsole port procedure Using an alternate TCP listening port for the Telnet server Accessing via a Telnet sessionTelnet Procedure Disabling the Telnet server Selecting a secure password Login display Conﬁguring operators and administrators Password encryptionFactory preset administrator account Creating an operator account Opening a secure conﬁguration session over SSH Creating an administrator accountName and password password Nodecfg#copy running-conﬁg startup-conﬁg Displaying account information Mode EnableDisplaying the CLI version Node# who Switching to another accountChecking identity and connected users Node who Used in operator execution mode Command index numbers Accessing the CLI Showing command default values Ending a Telnet or console port session System image handling System image handling Memory regions in SmartWare System image handling task list Local Persistent Volatile Flash Show version Displaying system image informationCopying system images from a network server to Flash memory Step Command Purpose Upgrading the software directly Here’s an example for conﬁguration provisioning Auto provisioning of ﬁrmware and conﬁgurationExplanation To use and debug provisioning Boot procedure Boot procedure IP Addresses in the Factory Conﬁguration Default Startup ConﬁgurationFactory conﬁguration Conﬁguration ﬁle handling Understanding conﬁguration ﬁles Configuration file handling Conﬁguration ﬁle handling task list Sample conﬁguration ﬁle Copying conﬁgurations within the local memory Local Memory Regions Name nvramtarget-name Node# copy nvram backup startup-conﬁgBackup already present in ﬂash memory Name into the local memory Copying conﬁgurations to and from a remote storage location Remote memory regions for SmartWare New-startupnvramstartup-conﬁg Displaying conﬁguration ﬁle informationNodecfg# copy tftp//ip-addressport Modifying the running conﬁguration at the CLI Node#reload Modifying the running conﬁguration ofﬂineNode#copy running-conﬁg tftp//node-ip Example Deleting a speciﬁed conﬁguration Example Modifying the running conﬁguration ofﬂineDeleting a speciﬁed conﬁguration Delete the conﬁguration named minimal explicitly Encrypted Conﬁguration Download CLI copy command copy tftp//host/path conﬁg-ﬁleEncrypted ﬁle download Auto provisioning Install a custom encryption key optional Use Cases Upload an encrypted conﬁguration ﬁle Encrypt a conﬁguration ﬁleDownload an encrypted conﬁguration ﬁle Basic system management Basic system management conﬁguration task list Node cfg#copy tftp//tftp-server/path/ﬁle Managing feature license keysDownloads the license key ﬁle and install Name licenses Licenses Setting system information Setting the system banner System banner with message to operators Setting time and date Display clock information Determining and deﬁning the active CLI version Display time since last restartConﬁguring the Web server De en Restarting the system Displaying the system logs Unit Controlling command executionDisplaying reports Ctrl-cterminate current command Ctrl-zsuspend active commandShow the currently running commands Bring job 0 to foreground Some examples Timed execution of CLI commandMode System Displaying the checksum of a conﬁguration Name sys#no terminal idle-time Radius Client Conﬁguration AAA component Authentication procedure with a Radius server General AAA Conﬁguration Authentication proﬁle-name Nodecfg#proﬁle authentication nameNodepf-authname#server-timeout Nodecfg#show proﬁle authentication Radius conﬁguration Conﬁguring Radius clients Example Conﬁgure the Radius clients as shown in ﬁgure Conﬁguring Radius accounting Vendor 109 Conﬁguring the Radius server Attributes in the Radius request message Conﬁguring the local database accounts Attributes in the Radius accept message Password Example Create an administrator and an operator accountWord password Base. The no form removes an existing account Storing call logs with quality information IP context overview IP context and related elements IP context overview conﬁguration task list Creating and conﬁguring IP interfaces Planning your IP conﬁgurationConﬁguring physical ports IP interface related information Conﬁguring RIP Conﬁguring NaptConﬁguring static IP routing Conﬁguring access control lists Conﬁguring quality of service QoS IP interface conﬁguration Nodectx-iprouter#interface name IP interface conﬁguration task listCreating an IP interface Nodeif-ip name# Deleting an IP interface Name if-ip if-name# no napt Setting the IP address and netmaskConﬁguring a Napt DMZ interface Inside Router advertisement broadcast message Icmp message processingIcmp redirect messages Example Deﬁning the MTU of the interface Nodeif-ipname#tcp adjust-mssDeﬁning the MTU and MSS of the interface MTU packet size value must be in the range from Conﬁguring an interface as a point-to-point link Displaying IP interface information Flushing dynamic ARP entries Testing connections with the ping commandDisplaying dynamic ARP entries Processing gratuitous ARP requests IP link supervision Mode Either operator or administrator executionBer timeout seconds Node#ping address num Debug connectivity Check connectivity of an IP linkShow IP link status Debug ARP Traceroute Example Debug ARP output Conﬁguring the Igmp Proxy Example Display the ARP information NAT/NAPT conﬁguration Dynamic Napt Dynamic NAT Tftp because the SmartNode might become inaccessibleStatic Napt Static NAT Napt traversal Node cfg#proﬁle napt name NAT/NAPT conﬁguration task listCreating a Napt proﬁle Optional Optional Ahespgreipv6 localip Conﬁguring a Napt DMZ hostDeﬁning Napt port ranges AH, ESP, GRE, or IPv6 respectively directed to Name pf-napt pf-name# udp-handling symmetricaddress Preserving TCP/UDP port numbers in NaptDeﬁning the UDP Napt type Node cfg#context ip router Activate NAT/NAPTDisplaying NAT/NAPT conﬁguration information Node cfg#show proﬁle napt Conﬁguring NAT static protocol entries Mode proﬁle napt pf-naptExample Display NAT/NAPT conﬁguration information Ethernet port conﬁguration Conﬁguring medium for an Ethernet port Entering the Ethernet port conﬁguration modeEthernet port conﬁguration task list Nodeprt-eth slot/port#encapsulation ip Conﬁguring Ethernet encapsulation type for an Ethernet portBinding an Ethernet port to an IP interface Conﬁgures the encapsulation type to IP Multiple IP addresses on Ethernet ports Nodeprt-eth slot/port#bind interface name router Conﬁguring a Vlan Nodevlanid#encapsulation ippppoemulti Nodeconﬁg#port ethernet slot portNodeprt-ethslot/port#vlan id Nodevlanid#bind interface name router Nodeprt-eth slot/port#cos rx-map layer Adding a receive mapping table entryExample Adding a receive mapping table entry Adding a transmit mapping table entry Closing an Ethernet port Using the built-in Ethernet sniffer Nvramethernet-0-0-1.cap Following is an example of how the sniffer is normally usedNvramethernet-0-slot-port.cap Link scheduler conﬁguration Using trafﬁc classes Applying scheduling at the bottleneck Priority Weighted fair queuing WFQIntroduction to Scheduling Shaping Burst tolerant shaping or wfq Hierarchy Setting the modem rate Quick references Link scheduler conﬁguration task list Command cross referencePolicy-map policy-map Proﬁle service-policy Source trafﬁc-class class Packet classiﬁcation Enable statistics gathering seeDeﬁning the access control list proﬁle Creating an access control list Scenario with Web server regarded as a single source host Nodepf-acl name#permit ip host ip-address any trafﬁc-class Creating a service policy proﬁleNodecfg#proﬁle acl name Nodepf-acl name#permit ip any any Structure of a Service-Policy Proﬁle Deﬁning fair queuing weight Specifying the handling of trafﬁc-classes Deﬁning the bit-rate Mode SourceSpecifying the type-of-service TOS ﬁeld Deﬁning absolute priority Nodesrc name#set ip tos value Specifying differentiated services codepoint Dscp markingSpecifying the precedence ﬁeld Nodesrc name#set ip precedence value Nodesrc name#set ip dscp value Deﬁnes the Class-Of-Service value applied to packets of forSpecifying layer 2 marking Value is from 0 to Discarding Excess Load Quality of Service for routed RTP streamsDeﬁning random early detection Nodesrc name#random-detect burst-tolerance Mode proﬁle service-policy/proﬁle Policy name in out Devoting the service policy proﬁle to an interfaceNodeif-ip if-name#use proﬁle service Displaying link scheduling proﬁle information Enable statistics gatheringDisplaying link arbitration status Optional Value Implication on Command Output Serial port conﬁguration Serial port conﬁguration task list Disabling an interface Enabling an interface Port Conﬁguring the serial encapsulation typeConﬁguring the hardware port protocol Conﬁguring the active clock edge Conﬁguring the baudrate Baudrate 176 Frame Relay conﬁguration Frame Relay conﬁguration task list Conﬁguring Frame Relay encapsulation Conﬁguring the LMI type Conﬁguring the keep-alive interval Nodepvc dlci#fragment size Enabling fragmentationBer to be used on the speciﬁed virtual circuit For this PVC only FRF.12 end-to-end fragmentation Entering Frame Relay PVC conﬁguration mode Conﬁguring the PVC encapsulation type Binding the Frame Relay PVC to IP interface Mode PVC IP interface wan is bound to PVC 1 on port serial 0 Enabling a Frame Relay PVC Disabling a Frame Relay PVC Debugging Frame Relay Displaying Frame Relay information Integrated service access 188 Conﬁgure the serial interface settings Check that the Frame Relay settings are correct Example 2 Frame Relay on e1t1 with a channel-group PRI port conﬁguration Terminology PRI port conﬁguration task list Conﬁguring PRI port-type Enable/Disable PRI portPRI Debugging Conﬁguring PRI clock-mode Ami b8zs hdb3 Conﬁguring PRI framingName prt-e1t1 slot/port# linecode Name prt-e1t1 slot/port# framing Conﬁguring PRI application mode E1T1 only Conﬁguring PRI line-build-out E1T1 in T1 mode onlyConﬁguring PRI used-connector E1T1 in E1 mode only Conﬁguring PRI LOS threshold E1T1 only Conﬁguring PRI Loopback detection E1T1 only Default disabled Conﬁguring PRI encapsulation Conﬁguring Channel-Group Timeslots Mode channel-group group-nameCreate a Channel-Group Conﬁguring Channel-Group Encapsulation Mode hdlc Entering Hdlc Conﬁguration ModeMode channel-group group Conﬁguring Hdlc CRC-Type PRI Debugging Default no encapsulationConﬁguring Hdlc Encapsulation PRI Conﬁguration Examples Example 3 RBS with a channel-group Example 1 IsdnExample 2 RBS without a channel-group Example 4 Frame Relay without a channel-group Example 7 PPP with a channel-group Example 5 Framerelay with a channel-groupExample 6 PPP without a channel-group BRI port conﬁguration Conﬁguring BRI clock-mode Enable/Disable BRI portBRI port conﬁguration task list Conﬁguring BRI encapsulation Conﬁguring BRI Power-FeedFeed Default disabled Creating a channel group Timeslots timeslots Default no timeslotsName ch-grp group-name#no Selects the timeslot to be used Name#show port bri BRI DebuggingName#no debug bri BRI Conﬁguration Examples Example 1 Isdn with auto clock/uni-side settingsExample 2 Isdn with manual clock/uni-side settings Example 3 Multi-Link PPP over two B-Channels Isdn Overview Isdn reference points Isdn reference points Isdn UNI Signaling Possible SmartNode port conﬁgurations 215 Isdn Conﬁguration Concept Isdn Layering Isdn conﬁguration Isdn conﬁguration task list Enter Q.921 conﬁguration modeMode base-mode Conﬁguring Q.921 parameters Conﬁguring Q.921 encapsulation Mode q921Enter Q.931 conﬁguration mode Mode q931 Conﬁguring Q.931 parameters Etsi Nodeq931slot/port#signalling-ruleNodeq931slot/port#no signalling-rule Pss1old Face if-name Conﬁguring Q.931 encapsulationDebugging Isdn Control interface Node#show port isdn slot port detail level Isdn Conﬁguration ExamplesExample being clock slave on uni network interface Example PRI Example QsigAssume the scenario as illustrated in ﬁgure RBS conﬁguration Conﬁguring RBS protocol Enter RBS conﬁguration modeRBS conﬁguration task list Debugging RBS Mode rbsConﬁguring RBS encapsulation Noderbs#no encapsulation cc-rbs RBS Conﬁguration Examples Example Conﬁguring RBS Ground Start on a E1T1 port 229 DSL Port Conﬁguration Line Setup Conﬁguring PPPoE Conﬁguration Summary Profile napt WAN Using PVC channels with PPPoE Setting up permanent virtual circuits PVCUsing PVC channels in bridged Ethernet mode PPPoE access Troubleshooting DSL ConnectionsDiagnostics Link State Basic IP routing conﬁguration Static routing Basic IP routing conﬁguration task listRouting tables Policy routing Nodecfg#context ip router Enters the IP router Context Displaying IP route information seeConﬁguring static IP routes Adds a static route Deleting static IP routes Displaying IP route information Conﬁguring policy routing 0.0/0 172.16.32.2 Static Examples Basic static IP routing example Changing the default UDP port range for RTP and Rtcp RIP conﬁguration Routing protocol RIP conﬁguration task list Enabling send RIP Enabling an interface to receive RIP Specifying the send RIP version Enabling RIP learning Example Enabling RIP learn host and defaultSpecifying the receive RIP version Enabling RIP announcing Specifying the default route metric Enabling RIP auto summarization Enabling RIP split-horizon processing Enabling the poison reverse algorithm Enabling holding down aged routes Setting the RIP route expiry3600 Default 180 seconds Nodeif-ipname#rip route-expiry Displaying RIP conﬁguration of an IP interface Displaying global RIP information 252 Access control list conﬁguration Why you should conﬁgure access lists About access control listsWhat access lists do When to conﬁgure access lists Features of access control lists Access control list conﬁguration task list Mapping out the goals of the access control list Nodepf-acl name#permit ip src src-wildcard any Where the syntax is Nodepf-acl name#deny icmp src src-wildcard Nodepf-acl name#permit icmp src src-wildcard anyType type type type code code cos group Any host src dest dest-wildcard any host dest Type type Where the syntax is as followingMsg name Code code Port lt port range from to cos group cos-rtp group Nodepf-acl name#permit tcp udp sctp src src-wildCard any host src eq port gt port lt port range Nodepf-acl name#deny tcp udp sctp src src Gt port Eq portLt port Range from to Where the syntax is Debugging an access control list proﬁle Unbind an access control list proﬁle from an interfaceDisplaying an access control list proﬁle Control list profile shall be debugged Commands that have to be entered are listed below Denying a speciﬁc subnet Snmp conﬁguration Snmp basic components Snmp basic commandsSimple Network Management Protocol Snmp Network management framework Identiﬁcation of a SmartNode via SnmpSnmp management information base MIB Snmp conﬁguration task list Setting basic system informationSnmp tools 271 Setting access community information Example Setting the system group objects Ro rw Or read/write access Nodecfg#snmp host IP-address-of-SN security Setting allowed host informationSpecifying the default Snmp trap target Nodecfg#snmp target IP-address-of-SN Using the AdventNet Snmp utilities Displaying Snmp related information Using the MibBrowser AdventNet MibBrowser Settings Button on the Toolbar Using the TrapViewer AdventNet TrapViewer displaying received traps Generic Type TimeStampEnterprise Speciﬁc Type Standard Snmp version 1 traps Snmp interface traps 281 Sntp client conﬁguration Sntp client conﬁguration task list Unicast anycast multicast Deﬁning Sntp client operating modeSelecting Sntp time servers Deﬁning Sntp local UDP port Example Disabling the Sntp client operation Enabling and disabling the Sntp clientExample Enabling the Sntp client operation Deﬁning Sntp client poll interval Name #show clock local Deﬁning Sntp client constant offset to GMTDeﬁning the Sntp client anycast address Displays the local time, UTC and the offset of the local Nodecfg#sntp-client anycast-address ip Example Enabling the Sntp client root delay compensationEnabling and disabling local clock offset compensation Example Showing Sntp client related information Example Disabling the Sntp client root delay compensationShowing Sntp client related information Debugging Sntp client operation Nist Internet time service Recommended public Sntp time servers 291 Dhcp conﬁguration Dhcp configuration DHCP-server and DHCP-client are illustrated in ﬁgure Enable DHCP-client on an IP interfaceDHCP-client conﬁguration tasks Example Enable DHCP-client on an IP interface ‘conﬁgure’ conﬁguration mode Release or renew a Dhcp lease manually advanced Mode AnyExample Enable Dhcp debug monitor Get debug output from DHCP-client DHCP-server conﬁguration tasks Conﬁgure DHCP-server proﬁles Nodecfg#proﬁle dhcp-server name Nodepf-dhcpsname#no defaultNodepf-dhcpsname#no netbios Nodepf-dhcpsname#network ip Nodepf-dhcpsname#no next-server Use DHCP-server proﬁles and enable the DHCP-serverNodepf-dhcpsname#no bootﬁle boot All ip-address Check DHCP-server conﬁguration and status Deﬁne the bootﬁle Option 67 for the DHCP-serverDeﬁne the Tftp server Option 66 for the DHCP-server Get debug output from the DHCP-server Conﬁgure DHCP-relay Create/Modify DHCP-Relay proﬁle Enable/Disable DHCP-Relay Agent DNS conﬁguration Server-ip-address DNS conﬁguration task listEnabling the DNS resolver DNS relay diagram Enabling the DNS relay 307 DynDNS conﬁguration DynDNS conﬁguration task list Creating a DynDNS account Conﬁguring the DNS resolver Word Conﬁguring basic DynDNS settingsConﬁguring the DynDNS server Troubleshooting Conﬁguring advanced DynDNS settings optionalMode DynDNS Deﬁning a mail exchanger for your hostname 312 PPP conﬁguration 314 Nodeif-ipname#point-to-point PPP conﬁguration task listCreating an IP interface for PPP Nodeif-ipname#ipaddress dhcp Nodeif-ipname# no tcp adjust-mssNodeif-ipname#ipaddress Nodeif-ipname# ipaddress ip-address Nodeif-ipname#use proﬁle napt name Disable interface IP address auto-conﬁguration from PPPCreating a PPP subscriber Nodecfg # subscriber ppp name Chap pap chappap Optional outboundinbound user passwordNodesubscrname# dial inout Nodesubscrname# no identiﬁcation Trigger forced reconnect of PPP sessions using a timer Conﬁguring a PPPoE session Tor AC-Name Creating a PPP proﬁle Case authentication is requiredConﬁguring PPP over a Hdlc Link Optional ﬁle Nodepf-pppname#mtu min min max DefaultNodecfg #no proﬁle ppp name Nodepf-pppname#mru min min max Conﬁguring the local and remote PPP Mrru Min max max defaultDefault Name pf-ppp proﬁle# mrru min Displaying PPP conﬁguration information Example Display PPP subscriber conﬁguration information Example Display a PPP proﬁle Debugging PPP Nodecfg #show pppoe name Nodecfg #show ppp links levelNodecfg #show ppp networks level Nodecfg #show port interface name Example Display PPP link information LCP Example Display PPP network protocol information Example Display PPPoE information Sample conﬁgurations Without authentication, encapsulation multi, with NaptWith authentication, encapsulation PPPoE PPP over Ethernet PPPoE PPP over a Hdlc Link Serial Port Without authentication, numbered interfaceWith authentication, unnumbered interface PPP over a Hdlc Link E1T1 Port PPP Dial-up over Isdn PPP Dialer Create a dialer Following command creates a new PPP dialer Mode context csDial-up and login information for a certain Create outbound destinations Conﬁgure recovery strategy Create inbound destinations Case E164 Name if-dialerdialer#inboundName inboundprovider#local-e164 Name inboundprovider#remote-e164 Example Dial-on demand feature Debug dialer functionality Dial-up Dial-up on demand Dial-up nailed Dial if possible, and never drop Mode context ip/interfaceDial-up on monitor CS context overview CS context conﬁguration components CS context conﬁguration task list Planning the CS conﬁguration Remote ofﬁce in an Enterprise network Conﬁguring general CS settings Conﬁguring the clock source Mode Operator execution Debugging the clock source Node sys#clock-sourceslot-number port-number Conﬁguring call routingSelecting PCM law compression Reference clock Creating and conﬁguring CS interfaces Specify call routing Conﬁguring dial tones Conﬁguring voice over IP parameters Conﬁguring an H.323 VoIP connection Conﬁguring Isdn portsConﬁguring FXS ports Conﬁguring a SIP VoIP connection Activating CS context conﬁguration Nodectx-csswitch#show call-router status detail Nodectx-csswitch#show call-router config detailNode ctx-csswitch#debug call-router detail level Level SmartNode in an Enterprise network Planning the CS context CS Conﬁguration Conﬁguring call routing Conﬁguring general CS settingsFirst we set clock-source to Isdn port 2/3 354 We want to use this proﬁle on our H.323 interfaces Conﬁguring VoIP settingsBecause we need G.723 as codec we enable Dtmf relay Conﬁguring BRI ports Activating the CS context conﬁguration Next we conﬁgure call signalingConﬁguring an H.323 VoIP connection Finally, activate the gateway and CS context TAB-CALLED-NUMBER Showing the running conﬁguration Conﬁguration script for our application looks as follows 359 360 361 VPN conﬁguration Authentication Encryption Key management Transport and tunnel modesPermanent IKE Tunnels Example Create an IPsec transformation proﬁle VPN conﬁguration task listCreating an IPsec transformation proﬁle Creating an IPsec policy proﬁle Procedure To create an IPsec policy proﬁle Mode Conﬁgure Creating/modifying an outgoing ACL proﬁle for IPsec Conﬁguration of an IP interface and the IP router for IPsec Displaying IPsec conﬁguration information Debugging IPsec Example Display IPsec transformation proﬁlesExample Display IPsec policy proﬁles Example IPsec Debug Output Creating an Ipsec transform proﬁle Key management IKEMain differences between manual & IKE Ipsec conﬁgurations Creating an Isakmp transform proﬁle Icy shall be used for multiple peers in transport Creating an Isakmp Ipsec policy proﬁleShould be used. Do not specify a peer, if this pol Mode. The peer can either be an IP address or a Policy matching Creating/modifying an outgoing ACL proﬁle for IpsecConﬁguration of an IP interface and the IP router for Ipsec Sample conﬁguration snippet Debug ike event Debug ike errorUse proﬁle acl WANOut out Performance considerations Encrypted Voice Performance considerationsEnabling RTP encryption support Mode Context ip /interface if-name IPsec tunnel, DES encryption SmartNode conﬁguration Cisco router conﬁguration 379 380 CS interface conﬁguration CS interface conﬁguration task list CS interfaces on the CS context Nodeif-typeif-name#exit Examples Create CS interfaces and delete anotherNodeif-typeif-name#… 384 Table table-name Service service-name Nodeif- typeif-name #exitConﬁguring the interface mapping tables And/or Table in table-nameThat shall be applied to all call properties Speciﬁed direction Incoming call passing an interface mapping table Conﬁguring the precall service tables Call passing an input and an output mapping table Supplementary service invocation command Supplementary service invocation commandsNumber to command Repeat to add other special number map Isdn interface conﬁguration Isdn interface conﬁguration task list Isdn interfaces on the CS context Nodeif-isdn if-name#no use proﬁle Conﬁguring Dtmf dialing optionalConﬁguring an alternate Pstn proﬁle optional Deﬁnes an alternate Pstn proﬁle to be used for Conﬁguring call waiting optional Name if-isdn if-name# no call-waiting Disable call-waitingConﬁguring ringback tone on Isdn user-side interfaces Disabling call-waiting on Isdn DSS1 network interfaces Conﬁguring date/time publishing to terminals optional Conﬁguring Call-Hold on Isdn interfacesEnabling Display Information Elements on Isdn Ports Sending the connected party number Colp optional Deﬁning the ‘network-type’ in Isdn interfaces Home Office Isdn Advice of Charge support 398 Nodeif-isdnif- name# aoc-d automatic If there is no tariff information from the network forAll calls If there is not charge information from the network Isdn Network Interface connected to phones Isdn User Interface Connected to a PBX switch etcFollowing table shows an overview of the AOC variants NoChargeAvailable Transmit Direction Mode interface isdn interfaceIsdn DivertingLegInformation2 Facility Receive Direction 500 Nodeif-isdn#caller-nameNodeif-isdn#caller-name early-alerting Nodeif-isdn#caller-name ignore Outgoing Isdn call. This feature is disabledBy default Absence FXS interface conﬁguration FXS interface conﬁguration task list Conﬁguring a subscriber number recommended Conﬁguring ﬂash hook processing optional Mode Interface FXSConﬁguring caller-ID presentation optional Nameif-fxsname#no subscriber Conﬁguring ringing-cadence optional Conﬁguring the Message Waiting Indication feature for FXS Ing-indication stutter-dial-tone Through Stuttered Dial Tone Mat bell Frequency-shift keyingMat etsi FXS supplementary services description Call hold Call transfer Call waiting Default enabledCall hold Tern Drop active call Call waiting reminder ringDrop passive call Call toggle Nameif-fxsname#no drop-passive ConferencingCall park Pattern FXO interface conﬁguration FXO interfaces on the CS context FXO services description Creating an FXO interface Nodeif-fxo name # Nodectx-csswitch#interface fxo nameDeleting an FXO interface FXO interface conﬁguration task list FXO off-hook on caller ID Nodeif-fxoif-name# Conﬁguring when the digits are dialed optionalNodectx-csswitch#interface fxo if-name Nodeif-fxo if-name# Figuration mode Nodeif-fxoif-name#dial-after dial-tone timeout seconds Nodeif-fxo if-name# Nodeif-fxo if-name #ring-number count Conﬁguring how to detect a call has disconnected optional Min min-time max max-time Nodeif-fxo if-name#no connect-signal Battery-reversal tax-pulse Conﬁguring the destination of the call FXO Mute dialing FXO interface examples RBS interface conﬁguration Conﬁguring an alternate Pstn proﬁle RBS interface conﬁguration task listCreating/Deleting a RBS interface Name Face, the ‘no’ form deletes an existing one Conﬁguring an alternate Tone-Set proﬁle Mode Interface RBSConﬁguring additional disconnect signals Conﬁguring B-Channel allocation strategy Conﬁguring number of Rings before Off-Hook Nodeif-rbsif-name#no dial-after dial- tone timeout secondsNode#no debug ccrbs datapath error signaling Conﬁguring ready to dial strategy Selected interface Node#show ccrbs call if-name detail levelPrints information about ongoing calls on Node#show ccrbs interface if-name detail Interface conﬁguration Interface conﬁguration task list Binding the interface to an H.323 gateway Examples Deﬁne the IP address of the remote H.323 entity Conﬁguring an alternate VoIP proﬁle optional Speciﬁes the information transfer capability to Conﬁguring CLIP/CLIR support optionalNode if- h323 if-name #itc rx 3k1 Node if- h323 if-name #itc tx 3k1 Nameif-h323if-name#early-proceeding Enabling ‘early-proceeding’ on H.323 interfacesEnabling the early call connect optional Nameif-h323name#early-connect Enabling the early call disconnect optional Enabling the via address support optional Ing connection should be established Conﬁguring status inquiry settings optionalNodeif-h323if-name# remoteport port AOC-D Support for H.323 Nodeif-h323if-name# no aoc-d emit Mode context cs/interfce h.323 interface-nameNodeif-h323if-name# no aoc-d SIP interface conﬁguration SIP SIP interface conﬁguration task list Nodeif-sipif-name# no bind context Binding the interface to a SIP gatewayConﬁgure a remote host Sip-gateway gw-name Nodeif-sipif-name# no remote host Using an alternate VoIP proﬁle OptionalConﬁguring a local host Optional Nodeif-sipif-name# no local host Nodeif-sipif-name#use proﬁle voip Using an alternate SIP proﬁle OptionalUsing an alternate Tone-Set proﬁle Optional Nodeif-sipif-name#use proﬁle sip pro Mapping call-control properties in SIP headers Conﬁguring early call connect / disconnect OptionalConﬁguring address translation Optional Header Mapping SIP headers to call-control propertiesConﬁguring Isdn Redirecting Number Tunneling Over SIP Updating caller address parameters SIP Diversion Header 450 SIP Refer Transmission & Isdn Explicit Call Transfer support 452 Accept AOC Over SIP OptionalName if-sip interface#no aoc-d Name if-sip interface#no aoc-d emit Enabling the session timer Optional Enabling the SIP penalty-box feature Optional Default zero-ip Conﬁgure the SIP hold method Optional Call router conﬁguration Call router configuration 458 Direct call routing vs. advanced call routing Call router conﬁguration task list Map out the goals for the call router Conﬁgure general call router behavior Enable advanced call routing on circuit interfacesConﬁgure address completion timeout Digit-collection timeout timeout Example Conﬁgure address completion timeoutAddress-completion timeout timeout Digit-collection terminating-char char Example Conﬁgure number preﬁx Procedure To conﬁgure number preﬁx Mode Context CSConﬁgure number preﬁx for Isdn number types National-preﬁx preﬁx Conﬁgure call routing tables Create a routing table Calling-e164 Regular Expressions Example Called party number routing tableCalled party number routing table Symbol Description Digit Collection Digit Collection Variants Example Digit collection of any number Dialed Selected Description Number Entry Calling party number routing table Number type routing table Numbering plan routing table Name routing table IP address routing table Smith must be escaped with a backslash \, because Presentation Indicator Routing TableURI routing table Dot . means ‘any character’ in a regular expression Screening Indicator Routing Table Information transfer capability routing table 478 Day of Week Routing Table Default Any other unhandled case Mode context csTime of day routing table Example Day of week routing table Deleting routing tables Procedure To delete an entire routing tableNode ctx-cs switch #routing-table Resulting running-conﬁg is Conﬁgure mapping tables Node ctx-cs switch #no routing-tableExample Remove an entire routing table Delete the routing table table-name Type Description Input-Type Description Output-Type Sets the display name of the called Mapping table examples Input-type to output-type table-name Example Called and calling party manipulation mapping tableTo E.164 Mapping Tables Away the input-type and output-type 486 487 Custom SIP URIs from called-/calling-e164 properties Other mapping tables Enter the mapping table from which you want to remove an Node ctx-cs switch #mapping-tableDeleting mapping tables Creating complex functions Procedure To delete an entire mapping table Mode Context CSExample Remove an entire mapping table Example Create a complex function Deleting complex functions Sending-Complete Example Remove an entire complex functionDigit collection & sending-complete behavior Ingress interface Call-Router 323 123# YesTrue Egress Interface Mode context cs / interface sip Complete-indication clear Creating call services Creating a hunt group service Hunt group service Cause cause Node ctx-cs switch #service huntCall dest-service service-name Call dest-interface interface-name Default Behavior Class Cause Hunt Description Group Service Normal Event No-user-responding Drop original call Unavailable Service orResource Option Not Implemented Invalid Message Protocol Error Interworking Creating a distribution group service Distribution group service Dest-service service-name Node ctx-cs switch #service distribuNodesvc-huntservice-name# route call With the ﬁrst conﬁgured destinations Distribution-Group Min-Concurrent setting Call-router ‘limiter’ service Priority service ‘Limiter’ service diagram Priority service diagram CS Bridge service-‘VoIP Leased Line’ Bridge Bridge services diagram Conﬁguring the service second-dialtone Conﬁguration Example Deleting call services Activate the call router conﬁguration Test the call router conﬁguration Example Create and test a routing table 516 Call routing example network 518 CS context and call router elements 520 Conﬁgure partial rerouting Mode context cs/service aaa Mode context cs/interface sipEnable push-back aaa service Call reroute Enable push-back hunt group service Enable push-back bridge serviceEnable push-back distribution-group service Enable push-back limiter service SIP call-router services Entering conference-service conﬁguration mode SIP conference-serviceSIP conference-service conﬁguration task list Name ctx-csswitch#no service sip Conﬁguring the conference server SIP location-serviceMode Service SIP conference Ference-server host-name port SIP location-service conﬁguration task list Entering SIP location-service conﬁguration mode Conﬁguring multi-contact behavior Binding a location serviceConﬁguring the hunt timeout Seconds Tone conﬁguration Tone-set proﬁles Tone conﬁguration task list Conﬁguring call-progress-tone proﬁles Procedure To conﬁgure a tone-set proﬁle Mode Conﬁgure Conﬁgure tone-set proﬁles For which a tone indication can be provided Enable tone-set proﬁleProcedure To assign a tone-set proﬁle to a Pstn interface Node#show proﬁle call-progress-tone Show call-progress-tone and tone-set proﬁlesExample Show tone-set proﬁle Name Ciﬁc with name name Following example shows how to display the tone-set proﬁle 536 FXS port conﬁguration Shutdown and enable FXS ports Netherlands Bind FXS ports to higher layer applicationsConﬁgure country-speciﬁc FXS port parameters Other FXS port parameters Mode IC voice in systemEnter FXS port conﬁguration mode Nodeconﬁg#port fxs slot port Example FXO port conﬁguration Shutdown and enable FXO ports Bind FXO ports to higher layer applications Nodeconﬁg#port fxo slot port Conﬁgure country speciﬁc FXO port parametersOther FXO port parameters Nodeprt-fxo slot/ port#use Enter FXO port conﬁguration mode Gateway conﬁguration Gateway between IP and CS contexts Gateway conﬁguration task list Mode Gateway H.323Enable the gateway Binding the gateway to an IP interface Conﬁgure registration authentication service RAS Optional Ery auto gkid Conﬁgure H.235 Security optionalNode gw-h323h323#gatekeeper-discov Procedure To enable H.235 security on H.323 gateway 235 conﬁguration Node gw-h323h323#h235security master \getcryptopassword h235-password masWord h235-password encrypted Node gw-h323h323#h235security pass Signaling message Default setting isCommand show h235-securityshows the current setting Detail debug-level Advanced conﬁguration options optional Enabling H.245 Tunneling Nodegw-h323h323#h245-tunneling Enables H.245 tunneling Enabling the fastconnect procedureEnabling the early H.245 procedure Nodegw-h323h323#faststart Enables the fastconnect procedure Nodegw-h323h323#call-signaling-port Conﬁguring the trafﬁc class for H.323 signalingSetting the response timeout Port Naling connections Istration Setting the connect timeoutNal gateway H323 status detail level Nodecfg#debug gateway h323 errorNodecfg#debug gateway h323 signaling Nodecfg#debug gateway h323 tpktchan Context SIP gateway overview Routing Architecture From-URI-Host equal Remote Request-URI-Host equal Local Enter conﬁguration modeContext SIP Gateway conﬁguration task list Creating a context SIP gateway Creating a transport interface Mode Context SIP GatewayMode Transport Interface Conﬁguring the IP binding Enabling/disabling the context SIP gateway Binding location servicesConﬁguring a spoofed contact address Show status information TroubleshootingDebug commands Node#show context sip-gateway gw Conﬁguration Examples Example Outbound Authentication Inbound Authentication Outbound Registration 569 Inbound Registration B2B User Agent with Registered Clients 572 VoIP proﬁle conﬁguration VoIP profile configuration Nodecfg#profile voip name VoIP proﬁle conﬁguration task listCreating a VoIP proﬁle Nodepf-voip name# Conﬁgure codecs Procedure Insert a codec at a speciﬁc position in the list Mode Proﬁle VoIPProcedure Remove a codec from the list Mode Proﬁle VoIP Conﬁguring the Cisco versions of the G.726 codecs Mode VoIP nameConﬁguring the transparent-clearmode codec Conﬁguring RTP payload types DefaultrtpsignalingConﬁguring Dtmf relay Nodepf-voip pf-name#dtmf-relay Conﬁguring Cisco NSE for Fax Conﬁguring RTP payload type for transparent-clearmodeConﬁguring RTP payload type for Cisco NSE Nodepf-voip name#rtp payload-type nse Conﬁguring the dejitter buffer advanced Jitter and dejitter buffer Procedure Conﬁgure the dejitter buffer Adaptive Enabling/disabling ﬁlters advanced Max-delayDejitter buffer is allowed to introduce. This setting Is valid for all modes Conﬁguring Fax transmission Illustrates the difference between Fax relay and Fax bypass Fax relay and Fax bypass Nodepf-voipname#fax dejitter Nodepf-voipname#fax transmisSion bypass g711alaw64k Nodepf-voipname# fax transmis CED retransmission Mode proﬁle voip proﬁle-nameVolume Retransmission number Method default v150-vbdnse Default default No-Signal RetransmissionMode proﬁle voip pf-name Fax bypass method Nodepf-voip name#modem trans Modem bypass methodConﬁguring modem transmission Mission bypass g711alaw64k Conﬁguring the trafﬁc class for Voice and Fax data Conﬁguring IP-IP codec negotiation Home ofﬁce in an enterprise network Home ofﬁce in an enterprise network Description Show the conﬁgured proﬁle Home ofﬁce with fax Soft phone client gateway 595 Disable Dtmf relay Show the conﬁgured proﬁle Pstn proﬁle conﬁguration Pstn proﬁle conﬁguration task list Creating a Pstn proﬁle Procedure Conﬁgure voice output gain Conﬁguring the echo cancellerProcedure Disable echo cancellation Mode Proﬁle Pstn Conﬁguring output gain 600 SIP proﬁle conﬁguration Mapping from a SIP disconnect cause Entering the conﬁguration mode for a SIP proﬁleSIP proﬁle conﬁguration task list Namecfg#no profile name name Mapping to a SIP redirection code Mapping to a SIP causeMapping from a SIP redirection reason Q931-cause to sip-cause Authentication Service Authentication Service conﬁguration task list Creating an Authentication Service Creating credentials Conﬁguring the authentication protocolConﬁguring a Realm Location Service Adding a domain Location Service conﬁguration task listCreating a Location Service Domain Examples Mode Identity Creating an identity Bound Authentication outbound faceAlias Nodeauthout#authenticate authentica Mode Authentication outboundAuthentication inbound face Nodeauthout#authenticate index Nodeauthin#authenticate index Mode Authentication inboundNodeauthin#authenticate authentica Nodeauthin#no authenticate index Mode Registration outbound Registration outbound face Port strict-route Noderegout#proxy host portStrict-route Noderegout#proxy index down posi Nodeidentityname# no registration Noderegin# no lifetime default secRegistration inbound face Inbound Nodecallout#proxy host port Mode Call outboundCall outbound face Nodecallout#proxy index host Call inbound face Mode Call outboundMode Call inbound Creating an identity group Inheriting from an identity group to an identity Conﬁguring the Message Waiting Indication feature for SIP Subscription Mode Message inbound Notiﬁcation Mode Message inbound Message Waiting Indication through Call-Control This conﬁguration example, inheritance is used VoIP debugging Debugging strategy Verifying IP connectivity Following command will disable the ﬁlter completelyFiltering debug monitor output Example Verify IP connectivity Unit#debug ccisdn signaling Debugging call signalingDebugging Isdn signaling Overview Isdn debug monitors Verify an incoming call Line Verify an outgoing call 630 Debug isdn event slot port all layer2 layer3 Isdn layer 2 and 3 can be veriﬁed using a show commandVerify Isdn layer 2 and 3 status Stops Debugging FXS SignalingOverview FXS debug monitors For most verbose output State to RINGING, that means it has accepted the call Debugging H.323 Signaling Overview H.323 debug monitors 635 636 637 Debugging SIP signaling Using SmartWare’s internal call generator Way dejitter Debugging voice dataNo debug media-gate Way control detail level Way rtp Way switchWay error Way dsp How to submit trouble reports to Patton Check system logs 643 Appendix a Terms and deﬁnitions SmartWare architecture terms and deﬁnitions Also release Pression Ory Buffer Pots Tftp Appendix B Mode summary Mode overview, 1 Mode Overview, 2 Mode Overview, 3 Appendix C Command summary Ebnf syntax Other New Conﬁguration CommandsShow command history Show help Appendix D Internetworking terms & acronyms Abbreviations Numeric DSS1 MSN SAR Appendix E Used IP ports & available voice Codecs Webserver Used IP portsTelnet Available voice codecs