Avaya 4600 IP Phone User Manual


 
VPNremote for 4600 Series IP Telephone Installation and Deployment
Avaya Inc. - Proprietary
Use pursuant to Company Instructions.
number of IPsec clients that can connect to a security gateway. See 4.10 for details
regarding Load Distribution and failover.
3.3 DNS server – All SGs
Security gateways can deliver the IP address of the DNS server located on the
private (protected) side of the security gateway to the IPsec clients. If you plan to
use DNS names for hosts on the private side of the security gateway, make sure
that the security gateway is configured to deliver DNS server IP addresses to the IPsec
clients.
Some security gateways can also deliver a default domain prefix to the IPsec
clients, but the VPNremote phone ignores the default domain prefix sent by the
security gateway; therefore, the SG must always use fully qualified domain
names.
3.4 Protected IP Subnets – All SGs
Security gateways provide a mechanism to specify the IP subnets accessible to the IPsec
clients. It is highly recommended that you configure all zeros as the IP subnets accessible
to the IPsec clients. If you choose to ignore this advice, make sure that you have covered
all the IP subnets required for proper functioning of the IP telephone; failure to do so will
produce unexpected results.
3.4.1 Performance consideration
An IPsec SA is created for each protected IP subnet. Thus, if you configure 5 protected
IP subnets and there are 200 VPNremote phones, the security gateway has to maintain
1000 IPsec SAs instead of the 200 it would maintain with all zeros as the IP subnet. Since the
table must be linearly searched, keeping the table small enhances performance
considerably.
Most security gateway manufacturers' published performance numbers assume that each
IPsec client builds only 1 SA.
4.4.1.1 Alternative approach
Use firewall rules on the private side of the security gateway to prevent IPsec clients
from sending and receiving traffic to and from protected IP subnets.
4.4.1.2 Xauth with Preshared Key method
The IPsec client must be manually configured with the list of IP subnets protected by the
security gateway. By default, the VPNremote phone uses all zeros as the IP subnet protected by the
security gateway. The maximum number of protected IP subnets that can be configured on
VPNremote phones is limited to 5. Refer to the description of NVIPSECSUBNET in the
accompanying 46vpnsetting_readme.txt for more details.
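A pre-deployment check for a planned protected-subnet list, added here as an example and not taken from the Avaya documentation or tooling: it enforces the 5-subnet phone limit, flags required services that no subnet covers, and reports the resulting IPsec SA count. The function name, the service names and all addresses are constructed assumptions.

```python
import ipaddress

MAX_PHONE_SUBNETS = 5  # limit the guide states for VPNremote phones

# Constructed sample: private-side services the phone must reach.
SERVICES = {"call_server": "10.10.1.20", "file_server": "10.10.2.15",
            "dns": "10.20.0.53"}


def check_protected_subnets(subnets, required_hosts, phone_count):
    """Check a list of CIDR strings planned as protected IP subnets."""
    # strict=True rejects entries with host bits set, e.g. 10.10.1.5/24.
    nets = [ipaddress.ip_network(s, strict=True) for s in subnets]
    problems = []
    if not nets:
        problems.append("no protected subnet configured")
    if len(nets) > MAX_PHONE_SUBNETS:
        problems.append(
            f"{len(nets)} subnets exceed the phone limit of {MAX_PHONE_SUBNETS}")
    # CIDR blocks only overlap when one contains the other, so the inner
    # entry costs one more SA per phone without adding reachability.
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    # Every service the phone depends on must sit inside a protected subnet.
    uncovered = sorted(
        name for name, ip in required_hosts.items()
        if not any(ipaddress.ip_address(ip) in n for n in nets))
    for name in uncovered:
        problems.append(f"{name} ({required_hosts[name]}) is not covered")
    return {
        "ipsec_sas": len(nets) * phone_count,  # one SA per subnet per phone
        "uncovered": uncovered,
        "problems": problems,
    }


if __name__ == "__main__":
    plans = {
        "all zeros": ["0.0.0.0/0"],
        "five subnets": ["10.10.1.0/24", "10.10.2.0/24", "10.30.0.0/16",
                         "10.40.0.0/16", "10.50.0.0/16"],
    }
    for label, plan in plans.items():
        print(label, check_protected_subnets(plan, SERVICES, 200))
```
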
4.4.1.3 Avaya proprietary method
The VPNremote phone uses the protected IP subnets list sent by the security gateway; hence,
modifying 46vpnsetting.txt is not required even if you are not using all zeros as the protected
IP subnets. However, it is still recommended to use all zeros as the protected IP subnets.