Avaya Solution & Interoperability Test Lab

Configuring Secrets Management on the Avaya G250 and G350 Media Gateways - Issue 1.0

Abstract

Previous releases of the Avaya G250 and G350 Media Gateways maintained secret materials in local FLASH memory, and never output secrets to the management terminal or to the startup configuration file. These Application Notes present a mechanism in release 4.0 of Avaya Communication Manager that encrypts all secrets saved in the startup and running configuration files. This new approach prevents an unauthorized person from observing the device secrets and enables complete restore of the device configuration from the startup configuration saved on a USB flash drive or a remote file server.

JZ; Reviewed: SPOC 4/7/2007 | Solution & Interoperability Test Lab Application Notes | ©2007 Avaya Inc. All Rights Reserved. | 1 of 18 | GW-Secrets.doc

1. Introduction

Previous releases of the Avaya G250 and G350 Media Gateways maintained secret materials in local FLASH memory, and never output secrets to the management terminal or to the startup configuration file. The administrator can overwrite secrets but cannot read secrets entered earlier. This approach provides maximum security at the price of forcing a user to manually re-enter secret materials when a Media Gateway is replaced.

The mechanism in release 4.0 of Avaya Communication Manager encrypts all secrets saved in the startup and running configuration files. This new approach prevents an unauthorized person from observing the device secrets and enables complete restore of the device configuration from the startup configuration saved on a USB flash drive or a remote file server.

Figure 1 is the network diagram used for the verification of these Application Notes. The three offices shown in Figure 1 are connected via a Wide Area Network (WAN). T1/PPP is used in each office for the WAN connection.
A full-mesh VPN (any-to-any), Generic Routing Encapsulation (GRE) tunnels and the OSPF routing protocol are configured among the three offices. MD5 authentication is used for the OSPF routing protocol configuration. The "Main Office" contains an Avaya S8500 Media Server and an Avaya G650 Media Gateway. The "Branch Office 1" contains an Avaya G250L-DS1 Media Gateway and the "Branch Office 2" contains an Avaya G350L Media Gateway.

[Figure 1: network diagram (image not reproduced). Main Office: Avaya S8500 Media Server, Avaya G650 Media Gateway, Microsoft Windows 2000 Server (Microsoft DHCP Server, Microsoft Information Server (FTP Server), Microsoft IAS, Avaya TFTP Server, Apache HTTP Server), Cisco 3725 Access Router. Branch Office 1: Avaya G250L-DS1 Media Gateway (SLS) with USB Flash Drive. Branch Office 2: Avaya G350L Media Gateway (SLS) with USB Flash Drive. An L3 Switch, Avaya 4610 and 9620 IP Telephones and Avaya 6210 Analog Phones are placed at the offices. The offices are connected by T1/PPP links across the WAN, carrying GRE/VPN Tunnels and OSPF (MD5 Authentication).]

Figure 1: Configuration for Secrets Management

The Avaya G250 and G350 Media Gateways are configured as the DHCP and TFTP servers for the Avaya IP telephones in the branch offices. The Microsoft DHCP server and Avaya TFTP server installed on the Microsoft Windows 2000 Server in the Main Office are used for the Avaya IP telephones in the Main Office. The Apache HTTP Server installed on the Microsoft Windows 2000 Server is used for the Avaya 9600 IP telephones. For the sample configuration, 802.1X is enabled on the Avaya G250 and G350 Media Gateways and the Avaya IP telephones in the branch offices. The Microsoft Internet Authentication Service (IAS) installed on the Microsoft Windows 2000 Server in the Main Office is used as a Radius Server. The Microsoft Information Server is used as an FTP server.

2. Equipment and Software Validated

Table 1 below shows the versions verified in these Application Notes.

Equipment                                                  Software
Avaya S8500 Media Server with Avaya Communication Manager  4.0 (load 727)
Avaya G650 Media Gateway
  IPSI (TN2312AP)                                          HW12 FW031
  C-LAN (TN799DP)                                          HW01 FW017
  MEDPRO (TN2302AP)                                        HW11 FW107
Avaya G250L-DS1 Media Gateway                              26.27.0
Avaya G350L Media Gateway                                  26.27.0
Avaya 4610 Series IP Telephones (H.323)                    2.60
Avaya 9620 Series IP Telephone (H.323)                     1.20
Avaya TFTP Server                                          3.6.1
Apache HTTP Server                                         2.0.54
Microsoft Internet Authentication Service                  Windows 2000 Server (SP 4)
Microsoft DHCP Server                                      Windows 2000 Server (SP 4)
Microsoft Information Server (FTP Server)                  Windows 2000 Server (SP 4)
Cisco 3725 Access Router                                   12.4(10a)

Table 1: Software Versions

3. Configuration of the Avaya Media Gateway

The following secrets were verified in these Application Notes.

• User Name and Password: A user name and password are created in the Avaya G250 and G350 Media Gateway.
• Radius Secret: The Radius Server in the Main Office is used for 802.1X authentication of the Avaya IP telephones in Branch Office 1 and Branch Office 2. Refer to [1] for details.
• Station Passwords: The Avaya G250-DS1 and G350 Media Gateways are configured with the Standard Local Survival Processor (SLS). IP station extensions and passwords are configured in the Branch Offices.
• VPN Shared Secret: Pre-shared keys are configured for the VPN tunnels. Refer to [2] for details.
• OSPF Shared Secrets: Message Digest 5 (MD5) authentication is configured for the OSPF routing protocol. Refer to [2] for details.

Encryption of secrets is performed using a 128-bit user defined Master Configuration Key (MCK). The Media Gateway is shipped with an Avaya Default Master Config Key (ADMCK) as a default hardcoded secret value common to all Gateways. The ADMCK can be used for decryption of a configuration file on initial installation or when customers are not interested in maintaining a user defined MCK. Since the ADMCK is common to all Gateways, a configuration file encrypted with it can be decrypted on any Gateway that still uses the default; Avaya therefore recommends changing the ADMCK to a user defined MCK for greater security.

Use the command key config-key password-encryption <master passphrase> to configure an MCK. The following screen shows a command to configure an MCK. Use the command copy running-config startup-config to commit the new MCK. The command will encrypt the startup configuration with the new MCK.

G350-SLS(super)# key config-key password-encryption GoodBye2005Welcom2006
Warning: Use copy running to startup config to commit new configuration master key

The secret management engine in the Media Gateway reuses the startup-config concept by modeling existing CLI commands for secret configurations with new commands that accept encrypted secret parameters.
For example, the Media Gateway supports the new command encrypted-pre-shared-key <encrypted-key-string>, which extends the functionality of the existing pre-shared-key <key-string>. The startup or the running configuration can be copied to a file server or a USB flash drive. The USB flash drive connects to the USB port on the Media Gateway. The file server can be a TFTP, HTTP or SCP server. To copy the configuration file back from the saved configuration, the current MCK on the Avaya Media Gateway must match the MCK in the saved configuration.

The MCK must be saved in a secure place. If the Media Gateway needs to be replaced, the MCK must be configured on the new Media Gateway in order to restore the original configuration on it. The following screen shows the command syntax to copy the startup configuration to a file server or a USB flash drive.

G250-DS1-011(super)# copy startup-config ?
Copy startup-config commands:
---------------------------------------------------------------------------
copy startup-config ftp     Upload startup configuration to a file (using ftp)
copy startup-config scp     Upload startup configuration to a file (using scp)
copy startup-config tftp    Upload startup configuration to a file (using tftp)
copy startup-config usb     Upload startup configuration to a file (using usb)

A similar command can be used to copy the configuration from a file server or a USB flash drive to the startup-config. Backup and restore operations can also be used; refer to [3] for details on the backup and restore operations.

The following screen shows the annotated startup-config file on the Avaya G250 Media Gateway, which is encrypted with the user defined MCK. Note that all the encrypted secrets in the startup-config are shown with the encrypted- prefix added to the command the user enters via the CLI. The configuration for the Avaya G350 Media Gateway is similar and is not shown.

G250-DS1-011(super)# show startup-config
! version 26.27.0
! The following line shows the information on the GW.
Config info release 26.27.0 time "19:05:18 29 JAN 2007 " serial_number 03IS07814808
! The following shows the encrypted usernames and passwords.
encrypted-username zDEmQsJbbVUy/d1YogNZAg== password zV9LefjR7hocgF+btlqoSVnY7VEXN6LI4hgIZBNKRdw= access-type naxzRzkCk9S25x8jDCHJbQ==
encrypted-username hkQ02CQfWoqYX1c5w3I1Kg== password qpApp/J4+MxXr3022TzKBAvNy/iz4oWT7pVo62rr82E= access-type TyJcVqMQcKlp9f83Wxs3FQ==
! The following lines show the radius server configuration and encrypted RADIUS
! authentication secret.
set radius authentication enable
set radius authentication server 192.168.88.31 primary
set encrypted-radius authentication secret AAFaCBGLH0rYjScBoU9xHdqclJ2mXFcvpOmHbeSxPf0=
set dot1x system-auth-control enable
! The following lines show the VPN configuration
ip crypto-list 901
 local-address Serial 2/1:1.0
 ip-rule 1
  protect crypto map 1
  source-ip host 12.160.181.101
  destination-ip host 12.160.180.101
 exit
 ip-rule 2
  protect crypto map 2
  source-ip host 12.160.181.101
  destination-ip host 12.160.182.101
 exit
exit
crypto ipsec transform-set H2 esp-aes esp-sha-hmac
 mode transport
 set pfs group2
exit
crypto isakmp policy 1
 description "Phase 1 Proposal"
 encryption aes
 hash md5
 group 2
 authentication pre-share
exit
crypto isakmp peer address "12.160.180.101"
 ! The following line shows the encrypted VPN shared secret with the Main Office
 encrypted-pre-shared-key jLXkdHIGlPOTdg0DqFRj0A==
 isakmp-policy 1
 initiate mode aggressive
 keepalive 10 retry 2 on-demand
exit
crypto isakmp peer address "12.160.182.101"
 ! The following line shows the encrypted VPN shared secret with the Branch Office 2
 encrypted-pre-shared-key w/gm0LVsdn5QMjB3ai+M2Zw9Ak80CFuaJuB8PxWMvug=
 isakmp-policy 1
 initiate mode aggressive
 keepalive 10 retry 2 on-demand
exit
crypto map 1
 description "Phase 2 Proposal"
 set peer "12.160.180.101"
 set transform-set H2
exit
crypto map 2
 description "Phase 2 Proposal"
 set peer "12.160.182.101"
 set transform-set H2
exit
interface Tunnel 1
 tunnel source 12.160.181.101
 tunnel destination 12.160.180.101
 ip address 10.10.11.1 255.255.255.252
 ! The following line shows the encrypted OSPF MD5 key configuration
 ip ospf authentication message-digest
 ip encrypted-ospf message-digest 1 md5 +eh75vDqXtI1K2RX83jMoQ==
exit
interface Tunnel 2
 tunnel source 12.160.181.101
 tunnel destination 12.160.182.101
 ip address 10.10.11.9 255.255.255.252
 ! The following line shows the encrypted OSPF MD5 key configuration
 ip ospf authentication message-digest
 ip encrypted-ospf message-digest 1 md5 meOQo1jOAm3KHI5KpUKblQ==
exit
interface Serial 2/1:1
 encapsulation ppp
 ip crypto-group 901
 ip address 12.160.181.101 255.255.255.0
exit
router ospf
 network 10.1.181.0 0.0.0.255 area 0.0.0.0
 network 10.10.11.0 0.0.0.3 area 0.0.0.0
 network 10.10.11.8 0.0.0.3 area 0.0.0.0
exit
survivable-call-engine
 ! The following line shows the encrypted password for an IP station.
 station 44620 ip
  set cor unrestricted
  set encrypted-password "6935CBjd+4pTpNg1LS7K5w=="
 exit
 ! The following line shows the SLS is enabled.
 set survivable-call-engine enable
!#
!# End of configuration file. Press Enter to continue.

4. Copy Configuration Files to/from the Media Gateway

The CLI commands to copy the configuration files between the Avaya Media Gateway and a USB flash drive or a file server are the same for the Avaya G250 and G350 Media Gateways. Only the Avaya G250 Media Gateway is demonstrated in this Section.

4.1 Copy the Startup Configuration to a USB Flash Drive

To back up the Avaya G250 Media Gateway, insert a USB flash drive into the USB port on the Avaya G250 Media Gateway. Use the command show usb all to verify that the Avaya G250 Media Gateway detects the USB flash drive. The Media Gateway supports FAT16 and FAT32 file systems on the USB flash drive; the flash drive must be formatted with one of these file systems. The following shows that the USB flash drive is formatted as FAT16 and that the device name is usbdevice0. The device name will be used in the following configuration steps.

G250-DS1-011(super)# show usb all

USB Dev Id  Description      Manufacturer  Vendor ID  Product ID  Device Ver  USB Ver  Power Mode  Max Power(mA)  Speed
----------  ---------------  ------------  ---------  ----------  ----------  -------  ----------  -------------  -----
1           Root Hub (OHCI)  N/A           0x0        0x0         0.0         1.1      Self        0              Full
2           USB DRIVE        SIMPTECH      0x4e8      0x100       0.0         1.1      Self        90             Full
257         Root Hub (EHCI)  N/A           0x0        0x0         0.0         2.0      Self        0              High

USB Dev Id  Serial Number  FileSystem   Storage (MB)  Free (MB)  FS
----------  -------------  -----------  ------------  ---------  -----
1           N/A            N/A          N/A           N/A        N/A
2           0158596281995  /usbdevice0  243           112        FAT16
257         N/A            N/A          N/A           N/A        N/A

Use the command copy running-config startup-config to copy the running-config to the startup-config using the current MCK.

G250-DS1-011(super)# copy running-config startup-config
Beginning copy operation ................... Done!

Use the command copy startup-config usb <file name> usbdevice0 to copy the startup-config to the USB flash drive with the specified file name.

G250-DS1-011(super)# copy startup-config usb G250-DS1-backup usbdevice0
Confirmation - do you want to continue (Y/N)? y
Beginning upload operation ...
This operation may take up to 20 seconds.
Please refrain from any other operation during this time.
For more information , use 'show upload status 10' command

Use the command show upload status 10 to verify the upload status. The Running state Idle means the upload was successful.

G250-DS1-011(super)# show upload status 10
Module #10
===========
Module           : 10
Source file      : startup-config
Destination file : /usbdevice0/G250-DS1-backup
Host             : 192.168.88.31
Running state    : Idle
Failure display  : (null)
Last warning     : No-warning

Attach the USB flash drive to a PC, open the configuration file on the USB flash drive with the Notepad or WordPad application, and verify that all secrets in the configuration file are still encrypted.

4.2 Copy the Configuration from a USB Flash Drive to the Startup Configuration

Use the command copy usb startup-config usbdevice0 <file name> to copy (or download) the specified file on the USB flash drive to the startup configuration on the Avaya Media Gateway. The following screen shows that the configuration can be copied from the USB flash drive to the startup-config when the same MCK is used.

G250-DS1-011(super)# copy usb startup-config usbdevice0 G250-DS1-backup
Confirmation - do you want to continue (Y/N)? y
Beginning download operation ...
This operation may take up to 20 seconds.
Please refrain from any other operation during this time.
For more information , use 'show download status 10' command

The following screen shows that the download is successful. The Running state Idle means the download was successful. Reset the Media Gateway to use the startup configuration copied from the USB flash drive.

G250-DS1-011(super)# show download status 10
Module #10
===========
Module           : 10
Source file      : /usbdevice0/G250-DS1-backup
Destination file : startup-config
Host             : 0.0.0.0
Running state    : Idle
Failure display  : (null)
Last warning     : No-warning
Bytes Downloaded : 4267

Use the commands show startup-config and show running-config to verify that all secrets are still encrypted.

If the MCK does not match the MCK in the configuration, the command copy usb startup-config usbdevice0 <file name> will fail as shown in the following screen.

G250-DS1-011(super)# copy usb startup-config usbdevice0 G250-DS1-backup
Confirmation - do you want to continue (Y/N)? y
Beginning download operation ...
This operation may take up to 20 seconds.
Please refrain from any other operation during this time.
For more information , use 'show download status 10' command
G250-DS1-011(super)#
Failed Testing Line 4 in /usbdevice0/G250-DS1-backup file:
"encrypted-username zDEmQsJbbVUy/d1YogNZAg== password zV9LefjR7hocgF+btlqoSVnY7VEXN6LI4hgIZBNKRdw= access-type naxzRzkCk9S25x8jDCHJbQ=="
Failed Testing Line 5 in /usbdevice0/G250-DS1-backup file:
"encrypted-username hkQ02CQfWoqYX1c5w3I1Kg== password qpApp/J4+MxXr3022TzKBAvNy/iz4oWT7pVo62rr82E= access-type TyJcVqMQcKlp9f83Wxs3FQ=="
Failed Testing Line 11 in /usbdevice0/G250-DS1-backup file:
"set encrypted-radius authentication secret AAFaCBGLH0rYjScBoU9xHdqclJ2mXFcvpO

4.3 Copy the Startup Configuration to a File Server

The startup configuration on the Avaya Media Gateway can be copied to a file server, which can be a TFTP, HTTP or SCP server. The following screen shows the command to copy the startup configuration to an FTP server.

G250-DS1-011(super)# copy startup-config ftp G250-DS1 192.168.88.31
Confirmation - do you want to continue (Y/N)? y
Username: anonymous
Password:
Beginning upload operation ...
This operation may take up to 20 seconds.
Please refrain from any other operation during this time.
For more information , use 'show upload status 10' command

The following screen shows that the upload is successful. The Running state Idle means the upload was successful.

G250-DS1-011(super)# show upload status 10
Module #10
===========
Module           : 10
Source file      : startup-config
Destination file : G250-DS1
Host             : 192.168.88.31
Running state    : Idle
Failure display  : (null)
Last warning     : No-warning

Open the configuration file on the file server with the Notepad or WordPad application. Verify that all secrets in the configuration file are still encrypted.

4.4 Copy the Configuration From a File Server to the Startup Configuration

The following shows that the configuration can be copied from the FTP server to the startup-config when the same MCK is used.

G250-DS1-011(super)# copy ftp startup-config G250-DS1 192.168.88.31
Confirmation - do you want to continue (Y/N)? y
Username: anonymous
Password:
Beginning download operation ...
This operation may take up to 20 seconds.
Please refrain from any other operation during this time.
For more information , use 'show download status 10' command

The following screen shows that the download is successful. The Running state Idle means the download was successful. Reset the Media Gateway to use the new startup configuration file.

G250-DS1-011(super)# show download status 10
Module #10
===========
Module           : 10
Source file      : G250-DS1
Destination file : startup-config
Host             : 192.168.88.31
Running state    : Idle
Failure display  : (null)
Last warning     : No-warning
Bytes Downloaded : 4267

Use the commands show startup-config and show running-config to verify that all secrets are still encrypted.
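The "verify that all secrets are still encrypted" step in Sections 4.1 through 4.4 can be scripted for files pulled off the USB flash drive or the file server. The checker below is an added example and not an Avaya tool; it assumes the convention visible in the Section 3 listing (a secret-bearing command is written with an "encrypted-" prefix and a base64 value) and runs over a constructed sample modelled on that listing, followed by two constructed defects.

```python
"""Audit an exported Avaya G250/G350 startup-config for secrets that are not
encrypted under the Master Configuration Key (MCK).  Added example, not Avaya
code.  Assumed convention (from the Section 3 listing): with an MCK in effect a
secret-bearing command is written with an "encrypted-" prefix and its value is
base64 of at least 16 bytes."""
import base64
import re

# One pattern per secret type verified in these Application Notes; each
# captures the value that follows the secret keyword.
SECRET_PATTERNS = (
    ("user password", re.compile(r"\bpassword\s+(\S+)")),
    ("RADIUS secret", re.compile(r"\bsecret\s+(\S+)")),
    ("VPN pre-shared key", re.compile(r"\bpre-shared-key\s+(\S+)")),
    ("OSPF MD5 key", re.compile(r"\bmessage-digest\s+\d+\s+md5\s+(\S+)")),
)
B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def looks_encrypted(value: str) -> bool:
    """True if value (optionally double-quoted) is base64 of >= 16 bytes."""
    value = value.strip('"')
    if len(value) % 4 or not B64_RE.fullmatch(value):
        return False
    return len(base64.b64decode(value)) >= 16


def scan_secrets(config_text: str) -> list:
    """Classify every secret-bearing line as (line_no, kind, secret_type, text).

    kind is "encrypted" (encrypted- prefix and base64 value), "plaintext"
    (prefix missing) or "malformed" (prefix present, value not base64; such a
    file is rejected on copy-back just as one saved under a different MCK is).
    """
    results = []
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # blank lines and "!" comments carry no secrets
        for secret_type, pattern in SECRET_PATTERNS:
            match = pattern.search(line)
            if match is None:
                continue
            if "encrypted-" not in line:
                kind = "plaintext"
            elif looks_encrypted(match.group(1)):
                kind = "encrypted"
            else:
                kind = "malformed"
            results.append((line_no, kind, secret_type, line))
    return results


def problems(config_text: str) -> list:
    """Only the lines that must not leave the gateway as they are."""
    return [r for r in scan_secrets(config_text) if r[1] != "encrypted"]


# Constructed sample: lines modelled on the Section 3 listing, followed by two
# constructed defects that the checker must catch.  "hash md5" is an algorithm
# choice, not a secret, and must not be flagged.
SAMPLE_STARTUP_CONFIG = """\
! version 26.27.0
encrypted-username zDEmQsJbbVUy/d1YogNZAg== password zV9LefjR7hocgF+btlqoSVnY7VEXN6LI4hgIZBNKRdw= access-type naxzRzkCk9S25x8jDCHJbQ==
set radius authentication server 192.168.88.31 primary
set encrypted-radius authentication secret AAFaCBGLH0rYjScBoU9xHdqclJ2mXFcvpOmHbeSxPf0=
crypto isakmp policy 1
 hash md5
exit
crypto isakmp peer address "12.160.180.101"
 encrypted-pre-shared-key jLXkdHIGlPOTdg0DqFRj0A==
exit
interface Tunnel 1
 ip ospf authentication message-digest
 ip encrypted-ospf message-digest 1 md5 +eh75vDqXtI1K2RX83jMoQ==
exit
station 44620 ip
 set encrypted-password "6935CBjd+4pTpNg1LS7K5w=="
exit
! Constructed defect: a RADIUS secret pasted in as plaintext.
set radius authentication secret hunter2
! Constructed defect: an encrypted value damaged in transit.
encrypted-pre-shared-key not*valid*base64
"""

if __name__ == "__main__":
    for line_no, kind, secret_type, text in problems(SAMPLE_STARTUP_CONFIG):
        print(f"line {line_no}: {kind} {secret_type}: {text}")
```

Running the block reports the two constructed defects (lines 19 and 21 of the sample) and nothing else.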
4.5 Restore the Configuration after NVRAM Initialization

When the Media Gateway is replaced because of an RMA or an NVRAM initialization (the nvram initialize command restores the configuration to the factory default), the license is lost. The following screen shows the nvram initialize operation.

G250-DS1-011(super)# nvram initialize
This command will restore factory defaults and can disconnect your telnet session
*** Reset *** - do you want to continue (Y/N)? y
Done!
G250-DS1-011(super)#
Image Banks Integrity self-test passed
Device is booting from bank:A
----- Delete NVM ----
NVRAM integrity power-up self test passed
X9.31 DRNG Known Answer power-up self test passed
AES Known Answer power-up self test passed
RSA Known Answer power-up self test passed
TDES Known Answer power-up self test passed
SHA-1 Known Answer power-up self test passed
HMAC-SHA1 Known Answer power-up self test passed
Generating DSA key, This command may take a few minutes...
..........
Key was created!
Key version: SSH2, DSA
Key Fingerprint: 57:b6:7b:87:67:78:dc:e2:fe:df:a3:7b:3b:74:3b:fc
Product type: Avaya G250-DS1 Media Gateway
Release 26.27.0
Login: root
Password: ****
Password accepted
Enter new password:
Confirm new password:

The following shows that the license is lost after the NVRAM initialization.

G250-DS1-???(super)# show license status
No License installed.

Since the VPN license is needed for the sample configuration, the license must be installed before the configuration can be copied back successfully. The following screen shows the license on the USB flash drive being copied to the Avaya G250 Media Gateway.

G250-DS1-???(super)# copy usb license-file usbdevice0 G250-DS1-011/vpn_license.cfg
Confirmation - do you want to continue (Y/N)? y
Beginning download operation ...
This operation may take a few minutes...
Please refrain from any other operation during this time.
For more information , use 'show download license-file status' command

Use the command show download license-file status to verify the download status.

G250-DS1-???(super)# show download license-file status
Module #10
===========
Module           : 10
Source file      : /usbdevice0/G250-DS1-011/vpn_license.cfg
Destination file : license-file
Host             : 0.0.0.0
Running state    : Idle
Failure display  : (null)
Last warning     : No-warning
Bytes Downloaded : 953

Reset the Media Gateway to activate the VPN license. Verify that the VPN license is installed after the reset.

G250-DS1-???(super)# show license status
License was installed.

Use the command key config-key password-encryption <master passphrase> to change the MCK to match the MCK in the backup configuration.

G250-DS1-???(super)# key config-key password-encryption <master passphrase>
Warning: Use copy running to startup config to commit new configuration master key

Copy the configuration to the startup configuration from the USB flash drive. If the backup configuration is on a file server, the Media Gateway must be configured to have network access to the file server before the configuration can be copied back to the Media Gateway.

G250-DS1-???(super)# copy usb startup-config usbdevice0 G250-DS1-backup
Confirmation - do you want to continue (Y/N)? y
Beginning download operation ...
This operation may take up to 20 seconds.
Please refrain from any other operation during this time.
For more information , use 'show download status 10' command

The following screen shows that the download is successful. Reset the Media Gateway to use the new startup configuration.

G250-DS1-???(super)# show download status
Module #10
===========
Module           : 10
Source file      : /usbdevice0/G250-DS1-backup
Destination file : startup-config
Host             : 0.0.0.0
Running state    : Idle
Failure display  : (null)
Last warning     : No-warning
Bytes Downloaded : 4267

Use the commands show startup-config and show running-config to verify that all secrets are still encrypted.

5. Verification Steps

The administrator needs to make sure that the Media Gateway functions as expected with the new startup configuration copied from the USB flash drive or a file server. Based on the configuration in Figure 1, the following should be verified:

• VPN is up.
• The Avaya G350 Media Gateway registers to Avaya Communication Manager.
• IP telephones register to Avaya Communication Manager.
• Calls can be made successfully between all locations.
• The IP telephone in a branch office can register to the Standard Local Survival Processor of the Media Gateway in that branch office when the connection between the branch office and the main office is out of service.

6. Conclusion

These Application Notes illustrate that the Avaya G250 and G350 Media Gateways can encrypt all secrets using the MCK in the startup and running configuration files, which can be copied to an external file server or a USB flash drive. The Avaya G250 and G350 Media Gateways can also decrypt the configuration copied back from an external file server or a USB flash drive when the same MCK is used. The backup configuration file cannot be copied back if a different MCK is used.

7. Additional References

The following Application Notes can be found at http://www.avaya.com/gcm/master-usa/enus/resource/filter.htm&Filter=Type:Application%20Notes:

[1] Configuring 802.1X Protocol on Avaya G250 and G350 Media Gateways For an Avaya IP Telephone With an Attached PC
[2] Configuring a Generic Routing Encapsulation (GRE) Tunnel Over IPSec VPN Using Transport Mode with Open Shortest Path First (OSPF) Routing Protocol between an Avaya G250 Media Gateway and a Cisco Access Router
[3] Configuring Backup and Restore Operations on the Avaya G250 and G350 Media Gateway

©2007 Avaya Inc. All Rights Reserved. Avaya and the Avaya Logo are trademarks of Avaya Inc. All trademarks identified by ® and ™ are registered trademarks or trademarks, respectively, of Avaya Inc. All other trademarks are the property of their respective owners. The information provided in these Application Notes is subject to change without notice. The configurations, technical data, and recommendations provided in these Application Notes are believed to be accurate and dependable, but are presented without express or implied warranty. Users are responsible for their application of any products specified in these Application Notes.

Please e-mail any questions or comments pertaining to these Application Notes along with the full title name and filename, located in the lower right corner, directly to the Avaya Solution & Interoperability Test Lab at [email protected]