Voice over IPSec VPN

Unanswered Question

I just purchased an 871 router and am trying to connect a small office over a DSL internet connection using an IPSec VPN tunnel to the corporate office's Cisco 3000 series VPN concentrator. The VPN tunnel will need to support both voice and data, and possibly video in the future. I am running CallManager at the corporate office and there will be Cisco 796x phones at the remote office. I am not sure where to start as far as designing and configuring the tunnel.

Can someone share their successful experience with this type of setup?

Any documentation on this type of setup is greatly appreciated!!!


Mark Turpin Tue, 05/22/2007 - 09:37

I'm doing an 851 over cable modem with a customer and the voice doesn't sound very good, but it works. EZVPN back to an ASA.

Just use the SDM to configure EZVPN, it only takes a few minutes.

Tommer Catlin Wed, 05/23/2007 - 15:48

But the trick is that you are using QOS at the router, limiting data bandwidth and saving it for voice calls. If you have no QOS at the router, all data packets look the same.

John is downloading a 45 meg file from the internet. He gets a voice call on his IP phone, and it sounds jumbled. If QOS was in place, the 45 meg download would have been slowed, and the packets prioritized for voice.

I could be preaching to the choir, but just wanted to make sure everyone understands that QOS-less internet is a given, but at least you can keep it clean as it comes and goes from the router with QOS.

johnnylingo Wed, 05/23/2007 - 15:54

I agree 100% with this post. The Internet backbone might not have QoS, but that's because it's a ton of bandwidth. Your connection, whether it's T3, T1, DSL, or Dialup can potentially be a bottleneck. You want to mark the traffic at the endpoint, then configure QoS at the bottleneck point.

johnnylingo Wed, 05/23/2007 - 08:48

The good news is the 870 does QoS (the 850 does not). With the Advanced IP Services feature set, you can take a few shortcuts rather than having to bang out ACLs for all your traffic types.

My ISP connection only has a 384K upload speed, so I give the VPN a minimum of 192K, then voice 32K (I use GSM). You'll want to adjust your values accordingly. Here is a good bandwidth calculator:


class-map match-any VoIP
 match ip precedence 5
 match ip dscp ef

class-map match-any VPN
 match protocol gre
 match protocol ipsec

policy-map WAN-OUT
 class VPN
  bandwidth 192
 class VoIP
  priority 32
 class class-default

interface FastEthernet4
 bandwidth 384
 service-policy output WAN-OUT

interface Tunnel1
 qos pre-classify
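Added example, not part of the post above: the per-call arithmetic for sizing a voice class when RTP travels inside an IPsec ESP tunnel, since the encrypted packet is what crosses the WAN link. The cipher parameters (AES-CBC with HMAC-SHA1-96), 20 ms packetization, IPv4 and all function names are assumptions; layer-2 overhead on the DSL or cable link is not counted.

```python
import math

RTP_UDP_IP = 12 + 8 + 20  # RTP + UDP + inner IPv4 headers, in bytes

# Voice payload bytes per 20 ms packet (50 packets per second).
CODECS = {"G.729": 20, "GSM-FR": 33, "G.711": 160}


def esp_tunnel_packet_bytes(voice_payload, block=16, iv=16, icv=12, nat_t=False):
    """Layer-3 size of one voice packet after ESP tunnel-mode encapsulation.

    Defaults assume AES-CBC (16-byte block and IV) with a 12-byte
    HMAC-SHA1-96 ICV. For 3DES use block=8, iv=8.
    """
    inner = voice_payload + RTP_UDP_IP
    # ESP trailer: padding + 1 byte pad length + 1 byte next header,
    # padded so the encrypted part is a multiple of the cipher block size.
    encrypted = math.ceil((inner + 2) / block) * block
    # Outer IPv4 header (20) + ESP header with SPI and sequence number (8).
    total = 20 + 8 + iv + encrypted + icv
    if nat_t:
        total += 8  # UDP encapsulation used when a NAT device is in the path
    return total


def call_kbps(voice_payload, pps=50, **esp):
    """One-way bandwidth of a single call, in kbit/s, at layer 3."""
    return esp_tunnel_packet_bytes(voice_payload, **esp) * 8 * pps / 1000


def calls_that_fit(class_kbps, voice_payload, **esp):
    """How many simultaneous calls a voice class of class_kbps can carry."""
    return int(class_kbps // call_kbps(voice_payload, **esp))


if __name__ == "__main__":
    for name, payload in CODECS.items():
        clear = (payload + RTP_UDP_IP) * 8 * 50 / 1000
        print(f"{name:7s} clear {clear:6.1f} kbit/s   "
              f"ESP {call_kbps(payload):6.1f}   "
              f"ESP+NAT-T {call_kbps(payload, nat_t=True):6.1f}")
```

The padding step is why low-bitrate codecs lose most of their advantage inside the tunnel: the fixed ESP and outer-header cost dominates a 20-byte payload.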


DRAGI RADOVANOVIC Wed, 05/23/2007 - 13:23

I have it running at a few sites for one of my customers. I use 871s and a 2800 as the hub, and g729 as the voice codec. I haven't heard any complaints so far.

BTW, if you run into a problem where your phones cannot get to the CallManager, yet you can ping back and forth, disable IP CEF on your 871. That will fix it.


DRAGI RADOVANOVIC Wed, 05/23/2007 - 16:02

Here is EZVPN from an IOS router to a VPN concentrator:


IOS router to a concentrator:


Yes, a 2800 is a hub and 871s are spokes. I suggest that you use SDM to configure VPN on your 871. SDM rules!


