Suggestions for Site to Site VPN using IOS with VOIP w/ NAT

Sep 2nd, 2007

Hi all,

Thanks in advance for your help. I've been tasked to do the following and wanted your suggestions:

We have 2 locations, New York and Florida. We have 2811 routers with a T1 data connection from ATT for both sites. We will be installing a Call manager at the New York site and having the 2811 perform SRST at the Florida site.

We are doing NAT for both sites, so I wanted to ask what would be the best VPN method for Site to Site connection for VOIP and data, while also allowing the users to connect to the internet via the ATT T1. I will also need the ability to have remote workers connect via software VPN clients to both sites and be able to run IP Communicator. Would a regular Site to Site VPN tunnel with IPSEC work, or will I have to look into setting it up with GRE for the VOIP to work properly?

Thanks again for your help!

mattiaseriksson Mon, 09/03/2007 - 08:15


If you don't need any other networking features such as support for routing protocols and multicast, a normal site to site IPSEC will work fine.

tomtom001 Tue, 09/04/2007 - 18:14

Thank you for the reply. Not sure if the VOIP features will require multicast. Don't I have to advertise a routing protocol to be able to pass info between the two sites? Do I have to think about split tunnelling if I want both sites to be able to use the internet for other activities?

Thanks again for helping out a newbie.

mattiaseriksson Wed, 09/05/2007 - 00:24

If you need a dynamic routing protocol you should use a GRE-based VPN. But if you only have two sites you could probably rely on static routing anyway, and use standard IPSec.

Split tunnel is only something that you have to consider if you use Easy VPN for remote VPN users. Normal IPsec and GRE tunnels normally define interesting traffic using ACLs anyway.

tomtom001 Wed, 09/05/2007 - 05:18

Ah ok. We only have 2 sites, so I will stick with the standard IPSEC VPN as you suggested.

Regarding the remote users who will connect to the Main site for IP Communicator usage, how will I integrate them with the site to site VPN I already have up? Is Easy VPN the best choice? Or can I set up another IPsec VPN policy for remote users?

Thanks again for the help

mattiaseriksson Wed, 09/05/2007 - 05:21

You can and should use Easy VPN together with the site-to-site tunnel; it all goes into the same crypto map.
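
The layout discussed in this thread (static site-to-site IPsec, Easy VPN for remote workers in the same crypto map, and NAT for Internet access) as an added example for the New York router; it is not configuration posted by anyone in the thread. Every address, interface, name and key is an assumed placeholder, and the Florida router would mirror the NY-TO-FL and NAT ACLs with source and destination swapped.

```cisco
! New York 2811 - constructed example, all values are placeholders.
! Assumed: NY LAN 10.1.0.0/24, FL LAN 10.2.0.0/24, client pool 10.9.0.0/24,
! FL outside address 198.51.100.1, NY outside interface Serial0/0/0.
! Local usernames for Xauth and the LAN-side "ip nat inside" are not shown.
aaa new-model
aaa authentication login VPN-USERS local
aaa authorization network VPN-GROUP local
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
! no-xauth keeps the Florida router from being prompted for user credentials
crypto isakmp key <PRE-SHARED-KEY> address 198.51.100.1 no-xauth
!
crypto isakmp client configuration group REMOTE-WORKERS
 key <GROUP-KEY>
 pool VPN-POOL
 acl SPLIT-TUNNEL
ip local pool VPN-POOL 10.9.0.10 10.9.0.50
!
crypto ipsec transform-set ESP-AES-SHA esp-aes 256 esp-sha-hmac
crypto dynamic-map EZVPN 10
 set transform-set ESP-AES-SHA
 reverse-route
!
! One crypto map: static entry for Florida, dynamic entry last for clients
crypto map VPN client authentication list VPN-USERS
crypto map VPN isakmp authorization list VPN-GROUP
crypto map VPN client configuration address respond
crypto map VPN 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set ESP-AES-SHA
 match address NY-TO-FL
crypto map VPN 65000 ipsec-isakmp dynamic EZVPN
!
ip access-list extended NY-TO-FL
 permit ip 10.1.0.0 0.0.0.255 10.2.0.0 0.0.0.255
ip access-list extended SPLIT-TUNNEL
 permit ip 10.1.0.0 0.0.0.255 any
! NAT exemption: deny tunnel-bound traffic first, PAT everything else
ip access-list extended NAT-INTERNET
 deny   ip 10.1.0.0 0.0.0.255 10.2.0.0 0.0.0.255
 deny   ip 10.1.0.0 0.0.0.255 10.9.0.0 0.0.0.255
 permit ip 10.1.0.0 0.0.0.255 any
ip nat inside source list NAT-INTERNET interface Serial0/0/0 overload
!
interface Serial0/0/0
 ip nat outside
 crypto map VPN
```

The IKE and transform-set values are sample choices; use the strongest settings that the IOS release and the VPN clients both support.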

