CME with remote site via VPN

Apr 15th, 2008

Good afternoon,


I have a Cisco 2851 running IOS Version 12.4(11)T2 with CME 4.0(2).


I will be running a Cisco 877w on the remote site.


What I am wondering is what are the best techniques to set this up?


Should I use a Remote access or a Site to Site type VPN solution?


What kind of tunnel setup should I configure? (PPTP, L2TP over IPSec, GRE, GRE over IPSec, pure IPSec)


I am assuming that once the VPN is configured for IP connectivity between the remote site and main site, the phone setup will be the same as normal, as long as the phone has the correct TFTP IP address.


Can anyone help me with what methods are best?

paolo bevilacqua Tue, 04/15/2008 - 07:05

Hi, if you don't have special security concerns, I would use GRE in the first place. That is easy to encipher with a crypto profile if the need arises. With a proper VPN you don't need to worry about where devices are and everything works transparently. You don't need to make VLANs or try to bring the remote phone into the local voice VLAN, as it will work anyway.


Hope this helps, please rate post if it does!

d.bigerstaff Tue, 04/15/2008 - 07:13

At the moment my only security concerns are that the local network at one site can communicate with the local network at the other site without external people being able to...


And that's the point of VPNs, isn't it?


What do you mean by special security concerns?


Just to make matters harder this is my setup at the main site.


2851router --> 3560switch --> 3560switch


The first 3560 switch has a lot of VLANs on it and does L3 routing.


Ideally I'd like the VPN to connect to the 2851 and be able to connect to a VLAN on the first 3560 switch.


Is that possible?

paolo bevilacqua Tue, 04/15/2008 - 07:22

Hi, with a GRE setup, the remote site would receive routing information for all the VLANs and vice versa. So you have three (OSPF or RIP) routers: the 877, the 2851 where the tunnel lands, and the 3560.


The security consideration is whether you want the traffic to be encrypted or not. Really, from the router's point of view it doesn't make much of a difference, but encryption is more overhead on the circuits, that's all.

paolo bevilacqua Thu, 04/17/2008 - 07:07

You can look at that, but your case there should be somewhat simpler (no NAT and no firewall).

rseiler Thu, 04/17/2008 - 12:20

Since 12.3(7)T (nearly 4 years ago) there is absolutely NO REASON to be using the legacy crypto map configuration, particularly with GRE tunnels.


You should be using the IPSec VTI (Virtual Tunnel Interface) construct which is much simpler and supports more features and is CEF switched. See the following URLs:


http://www.cisco.com/en/US/docs/ios/12_4/secure/configuration/guide/hipsctm.html


http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/prod_white_paper0900aecd803645b5.html


d.bigerstaff Thu, 04/24/2008 - 06:02

Thanks to both of you for your help.


This is what I've got so far for my config, which I have not quite implemented yet.


Central Router:

crypto ipsec profile p1
crypto transform set t1

int tunnel0
ip address 172.16.1.1 255.255.255.252
tunnel source 195.200.200.65
tunnel destination 78.50.50.3
tunnel mode ipsec ipv4
tunnel protection ipsec profile p1


Hub Router:

crypto ipsec profile p1
crypto transform set t1

int tunnel0
ip address 172.16.1.2 255.255.255.252
tunnel source 78.50.50.3
tunnel destination 195.200.200.65
tunnel mode ipsec ipv4
tunnel protection ipsec profile p1


Apart from the static routes, is that all that is needed to get a tunnel up between the two routers?


Many thanks once again.
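
An added example, not part of the original thread and not any poster's configuration: a static IPsec VTI pair that reuses the thread's public addresses, the 172.16.1.0/30 tunnel subnet and the names p1 and t1. In IOS the transform set is defined with `crypto ipsec transform-set` and referenced from the profile with `set transform-set`, and IKE phase 1 needs its own policy and peer key. The IKE policy values, the transform algorithms, the `<PRE_SHARED_KEY>` placeholder and the LAN prefixes 192.168.10.0/24 (main site) and 192.168.20.0/24 (remote site) are assumptions.

```cisco
! Added example. Assumed: IKE policy values, transform algorithms,
! <PRE_SHARED_KEY> placeholder, LAN prefixes 192.168.10.0/24 and 192.168.20.0/24.
! ===== Main site (2851), tunnel source 195.200.200.65 =====
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 5
crypto isakmp key <PRE_SHARED_KEY> address 78.50.50.3
crypto ipsec transform-set t1 esp-aes 256 esp-sha-hmac
crypto ipsec profile p1
 set transform-set t1
!
interface Tunnel0
 ip address 172.16.1.1 255.255.255.252
 tunnel source 195.200.200.65
 tunnel destination 78.50.50.3
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile p1
!
! Remote-site LAN (assumed prefix) is reached through the tunnel
ip route 192.168.20.0 255.255.255.0 Tunnel0
!
! ===== Remote site (877W), tunnel source 78.50.50.3 =====
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 5
crypto isakmp key <PRE_SHARED_KEY> address 195.200.200.65
crypto ipsec transform-set t1 esp-aes 256 esp-sha-hmac
crypto ipsec profile p1
 set transform-set t1
!
interface Tunnel0
 ip address 172.16.1.2 255.255.255.252
 tunnel source 78.50.50.3
 tunnel destination 195.200.200.65
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile p1
!
! Main-site LAN (assumed prefix) is reached through the tunnel
ip route 192.168.10.0 255.255.255.0 Tunnel0
```

Once both sides are configured, `show crypto isakmp sa`, `show crypto ipsec sa` and `show interface Tunnel0` confirm that the IKE and IPsec security associations exist and that the tunnel's line protocol is up.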
