CME with remote site via VPN

d.bigerstaff
Level 1

Good afternoon,

I have a Cisco 2851 running IOS Version 12.4(11)T2 with CME 4.0(2).

I will be running a Cisco 877w on the remote site.

What I am wondering is what are the best techniques to set this up?

Should I use a Remote access or a Site to Site type VPN solution?

What kind of tunnel setup should I configure? (PPTP, L2TP over IPSec, GRE, GRE over IPSec, pure IPSec)

I am assuming once the VPN is configured for IP connectivity between the remote site and main site that the phone setup will be the same as normal, as long as the phone has the correct TFTP IP address.

Can anyone help me with what methods are best?

7 Replies

paolo bevilacqua
Hall of Fame

Hi, if you don't have special security concerns, I would use GRE in the first place. That is easy to encipher with a crypto profile if the need arises. With a proper VPN you don't need to worry about where devices are and everything works transparently. You don't need to make VLANs or try to bring the remote phone into the local voice VLAN, as it will work anyway.

Hope this helps, please rate post if it does!

At the moment my only security concerns are that the local network at one site can communicate with the local network at the other site without external people being able to...

And that's the point of VPNs, isn't it?

What do you mean by special security concerns?

Just to make matters harder this is my setup at the main site.

2851router --> 3560switch --> 3560switch

The first 3560 switch has a lot of VLANs on it and does L3 routing.

Ideally I'd like the VPN to connect to the 2851 and be able to connect to a VLAN on the first 3560 switch.

Is that possible?

Hi, with a GRE setup, the remote site would receive routing information for all the VLANs and vice versa. So you have three (OSPF or RIP) routers: the 877, the 2851 where the tunnel lands, and the 3560.

The security consideration is whether you want the traffic to be encrypted or not; really, from the router's point of view it doesn't make much of a difference, but encryption is more overhead on the circuits, that's all.

Thanks for your advice so far p.bevilacqua!

Should I be looking at following this guide for my VPN?

http://www.cisco.com/en/US/tech/tk827/tk369/technologies_configuration_example09186a00800946b8.shtml

You can look at that, but your case there should be somewhat simpler (no NAT and no firewall).

rseiler
Level 3

Since 12.3(7)T (nearly 4 years ago) there is absolutely NO REASON to be using the legacy crypto map configuration, particularly with GRE tunnels.

You should be using the IPSec VTI (Virtual Tunnel Interface) construct which is much simpler and supports more features and is CEF switched. See the following URLs:

http://www.cisco.com/en/US/docs/ios/12_4/secure/configuration/guide/hipsctm.html

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/prod_white_paper0900aecd803645b5.html

Thanks to both of you for your help.

This is what I've got so far for my config, which I have not quite implemented yet.

Central Router:

crypto ipsec profile p1
crypto transform set t1
int tunnel0
ip address 172.16.1.1 255.255.255.252
tunnel source 195.200.200.65
tunnel destination 78.50.50.3
tunnel mode ipsec ipv4
tunnel protection ipsec profile p1

Hub Router:

crypto ipsec profile p1
crypto transform set t1
int tunnel0
ip address 172.16.1.2 255.255.255.252
tunnel source 78.50.50.3
tunnel destination 195.200.200.65
tunnel mode ipsec ipv4
tunnel protection ipsec profile p1

Apart from the static routes is that all that is needed to get a tunnel up between the two routers?

Many thanks once again.
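
As an added example (not part of any post in this thread, and not Cisco's code): a small Python check that the two tunnel drafts posted above mirror each other, meaning source and destination are swapped, both tunnel addresses sit in one subnet, `tunnel mode ipsec ipv4` is set, and the `tunnel protection` profile is defined on the same router. It assumes each snippet holds only the tunnel interface and does not validate the crypto (transform set, IKE) lines; `DRAFT`, `parse` and `check_pair` are names chosen for this example.

```python
import ipaddress
import re

# The draft from the last post, with only the per-router values parameterised.
DRAFT = """crypto ipsec profile p1
crypto transform set t1
int tunnel0
ip address {ip} 255.255.255.252
tunnel source {src}
tunnel destination {dst}
tunnel mode ipsec ipv4
tunnel protection ipsec profile p1
"""
CENTRAL = DRAFT.format(ip="172.16.1.1", src="195.200.200.65", dst="78.50.50.3")
HUB = DRAFT.format(ip="172.16.1.2", src="78.50.50.3", dst="195.200.200.65")

def parse(cfg):
    """Extract the tunnel-related fields from one router's snippet."""
    def first(pattern):
        m = re.search(pattern, cfg, re.M)
        return m.group(1) if m else None
    addr = re.search(r"^\s*ip address (\S+) (\S+)", cfg, re.M)
    return {
        "if": ipaddress.ip_interface("/".join(addr.groups())) if addr else None,
        "src": first(r"^\s*tunnel source (\S+)"),
        "dst": first(r"^\s*tunnel destination (\S+)"),
        "mode": first(r"^\s*tunnel mode (.+?)\s*$"),
        "protect": first(r"^\s*tunnel protection ipsec profile (\S+)"),
        "profiles": set(re.findall(r"^\s*crypto ipsec profile (\S+)", cfg, re.M)),
    }

def check_pair(a_cfg, b_cfg):
    """Return a list of mismatches between tunnel endpoints A and B."""
    a, b = parse(a_cfg), parse(b_cfg)
    problems = []
    if None in (a["src"], a["dst"]) or (a["src"], a["dst"]) != (b["dst"], b["src"]):
        problems.append("tunnel source/destination are not mirrored")
    if not (a["if"] and b["if"]) or a["if"].network != b["if"].network:
        problems.append("tunnel addresses are not in the same subnet")
    elif a["if"].ip == b["if"].ip:
        problems.append("both ends use the same tunnel address")
    for name, r in (("A", a), ("B", b)):
        if r["mode"] != "ipsec ipv4":
            problems.append(f"{name}: tunnel mode is not 'ipsec ipv4'")
        if r["protect"] is None:
            problems.append(f"{name}: no 'tunnel protection ipsec profile' applied")
        elif r["protect"] not in r["profiles"]:
            problems.append(f"{name}: profile {r['protect']} is not defined")
    return problems
```

`check_pair(CENTRAL, HUB)` returns an empty list for the two drafts as posted; an empty list means only that the endpoints are consistent with each other, not that the tunnel will negotiate.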
