VPN Teleworker Options and Configurations


Hi,


I searched the discussions and docs but didn't find exactly what I was looking for. I am looking at documents/best practices for setting up remote offices/teleworkers over a VPN that will NOT terminate on the UC520. The VPN will be from a 5505 to a 5505 or an 871.


I would like to have a phone at the client site and a PC that accesses everything over the tunnel to the head office (where the UC520 lives).


On top of this I would also like the option for the Softphone client, and video on a PC that will VPN (IPSEC and SSL) into the 5505 and access the UC520 as well.


To add more fun to the mix I would like both types of clients to be able to use the Presence server (Call Connector for windows) as well.


I know these are multiple solutions but hey it never hurts to ask... ;)



Thanks in advance, and keep this community going.


Bob James

Steven DiStefano Sat, 08/22/2009 - 14:56

Hi Bob,

ASA is not a best-practice remote teleworker, which may explain why there is no design recommendation for that, but SR520 and 871W ISR are and were, respectively.


I put together an 871W ISR guide a few quarters ago, and a staff member in Japan recently validated it on current UC500 and CCA.

https://www.myciscocommunity.com/docs/DOC-1335


I later found that the tunnel would expire every 24 hours (max lifetime of the tunnel) and a fellow TME (Andy Hickman) offered the following solution...


To keep the tunnel up you can use the auto connect feature of EZVPN. This is pretty straightforward, just do the following:


Starting from a standard configuration built by CCA1.9 for remote access, use the following to allow the remote router to connect automatically to the UC500 VPN server.


On the UC500, add the following configuration via CLI:


crypto isakmp client configuration group EZVPN_GROUP_1
  save-password


On the remote device (870 or SR520), add the following configuration via CLI:


crypto ipsec client ezvpn EZVPN_REMOTE_CONNECTION_1
  username <xauth-username> password <xauth-password>


It is also strongly recommended that password encryption is configured on the remote device:


password encryption aes
key config-key password-encrypt



Hope this helps,


Steve DiStefano

Systems Engineer

U.S. Field Channel Sales Team
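The auto-connect procedure above, assembled as one added example (not Steve's, Andy's or CCA's configuration): both sides shown in their full profile context, with the type-6 master key set before the credentials so that the saved XAUTH password and group key are stored encrypted rather than in clear text. Assumed and not from the thread: the peer address 203.0.113.1, the username teleworker1, the interface names, and every value in angle brackets.

```cisco
! ===== UC500 (EZVPN server) side =====
! CCA already generated the group; only save-password is new.
! It lets the remote router keep its XAUTH credentials, so the
! tunnel can re-establish after the 24 hour lifetime without a
! person re-entering the password.
crypto isakmp client configuration group EZVPN_GROUP_1
 key <group-preshared-key>
 save-password
!
! ===== Remote router (871W / SR520, EZVPN client) side =====
! Configure type-6 password encryption FIRST, so the keys entered
! below are written to the configuration encrypted.
key config-key password-encrypt <master-key>
password encryption aes
!
crypto ipsec client ezvpn EZVPN_REMOTE_CONNECTION_1
 connect auto
 group EZVPN_GROUP_1 key <group-preshared-key>
 mode network-extension
 peer 203.0.113.1
 ! Saved XAUTH credentials: this is what keeps the tunnel
 ! re-connecting unattended. Only works when the server group
 ! has save-password set.
 username teleworker1 password <xauth-password>
 xauth userid mode local
!
! Bind the profile to the LAN (inside) and WAN (outside) interfaces.
! Interface names are assumed; adjust for the platform in use.
interface Vlan1
 crypto ipsec client ezvpn EZVPN_REMOTE_CONNECTION_1 inside
!
interface FastEthernet4
 crypto ipsec client ezvpn EZVPN_REMOTE_CONNECTION_1 outside
!
! Verify on the remote router:
!   show crypto ipsec client ezvpn      (state should be IPSEC ACTIVE)
!   show running-config | include password
!     (keys should appear as type 6, not in clear text)
```

Because the XAUTH password now lives on the remote router, the type-6 master key is the only thing protecting it; treat a stolen or decommissioned branch router as a credential compromise and rotate that user's password on the UC500.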

Thanks for the quick reply Steve,


I guess I should have said branch; we prefer the 5505 over the 871 for branch deployments.


If you are saying the 5505 will not work at the branch then I guess I have to try out the 871. Can I not just build an IPSEC tunnel s2s between the 5505 and 5510 and have this work for what I am trying to do? I would prefer not to use EZVPN, but if I have to I have to.


Currently I am testing the 5505, but obviously I am missing something and I assume it's an option in DHCP to have the phone go to the UC520; do you know what option it is in DHCP to tell the phone where to get its configs?


Anyway, if you could provide me answers to the above questions as well as why the 871 using EZVPN is the preferred method I would appreciate it,


Thanks,


Bob James

Steven DiStefano Sun, 08/23/2009 - 09:48

Hi Bob,

I didn't say it wouldn't work. Just limited support. The preferred supported remote teleworker is the SR520. It supports up to 4 phones without a switch but requires power bricks (no PoE like the 871W, where you can buy that power injector for the 4 switch ports).

But this is not a branch as you say, more a remote teleworker solution...


I searched around a little on this community and found some links for you to check out:

https://supportforums.cisco.com/message/3080105#3080105#1579

https://supportforums.cisco.com/message/3099259#3099259

https://supportforums.cisco.com/message/3092090#3092090

https://supportforums.cisco.com/message/3089522#3089522


Steve

Update,


I got the VPN tunnel over the 5505 working and the phones now register and complete. The problem I had was I did not define the 10.1.10.0/24 address to be allowed over the tunnel. Even though I thought this was just for voicemail, I needed it, and the TFTP update to the phone worked after this was put in.


My next step is to test the softphone, video and the call connector over this vpn.


Just for reference this is a pure IPSEC tunnel configured by CLI and not using EZVPN (this is the configuration I prefer) and not terminating on the UC520.



Another note is CCA does not support the 5505 but can see and set up the phones at the end of the tunnel. Also I don't think MOH (multicast) is supported over the tunnel (I have yet to see if I can get this going).


Thanks Steve for your input.


Bob James
