voice over vpn problem

Unanswered Question
May 11th, 2010

Help required. I have set up a small home network to practice routing IP phone calls over an IPsec VPN between a Cisco router and a Cisco UC520, with mixed success. To help with my question I have attached a network diagram.

I am able to create a site-to-site VPN between the uc520 and Router-1, a remote access VPN between remote access pc-1 and Router-1, and a remote access VPN between remote access pc-2 and the uc520.

WHAT WORKS

CME END

  • phones behind the cme/cue router can ring and leave voicemail for each other
  • remote access pc-1 can establish a remote access VPN to Router-1 and use a Cisco softphone to call and leave voicemail for phones behind the cme/cue router
  • pc behind cme/cue router can access external web server and shared resources on the pc attached to the uc520

UC520 END

  • phones attached to the uc520 can ring and leave voicemail for each other
  • remote access pc-2 can establish a remote access VPN to the uc520 and use a Cisco softphone to call and leave voicemail for phones attached to the uc520
  • pc attached to the uc520 can access external web server and shared resources on the pc behind the cme/cue router

PROBLEMS!!!

Whilst the tunnel can be brought up from either end (i.e. the pc behind the cme/cue router pings the pc attached to the uc520 and vice versa), no voice traffic is going across the site-to-site tunnel. All I get when the phones behind the cme/cue router try to ring the phones attached to the uc520, and vice versa, is a slight delay of about 5-10 seconds followed by the phone displaying "no such number".

I am fairly familiar with VPNs, both remote access and site to site, but I am fairly new to voice over IP, so could someone please take a look at the configs below and give me some pointers as to where the problem lies.

Regards
Melvyn Brown

cme/cue router

ip dhcp excluded-address 192.168.20.1 192.168.20.5
ip dhcp excluded-address 10.1.2.1 10.1.2.5
ip route 0.0.0.0 0.0.0.0 fastethernet0/0
clock timezone GMT 0
clock summer-time GMT recurring
ntp master
ip dhcp pool VOICE
 network 10.1.2.0 255.255.255.0
 default-router 10.1.2.1
 option 150 ip 10.1.2.1
service dhcp
ip dhcp pool DATA
 network 192.168.20.0 255.255.255.0
 default-router 192.168.20.1
service dhcp
interface Loopback0
 ip address 100.1.1.1 255.255.255.255
interface fastethernet0/0
 ip address 192.168.1.1 255.255.255.0
 no shut
interface FastEthernet0/1
 no shut
interface FastEthernet0/1.10
 encapsulation dot1q 10
 ip address 192.168.20.1 255.255.255.0
interface FastEthernet0/1.100
 encapsulation dot1q 100
 ip address 10.1.2.1 255.255.255.0
tftp-server flash:P0030702T023.bin
tftp-server flash:P0030702T023.loads
tftp-server flash:P0030702T023.sb2
tftp-server flash:P0030702T023.sbn
telephony-service
 max-ephones 50
 max-dn 50
 load 7960-7940 P0030702T023
 ip source-address 100.1.1.1
 date-format dd-mm-yy
 create cnf-files
ephone-dn 1 dual-line
 number 1001
ephone-dn 2 dual-line
 number 1002
ephone-dn 3 dual-line
 number 1003
ephone-dn 4 dual-line
 number 1004
ephone 1
 mac-address 0014.1CAA.4E48
 button 1:1
ephone 2
 mac-address 0013.C465.04C2
 button 1:2
ephone 3
 mac-address 001B.B9B8.8F97
 button 1:3
ephone 4
 mac-address 0050.DA47.F027
 button 1:4
dial-peer voice 2000 voip
 destination-pattern 2...
 session target ipv4:192.168.4.1
 dtmf-relay h245-alphanumeric
 codec g711ulaw
 no vad
interface service-Engine 0/0
 ip address 192.168.30.1 255.255.255.252
 no shut
 service-module ip address 192.168.30.2 255.255.255.252
 service-module ip default-gateway 192.168.30.1
ip http server
ip http path flash:
ip http authentication local
telephony-service
 web admin system name fred password flintstone
 dn-webedit
 time-webedit
dial-peer voice 1010 voip
 description voicemail
 destination-pattern 1010
 session protocol sipv2
 session target ipv4:192.168.30.2
 dtmf-relay sip-notify
 codec g711ulaw
 no vad
ephone-dn 20
 number #40....
 mwi on
ephone-dn 21
 number #41....
 mwi off
ephone 1
 username melvyn password brown
ephone 2
 username terry password smith
ephone 3
 username david password gilbert
ephone 4
 username richard password morgan

Router-1 (this router is one end of the ipsec tunnel)

access-list 101 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 permit ip 192.168.20.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 101 permit ip 192.168.20.0 0.0.0.255 10.1.10.0 0.0.0.3
access-list 101 permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 101 permit ip 10.1.2.0 0.0.0.255 10.1.10.0 0.0.0.3
access-list 101 permit ip 192.168.30.0 0.0.0.3 10.1.1.0 0.0.0.255
access-list 101 permit ip 192.168.30.0 0.0.0.3 192.168.10.0 0.0.0.255
access-list 102 deny ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 102 deny ip 192.168.20.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 102 deny ip 192.168.20.0 0.0.0.255 10.1.10.0 0.0.0.3
access-list 102 deny ip 192.168.20.0 0.0.0.255 192.168.15.0 0.0.0.255
access-list 102 deny ip 100.1.1.1 0.0.0.0 192.168.15.0 0.0.0.255
access-list 102 deny ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 102 deny ip 10.1.2.0 0.0.0.255 10.1.10.0 0.0.0.3
access-list 102 deny ip 192.168.30.0 0.0.0.3 10.1.1.0 0.0.0.255
access-list 102 deny ip 192.168.30.0 0.0.0.3 192.168.10.0 0.0.0.255
access-list 102 permit ip 192.168.20.0 0.0.0.255 any
access-list 103 permit ip 192.168.20.0 0.0.0.255 192.168.15.0 0.0.0.255
access-list 103 permit ip 100.1.1.1 255.255.255.255 192.168.15.0 0.0.0.255
crypto ipsec transform-set BOSTON esp-3des esp-md5-hmac
crypto isakmp key cisco123 address 192.168.4.1 no-xauth
crypto isakmp enable
crypto isakmp identity address
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto map VPN 10 ipsec-isakmp
 set peer 192.168.4.1
 set transform-set BOSTON
 match address 101
ip local pool remote-pool 192.168.15.1 192.168.15.10
aaa new-model
aaa authentication login user1 local
aaa authorization network group1 local
username barney password rubble
crypto isakmp client configuration group London
 key cisco
 domain cisco.com
 pool remote-pool
 acl 103
crypto dynamic-map dynmap 10
 set transform-set BOSTON
 reverse-route
crypto map VPN client authentication list user1
crypto map VPN isakmp authorization list group1
crypto map VPN client configuration address respond
crypto map VPN 15 ipsec-isakmp dynamic dynmap
interface fastethernet0/0
 ip address 192.168.2.1 255.255.255.0
 ip nat outside
 crypto map VPN
 no shut
interface fastethernet0/1
 ip address 192.168.1.2 255.255.255.0
 ip nat inside
 no shut
route-map nonat permit 10
 match ip address 102
ip nat inside source route-map nonat interface fastethernet0/0 overload
ip route 0.0.0.0 0.0.0.0 192.168.2.2
ip route 192.168.20.0 255.255.255.0 192.168.1.1
ip route 10.1.2.0 255.255.255.0 192.168.1.1
ip route 192.168.30.0 255.255.255.252 192.168.1.1
ip route 100.1.1.1 255.255.255.255 192.168.1.1

uc520 (the other end of the ipsec tunnel)

After resetting back to default, these are the changes I made to the configuration. The phones were configured using the configuration assistant.

clock timezone GMT 0
clock summer-time GMT recurring
no access-list 1
no access-list 104
no ip nat inside source list 1 interface FastEthernet0/0 overload
access-list 104 deny ip 10.1.10.0 0.0.0.3 any
access-list 104 deny ip 192.168.10.0 0.0.0.255 any
access-list 104 deny ip 10.1.1.0 0.0.0.255 any
access-list 104 permit udp any host 192.168.4.1 eq 500
access-list 104 permit udp any host 192.168.4.1 eq 4500
access-list 104 permit esp any host 192.168.4.1
access-list 104 permit udp any eq bootps any eq bootpc
access-list 104 permit icmp any any echo-reply
access-list 104 permit icmp any any time-exceeded
access-list 104 permit icmp any any unreachable
access-list 104 deny ip 10.0.0.0 0.255.255.255 any
access-list 104 deny ip 172.16.0.0 0.15.255.255 any
access-list 104 deny ip 192.168.0.0 0.0.255.255 any
access-list 104 deny ip 127.0.0.0 0.255.255.255 any
access-list 104 deny ip host 255.255.255.255 any
access-list 104 deny ip any any
access-list 106 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 106 permit ip 192.168.10.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 106 permit ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.3
access-list 106 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 106 permit ip 10.1.1.0 0.0.0.255 192.168.30.0 0.0.0.3
access-list 106 permit ip 10.1.10.0 0.0.0.3 10.1.2.0 0.0.0.255
access-list 106 permit ip 10.1.10.0 0.0.0.3 192.168.20.0 0.0.0.255
access-list 107 deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 107 deny ip 192.168.10.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 107 deny ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.3
access-list 107 deny ip 192.168.10.0 0.0.0.255 192.168.25.0 0.0.0.255
access-list 107 deny ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 107 deny ip 10.1.1.0 0.0.0.255 192.168.30.0 0.0.0.3
access-list 107 deny ip 10.1.10.0 0.0.0.3 10.1.2.0 0.0.0.255
access-list 107 deny ip 10.1.10.0 0.0.0.3 192.168.20.0 0.0.0.255
access-list 107 permit ip 192.168.10.0 0.0.0.255 any
access-list 108 permit ip 192.168.10.0 0.0.0.255 192.168.25.0 0.0.0.255
access-list 108 permit ip 10.1.1.1 0.0.0.0 192.168.25.0 0.0.0.255
crypto ipsec transform-set BOSTON esp-3des esp-md5-hmac
crypto isakmp key cisco123 address 192.168.2.1 no-xauth
crypto isakmp enable
crypto isakmp identity address
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto map VPN 10 ipsec-isakmp
 set peer 192.168.2.1
 set transform-set BOSTON
 match address 106
ip local pool remote-pool 192.168.25.1 192.168.25.10
crypto isakmp client configuration group Birmingham
 key cisco
 domain cisco.com
 pool remote-pool
 acl 108
crypto dynamic-map dynmap 10
 set transform-set BOSTON
 reverse-route
crypto map VPN client authentication list user1
crypto map VPN isakmp authorization list group1
username fred password flintstone
crypto map VPN client configuration address respond
crypto map VPN 15 ipsec-isakmp dynamic dynmap
interface fastethernet0/0
 ip address 192.168.4.1 255.255.255.0
 ip access-group 104 in
 ip nat outside
 crypto map VPN
 no shut
route-map nonat permit 10
 match ip address 107
ip nat inside source route-map nonat interface fastethernet0/0 overload
ip route 0.0.0.0 0.0.0.0 192.168.4.2
dial-peer voice 1000 voip
 destination-pattern 1...
 session target ipv4:192.168.1.1
 dtmf-relay h245-alphanumeric
 codec g711ulaw
 no vad

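A check that can be run against the configs in the post above, added here as an example and not part of the original thread: it tests whether the two crypto ACLs (101 on Router-1, 106 on the uc520) are mirror images of each other, and whether each H.323 dial-peer's session target falls inside a destination that the relevant ACL selects for the tunnel. The function names are invented for this example, and it assumes contiguous wildcard masks, as in the post.

```python
import ipaddress

# Crypto ACLs copied from the post: 101 on Router-1, 106 on the uc520.
ACL_101 = """
access-list 101 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 permit ip 192.168.20.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 101 permit ip 192.168.20.0 0.0.0.255 10.1.10.0 0.0.0.3
access-list 101 permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 101 permit ip 10.1.2.0 0.0.0.255 10.1.10.0 0.0.0.3
access-list 101 permit ip 192.168.30.0 0.0.0.3 10.1.1.0 0.0.0.255
access-list 101 permit ip 192.168.30.0 0.0.0.3 192.168.10.0 0.0.0.255
"""
ACL_106 = """
access-list 106 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 106 permit ip 192.168.10.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 106 permit ip 192.168.10.0 0.0.0.255 192.168.30.0 0.0.0.3
access-list 106 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 106 permit ip 10.1.1.0 0.0.0.255 192.168.30.0 0.0.0.3
access-list 106 permit ip 10.1.10.0 0.0.0.3 10.1.2.0 0.0.0.255
access-list 106 permit ip 10.1.10.0 0.0.0.3 192.168.20.0 0.0.0.255
"""

def net(addr, wildcard):
    """IOS address + contiguous wildcard mask -> ip_network (assumption: contiguous)."""
    ones = bin(int(ipaddress.IPv4Address(wildcard))).count("1")
    return ipaddress.ip_network(f"{addr}/{32 - ones}")

def parse(acl_text):
    """Return [(source_net, dest_net)] for each 'permit ip' entry."""
    rows = [line.split() for line in acl_text.splitlines()]
    return [(net(f[4], f[5]), net(f[6], f[7]))
            for f in rows if len(f) == 8 and f[2:4] == ["permit", "ip"]]

def unmirrored(local, remote):
    """Entries of `local` that have no swapped (dest, source) entry in `remote`."""
    return [(s, d) for s, d in local if (d, s) not in remote]

def covers(acl, target):
    """True if any entry selects traffic addressed to `target` for encryption."""
    ip = ipaddress.ip_address(target)
    return any(ip in d for _, d in acl)

if __name__ == "__main__":
    a101, a106 = parse(ACL_101), parse(ACL_106)
    print("in 101, no mirror in 106:", unmirrored(a101, a106))
    print("in 106, no mirror in 101:", unmirrored(a106, a101))
    # Session targets from dial-peer 2000 (cme/cue router) and dial-peer 1000 (uc520).
    print("192.168.4.1 selected by ACL 101:", covers(a101, "192.168.4.1"))
    print("192.168.1.1 selected by ACL 106:", covers(a106, "192.168.1.1"))
```

With the ACLs as posted, it reports one unmirrored entry in each direction and finds neither session target inside a destination selected for the tunnel.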
David Hailey Tue, 05/11/2010 - 14:49

Melvyn,

I'm sorry man, but this post is almost impossible to read as formatted.  Please repost but format things out so we can follow your issue and then the configs separately.

Thanks,

Hailey
