In the Cisco Unity Express 2.3 and Cisco CallManager Express 3.3, local phones can call voicemail and the auto attendant, but phones connected over the VPN receive no audio. They connect to voicemail, and the connected time increments, but there is no sound. These VPN phones can make calls to other phones. Also, IP Phones can be pinged from Cisco Unity Express.
If an ephone is attached to Cisco CallManager Express over IPsec, the ephone is able to transmit Real-Time Protocol (RTP) over the dialpeer. But, traffic that comes from the dialpeer to the ephone is not encrypted. As a result, the downstream router discards the clear rtp packets. This problem is most commonly seen if encrypted ephones and a Cisco Unity Express module are used together. The problem was found during testing of a teleworker solution.
There are two workarounds:
Use encrypted Generic Routing Encapsulation (GRE) tunnels. If the remote router is attached with a GRE/IPsec tunnel, the ephone routes through the tunnel and the GRE interface passes through encryption properly.
Use policy based routing (PBR) in order to force the ephone traffic through the encryptor. In order to do this, place a static route to the home ephone that points at a loopback interface. Then, use PBR on the loopback in order to set the next hop downstream of the crypto map. This is an example:
interface loopback 2 ip address x.x.x.x 255.255.255.0 !--- This is the Loopback Interface. ip policy route-map policymap exit
ip route x.x.x.x 0.0.0.0 loop 2 !--- This is the IP Phone Address.
route-map policymap permit 10 set ip next-hop y.y.y.y !--- This is the Next Hop - Public IP Address. exit