Re: CME traffic over VPN IPSec Router-to-Router Hub and spoke

nicanor00 · ‎01-29-2009

hello

I have on central and 3 remote site with VPN IPSec Router-to-Router Hub and spoke

CME ---> central router--->remote router

all ip address is private

central and remotes sites are connected by 3 wireless link

I configued ipsec vpn betweencentral router and 3 remote router

VoIp communication between user conected direcly on CME on central site is working fine

But on remote site 7940 voip phone is nots connscted on CME

I have this message on 7040 screen

- configuration IP

- opening 192.168.1.1

- configuration liste

But the phone is still trying to connect on cme and download configuration

How can I solve this probleme and make call between central and remote site ?

192.168.1.1 is CME ip address

ivillegas · ‎02-04-2009

Run "debug ephone reg" and "debug ephone det" and see what happens to the registration request from the remote IP Phones. Also enable the "debug tftp eve" to see if those phones send any tftp requests to the CME.

Troubleshooting Phone Registration in Cisco Unified CME:

http://www.cisco.com/en/US/docs/voice_ip_comm/cucme/troubleshooting/guide/ts_phreg.html

Nicholas Matthews · ‎02-04-2009

I would advise against running 'debug ephone detail'. This is a highly verbose command and can cripple a router with even just a few phones on it. Plus, it doesn't really help much at all.

Get L3 pings to work before you worry too much about debugs. The configuration required will be on your VPNs anyway, more than likely.

-nick

exonetinf1nity · ‎02-04-2009

Can you post the relevant portion of your vpn config?

Are you using both voice and data vlans at each site?

Have you got your NAT and Encryption ACL's correct at each endpoint?

Example Router to Router VPN Config:

Router 1:

access-list 100 remark ****** Link to Router2 ******

access-list 100 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255

!

access-list 101 remark ****** NAT ACL ******

access-list 101 deny ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255

access-list 101 permit ip 10.1.1.0 0.0.0.255 any

!

ip nat inside source route-map nonat interface FastEthernet 0/1 overload

!

route-map nonat permit 10

match ip address 101

!

crypto isakmp policy 10

hash md5

authentication pre-share

encryption 3des

group 2

lifetime 86400

!

crypto isakmp key cisco123 address 2.2.2.2

!

crypto ipsec transform-set myset esp-3des esp-md5-hmac

mode tunnel

!

crypto map mymap 1 ipsec-isakmp

description ****** Link to Router2 ******

set peer 2.2.2.2

set transform-set myset

set pfs group2

match address 100

set security-association lifetime seconds 86400

set security-association lifetime kilobytes 4608000

!

interface FastEthernet 0/1

crypto map mymap

ip nat outside

!

interface FastEthernet 0/0

ip nat inside

Router 2:

access-list 100 remark ****** Link to Router1 ******

access-list 100 permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255

!

access-list 101 remark ****** NAT ACL ******

access-list 101 deny ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255

access-list 101 permit ip 10.1.2.0 0.0.0.255 any

!

ip nat inside source route-map nonat interface FastEthernet 0/2 overload

!