01-29-2009 12:40 AM - edited 03-15-2019 03:50 PM
hello
I have on central and 3 remote site with VPN IPSec Router-to-Router Hub and spoke
CME ---> central router--->remote router
all ip address is private
central and remotes sites are connected by 3 wireless link
I configued ipsec vpn betweencentral router and 3 remote router
VoIp communication between user conected direcly on CME on central site is working fine
But on remote site 7940 voip phone is nots connscted on CME
I have this message on 7040 screen
- configuration IP
- opening 192.168.1.1
- configuration liste
But the phone is still trying to connect on cme and download configuration
How can I solve this probleme and make call between central and remote site ?
192.168.1.1 is CME ip address
02-04-2009 12:39 PM
Run "debug ephone reg" and "debug ephone det" and see what happens to the registration request from the remote IP Phones. Also enable the "debug tftp eve" to see if those phones send any tftp requests to the CME.
Troubleshooting Phone Registration in Cisco Unified CME:
http://www.cisco.com/en/US/docs/voice_ip_comm/cucme/troubleshooting/guide/ts_phreg.html
02-04-2009 01:12 PM
I would advise against running 'debug ephone detail'. This is a highly verbose command and can cripple a router with even just a few phones on it. Plus, it doesn't really help much at all.
Get L3 pings to work before you worry too much about debugs. The configuration required will be on your VPNs anyway, more than likely.
-nick
02-04-2009 02:34 PM
Can you post the relevant portion of your vpn config?
Are you using both voice and data vlans at each site?
Have you got your NAT and Encryption ACL's correct at each endpoint?
Example Router to Router VPN Config:
Router 1:
access-list 100 remark ****** Link to Router2 ******
access-list 100 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
!
access-list 101 remark ****** NAT ACL ******
access-list 101 deny ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 101 permit ip 10.1.1.0 0.0.0.255 any
!
ip nat inside source route-map nonat interface FastEthernet 0/1 overload
!
route-map nonat permit 10
match ip address 101
!
crypto isakmp policy 10
hash md5
authentication pre-share
encryption 3des
group 2
lifetime 86400
!
crypto isakmp key cisco123 address 2.2.2.2
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
mode tunnel
!
crypto map mymap 1 ipsec-isakmp
description ****** Link to Router2 ******
set peer 2.2.2.2
set transform-set myset
set pfs group2
match address 100
set security-association lifetime seconds 86400
set security-association lifetime kilobytes 4608000
!
interface FastEthernet 0/1
crypto map mymap
ip nat outside
!
interface FastEthernet 0/0
ip nat inside
Router 2:
access-list 100 remark ****** Link to Router1 ******
access-list 100 permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
!
access-list 101 remark ****** NAT ACL ******
access-list 101 deny ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 101 permit ip 10.1.2.0 0.0.0.255 any
!
ip nat inside source route-map nonat interface FastEthernet 0/2 overload
!
route-map nonat permit 10
match ip address 101
!
crypto isakmp policy 10
hash md5
authentication pre-share
encryption 3des
group 2
lifetime 86400
!
crypto isakmp key cisco123 address 1.1.1.1
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
mode tunnel
!
crypto map mymap 2 ipsec-isakmp
description ****** Link to Router1 ******
set peer 1.1.1.1
set transform-set myset
set pfs group2
match address 100
set security-association lifetime seconds 86400
set security-association lifetime kilobytes 4608000
!
interface FastEthernet 0/2
crypto map mymap
ip nat outside
!
interface FastEthernet 0/0
ip nat inside
Regards
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: