Cisco Support Community

New Member

CME with remote site via VPN

Good afternoon,

I have a Cisco 2851 running IOS Version 12.4(11)T2 with CME 4.0(2).

I will be running a Cisco 877W on the remote site.

What I am wondering is what are the best techniques to set this up?

Should I use a Remote access or a Site to Site type VPN solution?

What kind of tunnel setup should I configure? (PPTP, L2TP over IPSec, GRE, GRE over IPSec, pure IPSec)

I am assuming that once the VPN is configured for IP connectivity between the remote site and main site, the phone setup will be the same as normal, as long as the phone has the correct TFTP IP address.

Can anyone help me with what methods are best?

7 REPLIES
Hall of Fame Super Gold

Re: CME with remote site via VPN

Hi, if you don't have special security concerns, I would use GRE in the first place. That is easy to encipher with a crypto profile if the need arises. With a proper VPN you don't need to worry about where devices are and everything works transparently. You don't need to make VLANs or try to bring the remote phone into the local voice VLAN, as it will work anyway.

Hope this helps, please rate post if it does!

New Member

Re: CME with remote site via VPN

At the moment my only security concerns are that the local network at one site can communicate with the local network at the other site without external people being able to...

And that's the point of VPNs, isn't it?

What do you mean by special security concerns?

Just to make matters harder this is my setup at the main site.

2851router --> 3560switch --> 3560switch

The first 3560 switch has a lot of VLANs on it and does L3 routing.

Ideally I'd like the VPN to connect to the 2851 and be able to connect to a VLAN on the first 3560 switch.

Is that possible?

Hall of Fame Super Gold

Re: CME with remote site via VPN

Hi, with a GRE setup, the remote site would receive routing information for all the VLANs and vice versa. So you have three (OSPF or RIP) routers: the 877, the 2851 where the tunnel lands, and the 3560.

The security consideration is if you want the traffic to be encrypted or not. Really, from the router's point of view it doesn't make much of a difference, but encryption is more overhead on the circuits, that's all.

New Member

Re: CME with remote site via VPN

Thanks for your advice so far p.bevilacqua!

Should I be looking at following this guide for my VPN?

http://www.cisco.com/en/US/tech/tk827/tk369/technologies_configuration_example09186a00800946b8.shtml

Hall of Fame Super Gold

Re: CME with remote site via VPN

You can look at that, but your case there should be somewhat simpler (no NAT and no firewall).

Silver

Re: CME with remote site via VPN

Since 12.3(7)T (nearly 4 years ago) there is absolutely NO REASON to be using the legacy crypto map configuration, particularly with GRE tunnels.

You should be using the IPSec VTI (Virtual Tunnel Interface) construct which is much simpler and supports more features and is CEF switched. See the following URLs:

http://www.cisco.com/en/US/docs/ios/12_4/secure/configuration/guide/hipsctm.html

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/prod_white_paper0900aecd803645b5.html

New Member

Re: CME with remote site via VPN

Thanks to both of you for your help.

This is what I've got so far for my config, which I have not quite implemented yet.

Central Router:

crypto ipsec profile p1
crypto transform set t1
int tunnel0
 ip address 172.16.1.1 255.255.255.252
 tunnel source 195.200.200.65
 tunnel destination 78.50.50.3
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile p1

Hub Router:

crypto ipsec profile p1
crypto transform set t1
int tunnel0
 ip address 172.16.1.2 255.255.255.252
 tunnel source 78.50.50.3
 tunnel destination 195.200.200.65
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile p1

Apart from the static routes is that all that is needed to get a tunnel up between the two routers?

Many thanks once again.
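
Added example, not part of the original thread and not a Cisco reference configuration: the draft above declares the IPsec profile and the tunnel interface, but a static VTI also needs an IKE phase 1 policy, a pre-shared key for the peer, a defined transform set, and the profile pointing at that transform set. The sketch below fills those in for the first router in the post; the policy number, algorithm choices, DH group and key placeholder are assumptions, and the other router mirrors it with the addresses swapped.

```cisco
! --- IKE phase 1: how the two routers authenticate and protect negotiation ---
! Policy number 10 and the algorithms below are assumed choices; both peers
! must have at least one matching policy.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 5
!
! Pre-shared key bound to the peer's public address (placeholder, not a real key).
crypto isakmp key <PRE_SHARED_KEY> address 78.50.50.3
!
! --- IPsec phase 2: what protects the tunnelled traffic ---
! The transform set must be defined with its algorithms (assumed here)
! before the profile can reference it.
crypto ipsec transform-set t1 esp-aes 256 esp-sha-hmac
!
crypto ipsec profile p1
 set transform-set t1
!
! --- Tunnel interface, addresses as given in the post ---
interface Tunnel0
 ip address 172.16.1.1 255.255.255.252
 tunnel source 195.200.200.65
 tunnel destination 78.50.50.3
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile p1
!
! Routing: point the remote LAN at the tunnel (prefix is a placeholder), e.g.
!  ip route <REMOTE_LAN> <MASK> Tunnel0
! or run a routing protocol over Tunnel0 as suggested earlier in the thread.
```

Once both sides are configured, `show crypto isakmp sa` and `show crypto ipsec sa` confirm that phase 1 and phase 2 have been negotiated, and Tunnel0 should show line protocol up.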
