Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Community Member

UC5XX with IPSEC VPN Remote Cisco Phones

Hello, we have been testing a deployment as follows:

1. We have IPSEC VPN´s with third party equipments

2. We put the UC5XX in the central site and phisical or softphones work well

3. We test a ping from the remotes site 1 to the central site and could achieve the management IP address of the UC5XX (in our case 192.168.10.1)

4. But we can´t ping the Voice Vlan interface in the UC and the softphones or phisical phones can´t register to de UC5XX.

5. We have been trying with DHCP from the remote site and static but the result is the same:softphones or phisical phones that was registered in the central site can´t register to de UC5XX remotely.

The questions please:

1. The UC5XX need only an SSL Vpn´s to work as we need or IPSEC VPN´s must also work?

2. If the answer is SSL Vpn´s, can we use the third party equipments?

3. If the answer is only Cisco router in the remote site, wich model could you recommend us only for 5 phones in the remote site? We know about SR-520-T1 but it´s EOL, wath is another option (the most simple and cheapest)?

Thanks!!

Everyone's tags (3)
6 REPLIES
Community Member

UC5XX with IPSEC VPN Remote Cisco Phones

I have remote phones working on the UC500.

In the CCA, go to VPN Server. Allow split tunneling, add the networks you need to reach. I always add 10.1.1.0/24, 10.1.10.1/24 and 192.168.10.0/24.

Then your computer must have the Cisco VPN Client installed.

Connect with the VPN Client and make sure your IP Communicatior is configured to use 10.1.1.1 as it's tftp server.

I think the maximum IP-Sec VPN sessions allowed is 10, but I could be wriong about that???

To use the SPA525G2 remotely, you will need to configure the SSL VPN Server. You can have both working. Configure the secondary IP address on the Gig 0/0 interface. You will need to do this in CLI. You need to do this especially if you have port 443 forwarded to the inside network. The SPA phones will use port 443 on the secondary IP address.

Clear as mud???

Community Member

UC5XX with IPSEC VPN Remote Cisco Phones

Hello,

My name is Miguel, I work with Rodrigo (rnoboa1977), about this case we have done the following tests and static routes configurations on the routers, agree with the screen showed below:

1) On the Cisco UC540 we add the route:

destination IP : 192.168.70.0

mask: 255.255.255.0

gateway: 192.168.10.3

2) On the 3Com X5 router, we add the routes:

destination IP : 10.1.1.0

mask: 255.255.255.0

gateway: 192.168.10.1

destination IP : 192.168.70.0

mask: 255.255.255.0

gateway: 192.168.10.1

3) On the 3Com Office Connect router, we add the routes:

destination IP : 10.1.1.0

mask: 255.255.255.0

gateway: 182.47.39.68  (router public IP)

destination IP : 192.168.70.0

mask: 255.255.255.0

gateway: 192.168.10.3

but we don't have connectivity from a PC on the remote site to the voice VLAN interface on the UC540 (10.1.1.1), prerequisite I think to register a Cisco 303 Phone on the remote site.

However we have connectivity from a PC on the remote site to the data VLAN interface on the UC540 (192.168.10.1)

Please could you suggest something more about this case to achieve connectivity between these two sites

Cisco Employee

UC5XX with IPSEC VPN Remote Cisco Phones

Hi Miguel,

It looks like you are doing the VPN between the 3Com devices.  What networks are defined as 'interesting traffic' for the VPN?  It sounds like from 192.168.70.0 to 192.168.10.0 is working.  Do you have IPSec SAs for 192.168.70.0 to 10.1.1.0 (Voice) and 10.1.10.0 (CUE) networks?  If so, are the IPSec SAs up and passing traffic?

As long as you have setup the VPN to allow traffic from 192.168.70.0 network to 192.168.10.0, 10.1.1.0 and 10.1.10.0 networks, then you would just need the following routes on these devices:

UC540: 

192.168.70.0 pointing to 192.168.10.3 (sounds like this is there as this traffic is working)

3Com X5 router:

192.168.70.0 pointing to its gateway (sounds like this is there as this traffic is working)

10.1.1.0 pointing to 192.168.10.1

10.1.10.0 pointing to 192.168.10.1

Router Office:

192.168.10.0 pointing to its gateway (sounds like this is there as this traffic is working)

10.1.1.0 pointing to its gateway

10.1.10.0 pointing to its gateway

Also, according to your diagram, the phones are not acquiring TFTP server.  Make sure that whatever is providing DHCP for the remote office has option 150 configured to provide 10.1.1.1 for the TFTP server for the phones.

Thanks,

Brandon

Community Member

UC5XX with IPSEC VPN Remote Cisco Phones

Brandon,

thanks so much for your answer,

the UC540 is working as DHCP Server,

the option 150 is not configured on the UC540 DHCP Server, could you send us some tips to achieve this configuration on the UC540?

on the question about to have IPSec SA:

we have only an IPSec SA tunnel association between the subnet 192.168.70.0 to 192.168.10.0 on the X5 router, as you can see on the next screen capture:

maybe you suggest I must create another IPSec SA tunnel association on the X5 router, between subnet 10.1.1.0 to the subnet 192.168.70.0 with its corresponding configuration on the office connect router on the remote site?

I cannot create another IPSec Association using the subnet 192.168.70.0 because it causes conflict with the other tunnel already created.

Greeetings,

Miguel

Cisco Employee

UC5XX with IPSEC VPN Remote Cisco Phones

Hi Miguel,

What is the DHCP Server at the remote office?  That is the device that needs to provide Option 150 for the phones at the remote office.

I'm not familiar with the 3Com X5, but looking at your screenshot, it looks like there is an option for an IP Address Group for Local Networks.  Does the remote site's 3Com device have this option?  If so, it looks like you may be able to create an IP Address Group with the 192.168.10.0, 10.1.1.0 and 10.1.10.0 networks.  You would use that as the Local Networks on the X5 (closest to the UC540) and create one for the Remote Networks on the remote site's 3Com device.

Hope that helps.

Thanks,

Brandon

Community Member

UC5XX with IPSEC VPN Remote Cisco Phones

Hi Brandon,

Happy new year for you.

Thanks so much for your answer and suggestions.

you suggest us to create an IP Address Group respectively with the networks 192.168.10.0, 10.1.1.0  and  10.1.10.0, that is  should we create these Local Network options both on the X5 router (central site) as on the office connect router on remote site? We must to make a functionality of IP Address Group on both equipments, the router of central site as the router on remote site?

I am not sure that the remote router (office connect) have this feature of create IP Address Groups or even to be possible to implement the option 150 on it. If I would wish to achieve a connection between the UC540 on central site and a router Cisco on remote site, wich model of router cisco could you recommend us only for 5 phones in the remote site? Taking into account that SR-520-T1 is EOL, wath would be another option (the most simple and cheapest)?

We appreciate your comments about this case, thanks.

Miguel

2262
Views
0
Helpful
6
Replies
CreatePlease to create content