VPN and SRST

ouhakheme
Level 3

Hey everyone --

I have a customer with 15+ branches running in SRST mode. About half of the branches have a VPN tunnel through the internet, the other half are directly on the MPLS (via a T1 or DSL/Net-VPN). I have a problem where each of the branches will randomly go into SRST mode, even though there is no evidence that the tunnel went down.

My keepalive on the gateway is set to 20 seconds, but the phones will take about 2 minutes to re-register with the CCM. This I can probably fix eventually, but I wanted to know if anyone else is running a gateway with SRST over a VPN to see if I need to modify my settings to prevent the site from entering SRST at all.

Thanks guys.

Ohamien


hadbou
Level 5

There are different ways to display the RTP packets sent and received by the ephone. You can determine whether the ephone can receive RTP packets from Cisco CallManager Express in these ways:

Issue the show ephone command on Cisco CallManager Express.

Browse the ephone ip address in order to check the call stream statistics.

Press the help (i or ?) button twice in quick succession during an active call in order to show the call statistics on the screen.

Normally, GRE over IPSec is the recommended solution for this one-way voice issue. If the remote VPN client cannot support the GRE tunnel, as is the case with VPN 3002 client software, you can still use policy routing to achieve two-way audio.

You can use Policy-based Routing (PBR) in order to force the ephone traffic through the encryptor. In order to do this, apply a static route to the remote ephone pointing at a loopback interface. Then use PBR on the loopback in order to set the next hop downstream of the crypto map.

This is a sample configuration:

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group RemoteUsers
 key emmanuel
!
crypto isakmp client configuration group cisco
 key cisco
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set ESP-3DES-SHA
 reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
!--- Create the loopback interface and apply the policy
!--- route-map.
interface Loopback10
 ip address 192.168.5.1 255.255.255.0
 ip policy route-map 10
!
interface GigabitEthernet0/0
 ip address 10.66.75.195 255.255.255.128
 duplex auto
 speed 100
 crypto map SDM_CMAP_1
!
interface Service-Engine0/1
 ip unnumbered GigabitEthernet0/0
 service-module ip address 10.66.75.196 255.255.255.128
 service-module ip default-gateway 10.66.75.195
!
interface GigabitEthernet0/1
 ip address 192.168.10.1 255.255.255.0
 duplex auto
 speed auto
 no keepalive
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.66.75.129
!--- Route the ephone traffic to the loopback interface.
ip route 192.168.20.2 255.255.255.255 loopback10
ip route 10.66.75.196 255.255.255.255 Service-Engine0/1
!
!
ip http server
no ip http secure-server
ip http path flash:
!
!--- Define the access-list to match the traffic to ephone.
access-list 101 permit ip any host 192.168.20.2
!
!--- Configure the route-map for the policy routing and
!--- issue the set ip next-hop or set interface command in the route-map
!--- in order to force the ephone traffic to go through the encryptor.
route-map 10 permit 10
 match ip address 101
 set ip next-hop 10.66.75.167
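As an added example (not part of the thread and not Cisco code), a small Python checker that reads the PBR pieces of a config like the one above and confirms that the ephone /32 route, the loopback's policy route-map, the ACL and the next-hop line up so the phone traffic really lands on the crypto-mapped interface. The embedded config is a constructed excerpt of the reply's sample; the function names are hypothetical.

```python
import re
from ipaddress import ip_address, ip_interface

# Constructed excerpt of the reply's IOS config, trimmed to the PBR pieces (hypothetical sample).
SAMPLE_CONFIG = """\
interface Loopback10
 ip policy route-map 10
interface GigabitEthernet0/0
 ip address 10.66.75.195 255.255.255.128
 crypto map SDM_CMAP_1
ip route 192.168.20.2 255.255.255.255 loopback10
access-list 101 permit ip any host 192.168.20.2
route-map 10 permit 10
 match ip address 101
 set ip next-hop 10.66.75.167
"""

def parse_ios(text):
    # Collect interfaces, /32 static routes, ACL host entries and route-maps; names are lower-cased
    cfg, blk = {"if": {}, "route32": {}, "acl": {}, "rm": {}}, {}
    for s in (l.strip() for l in text.splitlines()):
        if m := re.match(r"(interface|route-map) (\S+)", s):
            blk = cfg["if" if m[1] == "interface" else "rm"].setdefault(m[2].lower(), {})
        elif m := re.match(r"ip route (\S+) 255\.255\.255\.255 (\S+)", s):
            cfg["route32"][m[1]] = m[2].lower()  # IOS interface names are case-insensitive
        elif m := re.match(r"access-list (\d+) permit ip any host (\S+)", s):
            cfg["acl"].setdefault(m[1], set()).add(m[2])
        elif m := re.match(r"ip address (\S+) (\S+)", s):
            blk["addr"] = ip_interface(f"{m[1]}/{m[2]}")  # dotted netmask is accepted here
        elif m := re.match(r"(ip policy route-map|crypto map|match ip address|set ip next-hop) (\S+)", s):
            blk[m[1]] = m[2].lower()
    return cfg

def check_pbr_hairpin(cfg, ephone):
    # Findings that would let ephone traffic bypass the crypto map; an empty list means consistent
    lo = cfg["if"].get(cfg["route32"].get(ephone))
    if lo is None:
        return [f"no /32 route sending {ephone} to a configured interface"]
    rm = cfg["rm"].get(lo.get("ip policy route-map"))
    if rm is None:
        return ["loopback carries no 'ip policy route-map' naming a defined route-map"]
    findings = []
    if ephone not in cfg["acl"].get(rm.get("match ip address"), set()):
        findings.append(f"route-map ACL {rm.get('match ip address')} does not match host {ephone}")
    nh = rm.get("set ip next-hop")
    if not nh or not any(ip_address(nh) in d["addr"].network for d in cfg["if"].values()
                         if "crypto map" in d and "addr" in d):
        findings.append(f"next-hop {nh} is not on the subnet of a crypto-mapped interface")
    return findings
```

Run it against a real running-config export whenever the loopback, ACL or crypto-map interface is changed; a non-empty list is the usual reason the PBR hairpin quietly stops sending one direction of the RTP stream through the tunnel.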

I'm not using CCME.

I'm also not having any issues with one-way voice. My phones are working without issue; however, they unregister periodically.