SRP527W & SPA508g Remote teleworker

Damian Halloran
Level 1

Hi,

Am trying to set up a site to site VPN connection with an SRP527W & a UC520 for a remote teleworker with a SPA508G.

The VPN is coming up but no traffic is being routed over it. I've verified the config on the 520 against others I've done that are working but of course I may have missed something.

Can I please have some suggestions as to what to check, and troubleshoot?

Also should this type of set up work?

Thanks,

Damian Halloran

5 Replies

Andrew Hickman
Cisco Employee

Hi,

Just to be clear...

You are using manually configured crypto maps on the UC520 - not the EZVPN remote access server that CCA configures?  The SRP520 does not have an EZVPN client.

Have you had a look at the following?

https://supportforums.cisco.com/docs/DOC-16927

For the phones, you will need to manually configure the TFTP server to point at the UC520 (192.168.10.1 by default) and ensure that that subnet is configured to route across the VPN - if you haven't already done that.

Regards,

Andy

Hi Andy,

Thanks for the response.

Yes I am using manually configured crypto maps as per the document you've linked to.

I've checked the routes on the SRP and it points to the tunnel (ipsec0) for 192.168.10.0/24.

What appears to be happening however is that when I try a traceroute from an internal host on the 192.168.10.0 network (the UC520 end) to an internal host on the 192.168.15.0 network (the SRP520 end) the route heads off to the internet, not the VPN tunnel? Also the counters aren't increasing on the ACL in place as per the instructions.

Thanks again.

Damian Halloran

Update to my earlier message...

I think the config document mentioned earlier is missing a section on excluding the VPN traffic from the NAT process?

So I've now got the VPN running and traffic is happily traversing between both sides; however, the handset isn't registering. I think this is because the SRP doesn't know the route to the 10.1.1.0 or the 10.1.10.0 networks, and it doesn't seem possible to add these routes manually. Is this correct or can I add these routes manually and select the ipsec0 interface as the next hop?

Thanks.

Hi Damian,

Only one set of routes can be specified for an IPSec policy. Either create an additional policy for the voice VLAN, or renumber the VLANs so that they can both be covered by a common address/mask.

You can't add a static route via a tunnel.

Regards,

Andy
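The choice described in the answer above (one policy with a common address/mask, or an additional policy per subnet) can be checked before touching either device. The following is an added example, not part of the original thread and not Cisco code; the /24 masks on the 10.1.x.x and 192.168.15.0 networks, the renumbered subnets and the `min_prefix` cut-off are assumptions.

```python
import ipaddress


def common_supernet(subnets):
    """Smallest single network that contains every subnet in the list."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    first = min(n.network_address for n in nets)
    last = max(n.broadcast_address for n in nets)
    candidate = ipaddress.ip_network(f"{first}/{first.max_prefixlen}")
    while last not in candidate:
        candidate = candidate.supernet()
    return candidate


def uncovered(policy_remote, needed):
    """Subnets the phone must reach that the policy's remote selector misses."""
    policy = ipaddress.ip_network(policy_remote)
    return [s for s in needed if not ipaddress.ip_network(s).subnet_of(policy)]


def plan_policies(local_lan, remote_subnets, min_prefix=16):
    """Return the remote selectors to configure, one per IPsec policy.

    A single common selector is used only if it does not overlap the local
    LAN and is no wider than min_prefix (assumed cut-off), so that unrelated
    traffic is not pulled into the tunnel.
    """
    supernet = common_supernet(remote_subnets)
    local = ipaddress.ip_network(local_lan)
    if supernet.prefixlen >= min_prefix and not supernet.overlaps(local):
        return [str(supernet)]
    return [str(ipaddress.ip_network(s)) for s in remote_subnets]


if __name__ == "__main__":
    srp_lan = "192.168.15.0/24"   # SRP side, mask assumed
    data = "192.168.10.0/24"      # UC520 data subnet from the thread
    voice = "10.1.1.0/24"         # voice network from the thread, mask assumed

    print("missed by current policy:", uncovered(data, [data, voice]))
    print("as numbered today:       ", plan_policies(srp_lan, [data, voice]))
    # Constructed renumbering options for the voice VLAN:
    print("voice -> 192.168.11.0/24:", plan_policies(srp_lan, [data, "192.168.11.0/24"]))
    print("voice -> 192.168.14.0/24:", plan_policies(srp_lan, [data, "192.168.14.0/24"]))
```

A result with two entries means an additional policy is needed; the last case shows a renumbering that looks adjacent but whose common mask would swallow the SRP's own LAN.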

Thanks Andrew, works a treat now!!!