
VoIP and VPN

sandman420
Level 1

Hello,

I have a question about some voip/vpn configuration. I've got two sites that have 1760 routers with fxo/fxs cards that are going to be tying the two phone systems together with a couple of voip trunks. These are secondary devices on the network, but addressed with a 2nd wan ip. The only traffic going through these routers is voice/voip.

My question is about this voip setup with vpn. If I configure an easy vpn server on the router at site 1 and easy vpn client on the router at site 2, and have a site-to-site vpn connection, will the voip traffic pass over that? Is there a need to have a vpn? Any benefits to sending the voip data across vpn, other than the obvious encryption of the "call"?

Here's my voip configuration as it sits on the bench in testing:

SITE 1:

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SITE 1
!
boot-start-marker
boot-end-marker
!
enable secret XXX
!
no aaa new-model
voice-card 2
!
voice-card 3
!
ip cef
!
interface FastEthernet0/0
 ip address 192.168.254.30 255.255.255.0
 speed auto
 no shutdown
!
no ip http server
no ip http secure-server
!
control-plane
!
voice-port 2/0
 connection plar opx 290
!
voice-port 2/1
 connection plar opx 291
!
voice-port 2/2
!
voice-port 2/3
!
voice-port 3/0
 connection plar 190
!
voice-port 3/1
 connection plar 191
!
voice-port 3/2
!
voice-port 3/3
!
dial-peer voice 180 pots
 destination-pattern 180
 port 2/0
!
dial-peer voice 181 pots
 destination-pattern 181
 port 2/1
!
dial-peer voice 190 voip
 destination-pattern 19
 session target ipv4:192.168.254.40
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
 password xxx
 logging synchronous
 login
 transport input telnet
!
end

AND SITE 2:

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SITE 2
!
boot-start-marker
boot-end-marker
!
enable secret XXX
!
no aaa new-model
voice-card 2
!
voice-card 3
!
ip cef
!
interface FastEthernet0/0
 ip address 192.168.254.40 255.255.255.0
 speed auto
!
no ip http server
no ip http secure-server
!
control-plane
!
voice-port 2/0
 connection plar opx 280
!
voice-port 2/1
 connection plar opx 281
!
voice-port 2/2
!
voice-port 2/3
!
voice-port 3/0
 connection plar 180
!
voice-port 3/1
 connection plar 181
!
voice-port 3/2
!
voice-port 3/3
!
dial-peer voice 190 pots
 destination-pattern 190
 port 2/0
!
dial-peer voice 191 pots
 destination-pattern 191
 port 2/1
!
dial-peer voice 180 voip
 destination-pattern 18
 session target ipv4:192.168.254.30
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
 password xxx
 logging synchronous
 login
 transport input telnet
!
end

1 Reply

paolo bevilacqua
Hall of Fame

Hi, not sure why you posted in video since it is a voip question. Anyway, to answer your question: it is not that you have to use vpn all the time just because it is encrypted; if the routers are facing the internet they can do perfectly well without. That is the simplest and easiest to diagnose configuration, with also the least overhead.

Eventually, again if you don't care about encryption, you can set up a GRE tunnel to connect any subnet behind the routers. Again, voip can normally work outside the tunnel, as it is router-to-router communication after all.

In any case make sure you configure an ACL blocking H.323 and SIP coming from unknown addresses, because if you have a PSTN connection, it has become a common fraud with people making expensive calls.
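
The signaling ACL recommended in the reply above, written out for the Site 1 router as an added example (not part of the original thread and not posted by either participant). It assumes the Site 2 router at 192.168.254.40 is the only legitimate signaling peer, the standard ports TCP 1720 for H.323 call setup and 5060 for SIP, and a hypothetical ACL name `VOICE-SIG-IN`.

```cisco
! Added example: inbound VoIP signaling filter for SITE 1.
! Assumption: the only trusted signaling peer is the Site 2 router
! (192.168.254.40 on the bench; substitute its WAN address in production).
!
ip access-list extended VOICE-SIG-IN
 remark Allow H.323 (H.225 call setup) and SIP from the Site 2 router only
 permit tcp host 192.168.254.40 any eq 1720
 permit udp host 192.168.254.40 any eq 5060
 permit tcp host 192.168.254.40 any eq 5060
 remark Drop and log call-setup attempts from every other source
 deny   tcp any any eq 1720 log
 deny   udp any any eq 5060 log
 deny   tcp any any eq 5060 log
 remark Everything else (media, return traffic, management) is unchanged
 permit ip any any
!
interface FastEthernet0/0
 ip access-group VOICE-SIG-IN in
!
```

Site 2 takes the mirror image with `host 192.168.254.30` as the permitted source. The `log` keyword on the deny entries records rejected call-setup attempts, which can then be reviewed with `show access-lists VOICE-SIG-IN` or in syslog.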