Re: Universal Call Connector over VPN - Page 2

aapexisinc · ‎03-09-2009

I'm trying to get the UCC 1.5 to work at the remote end of a VPN (871 -> UC520, with one 7941 phone, which works perfectly). When I attempt to verify registration, etc., it can ping and find the CME router, but then times out and returns a message that it cannot read the expected reply. I expect that there is either a port-forwarding or ACL issue in play here. Can anyone point me in the right direction to get this to work?

John Platts · ‎09-23-2009

I have been able to use a single CallConnector Server with site-to-site VPNs, even with multiple UC520 units.

Here is one of the ways to do site-to-site VPNs, and I know that this configuration works on the UC500 and ISR platforms:

crypto keyring AtoB-Keyring

pre-shared-key address key

!

crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!

crypto isakmp profile AtoB-KeyProfile
keyring AtoB-Keyring
match identity address 255.255.255.255

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!

crypto ipsec profile AtoB-Tunnel
set transform-set ESP-3DES-SHA
set isakmp-profile AtoB-KeyProfile
!
interface Tunnel0

description Site A to Site B tunnel
ip unnumbered BVI1
tunnel source FastEthernet0/0
tunnel destination
tunnel mode ipsec ipv4
tunnel protection ipsec profile AtoB-Tunnel

!

ip route Tunnel0

The following constraints apply to this setup:

Subnets connected through the VPN connection must be unique across all of the sites
You need to expose Data and Voice subnets for CallConnector and VPIM functionality
Difficult to set up without static IP addresses at the sites using site-to-site VPNs