UC540 VPN to SA520

sweaver (Level 1)

I need to VPN the UC540 to an SA520. I got the data VPN working through CCA, but the remote phones will not come up because the voice traffic is not passing. If anyone could give me step-by-step instructions on how to do this, I would appreciate it.

Thanks,

Accepted Solution

janickle (Level 1)

Hi,

I'm sorry that you have been having a hard time with the configuration of your VPN.  I think that the issue you are running into is the interesting traffic crossing the VPN, or lack thereof.  You should be able to edit the VPN traffic rules via CCA under the new ACL editor.  But first you will need to identify which ACL goes with what.  First, let's address the NAT on the UC.  You will need to put in some deny statements to stop the traffic destined for the SA520 from being affected by NAT.  The NAT rules are usually associated with a route map called SDM_RMAP.  It will look something like this in the config:

route-map SDM_RMAP_1 permit 1
 match ip address 106

So based on this statement we are going to look at ACL 106.  Right now yours probably looks like this:

access-list 106 remark SDM_ACL Category=2
access-list 106 deny   ip 192.168.10.0 0.0.0.255 192.168.75.0 0.0.0.255
access-list 106 permit ip 10.1.10.0 0.0.0.3 any
access-list 106 permit ip 192.168.10.0 0.0.0.255 any
access-list 106 permit ip 10.1.1.0 0.0.0.255 any

In order to stop the NAT across the VPN we will need to edit this ACL to look like this:

access-list 106 remark SDM_ACL Category=2
access-list 106 remark deny = exempt from NAT; must precede the permits (top-down, first match)
access-list 106 deny   ip 192.168.10.0 0.0.0.255 192.168.75.0 0.0.0.255
access-list 106 deny   ip 10.1.1.0 0.0.0.255 192.168.75.0 0.0.0.255
access-list 106 deny   ip 10.1.10.0 0.0.0.3 192.168.75.0 0.0.0.255
access-list 106 permit ip 10.1.10.0 0.0.0.3 any
access-list 106 permit ip 192.168.10.0 0.0.0.255 any
access-list 106 permit ip 10.1.1.0 0.0.0.255 any

We are basically just adding the Voice and CUE networks to the ACL.

Next it's time to allow the Voice and CUE networks to cross the tunnel.  To find this ACL, look for the crypto map created by CCA.  This should look similar to this in the configuration:

crypto map multisite 1 ipsec-isakmp
 description SA520
 set peer 65.0.0.0
 set transform-set ESP-3DES-SHA
 match address 105
 qos pre-classify

Here the crypto map is pointing to ACL 105.  So in the configuration we find the ACL 105 which should look something like this:

access-list 105 remark CryptoACL for SA520
access-list 105 remark SDM_ACL Category=4
access-list 105 permit ip 192.168.10.0 0.0.0.255 192.168.75.0 0.0.0.255

Now we just need to edit this rule to allow the Voice and CUE networks to pass to the SA520:

access-list 105 remark CryptoACL for SA520
access-list 105 remark SDM_ACL Category=4
access-list 105 remark data, voice and CUE networks to the SA520 LAN; mirror these on the SA520 side
access-list 105 permit ip 192.168.10.0 0.0.0.255 192.168.75.0 0.0.0.255
access-list 105 permit ip 10.1.1.0 0.0.0.255 192.168.75.0 0.0.0.255
access-list 105 permit ip 10.1.10.0 0.0.0.3 192.168.75.0 0.0.0.255

That’s it for the UC.

Next we just need to repeat the process on the SA520 under the IPSec Section of the VPN configuration.  I have included a picture for this portion.

You can see that the policies are all very similar.  The only real difference from the original statement that you already have is the local network of the UC.  Notice that the Voice and CUE VLAN information is now allowed across the tunnel.  Inside, the configuration just references your original IKE policy.

Finally, on the SA520 make sure that you are passing your TFTP information via DHCP.  This should be the 10.1.10.2 address and can be configured under the LAN settings on the SA520.

That should do it.  Reboot your phones and watch them register.  If you have any further questions please let me know.

Thank you,

Jason Nickle

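The accepted solution above reduces to two invariants on the UC540 side: every local subnet that must reach the SA520 LAN needs a deny (NAT exemption) in the route-map ACL that sits above the permits, and a permit in the crypto ACL. The script below is an added example, not code from the thread or from Cisco's tooling; it parses the two ACLs the way the answer locates them (SDM_RMAP -> match ip address, crypto map -> match address) and reports any local-to-remote pair that is still translated or not classified as interesting traffic. The "before" and "after" configs are constructed from the answer's own listings; the subnets and ACL numbers are the answer's. It does not check the SA520 side, and it only handles the contiguous wildcard masks CCA generates. One caveat on applying the fix by hand: classic numbered `access-list` lines are appended at the end, so to get the deny lines above the permits as shown you either remove and re-enter the whole ACL (`no access-list 106`, then the lines in order) or edit it with sequence numbers via `ip access-list extended 106`.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample (not copied from a live device): the "before" UC540 state the
# accepted answer describes. ACL 106 is the NAT route-map ACL, ACL 105 the crypto ACL.
BEFORE_CONFIG = """
route-map SDM_RMAP_1 permit 1
 match ip address 106
access-list 106 remark SDM_ACL Category=2
access-list 106 deny   ip 192.168.10.0 0.0.0.255 192.168.75.0 0.0.0.255
access-list 106 permit ip 10.1.10.0 0.0.0.3 any
access-list 106 permit ip 192.168.10.0 0.0.0.255 any
access-list 106 permit ip 10.1.1.0 0.0.0.255 any
crypto map multisite 1 ipsec-isakmp
 description SA520
 set peer 65.0.0.0
 set transform-set ESP-3DES-SHA
 match address 105
 qos pre-classify
access-list 105 remark CryptoACL for SA520
access-list 105 permit ip 192.168.10.0 0.0.0.255 192.168.75.0 0.0.0.255
"""

# The "after" state from the answer: voice (10.1.1.0/24) and CUE (10.1.10.0/30)
# exempted from NAT ahead of the permits, and added to the crypto ACL.
AFTER_CONFIG = BEFORE_CONFIG.replace(
    "access-list 106 permit ip 10.1.10.0 0.0.0.3 any",
    "access-list 106 deny   ip 10.1.1.0 0.0.0.255 192.168.75.0 0.0.0.255\n"
    "access-list 106 deny   ip 10.1.10.0 0.0.0.3 192.168.75.0 0.0.0.255\n"
    "access-list 106 permit ip 10.1.10.0 0.0.0.3 any",
) + (
    "access-list 105 permit ip 10.1.1.0 0.0.0.255 192.168.75.0 0.0.0.255\n"
    "access-list 105 permit ip 10.1.10.0 0.0.0.3 192.168.75.0 0.0.0.255\n"
)

Ace = Tuple[str, ipaddress.IPv4Network, ipaddress.IPv4Network]  # (action, src, dst)

def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS address + inverse mask -> network. Only contiguous wildcards are handled
    (0.0.0.3, 0.0.0.255, ...); ipaddress would misread 0.0.0.0 as a /0 netmask."""
    bits = int(ipaddress.IPv4Address(wildcard))
    host_bits = bits.bit_length()
    if bits != (1 << host_bits) - 1:
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported")
    return ipaddress.IPv4Network((addr, 32 - host_bits), strict=False)

def _parse_endpoint(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2

def parse_config(text: str) -> Tuple[Dict[str, List[Ace]], Optional[str], Optional[str]]:
    """Return (acls, nat_acl_number, crypto_acl_number). The NAT ACL is the one the
    SDM_RMAP route-map matches; the crypto ACL is the crypto map's 'match address'."""
    acls: Dict[str, List[Ace]] = {}
    nat_acl = crypto_acl = None
    section = None
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "route-map" and t[1].startswith("SDM_RMAP"):
            section = "route-map"
        elif t[:2] == ["crypto", "map"]:
            section = "crypto-map"
        elif t[:3] == ["match", "ip", "address"] and section == "route-map":
            nat_acl = t[3]
        elif t[:2] == ["match", "address"] and section == "crypto-map":
            crypto_acl = t[2]
        elif t[0] == "access-list" and t[2] in ("permit", "deny") and t[3] == "ip":
            src, i = _parse_endpoint(t, 4)
            dst, _ = _parse_endpoint(t, i)
            acls.setdefault(t[1], []).append((t[2], src, dst))
    return acls, nat_acl, crypto_acl

def first_match(aces: List[Ace], src: ipaddress.IPv4Network, dst: ipaddress.IPv4Network) -> str:
    """Action of the first ACE covering src->dst (IOS is top-down, first match),
    falling through to the implicit deny at the end of every ACL."""
    for action, ace_src, ace_dst in aces:
        if src.subnet_of(ace_src) and dst.subnet_of(ace_dst):
            return action
    return "deny"

def audit(config: str, local_nets: List[str], remote_net: str) -> List[str]:
    """List every local->remote pair that is still NATed or missing from the crypto ACL."""
    acls, nat_acl, crypto_acl = parse_config(config)
    remote = ipaddress.IPv4Network(remote_net)
    problems = []
    for local in map(ipaddress.IPv4Network, local_nets):
        if first_match(acls.get(nat_acl, []), local, remote) != "deny":
            problems.append(f"ACL {nat_acl}: {local} -> {remote} still hits NAT; add a deny above the permits")
        if first_match(acls.get(crypto_acl, []), local, remote) != "permit":
            problems.append(f"ACL {crypto_acl}: {local} -> {remote} is not interesting traffic; add a permit")
    return problems

LOCAL_NETS = ["192.168.10.0/24", "10.1.1.0/24", "10.1.10.0/30"]  # data, voice, CUE (from the answer)
REMOTE_NET = "192.168.75.0/24"  # SA520 LAN (from the answer)

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE_CONFIG), ("after", AFTER_CONFIG)):
        print(f"{name}: " + ("\n  ".join(audit(cfg, LOCAL_NETS, REMOTE_NET)) or "OK"))
```

Run it against `show running-config` output pasted into a file and your own VLAN subnets; the "before" config reports four problems (voice and CUE each missing a NAT exemption and a crypto permit), the "after" config reports none. The check is deliberately strict about order: a deny that lands below a matching permit is reported as still NATed, which is exactly the mistake the numbered-ACL append behaviour invites.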

16 Replies

johschaf (Level 4)

Hello,

How did you configure the multisite in CCA for voice and data, voice only or data only? If voice and data, can you ping any of the voice interfaces from the SA520? What type of phones and where do the phones get their IP addresses from? The phones need to have a TFTP server set in the DHCP scope, usually option 150. If the DHCP scope is not from the UC then the phones are not receiving their TFTP server information. You can add the TFTP information into the phones manually if needed.

Hope this helps. Let me know if you have further questions regarding this.

Thanks,

-john

John,

Thanks for the response. I set up the multisite in CCA as Data only because that is how tech support had told me to do it, but they weren't sure if it would work. I don't have to have data, just voice, to work.

Phones: 7940s

Phones on the UC540 network get their IPs from the UC540. On the remote sites they get DHCP from the SA520. I do have the SA520 set with the TFTP server set to the IP of the UC540. It seems like the phones are communicating partially because it says retrieving cmlist, but then goes to contacting 10.1.1.1 and then doesn't go any farther.

I think I need to make a couple of small changes in the CLI, but would like to know for sure what to change.

Thanks,

I can ping from the remote site to the Data side of the UC540 but not the voice side. (10.1.1.1)

All I need to work is the voice traffic through the VPN, and I think the phones will come up.

Hello,

Please reconfigure the VPN to access the voice vlan of the UC. Please let me know if that doesn't resolve your issue.

Thanks,

-john

The way I configured the VPN was using CCA and the multisite manager. How can I reconfigure the VPN to access the Voice VLAN? Can I do it from the CLI?

Hello,

In the CCA multisite wizard when adding a site you have an Intersite-Option that defines the VPN connectivity. Please use either dialing-only or both.

Thanks,

-john

John

OK, then how do I set up the SA520 on the remote side?

Thanks,

Hello,

You will need to reconfigure the SA's VPN profile to connect to the voice network.

Thanks,

-john

OK, but here is the message I get for Phase 2:

Fri Sep 07 15:38:17 2012 (GMT -0400): [Cisco] [IKE] INFO:  Initiating new phase 2 negotiation: 173.167.68.1[500]<=>50.77.110.153[0]

Fri Sep 07 15:38:18 2012 (GMT -0400): [Cisco] [IKE] ERROR:  Unknown notify message from 50.77.110.153[500].No phase2 handle found.

Any ideas?

Thanks,

Hello,

Where are you getting that error? Can you try completely rebuilding the VPN?

Thanks,

-john

I am getting the error on the SA520. I have already deleted the multisite settings in the UC and totally rebuilt them.

I think I am setting up something wrong on the SA520. I am creating a site-to-site VPN on the SA520, and here are the settings I'm using.

VPN Wizard

About VPN Wizard: The Wizard sets most parameters to defaults as proposed by the VPN Consortium (VPNC), and assumes a pre-shared key, which greatly simplifies setup. After creating the policies through the VPN Wizard, you can always update the parameters through the Policies menu.

Select VPN Type:
Enable Cisco VPN Client:

Connection Name and Remote IP Type
What is the new Connection Name?
What is the pre-shared key? **********
Local WAN Interface:

Remote & Local WAN Addresses
Remote Gateway Type:
Remote WAN's IP Address / FQDN:
Local Gateway Type:
Local WAN's IP Address / FQDN: 0.0.0.0

Secure Connection Remote Accessibility
Remote LAN IP Address: 172.21.21.0
Remote LAN Subnet Mask:

I am using the wizard and then going in and modifying after this.

Thanks,

Hello,

How did you reconfigure the multisite? What are the vlans on the UC?

Thanks,

-john

sweaver (Level 1)

On the UC I set the Data VLAN as 172.21.21.0, and the Voice VLAN is default at 10.1.1.0. I tried to set the SA520 with the remote IP as 10.1.1.0, but the VPN won't come up then.

Thanks for all your help,

Does anybody have any ideas or thoughts on how to set this up in CCA? If I have to use the CLI, if you could tell me what to do, that would be great.

Thanks,
