10-10-2012 02:46 PM - edited 03-21-2019 06:25 AM
Good morning,
Let me explain the problem that I have; I am not able to find the solution.
In the central office I have a UC560. We want to connect some SPA504 and 7962 phones from a remote office directly to the UC560; we want the remote office to be a part of the central office. I understand that we must use a Site to Site VPN.
For the Site to Site VPN we installed an SRP541W in the remote office. I understand that this device is right for this.
Well, the problem is that once the SRP541W is installed and configured for the Site to Site VPN, the SRP541W indicates that the VLAN Data is connected, but the rest of the VLANs and the phones are not connected.
I've done a thousand tests with IPSec policies and ACLs but I cannot find the solution.
Does anyone know, or can anyone tell me, where I am failing or how I must configure it?
Data and settings that I configured:
UC560
WAN Address xxx.xxx.xxx.1
VLAN DATA (1) 10.14.100.1/24
VLAN VOICE (100) 10.1.20.1/24
VLAN CUE (90) 10.1.10.2/30
SRP541W
WAN Address xxx.xxx.xxx.2
VLAN DATA (1) 10.24.10.1/24 DHCP Data 10.24.10.0/24
VLAN VOICE (100) 10.24.20.1/24 DHCP Voice 10.24.20.0/24 Manual TFTP 10.1.10.2
UC560 Site to Site
SITE1
WAN Address xxx.xxx.xxx.1
UC500 Data VLAN IP Address 10.14.100.1/24
VPN Only
SITE2
WAN Address xxx.xxx.xxx.2
UC500 Data VLAN IP Address 10.24.10.1/24
VPN Only
SRP541W
IPSec Policy
Policy DATA
Remote Endpoint xxx.xxx.xxx.1
Local IP Group 10.24.10.0/24
Remote IP Group 10.14.100.0/24
Policy VOICE
Remote Endpoint xxx.xxx.xxx.1
Local IP Group 10.24.20.0/24
Remote IP Group 10.1.20.0/24
Policy CUE
Remote Endpoint xxx.xxx.xxx.1
Local IP Group 10.24.20.0/24
Remote IP Group 10.1.10.0/30
Policy DATA status is connected, the others are not connected.
Thank you very much for all your help
Best Regards
Miguel
10-11-2012 11:19 AM
At first glance, you had better consolidate VOICE and CUE into 1 policy:
Policy VOICE
Remote Endpoint xxx.xxx.xxx.1
Local IP Group 10.24.20.0/24
Remote IP Group 10.1.20.0/24
Policy CUE
Remote Endpoint xxx.xxx.xxx.1
Local IP Group 10.24.20.0/24
Remote IP Group 10.1.10.0/30
change to
Policy voice/CUE
Remote Endpoint xxx.xxx.xxx.1
Local IP Group 10.24.20.0/24
Remote IP Group 10.1.0.0/16
Please let me know the result.
10-14-2012 11:51 PM
Dear Bongsu,
Thanks for your help. Same result: the second policy doesn't connect, only the first policy (Policy DATA) connects. I tried to put this policy in first place, but in that case the VPN doesn't come up.
Regards
10-15-2012 10:46 AM
You have to consolidate the UC560 side as well; both sides should match for the SA exchange.
crypto map multisite 1 YYY
 match address XXX
access-list XXX permit ip 10.1.0.0 0.0.255.255 10.24.20.0 0.0.0.255
Also, the ip nat ACL should be adjusted like...
access-list 105 deny ip 10.1.0.0 0.0.255.255 10.24.20.0 0.0.0.255
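The matching requirement from the reply above can be checked offline before touching either device. This is an added example, not part of the original thread: it compares the SRP541W local/remote IP groups with the UC560 crypto ACL entries read in reverse. The subnets are the ones posted in the thread; ACL number 150, the DATA ACL line and all function names are assumptions made for the example.

```python
import ipaddress

def wildcard_net(addr, wildcard):
    """Turn an IOS address + wildcard mask (inverted netmask) into a network."""
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{netmask}")  # ValueError on malformed input

def acl_to_selector(line):
    """Parse 'access-list N permit ip SRC WILD DST WILD' into (src_net, dst_net)."""
    tok = line.split()
    if len(tok) != 8 or tok[0] != "access-list" or tok[2:4] != ["permit", "ip"]:
        raise ValueError(f"unsupported ACL line: {line!r}")
    return wildcard_net(tok[4], tok[5]), wildcard_net(tok[6], tok[7])

def check_mirror(branch_policies, hub_acl_lines):
    """Compare branch (name, local, remote) policies with the hub crypto ACL."""
    hub = [acl_to_selector(l) for l in hub_acl_lines]
    report = {}
    for name, local, remote in branch_policies:
        loc, rem = ipaddress.ip_network(local), ipaddress.ip_network(remote)
        # The hub ACL is written from the hub's side: source = hub subnet,
        # destination = branch subnet, i.e. the branch policy reversed.
        if (rem, loc) in hub:
            report[name] = "mirrored"
        elif any(rem.overlaps(s) and loc.overlaps(d) for s, d in hub):
            report[name] = "overlaps-but-not-identical"
        else:
            report[name] = "no-hub-entry"
    return report

# Subnets are the ones posted in the thread; ACL number 150 and the DATA
# ACL line are constructed for this example.
BRANCH_SPLIT = [("DATA", "10.24.10.0/24", "10.14.100.0/24"),
                ("VOICE", "10.24.20.0/24", "10.1.20.0/24"),
                ("CUE", "10.24.20.0/24", "10.1.10.0/30")]
BRANCH_MERGED = [("DATA", "10.24.10.0/24", "10.14.100.0/24"),
                 ("voice/CUE", "10.24.20.0/24", "10.1.0.0/16")]
HUB_DATA_ONLY = ["access-list 150 permit ip 10.14.100.0 0.0.0.255 10.24.10.0 0.0.0.255"]
HUB_MERGED = HUB_DATA_ONLY + [
    "access-list 150 permit ip 10.1.0.0 0.0.255.255 10.24.20.0 0.0.0.255"]

if __name__ == "__main__":
    for label, branch, hub in [("branch merged, hub unchanged", BRANCH_MERGED, HUB_DATA_ONLY),
                               ("branch split, hub merged", BRANCH_SPLIT, HUB_MERGED),
                               ("both merged", BRANCH_MERGED, HUB_MERGED)]:
        print(label, check_mirror(branch, hub))
```

Any policy not reported as "mirrored" is one where the two peers describe different traffic, which is the condition the reply asks to eliminate on both sides.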