04-08-2005 06:02 AM - edited 02-21-2020 01:42 PM
HELP!
I can set up the VPN portion properly; my problem is in what I need to define as interesting traffic. Here is what I have so far:
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key ThisIsMyKey address 1.2.3.4
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to Site 1
 set peer 1.2.3.4
 set transform-set ESP-3DES-SHA
 match address 110
!
access-list 110 remark VPN
access-list 110 remark SDM_ACL Category=4
access-list 110 permit ip 10.20.10.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 110 permit ip 10.20.1.0 0.0.0.255 10.10.1.0 0.0.0.255
Any help is appreciated. I do not know enough to know what I do not know. ;)
04-08-2005 06:37 AM
The interesting traffic is defined by the ACL 110 entries, so this would produce 2 tunnels between the 2 endpoints.
If you run the command `sh crypto ipsec sa` you will see two tunnels, one encrypting traffic between 10.20.10.0 and 10.10.10.0, the other encrypting traffic between 10.20.1.0 and 10.10.1.0.
If the router sees a packet with, say, the following IP addresses, it will encrypt it: SRC 10.20.10.1 to DEST 10.10.10.1.
If the packet does not have both SRC and DEST addresses that match either ACL entry, the packet is not encrypted.
So, your post title indicates a VoIP issue. Do your VoIP traffic's IP source and destination addresses fall into either of these IP ranges?
If not, you need to add another ACL entry to cover the VoIP IP addresses.
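The matching rule described in the answer above, as an added example that is not part of the original thread: this Python sketch parses the posted ACL 110 and applies Cisco wildcard-mask matching to decide whether a packet is selected for encryption. The function names and every sample address except the 10.20.10.1 to 10.10.10.1 pair are constructed for illustration, and the 10.x.50.0 voice subnets are hypothetical.

```python
import ipaddress

# ACL 110 exactly as posted in the question.
ACL_110 = """\
access-list 110 remark VPN
access-list 110 remark SDM_ACL Category=4
access-list 110 permit ip 10.20.10.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 110 permit ip 10.20.1.0 0.0.0.255 10.10.1.0 0.0.0.255
"""

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def parse_crypto_acl(text):
    """Parse 'access-list N permit ip <src> <wild> <dst> <wild>' lines, in order.
    Remarks are skipped; other ACL forms (host, any, deny) are not handled here."""
    entries = []
    for line in text.splitlines():
        f = line.split()
        if len(f) == 8 and f[0] == "access-list" and f[2:4] == ["permit", "ip"]:
            entries.append(tuple(to_int(a) for a in f[4:8]))
    return entries

def wildcard_match(addr, net, wild):
    # Wildcard bits set to 1 are ignored; every other bit must be identical.
    return ((addr ^ net) & ~wild & 0xFFFFFFFF) == 0

def matching_entry(entries, src, dst):
    """Index of the first entry where source AND destination both match, else None."""
    s, d = to_int(src), to_int(dst)
    for i, (sn, sw, dn, dw) in enumerate(entries):
        if wildcard_match(s, sn, sw) and wildcard_match(d, dn, dw):
            return i
    return None

if __name__ == "__main__":
    entries = parse_crypto_acl(ACL_110)
    samples = [
        ("10.20.10.1", "10.10.10.1"),    # the pair used in the answer
        ("10.20.1.5", "10.10.1.9"),      # constructed: second ACL line
        ("10.20.10.1", "10.10.1.1"),     # constructed: source and destination from different lines
        ("10.20.50.10", "10.10.50.10"),  # constructed: hypothetical voice subnets outside ACL 110
    ]
    for src, dst in samples:
        hit = matching_entry(entries, src, dst)
        verdict = "not encrypted" if hit is None else f"encrypted, ACL line {hit + 1}"
        print(f"{src} -> {dst}: {verdict}")
```

The third sample matches the source of one ACL line and the destination of the other, so it is not selected: both addresses have to match the same entry.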
04-15-2005 06:52 AM
I also found out I must use GRE to allow the voice to travel properly. As you mentioned, I do not have enough tunnels made.
I did not know it actually makes one tunnel for each line, thank you!