  • Shoretel phones and client IPSEC VPNs?

    Hi everyone,
    I'm looking to have a couple users work from home using client-based IPSEC VPN connections to my Cisco ASA 5510. I have everything working except for the Shoretel 230 phone; the phone finds the FTP server, downloads the config files and firmware but then gives a "no service" error and attempts to search for a switch to connect to.

    I've read a couple of other posts suggesting that the problem is that the client VPN creates a NAT tunnel instead of routing the traffic like an L2L VPN tunnel. I feel like this is indeed the problem because I have L2L tunnels to other sites and the phones work fine, but the client VPNs don't work.

    While they suggest the NAT might be the problem, there's no resolution given and I can't seem to find any literature on it. I've also combed through the configuration on the ASDM and nothing is jumping out at me.

    Any suggestions would be appreciated.
    -Dell

  • #2
    bump bump bump

    • #3
      Trying to understand this.... You've deployed a smaller ASA at the remote users house to provide HW based IPSec tunnels, right?

      • #4
        Yes - It's my house actually. I use a Sonicwall TZ190 and my dynamic cable modem IP address to create an L2L tunnel between my house and the ASA in my HQ offices. This works fine. The phone at my house connects to the Shoretel switches and I'm able to make calls.

        However, this isn't going to work for my nontechnical phone reps working out of their homes on their cable/DSL/tin-cans.
        Let me put this in another context; let's suppose you had a traveling salesperson who was in a new hotel every night and you wanted to give that sales rep a VPN router, a laptop and a Shoretel 230 phone. You instruct your sales person to plug his/her laptop and phone into the router and then plug the router into the hotel's internet connection and everything should work (remember that this is all hypothetical, we're not concerned about captive portals and stuff like that on the hotel's network). Obviously you can't make an L2L VPN connection for the hotels since you don't know their public IP addresses, so you need to use a client VPN connection (call it "remote access" VPN if you want).

        Granted I'm not dealing with sales reps, but this is basically the situation I'm in.

        • #5
          The bigger problem at the hotels is that they generally assign the RFC private range IPs (non-routable) and you'll be double NATing. That causes all sorts of grief with voice generally.

          The better options are:

          - Install the Shoretel VPN Concentrator (tunnels the phone traffic only via SSL) and give them a 230G phone pre-configured for VPN
          - Use Office Anywhere and they assign their extension to their cell phone


          By the way, you can establish VPNs if you don't know the address. This is a dynamic VPN (also called aggressive) that initiates the connection back to the primary VPN gateway.

          • #6
            I know that you aren't really asking, but is there a reason you aren't just using Office Anywhere with the user's cell phone? I know this incurs minute charges, but to be honest, it's far less hassle.

            • #7
              cburgy:
              I was giving an alternate/similar example to convey the point better, but I fear that I've just made it more complicated. Anyways, there's no hotels - the reps will be in their homes.

              LanceB:
              Well mainly for cost reasons. We're already going to be subsidizing the reps' internet connections because they absolutely must use a computer for their jobs, so I figure it will be cheapest to piggyback the phone onto the VPN back to our Shoretel system. Having the office-anywhere to a cell phone or landline is a nice fallback and we're willing to pay for incidental costs if they have to use office-anywhere because the voice quality off of the VPN is bad, but we don't want to subsidize (or provide) cell phones or land lines for each rep.

              • #8
                If you're already spending the money for reps to be at home and their internet AND their cell phone minutes... might want to look at getting MCM installed.

                Thoughts?

                • #9
                  How are you intending to piggyback the phones off of the employee's VPN Client (Software VPN)? Is this possible? I've been wanting to do this with Windows 7 virtual wifi.

                  400Degreez.....

                  • #10
                    sean:
                    I'm JUST paying for the internet. I'm trying to avoid paying for phone costs as well which is why I'm trying to leverage the VPN for voice-traffic.

                    400degreez:
                    Yes - my coworker and I currently use Shoretel phones over an IPSEC VPN at our homes (standard cable internet connections, nothing special) and they work great. I use a Sonicwall TZ190 and my coworker has a Cisco ASA 5505. I'm not very familiar with the performance of the Windows 7 wifi hotspot but I can't think of a reason why a Shoretel phone wouldn't work over a VPN connection through a Windows 7 hotspot. Of course it all depends on how many people you have connecting and that sort of thing.

                    cburgy:
                    I think you may have uncovered the solution; the dynamic VPN using the DefaultL2LGroup on the ASA might be the key. Do you have any info on setting that up?

                    • #11
                      Digi, does this happen on other phones or only the 230? Have you tried a softphone just to see if the same issue happens?

                      If it does, I would double check the ports needed for communications to work.

                      • #12
                        If your switch is on a different subnet than your firewall, you'll need to create a route in the firewall.

                        • #13
                          Well, I finally broke down and got a Cisco RVS4000 "SOHO" VPN router and after a bit of tweaking on the ASA got it to work.

                          I was originally trying to use a cheap Linksys WRT54GL router with a third-party firmware called DD-WRT. That firmware has a built-in Cisco VPN client called VPNC. VPNC was able to connect to the VPN with XAUTH (user-based authentication) but where I was having a problem was getting it to establish a dynamic-to-static L2L tunnel using the DefaultL2LGroup on the ASA. I'm still convinced that this can work and would be a viable option (and a lot cheaper than a RVS4000 or ASA 5505), but I'm sort of running out of time for this project and needed to make sure the phone would work over a dynamic-to-static tunnel, so I've shelved the WRT54GL for right now.

                          If/when I get it to work I'll post back in case anyone is interested.

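The dynamic-to-static L2L arrangement asked about in #10 and described in #13, as an added illustration that is not from any poster in this thread: ASA-side configuration (8.2-era syntax) that accepts an IPsec tunnel from a home router whose public address is not known in advance, by letting the peer fall back to the DefaultL2LGroup pre-shared key and a dynamic crypto map, and that exempts the tunnelled phone subnet from NAT. Interface names, the subnets (10.10.0.0/24 at HQ, 192.168.50.0/24 at the remote house), the map and ACL names and the key placeholder are constructed assumptions; verify against your own ASA release.

```text
! --- Phase 1 (IKEv1) on the outside interface. Main mode works for a
! --- dynamic peer because the ASA, finding no tunnel-group named for the
! --- peer's address, falls back to DefaultL2LGroup for the pre-shared key.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
! --- The home router sits behind the ISP's cable/DSL NAT, so allow ESP to
! --- be carried in UDP/4500 (NAT-T keepalive every 20 s).
crypto isakmp nat-traversal 20
!
! --- Phase 2: a dynamic crypto map names no fixed peer and no crypto ACL;
! --- it accepts the remote side's proposed subnets. Reverse-route injection
! --- adds the remote phone subnet to the routing table so the Shoretel
! --- switch side can reach the phone (the routing point raised in #12).
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto dynamic-map DYN-L2L 10 set transform-set ESP-AES-SHA
crypto dynamic-map DYN-L2L 10 set reverse-route
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-L2L
crypto map OUTSIDE-MAP interface outside
!
! --- Every peer that matches no named tunnel-group shares this one key, so
! --- it is worth more than a single site's key: keep it long and random,
! --- rotate it, and move to certificates once more than a few homes use it.
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key <CHANGE-ME-long-random-psk>
!
! --- Do not NAT HQ <-> remote traffic inside the tunnel (8.2 "nat 0" form),
! --- so the phone keeps its real 192.168.50.x address toward the switch.
access-list NO-NAT extended permit ip 10.10.0.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list NO-NAT
!
! --- Checks once the home router has dialled in:
!   show crypto isakmp sa            -> an SA in state MM_ACTIVE for the peer's public IP
!   show crypto ipsec sa             -> pkts encaps / decaps counters increasing
!   show route | include 192.168.50  -> the RRI-injected route is present
```

If the phone still reports "no service" while the SAs are up and counters rise, the remaining suspects are the route from the Shoretel switch VLAN back to 192.168.50.0/24 and the NAT exemption, not the tunnel itself.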
                          • #14
                            Thanks for the update digi. I am still interested on what you find.

                            • #15
                              Originally posted by DigiDT:
                              Well, I finally broke down and got a Cisco RVS4000 "SOHO" VPN router and after a bit of tweaking on the ASA got it to work.

                              I was originally trying to use a cheap Linksys WRT54GL router with a third-party firmware called DD-WRT. That firmware has a built-in Cisco VPN client called VPNC. VPNC was able to connect to the VPN with XAUTH (user-based authentication) but where I was having a problem was getting it to establish a dynamic-to-static L2L tunnel using the DefaultL2LGroup on the ASA. I'm still convinced that this can work and would be a viable option (and a lot cheaper than a RVS4000 or ASA 5505), but I'm sort of running out of time for this project and needed to make sure the phone would work over a dynamic-to-static tunnel, so I've shelved the WRT54GL for right now.

                              If/when I get it to work I'll post back in case anyone is interested.
                              I know this is an old thread, but I'm trying to do the exact same thing as you. Did you ever get a chance to figure this out or do you have any ideas?
