Announcement

Collapse
No announcement yet.
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Excellent VPN Solution

    I have read many of the VPN issues that have been posted and experienced many of the same problems as I a remote site with users and a roaming sales force that are home office based. So I thought I would share my success and hopefully reduce some of the pain other folks are feeling.

    1. My firewall/VPN solution is Sonicwall LZ170. I am running voice across the internet via a site to site VPN between two LZ170's. One end has a 3Mbps Ethernet connection the other a 512Kbps DSL. The latency is in check and the dropped calls are minimal, one or two a month.

    2. The remote sales folks are all using the soft-phone client from their laptops using the Sonicwall VPN client. I also use this same setup regularly to ensure I am experiencing the same issues that come up in the field. I use a Logitech USB headset, nothing fancy ($30) with excellent results.

    3. The soft-phone client leaves a lot left to be desired in many areas but that is another discussion. The one single point I do want to make is, any other email or large file transfer DOES affect the voice quality OUTBOUND and the user on the other end will tell you that it is choppy. I suspect that this is related to QoS with Windows operating (XP SP2) on which application sends data first. The Shoretel soft-phone client loses every time.

    4. Some folks are willing to work with the soft-phone and others aren't...Since the VPN client is tied to the laptop, I needed another way to build a VPN tunnel for the IP-230 phone without making this complicated or expensive.

    5. The answer was the Zyxel Zwall P1 security appliance ($70) and a IP Sec tunnel to the Sonicwall. The Zwall P1 is not much bigger than two packs of cigarette's and easy to configure. It only supports (1) VPN tunnel which is perfect and has a host of options to troubleshoot. The current configuration has the Zwall P1 sitting behind a cable modem (Linksys WCG-200), the Zwall P1 does the NAT & NAT traversal etc. The key to the config is the Sonicwall uses the internet address on the Linksys WCG-200 Ethernet interface as the distant gateway and the Zwall P1 is still hidden. This will be an issue for users that do not have a static IP address. Luckily my IP address doesn't seem to change when DHCP lease expires (Comcast). I have seen others change every time their local router is rebooted, not good.

    I hard coded the IP address settings on the IP-230 phone to make life simple as the Zwall P1 does not support the required Option 156 for DHCP to work correctly. It probably would work if I enable routing and did DHCP forwarding to the proper subnet but too much complication.

    This is a IP Sec tunnel from the Zywall to the Sonicwall, no fire walling as it is not needed or other advanced security options. There are security other options available to use, I wanted to keep it simple.

    I hope this helps reduce the pain with voice over the VPN, although as several others have already stated, a bad internet connection will not solve the voice quality problem only magnify it. Also I do have a couple of folks running a wireless connection to their home office router and the voice seems to work fine with the added latency most of the time. I remind them of all of the potential issues of interference etc. when the call me with a problem. Having the Zywall P1 in place will remove this as they will not be using the Soft-phone any more.

    Chris

  • #2
    I was excited after reading this post because I'm trying to accomplish the same thing, and the Zywall P1 sounded perfect!

    Unfortunately the P1 seems to have been discontinued. :no:

    Now I'm looking at possibly deploying a Linksys BEFVP41 or Netgear FVS114 in order to connect an IP 230 phone to our corporate network.
    Last edited by LDS; 02-06-2009, 05:31 PM.

    Comment


    • #3
      You may want to look at the IP265, 560, and 565 on version 8.0 and above teamed with the ST VPN concentrator. Just a thought.

      Comment


      • #4
        At this time we only have one employee that works full time from home, so we can't yet justify the cost of the ShoreTel VPN concentrator.

        Comment


        • #5
          I requested a quote for 3 265 phones and a VPN concentrator and was shocked at what came back. The cost of the ShoreTel VPN solution is ridiculous, especially with budgets being cut and the economy being what it is.

          Comment


          • #6
            I have 5 remote teleworkers setup with IP230’s using hardware VPN based on Netgear and ZyXEL VPN router/firewalls.
            Deployed at headquarters are a ShoreGear-T1, ShoreGear-120, ST Server and a Netgear FVX538. Four of our remote locations have Netgear FVS338’s and one is setup with a ZyXEL ZyWALL P1.

            Phones are setup to DHCP and get their IP from the local router and I programmed the FTP, MGP and NTP manually.

            We do experience occasional dropouts mostly due to bandwidth issues. I’ve mapped them as Teleworkers in the ShoreWare Director and I’m wondering if it’s possible to choose a different codec that uses fewer resources for the remote phones?

            The most annoying problem is that teleworkers can’t communicate with each other by dialing extensions. The phone will ring but when the handset is lifted there is dead air… They have do dial the DID to get voice.

            This is clearly a routing problem. The only thing I have tried different is to set a Hub-and-Spoke VPN; it didn’t change anything. The Softphone works fine no matter what configuration. The main router is not doing DHCP; I have a 2K3 server doing it. Any ideas?

            Thanks,
            YMM
            Last edited by ymm; 02-13-2009, 07:46 PM.

            Comment


            • #7
              By default the remote routers probably don't know about the other remote sites' subnets. You probably need to set some static routes on the VPN routers so they know that they can reach the other remote sites through the route to the main site. The so=pokes need to know they can reach other spokes through the hub. At the moment it sounds like they only know about the hub.

              Call control is proxied through a SG switch but the media (voice) goes from handset to handset. That's why the call comes up but there is no sound.

              The Intersite codec is used by Teleworker extensions. I think G.729a is the lowest bandwidth codec available in ShoreTel.

              Originally posted by ymm View Post
              I have 5 remote teleworkers setup with IP230ís using hardware VPN based on Netgear and ZyXEL VPN router/firewalls.
              Deployed at headquarters are a ShoreGear-T1, ShoreGear-120, ST Server and a Netgear FVX538. Four of our remote locations have Netgear FVS338ís and one is setup with a ZyXEL ZyWALL P1.

              Phones are setup to DHCP and get their IP from the local router and I programmed the FTP, MGP and NTP manually.

              We do experience occasional dropouts mostly due to bandwidth issues. Iíve mapped them as Teleworkers in the ShoreWare Director and Iím wondering if itís possible to choose a different codec that uses fewer resources for the remote phones?

              The most annoying problem is that teleworkers canít communicate with each other by dialing extensions. The phone will ring but when the handset is lifted there is dead airÖ They have do dial the DID to get voice.

              This is clearly a routing problem. The only thing I have tried different is to set a Hub-and-Spoke VPN; it didnít change anything. The Softphone works fine no matter what configuration. The main router is not doing DHCP; I have a 2K3 server doing it. Any ideas?

              Thanks,
              YMM

              Comment


              • #8
                Originally posted by jlear View Post
                The Intersite codec is used by Teleworker extensions. I think G.729a is the lowest bandwidth codec available in ShoreTel.
                Thanks for your reply!

                Hub-and-Spoke VPN was the correct way to go and no routes are required. I had to update the firmware on the NetgearísÖ I guess that they didnít have the bugs worked out when they first shipped.

                Is the lowest available codec automatically selected when the extensions are mapped as Teleworkers or do I need to select something specific?

                Regards.

                Comment


                • #9
                  I can't recall the defaults, but you can have a look under Sites to see what codec is set. Glad it's working out.

                  Comment


                  • #10
                    I'm running ST 7.5 ... No codecs in Sites.

                    Comment


                    • #11
                      My VPN / Remote Experiences

                      All good ideas and points here. A few lessons I have learned for remote workers and best-practices:

                      1. Be very careful with the ShoreTel VPN Concentrator solution. See my (long) post here: http://www.shoretelforums.com/forums...html#post14933

                      2. Home users generally require some sort of QoS edge device at their house. People simply do too much with their internet connections at the same time (even if they have a lot of bandwidth) to gamble that their calls will perform at a "business-grade" level. We use a Linksys router with custom firmware to prioritize VoIP packets to and from the corporate network. This runs about $100/user, but it makes a BIG difference in consistent voice quality.

                      3. If you are using SonicWalls to set up VPN tunnels between offices and you are having audio issues, disable packet inspection and some of those other "features" on both routers. Older SonicWalls (ie TZ series) don't have the power to process real-time voice traffic and other network routing tasks fast enough with these features enabled, even with BWM and packet prioritization. This took me about 30 painful troubleshooting hours to figure out this fix that takes 30 seconds to do.

                      4. SIP extensions using SIP IP Phones or SIP softphones are great through a SIParator. The user can then use their VPN connection on their windows box to use call manager to control their extension. Also, the SIParator does wonders for NAT traversal assistance, meaning a user can pick up their phone and plug it in virtually anywhere and get two-way audio (QoS is of course a gamble).

                      5. Use g729 for remote "teleworkers", but you will have a hard time getting this to work on later versions of SBE without making all calls (read: intra-office) g729 as well.

                      6. The SIParator has an excellent QoS module. It does an amazing job at controlling inbound AND outbound QoS on an internet connection. We put a whole company "behind" a SIParator with the QoS module and they have full performance internet for their computers but never a single call quality problem with remote extensions nor SIP trunks. This means as long as they don't run out of bandwidth for calls, you can use a fast cable connection for a small company's phone calls.

                      7. Don't be afraid of Office Anywhere / External Assignment. Sometimes having a customer buy an extra bundle of LD minutes to forward calls out to a user's cell phone or home phone line is just the best and most reliable way to go call quality wise. The ShoreTel Mobile Call Manager is great for mobile users to control this, as is StreamLine for the iPhone (shameless promotion, I know!).

                      Long story short: there isn't really a silver bullet for remote sites and users, and the networking equipment and ISPs play a huge role in the ongoing success of your solution. Unless you have "control" of the network, ie guaranteed QoS (ie MPLS), be very careful to explain the usage of VoIP is "best-effort".

                      Comment


                      • #12
                        Truning off Packet Inspection

                        Matt,

                        We are using SonicWall's at all of our remote sites, but are experiencing issues at only one, and are trying to nail down exactly what the cause(s) is/are.

                        Would you mind telling me where I would find the Packet Inspection option, so that I can ensure that it is disabled?

                        Thank you,
                        Scott

                        Comment


                        • #13
                          >>> Long story short: there isn't really a silver bullet for remote sites and users, and the networking equipment and ISPs play a huge role in the ongoing success of your solution. Unless you have "control" of the network, ie guaranteed QoS (IE MPLS), be very careful to explain the usage of VOIP is "best-effort".

                          <<<Flame enable High>>>
                          That is the issue The lack of Standard COS (Class of Service, i.e. QOS) as "The Standard ISP Internet infrastructure" through-out the ISP network...

                          The ISP's build their networks to yesterday needs & can't keep up with the pace of current available off the shelf technology. VOIP, FOIP, Paging over IP, video over IP, IPTV you name it, it's ready to be implemented TODAY!!!!!!!

                          BUT the ISP's want to charge a premium price for COS. Because they are SOOOOOOOOOOOOOO bad at projected business technology trends. They build their networks to meet yesterday technology & then they BS everyone to cover their gaffe, that it's not really needed by a majority of business or home users... blah blah blah .... COVER-UP!!!!

                          If just one ISP or maybe Google (Help us pleasssssssssseeeeeee Google) offered a standard COS High speed broadband National ISP network... the business & home markets would jump so fast to embrace (fill in the blank over IP) technologies that it would super-clip by an enormous magnitude the I-Phone fad example.

                          Standard COS Internet, We need it, I want it.... Yesterday.... Damn IT!!!!!!!!
                          <<<Flame enable Low>>>
                          Last edited by markshowacre; 02-16-2010, 08:46 AM.

                          Comment


                          • #14
                            Hey Scott,

                            Unfortunately I don't have a SonicWall handy, but if I recall it is under the Security Services section, under Network>Zones (going off memory!). Under there, you will have check boxes that will allow you to enable/disable Content Filtering and/or Intrusion Protection, which I believe were the specific ones getting us.

                            Thanks!

                            Comment


                            • #15
                              We've been using the edgemarc 4500 series from Edgewater networks for a few years now. These devices connect to our Cisco ASA. They work perfectly and are very simple to install/configure. Edgewater has been great to work with and have even helped create customized firmware for our particular needs. Before these devices we tried the Linksys and Adtran Netvanta.

                              We have no hesitation setting up 2 and 3 person offices on a DSL line. On occasion we'll have reports of call quality, but they are typically caused by issues inside the ASA; not on the user's side. From what I understand, Edgewater hasworked rather close with Shoretel and has designed their CoS to work specifically with Shoretel's MGCP. We've also had great success with Asterisk and Edgewater setups. The edgemarcs have a few cool goodies specific to SIP. We probably have 50 or so remote offices setup with these devices using either Shoretel or Asterisk. Never tried the sonicwalls.
                              Last edited by spris; 06-29-2010, 09:59 AM. Reason: including additional information

                              Comment

                              Working...
                              X