I've deployed remote ShoreTel phones using IPSec site-to-site SonicWALL VPNs. The HQ has a SonicWALL Pro4060 on a bonded 3.0Mbps pipe. The remotes are protected by TZ170 units on various residential ISP broadband services throughout the east coast, with approximately 20 remote users active. I have QoS enabled on the SonicWALLs, with bandwidth management reserving 30% for ShoreTel traffic. It's been nothing but problematic: active phone calls keep dropping, the phones go to "No Service", and audio quality is unstable. Some calls go through perfectly, others have very poor quality. I understand the internet is an uncontrolled source and bandwidth fluctuates, especially on the residential side. Is anyone else doing this or something similar? Any ideas? My ShoreTel is 6.1 with IP230 phones. The SonicWALLs all run OS Enhanced 3.2.
-
We have one site off a PIX to SonicWALL VPN and my opinion is that VoIP and VPN don't mix. Your QoS will only be valid on your devices; once it hits the Internet it goes out the window.
All our other sites use MPLS and it is rock-solid. I would suggest either using this or setting up something so that when you call site-to-site you use trunks instead of the WAN.
-
We've got 8 sites connected with Juniper Netscreen VPNs over the internet. After much pain, here's what we found...
IF a site has a ShoreTel switch and server in place - rock solid.
IF no switch and no server, still ok so long as there aren't more than about 4 users at the remote site. That's with a 3x2 cable connection. At 8 or so users, sporadic problems; with 12+ users, hold doesn't work, queue managers don't work, etc.
Moral of the story: a ShoreTel / VPN can be very stable if you have enough bandwidth and the right equipment.
-
Sorry for the long delay - been on vacation!
In order to keep things simple, we did not implement any form of QoS as of now. Our plan is simple: we'll fix it if it needs it, but in the meantime fewer complications are best. However, if you have your phones isolated on separate VLANs or subnets you can do DSCP on the policy level. In our instance, it hasn't been needed.
We're using route-based VPNs with all 8 branches fully meshed and 3 of those (the large sites) with redundant connections and auto failover.
-
Originally posted by Greg_A:
Sorry for the long delay - been on vacation!
In order to keep things simple, we did not implement any form of QoS as of now. Our plan is simple: we'll fix it if it needs it, but in the meantime fewer complications are best. However, if you have your phones isolated on separate VLANs or subnets you can do DSCP on the policy level. In our instance, it hasn't been needed.
We're using route-based VPNs with all 8 branches fully meshed and 3 of those (the large sites) with redundant connections and auto failover.
Ok. DSCP at the policy level is just to mark the packets though (not policing). You'll like ScreenOS 6.0 that just came out. It includes an Auto VPN feature (like Cisco's) that will automatically create a mesh between the spoke sites dynamically instead of manually configuring it all.
-
Originally posted by cburgy:
Ok. DSCP at the policy level is just to mark the packets though (not policing). You'll like ScreenOS 6.0 that just came out. It includes an Auto VPN feature (like Cisco's) that will automatically create a mesh between the spoke sites dynamically instead of manually configuring it all.
You are right - there's not much in the way of enforcement on the DSCP, but then again we haven't really had need for it.
Yeah, I've been peeking through the manual for ScreenOS 6.0. Looks pretty good from what I've gleaned.
-
Originally posted by ymm:
Anyone can help?
-
Site 2 Site
I am doing a VPN tunnel using a SonicWALL 2040 Pro with Enhanced OS at the location where the ShoreTel switch and workgroup server are located. On the other end I'm using a Netgear FVS318 firewall. I paid a whole $18 for it on eBay. The phone is an IP230 with a ShoreTel POE injector powering it. QoS is set on the SonicWALL. The Netgear doesn't support QoS. Voice quality has been excellent. My ISP is AT&T and my latency to the other site is 12ms. I recently switched from my local cable company. When I was on that connection my latency was 60ms++ and up to 380ms with dropped packets.
To answer the previous question: you will want to make sure you assign a static IP on your local subnet with a mask of 255.255.255.0; the gateway should be the same one you use for internet access. The FTP server should be a static on the other end of the VPN tunnel, reserved for the workgroup server running FTP. The next item in the configuration is MPLS (I don't remember the acronym) but it should be the same as the FTP server. Just hit # for everything else unless you are doing VLANs.
I think the biggest factor is the quality of your ISP and the latency between sites. No high-priced firewall doing QoS on every packet can make up for a Mom & Pop ISP selling you a crappy service.
Good Luck