Aristide Akaffou
asked on
VoIP over VPN problem
Hi,
I have a problem establishing a call session between two sites over a GRE IPsec tunnel. The tunnel is up but I am unable to set up a call. I think the problem is NAT but I don't know how to fix it. It seems like the traffic is blocked at the beginning of the tunnel.
You can see the configuration files attached.
Best Regards,
Aristide
There can be filters on the tunnel blocking some traffic. Check this by doing a tshark/tcpdump/wireshark dump on both sides and see what gets across.
It may very well be that routing on the other side has trouble finding the way back...
Lots of ifs...
Can you provide more info on the setup (left & right side address ranges, and all possible routing in view)?
The config files seem to be missing from the post.
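The comparison suggested in the answer above (capture on both sides and see what gets across), as an added example that is not part of the original thread. It uses the two voice VLANs posted later in the thread; the capture rows, host addresses, port numbers and the tshark field layout are constructed assumptions, as is matching on the IP ID, which source NAT normally leaves unchanged.

```python
import ipaddress

# Voice VLANs taken from the thread; everything else below is constructed.
CI_VOICE = ipaddress.ip_network("10.2.2.0/24")
LEBANON_VOICE = ipaddress.ip_network("192.168.150.0/24")

# Constructed sample rows: ip.id, ip.src, ip.dst, udp.srcport, udp.dstport
# (tab-separated, the shape `tshark -T fields` prints for those fields).
NEAR_CAPTURE = """\
0x0101\t10.2.2.10\t192.168.150.20\t5060\t5060
0x0102\t10.2.2.10\t192.168.150.20\t16384\t16390
0x0103\t10.2.2.10\t192.168.150.20\t16384\t16390
"""
FAR_CAPTURE = """\
0x0101\t160.120.120.216\t192.168.150.20\t5060\t5060
"""

def parse(capture):
    """Index packets by (ip.id, dst, dport); assumed untouched by source NAT."""
    packets = {}
    for line in capture.splitlines():
        if not line.strip():
            continue
        ip_id, src, dst, _sport, dport = line.split("\t")
        packets[(ip_id, dst, dport)] = ipaddress.ip_address(src)
    return packets

def compare(near, far, source_net, dest_net):
    """Classify each source_net -> dest_net packet by what the far capture shows."""
    far_pkts = parse(far)
    report = {"delivered": [], "source_translated": [], "missing": []}
    for key, src in parse(near).items():
        if src not in source_net or ipaddress.ip_address(key[1]) not in dest_net:
            continue
        seen = far_pkts.get(key)
        if seen is None:
            report["missing"].append(key)          # dropped between capture points
        elif seen == src:
            report["delivered"].append(key)        # crossed the tunnel unchanged
        else:
            report["source_translated"].append((key, str(seen)))  # NAT in the path
    return report

if __name__ == "__main__":
    for kind, items in compare(NEAR_CAPTURE, FAR_CAPTURE, CI_VOICE, LEBANON_VOICE).items():
        print(kind, items)
```

Packets listed as missing were dropped between the two capture points; packets listed as source_translated crossed, but with a rewritten source address.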
If you are using GRE, it sounds like you are using a routed VPN with VTIs. Ensure that the routing for your voice traffic is pointed to the tunnel interface or far end of the VPN's tunnel interface.
Please post the configuration file. I don't see one attached.
ASKER
Hi Soulja,
You can see the files attached.
The network addresses you have to consider:
For CI:
192.168.30.0/24 : data vlan
10.2.2.0/24: Voice vlan
160.120.120.216: public IP address
For Lebanon:
131.107.0.0/16: data vlan
192.168.150.0/24: voice vlan
77.42.156.122 ; 212.40.132.22: Public IP address
Best Regards,
Aristide
architecture-voip.PNG
Sh-run-CI.txt
sh-run-lebanon.txt
For your VPN, what is the status of your IPsec SAs?
sh crypto ipsec sa
Also, what does your EIGRP routing look like?
sh ip eigrp neighbors
sh ip route eigrp or sh ip route 192.168.150.0 from the CI router. sh ip route 10.2.2.0 from the Lebanon router.
ASKER
Hi Soulja,
The status of sh crypto ipsec sa is idle
EIGRP adjacency is established. I can ping each of the two sites.
Best Regards,
Aristide
I see the ASA in the diag. Is it allowing your VOIP traffic through? You have a lot of pieces in play in order to troubleshoot this in this forum. Please provide as much detail as possible. You provided the router configs, but there are many more points of failure for connectivity in this scenario.
ASKER
OK, I can provide the ASA configuration. I have permitted the traffic in the ASA.
asa310818.txt
ASKER
Hi Guys,
Any update?
Best Regards,
Aristide
Turn off your VPN first + retry.
If this works, turn on your VPN. If you can look at Websites + not make calls, likely this means someone is blocking your VOIP call port from the outdrop (IP) your VPN is using.
You can always connect through another region to get another IP.
Switching regions or just doing a VPN reconnect will likely give you a new IP. If this helps at all, likely this will only help for a while + the block will occur again in the future.
If you're doing this to attempt creating a secure VOIP setup, likely best to switch to a secure VOIP client, where security is handled at the VOIP layer. If you use a secure VOIP client, then you can drop the VPN setup for better call quality, because your connection speed will be higher.