VoIP over VPN problem

Hi,

I have a problem establishing a call session between two sites over a GRE tunnel with IPsec. The tunnel is up but I am unable to set up a call. I think the problem is NAT but I don't know how to fix it. It seems like the traffic was blocked at the beginning of the tunnel.

You can see the configuration files attached.

 

Best Regards,

 

Aristide
Aristide Akaffou Asked:

David Favor (Linux/LXD/WordPress/Hosting Savant) Commented:
Or somewhere along the line of your VPN is blocking either ports or IPs.

Turn off your VPN first + retry.

If this works, turn on your VPN. If you can look at Websites + not make calls, likely this means someone is blocking your VOIP call port from the outdrop (IP) your VPN is using.

You can always connect through another region to get another IP.

Switching regions or just doing a VPN reconnect will likely give you a new IP. If this helps at all, likely this will only help for a while + the block will occur again in the future.

If you're doing this to attempt creating a secure VOIP setup, likely best to switch to a secure VOIP client, where security is handled at the VOIP layer. If you use a secure VOIP client, then you can drop the VPN setup for better call quality, because your connection speed will be higher.
noci (Software Engineer) Commented:
There can be filters on the tunnel blocking some traffic. Check this by doing a tshark/tcpdump/wireshark dump on both sides and see what gets across.
It may very well be routing on the other side has trouble finding the way back...

Lots of if's...
Can you provide more info on the setup?
(Left & right side address ranges, and all possible routing in view.)
The config files seem to be missing from the post.
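The both-sides capture comparison noci suggests, as an added example that is not part of the original thread: it parses `tcpdump -nn` text output from each site and classifies every voice flow as passed, source-rewritten, or missing. The sample captures, host addresses and the translated address 203.0.113.7 are constructed; the two voice subnets are the ones the asker lists further down.

```python
import ipaddress
import re

# Matches the address/port part of a `tcpdump -nn` IPv4 line.
LINE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")
CI_VOICE = ipaddress.ip_network("10.2.2.0/24")       # voice VLAN, CI site (from the thread)
LB_VOICE = ipaddress.ip_network("192.168.150.0/24")  # voice VLAN, Lebanon site (from the thread)

# Constructed sample captures (not taken from the asker's network).
NEAR_SAMPLE = """\
12:00:01.100000 IP 10.2.2.11.5060 > 192.168.150.20.5060: SIP: OPTIONS sip:192.168.150.20 SIP/2.0
12:00:01.200000 IP 10.2.2.10.5060 > 192.168.150.20.5060: SIP: INVITE sip:200@192.168.150.20 SIP/2.0
12:00:01.900000 IP 10.2.2.10.16384 > 192.168.150.20.16384: UDP, length 172
12:00:02.000000 IP 192.168.30.5.51000 > 131.107.0.9.443: Flags [S], seq 1, win 64240, length 0
"""
FAR_SAMPLE = """\
12:00:01.150000 IP 10.2.2.11.5060 > 192.168.150.20.5060: SIP: OPTIONS sip:192.168.150.20 SIP/2.0
12:00:01.250000 IP 203.0.113.7.1024 > 192.168.150.20.5060: SIP: INVITE sip:200@192.168.150.20 SIP/2.0
"""

def flows(capture):
    """Return the set of (src, sport, dst, dport) tuples found in tcpdump text."""
    matches = (LINE.search(line) for line in capture.splitlines())
    return {(m[1], int(m[2]), m[3], int(m[4])) for m in matches if m}

def in_net(addr, net):
    return ipaddress.ip_address(addr) in net

def compare(near, far, src_net=CI_VOICE, dst_net=LB_VOICE):
    """Classify each voice flow sent at the near side by what the far side saw."""
    far_flows = flows(far)
    result = {}
    for flow in sorted(flows(near)):
        src, _sport, dst, dport = flow
        if not (in_net(src, src_net) and in_net(dst, dst_net)):
            continue  # not voice-VLAN to voice-VLAN traffic
        if flow in far_flows:
            result[flow] = "passed"
        elif any(d == dst and dp == dport and not in_net(s, src_net)
                 for s, _sp, d, dp in far_flows):
            # Same destination reached, but from an address outside the voice VLAN.
            result[flow] = "source rewritten (NAT applied before the tunnel?)"
        else:
            result[flow] = "missing at far side"
    return result

if __name__ == "__main__":
    for flow, verdict in compare(NEAR_SAMPLE, FAR_SAMPLE).items():
        print(flow, "->", verdict)
```

Run it a second time with the captures and subnets swapped to check the return path, which is the other failure noci mentions.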
N. Spears (Sr.Net.Eng) Commented:
If you are using GRE, it sounds like you are using a routed VPN with VTIs. Ensure that the routing for your voice traffic is pointed to the tunnel interface or far end of the VPN's tunnel interface.
N. Spears (Sr.Net.Eng) Commented:
Please post the configuration file. I don't see one attached.
Aristide Akaffou (Author) Commented:
Hi Soulja,
You can see the files attached.
The network addresses you have to consider:

For CI:

192.168.30.0/24 : data vlan
10.2.2.0/24: Voice vlan
160.120.120.216: public IP address

For Lebanon:

131.107.0.0/16: data vlan
192.168.150.0/24: voice vlan
77.42.156.122 ; 212.40.132.22: Public IP address


Best Regards,

Aristide
architecture-voip.PNG
Sh-run-CI.txt
sh-run-lebanon.txt
N. Spears (Sr.Net.Eng) Commented:
For your VPN, what is the status of your IPsec SAs?


sh crypto ipsec sa

Also, what is your EIGRP routing looking like?

sh ip eigrp neighbors
sh ip route eigrp or sh ip route 192.168.150.0 from the CI router. sh ip route 10.2.2.0 from the Lebanon router.
Aristide Akaffou (Author) Commented:
Hi Soulja,
The status of sh crypto ipsec sa is idle.

EIGRP adjacency is established; I can ping each of the two sites.


Best Regards,

Aristide
N. Spears (Sr.Net.Eng) Commented:
I see the ASA in the diag. Is it allowing your VOIP traffic through? You have a lot of pieces in play in order to troubleshoot this in this forum. Please provide as much detail as possible. You provided the router configs, but there are many more points of failure for connectivity in this scenario.
Aristide Akaffou (Author) Commented:
OK, I can provide the ASA configuration. I have permitted the traffic in the ASA.
asa310818.txt
Aristide Akaffou (Author) Commented:
Hi Guys,
Any update?

Best Regards,

Aristide