sundance-communications.com/forum Forums Computers & Programming Computers, Software, Accessories SIP over VPN

I know this should maybe go in the Comdial forum, but at this point the question is more data-related. I currently am trying to setup a customer with a Comdial MP5000 SIP server, with Comdial's SIP hardware phones and software phones at multiple branch offices. Comdial requires VPN between each branch office and the main office. Because SIP protocol has the MP5000 building the call and then handing it off to the endpoints (in this case, phones at two different branch offices), the router at the main office is what is bridging the VPN tunnel going to Branch A and the VPN tunnel going to Branch B.

Now for the problem. The customer is using Linksys' newer VPN routers. The main office has the 16-port VPN router that supports something like 50 tunnels. The branch offices each have the 4-port VPN router that support up to 30 tunnels. Calls between the branch office and the main office work great, as do calls from the branch, going thru the MP5000 to the outside world. The problem is when one branch tries calling another branch. The phone will ring, because the MP5000 is still involved. When it tries to hand off to the endpoints, the call is dropped. Linksys says their router won't allow one VPN to see the other VPN, even though they both terminate at the same router. They say I must build a third VPN tunnel between the branch offices. This is complex, since there are 8 branch offices, each of which would have to have tunnels to each of the other location. That's not my question. My question is whether or not the SIP protocol will hand off the call established on the original two tunnels over to the 3rd, separate tunnel. I also wonder if anyone knows of a work-around. I would think creating a route at the main office's router would correct this, but Linksys is saying there is NO other way to set this up besides the additional tunnel. Any ideas?

Because they have already made the investment in the Linksys products, I'm trying to stick with them. Comdial only supports a Microsoft VPN solution and a Cisco VPN solution. Any suggestions are greatly appreciated!

Wow! Still no replies. Well, we tried the multiple VPN tunnels (each site connected to all other sites), and so far it seems to work. That was in a lab setup. We're gonna be trying some real-world stuff tomorrow. I also found out that a Cisco VPN Concentrator will work with the Linksys VPN Routers. In case anyone is interested...

It should they are the same company.

You are dealing with the limitations of NAT my friend.

At the 'hub' location, you need to move up from the Linksys to a small Cisdo router. This will let you bridge multiple VPN's. An alternative is to move to a small Cisco PIX (like a 501). This will also let you bridge multiple VPN's.

I have not tried doing this with the Linksys product, but I have done your scenario with the Zyxel and fewer branch office locations (3) for an Avaya IP office. You are right, it gets very, very messy. Then Avaya took out external connectivy not done 100% through their product.

PIX's aren't too expense, and only somewhat difficult to configure. You can buy as many VPN server/clients as you need. It's just time consuming to setup until you get proficient. The Linksys client works great with the PIX or a full Cisco router.

good luck.

I guess I forgot to update our progress. We ended up going with a Cisco VPN Concentrator at the main office where the MP5000 is located, and kept the Linksys VPN routers at the remote locations. This works very well. I think one of the biggest problems with the Linksys products was and is that they are still very buggy, and the support for them is terrible. The customer ended up purchasing a service agreement with Cisco that gives them support over the phone, and quick replacement of all of their Cisco products as needed, if and when something fails. They are happy, and the SIP stuff is working pretty well.