Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Rhinorhino on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

IP Phones over IPSec VPN

Status
Not open for further replies.
davea2

davea2

Technical User
Joined
Mar 14, 2005
Messages
742
Location
GB
Hi
I have deployed 1616 handsets over an IPSec VPN to a remote server edition.

This all works fine however when the IKE Phase 2 SA expires the phones drop and do not necessarily reconnect.
The default for most routers/firewalls on Phase 2 expiry is 3600 seconds so I have increased this to 86400 seconds (maximum)
however this still means that the Phones will drop every 24 hours and possible not automatically reconnect.

Has anyone else come across similar issues and a workaround?

Cheers

Dave

 
Sort by date Sort by votes
Renegotiating the VPN tunnel should not cause the tunnel to drop

therefore as with all VoIP issues I would say you need to investigate your data network , in this case concentrating on your VPN


Do things on the cheap & it will cost you dear
 
Upvote 0 Downvote
What VPN routers are you using?
I've had this issue with Cisco.

You need to configure the VPN to not drop during rekey, probably it's finding some issues with the rekey forcing it to rebuild the VPN.

"Trying is the first step to failure..." - Homer
 
Upvote 0 Downvote
IPGuru you may well be right about SA expiry, the VPN has had a drop since it set the expiry to 24 hours.

I have a Draytek at one end and an Opnsense Linux VM at the other
 
Upvote 0 Downvote
The VPN doesn't have to drop, it's probably dropping since you have different appliances on each end and they don't get along during rekey.

If you would have for example Draytek (not that I personally like them but =) on each end it wouldn't be an issue.

"Trying is the first step to failure..." - Homer
 
Upvote 0 Downvote
Yeah, the Draytek implementation of IPSec is a little restricted!
 
Upvote 0 Downvote
Maybe the same issue me (and Daken) had before.

Make sure you disabled 'media security' on all 16xx extensions, since the 16xx does not support this, and randomly disconnects.
 
Upvote 0 Downvote
Hmm. the VPN drops regularly about every 47 minutes....
 
Upvote 0 Downvote
You still have the Phase 1 timer.

The easiest way out is to have the same brand of VPN router on each end.
You can get it to work if you lucky if they have the exact same settings on both ends, that can be difficult since their settings differ.
But you'll probably spend hours (read days) trying to get this to work.

Had the same issue with a Juniper SRX once, it would play nice with most brands of FWs but not with Cisco. Although Cisco is a bit picky so it doesn't always wanna play with others.


"Trying is the first step to failure..." - Homer
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Tripoth
  • Question Question
Move IP Office server edition over to Nutanix
Replies
4
Views
296
derfloh
derfloh
phoneguy427
  • Locked
  • Question Question
Networked IP office ringing over amplifier
Replies
4
Views
699
phoneguy427
phoneguy427
pontim
  • Locked
  • Question Question
Avaya SBC delivering Certificate to j129 phones over port 443
Replies
5
Views
722
derfloh
derfloh
pontim
  • Locked
  • Question Question
Certificate warning on 9641 phones
Replies
2
Views
438
pontim
pontim
TnPtech
  • Locked
  • Question Question
Avaya IP Office -IP phone issue.
Replies
17
Views
2K
MikeeOK
MikeeOK

Part and Inventory Search

Sponsor

Back
Top