VPNs and VoIP – Getting Connected!
We see a lot of VoIP deployments that come to us for troubleshooting. A common problem statement is that the HQ site can call both Chicago and Dallas, but Dallas and Chicago can’t call each other. A savvy network administrator will have figured out that this is a routing issue, but how? Clearly HQ knows how to reach each remote site and the remote sites know how to reach HQ, so where is the breakdown? At about this time we learn they have VPNs providing tunnel connections to each location, and it all becomes clear.
The standard “tunnel” solutions currently available include IP Security (IPsec), GRE, Easy VPN and the newer “tunnel-less” Group Encrypted Transport VPN (GET VPN). Most folks pick plain IPsec for connectivity and, because an IPsec tunnel is an inherently point-to-point technology, end up with the problem statement summarized above: each spoke has a tunnel to HQ and nothing else. The quick fix is to make HQ relay the traffic, adding each remote LAN to the other spoke’s crypto ACL on both ends, but that hairpins every Dallas-to-Chicago call through HQ and adds latency and load there. Even a hub-and-spoke design is not ideal unless it also makes spoke-to-spoke connectivity possible. Ideally, we configure our VPN so Dallas can communicate with Chicago without passing through HQ at all!
IPsec is really an encryption and authentication technology that enables secure communication across the public Internet, and it is the usual choice in multi-vendor deployments. A classic IPsec tunnel (crypto map) carries only unicast IP, so the multicast hellos used by dynamic routing protocols such as OSPF and EIGRP cannot cross it, and those protocols cannot be used to solve our issue. For this reason, many deployments use GRE over IPsec: GRE to carry the routing protocol (along with any multicast or non-IP traffic), IPsec to provide authentication and encryption. We are still, however, in point-to-point mode: a GRE tunnel has exactly two endpoints, so a simple full mesh of N sites needs N(N-1)/2 tunnels, every one of them configured by hand.
The smart money is on the Next Hop Resolution Protocol (NHRP) as used in DMVPN and FlexVPN. A multipoint GRE tunnel with NHRP lets spokes register with the hub and then resolve each other’s public addresses on demand, building direct spoke-to-spoke tunnels while IPsec still provides encryption and data integrity. GET VPN reaches the same any-to-any goal a different way: it keeps the original IP header and distributes group keys through GDOI, so it needs no tunnels at all, but it does need an underlying network that already routes between every site, which makes it a fit for a private MPLS WAN rather than the public Internet. In the problem statement above, had we installed DMVPN (or GET VPN over a private WAN), the Chicago and Dallas sites could communicate directly without having to route through HQ at all.