SRX Services Gateway
Visitor
tasiopoulos@pasok.gr
Posts: 9
Registered: ‎02-25-2011
Accepted Solution

VoIP through route-based VPN


Hello all.

We are setting up a remote callcenter and I need to use some sort of VPN tunneling to route SIP data to our IP-PBX (asterisk). Currently we are using openvpn installed on each of the agents' machines but I am looking at a more streamlined solution.

Would a route-based VPN between the two sites (each has an SRX240) allow seamless communication between the clients and the PBX? Is NAT involved in any way? I've had bad experience with NAT and SIP and I'd like to avoid it. I plan to create one st0 in each site and put them in each side's trusted zones.

Site A will only export the subnet of the PBX and site B will only export the subnet of the clients.

Gabriel
Distinguished Expert
MMcD
Posts: 637
Registered: ‎07-20-2010

Re: VoIP through route-based VPN

Hi,

A straightforward route-based VPN should accomplish this for you; NAT would not be required for a basic configuration.

Have a look at the following configuration guide.

http://kb.juniper.net/InfoCenter/index?page=content&id=TN108&actp=LIST

MMcD [JNCIP-SEC, JNCIS-ENT, CCNA, MCP]
____________________________________________________

[Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too]
Visitor
tasiopoulos@pasok.gr
Posts: 9
Registered: ‎02-25-2011

Re: VoIP through route-based VPN

I've read the KB and I wonder if it would be necessary to create a new VPN zone.

On site A my PBX sits within 10.1.5.0/24

On site B my VoIP clients are within 10.85.86.0/24

There is no 10.1.5.0/24 in site B and no 10.85.86.0/24 in site A

So I was thinking of adding a numbered st0 in each site's trusted zone (to avoid inter-zone policies) and routing 10.85.86.0/24 through st0 in site A and 10.1.5.0/24 through st0 in site B.

Gabriel
Distinguished Expert
MMcD
Posts: 637
Registered: ‎07-20-2010

Re: VoIP through route-based VPN

Hi there,

There is no necessity to create a separate VPN zone; what you said is perfectly OK.

You can add the st0.x interface to each of the zones terminating each side of the VPN.

MMcD [JNCIP-SEC, JNCIS-ENT, CCNA, MCP]
Trusted Contributor
acooley
Posts: 117
Registered: ‎08-07-2010

Re: VoIP through route-based VPN

Hi Gabriel,

Technically you don't need to create a special zone, but I always do to create the security abstraction. You will also want to look at the ALGs on the SRX and make sure they are going to work for you. Most environments I've been in recently don't have any issues keeping the ALG on.

-Adam
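
The site A side of the design discussed in this thread, written out as Junos set commands. This is an added example, not configuration from any poster or from the Juniper KB article. The object names, the 10.255.255.0/30 tunnel subnet, the ge-0/0/0.0 external interface, the untrust zone name, and the peer address and key placeholders are assumptions; only 10.1.5.0/24 and 10.85.86.0/24 come from the thread.

```junos
# Site A (PBX side, 10.1.5.0/24). Site B mirrors this with 10.255.255.2/30
# on st0.0 and a static route for 10.1.5.0/24.

# Numbered tunnel interface (tunnel subnet is a constructed value)
set interfaces st0 unit 0 family inet address 10.255.255.1/30

# Tunnel placed in the existing trust zone, as proposed in the thread.
# PBX <-> tunnel traffic is then intra-zone and is matched by whatever
# "from-zone trust to-zone trust" policy is configured.
set security zones security-zone trust interfaces st0.0

# Route the remote VoIP client subnet into the tunnel (no NAT involved)
set routing-options static route 10.85.86.0/24 next-hop st0.0

# IKE phase 1 towards site B (placeholders must be replaced)
set security ike policy ike-pol-siteb mode main
set security ike policy ike-pol-siteb proposal-set standard
set security ike policy ike-pol-siteb pre-shared-key ascii-text "<PRE-SHARED-KEY>"
set security ike gateway gw-siteb ike-policy ike-pol-siteb
set security ike gateway gw-siteb address <SITE-B-PUBLIC-IP>
set security ike gateway gw-siteb external-interface ge-0/0/0.0

# Accept IKE on the Internet-facing interface
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike

# IPsec phase 2, bound to the tunnel interface (this makes it route-based)
set security ipsec policy ipsec-pol-siteb proposal-set standard
set security ipsec vpn vpn-siteb bind-interface st0.0
set security ipsec vpn vpn-siteb ike gateway gw-siteb
set security ipsec vpn vpn-siteb ike ipsec-policy ipsec-pol-siteb
set security ipsec vpn vpn-siteb establish-tunnels immediately

# After commit, from configuration mode: check the tunnel and see which
# ALGs (including SIP) are enabled before testing calls
run show security ipsec security-associations
run show security alg status
```

If the tunnel is moved to a dedicated zone instead, only the `security-zone` line changes and explicit policies between that zone and trust are then required for the SIP and media traffic.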