[cisco-voip] SEP.cnf.xml with VPN phone/config

Jared Mauch jared at puck.nether.net
Mon Mar 7 15:27:46 EST 2011


On Mar 7, 2011, at 2:56 PM, Ryan Ratliff wrote:

> One challenge you'll face is that the 40s and 60s were designed specifically for interoperability.  The later phones were not designed nor tested for the same interoperability that the earlier phones were and as such are not supported with 3rd party PBXs at all.

Yes.  We have noticed :)

Still has not prevented us from using this excellent hardware with our 3rd party solutions, but it also creates barriers when the XML parser rejects strictly valid XML, or when it sees an unknown object from a newer/older firmware revision and stops parsing the config...

> To that end they don't support the same NAT features that the earlier phones did (coincidentally I didn't know those were there until you mentioned them, so thanks!) and I don't imagine they ever will unless interop with 3rd party PBXs is deemed a requirement by the PTB.

Can you (or someone) share the VPN config bits so I can work on this solution while I'm waiting for the rest of my CCM bundle to ship?

As a secondary question, when the phones do their TFTP for image upgrade, if the server is not on the local LAN, the TFTP is very slow. Is there a good workaround for this for our home users, or will they be required to wait ~20-30 minutes to have upgraded firmware delivered?  (i.e., can we put this on an HTTP/FTP/HTTPS solution?)

Also, are you aware if the NSSTG team fixed the SIP-ALG implementation that would break non-Cisco SIP traversal (e.g., Apple iChat A/V)?

- Jared

> 
> -Ryan
> 
> On Mar 7, 2011, at 1:27 PM, Jared Mauch wrote:
> 
> I've had good luck with it without NAT.
> 
> - Jared
> 
> On Mar 7, 2011, at 12:41 PM, Peter Slow wrote:
> 
>> SIP on those phones is basically proprietary in the first place -
>> Forgive my ignorance, but has there been any decent amount of success
>> getting newer phones to work with your 3rd party SIP solution
>> _without_ there being a VPN involved in the first place?
>> 
>> On Mon, Mar 7, 2011 at 12:21 PM, Jared Mauch <jared at puck.nether.net> wrote:
>>> The 7970, 7965, 7975 lack the natreceivedprocessing support that exists in the 7940/7960 firmware.
>>> 
>>> I can share some pcaps with you, but what happens is the phone does not see the replies from the SIP proxy, or does not associate them during the SIP register replies.
>>> 
>>> - Jared
>>> 
>>> On Mar 7, 2011, at 12:19 PM, Ryan Ratliff wrote:
>>> 
>>>> I'm curious what makes you feel the phones are horrible at NAT traversal.  Is there a particular behavior they do or are not doing that could improve behavior with NAT?
>>>> 
>>>> The built-in VPN for the phones is very much tied into the provisioning they get from CUCM.  I don't believe you are going to get very far trying to do it without one, but I'm sure the community would be interested in seeing how you do.
>>>> 
>>>> -Ryan
>>>> 
>>>> On Mar 7, 2011, at 10:16 AM, Jared Mauch wrote:
>>>> 
>>>> I'm looking to use a 3rd party SIP solution and VPN system and wanted to try to make it work while we wait for our CM to ship.
>>>> 
>>>> The java/cnu based phones are horrible at NAT traversal and I want to run a PPTP or other VPN solution actually on the IP PBX so the phones can work around the broken NAT.  If someone from Cisco wants to contact me off-list (we have TAC support, so I can open a case as well) I'd be happy to work with you to help solve these defects.
>>>> 
>>>> I'm working with the 7965 and 7975 phones.  To have VPN support one needs to run the 9.X firmware.
>>>> 
>>>> (Still waiting on my CM to ship -- send me ~30 phones and no CM and I'll make it work with our existing IP PBX :).
>>>> 
>>>> - Jared
>>>> 
>>>> On Mar 7, 2011, at 10:12 AM, Scott Voll wrote:
>>>> 
>>>>> What version of ASA / CM are you using?
>>>>> 
>>>>> I think this is only supported if you have at least ASA FOS 8.2 or 8.3 (I can't remember) AND CM 8.X
>>>>> 
>>>>> In the past, I have used an ASA 5505 with a Site to Site VPN and used the PoE ports to power the Phone.  Worked very well and with the cost of an ASA 5505 as low as it is..... It might be a good option.
>>>>> 
>>>>> YMMV
>>>>> 
>>>>> Scott
>>>>> 
>>>>> On Fri, Mar 4, 2011 at 4:18 PM, Jared Mauch <jared at puck.nether.net> wrote:
>>>>> Can someone please send me a copy of your config file that is using the VPN for a home user?  I'd like to compare these settings to what I am trying to do here.
>>>>> 
>>>>> I would really appreciate it.  You can obfuscate any IP/Name/password configs you want.
>>>>> 
>>>>> Bonus if you are using something like PPTP with a 7965 or 7975 and SIP.
>>>>> 
>>>>> Much appreciated!
>>>>> 
>>>>> - Jared Mauch
>>>>> _______________________________________________
>>>>> cisco-voip mailing list
>>>>> cisco-voip at puck.nether.net
>>>>> https://puck.nether.net/mailman/listinfo/cisco-voip
>>>>> 