Site-to-site VPN, all works but Voice…

  • hi,

    I have two sites that are connected by the site-to-site VPN with auto-IKE.

    The VPN works fine, with all HTTP, FTP and database traffic going through the VPN between the two sites.  However, some Voice over IP traffic (from UDP port 28xxx to UDP port 28xxx) between the PBX servers is escaping the VPN tunnels.

    The PBX servers are behind the Netscreen firewalls (5GT) as follows:

    phone – pbx – 5GT ===( VPN )=== 5GT – pbx – phone

    The policies are already set to “all traffic from site 1 to site 2 goes into the VPN tunnel”.  Are there any hints I can look into to force all UDP traffic into the VPN as well?

    thanks a lot for this!

  • thanks much.

    eventually I added another policy to capture the specific traffic into the VPN before the general tunneling policy.

    I’ve found another problem: the PBX server sometimes sends packets to the destination with the real IP address, and I need to ‘clamp’ it into the VPN tunnel and perform the destination NAT at the same time; however, the Netscreen doesn’t allow me to do that.

    Specifically,

    from the PBX, it sends a packet
    from (IP of the PBX server) to (the public IP of the PBX server of the other site)

    I wish to destination-NAT it to (the IP of the PBX server of the other site)

    and force it into the VPN.

    There is another policy that forces all traffic from 192.168.3.x to 192.168.1.x into the VPN tunnel.

    Is that possible?  It looks like I need something like chaining two policies together?

    I’ve been driven crazy by this…

    If the service in your policy says ‘any’, UDP traffic should also be tunneled without a problem (if UDP ‘hits’ that policy; I mean that you don’t have a policy above it that catches your UDP traffic).

    Are you sure the gateways (PBX) have their routing set up right?
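The two behaviours the thread turns on, first-match policy ordering (the last reply) and a specific NAT-plus-tunnel policy placed above the general LAN-to-LAN tunnel policy (the second post), can be illustrated with a small lookup model. This is an added example, not ScreenOS configuration and not the poster's real policies; the networks, the PBX addresses and the policy names are constructed placeholders, and the model assumes a single policy may both rewrite the destination and send the packet into the tunnel, which is what the second post asks for.

```python
# Added example: a toy first-match policy lookup. Not ScreenOS syntax and not the
# poster's real configuration; every address and policy name below is a constructed placeholder.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Policy:
    name: str
    src: str                        # source network, CIDR
    dst: str                        # destination network, CIDR
    service: str                    # "any", "tcp" or "udp"
    action: str                     # "tunnel" (into the VPN) or "permit" (routed in the clear)
    dst_nat: Optional[str] = None   # rewrite the destination before forwarding, if set


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


# Constructed topology (placeholders, not the thread's real addresses).
LOCAL_LAN = "192.168.3.0/24"
REMOTE_LAN = "192.168.1.0/24"
LOCAL_PBX = "192.168.3.10"
REMOTE_PBX_PRIVATE = "192.168.1.10"
REMOTE_PBX_PUBLIC = "203.0.113.10"   # TEST-NET-3 documentation range


def matches(policy: Policy, pkt: Packet) -> bool:
    """True when the packet's addresses and protocol fall inside the policy."""
    return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(policy.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(policy.dst)
            and policy.service in ("any", pkt.proto))


def lookup(policies: List[Policy], pkt: Packet) -> Tuple[Optional[str], str, str]:
    """First matching policy wins, as on a firewall policy list.

    Returns (policy name, effective destination after any dst-NAT, path), where
    path is "vpn", "clear" or "drop" when no policy matched.
    """
    for p in policies:
        if matches(p, pkt):
            path = "vpn" if p.action == "tunnel" else "clear"
            return p.name, (p.dst_nat or pkt.dst), path
    return None, pkt.dst, "drop"


# Constructed sample traffic: a VoIP packet to the remote PBX's private address,
# and the same packet addressed to the remote PBX's public address instead.
VOIP = Packet(LOCAL_PBX, REMOTE_PBX_PRIVATE, "udp", 28000)
VOIP_TO_PUBLIC = Packet(LOCAL_PBX, REMOTE_PBX_PUBLIC, "udp", 28000)

GENERAL_TUNNEL = Policy("lan-to-lan-vpn", LOCAL_LAN, REMOTE_LAN, "any", "tunnel")
PERMIT_ANY_OUT = Policy("permit-any-out", LOCAL_LAN, "0.0.0.0/0", "any", "permit")
# Specific policy: PBX to the remote PBX's public IP, dst-NAT to its private IP, into the tunnel.
PBX_PUBLIC_TUNNEL = Policy("pbx-public-into-vpn", LOCAL_PBX + "/32", REMOTE_PBX_PUBLIC + "/32",
                           "udp", "tunnel", dst_nat=REMOTE_PBX_PRIVATE)


def path_when_permit_any_is_first() -> str:
    """A broader policy listed above the tunnel policy catches the UDP first."""
    return lookup([PERMIT_ANY_OUT, GENERAL_TUNNEL], VOIP)[2]


def path_when_tunnel_is_first() -> str:
    """With the tunnel policy on top, the same UDP packet goes into the VPN."""
    return lookup([GENERAL_TUNNEL, PERMIT_ANY_OUT], VOIP)[2]


def pbx_to_public_ip_without_fix() -> Tuple[str, str]:
    """The PBX addresses the remote PBX by public IP: the LAN-to-LAN policy does not match."""
    _, dst, path = lookup([GENERAL_TUNNEL, PERMIT_ANY_OUT], VOIP_TO_PUBLIC)
    return dst, path


def pbx_to_public_ip_with_fix() -> Tuple[str, str]:
    """The specific NAT-plus-tunnel policy placed above the general one captures it."""
    _, dst, path = lookup([PBX_PUBLIC_TUNNEL, GENERAL_TUNNEL, PERMIT_ANY_OUT], VOIP_TO_PUBLIC)
    return dst, path


if __name__ == "__main__":
    print("permit-any first:", path_when_permit_any_is_first())
    print("tunnel first:", path_when_tunnel_is_first())
    print("to public IP, no fix:", pbx_to_public_ip_without_fix())
    print("to public IP, with fix:", pbx_to_public_ip_with_fix())
```

The model only covers policy order; it does not perform the route lookup a real firewall does before or alongside policy matching, which is the routing question the last reply raises, and it does not settle whether a given ScreenOS release accepts destination NAT and a tunnel action in one policy.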