
VoIP and VPN


Bill32179 (MIS), Jan 3, 2008, US
We have a WatchGuard Firebox Core x750 at our main office with about 20 WatchGuard Firebox Edge x10e units connected into it via VPN. The Edges create a VPN for our phone system which allows the 20 at-home agents to connect into our call center via VoIP.

All of the VPNs work great, as well as the VoIP phones. The problem we're having is that one at-home agent cannot call another. The at-home agents can call into the office and speak with anyone but cannot reach anyone at home (they get a busy signal).

The design of our phone system is to drop out and let the two phones talk directly when it senses both phones are IP. We spoke with our phone vendor and they informed us that this cannot be changed. Our main office is on the 10.182.1.x subnet and our remotes are on the 10.183.x.x subnet. WatchGuard told us that we needed to create a tunnel for each BOVPN to allow both 10.182.1.0/24 and 10.183.0.0/16 which we did.

After we did this the at-home agents could now talk to one another. The issue we're faced with now is that if they don't call each other about every 10 - 15 minutes the tunnel seems to die out, which pretty much brings us back to our first problem.

I was wondering if anyone knew of a way to keep the tunnels active indefinitely. At first we were using the VPN Keep Alive within the Firebox Edge; however, it appears to only allow up to six entries.
 


Phase 1 advanced settings:

SA life: 24 hours

IKE keep alive: enabled

Phase 2 proposal:

Disabled force key expiration.



On my old WatchGuard I set a continuous ping from one of my servers across my VPN.

But I haven't needed to do this with my x750. Are you using Fireware?
 
One dirty way is to make sure something talks over the network with a shorter periodicity than the expiry.

In the worst case a ping, but if you have AD controllers why not allow them to replicate from branch to branch too.

HelenP's suggestion is the best though!
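A host-side keepalive poller in the spirit of the continuous-ping suggestion in the replies above, added here as an example and not something posted in this thread or shipped by WatchGuard. It assumes a Linux host on the main-office subnet with GNU ping, and one reachable host behind each remote Edge; the 10.183.x.x peer addresses and the 120-second interval are constructed placeholders. Unlike a bare ping loop it records up/down transitions per peer, so a tunnel that idles out is logged with a timestamp instead of being discovered as a busy signal, and it is not limited to six entries the way the Edge's built-in keepalive is.

```shell
#!/bin/sh
# Tunnel keepalive poller (example, not WatchGuard code).
# Pings one host behind each remote Firebox Edge more often than the tunnel's
# idle timeout and logs state changes to stderr.

# Constructed sample peers: one host per at-home 10.183.x.x subnet (assumption).
PEERS="${PEERS:-10.183.1.10 10.183.2.10 10.183.3.10}"
INTERVAL="${INTERVAL:-120}"               # seconds between cycles; keep it well under the idle timeout
PING_CMD="${PING_CMD:-ping -c 1 -W 2}"    # GNU ping: one echo request, 2 s reply timeout
STATE_DIR="${STATE_DIR:-/tmp/vpn-keepalive}"

# probe_peer HOST -> exit 0 if HOST answered one echo request.
probe_peer() {
    $PING_CMD "$1" >/dev/null 2>&1
}

# run_cycle: probe every peer once, print "HOST up|down" per peer on stdout,
# and write a timestamped line to stderr whenever a peer changes state.
run_cycle() {
    mkdir -p "$STATE_DIR"
    for host in $PEERS; do
        if probe_peer "$host"; then now=up; else now=down; fi
        last=$(cat "$STATE_DIR/$host" 2>/dev/null || echo unknown)
        if [ "$now" != "$last" ]; then
            echo "$(date '+%Y-%m-%d %H:%M:%S') $host $last -> $now" >&2
            echo "$now" > "$STATE_DIR/$host"
        fi
        echo "$host $now"
    done
}

# count_down: number of peers that did not answer in one cycle.
count_down() {
    run_cycle 2>/dev/null | grep -c ' down$' || true
}

# Usage: sh keepalive.sh loop   (run forever)
#        sh keepalive.sh once   (single cycle, e.g. from cron)
case "${1:-}" in
    loop) while :; do run_cycle; sleep "$INTERVAL"; done ;;
    once) run_cycle ;;
esac
```

Run it from cron (`once`) or as a service (`loop`); because the interval is shorter than the tunnel's idle timeout, the Phase 2 SA never goes quiet long enough to be torn down, and the stderr log tells you which Edge dropped and when.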
 