Four Major Updates for Proctor Labs Voice vRack Customers

By Mark Snow on August 28th, 2009

CCIE Voice Candidates (Mainly those ever renting Voice vRacks from Proctor Labs)

UPDATE FOR ALL VPNs – PLEASE READ IF YOU USE Proctor Labs vRacks

Four things have been changed to give everyone a much better experience when renting Voice vRacks from Proctor Labs. I’ll list each of them briefly here, and then go into more detail on each one of them regarding what each enhancement means for you as well as what you need to do to take advantage of the new changes.

  1. There is only ONE VPN group that is still functional.
  2. You can now connect your VPN (Hardware or Software) over TCP port 80 or 443.
  3. Network Extension Mode (NEM) is now supported for every Voice vRack.
  4. ASA5505 users’ VPNs *should* now work.

Details:

1) There is only ONE VPN group that is still functional

Everyone who connects to Proctor Labs Voice vRacks, and thus our VPNs, should by now have downloaded the latest VPN configuration file (either hardware or software) from their Voice vRack VPN webpage. This is the page you come to after you log in to ProctorLabs.com, and before you get to your actual vRack webpage (the page where you Load Lab Configs, Telnet to routers, Link to CUCM servers, etc).

This configuration file hasn’t changed for a number of months now – but just to be sure – you might want to check it.

This does two things for our clients:

  • Gives you a much simpler configuration. There is only 1 VPN configuration file that you will ever need to connect to our Voice vRacks – regardless of which Pod you are assigned from session to session.
  • Gives every client of ours peace of mind that when they rent a vRack session from us, they are not only guaranteed to connect to the correct Pod#, but there is also no chance that someone else could connect to their pod and accidentally overwrite their configuration. We do this by checking each login UserID against the timeslot and pod# rented, and then placing you dynamically in the proper VRF, where traffic from another vRack Pod can never route to yours.

Most of you (99%) will still be able to connect to VPN just fine – as you always have. However, if for some reason you cannot connect to your VPN session, take 2 minutes to simply check the “VPN Group Authentication Name” in your Software client to make sure the name and password are exactly as follows (respectively):

vpodgroup

proctorvoice

For you hardware VPN users – I have provided the configuration below:

crypto ipsec client ezvpn IPx-Voice-vRack
 group vpodgroup key proctorvoice

2) You can now connect your VPN (Hardware or Software) over TCP port 80 or 443.

Many people have reported not being able to connect their software or hardware client VPN to Proctor Labs. This most often occurs because an overly restrictive corporate or hotel firewall stands in their way, not allowing UDP 500 or UDP 4500 to pass through.

We have fixed this issue from our side and now allow users with Software (or Hardware) VPN clients to “tunnel” all traffic (both the IKE Phase 1 and the ESP Phase 2) over TCP. You can now connect to your Voice vRack VPN using TCP port 80 or TCP port 443 – either of these ports should allow you to connect with us.

For software VPN users, see somewhere about 3/4 of the way down on this page for a screenshot of “Tunneling” your VPN connection over TCP Port 80 or 443.

(This link shows TCP port 10001. Just change that to 80 or 443. Almost all firewalls allow web traffic – so unless they are doing DPI – you should connect).

http://tinyurl.com/VPN-Port-80-443

For hardware IOS VPN users, make the following change:

crypto ipsec client ezvpn IPx-Voice-vRack
 ctcp port 80

3) Network Extension Mode (NEM) is now supported for every Voice vRack.

I have now enabled (and tested thoroughly today) NEM for those of you using hardware-based VPN to connect your hardware IP phones to our Proctor Labs Voice vRacks. This will not work with software based VPNs.

This means that none of your traffic will have to NAT or PAT any longer to reach us – which should take care of the issues with phones not registering correctly, or registering and then potentially unregistering from the cluster when a call is made.

For hardware VPN users, make the following change:

crypto ipsec client ezvpn IPx-Voice-vRack
 mode network-extension

In order to use the Network Extension Mode, and also not to override any of the internal subnets for the Voice vRack Pod you are on, I have enabled a small set of subnets that you may use for your *inside* interface on your IOS Router or ASA.

They are:

192.168.X.0/24   Where X can equal any number 0 – 16.

so 192.168.0.0 , 192.168.1.0 , you get the picture.

Any other network on your inside – and we don’t redistribute it through the vRack (i.e. – No route back to you :)

If anyone “needs” any other networks – email support and let us know about them.

4) ASA5505 users’ VPNs *should* now work.

After having troubleshot people’s ASA 5505 connection problems multiple times, we always came back to the issue being a bug: the ASA was failing to PAT the traffic, and the ASA packet tracer would always tell us it was at that step that the ASA dropped the traffic. However, with the previous announcement that NEM is supported, this means no more NATing/PATing! Thus it *should* work fine with NEM enabled. (Read the “NOTE ABOUT SUBNETS FOR INSIDE INTERFACES” above!)

We say *should* because we don’t have an ASA5505 to test out the client side with. (anyone care to donate one?)

Also – every hardware VPN user – PLEASE CHECK your config to make sure that this line is in there:

crypto ipsec client ezvpn IPx-Voice-vRack
 connect manual

If you don’t have “connect manual” in there, then your router constantly tries to connect its VPN with us – but will always fail because it’s not always your time to rent a rack – and, in effect, performs a sort of mild DoS on our router.

As soon as we notice that type of repetitive traffic over a long period of time (not one or two or three failures when you are testing) – we have no choice but to block your source IP.

So all together – hardware IOS VPN users should have this config:

crypto ipsec client ezvpn IPx-Voice-vRack
 connect manual
 ctcp port 80
 group vpodgroup key proctorvoice
 mode network-extension
 peer 74.126.20.247
 xauth userid mode interactive
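
To check a router against the four points above before your session starts, here is a small linter (an added example, not Proctor Labs’ own tooling). It reads the ezvpn block from a saved running-config and takes the inside interface address as a second input; the function names and the BAD sample are hypothetical.

```python
import ipaddress

# The post routes back only 192.168.X.0/24 with X in 0..16 for NEM clients.
ALLOWED_INSIDE = {ipaddress.ip_network(f"192.168.{x}.0/24") for x in range(17)}

def ezvpn_block(config, name):
    """Return the sub-commands under 'crypto ipsec client ezvpn <name>'."""
    sub, inside = [], False
    for raw in config.splitlines():
        if raw.strip() == f"crypto ipsec client ezvpn {name}":
            inside = True
        elif inside and raw.startswith(" "):
            sub.append(raw.strip())
        elif inside:
            break  # first non-indented line ends the block
    return sub

def lint(config, name, inside_if):
    """Return findings for one client; an empty list matches the post."""
    sub = ezvpn_block(config, name)
    findings = []
    if "connect manual" not in sub:
        findings.append("connect manual missing: router retries outside its timeslot")
    if "mode network-extension" not in sub:
        findings.append("NEM not enabled: traffic is still NATed/PATed")
    for line in sub:
        if line.startswith("ctcp port ") and line.split()[-1] not in ("80", "443"):
            findings.append(f"{line}: only TCP 80 and 443 are offered")
    net = ipaddress.ip_interface(inside_if).network
    if net not in ALLOWED_INSIDE:
        findings.append(f"inside subnet {net}: no route back from the vRack")
    return findings

# Constructed samples: GOOD is the consolidated config from the post,
# BAD is a hypothetical client that breaks all four rules.
GOOD = """crypto ipsec client ezvpn IPx-Voice-vRack
 connect manual
 ctcp port 80
 group vpodgroup key proctorvoice
 mode network-extension
 peer 74.126.20.247
 xauth userid mode interactive
"""
BAD = """crypto ipsec client ezvpn IPx-Voice-vRack
 connect auto
 ctcp port 10001
 mode client
 peer 74.126.20.247
"""
```

Calling lint(GOOD, "IPx-Voice-vRack", "192.168.5.1/24") returns an empty list; the BAD sample with an inside address of 10.1.1.1/24 returns one finding per rule.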

So all together – hardware ASA5505 VPN users should have this config:

vpnclient server 74.126.20.247
vpnclient mode network-extension-mode
vpnclient vpngroup vpodgroup password proctorvoice
vpnclient ipsec-over-tcp port 80
vpnclient enable

In the (slightly modified) words of Napoleon Dynamite:

I hope your wildest [CCIE studying] dreams come true,

Mark Snow
