This solution applies to all Barracuda SSL VPNs.
Using an IP phone through your Barracuda SSL VPN requires additional configuration outside the SSL VPN itself.
When a client is connected to a network using Network Connector, machines on the target LAN can only communicate with that client machine and nothing else on the local network. An IP phone would be considered a separate device on the local network.
In order to use an IP phone, the following four things will need to be set up:
- The default gateway on the client’s network needs a route added for the target corporate LAN that directs packets via the Network Connector client’s local IP.
- The client that will run Network Connector needs to be configured with IP routing.
- The Network Connector client configuration needs to be configured with a static IP that this one client machine (and ONLY that machine) will use. This is needed for the next step to work.
- The default gateway on the target corporate network needs a route added for the client’s local network, pointing to the client’s Network Connector assigned IP address.
Steps 1 and 2 are required to allow the phone to get its packets into the corporate LAN. Steps 3 and 4 are required to allow the corporate LAN to reply back to the phone.
See the example below:
Corporate network: 10.10.0.0/24
SSL VPN IP: 10.10.0.5
Corporate network gateway: 10.10.0.1
Corporate VoIP exchange IP: 10.10.0.254
Network Connector DHCP range: 10.10.0.100 – 10.10.0.150
Client network: 192.168.0.0/24
Client local IP: 192.168.0.50
Client local gateway: 192.168.0.1
Phone IP: 192.168.0.75
- The phone will be configured to use 192.168.0.1 as its default gateway and will send all data through that gateway – even for its target address (10.10.0.254) of the VoIP exchange. Therefore the local gateway needs to know where to send packets destined for 10.10.0.0/24, so we will need to add a route on this local gateway to send all 10.10.0.0/24 packets to the local IP of the machine that will run Network Connector (192.168.0.50).
- Network Connector is not set up by default to route these incoming packets from the default gateway through its virtual interface. You need to set up IP routing on the box. On Windows, this is done as follows:
To enable routing the IPEnableRouter value in the registry must be set to ‘1’.
Locate the IPEnableRouter parameter in the registry. It is located under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters.
Change the value from ‘0’ to ‘1’.
- In the Network Connector client configuration, you need to define an IP address rather than the default method of leaving that field blank. Set this IP to one of the addresses that would normally be given out in the DHCP range (and then modify the DHCP scope accordingly in the server interface to make sure it does not get assigned any other way), so we will have 10.10.0.100 defined. This configuration should only ever be launched by this one client, so make sure it is in a policy that only the user of this machine can access. If you have multiple client machines that all have IP phones, then you will need separate Network Connector configurations for each client. This static address is required in order for the final step to work and allow us to reliably get return packets to be sent back to the
- On the default gateway on the corporate LAN, you then need to define how to route back to the client’s own 192.168.0.0/24 network so that the VoIP exchange can get data back to the phone. You would do this by configuring the network 192.168.0.0/24 to go via the Network Connector IP address that the client has (10.10.0.100).
If you have multiple client networks with phones all on the same 192.168.0.0/24 range, you may have to further restrict the route on the gateway to point to the particular IP of the VoIP phone, something like 192.168.0.75/32 perhaps.
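The following is an added example, not Barracuda code: a small Python model of the example network above that traces a packet hop by hop using longest-prefix route matching, to show which direction fails when one of the four steps is missing. The node names, the `build`, `lookup`, `owner` and `trace` functions, and the assumption that the tunnel places the client on-link to 10.10.0.0/24 are constructed for illustration.

```python
import ipaddress

def build(step1=True, step2=True, vpn_ip="10.10.0.100", step4=True):
    """Constructed model of the example network. vpn_ip is the client's Network
    Connector address (step 3 pins it). next_hop None means 'on-link'."""
    nodes = {
        "phone":    {"ips": ["192.168.0.75"], "fwd": False,
                     "routes": [("192.168.0.0/24", None), ("0.0.0.0/0", "192.168.0.1")]},
        "local_gw": {"ips": ["192.168.0.1"], "fwd": True,
                     "routes": [("192.168.0.0/24", None)]},
        # Assumption: the tunnel makes the client on-link to the corporate LAN.
        "client":   {"ips": ["192.168.0.50", vpn_ip], "fwd": step2,  # step 2
                     "routes": [("192.168.0.0/24", None), ("10.10.0.0/24", None)]},
        "corp_gw":  {"ips": ["10.10.0.1"], "fwd": True,
                     "routes": [("10.10.0.0/24", None)]},
        "exchange": {"ips": ["10.10.0.254"], "fwd": False,
                     "routes": [("10.10.0.0/24", None), ("0.0.0.0/0", "10.10.0.1")]},
    }
    if step1:  # route on the client-side gateway towards the corporate LAN
        nodes["local_gw"]["routes"].append(("10.10.0.0/24", "192.168.0.50"))
    if step4:  # static return route on the corporate gateway
        nodes["corp_gw"]["routes"].append(("192.168.0.0/24", "10.10.0.100"))
    return nodes

def lookup(routes, dst):
    """Longest-prefix match. Returns (matched, next_hop)."""
    dst = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), nh) for p, nh in routes
            if dst in ipaddress.ip_network(p)]
    best = max(hits, key=lambda h: h[0].prefixlen, default=None)
    return (best is not None, best[1] if best else None)

def owner(nodes, ip):
    """Name of the node holding this address, or None if nobody has it."""
    return next((n for n, v in nodes.items() if ip in v["ips"]), None)

def trace(nodes, src, dst):
    """Follow a packet from src to dst. Returns (delivered, path)."""
    here, path = owner(nodes, src), []
    for _ in range(8):  # hop limit guards against routing loops
        path.append(here)
        if dst in nodes[here]["ips"]:
            return True, path
        if len(path) > 1 and not nodes[here]["fwd"]:
            return False, path  # a host without IP routing drops transit packets
        matched, nh = lookup(nodes[here]["routes"], dst)
        nxt = owner(nodes, nh if nh else dst) if matched else None
        if nxt is None:
            return False, path  # no route, or the next hop does not exist
        here = nxt
    return False, path
```

Calling `trace(build(vpn_ip="10.10.0.117"), "10.10.0.254", "192.168.0.75")` (10.10.0.117 being a constructed DHCP-assigned address) shows the reply stopping at `corp_gw`, which is why the static address in step 3 matters even though the phone-to-exchange direction still works.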