Remote extension registers over VPN but breaks both site A and B


Office Site A - UCM6202 - GXP2170 - Sonicwall TZ600

Office Site B - no UCM - GXP2170 - Shared Sonicwall TZ600

Site A - UCM6202 functions 100% with local GXP2170 and makes outbound and receives inbound calls.
Site A - can register softphones to UCM or directly to SIP provider

Site B - GXP 2170 can not register with site A UCM and can not register directly with the sip provider over the current LAN to WAN settings.
Site B - softphones can register with SIP provider using WLAN
Site B - shares the TZ600 with another client that has a working Grandstream UCM and phones

Being new to VoIP PBX’s I did not want to risk messing up the shared clients VoIP system by making changes to the SonicWall to accommodate our remote extension. Their Grandstream UCM works 100% and they are an active busy business that I do not want to chance bringing down.

My solution was to create a site to site VPN with NAT.
Site A and Site B have overlapping LAN IP ranges adding to the complexity a little.

The VPN tunnel works and I can ping both directions site A to B and site B to A.
Site A 192.168.8.x is translated to 172.16.1.x and Site B 192.168.8.x is translated to 172.16.2.x
Site B now registers with the UCM at Site A but neither site can make a call now. I broke the system :frowning:

The packet captures indicate that Site B is attempting to register SIP calls and gets an error 401 Unauthorized from our UCM

The packet captures from Site A indicate error 401 Unauthorized from our GXP2170 to our UMC and we can not make calls.

I get lost in the packet captures and they only add to my confusion.
I am sure the NAT translation is the problem but I don’t know enough about NAT to fix it.

I know this is a super long detailed way of saying is there a document that tells you how to add a remote extension over VPN? I tried the following " " but this document does not use VPN between locations. I tried using the document before creating the VPN and that did not work either.

Newbie CVB


The first thing to consider is that if you are using a VPN, and assuming an IPSec VPN, there is no NAT between the locations. It is simply a tunnel from one subnet to another (routing).

In PBX settings, SIP setting, NAT, did you add the remote subnet to the UCM? If not, please do so (your local subnet should already be there). The issue is that the UCM does not know the other end is now considered local *due to teh VPN) and is telling the phones to use the UCM’s public IP rather than the private IP.

The 401 is a challenge and is normal. The phone needs to prove its identity to the PBX before the PBX will allow the phone to register.


I made the changes you suggested. It still is not working.The phone registers but still can not take calls. The phone web page shows it is ringing and the pcap verifies it but I’m not hearing anything from my phone when I call the remote office and my cell phone says I’m connected to the remote office.

I’m going to abandon the site to site vpn with translation to 172.16.1.x and 172.16.2.x I am using now. Looking at the pcap files it seems the routing is still getting confused. I run the UCM in switch mode if that makes any difference. I do appreciate your suggestion as I did omit the addition of the two new translated subnets so it would never had worked even if other setting where correct without those being added.

I’m going to change the remote offices IP scheme so the translation step will no longer be needed simplifying things for my troubleshooting.


You did input the local networks in the SIP, NAT settings in the UCM correct?