Provisioning over VPN

My FreePBX server is in a datacentre and I am able to connect to it and administer it just fine over an IPSEC VPN.

Is it possible to provision new handsets over the VPN or by any other remote method? I haven’t had any luck so far.

My understanding is that FreePBX discovers and configures handsets by MAC address, which is layer 2 traffic, and I’m not sure if that traffic is sent through the VPN tunnel.

Am I wasting my time looking for a method?

Any tips would be much appreciated.



OpenVPN in bridged mode will pass layer 2 traffic.

Thanks for the information, but after looking at OpenVPN I don’t think it will do what I am wanting in my scenario.

OK, to end this thread: what I am trying to do is impossible, as this thread definitively tells me:


You can’t discover phones as the discovery method uses ARP.

ARP discovery won’t work over a routing boundary so this is why End Point Manager won’t discover phones in a different subnet.

Get yourself a couple of MikroTik router boards (less than $100 each) and either of the above VPN technologies will support L2 over a L3 network!

Give it a try, very cool!

Discovering phones and provisioning them are two separate things. It is possible to provision phones over a VPN connection or on a separate subnet. The provisioning does use a MAC address but this is nothing to do with ARP. It’s to do with the protocol used for provisioning (e.g. tftp, ftp, http). For remotely provisioning phones across something like a VPN I would use http provisioning. I’ve done it and it works fine.

Just enter the http provisioning details into the phone and the phone will load the provisioning file (which is based on the MAC address of the phone), but that’s just the file name and nothing to do with layer 2 protocols.

Set up your DHCP server to send the phones the boot server (option 66) and you will not need to use discovery.

Alan - You speak blasphemy. He needs the new hardware. Extend a layer 2 tunnel and make sure all local broadcast traffic is forwarded. Multicast too if he has any. Every ARP, WHOAMI, WHOHAS etc. needlessly traversing a point to point link.

Please note that was total sarcasm, as I was shocked someone would recommend a L2 VPN as a solution. I guess inventorying MAC addresses is too hard. If you notice, they are bar coded on the phones. You can use your smart phone to scan them to a file, then bulk import the MACs to CEPM.

Exactly Scott. Use the existing L3 VPN tunnel and configure the DHCP on the local network to point the phones at the provisioning server. You will know the MAC address so just configure the extension with the MAC of the phone and BAM.

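Added example, not part of the original thread or of FreePBX: one way to turn a file of barcode-scanned MACs into a clean extension-to-MAC list before the bulk import suggested above. The sample scans, the CSV column layout, the `<mac>.cfg` file name and the starting extension 201 are assumptions; check the import format and the handset vendor's file naming before use.

```python
import csv
import io
import re

# Constructed sample: barcode scans as a phone app might save them, one per line.
SCANNED = """\
00:04:F2:AA:BB:01
0004f2aabb02
00-04-f2-aa-bb-03
0004.f2aa.bb01
0004F2AABBZZ
01:00:5E:00:00:01
"""

def normalize_mac(raw):
    """Return 12 lowercase hex digits, or None if raw is not a unicast MAC."""
    digits = re.sub(r"[:.\-]", "", raw).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    if int(digits[:2], 16) & 1:  # multicast/broadcast bit set: not a handset
        return None
    return digits

def build_import(scanned_text, first_extension):
    """Return (rows, rejected); rows are (extension, mac, config_file) tuples."""
    rows, rejected, seen = [], [], set()
    ext = first_extension
    for raw in scanned_text.split():
        mac = normalize_mac(raw)
        if mac is None or mac in seen:  # bad scan or same phone scanned twice
            rejected.append(raw)
            continue
        seen.add(mac)
        # Assumed file name pattern; the real one depends on the phone vendor.
        rows.append((ext, mac, f"{mac}.cfg"))
        ext += 1
    return rows, rejected

def to_csv(rows):
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["extension", "mac", "config_file"])  # hypothetical columns
    writer.writerows(rows)
    return out.getvalue()

if __name__ == "__main__":
    rows, rejected = build_import(SCANNED, 201)
    print(to_csv(rows), end="")
    print("rejected:", rejected)
```

Rejected entries are returned rather than silently dropped, so a mis-scanned barcode can be re-scanned before any extension is bound to the wrong handset.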

This takes me back to when we used to use DECbridges to connect networks across 64Kb leased lines so that LAT broadcasting would work over Layer 2.

You can still scan the remote subnet using EMP to get the IP and MAC of the remote phones at the other end of the VPN and map them to extensions.