Connecting Mitel phones over a VPN

[Its_Me!]

Hi folks,
I am a newbie to this forum and relatively new to the world of Mitel!
I am endeavouring to extend the reach of my company's Mitel phone system to a remote location where I had hoped to install six 'minimalist' Mitel 5201 IP phones.
I have selected this phone because they'll be in guest accommodation rooms, and thus, there is a desire for them to look as 'non-business like' as possible.
I have successfully established a VPN between a Draytek Vigor 2920 at the remote site and a Draytek Vigor 3900 at the main site where the 3300 PABX is located.
The remote LAN will be purely for these phones and no other devices.
Using a Mitel 5215 as a test phone (so that I get some feedback from its LCD display), and with options 128-130 set in the remote router's DHCP server settings; the 5215 picks up a local IP from the pool, and gets as far as displaying 'TFTP: Main', followed a short while later by 'Contacting Server'.
I have tried setting options 125 and 43 but the phone will only use 128+ from the remote site, although the very same test phone uses 125 at the main site.
Unfortunately, the Vigor 2920 has a character limit for individual DHCP options, and I am unable to input the full string for option 125 or 43.
If I set a local static IP address on the 5215 at the remote site, and specify the TFTP port, TFTP Server and ICP address of the 3300 PABX, it completes boot up, assumes the assigned extension number, and works perfectly in both directions.
The issue is, I have now learned that the 5201 handsets (and some others) are purely DHCP only?
Is there any possible way, by configuring features on one or both Draytek routers and/or the PABX i.e. by binding MAC addesses to IPs; NAT config etc, that I can operate these phones via DHCP over the VPN?
Some Draytek routers, including the 3900, have a facility to have the same subnet at either end of the VPN; using an IP translation function. I would replace the 2920 with a newer 2925 model which also has this feature if this might make it work?
The alternative of course, is to use a different handset that permits the assigmnent of a static IP address?
I am aware that my issue is more of a networking one than Mitel specific, but, I wondered if anybody else had successfuly addressed a similar requirement?
BTW, the main site has multiple VLANs including a voice VLAN with the Vigor 3900 acting as gateway for each.
DHCP for the corporate data VLAN is provided by a Windows domain controller, DHCP for the phone system is from the 3300 PABX, and DHCP for all other VLANs is provided by the Vigor 3900.
Any help/tips would be much appreciated.
Cheers

[PC77375]

What kind of network switch do you have at the remote site? What we do for some of our remote VPN sites, using IP Helper on the voice vlan to point the phones to the PBX at the main site. In the PBX, we have built subnets for each remote site with the required options. Works like a charm for us. FWIW we use HP switches, and when phones boot up LLDP puts them automatically into the voice VLAN and this is where the DHCP request is made.  Just a thought....

[Its_Me!]

PC77375 - thanks.. that's certainly food for thought. I am pretty sure that what I want to achieve is possible, but my networking/Mitel skills are not quite up to it!
The remote switch currently in place is a Zyxel ES1100P - 8 PoE ports and 8 not. It's an unmanaged switch, but I don't have a need for a separate VLAN for computers etc.
I do have a newer Zyxel GS1900-10HP PoE switch I can replace it with, which is 'web managed' and supports VLANs. I also have a number of retired HP 2510-24s (100Mb) available, so I guess that I could connect the router to the HP switch and trunk the two switches together to retain PoE?
I was uncertain whether tagged packets would propagate across the VPN? Voice VLAN ID is '11' at the main site. I will experiment with a HP switch configured with VLAN 11 at the remote site, and see what happens. If that alone doesn't produce a result, I will setup another DHCP scope for the remote location on the 3300 as you suggest.
The remote subnet is 172.16.11.0 and the router set to dish out IPs from 172.16.11.10 - 100. Do I specify the same subnet on the PABX or will this introduce routing issues?
Cheers @;o)

[Dogbreath]

In this kind of scenario, with a site-site VPN in place and a minimal number of handsets, I would just put the handsets in teleworker mode and point them at the private IP of the Mitel rather than struggling with DHCP options. Alas, if the 5201 doesn't have a screen, I don't know how you're going to achieve this [ie, you probably aren't going to].

VLAN tags are a L2 thing, the only way they could be carried across a VPN would be if it was a L2 VPN tunnel. You almost certainly want a L3 VPN - L2 tunnels are harder to get right, less widely supported and are generally only used when you really, really need to use them.

[Its_Me!]

Attempting to work around the limitatations of the 5201 handset is clearly not worth the hassle and may not even be achievable?
If I shoud ever manage it, I will publish the solution here!
I have elected to acquire some 5304s for the task. The 5201s still work fine on the 3300 PABX's local subnet so I may find a use for them?
I anticipate that the 5304s can operate in Teleworker mode, but in any event, I have already established that by assigning a static IP to the handset, I have a working solution. @;o)
Thanks for your input folks - much appreciated!

[PC77375]

DogBreath- We are not concerned about keeping the VLAN tag once it leaves the remote site. We have other traffic management solutions in place to then prioritize the traffic coming from the remote voice VLAN subnet on each end. The original dilemma was a matter of getting DHCP to work and I suggested that we use IP helper to force remote DHCP requests to the host PBX- and this all functions well for us. 

[VinceWhirlwind]

I have remote sites on VPN links. I have the PCs and phones on different VLANs, but that isn't relevant.
The phones are patched into a switch which uses LLDP to tell the phones which VLAN to use, but you can just patch the phones into an untagged VLAN and leave it at that.
The broadcast segment the phones are in contains a router which has an IP-helper (DHCP forwarder) which passes DHCP requests back over the VPN to the central DHCP server cluster. That way all DHCP scopes are managed in one place, by a proper DHCP server.
The phones get their DHCP offer which includes the Option 125 which has all the details the phone needs to get up and running.

[Its_Me!]

VinceWhirlwind - the use of static IPs on the six remote handsets will obviate the requirement to set up DHCP.
However, your response gives me optimism that the use of DHCP 'in my particular setup' may still be possible, and I would still like to know how to achieve it.
The remote Draytek router has an option to disable DHCP, and specify the IP address of a 'DHCP Relay' which, I presume, is where I would insert the IP address of the DHCP server on the 3300 PABX... effectively, fulfilling the role of 'IP Helper'?

If, having configured an additional scope (and relevant unique options) for the subnet of the remote site on the 3300's DHCP settings, without using VLANs at the remote site, how does (or could) the Mitel DHCP server determine which of the two scopes to issue an IP address from, for requests from the remote site?

I ask because it seems that I cannot rely on LLDP? Extracts from the Mitel 3300 ICP documentation states;

If you intend to rely on LLDP VLAN Discovery in the network, you must first upgrade the 3300 ICP to Release 7.0 or later and upgrade the IP Phone
firmware to version 2.0.0.18 or later.
- I believe that my Mitel PABX is running release v6.0?

LLDP-MED non-compliant telephones cannot use LLDP for VLAN discovery. They must use DHCP VLAN discovery.
- The 5201 handset that I would prefer to deploy is amongst those that are non-compliant.

Many thanks!

[Dogbreath]

ICP Release 7.0 is not the same as MCD Rel 7. You may of course be still running ICP 6, if so, you have my condolences :-)

The way an IP helper works is that it sends the listening interface's IP address in the DHCP request along with the requesting client's MAC address. The DHCP server then knows it needs to be allocating an IP out of the matching DHCP pool.

[Its_Me!]

Ah.. thanks Dogbreath... that makes perfect sense. @;o)
So, taking stock of the above responses, I believe that I am on the brink of success, but not quite there yet...
I set up a new scope on the Mitel DHCP server to reflect the remote subnet, and added a new option 125 entry assigned to the remote 'range'. (the entry being 'identical' to the existing 125 entry which is set to 'Global')
I enabled DHCP Relay to the Mitel DHCP server address within the remote router's config; enabling 'Multicast via VPN' on routers at both ends as directed by Draytek.
Plugging in a laptop at the remote site, it successfully picks up an IP address from the newly added pool; confirmed by reference to the leases on the Mitel DHCP server, and I can access the Mitel system's Web interface from the remote site @;o)
When plugging in a Mitel 5215 phone, it only boots as far as 'TFTPerr Packet Send, Resetting Phone...', reboots and loops ad infinitum.

Viewing the Mitel DHCP leases shows that the phone has got as far as being issued with an IP address from the correct pool.
As VLAN 11 is the VOIP VLAN on the main site where the 3300 PABX resides, I added VLAN=11 and l2p=6 to the new option 125.
The TFTP err no longer appears, the initial IP is released and it commences the second DHCP phase ('VLAN 11 PRI 6 6' now shown), but, only gets as far as 'DHCP Discovery: Using Option 125' and hangs.
As they share the same info, would the two option 125s be conflicting, or, will the 'Global' entry be ignored once the one specific to the remote subnet is seen by the remote request?
Will establishing a VLAN 11 at the remote site help?
I thought about adding a 'non-Global, remote subnet specific' option 3 to insert a different router address to the new subnet? However, the system wouldn't allow me to, stating that it's a DHCP reserved option.
Assuming this is what is needed, I presume it can be added to option 125? If so, what IP do I specify? The IP in the existing option 3 is that of the router\gateway for VLAN11. Does the router value within the new option 125 need to be the IP address of the router at the remote site?
Cheers

I suspect it's a routing issue but don't know where to make the change.   

[Its_Me!]

WooHoo! I have answered my own question via trial and error!!
I was able to add new option 3 (applied only to the remote subnet) by ignoring the 'Standard option' drop down list, and merely specifying ID 3.
I set the router IP value in this new option 3 to that of the remote site.
This resulted in no change in symptoms.
Leaving the new option 3 in place, I deleted the VLAN=11 and l2p=6 from the new option 125, reset the phone and Voila!
With these elements removed, and the new option 125 once again identical to the existing Global one, I deleted the new one.
All still works a treat!
Every day's a school day they say. It has been a challenging and frustrating project, but, I am richer for the experience!
Much appreciate all the feedback given and hopefully, this thread will help somebody else?

[PC77375]

Good to hear it all worked out in the end! The DHCP options are also quite tricky when using Windows DHCP servers.