Skip to main content
Hector_Miranda
Hector_Miranda
New Member
July 6, 2022
Question

IP SoftPhone via IPSec VPN

  • July 6, 2022
  • 3 replies
  • 4336 views

Hello,
I am the networks administrator in a medium-sized company in Chile. We have a core of Cisco switches, a wired network and a wireless network, in addition to two Fortinet FortiGate 100E firewalls (FortiOS version v6.0.5 build0268 (GA)) and two dedicated Internet links.
We have an Alcatel-Lucent OmniPCX PBX, with software version 3EH30556DFAA ONECL030/058.001
Until a few months ago we had four Call Center operators working within the LAN, using the IPSoftPhone v12.1.1.0 software configured in HTTPS+TFTP mode for connection to the PBX.
Now, the company has decided that those four Call Center operators work remotely from their homes. For that, connectivity via VPN was defined in an IPSec tunnel through the FortiGate firewalls. With this, the remote users can connect to the LAN via VPN, but the IPSoftPhone is not able to complete the registration in the PBX. When running the application, it tries several times to register but finally aborts due to timeout.
I made a capture of the traffic with Wireshark and verified that there are repeated attempts by the PBX to send three files via TFTP, but they fail to reach their destination.

We have two policies defined, one for ingress and one for egress traffic and have tried with NAT enabled and with NAT disabled. No success.
Any help or advice you can give me to get to the solution of this problem will be welcome.

Hector

3 replies

Anthony_E
Staff
Anthony_E
Staff
July 8, 2022

Hola Hector,

 

Thank you for using the Community Forum.

I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.

 

Regards,

Best Regards
Hector_Miranda
Hector_MirandaAuthor
New Member
July 8, 2022

I will be tremendously grateful...

    Debbie_FTNT
    Staff & Editor
    Debbie_FTNT
    Staff & Editor
    July 11, 2022

    Hey Hector,

     

    from your description, it sounds a bit as if the FortiGate IPSec may be interfering - perhaps there are fragmentation issues or something of the sort?

    I would suggest the following:

     

    - take a packet capture at both ends of the tunnel and compare what goes into the tunnel vs what comes out of it; is there any packet loss?

    - on the FortiGate, you can check if disabling the SIP session helper helps; it might interfere unexpectedly

    -> https://community.fortinet.com/t5/FortiGate/Technical-Tip-Disabling-VoIP-Inspection/ta-p/194131

    If you don't notice any obvious traffic issues, and testing various configuration with the SIP ALG/Session helper does not resolve your issue, I would suggest opening a ticket with Fortinet Technical Support for some more in-depth troubleshooting, in particular to verify if the issue is caused by FortiGate/IPSec tunnel or if something else is going on.

    MissEverly
    MissEverly
    New Member
    May 15, 2023

    Have you checked if the necessary ports for TFTP are allowed through the IPSec tunnel and firewalls? It's worth verifying the firewall rules and ensuring that TFTP traffic is permitted between the remote users and the PBX. Also, double-check the PBX's TFTP server settings and ensure they align with the remote users' configuration. If the issue persists, contacting Alcatel-Lucent support or consulting with a network specialist might provide further insights. Or you should try using a white label softphone and see how it works. Best of luck in resolving the problem!

    Terms & ConditionsAccessibility statement