Skip to main content
jompsi
jompsi
New Member
September 22, 2015
Question

VOIP doesnt work correct over IPSec

  • September 22, 2015
  • 4 replies
  • 17370 views

Hello

 

We have two offices. One is the main office and the other one is a side office. In the main office we have a FortiGate 60D and there is as well the VOIP server(Swyx). Our side office has an Edge Router Pro. These two routers have an IPSec tunnel.

 

The problem we have is, that the VOIP communication between users from the side office and users from the main office is not working. Most of the time the two users cant hear each other. The strange thing is, that sometimes it works. Its also that for exampel one user from the side office cant hear one explicit user from the main office, but if another user from the side office calls this explicit user from the main office, they can talk to each other. It is really unpredictable.

 

Here is the IPSec config from the FortiGate:

config vpn ipsec phase1-interface
    edit "SG"
        set interface "wan1"
        set nattraversal disable
        set keylife 28800
        set proposal aes256-sha512
        set dpd disable
        set dhgrp 16
        set remote-gw PUBLIC-IP
        set psksecret dfjsvdsl
    next
end
config vpn ipsec phase2-interface
    edit "SG"
        set phase1name "SG"
        set proposal aes256-sha1
        set dhgrp 16
        set keylifeseconds 3600
        set src-subnet 172.200.1.0 255.255.255.0
        set dst-subnet 172.190.1.0 255.255.255.0
    next
end

 

And here is the firewall config:

config firewall policy
    edit 17
        set uuid 05e77718-20b8-51e5-fca6-956d779eb92f
        set srcintf "SRC"
        set dstintf "IPSEC"
        set srcaddr "172....."
        set dstaddr "172....."
        set action accept
        set schedule "always"
        set service "RDP" "SMB" "ALL_ICMP" "VNC" "SIP" "Outlook Messenger LAN" "Swyx Anmeldung am Server" "DNS" "HTTPS" "HTTP" "Swyx! CallControl" "Swyx! Audio" "SSH" "iperf"
        set logtraffic all
    next
end
config firewall policy
    edit 15
        set uuid f40a56c8-20b7-51e5-a4b5-a239a77c555a
        set srcintf "IPSEC"
        set dstintf "SRC"
        set srcaddr "172....."
        set dstaddr "172....."
        set action accept
        set schedule "always"
        set service "RDP" "SMB" "ALL_ICMP" "VNC" "SIP" "Outlook Messenger LAN" "Swyx Anmeldung am Server" "DNS" "HTTPS" "HTTP" "Swyx! CallControl" "Swyx! Audio" "SSH" "iperf"
    next
end

 

Do you have any idea, where the issue could be? Do I need the Traffic Shaper and set the priority to high?

 

I have posted a similar question in the UBNT forum, where I am hoping to get some tips for the Edge router and here I am hoping to get some inputs for my FortiGate config.

 

Kind regards

Joel

    4 replies

    Jeroen
    Jeroen
    New Member
    September 24, 2015

    There are several possibilities about the problem that you gave. Here are some of the possibilities:

    [ol]
  • There is no VoIP ALG active on your firewall.
  • Priorities are wrong (not likely because it works sometimes)
  • Did you try it with a allow any rule just to exclude problems with port conflicts
  • Measure time latency over the IPsec tunnel. When the latency is to high you can get this kind of strange behavior.
  • I see that you log all traffic. What does your logging say?
  • [/ol]

    Did you do a packet capture. And what four kind of Fortigate do you use. Did you configure outbandwidth and inbandwidth on the internet interface. The same for your IPsec interface configure that with the available bandwidth of the lowest speed line.

    • jompsi
    jompsiAuthor
    New Member
    September 28, 2015

    Hi @Jeroen

     

    1. I didn't activate something special here.

    3. I tried this once with no success.

    5. In the log I see nothing special. Just a question. I look at log from the shell with the command "show log tail". How do you look at it?

     

    I assume now, that it is a VOIP problem, because from our second office I can call 3 persons from the main office with no problems but one person from the main office doesnt work.

     

    Thanks and regards

    Joel

    discoscott
    discoscott
    New Member
    September 27, 2015

    This is usually only an issue when you NAT traffic and ALG or something is interfering.

     

    Can you confirm you have the right RTP ports allowed through?

     

    If you add another rule temporarily to allow all UDP traffic each is it any better? If so, enable logging and track down the ports #s

    jompsi
    jompsiAuthor
    New Member
    September 28, 2015

    Hi @discoscott

     

    NAT is disabled in the IPSec.

     

    Yes, I can confirm that the right RTP prots are open. From the side office I can call 3 persons from the main office and one person doesn't work. I assume now, it is a VOIP problem.

     

    Kind regards

    Joel

    howardsinc
    howardsinc
    New Member
    September 28, 2015

    I have troubleshot similar issues and the below commands have helped me in the past.

     

    =================================

    config system settings   set sip-helper disable   set sip-nat-trace disable end  config voip profile  edit default  config sip  set rtp disable  end    config system session-helper  show  .  .  edit 13 set name sip set port 5060 set protocol 17 . . delete 13 end  //then apply the 'default' VOIP profile to your LAN->IPsec policy, I would also open all ports for testing // lastly reboot your fortigate

     

    ========

     

    I hope this helps

    good luck :)

    jompsi
    jompsiAuthor
    New Member
    September 29, 2015

    Morning @howardsinc

     

    Thanks a lot for your inputs. On my fortigate is nothing configured like your examples. I will have a look at this.

     

    One question, how do I set the VOIP default profile to the policy?

     

    I have only these points in my policy:

     

    Firewall / Network Options

    NAT

    Security Profiles

    AntiVirus

    Web Filter

    Application Control

    IPS

    Email Filter

    DLP Sensor

    SSL Inspection

    Traffic Shaping

    Shared Shaper

    Reverse Shaper

    Per-IP Shaper

     

    Where do I assign the VOIP default profile?

     

    It will take a while, until I can try this. I will write a feedback, but this can take up to 3 weeks. Before that, I dont have th epossibility to test this.

     

    Thanks a lot and regards

    Joel

     

    vjoshi_FTNT
    Staff
    vjoshi_FTNT
    Staff
    September 29, 2015

    Hi,

    Try the below command:

     

    config system global     set gui-voip-profile enable end

    This will enable the VOIP profile on the GUI and you should be able to select the VOIP profile on the respective Firewall policy.

     

    Terms & ConditionsAccessibility statement