odujua-gfit
New Member
March 6, 2026
Question

VoIP Paging over an IPSec tunnel

Good day.

We have two FortiGate 40Fs and an IPSec tunnel between them. No issues accessing files across the tunnel. Tunnel Policies are set to allow ALL services. The customer has a VoIP system and they utilize the paging functionality. Paging is working locally per site but will not work over the tunnel, meaning, if Site A initiates a page, all phones in Site A can hear the page but none in Site B - and vice versa. We have multicast policies between the tunnel and can see byte counts. Has anyone done this setup successfully?

Appreciate any guidance.

Thank you.

OD

5 replies

Jean-Philippe_P
Staff & Editor
March 9, 2026

Hello odujua-gfit, 

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible. 

Jean-Philippe - Fortinet Community Team
Jean-Philippe_P
Staff & Editor
March 10, 2026

Hello,

We are still looking for an answer to your question.

We will come back to you ASAP.

Jean-Philippe - Fortinet Community Team
odujua-gfit
New Member
March 10, 2026

Much appreciated!

Jean-Philippe_P
Staff & Editor
March 12, 2026

Hello odujua-gfit,

I found this solution, can you tell us if it helps, please?

To successfully set up VoIP paging over an IPsec tunnel between two FortiGate devices, you need to ensure that multicast traffic is properly configured and allowed through the tunnel. Here are some steps and considerations to help troubleshoot and resolve the issue:

Configuration Steps

  1. Verify IPsec Tunnel Configuration: Ensure that the IPsec tunnel is correctly configured with the necessary phase1 and phase2 settings. The phase2 selectors should include the multicast address range used by the VoIP system.

  2. Multicast Configuration:

    • Enable Multicast Forwarding: Ensure that multicast forwarding is enabled on both FortiGates. This can be done by setting multicast-forward to enable.
    • Disable Multicast Routing: If not using PIM, ensure that multicast-router is disabled on both FortiGates.

  3. Firewall Policies: Verify that firewall policies are correctly configured to allow multicast traffic through the IPsec tunnel. Ensure that the policies are set to accept traffic from the source to the destination subnets and vice versa.

  4. TTL Considerations: Check the Time-To-Live (TTL) value of the multicast packets. If the TTL is too low, the packets may not traverse the tunnel. Consider enabling multicast-ttl-notchange or adjusting the TTL value on the VoIP server.

  5. Address Configuration: Ensure that the multicast address (e.g., 224.0.0.0/4) is included in the firewall address definitions and that these addresses are part of the phase2 selectors.

Troubleshooting Steps

  • Monitor Traffic: Use packet capture tools on the FortiGate to monitor multicast traffic and verify that packets are being sent and received correctly across the tunnel.

  • Check Logs: Review the FortiGate logs for any dropped packets or errors related to multicast traffic.

  • Test with Different TTL: Temporarily increase the TTL value on the VoIP server to see if it resolves the issue.

Follow-ups and Clarification Questions

  • Multicast Address: What specific multicast address range is being used by the VoIP system for paging?
  • TTL Value: What is the current TTL value set on the VoIP server for multicast packets?
  • Firmware Version: What firmware version are the FortiGate devices running? This can help determine if there are any known issues or updates related to multicast over IPsec.
  • Network Diagram: Can you provide a network diagram to better understand the topology and configuration?

If these steps do not resolve the issue, further investigation into the specific configuration and network environment may be necessary.

Jean-Philippe - Fortinet Community Team
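
Added example, not part of the reply above or of any Fortinet tooling: a small Python check for steps 1, 4 and 5 that takes the raw IPv4 header of a captured paging packet and reports whether the group is covered by the phase2 destination selectors and whether the TTL survives the routed hops. The addresses, the hop count of 2 (one per FortiGate) and the selector values are constructed, and the TTL model assumes every hop decrements by 1, that is, `multicast-ttl-notchange` is not in effect.

```python
import ipaddress
import struct

MULTICAST = ipaddress.ip_network("224.0.0.0/4")

def build_ipv4_udp_header(src: str, dst: str, ttl: int) -> bytes:
    """Construct a minimal 20-byte IPv4 header (sample input, checksum left 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, ttl, 17, 0,
                       ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed)

def parse_ipv4(packet: bytes) -> dict:
    """Extract the header fields that decide whether a page crosses the tunnel."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return {"ttl": packet[8],
            "src": ipaddress.ip_address(packet[12:16]),
            "dst": ipaddress.ip_address(packet[16:20])}

def ttl_at_receiver(ttl: int, routed_hops: int) -> int:
    """TTL left on arrival; 0 means the packet is discarded in transit.
    Assumption: each routed hop decrements TTL by 1 and drops at 0."""
    return max(ttl - routed_hops, 0)

def diagnose(packet: bytes, routed_hops: int, dst_selectors: list) -> list:
    """Return findings for one captured paging packet."""
    hdr = parse_ipv4(packet)
    findings = []
    if hdr["dst"] not in MULTICAST:
        findings.append("destination is not a multicast group")
    if not any(hdr["dst"] in ipaddress.ip_network(s) for s in dst_selectors):
        findings.append("group is outside the phase2 destination selectors")
    if ttl_at_receiver(hdr["ttl"], routed_hops) == 0:
        findings.append(f"TTL {hdr['ttl']} expires within {routed_hops} routed hops")
    return findings

if __name__ == "__main__":
    # Constructed capture: a Site A phone paging group 239.1.1.1 with TTL 1
    # (the default multicast TTL on most IP stacks), two FortiGates in the path.
    page = build_ipv4_udp_header("10.1.1.50", "239.1.1.1", ttl=1)
    for finding in diagnose(page, routed_hops=2, dst_selectors=["10.2.2.0/24"]):
        print("FAIL:", finding)
```

An empty result means the packet passes all three checks; with two routed hops the sender needs a TTL of at least 3 under this model.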
odujua-gfit
New Member
March 12, 2026

Hello Jean-Philippe,

I will try this and provide feedback asap.

Thank you.

OD

odujua-gfit
New Member
March 17, 2026

Hello Jean-Philippe,

[Attached screenshot: FGT-Remote-PacketCapture-1.png]

It appears the packet captures show that traffic is passing through to the VPN tunnel. The screenshot is from the remote FortiGate. This was captured during a page test. However, the phone on the receiving end still could not hear any page.

 

Do you think setting up GRE would help?

Jean-Philippe_P
Staff & Editor
March 18, 2026

Hello odujua-gfit,

Here is the answer I found, I hope it helps:

GRE over IPsec for VoIP Paging

Setting up a GRE (Generic Routing Encapsulation) tunnel over an IPsec tunnel can potentially help with VoIP paging issues, especially if multicast traffic is involved. Here’s why and how it might be beneficial:

Benefits of GRE over IPsec:

  1. Multicast Support: GRE natively supports multicast traffic, which is often used in VoIP paging systems. This can help ensure that multicast packets are properly encapsulated and transmitted across the tunnel.

  2. Simplified Configuration: By encapsulating multicast traffic within a GRE tunnel, you might simplify the configuration needed to handle multicast over IPsec, which can sometimes be complex.

  3. Flexibility: GRE provides a flexible way to encapsulate a wide variety of network layer protocols, which can be beneficial in complex network environments.

Configuration Considerations:

  • IP Addressing: Ensure that the GRE tunnel and the IPsec tunnel have distinct IP addressing spaces. This is crucial for proper routing and encapsulation.

  • Loopback Interface: Terminate the IPsec tunnel on a loopback interface to provide a stable endpoint for the tunnel.

  • Egress Point: Configure a static route to ensure that the loopback interface has an egress point to reach the peer device.

  • Tunnel Mode: Ensure that IPsec encapsulation is configured in Tunnel Mode, as Transport Mode is not supported for this setup.

  • System Settings: Enable allow-subnet-overlap in the system settings to accommodate overlapping subnets if necessary.

Steps to Implement:

  1. Configure GRE Tunnel: Set up the GRE tunnel on both FortiGate devices, ensuring proper IP addressing and routing.

  2. Configure IPsec Tunnel: Ensure the IPsec tunnel is correctly configured to encapsulate the GRE traffic.

  3. Firewall Policies: Update firewall policies to allow GRE traffic and any associated multicast traffic.

  4. Testing: Conduct thorough testing to ensure that VoIP paging works as expected across the tunnel.

Follow-ups and Clarification Questions:

  • Have you verified that multicast traffic is correctly configured and allowed through the IPsec tunnel?
  • Is there any specific error or log entry that indicates why the paging is not working?
  • Have you considered testing with different TTL values for multicast packets?
  • Would you like detailed steps on configuring GRE over IPsec on FortiGate devices?

If you need further assistance with the configuration or troubleshooting, feel free to ask!

Jean-Philippe - Fortinet Community Team