Hassan97wsh
Staff
Article Id 424721
Description This article describes steps to allow the Wi-Fi calling service through the FortiGate.
Scope FortiGate.
Solution

Wi-Fi calling lets a mobile device send voice and SMS traffic over the internet instead of the cellular radio access network. To do this securely, the phone must first establish a persistent IPsec tunnel to the carrier's network. To prevent IPsec connections to untrusted destinations, the FortiGate should allow IKE traffic only between the client and the carrier's ePDGs (evolved Packet Data Gateways). IPsec is the standard for Wi-Fi calling; however, other services might be required for features like voicemail.

 

Based on the AT&T support article, UDP/500, UDP/4500, and TCP/143 must be allowed to the following destinations:

  • epdg.epc.att.net
  • sentitlement2.mobile.att.net
  • vvm.mobile.att.net

 

The listed ports are covered by the FortiOS built-in services IKE and IMAP. Refer to other ISPs' documentation for more information about the services and destinations they require. The firewall policy option port-preserve must be disabled to avoid session clashes, since multiple phones may use the same source port for IKE.

 

Configuration:

 

config firewall policy
    edit 1
        set name "Allow VoWiFi"
        set srcintf "port1"
        set dstintf "wan1"
        set action accept
        set srcaddr "WiFi_Subnet"
        set dstaddr "epdg.epc.att.net" "sentitlement2.mobile.att.net" "vvm.mobile.att.net"
        set schedule "always"
        set service "IKE" "IMAP"
        set nat enable
        set port-preserve disable
    next
end
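
The policy above refers to its source and destinations by address-object name, so those objects must exist before the policy can be saved. The following is an added example, not part of the original article, that defines them; the object names simply mirror the names used in the policy, and the 192.168.50.0/24 range for WiFi_Subnet is an assumed placeholder.

```fortios
# Added example: address objects referenced by the "Allow VoWiFi" policy.
config firewall address
    # Assumed placeholder range; replace with the real Wi-Fi client subnet.
    edit "WiFi_Subnet"
        set type ipmask
        set subnet 192.168.50.0 255.255.255.0
    next
    # FQDN objects for the AT&T destinations listed in the article.
    edit "epdg.epc.att.net"
        set type fqdn
        set fqdn "epdg.epc.att.net"
    next
    edit "sentitlement2.mobile.att.net"
        set type fqdn
        set fqdn "sentitlement2.mobile.att.net"
    next
    edit "vvm.mobile.att.net"
        set type fqdn
        set fqdn "vvm.mobile.att.net"
    next
end
```

The FortiGate resolves FQDN objects with its own DNS settings, so the policy matches only when the phones receive the same answers for these hostnames as the firewall does.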

 

Additional consideration:

The FortiGate's default UDP idle timer is three minutes. Reducing this value may cause the IPsec tunnel to the carrier to be torn down.

 

Related articles:

How does WIFI Calling Service (VoWIFI) wo... - Fortinet Community

AT&T Wi-Fi Calling LAN and VPN Configuration - AT&T Wireless Customer Support