darisandy
Staff
Article Id 426393
Description: This article describes how to troubleshoot a one-way SIP audio issue on a remote agent connected over an SSL VPN tunnel.
Scope: FortiGate.
Solution

Scenario:

  1. SIP-ALG is enabled:

config system settings
    set default-voip-alg-mode proxy-based
end

  2. Split Tunnel is enabled:

By default, SSL VPN uses the destination addresses of the SSL VPN firewall policies to determine the split tunnel address range, so only those destinations are routed through the tunnel.

  3. Audio traffic flows end-to-end, directly between the endpoints, without passing through the internal PBX server.

Topology:

External SIP Server (11.11.11.11) -- (22.22.22.22) FortiGate -- Internal PBX Server (192.168.0.241).

Remote Agent: 10.212.134.52 (over SSL VPN tunnel).

The SIP/RTP packet capture flow when the remote agent places an outbound call:

From PBX to FortiGate:

Internet Protocol Version 4, Src: 192.168.0.241, Dst: 11.11.11.11
User Datagram Protocol, Src Port: 5060, Dst Port: 5060
Session Initiation Protocol (INVITE)
Request-Line: INVITE sip:+123456@11.11.11.11:5060 SIP/2.0
 Message Header
 Message Body
 Session Description Protocol
  Session Description Protocol Version (v): 0
  Owner/Creator, Session Id (o): OXE 1767771150 1767771151 IN IP4 192.168.0.241
  Session Name (s): abs
  Connection Information (c): IN IP4 10.212.134.52
  Time Description, active time (t): 0 0
  Media Description, name and address (m): audio 32514 RTP/AVP 8 101
  [Generated Call-ID: 69bf6572452ce571687e9b56395dc986@22.22.22.22]


This SIP INVITE comes from the internal PBX server (192.168.0.241); its SDP connection line (c=) instructs the external SIP server to set up the audio stream directly with the remote agent (10.212.134.52).

The remote agent will listen for the RTP audio stream on port 32514, as advertised in the media line (m=).

From FortiGate to external SIP Server:

Internet Protocol Version 4, Src: 22.22.22.22, Dst: 11.11.11.11
User Datagram Protocol, Src Port: 5060, Dst Port: 5060
Session Initiation Protocol (INVITE)
Request-Line: INVITE sip:+123456@11.11.11.11:5060 SIP/2.0
 Message Header
 Message Body
 Session Description Protocol
  Session Description Protocol Version (v): 0
  Owner/Creator, Session Id (o): OXE 1767771150 1767771151 IN IP4 22.22.22.22
  Session Name (s): abs
  Connection Information (c): IN IP4 22.22.22.22
  Time Description, active time (t): 0 0
  Media Description, name and address (m): audio 47278 RTP/AVP 8 101
  [Generated Call-ID: 69bf6572452ce571687e9b56395dc986@22.22.22.22]

As SIP-ALG is enabled, FortiGate translates the SDP (Session Description Protocol) content.

In the owner line (o=), the PBX address 192.168.0.241 is replaced by the FortiGate public IP 22.22.22.22, and in the connection line (c=) the remote agent address 10.212.134.52 is likewise replaced by 22.22.22.22.

The audio port in the media line (m=) is translated as well, from 32514 to 47278, so the external SIP server is told to send RTP to 22.22.22.22 on port 47278.

From External SIP Server to FortiGate:

Internet Protocol Version 4, Src: 11.11.11.11, Dst: 22.22.22.22
User Datagram Protocol, Src Port: 5060, Dst Port: 5060
Session Initiation Protocol (200)
Status-Line: SIP/2.0 200 OK
 Message Header
 Message Body
 Session Description Protocol
  Session Description Protocol Version (v): 0
  Owner/Creator, Session Id (o): root 154540176 154540177 IN IP4 11.11.11.11
  Session Name (s): Asterisk PBX certified/13.21
  Connection Information (c): IN IP4 11.11.11.11
  Time Description, active time (t): 0 0
  Media Description, name and address (m): audio 18070 RTP/AVP 8 0 18 101
  [Generated Call-ID: 69bf6572452ce571687e9b56395dc986@22.22.22.22]

The external SIP server answers with 200 OK and will listen for RTP traffic on 11.11.11.11 port 18070.

From FortiGate to PBX:

Internet Protocol Version 4, Src: 11.11.11.11, Dst: 192.168.0.241
User Datagram Protocol, Src Port: 5060, Dst Port: 5060
Session Initiation Protocol (200)
Status-Line: SIP/2.0 200 OK
 Message Header
 Message Body
 Session Description Protocol
  Session Description Protocol Version (v): 0
  Owner/Creator, Session Id (o): root 154540176 154540177 IN IP4 11.11.11.11
  Session Name (s): Asterisk PBX certified/13.21
  Connection Information (c): IN IP4 11.11.11.11
  Time Description, active time (t): 0 0
  Media Description, name and address (m): audio 18070 RTP/AVP 8 0 18 101
  [Generated Call-ID: 69bf6572452ce571687e9b56395dc986@22.22.22.22]

FortiGate then forwards the 200 OK unchanged to the internal PBX server; the SDP in the two captures is identical.

The RTP flow from the external SIP server:

Internet Protocol Version 4, Src: 11.11.11.11, Dst: 22.22.22.22
User Datagram Protocol, Src Port: 18070, Dst Port: 47278
Real-Time Transport Protocol

Internet Protocol Version 4, Src: 11.11.11.11, Dst: 10.212.134.52
User Datagram Protocol, Src Port: 18070, Dst Port: 32514
Real-Time Transport Protocol

As negotiated, the external SIP server sends RTP from source port 18070 to the translated destination 22.22.22.22 port 47278.

FortiGate then translates the destination to the remote agent 10.212.134.52 port 32514 and forwards the stream over the SSL VPN tunnel.

In this scenario, FortiGate was not receiving any RTP traffic from the remote agent in the reverse direction.

The remote agent is expected to send RTP from source port 32514 to destination port 18070 on the external SIP server 11.11.11.11 (the port advertised in the m= line of the 200 OK).

This happens because, with split tunneling enabled, 11.11.11.11 is not part of the split tunnel address range, so the remote agent routes traffic for 11.11.11.11 through its local internet connection instead of the SSL VPN tunnel, and the RTP never reaches FortiGate.
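As an added example that is not part of the original article, the Python script below transcribes the SDP bodies from the captures above, lists which fields the SIP-ALG rewrote between the inside and outside copies of the INVITE, derives the RTP flow the remote agent must send back, and checks that destination against a split-tunnel route list to show why the return stream bypasses the tunnel until 11.11.11.11 is part of the pushed routes. The SDP values come from the article; the split-tunnel route lists are constructed for the example.

```python
"""Derive the RTP flows negotiated in a SIP/SDP exchange and check whether
the remote agent's split-tunnel routes carry the return stream into the VPN."""
import ipaddress

# SDP bodies transcribed from the article's captures. OFFER_INSIDE is the
# INVITE as seen between the PBX and FortiGate, OFFER_OUTSIDE is the same
# INVITE after SIP-ALG translation, ANSWER is the 200 OK from the SIP server.
OFFER_INSIDE = """v=0
o=OXE 1767771150 1767771151 IN IP4 192.168.0.241
s=abs
c=IN IP4 10.212.134.52
t=0 0
m=audio 32514 RTP/AVP 8 101
"""
OFFER_OUTSIDE = """v=0
o=OXE 1767771150 1767771151 IN IP4 22.22.22.22
s=abs
c=IN IP4 22.22.22.22
t=0 0
m=audio 47278 RTP/AVP 8 101
"""
ANSWER = """v=0
o=root 154540176 154540177 IN IP4 11.11.11.11
s=Asterisk PBX certified/13.21
c=IN IP4 11.11.11.11
t=0 0
m=audio 18070 RTP/AVP 8 0 18 101
"""


def parse_sdp(text):
    """Return the origin (o=) address, connection (c=) address and audio port (m=)."""
    info = {}
    for line in text.splitlines():
        if line.startswith("o="):
            info["origin"] = line.split()[-1]
        elif line.startswith("c="):
            info["connection"] = line.split()[-1]
        elif line.startswith("m=audio"):
            info["audio_port"] = int(line.split()[1])
    return info


def alg_changes(inside, outside):
    """Fields the SIP-ALG rewrote: {field: (inside value, outside value)}."""
    a, b = parse_sdp(inside), parse_sdp(outside)
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}


def expected_agent_rtp(offer_inside, answer):
    """Flow the agent must send: (src_ip, src_port, dst_ip, dst_port)."""
    o, a = parse_sdp(offer_inside), parse_sdp(answer)
    return (o["connection"], o["audio_port"], a["connection"], a["audio_port"])


def routed_via_tunnel(dst_ip, split_tunnel_routes):
    """True if dst_ip falls inside any route pushed to the SSL VPN client."""
    ip = ipaddress.ip_address(dst_ip)
    return any(ip in ipaddress.ip_network(r, strict=False) for r in split_tunnel_routes)


def diagnose(offer_inside, answer, split_tunnel_routes):
    """Explain whether the agent's RTP return stream will enter the tunnel."""
    src_ip, src_port, dst_ip, dst_port = expected_agent_rtp(offer_inside, answer)
    flow = f"RTP {src_ip}:{src_port} -> {dst_ip}:{dst_port}"
    if routed_via_tunnel(dst_ip, split_tunnel_routes):
        return f"{flow} enters the tunnel"
    return (f"{flow} bypasses the tunnel: {dst_ip} is not in the "
            f"split-tunnel routes {split_tunnel_routes}")


if __name__ == "__main__":
    print("SIP-ALG rewrote:", alg_changes(OFFER_INSIDE, OFFER_OUTSIDE))
    # Constructed route lists: before the fix only the LAN is pushed to the
    # client; after the fix the SIP server host route is pushed as well.
    print(diagnose(OFFER_INSIDE, ANSWER, ["192.168.0.0/24"]))
    print(diagnose(OFFER_INSIDE, ANSWER, ["192.168.0.0/24", "11.11.11.11/32"]))
```

The same check can be run against any INVITE/200 OK pair taken from a FortiGate or PBX capture together with the route table shown on the agent after the SSL VPN client connects; if the derived destination is outside every pushed route, the symptom will be one-way audio regardless of the ALG translation.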

The solution is to add a firewall policy allowing traffic from the SSL VPN IP pool range to 11.11.11.11.

Because the split tunnel range is derived from the destination addresses of the SSL VPN policies, adding this policy installs a route for 11.11.11.11 on the remote agent machine, so its RTP traffic is routed through the SSL VPN tunnel and reaches the external SIP server via FortiGate.
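As an added example that is not part of the original article, the FortiOS CLI below creates an address object for the external SIP server and the firewall policy described above. The interface names (ssl.root, wan1), the address and policy names, the tunnel address object SSLVPN_TUNNEL_ADDR1 and the user group sslvpn_group are placeholders to be replaced with the values in use on the unit; edit 0 lets FortiOS assign the next free policy ID, and source NAT is enabled on the assumption that the agent's RTP must leave toward the Internet from the FortiGate public address.

```fortios
config firewall address
    edit "External_SIP_Server"
        set subnet 11.11.11.11 255.255.255.255
    next
end

config firewall policy
    edit 0
        set name "SSLVPN_to_External_SIP"
        set srcintf "ssl.root"
        set dstintf "wan1"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "External_SIP_Server"
        set groups "sslvpn_group"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

After the policy is in place, reconnect the SSL VPN client and confirm that a route for 11.11.11.11 now appears in the agent's routing table. On the FortiGate, a sniffer capture on the tunnel interface filtered on the SIP server address (diagnose sniffer packet ssl.root 'host 11.11.11.11 and udp' 4 0 l) should now show RTP arriving from the agent's tunnel address, which was absent in the capture described above.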