ewhiteway
New Contributor

Fortivoice with Twilio - quick guide

I just got my FV 6.4.0 working with Twilio sip trunks - was not easy so I thought I'd post the details here before I forget them:

 

Few notes: 

1. Twilio treats a SIP trunk in and out as 2 separate items - takes a bit to get used to.

2. Twilio is very strict on number format (+1xxxxxxxx)

3. Demo accounts are not allowed to call from or to numbers that are not added to the system (real pain for testing - just pay the $20 to make the account real)

4. There is a debug section of the website that shows you any calling errors

 

 

My basic setup steps: (from memory  - please post updates and we can get this to a real instruction set)

 

1. Set up Twilio account - load $20 of real money (demo account has too many restrictions)

2. Set up Twilio SIP trunk (in Twilio web site) - you'll get a URL: yourname.pstn.twilio.com

3. Add new SIP trunk in FV - SIP server is the URL above, name a username and password up (put name in both user and Auth).

4. sip_trunk_default worked for me

5. Caller ID option - for testing use specified +1area+number (Twilio only accepts +1 format)

6. Standard reg and no outbound proxy

7. In Twilio, set up origination - the URI should be sip:username:password@IP:port - the username and PW are from your FV SIP trunk

8. You should now be able to make a test call in.

9. Note numbers come in as 1area_number - so make sure your DID routing includes the 1

 

 

 

nosinski
New Contributor

Is this still working for you? I have set it up and it works 100% of the time for outgoing. Incoming is a problem. On the Twilio origination page the "Make a test call" works but calling the number from any other phone to the trunk phone number does not. I have a ticket open with support but after a few back and forths we are still working on it.

ewhiteway

I got it to work, but went with voip.ms as they are more standard, and easier to secure.

 

If your firewall is locked down, it could be blocking an inbound call from an IP that is not already connected.

 

You can also do a PCAP at the phone system and see if the call is even making it to your system.

 

I'm doing some testing with FortiGate ALG and FortiVoice - so far trunks are working (sherweb and voip.ms) - but phones are not. I was thinking of testing with my Twilio account too. If I get some time, I'll put in the test tomorrow.

ewhiteway

I just added Twilio to my test system.

 

It's working fine on my test system (calling in and out).

 

Check your FV that you have an inbound rule for that trunk and it takes the +1 format. (I set up a default route for testing)

nosinski

Trunk -> VoIP -> Sip

-Enabled: Yes

-Name: Twilio

-Display Name: <insert company name>

-Main Number: <Twilio # Here +1XXXXXXXXXX>

-SECTION Sip Setting

--Sip server: <your sip subdomain>.pstn.twilio.com

--Sip port: 5060

--Using SRV record: No

--Username: <Twilio Sip Credential Username>

--Password: <Twilio Sip Credential Password>

--Auth. User name: <Twilio Sip Credential Username>

--Realm/Domain: <your sip subdomain>.pstn.twilio.com

--Sip settings: sip_trunk_default

--Max channel: 8, Overflow check: No

--Max outgoing channel: 0

--User=Phone in SIP URI: No

--Inband ringtone (Early media): No

--SECTION Caller ID Option

---From header: Specified, <Twilio # Here +1XXXXXXXXXX>

---P-Asserted-Identity header: No PAI header

--SECTION Registration

---Type: Standard

---Registration interval: 10

--Outbound Proxy: No

-SECTION Fax

--Automatic fax detection: No

-SECTION Phone Number

--Phone Number List: Non specified

 

For testing I have created an outbound dialing rule where you dial 81<XXXXXXXXXX> to dial out using the Twilio SIP trunk.

Call Routing -> Outbound

-Name: outgoing_twilio_test

-Emergency Call: No

-Caller ID Match: <Empty>

-SECTION Dialed Number Match

--Match Pattern: 81NX.

--Strip: 1

--Prefix: +

--Postfix: <Empty>

-SECTION Call Handling

--Schedule: any_time

--Trunk: twilio

--Caller ID modification: <Empty>

--Warning Message: <Empty>

--Account Code: <Empty>

 

Outgoing works 100% of the time.

 

For incoming I just added Twilio to the incoming default. All calls go to the auto attendant.

Call Routing -> Inbound

-Name: incoming_default

-From Trunk: Twilio

-Dialed Number Match: <Empty>

-Caller ID Match: <Empty>

-Caller ID Modification: <Empty>

-SECTION Call Handling

--Schedule: any_time

--Action: Auto Attendant

--Target: auto_attendant_default

 

On the Twilio side:

General Page

-Call Recording: Disabled

-Secure Trunking: Disabled

-Call Transfer: Disabled

-Symmetric RTP: Disabled

Origination URIs Page

-Origination URIs: sip:<Twilio Sip Credential Username>:<Twilio Sip Credential Password>@<Public Phone System Ip>:5060

--Priority: 10

--Weight: 10

--Enabled: Yes

-CNAM Lookup: No

-Disaster Recovery: <Empty>

If I use the test call button on the origination page the incoming call works 100% of the time. If I call the Twilio number from a phone it fails 100% of the time. On the Twilio pcap, the working one from clicking the test button shows the request coming in and getting a status 100 response, and it keeps going. The failed request from calling the number from a phone shows the incoming request and a response of 401 Unauthorized. I am seeing the same on the FortiVoice side but I am not sure what exact part of the request is causing the denial.

 

The only thing support has had me do so far is go to Security -> Intrusion Detection and add exempt IPs for Twilio IP ranges. I have the intrusion detection disabled so I don't think this is the issue.

 

When you say incoming is working, it is working by dialing from an outside phone? If so can you review my settings and see if any differences are noticed?

jwsi
New Contributor

I had the exact same behaviour as you and I'm pleased to report that I found a way to fix this. Twilio only uses authentication when terminating calls and you have to treat origination and termination as two separate entities when working with Twilio. Furthermore, the presence of a 401 Unauthorised message basically alerts Twilio to give up. So the FortiVoice needs to be configured to blindly accept any incoming calls from Twilio's SIP signalling IP ranges.

 

In order to do this you need to set up 4 or more "Office Peers" on FortiVoice for the region you call from based on the relevant Twilio Signalling IPs. Simply create a new custom office peer, set auth to disabled and ensure that the IP is one from the signalling IP range in Twilio. Unfortunately on FortiVoice you can't enter CIDR ranges so you have to go through all IPs sequentially (which means up to 32 peers if you want to receive calls from all Twilio regions).

 

Once this is done, set your inbound call routing rule to use all of the Office Peers you set up. Once this is done, inbound calls should work :)

 

Hope this helps!

 

James.
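
An added example (not part of the thread, and not Fortinet or Twilio code) of the per-IP enumeration described in the post above: it expands signalling CIDR blocks into one peer entry per address and sorts the sources of 401-rejected INVITEs from a capture by whether a peer exists for them. The CIDR ranges, peer names and capture line layout are constructed placeholders; use the ranges Twilio publishes for your region.

```python
import ipaddress
import re

# Constructed placeholder ranges (RFC 5737 documentation space); substitute the
# signalling ranges Twilio publishes for your region.
SIGNALLING_CIDRS = ["192.0.2.0/30", "198.51.100.4/30", "192.0.2.0/30"]

# Constructed capture summary; this one-line-per-request layout is hypothetical.
CAPTURE = """\
src=192.0.2.1 method=INVITE status=100
src=198.51.100.6 method=INVITE status=401
src=203.0.113.50 method=INVITE status=401
"""

MAX_BLOCK = 64  # each peer accepts calls without auth, so refuse wide ranges


def expand_peers(cidrs, prefix="twilio_sig"):
    """Return [(peer_name, ip)], one entry per address, duplicates removed."""
    addrs = set()
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=True)  # rejects stray host bits
        if net.num_addresses > MAX_BLOCK:
            raise ValueError(f"{cidr} is too wide for a no-auth allowlist")
        # Iterate the whole block: .hosts() would drop the first and last
        # address of a /30, leaving two of its four IPs without a peer.
        addrs.update(net)
    return [(f"{prefix}_{i:02d}", str(ip))
            for i, ip in enumerate(sorted(addrs), 1)]


def classify_rejections(capture_text, peers):
    """Sort the sources of 401'd INVITEs by whether a peer exists for them."""
    allowed = {ip for _, ip in peers}
    result = {"has_peer": [], "no_peer": []}
    for m in re.finditer(r"src=(\S+) method=INVITE status=401", capture_text):
        key = "has_peer" if m.group(1) in allowed else "no_peer"
        result[key].append(m.group(1))
    return result


if __name__ == "__main__":
    peers = expand_peers(SIGNALLING_CIDRS)
    for name, ip in peers:
        print(f"{name}\t{ip}")
    print(classify_rejections(CAPTURE, peers))
```

A 401 for a source under `has_peer` points at a peer that was not created or not attached to the inbound rule; a source under `no_peer` is outside the listed ranges and keeps being challenged.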
