Not applicable

Panasonic voip over Fortinet VPN

Hi, this forum has been very useful for me in the past but this is my first post as I am at my wit's end!

I have a hub and spoke setup to a Fortigate 80CM and all VPNs are working fine. However, I am having trouble getting a Panasonic IP phone to connect to the office PBX (KX-TDA200) over one of the tunnels. The phone works fine on the main office LAN. Take it to the remote site and change its IP and I get a 'bad lan' message on the phone. The PBX, though, sees the phone's new IP but reports a faulty connection. Pings work both ways and the latency is excellent (around 35ms).

Is there some mystic trick that I need to learn here please?

Going bald and losing sleep,
Terry
Carl_Wallmark
Valued Contributor

You might want to disable sip session helper and sip trace. Take a look at this: http://docs.fortinet.com/fgt/handbook/fortigate-voip-sip-40-mr2.pdf

FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C

Not applicable

Hi, many thanks for the quick response. I have disabled sip-helper and sip-nat-trace at both ends of the tunnel but still no luck. The Panasonic uses G711 and I can see sessions between the PBX and the handset on 9000/9001 but they just won't play! I can de-register the handset and then register it to the PBX but just can't get the handset online.

Thanks again,
Terry
ede_pfau
SuperUser

Hi, it seems that NAT can be a problem with SIP if SIP is UDP based. The TCP based SIP would not exhibit these difficulties. I am not experienced with SIP but maybe you can benefit from this publication: http://csrc.nist.gov/publications/nistpubs/800-58/SP800-58-final.pdf, esp. pg. 50+.

Also, other ports than those you mentioned are associated with RTP, namely 5060 and others.
Ede Kernel panic: Aiee, killing interrupt handler!
rocampo
New Contributor

You might want to look at this: http://www.voicesonic.com/panasonic/manuals/KX-TDAxx/KX-TDA50_100_200_600_IP_Telephone_Guide.pdf, page 6-7.

Interesting is that even if the phone is on the remote office you need to input the VLAN ID of the local office. VPN over internet is not recommended according to the document. The 35ms might not be fast enough :)
ede_pfau
SuperUser

Well, after reading a bit in the Panasonic Guide, I correct myself. The voice traffic is indeed using RTP over UDP, in your setup encapsulated in ESP/AH VPN packets. I don't think NAT is an issue here because the payload will never be exposed to NAT.

What is your setup regarding VLANs? VLAN tagged traffic will be untagged by the firewall ONLY if incoming to a VLAN interface. As VoIP traffic doesn't need to be on a tagged VLAN you might circumvent this. What a hassle...
Ede Kernel panic: Aiee, killing interrupt handler!
ede_pfau
SuperUser

Of course, I guess the phones use static IPs... or did you set up DHCP over IPSec?
Ede Kernel panic: Aiee, killing interrupt handler!
Not applicable

Thanks to everyone, what a warm welcome to the forum. I have read all the links, thanks, some of them I had already pored over for many nights this month!

The setup is as follows:

Office with PBX 192.168.1.0/24
PBX 192.168.1.5 (no option to set gateway)
ipsec vpn to remote (Int mode on both Fortigates with static routes)
Remote 192.168.200.0/24
Phone 192.168.200.6/255.255.255.0

Pings go both ways and the maintenance channel on ports 9000/9001 is up. I can deregister the handset and reregister easily. VLAN is disabled on the handset as we don't have managed switches in the office, and before shipping I confirmed that the handset works perfectly on the Office LAN.

I would add that although I know the guide says it shouldn't work on the internet, we have 4 other remote offices with the exact same setup and it works a treat. They link to another US office with a Fortigate. I have duplicated the setups as much as I can but cannot get it to work.

Despite all your kind suggestions I feel the time coming to call in the guys who set up our US operation. I was hopeful that someone would pop up and say 'Hey, you've missed XXXXX'. If I get a solution I will share right here.