We have two offices. One is the main office and the other one is a side office. In the main office we have a FortiGate 60D and there is as well the VOIP server(Swyx). Our side office has an Edge Router Pro. These two routers have an IPSec tunnel.
The problem we have is, that the VOIP communication between users from the side office and users from the main office is not working. Most of the time the two users cant hear each other. The strange thing is, that sometimes it works. Its also that for exampel one user from the side office cant hear one explicit user from the main office, but if another user from the side office calls this explicit user from the main office, they can talk to each other. It is really unpredictable.
Here is the IPSec config from the FortiGate:
config vpn ipsec phase1-interface edit "SG" set interface "wan1" set nattraversal disable set keylife 28800 set proposal aes256-sha512 set dpd disable set dhgrp 16 set remote-gw PUBLIC-IP set psksecret dfjsvdsl next end config vpn ipsec phase2-interface edit "SG" set phase1name "SG" set proposal aes256-sha1 set dhgrp 16 set keylifeseconds 3600 set src-subnet 18.104.22.168 255.255.255.0 set dst-subnet 22.214.171.124 255.255.255.0 next end
And here is the firewall config:
config firewall policy edit 17 set uuid 05e77718-20b8-51e5-fca6-956d779eb92f set srcintf "SRC" set dstintf "IPSEC" set srcaddr "172....." set dstaddr "172....." set action accept set schedule "always" set service "RDP" "SMB" "ALL_ICMP" "VNC" "SIP" "Outlook Messenger LAN" "Swyx Anmeldung am Server" "DNS" "HTTPS" "HTTP" "Swyx! CallControl" "Swyx! Audio" "SSH" "iperf" set logtraffic all next end config firewall policy edit 15 set uuid f40a56c8-20b7-51e5-a4b5-a239a77c555a set srcintf "IPSEC" set dstintf "SRC" set srcaddr "172....." set dstaddr "172....." set action accept set schedule "always" set service "RDP" "SMB" "ALL_ICMP" "VNC" "SIP" "Outlook Messenger LAN" "Swyx Anmeldung am Server" "DNS" "HTTPS" "HTTP" "Swyx! CallControl" "Swyx! Audio" "SSH" "iperf" next end
Do you have any idea, where the issue could be? Do I need the Traffic Shaper and set the priority to high?
I have posted a similar question in the UBNT forum, where I am hoping to get some tips for the Edge router and here I am hoping to get some inputs for my FortiGate config.
There are several possibilities about the problem that you gave. Here are some of the possibilities:
There is no VoIP ALG active on your firewall.
Priorities are wrong (not likely because it works sometimes)
Did you try it with a allow any rule just to exclude problems with port conflicts
Measure time latency over the IPsec tunnel. When the latency is to high you can get this kind of strange behavior.
I see that you log all traffic. What does your logging say?
Did you do a packet capture. And what four kind of Fortigate do you use. Did you configure outbandwidth and inbandwidth on the internet interface. The same for your IPsec interface configure that with the available bandwidth of the lowest speed line.
I have troubleshot similar issues and the below commands have helped me in the past.
config system settings
set sip-helper disable
set sip-nat-trace disable
config voip profile
set rtp disable
config system session-helper
set name sip
set port 5060
set protocol 17
//then apply the 'default' VOIP profile to your LAN->IPsec policy, I would also open all ports for testing // lastly reboot your fortigate
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.