Hello
We have two offices. One is the main office and the other one is a side office. In the main office we have a FortiGate 60D, and the VOIP server (Swyx) is there as well. Our side office has an EdgeRouter Pro. These two routers have an IPSec tunnel.
The problem we have is that the VOIP communication between users from the side office and users from the main office is not working. Most of the time the two users can't hear each other. The strange thing is that sometimes it works. It's also the case that, for example, one user from the side office can't hear one specific user from the main office, but if another user from the side office calls this same user from the main office, they can talk to each other. It is really unpredictable.
Here is the IPSec config from the FortiGate:
config vpn ipsec phase1-interface
    edit "SG"
        set interface "wan1"
        set nattraversal disable
        set keylife 28800
        set proposal aes256-sha512
        set dpd disable
        set dhgrp 16
        set remote-gw PUBLIC-IP
        set psksecret dfjsvdsl
    next
end
config vpn ipsec phase2-interface
    edit "SG"
        set phase1name "SG"
        set proposal aes256-sha1
        set dhgrp 16
        set keylifeseconds 3600
        set src-subnet 172.200.1.0 255.255.255.0
        set dst-subnet 172.190.1.0 255.255.255.0
    next
end
And here is the firewall config:
config firewall policy
    edit 17
        set uuid 05e77718-20b8-51e5-fca6-956d779eb92f
        set srcintf "SRC"
        set dstintf "IPSEC"
        set srcaddr "172....."
        set dstaddr "172....."
        set action accept
        set schedule "always"
        set service "RDP" "SMB" "ALL_ICMP" "VNC" "SIP" "Outlook Messenger LAN" "Swyx Anmeldung am Server" "DNS" "HTTPS" "HTTP" "Swyx! CallControl" "Swyx! Audio" "SSH" "iperf"
        set logtraffic all
    next
end
config firewall policy
    edit 15
        set uuid f40a56c8-20b7-51e5-a4b5-a239a77c555a
        set srcintf "IPSEC"
        set dstintf "SRC"
        set srcaddr "172....."
        set dstaddr "172....."
        set action accept
        set schedule "always"
        set service "RDP" "SMB" "ALL_ICMP" "VNC" "SIP" "Outlook Messenger LAN" "Swyx Anmeldung am Server" "DNS" "HTTPS" "HTTP" "Swyx! CallControl" "Swyx! Audio" "SSH" "iperf"
    next
end
Do you have any idea where the issue could be? Do I need the Traffic Shaper and set the priority to high?
I have posted a similar question in the UBNT forum, where I am hoping to get some tips for the EdgeRouter, and here I am hoping to get some input on my FortiGate config.
Kind regards
Joel
There are several possibilities about the problem that you gave. Here are some of the possibilities:
1. Did you do a packet capture?
2. And what kind of FortiGate do you use?
3. Did you configure outbandwidth and inbandwidth on the internet interface?
4. The same for your IPsec interface: configure that with the available bandwidth of the lowest-speed line.
Hi @Jeroen
1. I didn't activate something special here.
3. I tried this once with no success.
5. In the log I see nothing special. Just a question: I look at the log from the shell with the command "show log tail". How do you look at it?
I assume now that it is a VOIP problem, because from our second office I can call 3 people from the main office with no problems, but one person from the main office doesn't work.
Thanks and regards
Joel
This is usually only an issue when you NAT traffic and ALG or something is interfering.
Can you confirm you have the right RTP ports allowed through?
If you temporarily add another rule to allow all UDP traffic, is it any better? If so, enable logging and track down the port numbers.
Hi @discoscott
NAT is disabled in the IPSec.
Yes, I can confirm that the right RTP ports are open. From the side office I can call 3 people from the main office and one person doesn't work. I assume now it is a VOIP problem.
Kind regards
Joel
I have troubleshot similar issues, and the commands below have helped me in the past.
=================================
config system settings
    set sip-helper disable
    set sip-nat-trace disable
end
config voip profile
    edit default
        config sip
            set rtp disable
        end
    next
end
config system session-helper
    show
    . .
    edit 13
        set name sip
        set port 5060
        set protocol 17
    . .
    delete 13
end
// then apply the 'default' VOIP profile to your LAN->IPsec policy, I would also open all ports for testing
// lastly reboot your fortigate
========
I hope this helps
good luck :)
JNCIA, CCNP R/S, NSE4 , NSE7, Associate of (ISC)²
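As an added example (not code from this thread or from Fortinet): a small Python checker that parses FortiGate CLI text in the shape of the reply above and reports which SIP ALG pieces are still active, taking the session-helper id from the table itself instead of assuming it is 13. The sample config is constructed, and the parser only handles flat (non-nested) config blocks.

```python
# Constructed FortiGate-CLI sample (assumed, not the thread's output); the sip helper id differs per unit.
SAMPLE_CONFIG = """\
config system settings
    set sip-helper enable
    set sip-nat-trace enable
end
config system session-helper
    edit 13
        set name sip
        set port 5060
        set protocol 17
    next
end
"""

def parse_blocks(text):
    """Parse flat 'config <table>' blocks into {table: {'set': {...}, 'entries': {id: {...}}}}."""
    tables, table, entry = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            table, entry = line[7:], None
            tables[table] = {"set": {}, "entries": {}}
        elif line.startswith("edit ") and table:
            entry = line[5:].strip('"')
            tables[table]["entries"][entry] = {}
        elif line.startswith("set ") and table:
            key, _, value = line[4:].partition(" ")
            (tables[table]["entries"][entry] if entry else tables[table]["set"])[key] = value.strip('"')
        elif line == "next":
            entry = None
        elif line == "end":
            table, entry = None, None
    return tables

def sip_helper_ids(tables):
    """Ids of session-helper entries that handle SIP (named sip, or UDP/5060)."""
    entries = tables.get("system session-helper", {}).get("entries", {})
    return [i for i, e in entries.items()
            if e.get("name") == "sip" or (e.get("port"), e.get("protocol")) == ("5060", "17")]

def alg_findings(text):
    """SIP-ALG pieces still active in the config, each with the CLI step that removes it."""
    tables = parse_blocks(text)
    settings = tables.get("system settings", {}).get("set", {})
    findings = [f"config system settings -> set {k} disable"
                for k in ("sip-helper", "sip-nat-trace")
                if settings.get(k, "enable") != "disable"]  # absent: assume still enabled
    findings += [f"config system session-helper -> delete {i}" for i in sip_helper_ids(tables)]
    return findings
```

Feed it the output of `show system settings` and `show system session-helper` pasted together; an empty result means the three steps from the reply are already applied.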
Morning @howardsinc
Thanks a lot for your input. Nothing like your examples is configured on my FortiGate. I will have a look at this.
One question, how do I set the VOIP default profile to the policy?
I have only these points in my policy:
Firewall / Network Options
    NAT
Security Profiles
    AntiVirus
    Web Filter
    Application Control
    IPS
    Email Filter
    DLP Sensor
    SSL Inspection
Traffic Shaping
    Shared Shaper
    Reverse Shaper
    Per-IP Shaper
Where do I assign the VOIP default profile?
It will take a while until I can try this. I will write feedback, but this can take up to 3 weeks. Before that, I don't have the possibility to test this.
Thanks a lot and regards
Joel
Hi,
Try the below command:
config system global
    set gui-voip-profile enable
end
This will enable the VOIP profile in the GUI, and you should then be able to select the VOIP profile on the respective firewall policy.