Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
ncaridi
New Contributor

Created on ‎09-08-2016 08:18 AM

VOIP over IPSEC

Hello 

I'm running site to site vpn with 2 fgt. 90d -> 60c 

we're occasionally experiencing bad line quality .

from reading online I understand that the IPSEC has different configurations affecting the overhead used due to encryption etc etc. 

 

Is there a recommended setting for IPSEC tunnel being used for voice only ? 

 

Thank you ,

 

NC.

 

7500
0 Kudos
3 REPLIES 3
emnoc
Esteemed Contributor III

Created on ‎09-08-2016 08:25 AM

Your overhead with IPSEC is not going to make a difference. The traffic egressing the firewall and prioritization of traffic both via the WAN and tunnel-interface is going to be the issue.

 

let's step back and collect data/statistics

 

1: Are you seeing any  high plos or jitter

 

2: have you captured any RTP streams for analysis 

 

3: is the problem one-way or two-way

 

4: Do you have other traffic over the tunnel

 

5: have you tried and traffic QoS guanrantee with bw guarantee ( disc tagging is useless over the internet btw )

 

6: have you graph monitor both WAN uplink and tunnel utilization % and are your high  ploss/jitter during periods of high utilization

 

Ken

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
2783
0 Kudos
ncaridi
New Contributor
In response to emnoc

Created on ‎09-08-2016 03:02 PM

Hi , 

Thank you for your fast reply. 

 

1. what is plos ? 

I'll try to use tcpdump + callstats to figure out the jitter and capture some rtp streams. 

 

3. usually the problem is one way e.g. 90d expriences bad call quality but the 60c hears fine. 

maybe 60c isn't pushing fast enough and usually when more then 3 persons on the phone on the 60c side. 

 

4. 90d has data + voice with traffic shaping .

60c handles only voice.

 

5. 90d traffic shaping .

60c is handling voice only so I figured theres no point,

altough I'm using QOS on switch level now to prioritize the voip traffic.

 

6. could you kindly explain how to go about this ? 

 

Thank you kindly.

 

NC.

 

2783
0 Kudos
emnoc
Esteemed Contributor III
In response to ncaridi

Created on ‎09-08-2016 07:30 PM

 

1. what is plos ?  I'll try to use tcpdump + callstats to figure out the jitter and capture some rtp streams. 

 

 

plos  = packet lost

 

3. usually the problem is one way e.g. 90d expriences bad call quality but the 60c hears fine.  maybe 60c isn't pushing fast enough and usually when more then 3 persons on the phone on the 60c side.   

 

 

could be anything from  bad paths, no scheduler for EF tagged voice packets, interface drops,etc...

 

6. could you kindly explain how to go about this ?   

 

tshark/wireshark with the telephony analysis would be a start,

 

use the dig command to look for interface related issues on both firewalls & all interfaces that VoIP packets crosses

 

e.g

 

diag hardware  deviceinfo  nic wan1 | grep Error

diag hardware  deviceinfo  nic wan1 | grep Dropp

 

set a link monitor to monitor the path from FGT90<---> 60 would be a start.

 

 

ensure you have no duplex issues

 

ken

 

 

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
2783
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.