bfakhriddi
New Contributor

ssl vpn and voice over ip

Hello,

I have users trying to use a SIP softphone remotely. When the SSL VPN is not connected their calls connect and there is no audio problem, BUT when the SSL VPN is connected there is no audio between caller and callee. I found that SSL VPN by default uses TCP but audio uses UDP. Is there a way to make the SSL VPN allow and route UDP also?

Toshi_Esumi
SuperUser

No distinction between TCP or UDP for traffic the VPN itself handles. If it's split-tunnel set up, you must have configured L3 routing with some subnets routed into the tunnel while others follow the local default route. The question is what the destination/server IP(s) for the VoIP service are and where they're routed to when the tunnel is up. If it's coming into the tunnel, it's likely the server/FGT side causing the problem that you need to troubleshoot.

bfakhriddi

Thank you for the response. It's not split tunnel in our case. The SIP server is in the public network of the service provider, so remote users have its public IP to register on their X-Lite.

I found that SIP ALG is not disabled on the FortiGate, but I'm not sure if disabling it would solve the problem...

Any ideas how to troubleshoot next?

Thank you

Toshi_Esumi

If the local public IP is the registered IP at the VoIP server side, and if it's the only IP that would work, then if the traffic is routed through the VPN server/FGT it obviously wouldn't work, because the server side sees the FGT's outside/public IP as the source of the traffic. For that case "split-tunneling-routing-negate" seems to be the solution. I haven't tried it (didn't have to so far) though.

https://forum.fortinet.com/tm.aspx?m=190576

bfakhriddi
New Contributor

I thought the FGT would do stateful NAT from internal IP:port (in my case from the SSL VPN subnet) to external IP:port (of the FGT), and this should keep the session up and the audio traffic flowing too. But it's not working.

Toshi_Esumi

We often refer to VPNs as tunnels because both sides can exchange packets with internal IPs without referring to the public/outside IP of the tunnel. You must have configured a private subnet for SSL VPN, or by default 10.212.something, I don't remember. That's the source IP from the client for all traffic including VoIP. No public IP is attached to the packets when they come in to the FGT. You can sniff them to see.

bfakhriddi

[user with vpn and phone] ---[vpn_with_private_ip:port#-----fortigate---NAT---public_ip:port#]---[Internet]--SIP Phone server

So NAT in the FGT should keep the NAT session open between private_ip:port and public_ip:port, in my case for voice calls also, even if they go to the public Internet.

It's like this: I am connected to the SSL VPN right now and can still browse the Internet (Google, MSN, Amazon) with my company IP. Here the FGT NAT can keep my session open and send and receive for me for HTTP and HTTPS properly, BUT when it comes to voice it can't.
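One reason stateful NAT carries HTTP but not the audio, as an added illustration that is not part of the thread: SIP signalling reaches the server fine through NAT, but the softphone also writes its own address into the SDP body, and that is where the far end sends RTP. If the address advertised there is the private SSL VPN tunnel IP, the audio has no reachable destination unless a SIP ALG rewrites it. The check below parses a constructed INVITE (the tunnel address and server name are made up for the example) and flags media endpoints that are private.

```python
import ipaddress

# Constructed sample INVITE, as a softphone inside the SSL VPN tunnel would
# emit it; 10.212.134.200 and sip.example.net are made up for this example.
SAMPLE_INVITE = (
    "INVITE sip:2001@sip.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.212.134.200:5060;branch=z9hG4bK776asdhds\r\n"
    "Contact: <sip:1001@10.212.134.200:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=- 53655765 2353687637 IN IP4 10.212.134.200\r\n"
    "s=-\r\n"
    "c=IN IP4 10.212.134.200\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0 8 101\r\n"
)


def split_sip(message: str):
    """Return (headers dict keyed by lower-case name, body) of a SIP message."""
    head, _, body = message.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def media_endpoints(message: str):
    """List (ip, port, is_private) for each m= line in the SDP body.

    The c= line gives the address the far end will send RTP to; a
    media-level c= after an m= line overrides the session-level one."""
    headers, body = split_sip(message)
    if headers.get("content-type", "") != "application/sdp":
        return []
    conn_ip, results = None, []
    for line in body.split("\r\n"):
        if line.startswith("c=IN IP4 "):
            conn_ip = line.split()[-1]
            if results and results[-1][0] is None:  # media-level c=
                port, _ = results[-1][1], results.pop()
                results.append((conn_ip, port, ipaddress.ip_address(conn_ip).is_private))
        elif line.startswith("m="):
            port = int(line.split()[1])
            priv = ipaddress.ip_address(conn_ip).is_private if conn_ip else None
            results.append((conn_ip, port, priv))
    return results


def advertises_private_media(message: str) -> bool:
    """True when any SDP media endpoint is RFC 1918 space (unreachable from a public SIP server)."""
    return any(priv for _, _, priv in media_endpoints(message))
```

Run against a capture taken on the FGT's outside interface, a private address still present in c= after NAT means the ALG is not rewriting the SDP, while a public address there points the troubleshooting at the server side instead.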
