I have users trying to use a SIP softphone remotely. When the SSL VPN is not connected, their calls connect and there is no audio problem, BUT when the SSL VPN is connected there is no audio between callers and callee. I found that SSL VPN by default uses TCP but audio uses UDP. Is there a way to push SSL VPN to allow and route UDP also?
No distinction between TCP or UDP for traffic the VPN itself handles. If it's a split-tunnel setup, you must have configured L3 routing with some subnets routed into the tunnel while others follow the local default route. The question is what the destination/server IP(s) for the VoIP service are and where they're routed to when the tunnel is up. If it's coming into the tunnel, it's likely the server/FGT side causing the problem that you need to troubleshoot.
If the local public IP is the registered IP at the VoIP server side, and if it's the only IP that would work, then if the traffic is routed through the VPN server/FGT, it obviously wouldn't work because the server side sees the FGT's outside/public IP as the source of traffic. For that case "split-tunneling-routing-negate" seems to be the solution. I haven't tried it (didn't have to so far) though.
We often refer to VPNs as tunnels because both sides can exchange packets with internal IPs without referring to the public/outside IP of the tunnel. You must have configured a private subnet for SSL VPN, or by default 10.102.something, I don't remember. That's the source IP from the client for all traffic including VoIP. No public IP is attached to the packets when they come into the FGT. You can sniff them to see.
[user with vpn and phone] ---[vpn_with_private_ip:port#-----fortigate---NAT---public_ip:port#]---[Internet]--SIP Phone server
So NAT in the FGT should keep the NAT session open between private_ip:port and public_ip:port, in my case for voice calls also, even if they go to public.
It's like I am connected to SSL VPN right now and can still browse the internet (Google, MSN, Amazon) with my company IP; here the FGT NAT can keep my session open and send and receive for me for HTTP and HTTPS properly, BUT when it comes to voice it can't.