ssl vpn and voice over ip
Hello,
I have users trying to use a SIP softphone remotely. When SSL VPN is not connected their calls connect and there is no audio problem, BUT when SSL VPN is connected there is no audio between callers and callee. I found that SSL VPN by default uses TCP but audio uses UDP. Is there a way to push SSL VPN to allow and route UDP also?
No distinction between TCP or UDP for traffic the VPN itself handles. If it's a split-tunnel setup, you must have configured L3 routing with some subnets routed into the tunnel while others follow the local default route. The question is what the destination/server IP(s) for the VoIP service is and where it's routed to when the tunnel is up. If it's coming into the tunnel, it's likely the server/FGT side causing the problem that you need to troubleshoot.
Thank you for the response; it's not split tunnel in our case. The SIP server is in the public network of the service provider, so remote users have it as a public IP to register on their X-Lite.
I found that SIP ALG is not disabled on the FortiGate, but I'm not sure if disabling it would solve the problem...
Any ideas how to troubleshoot next?
Thank you
If the local public IP is the registered IP at the VoIP server side, and if it's the only IP that would work, then if the traffic is routed through the VPN server/FGT, it obviously wouldn't work because the server side sees the FGT's outside/public IP as the source of traffic. For that case "split-tunneling-routing-negate" seems to be the solution. I haven't tried it (didn't have to so far) though.
https://forum.fortinet.com/tm.aspx?m=190576
I thought the FGT will NAT the internal IP:port (in my case from the SSL VPN subnet) to the external IP:port (of the FGT) with stateful NAT, and this should keep the session up and the audio traffic also. But it's not working.
We often refer to VPNs as tunnels because both sides can exchange packets with internal IPs without referring to the public/outside IP of the tunnel. You must have configured a private subnet for SSL VPN, or by default 10.102.something, I don't remember. That's the source IP from the client for all traffic including VoIP. No public IP is attached to the packets when they come into the FGT. You can sniff them to see.
[user with vpn and phone] ---[vpn_with_private_ip:port#-----fortigate---NAT---public_ip:port#]---[Internet]--SIP Phone server
So NAT in the FGT should keep the NAT session open between private_ip:port and public_ip:port, in my case for voice calls also, even if they go to public.
It's like I am connected to SSL VPN right now and can still browse the internet (Google, MSN, Amazon) with my company IP; here the FGT NAT can keep my session open and send and receive for me for HTTP and HTTPS properly, BUT when it comes to voice it can't.