Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Remote H.323 Extension Problems

Status
Not open for further replies.

tylamb19

IS-IT--Management
Jul 10, 2017
57
US
Hi all,

Having trouble with setting up a basic remote extension for a single user, working from home due to an injury for the next few months.

IPO is running 9.1. There is no VPN licenses on the system, which is why I'm going down the standard H.323 port forward route. Forwarded TCP 1720, UDP 1719, 5005, & 46750-50750. Limited source to the user's IP address. Screenshots of my rules are below.
Screen_Shot_2023-02-24_at_9.44.09_PM_gh3dna.png


Screen_Shot_2023-02-24_at_9.43.00_PM_lnhoz3.png


I can get the phone to a login screen, but once you enter the extension and password, the phone goes to "Discover <firewall's WAN IP>" and just sits there. I looked in Monitor which returns the following text over and over as the phone is sitting on the Discover screen:
Code:
 21:31:16     351401mS RasRx: v=IFace=LAN1, Src=174.<obfuscated ip>.<obfuscated ip>.<obfuscated ip>, Dst=10.10.42.2:1719 peb=0
            RasMessage = gatekeeperRequest  
 21:31:16     351401mS H323Evt:    Recv GRQ from aecb6c8b
 21:31:16     351402mS H323Evt:    e_H225_AliasAddress_dialedDigits alias
 21:31:16     351402mS H323Evt:    found number <3019>
 21:31:16     351402mS RasTx: v=Src=10.10.42.2:1719, Dst=174.<obfuscated ip>.<obfuscated ip>.<obfuscated ip>:10272 peb=0
            RasMessage = gatekeeperConfirm

User is set to "Enable Remote Worker" checked and the H.323 Remote Extension Enable checkbox on LAN1 is checked. I have a 0.0.0.0 route set for LAN1 and the local network gateway. H.323 Helper/Conntrack is disabled in the firewall.

I am at a loss. Any ideas?
 
@tylamb19 - Yes, I can see the problem straight away I'm afraid as I've encountered this problem too. It looks like you're using Ubiquiti appliances which unfortunately aren't compatible with Avaya VPN Phones. Avaya phones need pure IPSec and the Ubiquiti appliances use L2TP over IPsec.

The only way I've managed to get around it is to set up a site to site VPN at each location (I used a SonicWall at the remote site) and set up the site to site VPN on the UDM pro, then the Avaya phones connect to the network this way.

If there's a way to get around this problem, I haven't been able to work it out sorry.

If you have managed to get this far, have you enabled 'H323 remote extn enable' under LAN1 | VoIP? I also had to add the remote sites IP Route. (EDIT- Sorry missed the last paragraph where you said you've done this. Have you tried setting an IP Route specific to the remote network instead of 0.0.0.0?)

Thanks, Tim
Adelaide, Australia
 
Hey Tim - thanks for the reply!

I'm not using VPN to connect this phone. It's just a port forward to the IPO directly which is locked down to only be accessible by the end user's external IP. This solution is documented in Avaya's literature here. The IPO doesn't have any VPN licenses so even if the Ubiquiti could set up an IKE tunnel, I can't use VPN phones with it. And since it's on R9.1 using ADI, I can't just buy a new license.

I know that site to site works great as I have a few clients with that exact setup. The problem here is that the phone is going to be on the end user's home network which we don't have control over, and more than likely is just a generic consumer or ISP provided router.

When you say to add the route to the specific remote network do you mean a route to the external IP of the end user (174.xxx.xxx.xxx/32)? I can give that a shot.
 
Ah ok I'm with you now.

I had to set the below in IPO Manager:

IP Address: 192.168.1.0 [Remote users network]
IP Mask: 255.255.255.0
Gateway IP Address: 10.10.10.1 [IPO Network]

Thanks, Tim
Adelaide, Australia
 
Nope - same responses still on the phone, just "Discover <External IP>" on the phone (only after logging in) and the repeating message of Recv GRQ in Monitor.
 
Did you set up the Network Topology tab in the LAN settings?
 
Yep - STUN as of Friday was coming back with "Full Cone NAT" but for whatever reason as of today comes back with "Unknown" but I know for a fact the firewall is open from the destination IP. It might just be the STUN server I'm using, if anyone has any recommendations on one to try I'd be happy to give it a shot. I have tried all of the combinations of the NAT settings and none seem to change the behavior.
 
Yes the public IP is populated when I run STUN.
 
Since you know your Public IP, try blanking out the STUN Server address, unchecking Run Stun on Startup, and setting the Firewall/NAT Type to Unknown. You can always put it back if it doesn't make a difference, but I always run SIP trunks this way, finding that STUN interferes in odd ways.
 
Just gave that a try and no luck. It still gets a login screen but after logging into the extension, nothing.

Another solution I’m thinking of is to put the phone behind a router with an always-on VPN. The UniFi VPN server is L2TP over IPSec. Anyone out there know a router or other device that could do this?

We’d put that router at the employee’s house, it would connect to the firewall’s built in VPN server, then the phone would act like it’s sitting right on a he network at the office.
 
Make sure you have any H.323/transformations/helpers/ALG disabled in the firewall as well as on the users firewall. I've even run across a cable modem (acting as the users router) that had that feature enabled.

New England Communications
 
Yep, all H.323 and SIP helpers are disabled in the UniFi firewall. The end user's router is a really dumb cellular modem. They have no normal cable or fiber internet. No options to change, no way to log into it. Even if I could log in, I can't imagine that it has the ability to do NAT transformation.

Either way, I think we are going to end up putting an old, small Cisco router behind her connection, I was able to configure OpenWRT on that router to connect an always-on VPN to the main office firewall via the L2TP/IPsec remote access VPN.

Tested this with my cellular hotspot and it works perfectly. The phone believes it's on the voice VLAN at the office. I even tested it with rate limited service (128Kb/s) and even about 1 bar of LTE signal and calls are still clear enough. The cellular service at the user's house is around 10Mbps/4Mbps so this solution should work perfectly.
 
Was not IPv6 only - definitely had an IPv4 address, just something along the path was not working. The VPN solution should work fine.

Since we're still behind the user's cellular modem/router providing NAT, I couldn't do a normal IPSec site to site VPN, which is why I had to find a solution to connect to the L2TP server on the UniFi firewall at the office.

Theoretically we could have put the cellular modem into bridge mode (if that was even possible with the unit that the user has, which it might not be) and install a firewall/router capable of a site to site tunnel at the user's house, but no one wants to take on the responsibility of an end user's home network. Having a simple device that makes it a self contained solution behind the user's own network router means that her home network doesn't become the issue of the IT department, just the stuff behind the little Cisco EA4500 running OpenWRT I'm using. Aruba actually makes devices that do the same thing I am doing and markets them as RAPs (remote access points), but they only work with an Aruba firewall. If anyone knows an off-the-shelf solution to do this with any generic L2TP over IPSec remote access VPN, I'd love to know about it!

I figured there had to be a way to do it myself, and it seems I was right. I'm glad I found this solution as well as I didn't want to increase our attack surface more than absolutely necessary, so not needing port forwarding and just using the pre-existing L2TP server means no extra attack surface. So all around I think it should be a good solution.
 
L2TP alone is insecure. It's why not even Ubiquiti recommends it any longer.

IPSEC is absolutely possible behind a NAT device.

Your cellular connection is using CGNAT (basically 1 IP4 address to hundreds of devices) unless you're paying for a static IP.

tylamb19 said:
If anyone knows an off-the-shelf solution to do this with any generic L2TP over IPSec remote access VPN, I'd love to know about it!

Any modern UTM or business-class firewall. (Unifi gateways/UDMs do not fall in this category)
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top