
VoIP over IPsec

Status
Not open for further replies.

FortKnox

Technical User
May 10, 2004
254
US

I have a Definity behind a WatchGuard firewall, and I am at home connected to the Definity's LAN via a VPN endpoint.

I am trying to register a 4602 phone to the Definity.

My LAN at home is 192.168.223.0/24 and I have an 'ANY/ANY' rule on the WatchGuard.

Below I will paste the transmission logs from the WatchGuard's traffic monitor, but everything looks good and is allowed. Because it is over vpn, there is no natting, so that area is good.

The phone asks for an extension number and password. I give it both, then I get a 2011 - Register / No Signalling, it reboots, then I get an 'Extension Error' message.

Any ideas where I should start?

08/13/05 14:23 firewalld[163]: allow in ipsec0 116 udp 20 63 192.168.223.105 192.168.0.40 3000 1719 (Cisco_All)
08/13/05 14:23 firewalld[163]: allow out eth1 40 udp 20 30 192.168.0.40 192.168.223.105 1719 1148 (Cisco_All)
08/13/05 14:24 firewalld[163]: allow out eth1 97 udp 20 30 192.168.0.40 192.168.223.105 1719 1149 (Cisco_All)
08/13/05 14:24 firewalld[163]: allow out eth1 142 udp 20 30 192.168.0.40 192.168.223.105 1719 1150 (Cisco_All)
08/13/05 14:24 firewalld[163]: allow in ipsec0 60 tcp 20 63 192.168.223.105 192.168.0.40 4039 1720 syn (Cisco_All)
08/13/05 14:24 firewalld[163]: allow out eth1 40 tcp 20 30 192.168.0.40 192.168.223.105 1720 4039 syn ack (Cisco_All)
08/13/05 14:24 firewalld[163]: allow out eth1 110 udp 20 30 192.168.0.40 192.168.223.105 1719 1150 (Cisco_All)

The Cisco_All is the alias name for the any/any rule that I created.
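As an added illustration (not code from this thread), a small Python parser for WatchGuard traffic-monitor lines in the format above that checks, per endpoint IP, whether H.323 RAS on UDP/1719 was seen in both directions and whether the TCP/1720 call-signalling session ever carried anything beyond the SYN and SYN-ACK. The sample lines are constructed in the same format; the port roles (1719 RAS, 1720 Q.931) are standard H.323, and the diagnosis strings are this example's own wording.

```python
import re

# Constructed sample in the WatchGuard traffic-monitor format quoted in the thread above.
SAMPLE_LOG = """\
08/13/05 14:23 firewalld[163]: allow in ipsec0 116 udp 20 63 192.168.223.105 192.168.0.40 3000 1719 (Cisco_All)
08/13/05 14:23 firewalld[163]: allow out eth1 40 udp 20 30 192.168.0.40 192.168.223.105 1719 1148 (Cisco_All)
08/13/05 14:24 firewalld[163]: allow in ipsec0 60 tcp 20 63 192.168.223.105 192.168.0.40 4039 1720 syn (Cisco_All)
08/13/05 14:24 firewalld[163]: allow out eth1 40 tcp 20 30 192.168.0.40 192.168.223.105 1720 4039 syn ack (Cisco_All)
"""
RAS_PORT, Q931_PORT = 1719, 1720  # H.323 RAS (UDP) and Q.931 call signalling (TCP)
LINE_RE = re.compile(
    r"^\S+ \S+ \S+: (?P<action>\w+) (?:in|out) \S+ \d+ (?P<proto>udp|tcp) \d+ \d+ "
    r"(?P<src>[\d.]+) (?P<dst>[\d.]+) (?P<sport>\d+) (?P<dport>\d+)(?P<flags>(?: [a-z]+)*) \([^)]*\)$"
)

def parse_line(line):
    """Parse one allowed traffic-monitor line; return None for denies or unknown formats."""
    m = LINE_RE.match(line.strip())
    if not m or m.group("action") != "allow":
        return None
    return {"proto": m["proto"], "src": m["src"], "dst": m["dst"], "sport": int(m["sport"]),
            "dport": int(m["dport"]), "flags": set(m["flags"].split())}

def h323_state(log_text):
    """Per endpoint IP: was RAS seen both ways, and did TCP/1720 get past the handshake?"""
    state = {}
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        if rec["dport"] in (RAS_PORT, Q931_PORT):     # endpoint -> gatekeeper/PBX
            ep, port, way = rec["src"], rec["dport"], "to_gk"
        elif rec["sport"] in (RAS_PORT, Q931_PORT):   # gatekeeper/PBX -> endpoint
            ep, port, way = rec["dst"], rec["sport"], "from_gk"
        else:
            continue
        st = state.setdefault(ep, dict.fromkeys(
            ["ras_to_gk", "ras_from_gk", "q931_syn", "q931_msg"], False))
        if port == RAS_PORT and rec["proto"] == "udp":
            st["ras_" + way] = True
        elif port == Q931_PORT and rec["proto"] == "tcp":  # a segment without SYN could carry a Q.931 message
            st["q931_syn" if "syn" in rec["flags"] else "q931_msg"] = True
    return state

def diagnose(st):
    """Map what the firewall saw to the registration symptom."""
    if not (st["ras_to_gk"] and st["ras_from_gk"]):
        return "RAS (UDP/1719) not seen both ways: check the tunnel and UDP rules first"
    if not st["q931_syn"]:
        return "RAS OK but the endpoint never opened TCP/1720: check TCP/1720 from the endpoint"
    if not st["q931_msg"]:
        return "RAS OK, TCP/1720 handshake seen, no Q.931 message: consistent with denial event 2011"
    return "RAS and Q.931 traffic both present: look past the firewall (region, codecs, station form)"
```

If the traffic monitor only logs the packet that opens each connection, the absence of later TCP/1720 segments in the log is not proof on its own; a packet capture on the phone's segment, or a trace on the PBX side, settles whether any Q.931 message was actually sent.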
 
First off, you will need to open ports 1719 udp and 1720 tcp for signalling. Then the UDP range in the ip-network region for your VPN IP subnet. The clincher is to then port forward the above ports to the IP of the 4602...BAM you are in business.

In the future everything will work...
 

Thanks for the reply. Please hang in here with me, I have got to get this working, or there will be some very upset people at me.

If you look at the log I attached, you can see that the phone (192.168.223.105) is communicating with the phone switch (192.168.0.40) and uses ports 1719 and 1720, and uses both UDP and TCP.

When I type in the extension and the password on the phone this is exactly what appears in my firewall log:

08/14/05 08:48 firewalld[163]: allow in ipsec0 116 udp 20 63 192.168.223.105 192.168.0.40 3000 1719 (Cisco_All)
08/14/05 08:48 firewalld[163]: allow out eth1 97 udp 20 30 192.168.0.40 192.168.223.105 1719 1152 (Cisco_All)
08/14/05 08:48 firewalld[163]: allow out eth1 142 udp 20 30 192.168.0.40 192.168.223.105 1719 1153 (Cisco_All)
08/14/05 08:48 firewalld[163]: allow in ipsec0 60 tcp 20 63 192.168.223.105 192.168.0.40 4039 1720 syn (Cisco_All)

All ports are open in the firewall with my ANY/ANY rule. Is that where you are referring to open them up at?

What should be the UDP range in the ip-network-region? I set it to 2-65535, but still no go.

This may be a hint to my problem: my IP Softphone will not log in when I am connected through my VPN endpoint, but it will when I use the Microsoft PPTP client. Of course, I can't log in using the MS PPTP client when using a hardphone.
 

Mmmm....I got the RoadWarrior softphone to work using the Microsoft PPTP VPN client; I changed the codec option on the switch from the default of G.711 to G.729. That still doesn't fix why my VPN endpoint (Linksys WRV54G) won't work.

 
I have a network appliance that runs my PPTP client...I wrote a custom firmware for my WRT54G Linksys and now have an IP hardphone via VPN. Did you port forward on the WRV54G to the IP softphone IP? An ip-network region should be assigned to the IP subnet 192.168.223.1 to 224 in your ip-network mapping. In the region assigned, try setting the UDP range to the default. I can't recall, but I think it is 2000 to 4000. Now is this for a softphone or hard phone? Make sure you set a password for the ext. Also make sure IP Softphone is set to Y on the station form...also make the station a 4620. The softphone should be set to LAN. Make sure you list g.711 in your ip-codecs for the above region.

In the future everything will work...
 
My IP Softphone (Telecommuter & RoadWarrior) will register fine using the Microsoft VPN connector, but not when using my WRV54G. My IP hardphone also will not register when using my WRV54G.

When I use the WRV54G Linksys router as my VPN endpoint, why do I need to forward ports if I am connected via VPN? If I am connected via VPN, shouldn't it be just like being on the LAN? I'll try that, and creating a new subnet on the switch.

Please don't give up on me yet...
 

OK, I added 192.168.223.0-192.168.223.255 to the ip-network-map, and I set it to region 2.

On region 2, I set the UDP port range to the default and I changed it around to 2000-4001.

I am still having the same 2011-register, no signalling issue.

What codec does the 4602 hardphone use? The thing that drives me crazy is that in my firewall monitor I can see the traffic going back and forth.

Like you said, it must be an issue with the Call Manager not liking my 192.168.223.0 subnet.

 
Signalling issues usually mean no 1719 or 1720. Try turning off the firewall on the Linksys. Even if the subnet was not listed, it would still allow you to login, just not have any sound. Do you have enough bandwidth? The Linksys may be throttling down the IPsec tunnel...

In the future everything will work...
 

Yah, I turned off all the firewalling. Bandwidth is superb.

Yah, but I can't get the IP Softphone to register either when using the VPN appliance.

When I do a list-trace-ras ip-station 899 I get:

11:15:13 denial event 2011: IP FURQ-No Q931 msg rcvd endpt 192.168.223.2 data9
 

Well, I thought maybe I didn't have the ip-network-region set up correctly.

OK, can we start from the beginning?

In 'change ip-interface' the clan and the medpro are assigned to region 1.

In 'change ip-network-map' my VPN appliance 192.168.223.0-255 is set to region 1.

With that said, does that inherently mean that the IPs behind the VPN appliance are allowed to interconnect with the clan and medpro boards?
 
Adding them to the ip-network-map allows the subnet to be manipulated via the ip-network-region. You should give the VPN subnet its own region. I had to turn shuffling off and changed some codecs for my VPN subnet. The signalling is the issue though, not the region or map. Either the Linksys is not allowing the login or it doesn't support H.323.

In the future everything will work...
 

Can you recommend a VPN endpoint that definitely works?
 
I believe the WRV54G requires a client to be running. Since the hardphone can't run the client (I have already put the request in to a few Avaya engineers), you will need an appliance such as a Cisco PIX or Nokia router. They are of the higher end routers costing $500 and up each. OR you can do what I did and find a coder to write a VPN firmware for you and the WRT54G. That is if you want to go over a VPN. If not, you can give your PBX a public IP and take your chances....

I went to rentacoder.com and put in a request...

In the future everything will work...
 
But does it require you to run a client? The Linksys site says you do. Not sure if it is a one time setup or continuous. There are already some firmwares out there that will run an IPsec or PPTP client for the WRT54G. You just need to know how to ssh in and the commands. Try openwrt.org. What you need is the appliance to run the client. Everything plugged into the LAN ports will have access to the VPN tunnel, including wireless users...so you may want to turn off the wireless aspect.

In the future everything will work...
 