love IT asked:
3CX with ext. registration over the IPsec VPN
I am using pfSense 2.4.4 with 3CX 16 and everything (inbound and outbound calls) is working fine, but I am not able to register the phones over the VPN (the firewall at the other end is a FortiGate). I have done everything as in https://www.3cx.com/docs/fortigate-firewall-configuration/ . The interesting part is that I am able to work with a softphone but not with IP phones (tested with Yealink, Polycom).
ASKER
Thanks for the reply ccomley. I have already made the changes and tried manual provisioning as well. The 3CX firewall checker passes, but as I observed, the IP phone is sending account registration packets to the 3CX server while no packets are received from the 3CX server.
10:32:52.757463 (authentic,confidential): SPI 0xc0859513: IP IP phone ip.5060 > 3cx server : UDP, length 568
10:32:53.274921 (authentic,confidential): SPI 0xc0859513: IP IP phone ip.5060 > 3cx server.5060: UDP, length 568
10:32:54.295058 (authentic,confidential): SPI 0xc0859513: IP IP phone.5060 > 3cx server.5060: UDP, length 568
Do the IPsec VPN policies allow these networks to pass? And does the firewall allow the ports? (And does the phone have a route to the VPN device?)
(IPsec Phase 1 = key exchange, Phase 2 = tunnel. The tunnel needs to include the addresses used for VoIP as well. It should be possible to have multiple Phase 2 definitions under one Phase 1 definition.)
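The two checks raised in this thread (the one-way SIP traffic in the asker's tcpdump above, and whether the Phase 2 selectors actually carry the reply path) can be scripted. The following is an added example and not code from the thread or from 3CX; the capture lines are constructed in the shape of the ones posted above, with hypothetical addresses (10.20.0.x for the phones, 192.168.1.200 for the 3CX server) standing in for the redacted ones, and the selector pairs are hypothetical too.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the shape of the tcpdump -E (decrypted ESP) lines
# posted in the thread. Addresses are hypothetical stand-ins for the
# redacted "IP phone ip" / "3cx server" values. The last two lines are a
# second phone that DOES get a reply, so the report has a negative case.
SAMPLE_CAPTURE = """\
10:32:52.757463 (authentic,confidential): SPI 0xc0859513: IP 10.20.0.50.5060 > 192.168.1.200.5060: UDP, length 568
10:32:53.274921 (authentic,confidential): SPI 0xc0859513: IP 10.20.0.50.5060 > 192.168.1.200.5060: UDP, length 568
10:32:54.295058 (authentic,confidential): SPI 0xc0859513: IP 10.20.0.50.5060 > 192.168.1.200.5060: UDP, length 568
10:32:55.101000 (authentic,confidential): SPI 0xc0859513: IP 10.20.0.51.5060 > 192.168.1.200.5060: UDP, length 560
10:32:55.132000 (authentic,confidential): SPI 0x1a2b3c4d: IP 192.168.1.200.5060 > 10.20.0.51.5060: UDP, length 470
"""

# Matches "IP a.b.c.d.PORT > e.f.g.h.PORT: UDP, length N". Lines where the
# port was redacted (like the first line the asker posted) simply don't match
# and are skipped.
LINE_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): UDP, length (?P<len>\d+)"
)


def parse_capture(text):
    """Return (src, sport, dst, dport) for every parseable UDP line."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            flows.append((m["src"], int(m["sport"]), m["dst"], int(m["dport"])))
    return flows


def one_way_flows(flows):
    """(src, dst, packets) for every src->dst pair with no dst->src packet at all.

    A phone that sends REGISTER and never sees a response shows up here;
    a phone that got even one packet back does not.
    """
    seen = defaultdict(int)
    for src, _sport, dst, _dport in flows:
        seen[(src, dst)] += 1
    return sorted(
        (src, dst, n) for (src, dst), n in seen.items() if (dst, src) not in seen
    )


def phase2_covers(selectors, src, dst):
    """True if some Phase 2 selector pair (local_cidr, remote_cidr), written
    from the point of view of the side that owns `src`, carries src->dst.

    The selectors are what you would read off the pfSense Phase 2 entries
    (Local Network / Remote Network) or the FortiGate phase2-interface
    src-subnet / dst-subnet; they are hypothetical values here.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for local_cidr, remote_cidr in selectors:
        if s in ipaddress.ip_network(local_cidr) and d in ipaddress.ip_network(remote_cidr):
            return True
    return False


def diagnose(capture_text, selectors_at_server_side):
    """For each one-way flow, report whether the *reply* (dst -> src) is even
    inside the Phase 2 selectors on the 3CX/pfSense side. A False here means
    the server's answer is dropped or sent in the clear before ESP is reached,
    which matches "packets sent, none received" on the phone side.
    """
    findings = []
    for src, dst, n in one_way_flows(parse_capture(capture_text)):
        findings.append({
            "src": src,
            "dst": dst,
            "packets_sent": n,
            "reply_path_in_phase2": phase2_covers(selectors_at_server_side, dst, src),
        })
    return findings


if __name__ == "__main__":
    # Hypothetical Phase 2 at the 3CX side: local 192.168.1.0/24, remote 10.20.1.0/24.
    # The phones live in 10.20.0.0/24, so the reply path is not in the tunnel.
    for f in diagnose(SAMPLE_CAPTURE, [("192.168.1.0/24", "10.20.1.0/24")]):
        print(f)
```

Run it against real `tcpdump -n -E ...` output and the selector pairs from your own Phase 2 entries; a one-way flow whose `reply_path_in_phase2` is False points at the tunnel definition, while one where it is True points at a firewall rule or a missing default gateway on the phone instead.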
ASKER CERTIFIED SOLUTION
How far away is the remote site?
If it's convenient, I would suggest you register the new phones on the lan at the 3CX end, then send them over to the other office.
If not, I'm guessing what would work is: initially set them up as "STUN (Direct SIP)" using the TPS setup method; they'll register remotely, then once they're active, change them to "LAN". When setting up the TPS, you'll need to either use the LAN IP of the 3CX server or, if you leave it defaulting to the WAN IP, have your firewall at the 3CX end admit 5060 and 5001 requests from the remote end.
Or, set up the autoprovision manually, in which case you can edit the server-url string to have the 3CX LAN IP in it, e.g.
https://your-id.3cx.com:5001/provisioning/oiuahlst becomes https://192.168.1.200:5001/provisioning/oiuahlst.
Now that I come to think of it, that will be the string it offers you if you set the phone up for "LAN", so if you're pasting the URL into the phone setup manually, just set it all to LAN.
REMEMBER that the phone NETWORK setting will need a Default Gateway to find the router doing the VPN. I have seen some devices configured by 3CX not being given a default gateway.