3CX with ext. registration over the IPSecVPN

love IT
I am using pfSense 2.4.4 with 3CX 16, and everything (inbound and outbound calls) is working fine, but I am not able to register the phones over the VPN (the firewall at the other end is a FortiGate). I have done everything as per https://www.3cx.com/docs/fortigate-firewall-configuration/. The interesting part is that I am able to work with a softphone but not with IP phones (tested with Yealink and Polycom).
ccomley, Director

Commented:
The method the phones use to say "hi, I'm a phone, does anyone have a config for me?", which 3CX spots and puts them on the list of unallocated phones, doesn't work other than on the same network range.

How far away is the remote site?

If it's convenient, I would suggest you register the new phones on the LAN at the 3CX end, then send them over to the other office.

If not, I'm guessing what would work is: initially set up as "STUN (Direct SIP)" using the TPS setup method, they'll register remotely, then once they're active, change them to "LAN". When setting up the TPS, you'll need to either use the LAN IP of the 3CX server, or if you leave it defaulting to the WAN IP, you'll need your firewall at the 3CX end to admit 5060 and 5001 requests from the remote end.

Or, set up the autoprovision manually, in which case you can edit the server-url string to have the 3CX LAN IP in it, e.g.

https://your-id.3cx.com:5001/provisioning/oiuahlst becomes https://192.168.1.200:5001/provisioning/oiuahlst.

Now I come to think of it - that will be the string it offers you if you set the phone up for "LAN", so if you're pasting the URL into the phone setup manually, just set it all to LAN.

REMEMBER that the phone NETWORK setting will need a Default Gateway to find the router doing the VPN. I have seen some devices configured by 3CX not being given a default gateway.

Author

Commented:
Thanks for the reply, ccomley. I have already made the changes and tried manual provisioning as well. In 3CX, the firewall checker passed. But as I observed, the IP phone is sending account registration packets to the 3CX server, but there are no packets received from the 3CX server.

10:32:52.757463 (authentic,confidential): SPI 0xc0859513: IP IP phone ip.5060  > 3cx server : UDP, length 568
10:32:53.274921 (authentic,confidential): SPI 0xc0859513: IP IP phone ip.5060  > 3cx server.5060: UDP, length 568
10:32:54.295058 (authentic,confidential): SPI 0xc0859513: IP IP phone.5060 > 3cx server.5060: UDP, length 568
noci, Software Engineer
Distinguished Expert 2018

Commented:
The IPSEC VPN policies do allow for these networks to pass?  And the firewall does allow for the ports?  (And the Phone does have a route to the VPN device?)
(IPSEC Phase 1 = key exchange, Phase 2 = Tunnel. The tunnel needs to include the addresses used for VOIP as well. It should be possible to have multiple Phase2 definitions with one Phase 1 definition).
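
The two checks raised in this thread, as an added example that is not part of the original posts: it finds UDP flows in a capture that never get a reply, then tests whether a Phase 2 entry contains both endpoints. The phone address 10.20.0.51, the subnets and the `PHASE2` list are assumptions; the capture lines are constructed in the format the author posted.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the format of the capture posted above; the phone
# address 10.20.0.51 is an assumption, 192.168.1.200 is the thread's example
# 3CX LAN IP.
CAPTURE = """\
10:32:52.757463 (authentic,confidential): SPI 0xc0859513: IP 10.20.0.51.5060 > 192.168.1.200.5060: UDP, length 568
10:32:53.274921 (authentic,confidential): SPI 0xc0859513: IP 10.20.0.51.5060 > 192.168.1.200.5060: UDP, length 568
10:32:54.295058 (authentic,confidential): SPI 0xc0859513: IP 10.20.0.51.5060 > 192.168.1.200.5060: UDP, length 568
"""

# Assumed Phase 2 entries as (3CX-side subnet, phone-side subnet).
PHASE2 = [("192.168.1.0/24", "10.20.0.0/24")]

FLOW = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): UDP")


def one_way_flows(capture):
    """Return {(src, dst): packets} for flows with no packet in the reverse direction."""
    seen = Counter()
    for line in capture.splitlines():
        m = FLOW.search(line)
        if m:
            seen[(m.group(1), m.group(3))] += 1
    return {f: n for f, n in seen.items() if (f[1], f[0]) not in seen}


def phase2_covers(selectors, local_ip, remote_ip):
    """True if some Phase 2 entry contains both the local and the remote address."""
    local = ipaddress.ip_address(local_ip)
    remote = ipaddress.ip_address(remote_ip)
    return any(local in ipaddress.ip_network(l_net)
               and remote in ipaddress.ip_network(r_net)
               for l_net, r_net in selectors)


if __name__ == "__main__":
    for (phone, pbx), count in one_way_flows(CAPTURE).items():
        covered = phase2_covers(PHASE2, pbx, phone)
        print(f"{phone} -> {pbx}: {count} packets, no reply seen; "
              f"Phase 2 covers this pair: {covered}")
```

If the pair is covered and replies are still missing, the next places to look are the firewall rules and the 3CX host itself rather than the tunnel definition.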
Commented:
Implementing SBC has resolved the issue....
