Problems with VoIP/SIP Connection over IPsec VPN

FL_AT Posts: 1  Freshman Member
edited April 2021 in Security
Hello forum,

I have configured a working IPsec VPN connection between 2 sites (Ping, HTTP, ... everything works), but no SIP registration can be performed.

A short description of my setup:
Location A:
USG 40W
IPsec server (fixed IP)
LAN: 192.168.1.0/24
CISCO VoIP Phone Adapter with IP 192.168.1.21

Location B:
USG 20W VPN
IPsec client (dynamic IP)
LAN: 192.168.11.0/24
Fritzbox as a SIP / VOIP server in "IP client mode" with IP 192.168.11.34

No. Time Source Destination Protocol Length Info
170 2.821014 192.168.1.21 192.168.11.34 SIP 626 Request: REGISTER sip:192.168.11.34 (1 binding)
171 2.821217 ZyxelCom_1e:38:e7 Broadcast ARP 42 Who has 192.168.11.34? Tell 192.168.1.1
209 5.814228 192.168.1.1 192.168.1.21 ICMP 590 Destination unreachable (Host unreachable)

At the same time, the ping from the 192.168.1.0/24 network to the VoIP server works:
900 12.414553 192.168.1.10 192.168.11.34 ICMP 98 Echo (ping) request id=0x503e, seq=1/256, ttl=64 (reply in 903)
903 12.462777 192.168.11.34 192.168.1.10 ICMP 98 Echo (ping) reply id=0x503e, seq=1/256, ttl=60 (request in 900)


All SIP settings on the USG devices are disabled.
The routes are (in my view) configured correctly - otherwise the ping would not work either.
Why does the USG 40W (site A) not use the route to site B for the SIP request?

Thank you in advance for tips or hints.
Regards

Comments

  • Zyxel_Charlie
    Zyxel_Charlie Posts: 1,034  Zyxel Employee
    edited December 2017
    Hello FL_AT,

    When the issue happens, can you capture packets on:

    1. the LAN interface to which the VoIP phone is connected
    2. the WAN interface of the USG40W
    3. the VoIP server.

    It helps to understand what packets were missing.

    Regarding the packet messages you shared, did you configure IP/MAC binding on the USG? Since the gateway interface cannot communicate with the VoIP phone, could you confirm the VoIP phone's IP address and MAC address?

    Charlie 

  • Agor76
    Agor76 Posts: 16  Freshman Member
    Hi FL_AT,

    You've probably solved this, but SIP or IAX registration failure is a common issue for me, especially after a reboot due to a firmware upgrade. Everything works except for those registrations, and the only thing that seems able to solve it is to reboot the device again.
    I've always wanted to open a ticket for this issue, but it's really hard to reproduce, and the fact that a simple reboot is able to solve it makes me believe that this could also be Zyxel's answer.

    Fabio
