Phone not registering via mikrotik-fortigate IPSec tunnel?
Good afternoon, telephones are often not registered at remote sites. Networks are available, roughly speaking there is a ping. Communication between the central office and remote branches is organized through ipip tunnel + ipsec.
On the Mikrotiks, in connection tracking, at this moment I see the following picture:
address=external ip:5060 timeout=2m28s orig-packets=6
orig-bytes=2 955 orig-fasttrack-packets=0 orig-fasttrack-bytes=0
repl-packets=6 repl-bytes=3 489 repl-fasttrack-packets=0
repl-fasttrack-bytes=0 orig-rate=0bps repl-rate=0bps
where 10.5.0.100 is the remote sip phone
172.1.0.15 - telephony server in the branch
reply-dst-address (the expected response address) is, for some reason, the external IP of the router. Resetting the session on Mikrotik temporarily helps.
There is something like a SIP helper on Mikrotik, as I understand it. Enabling or disabling this function did not help either.
Separately, in the firewall or nat, I did not configure the rules for the phone in any way.
Apparently nat is busy here. Do I understand correctly:
When Mikrotik is turned on, the telephone gateway starts looking for a telephony server, but cannot find it while the VPN comes up and dynamic routing is built. And therefore, the reply-dst-address in the session has the external IP of Mikrotik (why this session remains the same is another question). I made a blackhole-type route to that network and I'm watching; so far so good.
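A way to spot the condition described above, as an added example that is not part of the original thread: it scans connection-tracking entries for SIP (port 5060) flows toward the tunnel network whose reply-dst-address differs from the original source, meaning the flow was source-NATed to the router's external IP before the tunnel route existed. The sample lines, the placeholder external IP 203.0.113.7, the 172.1.0.0/24 tunnel network and the field names other than reply-dst-address are assumptions.

```python
import ipaddress
import re

# Constructed sample in the key=value style of the conntrack output quoted above.
# 203.0.113.7 is a placeholder for the router's external IP.
SAMPLE = """\
protocol=udp src-address=10.5.0.100:5060 dst-address=172.1.0.15:5060 reply-src-address=172.1.0.15:5060 reply-dst-address=203.0.113.7:5060 timeout=2m28s
protocol=udp src-address=10.5.0.101:5060 dst-address=172.1.0.15:5060 reply-src-address=172.1.0.15:5060 reply-dst-address=10.5.0.101:5060 timeout=2m50s
protocol=tcp src-address=10.5.0.100:51512 dst-address=198.51.100.20:443 reply-src-address=198.51.100.20:443 reply-dst-address=203.0.113.7:51512 timeout=23h
"""

# Assumed: networks that must be reached through the tunnel, never via NAT.
TUNNEL_NETS = [ipaddress.ip_network("172.1.0.0/24")]

def parse_entry(line):
    """Turn one key=value conntrack line into a dict."""
    return dict(re.findall(r"([\w-]+)=(\S+)", line))

def host(addr):
    """Strip the :port suffix from an IPv4 addr:port value."""
    return ipaddress.ip_address(addr.rsplit(":", 1)[0])

def stale_nat_entries(text, tunnel_nets=TUNNEL_NETS, port="5060"):
    """Return entries to tunnel networks on the SIP port whose reply is
    expected at an address other than the original source (src-NAT applied)."""
    hits = []
    for line in text.splitlines():
        e = parse_entry(line)
        if not {"src-address", "dst-address", "reply-dst-address"} <= e.keys():
            continue  # not a complete conntrack entry
        if e["dst-address"].rsplit(":", 1)[-1] != port:
            continue  # not SIP signalling
        if not any(host(e["dst-address"]) in n for n in tunnel_nets):
            continue  # internet-bound traffic is expected to be NATed
        if host(e["reply-dst-address"]) != host(e["src-address"]):
            hits.append(e)  # tunnel traffic that got NATed: stale session
    return hits

if __name__ == "__main__":
    for e in stale_nat_entries(SAMPLE):
        print(f'{e["src-address"]} -> {e["dst-address"]} '
              f'reply expected at {e["reply-dst-address"]}')
```

Entries it reports are the ones that have to be cleared once the tunnel is up, since the NAT mapping stays bound to the session for as long as the phone keeps retrying.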
With telephony over L3, Mikrotik is bad. And not only in Mikrotik, by the way. For telephony, the most orthodox thing is to create a separate VLAN and drive it between points via MPLS/VPLS, and on the end devices where the phones are connected, create access ports to this VLAN.