Hi all,
I'm looking for some advice. I've got two locations, a main location and a remote one, connected via an IPSec VPN tunnel. The remote location has about 6 SIP phone handsets, which should be communicating back to the PBX at the main location over the VPN tunnel. It also happens to be where the calls come into for customer support, so the phones NOT working is really noticeable.
Once a month on the 1st Sunday, I reboot both OPNSense firewalls, do firmware updates, etc. The following Monday (today in this case), some of the phones come up in the SIP Status interface of the phone server as being "unavailable." This appears to be due to SIP QUALIFY and SIP OPTIONS traffic not flowing between the two locations appropriately. So I've been chasing this for about 4 months now and I'm banging my head against a wall. I'm wondering if you all would look at my IPSec VPN configuration and see if you see something I'm doing incorrectly...
Phase 1

| Setting | Local | Remote |
|---|---|---|
| Phase | 1 | 1 |
| Disabled | Unchecked | Unchecked |
| Connection Method | Start Immediate | Start Immediate |
| Key Exchange Version | V2 | V2 |
| Internet Protocol | IPv4 | IPv4 |
| Interface | WAN | WAN |
| Remote gateway | (Remote Bldg IP) | (Main Bldg IP) |
| Dynamic Gateway | Unchecked | Unchecked |
| Description | Remote Bldg | Main Bldg |
| Phase 1 Auth Method | Mutual PSK | Mutual PSK |
| My identifier | My IP Address | My IP Address |
| Peer identifier | Peer IP Address | Peer IP Address |
| Pre-Shared Key | (The Key - They Match) | (The Key - They Match) |
| Encryption Algorithm | AES-256 | AES-256 |
| Hash Algorithm | SHA1 | SHA1 |
| DH Key Group | 5 (1536 bits) | 5 (1536 bits) |
| Lifetime | 86400 | 86400 |
| Install Policy | Checked | Checked |
| Disable Rekey | Unchecked | Unchecked |
| Disable Reauth | Unchecked | Unchecked |
| Tunnel Isolation | Unchecked | Unchecked |
| SHA256 96 Bit Truncation | Unchecked | Unchecked |
| NAT Traversal | Enable | Enable |
| Disable MOBIKE | Unchecked | Unchecked |
| Close Action | None | None |
| Dead Peer Detection | Unchecked | Unchecked |
| Inactivity Timeout | (Blank) | (Blank) |
| Keyingtries | (Blank) | (Blank) |
| Margintime | 300 | 300 |
| Rekeyfuzz | 50 | 50 |
Phase 2

| Setting | Local | Remote |
|---|---|---|
| Disabled | Unchecked | Unchecked |
| Mode | Tunnel IPv4 | Tunnel IPv4 |
| Description | Local to Remote | Remote to Local |
| Local LAN Type | LAN Subnet | LAN Subnet |
| Local LAN Address | (Blank) | (Blank) |
| Remote LAN Type | Network | Network |
| Remote LAN Address | 192.168.20.0/24 | 192.168.1.0/24 |
| Protocol | ESP | ESP |
| Encryption Algorithm | AES256 | AES256 |
| Hash Algorithms | SHA1 | SHA1 |
| PFS key group | off | off |
| Lifetime | 3600 | 3600 |
| Automatically ping host | 192.168.20.1 | 192.168.1.1 |
| Manual SPD entries | (Blank) | (Blank) |
Under Firewall >> Rules >> IPSec on both firewalls I have an Allow IPv4 Any-Any-Any rule with a description of "Allow IPSec Traffic."
Under Firewall >> Settings >> Advanced I have the Firewall Optimization set to Conservative.
Can anyone see something I'm doing wrong here? In talking with the PBX vendor, they advised that I needed to turn off DPD on my Phase 1, which I did. This did resolve some problems, but not all of them.
Thanks in advance for any advice!
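An added check, not part of the original post: a small Python probe that sends the same SIP OPTIONS request the PBX's qualify mechanism uses, run from a host at the remote building toward the PBX across the tunnel. Any SIP response (even a 4xx) shows the signalling path through the VPN is open after a reboot, while a timeout points at the tunnel or the IPsec firewall rule rather than the phones. The PBX address and the local host address are assumed placeholders.

```python
import socket
import uuid

# Constructed placeholder addresses; replace with your PBX and probe host.
PBX_HOST = "192.168.1.10"   # assumed PBX address inside the main-building LAN
LOCAL_IP = "192.168.20.50"  # assumed address of the probing host at the remote site


def build_options_request(pbx_host, local_ip, local_port=5060, call_id=None):
    """Build a minimal SIP OPTIONS request (RFC 3261), the same probe a
    PBX 'qualify' uses to decide whether a phone or trunk is reachable."""
    call_id = call_id or uuid.uuid4().hex
    branch = "z9hG4bK" + uuid.uuid4().hex[:16]   # magic cookie required by RFC 3261
    lines = [
        f"OPTIONS sip:{pbx_host} SIP/2.0",
        f"Via: SIP/2.0/UDP {local_ip}:{local_port};branch={branch};rport",
        "Max-Forwards: 70",
        f"From: <sip:probe@{local_ip}>;tag={uuid.uuid4().hex[:8]}",
        f"To: <sip:{pbx_host}>",
        f"Call-ID: {call_id}@{local_ip}",
        "CSeq: 1 OPTIONS",
        "Content-Length: 0",
    ]
    return "\r\n".join(lines) + "\r\n\r\n"


def parse_status(response: bytes):
    """Return (status_code, reason) from a SIP status line, or None when the
    datagram is not a SIP response (e.g. a request or unrelated traffic)."""
    first = response.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = first.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("SIP/2.0") or not parts[1].isdigit():
        return None
    return int(parts[1]), (parts[2] if len(parts) == 3 else "")


def probe(pbx_host, local_ip, timeout=2.0):
    """Send one OPTIONS over UDP/5060 and return the parsed status, or None
    on timeout. A timeout after a firewall reboot means the packet never made
    it across the tunnel and back, which is the symptom the phones report."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_options_request(pbx_host, local_ip).encode(), (pbx_host, 5060))
        data, _ = sock.recvfrom(4096)
    except socket.timeout:
        return None
    finally:
        sock.close()
    return parse_status(data)


if __name__ == "__main__":
    print(probe(PBX_HOST, LOCAL_IP))
```

Run it once before and once after the monthly reboot; a response before and a timeout after isolates the problem to the tunnel or firewall state rather than to the handsets.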