OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • English Forums »
  • Virtual private networks »
  • IPSec VPN + SIP Phones Advice
« previous next »
  • Print
Pages: [1]

Author Topic: IPSec VPN + SIP Phones Advice  (Read 1040 times)

anomaly0617

  • Jr. Member
  • **
  • Posts: 50
  • Karma: 0
    • View Profile
IPSec VPN + SIP Phones Advice
« on: November 07, 2022, 06:14:35 pm »
Hi all,

I'm looking for some advice. I've got two locations, a main location and a remote one, connected via an IPSec VPN tunnel. The remote location has about 6 SIP phone handsets, which should be communicating back to the PBX at the main location over the VPN tunnel. It also happens to be where the calls come into for customer support, so the phones NOT working is really noticeable.

Once a month on the 1st Sunday, I reboot both OPNSense firewalls, do firmware updates, etc. The following Monday (today in this case), some of the phones come up in the SIP Status interface of the phone server as being "unavailable." This appears to be due to SIP QUALIFY and SIP OPTIONS traffic not flowing between the two locations appropriately. So I've been chasing this for about 4 months now and I'm banging my head against a wall. I'm wondering if you all would look at my IPSec VPN configuration and see if you see something I'm doing incorrectly...

Phase 1
SettingLocalRemote
Phase11
DisabledUncheckedUnchecked
Connection MethodStart ImmediateStart Immediate
Key Exchange VersionV2V2
Internet ProtocolIPv4IPv4
InterfaceWANWAN
Remote gateway(Remote Bldg IP)(Main Bldg IP)
Dynamic GatewayUncheckedUnchecked
DescriptionRemote BldgMain Bldg
Phase 1 Auth MethodMutual PSKMutual PSK
My identifierMy IP AddressMy IP Address
Peer identifierPeer IP AddressPeer IP Address
Pre-Shared Key(The Key - They Match)(The Key - They Match)
Encryption AlgorithmAES-256AES-256
Hash AlgoritmSHA1SHA1
DH Key Group5 (1536 bits)5 (1536 bits)
Lifetime8640086400
Install PolicyCheckedChecked
Disable RekeyUncheckedUnchecked
Disable ReauthUncheckedUnchecked
Tunnel IsolationUncheckedUnchecked
SHA256 96 Bit TruncationUncheckedUnchecked
NAT TraversalEnableEnable
Disable MOBIKEUncheckedUnchecked
Close ActionNoneNone
Dead Peer DetectionUncheckedUnchecked
Inactivity Timeout(Blank)(Blank)
Keyingtries(Blank)(Blank)
Margintime300300
Rekeyfuzz5050

Phase 2
DisabledUncheckedUnchecked
ModeTunnel IPv4Tunnel IPv4
DescriptionLocal to RemoteRemote to Local
Local LAN TypeLAN SubnetLAN Subnet
Local LAN Address(Blank)(Blank)
Remote LAN TypeNetworkNetwork
Remote LAN Address192.168.20.0/24192.168.1.0/24
ProtocolESPESP
Encryption AlgorithmAES256AES256
Hash AlgorithmsSHA1SHA1
PFS key groupoffoff
Lifetime36003600
Automatically ping host192.168.20.1192.168.1.1
Manual SPD entries(Blank)(Blank)

Under Firewall >> Rules >> IPSec on both firewalls I have an Allow IPv4 Any-Any-Any rule with a description of "Allow IPSec Traffic."

Under Firewall >> Settings >> Advanced I have the Firewall Optimization set to Conservative

Can anyone see something I'm doing wrong here? In talking with the PBX vendor, they advised that I needed to turn off DPD on my Phase 1, which I did. This did resolve some problems, but not all of them.

Thanks in advance for any advice!
Logged
  • Print
Pages: [1]
« previous next »
  • OPNsense Forum »
  • English Forums »
  • Virtual private networks »
  • IPSec VPN + SIP Phones Advice
 

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved
  • SMF 2.0.19 | SMF © 2021, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2