Fortinet/Cisco IPSec VPN – Asterisk Peer Unreachable
Recently, i had to troubleshoot an Asterisk to Asterisk trunk which was running across a site to site IPSec VPN. (Fortinet to Cisco)
After running tcpdump “port 5060 and proto UDP” on either end, I discovered traffic from the Cisco end was not reaching the PBX behind the Fortinet. Packet capture on the Fortinet showed traffic being matched, and classified as SIP.
We had done the usual commands to stop the Fortigate from acting as a SIP ALG, but nothing was working. After a bit of tinkering, i found that the following command fixed our problem. (Basically fooled the Fortigate into thinking SIP traffic, was not SIP)
config system settings set sip-udp-port 5067
Rohit
Following are the parameters to be set and steps to be followed on Fortigate to disable SIP ALG and any sip interference from the default voip profile. Ignore this if you’d already tried this and changing the default port was the only option that worked. I’ve noticed that steps #1 to #3 are well known, but #4 and #5 tend to be missed.
1) Enable following:
– voip profile
– set default-voip-alg-mode = kernel-helper-based
2) Disable following (reconfirm on CLI console)
– sip-helper = disable
– sip-nat-trace = disable
3) Set following parameters in voip profile (in your case, to 5067 for sip-udp-port)
– sip-tcp-port = 5060
– sip-udp-port = 5060
– sip-ssl-port = 5061
4)
config system session-helper
delete 13
end
5)
config voip profile
edit default
config sip
set status disable
set rtp disable
end
end