Fortinet/Cisco IPSec VPN – Asterisk Peer Unreachable

Recently, i had to troubleshoot an Asterisk to Asterisk trunk which was running across a site to site IPSec VPN. (Fortinet to Cisco)
After running tcpdump “port 5060 and proto UDP” on either end, I discovered traffic from the Cisco end was not reaching the PBX behind the Fortinet. Packet capture on the Fortinet showed traffic being matched, and classified as SIP.
We had done the usual commands to stop the Fortigate from acting as a SIP ALG, but nothing was working. After a bit of tinkering, i found that the following command fixed our problem. (Basically fooled the Fortigate into thinking SIP traffic, was not SIP)

config system settings
 set sip-udp-port 5067

One thought on “Fortinet/Cisco IPSec VPN – Asterisk Peer Unreachable

  • Rohit
    16 September 2020 at 8:46 pm

    Following are the parameters to be set and steps to be followed on Fortigate to disable SIP ALG and any sip interference from the default voip profile. Ignore this if you’d already tried this and changing the default port was the only option that worked. I’ve noticed that steps #1 to #3 are well known, but #4 and #5 tend to be missed.
    1) Enable following:
    – voip profile
    – set default-voip-alg-mode = kernel-helper-based
    2) Disable following (reconfirm on CLI console)
    – sip-helper = disable
    – sip-nat-trace = disable
    3) Set following parameters in voip profile (in your case, to 5067 for sip-udp-port)
    – sip-tcp-port = 5060
    – sip-udp-port = 5060
    – sip-ssl-port = 5061
    config system session-helper
    delete 13
    config voip profile
    edit default
    config sip
    set status disable
    set rtp disable

Leave a Reply

Your email address will not be published. Required fields are marked *.

You may use these <abbr title="HyperText Markup Language">HTML</abbr> tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>