Full or partial site to site tunnel with non Meraki VPN

SOLVED
BLME
Here to help

Hi,

 

I have been trying to tackle this problem for a few months now. Could someone have a look and suggest a possible resolution?

We use a hosted (Fortinet) main firewall in the UK and a pair of MX80s in a small Dubai office. We have a site-to-site VPN configured and operational between the sites. I can connect from the LAN in Dubai to the LAN in London and the other way around.

My problem: SIP traffic is blocked by the local ISP in Dubai, so a connection to our PBX is not possible. The only alternative is to route all the SIP traffic (or traffic to the PBX IP) through the VPN. My multiple attempts to route it failed. Do you have any ideas, please please please?

This is the idea: IP phone (Dubai) > MX80 (Dubai) > site-to-site VPN > Fortinet (UK) > Internet > PBX

 

Many thanks.

1 ACCEPTED SOLUTION
kevinl
Getting noticed

Ooh wow, not cool.

The only thing I can think of at the moment is to try and send all traffic over the VPN to see if it works. Documentation says that if you add a 0.0.0.0/0 route to the 'private subnets' it will accomplish this feat. Perhaps you can try that to see whether the phone can reach the outside world, and then undo it after you've finished testing?

Also yes, you can try adding the PBX to the Fortigate's routing as you mentioned - the Fortigate must be able to reach both the PBX and your Dubai subnet (which you've mentioned it can).

AStoddard
Getting noticed

Unfortunately I do not have a solution to share for this, but I have the same issue (or at least will, we only sent one phone to test to our Dubai office).

Hopefully someone has a solution, which I can then steal when I'm ready!


@AStoddard wrote:

Hi, thanks. Non-dedicated VLAN for now, as I wanted to make sure it's working on the data VLAN first.

jdsilva
Kind of a big deal

Do you have your phone on a dedicated VLAN? Is that VLAN specified in the "Private subnets" field of the non-meraki VPN peers config?

PhilipDAth
Kind of a big deal

Just make sure the voice VLAN is included in the VLAN and it should work fine.

kevinl
Getting noticed

What you've proposed definitely sounds possible, but us IT folk know that little details sometimes trip us up 🙂 Do you mind if we start with the essentials? I suspect a routing issue.

From the IP phone's port
- are you able to ping/traceroute the Fortigate in the UK?
- are you able to ping/traceroute the PBX?

The Fortigate needs to have routes back to your IP phone. The other community members have emphasized the importance of ensuring the phone's VLAN subnet is incorporated into the routing on the Meraki side as well.

The traceroute should show your traffic being routed over the site to site VPN, instead of going out through the direct Internet egress (I assume you have split tunnel where local Internet access goes out through Dubai).

Lastly, a packet capture from the Dashboard, capturing SIP traffic on the MX, may help aid in troubleshooting. Apply a Wireshark filter to capture just the phone's traffic and you'll be able to see where the SIP session is failing to establish.

PS: Final solution: lobby Meraki really hard to quickly release a new-generation MC phone that works worldwide. 😄 😄 😄 


@kevinl wrote:

Hi, many thanks for your reply.

I am able to traceroute to the UK from Dubai, but only to the private network, not public; any public traffic goes over the local ISP, so it is a split-tunnel VPN.

The phone is currently on the data VLAN for proof-of-concept purposes; once it's working I'll move it off the data VLAN.

If I add the public IP of the PBX to the "Non-Meraki VPN peers" private subnets, it looks like routing to the PBX from Dubai changes, but it stops on the Meraki. Do I need to add the PBX public IP to the Fortigate side of the VPN as well to allow routing through the VPN (I am going to try this)?

kevinl
Getting noticed

That looks reasonable, although I think you might be able to leave the PBX network out of the Private Subnets since 88.2 IP addresses would be public ones. 

You mention "I am able to to trace root to UK from Dubai but only to Private network not public, any public traffic goes over local ISP, so it is split tunnel VPN. "

This might be the source of the issue - the phone is attempting to reach a public IP address SIP server, but the local MX in Dubai thinks it is on the Internet and thus routes it out of the WAN directly instead of over the IPSec tunnel. Dubai then blocks the SIP server, so you run into this issue. 

I believe you might need to add a static route to the Dubai Meraki to say "All traffic destined for the PBX should go through the Fortigate" - I assume 88.2.0.0/16 is your PBX. The Fortigate already seems to know how to reach the world, and can reach the MX (as shown by your traceroute) so I doubt it needs any additional config.

For the Meraki it would be in Security Appliance > Addressing and VLANs, there is an option to add a static route. Remove 88.2 from the private subnets before you try this. 
Try it and let us know how you go 🙂

No go. I cannot add the Fortigate IP as next hop 😞


0.0.0.0/0 on both sides worked!!! Yeey! Strangely, only if it is first on the list for Phase 2.

 

Many thanks for your help!

kevinl
Getting noticed

Oh wow, I did not expect that! Sometimes things don't work out the way we expect, but I am super glad it worked out 🙂

0.0.0.0/0 will send all the traffic (including non VoIP) to the UK, so all traffic coming out of Dubai will be routed through the VPN. A quick "what is my IP" on Google will help you check this.

But at least we now know that it works, so that is fantastic, and if you need to fine tune it to transport just voice traffic, you'd be able to adjust the route to be as specific or as broad as necessary.
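A small model of the routing decision kevinl describes above (why the PBX's public address leaves via the Dubai WAN under a split tunnel, why adding the PBX range to the remote subnets moves it into the tunnel, and why 0.0.0.0/0 drags all non-local traffic to the UK). This is an added illustration, not code from the thread or from Meraki; the addresses are constructed stand-ins and the longest-prefix rule is an assumption about how the selectors are evaluated.

```python
import ipaddress
from typing import Iterable

# Constructed stand-ins for the thread's networks (not the poster's real addresses):
DUBAI_LANS = ["10.20.0.0/24"]          # data VLAN the phone sits on in Dubai
UK_LAN = "10.10.0.0/24"                # LAN behind the Fortigate in the UK
PBX_PUBLIC = "203.0.113.25"            # hosted PBX's public address (TEST-NET-3)
INTERNET_HOST = "198.51.100.9"         # some unrelated public site (TEST-NET-2)

SPLIT_TUNNEL = [UK_LAN]                        # what the poster started with
SPLIT_PLUS_PBX = [UK_LAN, "203.0.113.0/24"]    # PBX range added to 'private subnets'
FULL_TUNNEL = ["0.0.0.0/0"]                    # the configuration that finally worked


def next_hop(dst: str, vpn_subnets: Iterable[str], local_lans: Iterable[str]) -> str:
    """Classify a destination as 'local', 'vpn' or 'wan'.

    Assumed model (simplified, not Meraki's code): a destination inside a
    Dubai VLAN stays local; one inside any remote 'private subnet' of the
    non-Meraki peer is encrypted into the IPsec tunnel; anything else is plain
    Internet traffic and leaves through the Dubai ISP, which is where SIP gets
    blocked. The most specific matching prefix wins, so a local /24 still
    stays local even when 0.0.0.0/0 is pushed into the tunnel.
    """
    ip = ipaddress.ip_address(dst)
    best_label, best_len = "wan", -1
    for label, nets in (("local", local_lans), ("vpn", vpn_subnets)):
        for cidr in nets:
            net = ipaddress.ip_network(cidr, strict=False)
            if ip in net and net.prefixlen > best_len:
                best_label, best_len = label, net.prefixlen
    return best_label


def egress_table(vpn_subnets: Iterable[str]) -> dict:
    """Where each sample destination leaves the Dubai MX for a given selector list."""
    targets = {"uk_lan_host": "10.10.0.7", "pbx": PBX_PUBLIC,
               "internet": INTERNET_HOST, "dubai_lan_host": "10.20.0.7"}
    return {name: next_hop(ip, vpn_subnets, DUBAI_LANS) for name, ip in targets.items()}


if __name__ == "__main__":
    for name, subnets in (("split", SPLIT_TUNNEL), ("split+pbx", SPLIT_PLUS_PBX),
                          ("full", FULL_TUNNEL)):
        print(f"{name:10} {egress_table(subnets)}")
```

The "full" row is the state kevinl warns about: every non-local destination, not just the PBX, shows up as "vpn", which is why a "what is my IP" check from Dubai returns the UK egress address.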

Iman-Haghgoo
New here

This post is a bit old and ticked as solved, but I think if you make a VIP on your Fortigate in the UK with a local IP mapping to the PBX IP, that will work. All you need to do after that is to set the PBX address on your phone as the UK IP you set for your VIP.
