Netgate Discussion Forum

    PfSense - IOS 6 (AT&T LTE) - Asterisk –

      Phonebuff

      Good Evening,

      I am working on assisting a user with getting the 3CXPhone on a new iPhone5 (IOS 6) to connect to Asterisk 1.8.n

      The iPhone is linking to the pfSense 2.0.1 box via a Mobile IPSec definition. So it's something like this –

      iPhone5 (IOS 6 /Cisco VPN) ---  AT&T LTE ----  Comcast Business  ----  pfSense 2.0.1 ---  Asterisk

      10.37.165.n / 172.21.11.1/30    -- IPV6  ----    IPV4 (Static)  -------    IPSec  --------  2198 Nat=no / qualify=3500
                (166.147.114.n)

      The link comes up and from the iPhone we can ping the Asterisk box, and access other applications.

      But the 3cxPhone attempts to register with the iPhone's 10 dot address, not the IPSec assigned 172.21.11.1.

      From asterisk when I run MTR to 172.21.11.1 but not the 10 dot address it just goes out a default WAN route.

      Anyone with any ideas here ???

      ====================================

      SAD -- looks good as does SPD with the assigned 172.21.11.1

      Phase 1 ---
                Interface - Comcast
                Authentication Method - Mutual PSK + Xauth
                Negotiation Mode - Aggressive
                My Identifier - My IP address
                Peer Identifier -  xxxxxx.dynalias.com
                PreShared Key -  xxxxxxxxxxxxxxxxxx
                Policy Generation - Unique
                Proposal Checking - Strict
                Encryption Algorithm - AES / 128
                Hash Algorithm - SHA1
                DH Key Group - 2
                Lifetime - 8600
                Nat-T - Enable
                Enable DPD - Checked
                10 Seconds / 5 Retries
          Phase 2 ---
                Mode - Tunnel
                Local Network - Lan Subnet (172.21.10.0/24)
                Encryption Algorithm - AES 128
                Hash Algorithm - SHA1
                PFS Key Group - 2
                Lifetime  - 3600
                Automatically ping Host - 172.21.11.1
          Mobile Client ---
                User & Group Authentication Source  System
                Virtual Address Pool - Check Provide a Virtual Address Pool
                Network 172.21.11.0 / 24  ( Potential for Tethered Devices is why I changed this from 30 )
                Network List - Checked
                Save Xauth Password - Checked
                DNS Default Domain - Blank
                DNS Servers - Checked -
                          - Internal DNS 172.21.10.5
                          - Google - 8.8.8.8
                WINS Servers - Blank
                Phase 2 PFS Group - Checked Group 2
          Users -
                Name - xxxxxxxxxx
                Password - xxxxxxxxxxx
                Group Membership - IPSECUSERS -
                Effective Privileges - IPSecUsers - USER - VPN - IPSec xauth Dialin
          Group -
                Name - IPSECUsers
                Assigned Privileges - User - VPN - IPsec xauth Dialin

      =================================================================================

        bman212121

        In 3CX there should be an option for "In Office" and "Out of Office". You might need to switch that in order to make the phone use the external IP.

          Phonebuff

          @bman212121:

          In 3CX there should be an option for "In Office" and "Out of Office". You might need to switch that in order to make the phone use the external IP.

          Thank you for the response.

          But it appears the feature you are referencing is designed to allow a user to specify how to attach to the IPBX and does not appear to have the ability to allow you to select the source address for the phone, only the target data, STUN server info for the IPBX / Proxy.

            Phonebuff

            Answer was twofold –

            First dump 3cxPhone to Useragent: Acrobits Softphone/5.2

            Then validate routing for the Route end of the Mobile IPSec, which included moving it to a 172.23.0.0 subnet due to a conflict.

            ======================

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.