PfSense - IOS 6 (AT&T LTE) - Asterisk –

Phonebuff

Good Evening,

I am working on assisting a user with getting the 3CXPhone on a new iPhone5 (IOS 6) to connect to Asterisk 1.8.n

The iPhone is linking to the pfSense 2.0.1 box via a Mobile IPSec definition.  So It's something like this –

iPhone5 (IOS 6 /Cisco VPN) ---  AT&T LTE ----  Comcast Business  ----  pfSense 2.0.1 ---  Asterisk

10.37.165.n / 172.21.11.1/30    -- IPV6  ----    IPV4 (Satic)  -------    IPSec  --------  2198 Nat=no / qualify=3500
          (166.147.114.n)

The link comes up and from the iPhone we can ping the Asterisk box, and access other applications.

But the 3cxPhone attempts to register with the iPhones 10 dot address not the IPSec assigned 172.21.11.1.

From asterisk when I run MTR to 172.21.11.1 but not the 10 dot address ir just goes out a default WAN route.

Anyone with any ideas here ???

====================================

SAD -- looks good as does SPD with the assigned 172.21.11.1

Phase 1 ---
          Interface - Comcast
          Authentication Method - Mutual PSK + Xauth
          Negotiation Mode - Aggressive
          My Identifier - My IP address
          Peer Identifier -  xxxxxx.dynalias.com
          PreShared Key -  xxxxxxxxxxxxxxxxxx
          Policy Generation - Unquie
          Proposal Checking - Strict
          Encryption Algorithm - AES / 128
          Hash Algorithm - SHA1
          DH Key Group - 2
          Lifetime - 8600
          Nat-T - Enable
          Enable DPD - Checked
          10 Seconds / 5 Retries
    Phase 2 ---
          Mode - Tunnel
          Local Network - Lan Subnet (172.21.10.0/24)
          Encryption Algorithm - AES 128
          Hash Algorithm - SHA1
          PFS Key Group - 2
          Lifetime  - 3600
          Automatically ping Host - 172.21.11.1
    Mobile Client ---
          User & Group Authentication Source  System
          Virtual Address Pool - Check Provide a Virtual Address Pool
          Network 172.21.11.0 / 24  ( Potential for Tethered Devices is why I changed this from 30 )
          Network List - Checked
          Save Xauth Password - Checked
          DNS Default Domain - Blank
          DNS Servers - Checked -
                    - Internal DNS 172.21.10.5
                    - Goggle - 8.8.8.8
          WINS Servers - Blank
          Phase 2 PFS Group - Checked Group 2
    Users -
          Name - xxxxxxxxxx
          Password - xxxxxxxxxxx
          Group Membership - IPSECUSERS -
          Effective Privileges - IPSecUsers - USER - VPN - IPSec xauth Dialin
    Group -
          Name - IPSECUsers
          Assigned Privileges - User - VPN - IPsec xauth Dialin

=================================================================================

bman212121

In 3CX there should be an option for "In Office" and "Out of Office". You might need to switch that in order to make the phone use the external IP.

Phonebuff

@bman212121:

In 3CX there should be an option for "In Office" and "Out of Office". You might need to switch that in order to make the phone use the external IP.

Thank you for the response.

But it appears the feature you are referencing is designed to allow a user to specify how to attach to the IPBX and does not appear to have the ability to allow you to select the source address for the phone, only the target data, STUN server info for the IPBX / Proxy.

Phonebuff

Answer was two fold –

First dump 3cxPhone to  Useragent    : Acrobits Softphone/5.2

Then validate routing for the Route end of the Mobile IPSec which included moving it to a 172.23.0.0 sub net due to a conflict..

======================