PfSense - iOS 6 (AT&T LTE) - Asterisk



  • Good Evening,

    I am working on assisting a user with getting the 3CXPhone on a new iPhone 5 (iOS 6) to connect to Asterisk 1.8.n.

    The iPhone is linking to the pfSense 2.0.1 box via a Mobile IPSec definition.  So it's something like this –

    iPhone5 (IOS 6 /Cisco VPN) ---  AT&T LTE ----  Comcast Business  ----  pfSense 2.0.1 ---  Asterisk

    10.37.165.n / 172.21.11.1/30    -- IPV6  ----    IPV4 (Static) -------    IPSec  --------  2198 Nat=no / qualify=3500
              (166.147.114.n)

    The link comes up and from the iPhone we can ping the Asterisk box, and access other applications.

    But the 3CXPhone attempts to register with the iPhone's 10 dot address, not the IPSec-assigned 172.21.11.1.

    From Asterisk, when I run MTR to 172.21.11.1 but not the 10 dot address, it just goes out a default WAN route.

    Anyone with any ideas here ???

    ====================================

    SAD -- looks good as does SPD with the assigned 172.21.11.1

    Phase 1 ---
              Interface - Comcast
              Authentication Method - Mutual PSK + Xauth
              Negotiation Mode - Aggressive
              My Identifier - My IP address
              Peer Identifier -  xxxxxx.dynalias.com
              PreShared Key -  xxxxxxxxxxxxxxxxxx
              Policy Generation - Unique
              Proposal Checking - Strict
              Encryption Algorithm - AES / 128
              Hash Algorithm - SHA1
              DH Key Group - 2
              Lifetime - 8600
              Nat-T - Enable
              Enable DPD - Checked
              10 Seconds / 5 Retries
    Phase 2 ---
              Mode - Tunnel
              Local Network - Lan Subnet (172.21.10.0/24)
              Encryption Algorithm - AES 128
              Hash Algorithm - SHA1
              PFS Key Group - 2
              Lifetime  - 3600
              Automatically ping Host - 172.21.11.1
    Mobile Client ---
              User & Group Authentication Source - System
              Virtual Address Pool - Check Provide a Virtual Address Pool
              Network 172.21.11.0 / 24  ( Potential for Tethered Devices is why I changed this from 30 )
              Network List - Checked
              Save Xauth Password - Checked
              DNS Default Domain - Blank
              DNS Servers - Checked -
                        - Internal DNS 172.21.10.5
                        - Google - 8.8.8.8
              WINS Servers - Blank
              Phase 2 PFS Group - Checked Group 2
    Users -
              Name - xxxxxxxxxx
              Password - xxxxxxxxxxx
              Group Membership - IPSECUSERS -
              Effective Privileges - IPSecUsers - USER - VPN - IPSec xauth Dialin
    Group -
              Name - IPSECUsers
              Assigned Privileges - User - VPN - IPsec xauth Dialin

    =================================================================================



  • In 3CX there should be an option for "In Office" and "Out of Office". You might need to switch that in order to make the phone use the external IP.



  • @bman212121:

    In 3CX there should be an option for "In Office" and "Out of Office". You might need to switch that in order to make the phone use the external IP.

    Thank you for the response.

    But it appears the feature you are referencing is designed to allow a user to specify how to attach to the IPBX and does not appear to have the ability to allow you to select the source address for the phone, only the target data, STUN server info for the IPBX / Proxy.



  • Answer was twofold –

    First dump 3cxPhone to  Useragent    : Acrobits Softphone/5.2

    Then validate routing for the Route end of the Mobile IPSec, which included moving it to a 172.23.0.0 subnet due to a conflict.

    ======================
