Voice over WiFi (VoWIFI) using UDP/IKE to specific destinations

First post here, so forgive any missteps.

We have a challenge that is going around in circles the last week.

In Australia the Telcos are now doing VoWIFI, which is basically an IKE tunnel to their servers to allow VoWIFI.

We are more than happy to allow this traffic on our Guest Wireless networks.

Unfortunately, Anon/PrivateVPN services also use UDP/500 to do their business which we block by policy.

I can create a specific rule and match those destinations, which will work for a while; however, the providers will change their server addresses, so I will be playing 'Chase The Server' for the next 12 months.

My question: is it worth trying to get this recognized as a new Application? Do the packet capture and see if there are any SIP identifiers inside, etc.?

What is the best way to go about this - hoping it might result in a benefit to others not just us?

Accepted Solution

Admin

We might be able to better identify the traffic with some packet captures.

We probably need 2-3 captures per client and a few different clients.

This will help us fingerprint this traffic better and hopefully be able to distinguish between it and other IKE traffic.

Please open a TAC case: Contact Support | Check Point Software 

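As an added example (not code from this thread or from Check Point), here is what a capture-based classifier on UDP/500 can and cannot see: the IKE header is cleartext, so it yields the IKE version, exchange type and SPIs, but it does not say whether the peer is a carrier VoWiFi endpoint or a commercial VPN, which is why a destination allow-list like the rule described above is still the deciding check. The carrier address range and the sample datagram below are constructed placeholders.

```python
import struct
from ipaddress import ip_address, ip_network

# Fixed IKE header shared by IKEv1 (ISAKMP, RFC 2408) and IKEv2 (RFC 7296): 28 bytes, big-endian.
# Payloads after it are encrypted from IKE_AUTH onwards, so this header is all a UDP/500
# capture exposes without keys.
IKE_HDR = struct.Struct("!8s8sBBBBII")  # iSPI, rSPI, next payload, version, exchange, flags, msg id, length
EXCHANGE_NAMES = {
    2: "IKEv1 main mode", 4: "IKEv1 aggressive mode", 5: "IKEv1 informational",
    32: "IKEv1 quick mode", 34: "IKEv2 IKE_SA_INIT", 35: "IKEv2 IKE_AUTH",
    36: "IKEv2 CREATE_CHILD_SA", 37: "IKEv2 INFORMATIONAL",
}
IKEV2_FLAG_RESPONSE = 0x20

# Assumed carrier IKE endpoint range (constructed placeholder; a real rule would hold the
# telco's published gateway addresses, which is exactly the list that drifts over time).
ALLOWED_CARRIER_PEERS = [ip_network("203.0.113.0/24")]


def parse_ike_header(datagram: bytes) -> dict:
    """Decode the cleartext IKE header of one UDP/500 datagram; raise if it is not IKE."""
    if len(datagram) < IKE_HDR.size:
        raise ValueError("datagram shorter than an IKE header")
    ispi, _rspi, _next, version, exch, flags, msg_id, length = IKE_HDR.unpack_from(datagram)
    major = version >> 4
    if major not in (1, 2) or exch not in EXCHANGE_NAMES or length < IKE_HDR.size:
        raise ValueError("not a recognisable IKE header")
    return {
        "version": major,
        "exchange": EXCHANGE_NAMES[exch],
        "initiator_spi": ispi.hex(),
        "is_response": bool(flags & IKEV2_FLAG_RESPONSE) if major == 2 else None,
        "message_id": msg_id,
    }


def classify(dst_ip: str, datagram: bytes) -> str:
    """Policy check: IKE to an allow-listed carrier peer passes, any other IKE peer is dropped.
    The header proves it is IKE and which exchange, but not whether the peer is a carrier or a
    VPN service; only the destination allow-list makes that distinction."""
    hdr = parse_ike_header(datagram)
    peer_ok = any(ip_address(dst_ip) in net for net in ALLOWED_CARRIER_PEERS)
    verdict = "allow" if peer_ok else "drop"
    return f"{verdict}: {hdr['exchange']} (iSPI {hdr['initiator_spi']}) to {dst_ip}"


def build_ikev2_sa_init(initiator_spi: bytes) -> bytes:
    """Constructed sample: header of an IKE_SA_INIT request (next payload 33 = SA, version 2.0,
    exchange 34, Initiator flag 0x08, message id 0). Body omitted; only the header is parsed."""
    return IKE_HDR.pack(initiator_spi, bytes(8), 33, 0x20, 34, 0x08, 0, IKE_HDR.size)
```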
3 Replies
Admin

First, this might be better in https://community.checkpoint.com/community/infinity-general?sr=search&searchId=614a3d78-07ff-4903-8b...

Second, if you happen to know what SIP endpoint they are connecting to by DNS name, perhaps you can use a Dynamic and/or a Domain Object to allow SIP traffic to only those specific hostnames (depending on your gateway release).

I'll check with R&D and see if there are better options than this.


Thanks Dameon,

The DNS name is a long server-specific name which would probably change as well; not sure how the device seeks the other tunnel endpoint.

The FW (80.10 release) detects the traffic as UDP/IKE, not SIP - only after you inspect the traffic do you see any SIP headers. It is a tricky issue...
