Chris_W23
Participant

VOIP over site to site VPN not working

Good day,

I am trying to implement VOIP over H323 at a branch office that is connected to my main office via a site to site VPN. The branch office is an 1100 series appliance (77.20.30) while the main office is an open server running Gaia 77.30.

The site to site VPN seems to work fine, but the VOIP phone is not connecting properly to the server in the main office and the phone cannot make or take calls. My tracker logs show H323_RAS_ONLY traffic being encrypted and decrypted between the gateways with no errors. I did read in the Check Point VOIP documentation that you cannot make calls with H323_RAS_ONLY, which seems to match the problem I am having.

The VPN is in simplified mode and has the "accept all encrypted traffic" option set. 

I am wondering how I can get the gateway to treat the H323 traffic as H323 or H323_RAS? I assume it's because the H323_RAS_ONLY is used due to the "match any" option on that service, and the accept all traffic option treats everything as an ANY rule?

Is there a way around this? Do I have to take off the accept all encrypted traffic option and create individual rules in the rulebase?

0 Kudos
4 Replies
PhoneBoy
Admin

You should be able to uncheck the "Match Any" for H323_RAS_ONLY service.

0 Kudos
Chris_W23
Participant

Hi Dameon,

I unchecked the "Match Any" as you suggested, and I am still having issues. The logs are showing it as H323_RAS now at least.

I noticed this morning when doing an "fw ctl zdebug drop" that H323 (TCP 1720) packets are being dropped outbound at the remote site, with the error "dropped by vpn_encrypt_chain reason: no reason".

Do you have any ideas why that could be? It's kind of a vague error message.

Thanks!

0 Kudos
PhoneBoy
Admin

This may require troubleshooting by the TAC...

Contact Support | Check Point Software 

0 Kudos
Hugo_vd_Kooij
Advisor

Getting VOIP to work requires a good schematic of the VOIP traffic and the exact details about which version is in use. Whether or not Check Point can handle your H323 traffic correctly is version and implementation dependent.

VOIP is definitely a reason to make sure you have the latest HFA on the units. R77.20.30 is not the latest version; I think there are some VOIP related fixes in higher versions. I think we are about R77.20.61 at the moment. And I strongly recommend updating everything before you proceed with further troubleshooting.

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
0 Kudos
