Dismiss Notice
We would like to remind you that we’re updating our login process for all 3CX forums whereby you will be able to login with the same credentials you use for the Partner or Customer Portal. Click here to read more.

Solved 3CX Site-To-Site VPN (IPSec)

Discussion in '3CX Phone System - General' started by Network Emad, Nov 30, 2017.

Thread Status:
Not open for further replies.
  1. Network Emad

    Joined:
    Oct 27, 2017
    Messages:
    33
    Likes Received:
    3
    Hello

    are there any steps to active the communication between the Remote IP Phones with 3CX in My Head Office?

    for more information all ports in both sites are configured and in my first site the IP Phones working properly without any issues. just i'm trying since yesterday to find any post explaining how to configure the 3CX Through VPN.
     
  2. sip.bg

    sip.bg Active Member

    Joined:
    Nov 7, 2016
    Messages:
    704
    Likes Received:
    220
    Configuration of VPN is a transparent and independent job from 3CX. For 3CX endpoints behind VPN belong to local network.
    You need either Layer 2 connectivity (more difficult to achieve) or Layer 3 routing without NAT between sites or MPLS.

    Creating VPN is a network task depending on your networking equipment (routers, switches) and eventually on your internet providers. I'm using for example mostly MikroTik routers, which makes the networking task very easy and cost effective, including IPsec tunneling and more.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #2 sip.bg, Nov 30, 2017
    Last edited: Nov 30, 2017
    Edi Kojsi likes this.
  3. Saqqara

    Saqqara Well-Known Member

    Joined:
    Mar 12, 2014
    Messages:
    1,255
    Likes Received:
    203
    Is the VPN up and running ? If so can you ping the IP address of the server and the FQDN of the server front the remote site ?

    For the remote phones, if supported you would setup DHCP 66 on the dhcp server on the remote site - https://www.3cx.com/sip-phones/dhcp-option-66. This way remote phones would appear in the 3CX console and then setup as local lan devices

    If you can not setup dhcp option, then you need to setup the phone within 3CX (setup as local lan) and copy the provisioning url into the phone

    What phones are you using ? - Info on setting up phones here https://www.3cx.com/support/
     
    #3 Saqqara, Nov 30, 2017
    Last edited: Nov 30, 2017
    Network Emad likes this.
  4. Network Emad

    Joined:
    Oct 27, 2017
    Messages:
    33
    Likes Received:
    3
    the VPN Up And running properly now the call its done just for one way. what I mean that when i make test call to remote extension the sound come with one way just what i mean that i can hear them but they can't hear my voice. for more information the firewall test it's ok and vpn site to site IP(Sec )link its up between two sites.

    i configured the SIP on Fanvil C600 it's working perfectly and i can make call to any one but with Fanvil X3S its working just with one way sound.


    thanks
     
  5. sip.bg

    sip.bg Active Member

    Joined:
    Nov 7, 2016
    Messages:
    704
    Likes Received:
    220
    Having one-way sound in VPN normally means that traffic is NAT-ted between the PBX site and remote (phone) site -- this should be avoided in router configuration.

    You can trace it with Wireshark or tcpdump (on Linux) or sngrep (if installed on linux). You should see only local IP addresses (from both sites involved, both for SIP and RTP traffic), if properly configured. The phones should register to local address of the PBX, as it was in the same LAN segment as the PBX.

    Try also forcing 'PBX delivers audio' for the extension, but if you NAT the traffic in one or both of your routers, you will continue experiencing the problem.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #5 sip.bg, Dec 3, 2017
    Last edited: Dec 3, 2017
    accentlogic and Network Emad like this.
  6. Network Emad

    Joined:
    Oct 27, 2017
    Messages:
    33
    Likes Received:
    3
    N
    do you mean
    hello mr. sip.bg
    now i can make call properly just with this model of Fanvil C600 and C400 but if i make call to this Model of Fanvil X3S i'll be able to hear their sound but they not able to hear me. i dont why its happening just with this model of fanvil.?
     
  7. sip.bg

    sip.bg Active Member

    Joined:
    Nov 7, 2016
    Messages:
    704
    Likes Received:
    220
    There could be different reasons, assuming VPN is configured properly (Layer 3 routing, no NAT), still there could be a difference in configuration of phones, check PBX from what address they are registering, whether phones register to local or public address of the PBX, is STUN involved in configuration, etc. Fanvil X3S could be provisioned automatically using STUN and public IP of the PBX, while C600 -- not.
    Typically one-way audio will happen when phone reaches the PBX via VPN (on local address), but sends in registration a public address, then return traffic to the phone will not reach the phone -- such or similar scenario. You can get an idea what's happening trying to capture traffic at the PBX site using Wireshark (if Windows installation), or tcpdump or sngrep (on Linux installation).
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    Edi Kojsi likes this.
  8. sip.bg

    sip.bg Active Member

    Joined:
    Nov 7, 2016
    Messages:
    704
    Likes Received:
    220
    You can also provision Fanvil X3S as local phone in the LAN segment of the PBX, after confirming its proper operation, bring it to remote location, without changing configuration. If VPN is working properly, the phone should also work properly in the remote location. Not the case if it is configured to use the public address of the PBX and STUN.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  9. sip.bg

    sip.bg Active Member

    Joined:
    Nov 7, 2016
    Messages:
    704
    Likes Received:
    220
    Case was resolved: The VPN between sites was configured using NAT and the phones were provisioned as remote ones, using STUN, not as local ones.
    Fixing configuration of routers and phones solved the issues.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    Network Emad likes this.
  10. YiannisH_3CX

    YiannisH_3CX Support Team
    Staff Member 3CX Support

    Joined:
    May 10, 2016
    Messages:
    7,445
    Likes Received:
    540
    Glad to hear the issue has been resolved and thank you for updating the post
     
    Network Emad likes this.
Thread Status:
Not open for further replies.