I could really use some help here...
I have a Site-to-Site L2TP/IPsec VPN that seems to be working fine.
On the VPN server site there is a Grandstream UCM6200 (192.168.5.20) and some Grandstream IP phones (192.168.5.21-32).
On the VPN client site there are only 2 IP phones (192.168.6.50 & 192.168.6.51).
All the calls between IP phones that are located on the server site work without problems.
When calling from the 1st IP phone (192.168.6.50), which is on the client site, to an IP phone on the server site, the phone rings as it should.
However, the person who picks it up on the server site hears no sound. The person on the client side (who makes the call) still hears a calling tone. Actually, the session never opens.
Meanwhile, the Grandstream UCM6200 PBX displays an "Abnormal" status for the calling phone registration.
I took a capture that shows lots of RTP packets lost, as expected, and also a lot of "401 - Unauthorized" and "404 - Not Found".
I've attached an image of this capture.
-- There shouldn't be any NAT issues, as all this traffic goes through the VPN, right?
-- I also think I don't drop any of this traffic with my firewalls:
server site:
/ip firewall filter
add action=accept chain=input comment="Accept L2TP & IPsec" dst-port=\
4500,500,1701 protocol=udp \
src-address-list=L2TP_Katastimata
add action=accept chain=input comment=\
"Accept L2TP & IPsec" protocol=ipsec-esp src-address-list=L2TP_Katastimata
add action=accept chain=input comment=\
"Accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="Accept MNG Services" dst-port=\
xxxx-xxxx log=yes protocol=tcp
add action=accept chain=input comment="Accept ICMP" protocol=icmp
add action=drop chain=input comment="Drop input invalid" \
connection-state=invalid
add action=drop chain=input comment="Drop all not coming from LAN" \
in-interface-list=!LAN log-prefix=###################
add action=accept chain=forward comment=\
"Accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="Drop forward invalid" \
connection-state=invalid
add action=drop chain=forward comment="Drop all from WAN not DSTNATed" \
connection-nat-state=!dstnat connection-state=new \
in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface="ether1 - WAN"
client site:
/ip firewall filter
add action=accept chain=input comment="Accept L2TP & IPsec" dst-port=\
4500,500,1701 protocol=udp src-address=x.x.x.x
add action=accept chain=input comment="Accept established,related,untracked" \
connection-state=established,related,untracked
add action=accept chain=input comment="Accept MNG Services" \
dst-port=xxx-xxx protocol=tcp
add action=accept chain=input comment="Accept ICMP" protocol=icmp
add action=drop chain=input comment="Drop input invalid" connection-state=\
invalid
add action=drop chain=input comment="Drop all not coming from LAN" \
in-interface-list=!LAN log=yes log-prefix=###################
add action=accept chain=forward comment=\
"Accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="Drop forward invalid" connection-state=\
invalid
add action=drop chain=forward comment="Drop all from WAN not DSTNATed" \
connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface="ether1 - WAN"
-- Do you know, or could you imagine, what is wrong in my case?
-- Any ideas that I could possibly try to implement?
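One way to triage a SIP trace like the one described above (added example, not code from the post or from Grandstream/MikroTik): it pairs each request with its final responses per Call-ID, so a normal digest flow (401 followed by a 2xx on the authenticated retry) is told apart from a registration that is challenged and never completes, an INVITE that rings but never gets a final answer, or a request rejected with another 4xx such as 404. The sample messages are constructed; Call-IDs and the user part of the INVITE URI are invented, and 192.168.5.20 is the PBX address from the post.

```python
import re
from collections import defaultdict

# Added example, not code from the forum post: classify SIP transactions per
# Call-ID so a normal 401 digest challenge (answered with a retry that gets a
# 2xx) is not confused with a failed registration or an unanswered INVITE.
REQUEST = re.compile(r"^([A-Z]+) sip:\S+ SIP/2\.0$")
RESPONSE = re.compile(r"^SIP/2\.0 (\d{3}) ")

def parse(raw):
    """Return (method, status, call_id, cseq); status is None for requests."""
    lines = raw.strip().splitlines()
    hdr = {k.strip().lower(): v.strip() for k, v in (h.split(":", 1) for h in lines[1:] if ":" in h)}
    req, resp = REQUEST.match(lines[0]), RESPONSE.match(lines[0])
    cseq_num, cseq_method = hdr["cseq"].split()
    method = req.group(1) if req else cseq_method  # responses carry the method in CSeq
    status = int(resp.group(1)) if resp else None
    return method, status, hdr["call-id"], int(cseq_num)

def triage(messages):
    """Map Call-ID -> 'ok' | 'auth-challenge-unanswered' | 'rejected <code>' | 'no-final-response'."""
    by_call = defaultdict(list)
    for raw in messages:
        method, status, cid, cseq = parse(raw)
        by_call[cid].append((cseq, method, status))
    verdicts = {}
    for cid, msgs in by_call.items():
        msgs.sort(key=lambda m: m[0])  # stable sort keeps arrival order within a CSeq
        finals = [s for _, _, s in msgs if s is not None and s >= 200]  # 1xx are provisional
        if not finals:
            verdicts[cid] = "no-final-response"  # e.g. 180 Ringing but never 200 OK
        elif finals[-1] < 300:
            verdicts[cid] = "ok"  # last final answer is a success (covers 401 -> retry -> 200)
        elif finals == [401]:
            verdicts[cid] = "auth-challenge-unanswered"  # challenged, no authenticated retry seen
        else:
            verdicts[cid] = f"rejected {finals[-1]}"
    return verdicts

# Constructed sample trace: Call-IDs are invented; 192.168.5.20 is the PBX address from the post.
SAMPLE = [
    "REGISTER sip:192.168.5.20 SIP/2.0\nCall-ID: reg-50\nCSeq: 1 REGISTER",
    "SIP/2.0 401 Unauthorized\nCall-ID: reg-50\nCSeq: 1 REGISTER",
    "REGISTER sip:192.168.5.20 SIP/2.0\nCall-ID: reg-50\nCSeq: 2 REGISTER",
    "SIP/2.0 200 OK\nCall-ID: reg-50\nCSeq: 2 REGISTER",
    "INVITE sip:phone@192.168.5.20 SIP/2.0\nCall-ID: call-1\nCSeq: 1 INVITE",
    "SIP/2.0 180 Ringing\nCall-ID: call-1\nCSeq: 1 INVITE",
    "REGISTER sip:192.168.5.20 SIP/2.0\nCall-ID: reg-51\nCSeq: 1 REGISTER",
    "SIP/2.0 401 Unauthorized\nCall-ID: reg-51\nCSeq: 1 REGISTER",
]
```

Running `triage(SAMPLE)` marks reg-50 as ok, call-1 as no-final-response and reg-51 as auth-challenge-unanswered; a phone the PBX shows as "Abnormal" would be expected in one of the last two buckets.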