FortiGate
Andy_G
Article Id 190699

Description

This technical tip provides an example of how to deploy an IP PBX system between Branch Offices and the Headquarters Office over IPsec VPN connections in a corporate network.

In this example, the "ABC" company has a Headquarters Office (Site_A) in Sunnyvale, United States, a Branch Office (Site_B) in Beijing, China, and a Branch Office (Site_C) in San Jose, United States. As the business grows, telephone traffic between the Branch Offices and the Headquarters Office increases, and an IP PBX running over the existing VPN is an ideal way to provide low-cost communications between them. "ABC" chooses the FortiGate Voice-80C IP PBX to deploy IP telephony between the Branch Offices and the Headquarters Office. Through the VPN connection, the FortiGate Voice-80C at each Branch Office connects to the FortiGate Voice-80C at the Headquarters Office, and every employee can be reached via a 3-digit extension with a simple dial plan configuration.

The FortiGate Voice-80C is a multi-function, multi-threat security platform that connects and protects remote and branch offices. It combines the functionality of a multi-threat UTM security gateway, VoIP gateway, IP PBX, VPN with strong encryption, router and switch into a single, integrated device.

FortiGate Voice-80C meets the needs of small, medium, or branch offices to do more without spending more. It delivers integrated data security, VoIP support, and a full-featured PBX, all managed by a single console. The IP PBX features include voicemail, message notification and unified messaging with interactive voice response (IVR). It provides support for SIP Trunking (Class 5 PSTN bypass) and supports standard SIP terminals, including hard- and softphones and SIP applications.

[Network diagram: Site_A hub with IPsec tunnels to the Site_B and Site_C spokes]

The setup is as follows:

Headquarters Office (Site_A) FortiGate Voice-80C (internal: 192.168.10.99, wan2: 172.30.89.95).

Branch Office (Site_B) FortiGate Voice-80C (internal: 192.168.20.99, wan2: 172.30.88.91).

Branch Office (Site_C) FortiGate Voice-80C (internal: 192.168.30.99, wan2: 172.30.90.93).


Scope

FortiGate Voice-80C Devices, SIP Phones, Network Switch and Router


Solution

Headquarters Office (Site_A FortiGate Voice-80C) Configuration

1. Go to VPN -> Auto Key (IKE):
(1) Phase 1:
             Name – PBX_HUB1
             Remote Gateway – Static IP Address
             IP Address – 172.30.88.91
             Local Interface – wan2
             Mode – Main (ID Protection)
             Authentication Method – Preshared Key
             Pre-shared Key – test12345
             Accept any Peer ID – Yes
             Enable IPSec Interface Mode – Yes
             IKE Version – 1
             Local Gateway IP – Main Interface IP
             DH Group – 5
             XAUTH – Disabled
             NAT Traversal – Enabled
             Dead Peer Detection – Enabled
             Keepalive Frequency – 10 seconds
(2) Phase 2:
             Name – VPN_SPOKE1
             Phase 1 – PBX_HUB1
             Auto Key Keep Alive – Enabled
             Quick Mode Selector – Source address: 0.0.0.0/0, Destination address: 0.0.0.0/0
(3) Phase 1:
             Name – PBX_HUB2
             Remote Gateway – Static IP Address
             IP Address – 172.30.90.93
             Local Interface – wan2
             Mode – Main (ID Protection)
             Authentication Method – Preshared Key
             Pre-shared Key – test12345
             Accept any Peer ID – Yes
             Enable IPSec Interface Mode – Yes
             IKE Version – 1
             Local Gateway IP – Main Interface IP
             DH Group – 5
             XAUTH – Disabled
             NAT Traversal – Enabled
             Dead Peer Detection – Enabled
             Keepalive Frequency – 10 seconds
(4) Phase 2:
             Name – VPN_SPOKE2
             Phase 1 – PBX_HUB2
             Auto Key Keep Alive – Enabled
             Quick Mode Selector – Source address: 0.0.0.0/0, Destination address: 0.0.0.0/0


CLI Configuration of VPN Auto Key (IKE):
config vpn ipsec phase1-interface
    edit "PBX_HUB1"
        set interface "wan2"
        set proposal 3des-sha1 aes128-sha1
        set remote-gw 172.30.88.91
        set psksecret test12345
    next
    edit "PBX_HUB2"
        set interface "wan2"
        set proposal 3des-sha1 aes128-sha1
        set remote-gw 172.30.90.93
        set psksecret test12345
    next
end
config vpn ipsec phase2-interface
    edit "VPN_SPOKE1"
        set keepalive enable
        set phase1name "PBX_HUB1"
        set proposal 3des-sha1 aes128-sha1
    next
    edit "VPN_SPOKE2"
        set keepalive enable
        set phase1name "PBX_HUB2"
        set proposal 3des-sha1 aes128-sha1
    next
end
2. Go to Firewall -> Address:
(1) Site_SPOKE1: 192.168.201.2/255.255.255.255
                       Interface – PBX_HUB1
(2) Destination1: 192.168.20.0/24
                     Interface – PBX_HUB1
(3) Site_SPOKE2: 192.168.202.2/255.255.255.255
                       Interface – PBX_HUB2
(4) Destination2: 192.168.30.0/24
                     Interface – PBX_HUB2
(5) Source: 192.168.10.0/24
              Interface – Internal
(6) All: 0.0.0.0/0.0.0.0
       Interface – Any


CLI Configuration of Firewall Address:
config firewall address
    edit "all"
    next
    edit "Destination1"
        set associated-interface "PBX_HUB1"
        set subnet 192.168.20.0 255.255.255.0
    next
    edit "Destination2"
        set associated-interface "PBX_HUB2"
        set subnet 192.168.30.0 255.255.255.0
    next
    edit "Site_SPOKE1"
        set associated-interface "PBX_HUB1"
        set subnet 192.168.201.2 255.255.255.255
    next
    edit "Site_SPOKE2"
        set associated-interface "PBX_HUB2"
        set subnet 192.168.202.2 255.255.255.255
    next
    edit "Source"
        set associated-interface "internal"
        set subnet 192.168.10.0 255.255.255.0
    next
end
3. Go to System -> Network -> Interface:
(1) Wan2: 172.30.89.95/24
(2) Internal: 192.168.10.99/24
                     SIP Traffic – Enabled
                     PBX User Portal – Enabled
                     Phone Auto-Provision – Enabled
(3) PBX_HUB1: 192.168.201.1/255.255.255.255
              IP – 192.168.201.1
              Remote IP – 192.168.201.2
              SIP Traffic – Enabled
(4) PBX_HUB2: 192.168.202.1/255.255.255.255
              IP – 192.168.202.1
              Remote IP – 192.168.202.2
              SIP Traffic – Enabled


CLI Configuration of System Network Interface:
config system interface
    edit "wan2"
        set vdom "root"
        set ip 172.30.89.95 255.255.255.0
        set allowaccess ping ssh http
        set type physical
    next
    edit "internal"
        set vdom "root"
        set ip 192.168.10.99 255.255.255.0
        set allowaccess ping https ssh snmp http telnet
        set type physical
        set voip enable
        set pbx-user-portal enable
        set phone-auto-provision enable
    next
    edit "PBX_HUB1"
        set vdom "root"
        set ip 192.168.201.1 255.255.255.255
        set allowaccess ping https ssh snmp http telnet
        set type tunnel
        set remote-ip 192.168.201.2
        set voip enable
        set pbx-user-portal enable
        set phone-auto-provision enable
        set interface "wan2"
    next
    edit "PBX_HUB2"
        set vdom "root"
        set ip 192.168.202.1 255.255.255.255
        set allowaccess ping https ssh snmp http telnet
        set type tunnel
        set remote-ip 192.168.202.2
        set voip enable
        set pbx-user-portal enable
        set phone-auto-provision enable
        set interface "wan2"
    next
end
4. Go to System -> DHCP Server:
(1) Internal Server: Enabled
(2) Type: Regular
(3) IP Range: 192.168.10.100 – 192.168.10.250
(4) Mask: 255.255.255.0
(5) Default Gateway: 192.168.10.99


CLI Configuration of System DHCP Server:
config system dhcp server
    edit 1
        set default-gateway 192.168.10.99
        set interface "internal"
            config ip-range
                edit 1
                    set end-ip 192.168.10.250
                    set start-ip 192.168.10.100
                next
            end
        set netmask 255.255.255.0
        set dns-server1 208.91.112.53
    next
end
5. Go to Firewall -> Policy:
(1) PBX_HUB1 -> internal:
                             Source Interface – PBX_HUB1
                             Source Address (Multiple) – (Destination1 + Site_SPOKE1)
                             Destination Interface – internal
                             Destination Address – Source
                             Schedule – Always
                             Service – ANY
                             Action – ACCEPT
                             NAT – No NAT
(2) Internal -> PBX_HUB1:
                             Source Interface – internal
                             Source Address – Source
                             Destination Interface – PBX_HUB1
                             Destination Address (Multiple) – (Destination1 + Site_SPOKE1)
                             Schedule – Always
                             Service – ANY
                             Action – ACCEPT
                             NAT – No NAT
(3) PBX_HUB2 -> internal:
                             Source Interface – PBX_HUB2
                             Source Address (Multiple) – (Destination2 + Site_SPOKE2)
                             Destination Interface – internal
                             Destination Address – Source
                             Schedule – Always
                             Service – ANY
                             Action – ACCEPT
                             NAT – No NAT
(4) Internal -> PBX_HUB2:
                             Source Interface – internal
                             Source Address – Source
                             Destination Interface – PBX_HUB2
                             Destination Address (Multiple) – (Destination2 + Site_SPOKE2)
                             Schedule – Always
                             Service – ANY
                             Action – ACCEPT
                             NAT – No NAT
(5) PBX_HUB1 -> PBX_HUB2:
                             Source Interface – PBX_HUB1
                             Source Address – all
                             Destination Interface – PBX_HUB2
                             Destination Address – all
                             Schedule – Always
                             Service – ANY
                             Action – ACCEPT
                             NAT – No NAT
(6) PBX_HUB2 -> PBX_HUB1:
                             Source Interface – PBX_HUB2
                             Source Address – all
                             Destination Interface – PBX_HUB1
                             Destination Address – all
                             Schedule – Always
                             Service – ANY
                             Action – ACCEPT
                             NAT – No NAT


CLI Configuration of Firewall Policy:
config firewall policy
    edit 1
        set srcintf "PBX_HUB1"
        set dstintf "internal"
        set srcaddr "Destination1" "Site_SPOKE1"
        set dstaddr "Source"
        set action accept
        set schedule "always"
        set service "ANY"
    next
    edit 2
        set srcintf "internal"
        set dstintf "PBX_HUB1"
        set srcaddr "Source"
        set dstaddr "Destination1" "Site_SPOKE1"
        set action accept
        set schedule "always"
        set service "ANY"
    next
    edit 3
        set srcintf "PBX_HUB2"
        set dstintf "internal"
        set srcaddr "Destination2" "Site_SPOKE2"
        set dstaddr "Source"
        set action accept
        set schedule "always"
        set service "ANY"
    next
    edit 4
        set srcintf "internal"
        set dstintf "PBX_HUB2"
        set srcaddr "Source"
        set dstaddr "Destination2" "Site_SPOKE2"
        set action accept
        set schedule "always"
        set service "ANY"
    next
    edit 5
        set srcintf "PBX_HUB1"
        set dstintf "PBX_HUB2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
    next
    edit 6
        set srcintf "PBX_HUB2"
        set dstintf "PBX_HUB1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
    next
end
6. Go to Router -> Static -> Static Route:
(1) Destination IP: 192.168.20.0/255.255.255.0
                         Gateway – 0.0.0.0
                         Device – PBX_HUB1
                         Distance – 10
                         Priority – 0
(2) Destination IP: 192.168.30.0/255.255.255.0
                         Gateway – 0.0.0.0
                         Device – PBX_HUB2
                         Distance – 10
                         Priority – 0
(3) Destination IP: 0.0.0.0/0.0.0.0
                         Gateway – 172.30.89.1
                         Device – wan2
                         Distance – 10
                         Priority – 0


CLI Configuration of Router:
config router static
    edit 1
        set device "wan2"
        set gateway 172.30.89.1
    next
    edit 2
        set device "PBX_HUB2"
        set dst 192.168.30.0 255.255.255.0
    next
    edit 3
        set device "PBX_HUB1"
        set dst 192.168.20.0 255.255.255.0
    next
end
7. Go to PBX -> Service Providers -> SIP Trunk:
Name: _FtgdVoice_1
Domain: 208.91.115.145
User Name: 10021
Account Type: Dynamic
DTMF Method: RFC2833
Status: Request Sent


CLI Configuration of PBX SIP Trunk:
config pbx sip-trunk
    edit "__FtgdVoice_1"
        set domain "208.91.115.145"
        set user "10021"
        set secret "test12345"
        set registration-interval 60
        set dtmf-method rfc2833
        set codec1 ulaw
        set codec2 ulaw
    next
end
8. Go to PBX -> Service Providers -> Branch Office:
Name: Site_B
Prefix:
Pattern: 2XX
IP Address: 192.168.201.2
Registration: No
Dial Plan: company-default
Name: Site_C
Prefix:
Pattern: 3XX
IP Address: 192.168.202.2
Registration: No
Dial Plan: company-default


CLI Configuration of PBX Branch Office:
config pbx branch-office
    edit "Site_B"
        set domain "192.168.201.2"
        set extpattern "2XX"
        set dialplan "company-default"
        set registration no
    next
    edit "Site_C"
        set domain "192.168.202.2"
        set extpattern "3XX"
        set dialplan "company-default"
        set registration no
    next
end
9. Go to PBX -> Calling Rules -> Dial Plan -> company-default:
(1) Test:
       Use Default Outgoing Prefix (“9”) – Yes
       Phone Number Begin with – 1
       Prepend –
       Action – Allow
       Outgoing - _FtgdVoice_1
(2) Others:
           Use Default Outgoing Prefix (“9”) – Yes
           Phone Number Begin with –
           Prepend –
           Action – Allow
           Outgoing - _FtgdVoice_1


CLI Configuration of PBX Dial Plan:
config pbx dialplan
    edit "company-default"
        set comments "default dial plan"
            config rule
                edit "test"
                    set action allow
                    set callthrough "__FtgdVoice_1"
                    set phone-no-beginwith "1"
                next
                edit "Others"
                    set action allow
                    set callthrough "__FtgdVoice_1"
                next
            end
    next
end
10. Go to PBX -> Service Providers -> FortiGuard Voice Service:
Account Status: Active
DIDs: 1604XXXXXXX
FortiFAX: 1604XXXXXXX
Toll Frees: 1866XXXXXXX
SIP Status: OK

11. Go to PBX -> Extension -> Extension:
Create some extension numbers (for example, 101, 102, 103, and so on):


CLI Configuration of PBX Extension:
config pbx extension
    edit "101"
        set dialplan "company-default"
        set first-name "w401"
        set last-name "q401"
        set secret Ab123456
        set vm-secret 1111
    next
    edit "102"
        set dialplan "company-default"
        set first-name "w101"
        set last-name "q101"
        set secret Ab123456
        set vm-secret 1111
    next
end
12. Go to Log&Report -> Log Config -> Alert E-mail:
SMTP Server: mail.fortinet.com
Email from: email@fortinet.com
Email to: email@fortinet.com
Authentication: Disabled


CLI Configuration of System Alert Email:

config system alertemail
    set server "mail.fortinet.com"
end

config alertemail setting
    set username "email@fortinet.com"
    set mailto1 "email@fortinet.com"
end



Branch Office (Site_B FortiGate Voice-80C) Configuration

1. Go to VPN -> Auto Key (IKE):
(1) Phase 1:
             Name – PBX_SPOKE1
             Remote Gateway – Static IP Address
             IP Address – 172.30.89.95
             Local Interface – wan2
             Mode – Main (ID Protection)
             Authentication Method – Preshared Key
             Pre-shared Key – test12345
             Accept any Peer ID – Yes
             Enable IPSec Interface Mode – Yes
             IKE Version – 1
             Local Gateway IP – Main Interface IP
             DH Group – 5
             XAUTH – Disabled
             NAT Traversal – Enabled
             Dead Peer Detection – Enabled
             Keepalive Frequency – 10 seconds
(2) Phase 2:
             Name – VPN_SPOKE1
             Phase 1 – PBX_SPOKE1
             Auto Key Keep Alive – Enabled
             Quick Mode Selector – Source address: 0.0.0.0/0, Destination address: 0.0.0.0/0


CLI Configuration of VPN Auto Key (IKE):
config vpn ipsec phase1-interface
    edit "PBX_SPOKE1"
        set interface "wan2"
        set proposal 3des-sha1 aes128-sha1
        set remote-gw 172.30.89.95
        set psksecret test12345
    next
end
config vpn ipsec phase2-interface
    edit "VPN_SPOKE1"
        set keepalive enable
        set phase1name "PBX_SPOKE1"
        set proposal 3des-sha1 aes128-sha1
    next
end
2. Go to Firewall -> Address:
(1) Site_HUB: 192.168.201.1/255.255.255.255
                       Interface – any
(2) Destination: 192.168.0.0/16
                     Interface – PBX_SPOKE1
(3) Source: 192.168.20.0/24
              Interface – Internal
(4) All: 0.0.0.0/0.0.0.0
       Interface – Any


CLI Configuration of Firewall Address:
config firewall address
    edit "all"
    next
    edit "Site_HUB"
        set subnet 192.168.201.1 255.255.255.255
    next
    edit "Destination"
        set associated-interface "PBX_SPOKE1"
        set subnet 192.168.0.0 255.255.0.0
    next
    edit "Source"
        set associated-interface "internal"
        set subnet 192.168.20.0 255.255.255.0
    next
end
3. Go to System -> Network -> Interface:
(1) Wan2: 172.30.88.91/24
(2) Internal: 192.168.20.99/24
                     SIP Traffic – Enabled
                     PBX User Portal – Enabled
                     Phone Auto-Provision – Enabled
(3) PBX_SPOKE1: 192.168.201.2/255.255.255.255
              IP – 192.168.201.2
              Remote IP – 192.168.201.1
              SIP Traffic – Enabled


CLI Configuration of System Network Interface:
config system interface
    edit "wan2"
        set vdom "root"
        set ip 172.30.88.91 255.255.255.0
        set allowaccess ping https ssh snmp http telnet
        set type physical
        set voip enable
        set pbx-user-portal enable
        set phone-auto-provision enable
    next
    edit "internal"
        set vdom "root"
        set ip 192.168.20.99 255.255.255.0
        set allowaccess ping https ssh snmp http telnet
        set type physical
        set voip enable
        set pbx-user-portal enable
        set phone-auto-provision enable
    next
    edit "PBX_SPOKE1"
        set vdom "root"
        set ip 192.168.201.2 255.255.255.255
        set allowaccess ping https ssh snmp http telnet
        set type tunnel
        set remote-ip 192.168.201.1
        set voip enable
        set pbx-user-portal enable
        set phone-auto-provision enable
        set interface "wan2"
    next
end
4. Go to System -> DHCP Server:
(1) Internal Server: Enabled
(2) Type: Regular
(3) IP Range: 192.168.20.100 – 192.168.20.250
(4) Mask: 255.255.255.0
(5) Default Gateway: 192.168.20.99


CLI Configuration of System DHCP Server:
config system dhcp server
    edit 1
        set default-gateway 192.168.20.99
        set interface "internal"
            config ip-range
                edit 1
                    set end-ip 192.168.20.250
                    set start-ip 192.168.20.100
                next
            end
        set netmask 255.255.255.0
        set dns-server1 208.91.112.53
    next
end
5. Go to Firewall -> Policy:
(1) PBX_SPOKE1 -> internal:
                             Source Interface – PBX_SPOKE1
                             Source Address (Multiple) – (Destination + Site_HUB)
                             Destination Interface – internal
                             Destination Address – Source
                             Schedule – Always
                             Service – ANY
                             Action – ACCEPT
                             NAT – No NAT
(2) Internal -> PBX_SPOKE1:
                             Source Interface – internal
                             Source Address – Source
                             Destination Interface – PBX_SPOKE1
                             Destination Address (Multiple) – (Destination + Site_HUB)
                             Schedule – Always
                             Service – ANY
                             Action – ACCEPT
                             NAT – No NAT


CLI Configuration of Firewall Policy:
config firewall policy
    edit 5
        set srcintf "PBX_SPOKE1"
        set dstintf "internal"
        set srcaddr "Site_HUB" "Destination"
        set dstaddr "Source"
        set action accept
        set schedule "always"
        set service "ANY"
    next
    edit 6
        set srcintf "internal"
        set dstintf "PBX_SPOKE1"
        set srcaddr "Source"
        set dstaddr "Site_HUB" "Destination"
        set action accept
        set schedule "always"
        set service "ANY"
    next
end
6. Go to Router -> Static -> Static Route:
(1) Destination IP: 192.168.0.0/255.255.0.0
                         Gateway – 0.0.0.0
                         Device – PBX_SPOKE1
                         Distance – 10
                         Priority – 0
(2) Destination IP: 0.0.0.0/0.0.0.0
                         Gateway – 172.30.88.1
                         Device – wan2
                         Distance – 10
                         Priority – 0


CLI Configuration of Router:
config router static
    edit 1
        set device "wan2"
        set gateway 172.30.88.1
    next
    edit 2
        set device "PBX_SPOKE1"
        set dst 192.168.0.0 255.255.0.0
    next
end
7. Go to PBX -> Service Providers -> Branch Office:
Name: Site_A
Prefix:
Pattern: [1,3]XX
IP Address: 192.168.201.1
Registration: No
Dial Plan: qtest


CLI Configuration of PBX Branch Office:
config pbx branch-office
    edit "Site_A"
        set domain "192.168.201.1"
        set extpattern "[1,3]XX"
        set dialplan "qtest"
        set registration no
    next
end
8. Go to PBX -> Calling Rules -> Dial Plan -> qtest:
(1) wtest:
           Use Default Outgoing Prefix (“9”) – Yes
           Phone Number Begin with –
           Prepend –
           Action – Allow
           Outgoing -


CLI Configuration of PBX Dial Plan:
config pbx dialplan
    edit "qtest"
            config rule
                edit "wtest"
                    set action allow
                next
            end
    next
end
9. Go to PBX -> Extension -> Extension:
Create some extension numbers (for example, 201, 202, 203, and so on):


CLI Configuration of PBX Extension:
config pbx extension
    edit "201"
        set dialplan "qtest"
        set first-name "w201"
        set last-name "q201"
        set secret Ab123456
        set vm-secret 1111
    next
end
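The CLI listings above for the hub and Site_B (Site_C below mirrors Site_B) are the kind of dump a reviewer is handed before sign-off, and a few items in them deserve a second look: 3des-sha1 in every IKE proposal, the short example pre-shared key, telnet, http and snmp management plus the PBX user portal and phone auto-provisioning enabled on the spokes' Internet-facing wan2, and the all/all/ANY spoke-to-spoke policies on the hub. The following Python is an added example, not FortiOS or FortiVoice code: it parses the config/edit/set/next/end grammar used in these listings and reports those gaps. The sample it audits is a constructed condensation of settings copied from this page, and the rule that any interface named wan* faces the Internet is an assumption taken from this page's naming.

```python
import re
from typing import Dict, List

# Constructed sample condensed from this page's CLI listings: the hub's phase1
# and policy 5, a spoke's wan2 interface, and a DHCP ip-range sub-table.
SAMPLE_CONFIG = """
config vpn ipsec phase1-interface
    edit "PBX_HUB1"
        set interface "wan2"
        set proposal 3des-sha1 aes128-sha1
        set remote-gw 172.30.88.91
        set psksecret test12345
    next
end
config system interface
    edit "wan2"
        set allowaccess ping https ssh snmp http telnet
        set pbx-user-portal enable
        set phone-auto-provision enable
    next
end
config system dhcp server
    edit 1
            config ip-range
                edit 1
                    set start-ip 192.168.20.100
                next
            end
    next
end
config firewall policy
    edit 5
        set srcintf "PBX_HUB1"
        set dstintf "PBX_HUB2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set service "ANY"
    next
end
"""

_TOKEN = re.compile(r'"[^"]*"|\S+')   # a bare word, or a double-quoted name


def parse_fortios(text: str) -> Dict[str, dict]:
    """Build {table: {entry: {attribute: [values]}}} from config/edit/set/next/end.
    A sub-table opened inside an entry (config ip-range) is stored under that
    entry by its own name, next to the entry's attributes."""
    tables: Dict[str, dict] = {}
    stack: List[dict] = []          # open config/edit containers, innermost last
    for raw in text.splitlines():
        tok = [t.strip('"') for t in _TOKEN.findall(raw)]
        if not tok:
            continue
        kw, args = tok[0], tok[1:]
        if kw == "config":
            table: dict = {}
            (stack[-1] if stack else tables)[" ".join(args)] = table
            stack.append(table)
        elif kw == "edit":
            entry: dict = {}
            stack[-1][" ".join(args)] = entry
            stack.append(entry)
        elif kw == "set":
            stack[-1][args[0]] = args[1:]
        elif kw in ("next", "end"):
            stack.pop()
    return tables


WEAK_ALGOS = {"des", "3des", "md5"}
CLEARTEXT_MGMT = {"telnet", "http", "snmp"}
PBX_SERVICES = ("pbx-user-portal", "phone-auto-provision")


def audit(tables: Dict[str, dict]) -> List[str]:
    """One finding per gap. Assumption taken from this page's naming, not a
    FortiOS rule: interfaces whose name starts with 'wan' face the Internet."""
    findings: List[str] = []
    for name, p1 in tables.get("vpn ipsec phase1-interface", {}).items():
        for prop in p1.get("proposal", []):
            if WEAK_ALGOS & set(prop.split("-")):
                findings.append(f"phase1 {name}: weak IKE proposal {prop}")
        if len(p1.get("psksecret", [""])[0]) < 16:
            findings.append(f"phase1 {name}: pre-shared key shorter than 16 characters")
    for name, intf in tables.get("system interface", {}).items():
        if not name.startswith("wan"):
            continue
        leaks = CLEARTEXT_MGMT & set(intf.get("allowaccess", []))
        if leaks:
            findings.append(f"interface {name}: cleartext management {sorted(leaks)} open to the Internet")
        for svc in PBX_SERVICES:
            if intf.get(svc) == ["enable"]:
                findings.append(f"interface {name}: {svc} open to the Internet")
    for pid, pol in tables.get("firewall policy", {}).items():
        if pol.get("srcaddr") == ["all"] and pol.get("dstaddr") == ["all"] and pol.get("service") == ["ANY"]:
            findings.append(f"policy {pid}: all/all/ANY from {pol['srcintf'][0]} to {pol['dstintf'][0]}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_fortios(SAMPLE_CONFIG)):
        print(finding)
```

Run it as a script to print the six findings for the sample, or paste in the output of a device's show command. The remedies are the usual ones: drop 3des from the phase1 and phase2 proposals, use a long random pre-shared key, limit wan2 allowaccess to https and ssh (or remove it and manage the device from the internal side or over the tunnel), keep the PBX user portal and phone auto-provisioning on the internal interface only, and narrow the hub's policies 5 and 6 to the spoke subnets and the SIP and RTP services the PBXs actually exchange.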


Branch Office (Site_C FortiGate Voice-80C) Configuration

1. Go to VPN -> Auto Key (IKE):
(1) Phase 1:
             Name – PBX_SPOKE2
             Remote Gateway – Static IP Address
             IP Address – 172.30.89.95
             Local Interface – wan2
             Mode – Main (ID Protection)
             Authentication Method – Preshared Key
             Pre-shared Key – test12345
             Accept any Peer ID – Yes
             Enable IPSec Interface Mode – Yes
             IKE Version – 1
             Local Gateway IP – Main Interface IP
             DH Group – 5
             XAUTH – Disabled
             NAT Traversal – Enabled
             Dead Peer Detection – Enabled
             Keepalive Frequency – 10 seconds
(2) Phase 2:
             Name – VPN_SPOKE2
             Phase 1 – PBX_SPOKE2
             Auto Key Keep Alive – Enabled
             Quick Mode Selector – Source address: 0.0.0.0/0, Destination address: 0.0.0.0/0


CLI Configuration of VPN Auto Key (IKE):
config vpn ipsec phase1-interface
    edit "PBX_SPOKE2"
        set interface "wan2"
        set proposal 3des-sha1 aes128-sha1
        set remote-gw 172.30.89.95
        set psksecret test12345
    next
end
config vpn ipsec phase2-interface
    edit "VPN_SPOKE2"
        set keepalive enable
        set phase1name "PBX_SPOKE2"
        set proposal 3des-sha1 aes128-sha1
    next
end
2. Go to Firewall -> Address:
(1) Site_HUB: 192.168.202.1/255.255.255.255
                       Interface – any
(2) Destination: 192.168.0.0/16
                     Interface – PBX_SPOKE2
(3) Source: 192.168.30.0/24
              Interface – Internal
(4) All: 0.0.0.0/0.0.0.0
       Interface – Any


CLI Configuration of Firewall Address:
config firewall address
    edit "all"
    next
    edit "Site_HUB"
        set subnet 192.168.202.1 255.255.255.255
    next
    edit "Destination"
        set associated-interface "PBX_SPOKE2"
        set subnet 192.168.0.0 255.255.0.0
    next
    edit "Source"
        set associated-interface "internal"
        set subnet 192.168.30.0 255.255.255.0
    next
end
3. Go to System -> Network -> Interface:
(1) Wan2: 172.30.90.93/24
(2) Internal: 192.168.30.99/24
                     SIP Traffic – Enabled
                     PBX User Portal – Enabled
                     Phone Auto-Provision – Enabled
(3) PBX_SPOKE2: 192.168.202.2/255.255.255.255
              IP – 192.168.202.2
              Remote IP – 192.168.202.1
              SIP Traffic – Enabled


CLI Configuration of System Network Interface:
config system interface
    edit "wan2"
        set vdom "root"
        set ip 172.30.90.93 255.255.255.0
        set allowaccess ping https ssh snmp http telnet
        set type physical
        set voip enable
        set pbx-user-portal enable
        set phone-auto-provision enable
    next
    edit "internal"
        set vdom "root"
        set ip 192.168.30.99 255.255.255.0
        set allowaccess ping https ssh snmp http telnet
        set type physical
        set voip enable
        set pbx-user-portal enable
        set phone-auto-provision enable
    next
    edit "PBX_SPOKE2"
        set vdom "root"
        set ip 192.168.202.2 255.255.255.255
        set allowaccess ping https ssh snmp http telnet
        set type tunnel
        set remote-ip 192.168.202.1
        set voip enable
        set pbx-user-portal enable
        set phone-auto-provision enable
        set interface "wan2"
    next
end
4. Go to System -> DHCP Server:
(1) Internal Server: Enabled
(2) Type: Regular
(3) IP Range: 192.168.30.100 – 192.168.30.250
(4) Mask: 255.255.255.0
(5) Default Gateway: 192.168.30.99


CLI Configuration of System DHCP Server:
config system dhcp server
    edit 1
        set default-gateway 192.168.30.99
        set interface "internal"
            config ip-range
                edit 1
                    set end-ip 192.168.30.250
                    set start-ip 192.168.30.100
                next
            end
        set netmask 255.255.255.0
        set dns-server1 208.91.112.52
    next
end
5. Go to Firewall -> Policy:
(1) PBX_SPOKE2 -> internal:
                             Source Interface – PBX_SPOKE2
                             Source Address (Multiple) – (Destination + Site_HUB)
                             Destination Interface – internal
                             Destination Address – Source
                             Schedule – Always
                             Service – ANY
                             Action – ACCEPT
                             NAT – No NAT
(2) Internal -> PBX_SPOKE2:
                             Source Interface – internal
                             Source Address – Source
                             Destination Interface – PBX_SPOKE2
                             Destination Address (Multiple) – (Destination + Site_HUB)
                             Schedule – Always
                             Service – ANY
                             Action – ACCEPT
                             NAT – No NAT


CLI Configuration of Firewall Policy:
config firewall policy
    edit 3
        set srcintf "PBX_SPOKE2"
        set dstintf "internal"
        set srcaddr "Destination" "Site_HUB"
        set dstaddr "Source"
        set action accept
        set schedule "always"
        set service "ANY"
    next
    edit 4
        set srcintf "internal"
        set dstintf "PBX_SPOKE2"
        set srcaddr "Source"
        set dstaddr "Destination" "Site_HUB"
        set action accept
        set schedule "always"
        set service "ANY"
    next
end
6. Go to Router -> Static -> Static Route:
(1) Destination IP: 192.168.0.0/255.255.0.0
                         Gateway – 0.0.0.0
                         Device – PBX_SPOKE2
                         Distance – 10
                         Priority – 0
(2) Destination IP: 0.0.0.0/0.0.0.0
                         Gateway – 172.30.90.1
                         Device – wan2
                         Distance – 10
                         Priority – 0


CLI Configuration of Router:
config router static
    edit 1
        set device "wan2"
        set gateway 172.30.90.1
    next
    edit 2
        set device "PBX_SPOKE2"
        set dst 192.168.0.0 255.255.0.0
    next
end
7. Go to PBX -> Service Providers -> Branch Office:
Name: Site_A
Prefix:
Pattern: [1,2]XX
IP Address: 192.168.202.1
Registration: No
Dial Plan: qtest


CLI Configuration of PBX Branch Office:
config pbx branch-office
    edit "Site_A"
        set domain "192.168.202.1"
        set extpattern "[1,2]XX"
        set dialplan "qtest"
        set registration no
    next
end
8. Go to PBX -> Calling Rules -> Dial Plan -> qtest:
(1) wtest:
           Use Default Outgoing Prefix (“9”) – Yes
           Phone Number Begin with –
           Prepend –
           Action – Allow
           Outgoing -


CLI Configuration of PBX Dial Plan:
config pbx dialplan
    edit "qtest"
            config rule
                edit "wtest"
                    set action allow
                next
            end
    next
end
9. Go to PBX -> Extension -> Extension:
Create some extension numbers (for example, 301, 302, 303, and so on):


CLI Configuration of PBX Extension:
config pbx extension
    edit "301"
        set dialplan "qtest"
        set first-name "w301"
        set last-name "q301"
        set secret Ab123456
        set vm-secret 1111
    next
end


Testing Results
  1. SIP phone extension 101 registered to the Headquarters Office (Site_A) IP PBX over the local network (192.168.10.0/24).
  2. SIP phone extension 201 registered to the Branch Office (Site_B) IP PBX over the local network (192.168.20.0/24).
  3. SIP phone extension 301 registered to the Branch Office (Site_C) IP PBX over the local network (192.168.30.0/24).
  4. SIP phone extension 301 was able to call extension 101 over the VPN connection.
  5. SIP phone extension 301 was able to call extension 201 over the VPN connection.
  6. SIP phone extension 101 was able to call extension 201 over the VPN connection.
  7. SIP phone extension 101 was able to call extension 301 over the VPN connection.
  8. SIP phone extension 201 was able to call extension 101 over the VPN connection.
  9. SIP phone extension 201 was able to call extension 301 over the VPN connection.
  10. Every SIP phone was able to call, and hold a conversation with, every other SIP phone over the VPN connections (hub-and-spoke configuration).
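The calls in the test results above succeed because of the branch-office patterns configured at each site: the hub forwards 2XX to Site_B (192.168.201.2) and 3XX to Site_C (192.168.202.2), and each spoke forwards everything outside its own range to the hub. The following Python is an added illustration, not FortiVoice code: it reproduces that routing from the page's branch-office tables, assuming the Pattern field uses Asterisk-style syntax (X for any digit, [..] for a digit class) and treating the comma in "[1,3]XX" as a separator. It models only which PBX handles each hop, not SIP signalling or RTP, and it shows the two failure modes the tables imply: a number that matches no pattern at a spoke (205 dialled from Site_B) and a number the hub cannot place after a spoke forwards it (199 dialled from Site_C).

```python
from typing import Dict, List

# Site tables transcribed from this page: the PBX's own tunnel-interface IPs,
# the extensions it serves, and its branch-office entries (pattern, peer IP).
SITES: Dict[str, dict] = {
    "Site_A": {"ips": {"192.168.201.1", "192.168.202.1"}, "local": {"101", "102"},
               "branches": [("2XX", "192.168.201.2"), ("3XX", "192.168.202.2")]},
    "Site_B": {"ips": {"192.168.201.2"}, "local": {"201"},
               "branches": [("[1,3]XX", "192.168.201.1")]},
    "Site_C": {"ips": {"192.168.202.2"}, "local": {"301"},
               "branches": [("[1,2]XX", "192.168.202.1")]},
}


def _digit_class(spec: str) -> set:
    """Expand the inside of [...]: single digits and a-b ranges. Commas, as in
    this page's '[1,3]XX', are assumed to be separators and are ignored."""
    spec = spec.replace(",", "")
    allowed, j = set(), 0
    while j < len(spec):
        if j + 2 < len(spec) and spec[j + 1] == "-":
            allowed.update(chr(c) for c in range(ord(spec[j]), ord(spec[j + 2]) + 1))
            j += 3
        else:
            allowed.add(spec[j])
            j += 1
    return allowed


def pattern_matches(pattern: str, number: str) -> bool:
    """Asterisk-style extension pattern (assumed to be what the FortiVoice
    Pattern field accepts): X is any digit, [..] a digit class, else a literal.
    The whole number must be consumed, so '2XX' does not match '2011'."""
    i = pos = 0
    while pos < len(pattern):
        if i >= len(number):
            return False
        if pattern[pos] == "X":
            ok, pos = number[i].isdigit(), pos + 1
        elif pattern[pos] == "[":
            end = pattern.index("]", pos)
            ok, pos = number[i] in _digit_class(pattern[pos + 1:end]), end + 1
        else:
            ok, pos = pattern[pos] == number[i], pos + 1
        if not ok:
            return False
        i += 1
    return i == len(number)


def _site_for(ip: str) -> str:
    return next(name for name, site in SITES.items() if ip in site["ips"])


def route_call(origin: str, dialed: str) -> List[str]:
    """Return the chain of PBXs a call traverses, ending at the one that owns
    the extension. Raises LookupError when no branch pattern matches at some
    hop, or when the patterns would send the call back to a site already visited."""
    path, site = [origin], origin
    while dialed not in SITES[site]["local"]:
        for pattern, peer_ip in SITES[site]["branches"]:
            if pattern_matches(pattern, dialed):
                site = _site_for(peer_ip)
                break
        else:
            raise LookupError(f"{site}: no route for extension {dialed}")
        if site in path:
            raise LookupError(f"routing loop for {dialed}: {path + [site]}")
        path.append(site)
    return path


if __name__ == "__main__":
    for origin, dialed in [("Site_C", "101"), ("Site_C", "201"), ("Site_A", "301"),
                           ("Site_B", "101"), ("Site_B", "301")]:
        print(f"{origin} dials {dialed}: " + " -> ".join(route_call(origin, dialed)))
```

A spoke-to-spoke call (Site_C to 201) is handled by three PBXs, which is why the hub needs policies 5 and 6 between PBX_HUB1 and PBX_HUB2 in addition to the tunnel-to-internal policies: the hub's firewall is in the path of that traffic even though no Site_A extension is involved.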