Android GS Wave with VPN tunnel


#1

Dear all,
I have a UCM 6208 and GS Wave working successfully, but I want GS Wave to work over a VPN tunnel, in which a VPN connection is first made to the UCM 6208 from the Android device, and then the GS Wave application is opened to make a SIP call.
Is that possible???

regards,


#2

Please clarify, are you looking to register the Android phone (GS Wave) to the UCM via VPN tunnel?


#3

Hi,
Exactly, can it be directly to the UCM???
Or connect the Android phone (GS Wave) to the firewall in front of the UCM and then register GS Wave??

I see the UCM supports OpenVPN. Can this feature let the Android phone (GS Wave) register to it directly using the OpenVPN app on the Android phone, or another application???

Thanks for your reply.


#4

First and foremost, the OpenVPN option in the UCM is a client only. Not a server. You would need a firewall that supports OpenVPN Server or something like pfSense.

Then, the GSWave would register through the VPN but the VPN is configured on the OS-level, whether it’s iOS or Android.

Once the VPN is connected, the app will register. BUT, if the VPN is disabled, then calls won’t get in since it won’t register to the UCM. I would recommend registering directly to the UCM on secure ports to allow the Android to operate without an always-on VPN.


#5

And you would accomplish this how?


#6
  • External IP or DDNS if dynamic IP.
  • Register to the UCM directly via firewall NAT rules.
  • Change ports on firewall to redirect (for example) port 50061 onto 5060 locally. This is a good way of hiding ports from external sources. You can go more random if you will.

That’s what I do to prevent using a VPN which (on mobile) is a pain to manage.


#7

Ok. Security by obscurity.

If only we could get a static IP on our cell phones…


#8

What I mean is static or dynamic IP on the UCM side.

So, instead of registering through VPN, it goes through the internet directly but with unusual ports to prevent people from spamming the port with auth requests.


#9

Right. And I mean security by obscurity in that as long as I don’t know the port I can’t get in. IMHO not secure. That is why I only use VPNs at this point.

Your mileage may vary.


#10

How does directed port translation/redirection work with SIP?

The SIP messaging sent to the remote device will be telling the device to use port 5060 (or the port bound to SIP at the UCM). As such, the subsequent SIP messaging from the remote will be directed to 5060 which will not be open at the UCM site as you have 50061 (your example) open.

SIP expects full cone NAT.
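One way to test the concern raised in #10 against a capture, as an added example that is not part of the original thread: this Python sketch reads the Via and Contact headers of a request sent by the PBX and lists any that advertise something other than the address and port the firewall forwards. The sample message, the addresses (documentation ranges), the function names and the 50061 forward are assumptions for illustration; only IPv4 addresses and hostnames are handled.

```python
import re

# Constructed sample: an in-dialog request as a PBX bound to 5060 might send it
# to a remote phone. Addresses are documentation ranges, not from the thread.
SAMPLE_INVITE = (
    "INVITE sip:1001@198.51.100.7:41234 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 203.0.113.10:5060;branch=z9hG4bKconstructed;rport\r\n"
    "From: <sip:1000@203.0.113.10>;tag=constructed\r\n"
    "To: <sip:1001@198.51.100.7:41234>\r\n"
    "Call-ID: constructed@203.0.113.10\r\n"
    "CSeq: 102 INVITE\r\n"
    "Contact: <sip:1000@203.0.113.10:5060>\r\n"
    "Content-Length: 0\r\n\r\n"
)

VIA = re.compile(r"\s*SIP/2\.0/(\w+)\s+([^\s;:]+)(?::(\d+))?", re.I)
CONTACT = re.compile(r"(sips?):(?:[^@>;\s]+@)?([^\s;:>]+)(?::(\d+))?", re.I)


def advertised_targets(message):
    """Return (header, host, port) for each Via and Contact header."""
    found = []
    for line in message.split("\r\n")[1:]:   # skip the request line
        if not line:
            break                             # blank line ends the headers
        name, _, value = line.partition(":")
        name = name.strip().lower()
        if name in ("via", "v"):              # "v" is the compact form
            m = VIA.match(value)
            secure = bool(m) and m.group(1).upper() == "TLS"
        elif name in ("contact", "m"):        # "m" is the compact form
            m = CONTACT.search(value)
            secure = bool(m) and m.group(1).lower() == "sips"
        else:
            continue
        if m:
            default = 5061 if secure else 5060   # SIP default ports
            found.append((name, m.group(2), int(m.group(3) or default)))
    return found


def mismatched_headers(message, public_host, forwarded_port):
    """Headers that advertise anything other than public_host:forwarded_port."""
    return [t for t in advertised_targets(message)
            if (t[1], t[2]) != (public_host, forwarded_port)]


if __name__ == "__main__":
    for header, host, port in mismatched_headers(SAMPLE_INVITE, "203.0.113.10", 50061):
        print(f"{header}: advertises {host}:{port}, firewall forwards 50061")
```

An empty result means the PBX advertises the same address and port that the firewall exposes; any entry is a header the remote phone may follow to a port that is not forwarded.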


#11

Firstly, thanks all for the replies,

Can the below be done???
1- HQ local network is protected by a Sophos XG firewall, in which the UCM 6208 is in the voice zone/subnet in the local network.
2- Sophos firewall is configured to accept remote access VPN from Android devices or laptops and then to reach the UCM subnet with the needed policies.
3- Using the Android device, connect to the Sophos firewall.
4- After the connection is successful, open the GS Wave application and enjoy calls
???

Thanks again.


#12

Yes, a VPN from the phone to a firewall is possible. This is done quite frequently.


#13

Hi again to all of you,
It works by first connecting to the firewall using my Android, then registering in the UCM. The strange thing is that GS Wave stops working after 5:00pm and returns to a red icon. Is this possible? I tried to change the office hours to 11:0pm, but to no avail.
Please take into consideration that the extension number registered in the UCM doesn’t have a specific time configuration or other.

regards,


#14

Does the firewall have a schedule on the NAT?


#15

Hi,
No, the Sophos firewall has no schedule. The strange thing is that the SSL VPN status shows connected but GS Wave shows a red icon; in the morning GS Wave works normally.

regards,


#16

Is the app always opened? GSWave doesn’t support Push so it must be opened to work.


#17

Of course it is open.


#18

Can you packet capture the app trying to register via the VPN? Your router should allow packet capture. Also, try a Capture at the same time from the UCM to see if register packets are received.


#19

In the UCM, where do I get the packet capture from???


#20

Maintenance network troubleshooting.

Does your cell provider have data limits?