Android gw wave with vpn tunnel


#1

Dear all,
I have ucm 6208 and gs wave worked successfully, but i want the gs wave to work on van tunnel, in which firstly a vpn connection is made to the UCM 6208 from the android device then open the gs wave application and make a sip call,
Is that possible???

regards,


#2

Please clarify, are you looking to register the Android phone (GS Wave) to the UCM via VPN tunnel?


#3

Hi,
Exactly, can it be directly to the UCM,???
or connect the Android phone (GS Wave) to the firewall before the UCM then register the gw wave??

I see the UCM support OpenVPN, this feature can make the Android phone (GS Wave) register to it directly using openvpn app in the android phone or other application???

thanks for your replay.


#4

First and foremost, the OpenVPN option in the UCM is a client only. Not a server. You would need a firewall that supports OpenVPN Server or something like pfSense.

Then, the GSWave would register through the VPN but the VPN is configured on the OS-level, whether it’s iOS or Android.

Once the VPN is connected, the app will register. BUT, if the VPN is disabled, then calls won’t get in since it won’t register to the UCM. I would recommend registering directly to the UCM on secure ports to allow the Android to operate without an always-on VPN.


#5

And you would accomplish this how?


#6
  • External IP or DDNS if dynamic IP.
  • Register to the UCM directly via firewall NAT rules.
  • Change ports on firewall to redirect (for example) port 50061 onto 5060 locally. This is a good way of hiding ports from external sources. You can go more random if you will.

That’s what I do to prevent using a VPN which (on mobile) is a pain to manage.


#7

Ok. Security by obscurity.

If only we could get a static IP on our cell phones…


#8

What I mean is static or dynamic IP on the UCM side.

So, instead of registering through VPN, it goes through the internet directly but with unsual ports to prevent people from spamming the port with auth request.


#9

Right. And I mean security by obscurity in that as long as I don’t know the port I can’t get in. IMHO not secure. That is why I only use VPNs at this point.

Your mileage may vary.


#10

How does directed port translation/redirection work with SIP?

The SIP messaging sent to the remote device will be telling the device to use port 5060 (or the port bound to SIP at the UCM). As such, the subsequent SIP messaging from the remote will be directed to 5060 which will not be open at the UCM site as you have 50061 (your example) open.

SIP expects full cone NAT.


#11

Firstly, thanks all for replays,

can the below be done???
1- HQ local network is protected by Sophos XG firewall in which UCM 6208 is in voice zone/subnet in the local network.
2- Sophos firewall is configured to accept remote access vpn from android or laptops and then to reach the UCM subnet with needed policies.
3- Using the android device, connect to the Sophos firewall.
4- after connection is successful, open the gs wave application and enjoy calls
???

thanks again.


#12

Yes, a VPN from the phone to a firewall is possible, This is done quite frequently.