I have a Cisco VoIP phone that I use remotely and to do that, it of course needs to be able to boot up and interact with its mother Call Manager, I mean Cisco Unified Communications Manager, server. On a Cisco router this is easy; add a dhcp server and hand out option 150 ip-address x.x.x.x as part of the DHCP scope. With a Fortigate device, not so easy I learned.
For whatever reason, you cannot set DHCP options within the web interface, it requires the command line. Not a huge deal, their command line isn’t horrible, but it is tiresome if you’re trying to find something specific. Anyway, where it gets stupid is that Fortinet wants you to plug DHCP option parameters in using hexadecimal encoding of the parameter value. Huh?!
I’ll save you from the long story of figuring out just what I had to put in to make everyone happy, but the end result is that you do NOT turn your IP address string into a hexadecimal string like you might be thinking, and like you’d do for any other string you want passed as a DHCP parameter to an option. You need to turn your IP address into hexadecimal numerically. Why? Because that’s what IP (IPv4 of course) addresses are to begin with, just a single 32-bit number. You don’t want the periods as part of your string. For example, 192.0.2.100 as a string, in hex, is 3139322e302e322e313030. I tried setting that on my Fortigate and the phone tried talking to a server in Thailand because it started converting just enough characters to make a 32-bit number into its first TFTP server.
If you turn 192.0.2.100 into decimal, then to hex, your value is C0000264. An easy converter I found to do this is: http://www.kloth.net/services/iplocate.php
Thus, the correct setup on the Fortigate is:
config system dhcp server edit 1 set default-gateway 192.0.2.1 set interface "lan4" config ip-range edit 1 set end-ip 192.0.2.2 set start-ip 192.0.2.2 next end set netmask 255.255.255.252 set option1 150 'C0000264' set dns-server1 126.96.36.199 next end
You will of course need to change the “edit 1” to the correct number for the DHCP server instance you want to add the option to, and all the addresses, etc as necessary. With this change, and my Fortigate already configured for VPN to my Cisco Communications Manager install, my phone is able to boot up and load its image from wherever I am.
Thanks. Did you have a special configuration for the voice to come over the vpn.
Nothing special, just static routes in the relevant places. What I did most recently was carved out a large address space which all remote networks were contained within, and then every remote phone got a chunk of space within that supernet. Then, only one route was needed in each corporate location pointing that remote VoIP traffic to a specific firewall, and that firewall had static routes for all the remote users. This would get a lot more complicated if different firewalls were handling the VPN duties for different remote users.