iPhone Wi-Fi calling firewall rules
studerje1
Enthusiast - Level 3

It appears that the Wi-Fi calling feature that has finally rolled out for iPhones with iOS 9.3 will require some changes to corporate firewalls.

It looks like the feature establishes a per-app VPN for the calling feature. The IPsec and IKE protocols appear to be in use.

I'm hoping to find documentation from Verizon on what ports and addresses to enable for this feature.

Can anyone point me in the right direction?

Weth
Legend

Have you seen this Cisco document for getting Wi-Fi calling working? IPsec using UDP ports 500 and 4500.

Wi-Fi Calling White Paper - Cisco

studerje1
Enthusiast - Level 3

@Weth, thanks for the document, I had not seen it yet.

I see the line that states: "IPsec: The enterprise firewall policy needs to enable User Datagram Protocol (UDP) ports 500 and 4500 for IPsec to work properly."

I'm looking for a specific range of destination IP addresses to allow for the outbound rule. Just allowing the ports outbound without a specific destination won't work for us. We need to keep our outbound traffic limited to specific destinations.

Thanks,

-Jon

Weth
Legend

Got it. Same reason I can't get it turned on in our hospital. Sure would be great for the far reaches of the basement with X-ray-blocking walls near the radiology suite! Unless someone chimes in at a level of Verizon network technical knowledge that I have not seen in this forum, you'll need to get by the first two layers of CS so a third level can put in a request for a technical contact.

Did you see where it is connecting to from a less controlled network, i.e. home?

studerje1
Enthusiast - Level 3

Agreed. Not going to hold my breath.

I called CS today and they told me to call the Apple Care Support number because CS had not been briefed on the 9.3 calling feature yet, and since it's an Apple device, I needed to call Apple.

I think I'm going to try our business rep.

I also sent a tweet to @VZWSupport to see if they had any info. Nothing yet. Trying multiple channels to see if I can get a quick resolution.

studerje1
Enthusiast - Level 3

Still haven't found any official documentation yet, but I did some sleuthing and found the following needs to be enabled.

As @Weth noted, the Cisco document recommends that the following ports be allowed outbound:

UDP 4500

UDP 500

Only two Verizon IP addresses appear in the destination list, but I'm not sure if they are regional.

141.207.225.232 - 232.sub-141-207-225.myvzw.com (Appears to be West coast)

141.207.227.232 - 232.sub-141-207-227.myvzw.com (Appears to be East coast)

We've enabled outbound traffic to these addresses on these ports and it works.

YMMV

studerje1
Enthusiast - Level 3

This continues to work successfully for us. Still nothing back from Verizon support.

vortix
Enthusiast - Level 2

For what it's worth, I detected a connection to IP 141.207.175.232 when making a Wi-Fi call in Ohio. Hopefully Verizon can chime in with an official, complete list of IPs.

Weth
Legend

I am on the west coast and consistently link to 141.207.227.232 at home on UDP 4500.

vzw_customer_support
Customer Service Rep

studerje1, We always want your concerns to be addressed and solved properly. This is a community forum and we provide the community the initial opportunity to answer here. We do see here that @Weth was able to provide you with a great solution to your concern. Is everything working currently? Do you have any other concerns?
JoelR_VZW
Follow us on Twitter @VZWSupport
If my response answered your question please click the "Correct Answer" button under my response. This ensures others can benefit from our conversation. Thanks in advance for your help with this!!

studerje1
Enthusiast - Level 3

As you can see by my initial response to his post,

I acknowledged that it was helpful, but it was only half of the answer I'm seeking.

"I'm looking for a specific range of destination IP addresses to allow for the outbound rule. Just allowing the ports outbound without a specific destination won't work for us. We need to keep our outbound traffic limited to specific destinations."

vzw_customer_support
Customer Service Rep

studerje1,

I can understand your frustration with this and appreciate you reaching out to us. Verizon Wireless, unfortunately, wouldn't have a way to troubleshoot firewall issues. We only have the capability to troubleshoot our own network. Contacting Apple Support or your work facilitator will be your best option at this point. Please let me know if you have any other questions or concerns besides this that we can help with.

AliciaS_VZW
studerje1
Enthusiast - Level 3

We still need info from Verizon. This is not a firewall issue. This is an issue with Verizon not having published documentation showing the IP addresses that we need to allow outbound connections to.

So far, it looks like we have crowd-sourced the following information.

Enable UDP 500 & 4500 outbound to the following addresses:

141.207.225.232 - 232.sub-141-207-225.myvzw.com (IP Location shows US, California, San Jose)
141.207.227.232 - 232.sub-141-207-227.myvzw.com (IP Location shows US, Florida, Miami)
141.207.175.232 - 232.sub-141-207-175.myvzw.com (IP Location shows US, Missouri, Kansas City)

I used http://www.ip2location.com to look up locations; they may not be accurate.

You can start to see a bit of a pattern as far as the IP addresses go, but a true list from Verizon is really needed.

vortix, thanks for the info you are seeing from Ohio.

vortix
Enthusiast - Level 2

No problem. I have a couple more IPs based on activity I've seen:

141.207.149.232 - 232.sub-141-207-149.myvzw.com (IP Location shows US, Florida, Miami)

141.207.199.232 - 232.sub-141-207-199.myvzw.com (IP Location shows US, Texas, Dallas)

The pattern continues...

But as you said, Verizon needs to clarify the complete list in an official document for IT admins that want to enable (or disable) support for Wi-Fi calling in their organizations.

Haburi
Enthusiast - Level 2

The IP ranges seem to be all over the 141.207.0.0/16 space. We've recorded the following IPs:

141.207.131.232

141.207.175.232

141.207.227.232

141.207.225.233

The only thing that seems to be consistent is that the last octet is either 232 or 233.

The other problem is that the IP ranges don't really fit within a CIDR boundary either, so creating a restrictive firewall ruleset looks to be a bit troublesome.

Kokadjo
Newbie

All,

On my firewall I see these sites:

232.sub-141-207-131.myvzw.com [141.207.131.232]

232.sub-141-207-129.myvzw.com [141.207.129.232]

Verizon folks,

Please let us know the names and/or IP addresses that the phone will need to communicate with so that we can add rules to our firewalls to allow this traffic.

Thanx!

-K

Haburi
Enthusiast - Level 2

Here's a complete list from our worldwide firewall over the past few days.

Clearly they are not consistent, and while adding 141.207.0.0/16 may be huge, I don't see any way to really narrow this down cleanly.

141.207.139.232

141.207.203.254

141.207.215.254

141.207.145.244

141.207.197.254

141.207.151.232

141.207.199.232

141.207.141.254

141.207.193.254

141.207.149.232

141.207.173.232

141.207.179.254

141.207.129.232

141.207.175.232

141.207.137.232

141.207.201.254

141.207.231.254

141.207.183.232

141.207.177.254

141.207.181.254

141.207.225.232

141.207.131.232

141.207.211.232

141.207.145.240

141.207.183.254

141.207.213.254

141.207.209.232

141.207.143.254

141.207.225.254

141.207.197.232

141.207.227.232

141.207.209.254

141.207.243.254

141.207.211.254

141.207.181.232

141.207.199.254

141.207.229.254

141.207.195.254

141.207.137.254

141.207.145.243

141.207.155.254
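To make the two lists above (studerje1's crowd-sourced three addresses with UDP 500 and 4500, and Haburi's longer firewall export) directly usable, here is an added example, not part of the thread and not Verizon or Cisco guidance. It uses only the Python standard library: it collapses the observed /32s into the fewest exact CIDR blocks, shows the single supernet a lazy rule would open up (the whole upper half of the /16), tallies the last-octet pattern the thread noticed, emits allow rules for UDP 500/4500 only to the exact blocks, and scans firewall log lines for new 141.207.x.x destinations on those ports that are not yet in the allow list. The chain name, the iptables LOG-style sample lines and the "new" address 141.207.147.232 in them are constructed for the example.

```python
"""Summarize Wi-Fi Calling egress endpoints reported in the thread and emit
exact-match firewall rules.  Added example (standard library only), not
Verizon's or Cisco's published guidance."""
import ipaddress
import re
from collections import Counter

# Destinations reported in the thread for outbound UDP 500 / 4500.
OBSERVED = """
141.207.225.232 141.207.225.233 141.207.227.232 141.207.175.232 141.207.149.232
141.207.199.232 141.207.131.232 141.207.129.232 141.207.139.232 141.207.203.254
141.207.215.254 141.207.145.244 141.207.197.254 141.207.151.232 141.207.141.254
141.207.193.254 141.207.173.232 141.207.179.254 141.207.137.232 141.207.201.254
141.207.231.254 141.207.183.232 141.207.177.254 141.207.181.254 141.207.211.232
141.207.145.240 141.207.183.254 141.207.213.254 141.207.209.232 141.207.143.254
141.207.225.254 141.207.197.232 141.207.209.254 141.207.243.254 141.207.211.254
141.207.181.232 141.207.199.254 141.207.229.254 141.207.195.254 141.207.137.254
141.207.145.243 141.207.155.254
""".split()

VZW_SPACE = ipaddress.ip_network("141.207.0.0/16")   # the /16 Haburi mentions
IKE_PORTS = (500, 4500)                              # IKE and NAT-T, per the Cisco paper


def summarize(addrs):
    """Fewest exact CIDR blocks covering the addresses and nothing else.
    Only adjacent, aligned pairs merge (e.g. .232 and .233 -> /31)."""
    nets = [ipaddress.ip_network(a) for a in addrs]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def smallest_supernet(addrs):
    """The single CIDR that would cover every address: what a 'just summarize
    it' rule would actually open up."""
    nets = [ipaddress.ip_network(a) for a in addrs]
    lo = min(n.network_address for n in nets)
    hi = max(n.broadcast_address for n in nets)
    net = ipaddress.ip_network(f"{lo}/32")
    while hi not in net:
        net = net.supernet()
    return str(net)


def last_octet_histogram(addrs):
    """Count last octets, to check the .232 / .254 pattern the thread noticed."""
    return Counter(int(a.rsplit(".", 1)[1]) for a in addrs)


def iptables_rules(addrs, chain="FORWARD", ports=IKE_PORTS):
    """Allow UDP 500/4500 only to the exact observed blocks (chain name is assumed)."""
    dports = ",".join(str(p) for p in ports)
    return [f"iptables -A {chain} -p udp -d {net} -m multiport --dports {dports} -j ACCEPT"
            for net in summarize(addrs)]


LOG_RE = re.compile(r"DST=(?P<dst>[\d.]+).*?PROTO=(?P<proto>\w+).*?DPT=(?P<dpt>\d+)")


def new_candidates(log_lines, known, ports=IKE_PORTS):
    """Destinations inside the Verizon /16, hit on the IKE ports, that are not
    yet covered by the allow list.  Feed this the LOG output of a final
    'log and drop' rule to grow the list over time."""
    known_nets = [ipaddress.ip_network(a) for a in known]
    found = set()
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m or m["proto"] != "UDP" or int(m["dpt"]) not in ports:
            continue
        dst = ipaddress.ip_address(m["dst"])
        if dst in VZW_SPACE and not any(dst in n for n in known_nets):
            found.add(str(dst))
    return sorted(found)


# Constructed iptables LOG-style lines, not real captures.
SAMPLE_LOG = [
    "kernel: WIFICALL IN=eth1 OUT=eth0 SRC=10.20.5.23 DST=141.207.225.232 PROTO=UDP SPT=4500 DPT=4500 LEN=1248",
    "kernel: WIFICALL IN=eth1 OUT=eth0 SRC=10.20.5.23 DST=141.207.147.232 PROTO=UDP SPT=500 DPT=500 LEN=612",
    "kernel: WIFICALL IN=eth1 OUT=eth0 SRC=10.20.5.40 DST=141.207.147.232 PROTO=UDP SPT=4500 DPT=4500 LEN=1248",
    "kernel: WIFICALL IN=eth1 OUT=eth0 SRC=10.20.5.40 DST=8.8.8.8 PROTO=UDP SPT=51234 DPT=53 LEN=64",
    "kernel: WIFICALL IN=eth1 OUT=eth0 SRC=10.20.5.41 DST=141.207.190.10 PROTO=TCP SPT=51235 DPT=443 LEN=60",
]

if __name__ == "__main__":
    print("exact blocks:", len(summarize(OBSERVED)), "e.g.", summarize(OBSERVED)[:3])
    print("single supernet would be:", smallest_supernet(OBSERVED))
    print("last octets:", last_octet_histogram(OBSERVED).most_common())
    print("\n".join(iptables_rules(OBSERVED)[:2]), "...")
    print("not yet allowed:", new_candidates(SAMPLE_LOG, OBSERVED))
```

The point of `smallest_supernet` is the caveat Haburi raises: the observed hosts span 141.207.129.x to 141.207.243.x, so the only single CIDR that covers them is 141.207.128.0/17, which is half the block the thread was trying to avoid. Per-host (or /31) rules plus a logging catch-all for the rest of the /16 is the restrictive option; the log scan then tells you when a new endpoint appears without opening the whole range.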

vortix
Enthusiast - Level 2

Great info, Haburi. Thanks for sharing!

Verizon - I would suggest adding required IPs/ports to the Wi-Fi Calling FAQ at Wi Fi Calling FAQs | Verizon Wireless

Also, the question at the bottom of the FAQ ("Why can't I make or receive Wi-Fi calls?") should have a couple bullet points added:

- The Wi-Fi network you are connected to doesn't allow access to Verizon's Wi-Fi Calling servers

- The cellular signal is stronger than the Wi-Fi signal

studerje1
Enthusiast - Level 3

Haburi, that is a large list. How did you come about getting all those? They definitely break the pattern that we have been seeing, as far as everything ending in .232.

Haburi
Enthusiast - Level 2

This was pulled from our global firewall.

studerje1
Enthusiast - Level 3

Haburi, and all these addresses had outbound UDP 4500 connections to them?
