It appears that the wi-fi calling feature that has finally rolled out for iPhones with iOS 9.3 will require some firewall changes for corporate firewalls.
It looks like the feature establishes a per-app VPN for the calling feature. IPsec and IKE protocols appear to be in use.
I'm hoping to find documentation from Verizon on what ports and addresses to enable for this feature.
Can anyone point me in the right direction?
Have you seen this Cisco document for getting wifi calling working? IPSec using UDP ports 500 and 4500.
@Weth, thanks for the document, I had not seen it yet.
I see the line that states: "IPsec: The enterprise firewall policy needs to enable User Datagram Protocol (UDP) ports 500 and 4500 for IPsec to work properly."
I'm looking for a specific range of destination IP addresses to allow for the outbound rule. Just allowing the ports outbound without a specific destination won't work for us. We need to keep our outbound traffic limited to specific destinations.
Thanks,
-Jon
Got it. Same reason I can't get it turned on in our hospital. Sure would be great for the far reaches of the basement with X-ray blocking walls near the radiology suite! Unless someone chimes in at a level of Verizon network technical knowledge that I have not seen in this forum, you'll need to get by the first 2 layers of CS so a third level can put in a request for a technical contact.
Did you see where it is connecting to from a less controlled network, i.e. home?
Agreed. Not going to hold my breath.
I called CS today and they told me to call Apple Care Support number because CS had not been briefed on 9.3 calling feature yet, and since it's an Apple device, I needed to call Apple.
I think I'm going to try our business rep.
I also sent a tweet to @VZWSupport to see if they had any info, nothing yet. Trying multiple channels to see if I can get a quick resolution.
Still haven't found any official documentation yet but I did some sleuthing and found the following needs to be enabled.
As @Weth noted, the Cisco document recommends the following ports need to be allowed outbound
udp/4500
udp 500
Only 2 Verizon IP addresses appear in the destination list, but not sure if they are regional.
141.207.225.232 - 232.sub-141-207-225.myvzw.com (Appears to be West coast)
141.207.227.232 - 232.sub-141-207-227.myvzw.com (Appears to be East coast)
We've enabled outbound traffic to these addresses on these ports and it works.
YMMV
This continues to work successfully for us. Still nothing back from Verizon support.
For what it's worth, I detected a connection to IP 141.207.175.232 when making a WiFi call in Ohio. Hopefully Verizon can chime in with an official, complete list of IPs.
I am on the west coast and consistently link to 141.207.227.232 at home UDP 4500
studerje1, We always want your concerns to be addressed and solved properly. This is a community forum and we provide the community the initial opportunity to answer here. We do see here that @Weth was able to provide you with a great solution to your concern. Is everything working currently? Do you have any other concerns?
JoelR_VZW
Follow us on Twitter @VZWSupport
If my response answered your question please click the "Correct Answer" button under my response. This ensures others can benefit from our conversation. Thanks in advance for your help with this!!
As you can see by my initial response to his post.
I acknowledged that it was helpful, but was only half of the answer I'm seeking.
"I'm looking for a specific range of destination IP addresses to allow for the outbound rule. Just allowing the ports outbound without a specific destination won't work for us. We need to keep our outbound traffic limited to specific destinations."
studerje1,
I can understand your frustration with this & appreciate you reaching out to us. Verizon Wireless unfortunately, wouldn't have a way to troubleshoot firewall issues. We only have the capability to troubleshoot our own network. Contacting Apple Support or your work facilitator will be your best option at this point. Please let me know if you have any other questions or concerns besides this that we can help with.
AliciaS_VZW
We still need info from Verizon. This is not a firewall issue. This is an issue with Verizon not having published documentation showing the IP addresses that we need to allow outbound connections to.
So far, it looks like we have crowd sourced the following information.
Enable UDP 500 & 4500 outbound to the following addresses:
141.207.225.232 - 232.sub-141-207-225.myvzw.com (IP Location shows US, California, San Jose)
141.207.227.232 - 232.sub-141-207-227.myvzw.com (IP Location shows US, Florida, Miami)
141.207.175.232 - 232.sub-141-207-175.myvzw.com (IP Location shows US, Missouri, Kansas City)
I used http://www.ip2location.com to look up locations; they may not be accurate.
You can start to see a bit of a pattern, as far as the IP addresses, but a true list from Verizon is really needed.
vortix, thanks for the info you are seeing from Ohio.
No problem. I have a couple more IPs based on activity I've seen:
141.207.149.232 - 232.sub-141-207-149.myvzw.com (IP Location shows US, Florida, Miami)
141.207.199.232 - 232.sub-141-207-199.myvzw.com (IP Location shows US, Texas, Dallas)
The pattern continues....
But as you said, Verizon needs to clarify the complete list in an official document for IT admins that want to enable (or disable) support for Wifi calling in their organizations.
The IP ranges seem to be all over the 141.207.0.0/16 space. We've recorded the following IPs:
141.207.131.232
141.207.175.232
141.207.227.232
141.207.225.233
The only thing that seems to be consistent is the last octet is either 232 or 233.
The other problem is the IP ranges don't really fit within a CIDR boundary either so creating a restrictive firewall ruleset looks to be a bit troublesome.
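Added example (not part of any poster's reply and not Verizon documentation): Python's `ipaddress` module applied to the destinations reported in the thread up to this point, showing how little they aggregate and how wide a single covering prefix would be. `review_flows` and the sample flows are hypothetical, constructed here to show how denied flows could be vetted before an allowlist is widened.

```python
import ipaddress

# Destinations posters reported up to this point in the thread (not an official list).
OBSERVED = [
    "141.207.225.232", "141.207.227.232", "141.207.175.232",
    "141.207.149.232", "141.207.199.232", "141.207.131.232",
    "141.207.225.233",
]
PORTS = {500, 4500}  # UDP ports named in the Cisco document quoted in the thread
VZW_BLOCK = ipaddress.ip_network("141.207.0.0/16")  # range discussed in the thread


def aggregate(addrs):
    """Exact merge: fewest CIDR blocks that admit no address beyond those listed."""
    return list(ipaddress.collapse_addresses(ipaddress.ip_network(a) for a in addrs))


def smallest_cover(addrs):
    """Smallest single prefix containing every address (admits many unlisted hosts)."""
    ips = [int(ipaddress.ip_address(a)) for a in addrs]
    prefix = 32 - (min(ips) ^ max(ips)).bit_length()
    return ipaddress.ip_network((min(ips), prefix), strict=False)


def review_flows(flows, allow):
    """Split denied flows into Wi-Fi Calling candidates (UDP 500/4500 into the /16) and the rest."""
    candidates, other = [], []
    for dst, proto, port in flows:
        ip = ipaddress.ip_address(dst)
        if any(ip in net for net in allow):
            continue  # already permitted by the exact allowlist
        hit = proto == "udp" and port in PORTS and ip in VZW_BLOCK
        (candidates if hit else other).append(dst)
    return candidates, other


if __name__ == "__main__":
    allow = aggregate(OBSERVED)
    cover = smallest_cover(OBSERVED)
    print("exact allowlist:", ", ".join(map(str, allow)))
    print(f"single covering prefix: {cover} ({cover.num_addresses} addresses)")
    # Constructed sample of denied outbound flows, for illustration only.
    sample = [("141.207.130.232", "udp", 4500), ("141.207.225.233", "udp", 500),
              ("198.51.100.7", "udp", 4500), ("141.207.130.232", "tcp", 443)]
    print(review_flows(sample, allow))
```

The exact merge only joins the adjacent .232/.233 pair, so the choice is between a list of host rules that must be maintained by hand and one prefix that admits thousands of unlisted hosts.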
All,
On my firewall I see these sites:
232.sub-141-207-131.myvzw.com [141.207.131.232]
232.sub-141-207-129.myvzw.com [141.207.129.232]
Verizon folks,
Please let us know the names and/or IP addresses that the phone will need to communicate with so that we can add rules to our firewalls to allow this traffic.
Thanx!
-K
Here's a complete list from our world wide firewall over the past few days..
Clearly they are not consistent and while adding 141.207.0.0/16 may be huge, I don't see any way to really narrow this down cleanly.
Great info, Haburi...thanks for sharing!
Verizon - I would suggest adding required IPs/ports to the Wi-Fi Calling FAQ at Wi Fi Calling FAQs | Verizon Wireless
Also, the question at the bottom of the FAQ ("Why can't I make or receive Wi-Fi calls?") should have a couple bullet points added:
- The Wi-Fi network you are connected to doesn't allow access to Verizon's Wi-Fi Calling servers
- The cellular signal is stronger than the Wi-Fi signal
Haburi, that is a large list. How did you come about getting all those? They definitely break the pattern that we have been seeing as far as everything ending in .232.
This was pulled from our global firewall.
Haburi, and all these addresses had outbound UDP 4500 connections to them?