You are based in the UK, use Symantec Web Security Service (WSS), and want to use the Apple Wifi-Calling feature on your iPhone. Your carrier is Vodafone and you have the feature enabled. Your WSS access method is IPsec.
When Wifi-Calling is enabled and working you should see in the status bar a message:
However, this message does not appear, and when you run a packet capture (PCAP) on the edge device for the IP address of the iPhone, you see an Internet Control Message Protocol (ICMP) Type 3 Code 3 packet sent to the Wifi-Calling IP address.
Internet Control Message Protocol
Type: 3 (Destination unreachable)
Code: 3 (Port unreachable)
Checksum: 0xd978 [correct]
[Checksum Status: Good]
Internet Protocol Version 4, Src: x.x.x.x, Dst: x.x.x.x
User Datagram Protocol, Src Port: 4500, Dst Port: 4500
Source Port: 4500
Destination Port: 4500
[Checksum Status: Not present]
[Stream index: 0]
On your edge device, which is the IPsec peer to WSS, the iPhone's IP address is configured to be forwarded over the IPsec tunnel to WSS.
Apple Wifi-Calling uses IPsec, and since your WSS access method is also IPsec, you have IPsec over IPsec. The inner IPsec is subject to WSS Network Address Translation (NAT), so NAT-Traversal (NAT-T) is triggered during tunnel negotiation and ports UDP 500 and UDP 4500 are used.
UDP 500 is used by Internet Key Exchange (IKE) / Internet Security Association and Key Management Protocol (ISAKMP), and UDP 4500 is used by IPsec.
It was observed that firewall or antivirus-capable apps can block these ports.
To get the Wifi-Calling IP look for a Domain Name System (DNS) query sent from the iPhone to
Run a PCAP to make sure that no iPhone security app, such as Symantec SEP Mobile or any other third-party antivirus scanning or firewall solution, is blocking the ports. If you do find such a solution on the iPhone, allow these ports or remove the conflicting app.
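As an added example (not part of the original article), the following Python check can be run over raw IPv4 packets exported from the edge-device capture to flag the symptom shown above: an ICMP Type 3 Code 3 message that quotes a UDP 4500 datagram. The function names and the sample addresses (documentation ranges) are constructed for illustration.

```python
import socket
import struct

NAT_T_PORT = 4500  # UDP port used by IPsec NAT-Traversal

def ipv4_header_len(pkt: bytes) -> int:
    """Return the IPv4 header length in bytes, or 0 if pkt is not usable IPv4."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return 0
    ihl = (pkt[0] & 0x0F) * 4
    return ihl if 20 <= ihl <= len(pkt) else 0

def blocked_nat_t(pkt: bytes):
    """Return (icmp_sender, quoted_src, quoted_dst) when pkt is an ICMP
    Type 3 Code 3 message quoting a UDP 4500 datagram, else None."""
    ihl = ipv4_header_len(pkt)
    if not ihl or pkt[9] != 1:                 # IP protocol 1 = ICMP
        return None
    icmp = pkt[ihl:]
    if len(icmp) < 8 or icmp[0] != 3 or icmp[1] != 3:
        return None                            # not Destination/Port unreachable
    inner = icmp[8:]                           # quoted original IP header + start of UDP
    inner_ihl = ipv4_header_len(inner)
    # IP protocol 17 = UDP; need at least the two port fields of the UDP header
    if not inner_ihl or inner[9] != 17 or len(inner) < inner_ihl + 4:
        return None
    sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    if NAT_T_PORT not in (sport, dport):
        return None
    return tuple(socket.inet_ntoa(a) for a in (pkt[12:16], inner[12:16], inner[16:20]))

def build_ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Build a minimal IPv4 packet for the constructed samples (checksum left 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst)) + payload

# Constructed sample data: documentation addresses, not values from a real capture.
PHONE, GATEWAY = "192.0.2.10", "198.51.100.20"
SAMPLE_UDP = build_ipv4(17, GATEWAY, PHONE, struct.pack("!HHHH", 4500, 4500, 8, 0))
SAMPLE_ICMP = build_ipv4(1, PHONE, GATEWAY, struct.pack("!BBHI", 3, 3, 0, 0) + SAMPLE_UDP)

if __name__ == "__main__":
    print(blocked_nat_t(SAMPLE_ICMP))
```

A match whose ICMP sender is the iPhone's address indicates that the UDP 4500 datagram reached the phone and was rejected there, which is the case the article attributes to a security app blocking the port.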