search cancel

Apple Wifi-Calling and WSS

book

Article ID: 173642

calendar_today

Updated On:

Products

Web Security Service - WSS

Issue/Introduction

You are based in the UK, have Symantec Web Security Service (WSS) and want to use Apple Wifi-Calling feature on your iPhone. Your carrier is Vodafone and you have the feature enabled. Also your WSS access method is IPsec.

When Wifi-Calling is enabled and working you should see in the status bar a message:


However this message does not come up and when you run a packet capture (PCAP) on the edge device for the IP address of the iPhone you see Internet Control Message Protocol (ICMP) Type 3 Code 3 packet sent to the Wifi-Calling IP address.

 

Internet Control Message Protocol

    Type: 3 (Destination unreachable)

       Code: 3 (Port unreachable)

    Checksum: 0xd978 [correct]

    [Checksum Status: Good]

    Unused: 00000000

    Internet Protocol Version 4, Src: x.x.x.x, Dst: x.x.x.x

    User Datagram Protocol, Src Port: 4500, Dst Port: 4500

        Source Port: 4500

        Destination Port: 4500

        Length: 92

        [Checksum: [missing]]

        [Checksum Status: Not present]

        [Stream index: 0]

 

Environment

The iPhone's IP address is on your edge device, which is the IPsec peer to WSS, configured to be forwarded over the IPsec tunnel to WSS.

Cause

Apple Wifi-Calling uses IPsec and since your WSS access method is IPsec you have IPsec over IPsec. The inner IPsec is a subject to WSS Network Address Translation (NAT) and therefore during the tunnel negotiation NAT-Traversal (NAT-T) will de triggered and ports UDP 500 and UDP 4500 will be used.

UDP 500 is used by Internet Key Exchange (IKE) Internet Security Association and Key Management Protocol (ISAKMP) and UDP 4500 is used by IPSec.

It was observed that firewall or anti virus capable apps can block these ports.

To get the Wifi-Calling IP look for a Domain Name System (DNS) query sent from the iPhone to epdg.epc.mnc015.mcc234.pub.3gppnetwork.org.

Resolution

By running a PCAP make sure that no iPhone security app such as Symantec SEP Mobile or any other 3rd party Antivirus Scanning solution / Firewall solution is blocking the ports. If you do find such solution on the iPhone allow these ports or remove the conflicting app.

Attachments