You are based in the UK, have Symantec Web Security Service (WSS) and want to use Apple Wifi-Calling feature on your iPhone. Your carrier is Vodafone and you have the feature enabled. Also your WSS access method is IPsec.
The iPhone's IP address is on your edge device, which is the IPsec peer to WSS, configured to be forwarded over the IPsec tunnel to WSS.
When Wifi-Calling is enabled and working you should see in the status bar a message:
However this message does not come up and when you run a packet capture (PCAP) on the edge device for the IP address of the iPhone you see Internet Control Message Protocol (ICMP) Type 3 Code 3 packet sent to the Wifi-Calling IP address.
Internet Control Message Protocol
Type: 3 (Destination unreachable)
Code: 3 (Port unreachable)
Checksum: 0xd978 [correct]
[Checksum Status: Good]
Internet Protocol Version 4, Src: x.x.x.x, Dst: x.x.x.x
User Datagram Protocol, Src Port: 4500, Dst Port: 4500
Source Port: 4500
Destination Port: 4500
[Checksum Status: Not present]
[Stream index: 0]
Apple Wifi-Calling uses IPsec and since your WSS access method is IPsec you have IPsec over IPsec. The inner IPsec is a subject to WSS Network Address Translation (NAT) and therefore during the tunnel negotiation NAT-Traversal (NAT-T) will de triggered and ports UDP 500 and UDP 4500 will be used.
UDP 500 is used by Internet Key Exchange (IKE) Internet Security Association and Key Management Protocol (ISAKMP) and UDP 4500 is used by IPSec.
It was observed that firewall or anti virus capable apps can block these ports.
To get the Wifi-Calling IP look for a Domain Name System (DNS) query sent from the iPhone to epdg.epc.mnc015.mcc234.pub.3gppnetwork.org.
By running a PCAP make sure that no iPhone security app such as Symantec SEP Mobile or any other 3rd party Antivirus Scanning solution / Firewall solution is blocking the ports. If you do find such solution on the iPhone allow these ports or remove the conflicting app.
Subscribing will provide email updates when this Article is updated. Login is required.
Thanks for your feedback. Let us know if you have additional comments below. (requires login)
Subscribed to the Article.
Unable to subscribe
Thanks for your additional feedback !!!
Enterprise Support Virtual Agent
Rate Me :
Tell us more:
Welcome! My name is Sami, the Enterprise Support Virtual Agent answering technical support questions.