Hello All,

I have a number of X-Lite users in countries where the incumbent Telco will do anything to block VOIP traffic.

For some reason neither the X-Lite broadband nor dialup clients would register with my server unless we configure them to use the Xten Xtunnels demo server. Once the Client has registered the call quality is great! The problem is the Xtunnels does not support other IP Hard phones as yet.

I am aware that I could use an IAX2 based softphone instead but I am yet to find an IAX2 softphone that is stable!

My question here is what is the most effective way to handle this situation?

My Server Setup:
**************
Asterisk Server on a Public IP Address

X-Lite Clients Setup
***************
X-Lite clients geographically dispersed
There is a combination of dialup and broadband users but mainly dialup users (Yes there are still many people on dialup!!)

Sip.conf
******
context=from-sip
realm=mydomain.com

port=5060
bindaddr=0.0.0.0
srvlookup=yes

disallow=all
allow=ilbc
allow=gsm
allow=ulaw

tos=lowdelay

[65908712] ;X-Lite Client
type=friend
secret=xxxxxxxx
auth=md5
nat=yes
host=dynamic
reinvite=no
canreinvite=no
qualify=1000
dtmfmode=rfc2833
callerid="" <65908712>
disallow=all
allow=ilbc
allow=gsm
context=from-sip

I look forward to your comments and suggestions.

Kind regards,

Errol Samuels
Benjamin on Asterisk Mailing Lists
2004-Sep-29 00:26 UTC
[Asterisk-Users] Nat Traversal help!
On Wed, 29 Sep 2004 07:18:57 +0100, E Samuels <support@biz4web.com> wrote:
> I have a number of X-Lite users in countries where the incumbent Telco will
> do anything to block VOIP traffic.

Welcome to the club ;-)

Having said that, it's not always deliberate actions by service providers which is the cause. In respect of NAT traversal, SIP is fundamentally broken and requires duct tape and other such kludges to work. In some cases even those utensils won't help.

The proper solutions come down to:

1) Don't use NAT
2) If you have to use NAT, don't use SIP
3) If you have to use both NAT and SIP, use tunneling

If you can't do any of the above there is no proper solution, you will have to fiddle until you find a workaround that does the trick for you. This is often rather time consuming and it may continue to be time consuming because it cannot always be assured that the duct tape won't come off.

Also, be aware that many of those SIP/NAT traversal workarounds have bad side effects, most often security related. UPnP for example is a perfect way to make your firewall useless.

Assuming that you can't avoid NAT, let's go through the list one by one ...

#2 Don't use SIP

This doesn't have to mean you can't use a SIP client. You could use a SIP client at the remote end, then let the SIP client talk to a local Asterisk server at the remote end which talks to your site via IAX. In other words, use a SIP/IAX gateway.

This doesn't have to mean that you need a dedicated Linux box at the remote end. If the remote end is a Windoze notebook with X-Lite on it for example, you could install AstWind on that and configure X-Lite to talk to the Asterisk running inside of coLinux on the same notebook, which in turn would then talk IAX to you.

If the remote end is a Mac running MacOSX, ie a Powerbook, then you can even run Asterisk on that natively and again configure X-Lite to talk to the local Asterisk to then pass the call via IAX to you.
Anyway, I have put up a Wiki page on how to run X-Lite alongside Asterisk for this particular scenario:

http://www.voip-info.org/tiki-index.php?page=Localhost%20gateway

#3 Use tunneling

On non-Windoze systems you can configure a typically already installed IPsec on the remote machine to tunnel in to your network or your Asterisk server. On Linux you can use OpenSwan for that, on BSD and MacOSX you use KAME.

Some more recent Windoze versions have limited IPsec support but I am not sure which ones -- it may be the server versions only. However, there are commercial IPsec clients for Windoze desktops. Type IPsec into Versiontracker and there should be at least two entries.

If you have PPTP support on your network, you can of course use PPTP.

If you don't have a VPN server yet, I recommend Wolverine.

http://www.vortech.net

This is a shrinkwrapped embedded Linux based VPN firewall package that runs on hardware as old as a Pentium 75MHz and it can boot off a 32MB Compact Flash card using a CF/IDE adapter. It's made configuration compatible with Cisco Pixes, so if you know how to configure a Cisco Pix, then you already know how to configure Wolverine.

Wolverine uses the OpenSwan IPsec stack and it has PPTP support as well. It can be installed in as little as 3 minutes and configuration is very straightforward. The guy who is behind this, Joshua Jackson, is very committed and helpful. You will find it difficult to get support like that from Cisco no matter how many $$$$$ you paid for gear and maintenance. A single Wolverine license is 30 USD.

#4 Fiddle with SIP

You can of course try to make your X-Lite clients work through NAT. The key to that is turning on SIP debugging on both your Asterisk server and the X-Lite client, then watch what happens and try to make sense of the SIP messages.

On the Asterisk console you enable SIP debugging by entering the command "sip debug", and you switch it off again by entering "sip no debug".
On X-Lite the same feature is called Diagnostics Window and it can be enabled through the menu and keyboard shortcuts depending on the version of X-Lite (it appears to be changing all the time).

As a starting point, take a working X-Lite client and record the SIP messages of a successful session. Then you can go about analysing the transcript of a failing session. The idea is to use the various parameters you have at your disposal to try and replicate the very same messages you find in the transcript of the successful session.

For example, if the transcript of the successful session has a reply-to field with the public IP address of the NAT router and the transcript of the failing session has a local 192.168.x.x address there, try to convince X-Lite not to send the internal IP address.

The challenge with this is often X-Lite's clumsy configuration menu. You never know if one setting alone will actually do what it says it does. Sometimes the same or a similar parameter is hidden somewhere else in the menu and it only accepts the setting if both these parameters are changed. Go figure. Sometimes, X-Lite seems to want to be restarted before it accepts a change. This can be a bit of a patience-challenging exercise.

Most likely you will need to adjust the settings only on the X-Lite side, but if you do need to change the settings on Asterisk, watch out for parameters such as externip, fromdomain, realm etc.

And one more thing ... it sometimes helps to fix the media port (RTP) on which the audio traffic is sent between client and server. By default this port is determined at random which can complicate things even more than they already are.

Good Luck!

rgds
benjk

--
Sunrise Telephone Systems, 9F Shibuya Daikyo Bldg., 1-13-5 Shibuya, Tokyo, Japan.
NB: Spam filters in place. Messages unrelated to the * mailing lists may get trashed.
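The transcript comparison described under #4 above, as an added example that is not part of the original post: it pulls the addresses out of the Via and Contact headers and the SDP o=/c= lines of two captured messages, flags RFC 1918 addresses, and shows which fields differ. The sample message, the host pbx.example.net, both addresses and all function names are constructed for illustration.

```python
import ipaddress
import re

# Fields whose addresses the far end will try to reach (SIP headers, SDP lines).
ADDRESS_FIELDS = ("via", "contact", "o", "c")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed, abbreviated INVITE; only the advertised address differs.
TEMPLATE = """\
INVITE sip:100@pbx.example.net SIP/2.0
Via: SIP/2.0/UDP {addr}:5060;rport;branch=z9hG4bKa1
Contact: <sip:65908712@{addr}:5060>
Content-Type: application/sdp

v=0
o=- 1 1 IN IP4 {addr}
c=IN IP4 {addr}
m=audio 8000 RTP/AVP 3
"""
WORKING = TEMPLATE.format(addr="203.0.113.7")   # public address of the NAT router
FAILING = TEMPLATE.format(addr="192.168.1.20")  # client's internal address

def address_fields(message):
    """Map field name -> IPv4 addresses it carries (SIP headers and SDP lines)."""
    found = {}
    for line in message.splitlines():
        m = re.match(r"^([A-Za-z-]+)\s*[:=]\s*(.*)$", line)  # "Name: v" or "x=v"
        if m and m.group(1).lower() in ADDRESS_FIELDS:
            found.setdefault(m.group(1).lower(), []).extend(IPV4.findall(m.group(2)))
    return found

def is_rfc1918(addr):
    try:
        return any(ipaddress.ip_address(addr) in net for net in RFC1918)
    except ValueError:  # the regex also matches strings like 999.1.1.1
        return False

def leaked_private(message):
    """Sorted (field, address) pairs where a private address is advertised."""
    return sorted({(f, a) for f, addrs in address_fields(message).items()
                   for a in addrs if is_rfc1918(a)})

def compare(working, failing):
    """Fields whose addresses differ between the two transcripts."""
    w, f = address_fields(working), address_fields(failing)
    return {k: (w.get(k, []), f.get(k, [])) for k in ADDRESS_FIELDS
            if w.get(k, []) != f.get(k, [])}
```

The functions work line by line, so text copied from the Asterisk console or the X-Lite diagnostics window can be passed in without trimming the surrounding debug output.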
I have been using the Firefly softphone with IAX for quite a while and it seems very stable.

Paul Mahler
pmahler@signate.com
Signate, LLC
665 Third Street Suite 100
San Francisco, CA 94107-1901
Asterisk Services and Training

> -----Original Message-----
> From: asterisk-users-bounces@lists.digium.com
> [mailto:asterisk-users-bounces@lists.digium.com] On Behalf Of
> E Samuels
> Sent: Tuesday, September 28, 2004 10:19 PM
> To: asterisk-users@lists.digium.com
> Subject: [Asterisk-Users] Nat Traversal help!
>
> Hello All,
>
> I have a number of X-Lite users in countries where the
> incumbent Telco will do anything to block VOIP traffic.
>
> For some reason neither the X-Lite broadband nor dialup
> clients would register with my server unless we configure
> them to use the Xten Xtunnels demo server. Once the Client
> has registered the call quality is great! The problem is the
> Xtunnels does not support other IP Hard phones as yet.
>
> I am aware that I could use an IAX2 based softphone instead
> but I am yet to find an IAX2 softphone that is stable!
>
> My question here is what is the most effective way to handle
> this situation?
>
> My Server Setup:
> **************
> Asterisk Server on a Public IP Address
>
> X-Lite Clients Setup
> ***************
> X-Lite clients geographically dispersed
> There is a combination of dialup and broadband users but
> mainly dialup users (Yes there are still many people on dialup!!)
>
> Sip.conf
> ******
> context=from-sip
> realm=mydomain.com
>
> port=5060
> bindaddr=0.0.0.0
> srvlookup=yes
>
> disallow=all
> allow=ilbc
> allow=gsm
> allow=ulaw
>
> tos=lowdelay
>
> [65908712] ;X-Lite Client
> type=friend
> secret=xxxxxxxx
> auth=md5
> nat=yes
> host=dynamic
> reinvite=no
> canreinvite=no
> qualify=1000
> dtmfmode=rfc2833
> callerid="" <65908712>
> disallow=all
> allow=ilbc
> allow=gsm
> context=from-sip
>
> I look forward to your comments and suggestions.
>
> Kind regards,
>
> Errol Samuels