Hello,

I have the following situation: A firewall is blocking all SIP and RTP traffic on the side of some of my clients. My clients cannot change the settings of the firewall.

I need to solve this problem and I need some help from you.

I have this idea: implement a SIP user agent which does not use well-known SIP ports (uses HTTP port 80, for example) and uses other ports that are not blocked by the firewall for RTP (FTP, HTTPS, SSH, ... ports). Then, configure Asterisk to use the same ports to interact with the client.

Is this idea feasible? If not, what are the problems? Please give me your opinions about the situation.

Thank you.
Have you considered using IAX instead of SIP? IAX2 is a VoIP protocol that carries both signaling and media on the same port:

http://en.wikipedia.org/wiki/Inter-Asterisk_eXchange

From: asterisk-users-bounces at lists.digium.com [mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of mosbah.abdelkader
Sent: Thursday, February 11, 2010 8:37 AM
To: asterisk-users at lists.digium.com
Subject: [asterisk-users] SIP tunnel

Hello,

I have the following situation: A firewall is blocking all SIP and RTP traffic on the side of some of my clients. My clients cannot change the settings of the firewall.

I need to solve this problem and I need some help from you.

I have this idea: implement a SIP user agent which does not use well-known SIP ports (uses HTTP port 80, for example) and uses other ports that are not blocked by the firewall for RTP (FTP, HTTPS, SSH, ... ports). Then, configure Asterisk to use the same ports to interact with the client.

Is this idea feasible? If not, what are the problems? Please give me your opinions about the situation.

Thank you.
See at:

1) openvpn / ipsec tunnels
2) IAX protocol

The firewall makes its decision not on ports but on traffic contents. Changing ports will not help.

Hope it helps.

On Thu, 2010-02-11 at 14:37 +0100, mosbah.abdelkader wrote:
> Hello,
>
> I have the following situation: A firewall is blocking all SIP and RTP
> traffic on the side of some of my clients. My clients cannot change
> the settings of the firewall.
>
> I need to solve this problem and I need some help from you.
>
> I have this idea: implement a SIP user agent which does not use
> well-known SIP ports (uses HTTP port 80, for example) and uses other ports
> that are not blocked by the firewall for RTP (FTP, HTTPS,
> SSH, ... ports). Then, configure Asterisk to use the same ports to
> interact with the client.
>
> Is this idea feasible? If not, what are the problems? Please give me
> your opinions about the situation.
>
> Thank you.

--
Best regards,
Vince Mallow
xmpp: wins at jabber.slan.ru
web: http://gentoo-way.blogspot.com
On Thu, Feb 11, 2010 at 6:37 AM, mosbah.abdelkader <mosbah.abdelkader at gmail.com> wrote:
> Hello,
>
> I have the following situation: A firewall is blocking all SIP and RTP
> traffic on the side of some of my clients. My clients cannot change the settings
> of the firewall.
>
> I need to solve this problem and I need some help from you.
>

I would definitely say use a VPN. All you need is one UDP port accessible on the server side (and no outgoing connection blocks on the firewalled side, which is usually the case - at least something has to be open somewhere), and then you can run any protocol you want, that uses any ports, and no problem at all.

Check out OpenVPN. It's free, easy to set up, and has clients for all platforms.

Andrew
Thank you Jamie for your good reply.

It is a very good idea to have the media and control transported over the same port with the IAX protocol.

The difficulty is that the port is not well known by the network admins. It is usually blocked.

My idea is to use a well-known port like port 80 (that is not blocked). Skype, for example, uses this port.

I need recommendations and help.

Thanks.

*--
Please discover scientific miracles of CORAN
http://www.55a.net/*
Problem is that the port 80 you are talking about is a TCP port. VoIP (IAX and RTP) use UDP.

On 2/11/10, mosbah.abdelkader <mosbah.abdelkader at gmail.com> wrote:
> Thank you Jamie for your good reply.
>
> It is a very good idea to have the media and control transported over the
> same port with the IAX protocol.
>
> The difficulty is that the port is not well known by the network admins.
> It is usually blocked.
>
> My idea is to use a well-known port like port 80 (that is not blocked). Skype,
> for example, uses this port.
>
> I need recommendations and help.
>
> Thanks.
>
> *--
> Please discover scientific miracles of CORAN
>
> http://www.55a.net/*
>

--
Sent from my mobile device
> My idea is to use a well-known port like port 80 (that is not blocked).
> Skype, for example, uses this port.

If you are in a situation where the ISP/government is blocking VoIP you are probably going to have to encrypt it to get it through, and that may not even work.

I have a client who has facilities in Belize where BTL apparently employs quite sophisticated deep packet inspection... SIP or IAX on any port combination would drop about half a second after the media starts. IPSec over UDP/IKE were completely blocked as well. I ended up using IPSEC over TCP as it was not interfered with.

If the ISP or government are not the problem, only firewalls... IIRC in a typical NAT setup you could have the client register to you using IAX - this will keep the port open through the NAT device so you can send calls to them without them having to map ports in their firewall.

sl
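The point raised in the replies above, that a firewall inspecting traffic contents recognises VoIP on any port, shown as an added example (not code from any poster and not a model of any real firewall product): a minimal content-based flow classifier. The sample flows, the addresses and the three-packet threshold are constructed assumptions.

```python
import hashlib
import re
import struct

METHODS = b"INVITE|ACK|BYE|CANCEL|OPTIONS|REGISTER|SUBSCRIBE|NOTIFY|MESSAGE|INFO"
# A SIP message starts with a request line or a status line (RFC 3261).
SIP_START = re.compile(
    rb"^(?:(?:" + METHODS + rb") \S+ SIP/2\.0|SIP/2\.0 \d{3} [^\r\n]*)\r\n")

def parse_rtp(payload):
    """Return (sequence, ssrc) if payload has a plausible RTP v2 header, else None."""
    if len(payload) < 12:
        return None
    b0, b1, seq, _ts, ssrc = struct.unpack("!BBHII", payload[:12])
    if b0 >> 6 != 2:                           # version field must be 2
        return None
    if 12 + 4 * (b0 & 0x0F) > len(payload):    # CSRC list must fit in the packet
        return None
    if 72 <= (b1 & 0x7F) <= 76:                # these values collide with RTCP
        return None
    return seq, ssrc

def classify_flow(payloads, min_packets=3):
    """Label one flow (UDP payloads in arrival order) by content; the port is never used."""
    if payloads and SIP_START.match(payloads[0]):
        return "sip"
    parsed = [parse_rtp(p) for p in payloads]
    if len(parsed) >= min_packets and all(parsed):
        same_ssrc = len({ssrc for _, ssrc in parsed}) == 1
        in_order = all((b[0] - a[0]) % 65536 == 1 for a, b in zip(parsed, parsed[1:]))
        if same_ssrc and in_order:
            return "rtp"
    return "unknown"

def rtp_packet(seq, ssrc=0x1234ABCD, payload_type=0):
    """Build a constructed RTP packet: 12-byte header plus 160 zero bytes."""
    return struct.pack("!BBHII", 0x80, payload_type, seq, seq * 160, ssrc) + bytes(160)

# Constructed sample flows keyed by (protocol, destination port); none is real traffic.
SAMPLE_FLOWS = {
    ("udp", 80): [b"REGISTER sip:pbx.example.test SIP/2.0\r\n"
                  b"Via: SIP/2.0/UDP 192.0.2.10:80\r\n\r\n"],
    ("udp", 443): [rtp_packet(s) for s in (65534, 65535, 0, 1)],  # sequence wraps
    ("udp", 53): [bytes([0x12, 0x34 + i]) + b"\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
                  b"\x03pbx\x07example\x04test\x00\x00\x01\x00\x01" for i in range(3)],
    # Random-looking bytes standing in for an encrypted tunnel.
    ("udp", 1194): [hashlib.sha256(b"constructed %d" % i).digest() * 4 for i in range(4)],
}

def classify_all(flows):
    return {key: classify_flow(payloads) for key, payloads in flows.items()}

if __name__ == "__main__":
    for key, label in classify_all(SAMPLE_FLOWS).items():
        print(key, label)
```

The RTP verdict needs several consecutive packets, so a classifier of this kind can only act once media is already flowing.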
Hello Scott,

First, I want to thank you for your good help.

I need to handle all the failure situations of VoIP calls. Sometimes, the source of failure is the ISP and the government themselves, who inspect traffic with powerful firewalls, and sometimes the problem comes from the client who does not have sufficient knowledge to allow VoIP traffic in his network.

For all these reasons, I need to implement a generic user agent to have it working after its launch in all the situations.

--
Please discover scientific miracles of CORAN
http://www.55a.net/
Thank you. Good tip.

--
Please discover scientific miracles of CORAN
http://www.55a.net/
> Problem is that the port 80 you are talking about is a TCP port.
> VoIP (IAX and RTP) use UDP

Yes, true. HTTP uses TCP port 80. I mentioned port 80 as an example (even if it can be used for SIP signaling: SIP also supports TCP).

For RTP, UDP must be used. We can use another well-known UDP port.

But, from other replies from the Asterisk community, the use of well-known ports does not solve the problem in all cases, because in some scenarios the firewall inspects the traffic and cuts it off if it discovers that it corresponds to VoIP traffic.

Some users have recommended to me the use of VPN technology through the OpenVPN open source tool. I will try to use it and give the results of the work to the Asterisk community.

I thank all the community a lot for its very good and professional help. I am really pleased by that.

--
*Please discover scientific miracles of CORAN*
http://www.55a.net/
> From a technical point UDP and TCP ports are separate, a server
> listening for TCP requests on port 80 won't see any UDP traffic on that
> port unless it explicitly opens a UDP socket. Tunneling in on UDP port 80
> might be possible if the routing rules that are in place don't specify to
> allow only TCP on port 80.

Yes, UDP on port 80 must be allowed in that case.

Thanks for help.

--
*Please discover scientific miracles of CORAN*
http://www.55a.net/
Hello Scott,

Thank you for your kind support. All your ideas are helpful.

I will check the OpenVPN solution first. Then, I will see if Skype and IAX may help.

Best Regards.

Abdelkader Mosbah.

*Please discover scientific miracles of CORAN:*
http://www.55a.net/

On Sun, Feb 14, 2010 at 2:57 PM, Scott L. Lykens <slykens at verimedservices.com> wrote:
> Mosbah -
>
> I apologize that I only have limited help to offer. I do not work with user
> agents other than hard phones in my regular course of business. In the case
> of aggressive blocking I use Cisco VPN hardware to encrypt the traffic. This
> is probably not a solution for you as it will add $100-$300 per location to
> your set up cost. (Plus your central VPN hardware cost) Best case money-wise
> here would be to use OpenVPN and OpenWRT on Linksys hardware but you're
> still talking about extra hardware and $100 per location.
>
> Perhaps you could pay for someone to integrate an OpenVPN client with a
> softphone? Set up the client so that it tries regular SIP and if it fails it
> then establishes a VPN to you using OpenVPN to pass the SIP traffic.
>
> Another option that comes to mind that may have the potential to do as you
> desire would be an encrypted IAX softphone. As you know, IAX is a simple UDP
> protocol and with "registration" enabled should pass through most firewalls
> properly. You may have to make multiple ports available for use in case
> udp/4569 is outright blocked. Using simple encryption may be sufficient to
> overcome DPI by aggressive ISPs and governments.
>
> I am sure there are many papers available on how Skype manages to work in
> many unfavorable network situations and would recommend them as a start to
> understanding the whys and hows.
>
> Best wishes.
>
> sl
>
> *From:* mosbah.abdelkader [mailto:mosbah.abdelkader at gmail.com]
> *Sent:* Sunday, February 14, 2010 7:37 AM
> *To:* Scott L. Lykens
> *Cc:* asterisk-users
> *Subject:* RE: SIP tunnel
>
> Hello Scott,
>
> First, I want to thank you for your good help.
>
> I need to handle all the failure situations of VoIP calls. Sometimes, the
> source of failure is the ISP and the government themselves, who inspect
> traffic with powerful firewalls, and sometimes the problem comes from the
> client who does not have sufficient knowledge to allow VoIP traffic in his
> network.
>
> For all these reasons, I need to implement a generic user agent to have it
> working after its launch in all the situations.
>
> --
> Please discover scientific miracles of CORAN
>
> http://www.55a.net/
>

--
Please discover scientific miracles of CORAN
http://www.55a.net/