asterisk users - Sep 2010 - OpenVPN tunnel and one-way audio - Do I still need a SIP proxy?

Hi Everyone,

I have setup an OpenVPN tunnel between Server A (running Asterisk) and
Server B suppling it's SIP Phones with DHCP pool of IPs.

So, the tunnel is established nicely and everyone can ping others. "sip
show
peers" shows the local subnet of the SIP Phones registered
(192.168.100.0/24
).

But there is the old bad one-way audio. Calls also drop after few seconds.
In the SIP debug I can see that asterisk uses it's external public IP
address to communicate to endpoints that are known to it as the
192.168.100.0/24 endpoints and the endpoints identify themselves with the
OpenVPN tunnel IP address scheme in one part of the sip handshake. How can
this be fixed? After all, with the OpenVPN this should all look like an
internal network to Asterisk.

I have added my comments followed by # to lines below that are problematic.

<--- SIP read from UDP:192.168.100.5:5060 --->    #This line is good as it
uses the local DHCP supplied network address scheme
INVITE sip:203 at 172.16.0.1:5060 SIP/2.0 #This line is BAD. Why are we
inviting Ext. 203 with it's OpenVPN IP while it's on the same network of
192.168.50.0/24 as 202?
Via: SIP/2.0/UDP
192.168.100.5:5060;branch=z9hG4bK695f8c1cfc7cdee96.1c65dc2eb25a46fc6
Max-Forwards:
70
From: "SIP Phone - Ext. 202" <sip:202 at
172.16.0.1:5060>;tag=6d6f8c4226
 #BAD line again. Should be SIP:202 at 192.168.100.6 <SIP%3A202 at
192.168.100.6>
To: "203" <sip:203 at 172.16.0.1:5060> #Bad again....
Call-ID: 43af67a634e06e75
CSeq: 32058 INVITE
Allow:  INVITE, ACK, CANCEL, BYE, NOTIFY, REFER, OPTIONS, UPDATE, PRACK,
SUBSCRIBE, INFO
Allow-Events: talk, hold, conference, LocalModeStatus
Contact: "SIP Phone - Ext. 202" <sip:202 at 192.168.50.5:5060
;transport=udp>;+sip.instance="<urn:uuid:00000000-0000-1000-8000-00085D25B72F>"
Supported: gruu, path, timer, 100rel, replaces
User-Agent: Aastra 55i/2.5.2.1500
Content-Type: application/sdp
Content-Length: 594

Basically the phones should only send with FROM their local
192.168.100.0/24address and Asterisk should only send ANSWER and ACK
back to
192.168.100.0/24 rather than sending it to 172.16.0.0/24 (which is the
openvpn client ip).

Once above is fixed, I think all the audio and call cut will go away. I hate
to use a sip proxy in this situation since I already have an openvpn
connection.

Any feed back is appreciated.

Thanks,
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
http://lists.digium.com/pipermail/asterisk-users/attachments/20100922/d77c8271/attachment.htm

On Wed, Sep 22, 2010 at 01:27:07AM -0400, bruce bruce
wrote:
>I have setup an OpenVPN tunnel between Server A (running Asterisk) and
>Server B suppling it's SIP Phones with DHCP pool of IPs.
Have you considered running Asterisk on Server B as well, and using IAX
to trunk between them? This is working well for me.

Roger

On Wed, Sep 22, 2010 at 1:27 AM, bruce bruce <bruceb444 at gmail.com>
wrote:
> Any feed back is appreciated.
>
Then configure you endpoints to use the 192.168.100.0/24 network.
This is not an Asterisk issue, since your Aastra 55i/2.5.2.1500 is
sending the INVITE message.

-- 
Paul Belanger | dCAP
Polybeacon | Consultant
Jabber: paul.belanger at polybeacon.com | IRC: pabelanger (Freenode)
blog.polybeacon.com

Do you have a localnet statement in your sip.conf?  That and using
nat=no will make sure Asterisk does not replace the IP address in the
Invite.

On Wed, 2010-09-22 at 01:27 -0400, bruce bruce wrote:
> Hi Everyone,
> 
> 
> I have setup an OpenVPN tunnel between Server A (running Asterisk) and
> Server B suppling it's SIP Phones with DHCP pool of IPs.
> 
> 
> So, the tunnel is established nicely and everyone can ping others.
> "sip show peers" shows the local subnet of the SIP Phones
registered
> (192.168.100.0/24).
> 
> 
> But there is the old bad one-way audio. Calls also drop after few
> seconds. In the SIP debug I can see that asterisk uses it's external
> public IP address to communicate to endpoints that are known to it as
> the 192.168.100.0/24 endpoints and the endpoints identify themselves
> with the OpenVPN tunnel IP address scheme in one part of the sip
> handshake. How can this be fixed? After all, with the OpenVPN this
> should all look like an internal network to Asterisk.
> 
> 
> I have added my comments followed by # to lines below that are
> problematic.
> 
> 
> <--- SIP read from UDP:192.168.100.5:5060 --->    #This line is good
> as it uses the local DHCP supplied network address scheme
> INVITE sip:203 at 172.16.0.1:5060 SIP/2.0 #This line is BAD. Why are we
> inviting Ext. 203 with it's OpenVPN IP while it's on the same
network
> of 192.168.50.0/24 as 202?
> Via: SIP/2.0/UDP
> 192.168.100.5:5060;branch=z9hG4bK695f8c1cfc7cdee96.1c65dc2eb25a46fc6
Max-Forwards: 70
> From: "SIP Phone - Ext. 202" <sip:202 at
172.16.0.1:5060>;tag=6d6f8c4226
>    #BAD line again. Should be SIP:202 at 192.168.100.6
> To: "203" <sip:203 at 172.16.0.1:5060> #Bad again....
> Call-ID: 43af67a634e06e75
> CSeq: 32058 INVITE
> Allow:  INVITE, ACK, CANCEL, BYE, NOTIFY, REFER, OPTIONS, UPDATE,
> PRACK, SUBSCRIBE, INFO
> Allow-Events: talk, hold, conference, LocalModeStatus
> Contact: "SIP Phone - Ext. 202"
> <sip:202 at 192.168.50.5:5060;transport=udp>;
>
+sip.instance="<urn:uuid:00000000-0000-1000-8000-00085D25B72F>"
> Supported: gruu, path, timer, 100rel, replaces
> User-Agent: Aastra 55i/2.5.2.1500
> Content-Type: application/sdp
> Content-Length: 594
> 
> 
> Basically the phones should only send with FROM their local
> 192.168.100.0/24 address and Asterisk should only send ANSWER and ACK
> back to 192.168.100.0/24 rather than sending it to 172.16.0.0/24
> (which is the openvpn client ip).
> 
> 
> Once above is fixed, I think all the audio and call cut will go away.
> I hate to use a sip proxy in this situation since I already have an
> openvpn connection.
> 
> 
> Any feed back is appreciated.
> 
> 
> Thanks,
> -- 
> _____________________________________________________________________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
> New to Asterisk? Join us for a live introductory webinar every Thurs:
>                http://www.asterisk.org/hello
> 
> asterisk-users mailing list
> To UNSUBSCRIBE or update options visit:
>    http://lists.digium.com/mailman/listinfo/asterisk-users
-- 
Carlos Chavez
Director de Tecnolog?a
Telecomunicaciones Abiertas de M?xico S.A. de C.V.
Tel: +52-55-91169161 Ext 2001

Calls are not going outside of the network. I had to setup up the subnet of
the other side (openvpn client) as the localnet of the Asterisk server for
Asterisk to not handle it with NAT or hand shake it with external IP.

Thanks,
-Bruce

On Wed, Sep 22, 2010 at 1:58 PM, Paul Belanger <paul.belanger at
polybeacon.com
> wrote:
> On Wed, Sep 22, 2010 at 1:46 PM, bruce bruce <bruceb444 at gmail.com>
wrote:
> > Thanks, but Carlos Chavez was right on point. This fixed the problem:
> > externip=123.123.123.123
> > localnet=192.168.100.0/255.255.255.0
> > nat=no in each extension.
> >
> So now I am confused, If you have a VPN setup between sites, why are
> calls going outside the VPN?  Or do you have remote agents that are
> not using a VPN?
>
> --
> Paul Belanger | dCAP
> Polybeacon | Consultant
> Jabber: paul.belanger at polybeacon.com | IRC: pabelanger (Freenode)
> blog.polybeacon.com
>
> --
> _____________________________________________________________________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
> New to Asterisk? Join us for a live introductory webinar every Thurs:
>               http://www.asterisk.org/hello
>
> asterisk-users mailing list
> To UNSUBSCRIBE or update options visit:
>   http://lists.digium.com/mailman/listinfo/asterisk-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
http://lists.digium.com/pipermail/asterisk-users/attachments/20100922/4ed4a18f/attachment.htm

On 09/22/2010 08:36 AM, Carlos Chavez wrote:
> Do you have a localnet statement in your sip.conf?  That and using
> nat=no will make sure Asterisk does not replace the IP address in the
> Invite.
>   
I just wanted to give a +1 for this response.  I am using openvpn to
connect road warriors and remote offices to a central asterisk server. 
When setting up the configuration for the road warriors I created a new
subnet for them, but forgot to include their subnet as a localnet
directive in sip.conf.  The result was that sip clients on the road
warrior network would be able to register, but then when initiating a
sip call the 200 response (to the INVITE from the client) from the
asterisk server would include a contact address for some external ip
that I did not recognize.  This hint here allowed me to fix this bug,
now calls from the road warrior subnet are coming in fine.  Thanks!