Phones on different subnets over VPN

Hi All,

Let’s start with my configuration:

SIP Phone A (5010): Subnet 192.168.1.0/24
SIP Phone B (5020): Subnet 192.168.1.0/24
SIP Phone C (5030): Subnet 192.168.2.0/24 (over bridged VPN, client IP tun0 192.168.1.231 and local network eth0 192.168.2.8)
Asterisk Server: 192.168.1.10 (also the bridged VPN server, bridge IP 192.168.1.230)

Between Phone A/B and Phone C there is neither NAT nor a firewall.

The problem is that Phone C is not able to register:
I have successfully tested ping from the Asterisk server to Phone C (192.168.2.22), and Phone C is able to contact the Asterisk server. This is the SIP debug:

[code][size=85]SIP Debugging enabled

<--- SIP read from UDP:192.168.1.231:1027 --->
REGISTER sip:192.168.1.10 SIP/2.0
From: sip:5030@192.168.1.10;tag=4a015ed3386d59743875eda8_F5030192.168.2.22
To: sip:5030@192.168.1.10
Call-ID: 25_89392646322253875ed20_R@192.168.2.22
CSeq: 37 REGISTER
Via: SIP/2.0/UDP 192.168.2.22;branch=z9hG4bK25_893924872c5313875edc5_R5030
Content-Length: 0
Max-Forwards: 70
Contact: <sip:5030@192.168.2.22;avaya-sc-enabled;transport=udp>;q=1;expires=1000;reg-id=1;+sip.instance="<urn:uuid:00000000-0000-1000-8000-001b4f5754b8>"
Allow: INVITE,CANCEL,BYE,ACK,SUBSCRIBE,NOTIFY,MESSAGE,INFO,PUBLISH,REFER,UPDATE
User-Agent: Avaya one-X Deskphone
Supported: eventlist

<------------->
--- (12 headers 0 lines) ---
Sending to 192.168.1.231:5060 (no NAT)

<--- Transmitting (no NAT) to 192.168.1.231:5060 --->
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 192.168.2.22;branch=z9hG4bK25_893924872c5313875edc5_R5030;received=192.168.1.231
From: sip:5030@192.168.1.10;tag=4a015ed3386d59743875eda8_F5030192.168.2.22
To: sip:5030@192.168.1.10;tag=as7ba282c6
Call-ID: 25_89392646322253875ed20_R@192.168.2.22
CSeq: 37 REGISTER
Server: Asterisk PBX 1.8.15.0
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH
Supported: replaces, timer
WWW-Authenticate: Digest algorithm=MD5, realm="asterisk", nonce="687e6321"
Content-Length: 0

<------------>
Scheduling destruction of SIP dialog '25_89392646322253875ed20_R@192.168.2.22' in 32000 ms (Method: REGISTER)
[/size][/code]

192.168.1.231 is the IP address of the VPN client;
this machine also acts as the gateway for the network 192.168.2.0 -> 192.168.1.0.

This is my sip.conf

[code][size=85][general]
context=default
allowoverlap=no
udpbindaddr=192.168.1.10
tcpenable=no
tcpbindaddr=0.0.0.0
transport=udp
srvlookup=yes
nat=no

[authentication]
92.168.1.10

; Templates as shipped in the sample sip.conf; none of the three peers
; below inherits from them.
[basic-options](!)
dtmfmode=rfc2833
context=from-office
type=friend

[natted-phone](!,basic-options)
directmedia=no
host=dynamic

[public-phone](!,basic-options)
directmedia=yes

[my-codecs](!)
disallow=all
allow=ilbc
allow=g729
allow=gsm
allow=g723
allow=ulaw

[ulaw-phone](!,basic-options)
disallow=all
allow=ulaw

[5010]
type=friend
username=5010
secret=5010
host=dynamic
context=default
callerid=roby

[5020]
type=friend
username=5020
secret=5020
host=dynamic
context=default
callerid=alberto

[5030]
type=friend
username=5030
secret=5030
host=dynamic
context=default
callerid=alberto2
[/size][/code]

extensions.conf

[code][size=85][default]
exten => 5010,1,Dial(SIP/5010)
exten => 5020,1,Dial(SIP/5020)
exten => 5030,1,Dial(SIP/5030)
[/size][/code]

Any idea?
Thanks

I also checked the VPN server and clients: I can confirm that it is using the UDP protocol.

The trace indicates that phone C doesn’t know how to authenticate, probably because it doesn’t know the password. The lack of a retransmission tends to suggest that the 401 did reach it.

This is not the problem, because when trying with Phone A to register as 5030 with password 5030 it works correctly:

<--- SIP read from UDP:192.168.1.130:1025 --->
REGISTER sip:192.168.1.230 SIP/2.0
From: sip:5030@192.168.1.230;tag=a17d13508ac692508adfc0_F5030192.168.1.130
To: sip:5030@192.168.1.230
Call-ID: 1_f1f7043451d508ad5c0_R@192.168.1.130
CSeq: 2 REGISTER
Via: SIP/2.0/UDP 192.168.1.130;branch=z9hG4bK2_181d465f9785508adfed_R5030
Content-Length: 0
Max-Forwards: 70
Contact: <sip:5030@192.168.1.130;avaya-sc-enabled;transport=udp>;q=1;expires=1000;reg-id=1;+sip.instance="<urn:uuid:00000000-0000-1000-8000-001b4f57167c>"
Allow: INVITE,CANCEL,BYE,ACK,SUBSCRIBE,NOTIFY,MESSAGE,INFO,PUBLISH,REFER,UPDATE
User-Agent: Avaya one-X Deskphone
Supported: eventlist
Authorization: Digest username="5030",realm="asterisk",nonce="4a0bea57",uri="sip:192.168.1.230",response="9b537a1d630d8f4bda78a178c56ac600"

<------------->
--- (13 headers 0 lines) ---
Sending to 192.168.1.130:5060 (no NAT)

<--- Transmitting (no NAT) to 192.168.1.130:5060 --->
SIP/2.0 200 OK
Via: SIP/2.0/UDP 192.168.1.130;branch=z9hG4bK2_181d465f9785508adfed_R5030;received=192.168.1.130
From: sip:5030@192.168.1.230;tag=a17d13508ac692508adfc0_F5030192.168.1.130
To: sip:5030@192.168.1.230;tag=as4bf3dde6
Call-ID: 1_f1f7043451d508ad5c0_R@192.168.1.130
CSeq: 2 REGISTER
Server: Asterisk PBX 1.8.15.0
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH
Supported: replaces, timer
Expires: 1000
Contact: <sip:5030@192.168.1.130;avaya-sc-enabled;transport=udp>;expires=1000
Date: Fri, 26 Oct 2012 15:21:46 GMT
Content-Length: 0

I've experienced this type of problem (SIP/2.0 401 Unauthorized) when Asterisk was started with nat=yes but no NAT was present on my network.

401 is not a problem! The problem is that the phone has not reacted to it by sending its authentication data.

It appears that the address has been NATed from …22:5060 to …231:1027 and that Asterisk is behaving as though NAT=yes, as it is ignoring the Via header’s IP address. I don’t understand why that is. I’d guess the 401 is never reaching the phone, but then, why is the phone not repeating the request?

Phones A and C are the same model, Avaya 9620L.
They are configured with the same HTTP server, which has 46xxsettings.txt inside.

The same firmware is installed.

The phone repeats the request over and over; in the first post you can find only one request.

[quote=“david55”]401 is not a problem! The problem is that the phone has not reacted to it by sending its authentication data.

It appears that the address has been NATed from …22:5060 to …231:1027 and that Asterisk is behaving as though NAT=yes, as it is ignoring the Via header’s IP address. I don’t understand why that is. I’d guess the 401 is never reaching the phone, but then, why is the phone not repeating the request?[/quote]

Then I have to understand why Asterisk sees Phone C as NATed.

To complete the information:

192.168.1.231, the address where Asterisk wants to reach Phone C, is the VPN client address.
This address is used by the Asterisk server as the gateway to reach the subnet 192.168.2.0/24.

Then, for test purposes, could I do a NAT for that phone on 192.168.1.231?


A VPN should be invisible!

Or are you saying that the phone is dual-homed and the .22 address is bogus, because it is actually originating on the .231 interface?

The IP 192.168.2.22 is real; its gateway is 192.168.2.8.

192.168.2.8 is assigned to the interface on the local subnet 192.168.2.0/24 that acts as the gateway for the subnet 192.168.1.0/24.

192.168.1.231 is the IP assigned to the virtual Ethernet interface managed by OpenVPN.

So I think this is not a problem but expected behaviour:

Asterisk sends the packet back to the IP in the received parameter:

Via: SIP/2.0/UDP 192.168.2.22;branch=z9hG4bK27_70a33958c70e8c38df0f42_R5030;received=192.168.1.231

Now I think that I have to implement some sort of NAT.

With only 3 phones I decided to restrict:

rtpstart=19500
rtpend=20000

I'm now trying with this DNAT:

[code]iptables -t nat -A PREROUTING -p udp -d 192.168.1.231 --dport 5060 -j DNAT --to-destination 192.168.2.22
iptables -t nat -A PREROUTING -p udp -d 192.168.1.231 --dport 19500:20000 -j DNAT --to-destination 192.168.2.22
iptables -t filter -P FORWARD ACCEPT[/code]

Now I'm unable to re-register the phone because it is not at my home.
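The rule behind the "received=" line quoted in this post, worked through as an added example (not code from the thread or from Asterisk): a server answers a request at the source IP the packet arrived from, recorded in the Via as received=, but at the port named in the Via sent-by (5060 when absent), unless the client asked for rport (RFC 3581) or the server is set to answer to the source port regardless. The two REGISTERs embedded below are constructed from the headers posted earlier in the thread; the `symmetric` flag is an assumption standing in for the effect of Asterisk's nat=yes on the reply port.

```python
"""Where a SIP server sends the response to a REGISTER, and why that matters
behind a gateway that rewrites the source address.

Added example, not code from the thread or from Asterisk. The two REGISTERs
below are constructed from the headers posted above.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

SIP_DEFAULT_PORT = 5060

# Phone C: arrived from UDP 192.168.1.231:1027, Via says 192.168.2.22.
REGISTER_FROM_VPN = (
    "REGISTER sip:192.168.1.10 SIP/2.0\r\n"
    "From: sip:5030@192.168.1.10;tag=4a015ed3386d59743875eda8_F5030192.168.2.22\r\n"
    "To: sip:5030@192.168.1.10\r\n"
    "Call-ID: 25_89392646322253875ed20_R@192.168.2.22\r\n"
    "CSeq: 37 REGISTER\r\n"
    "Via: SIP/2.0/UDP 192.168.2.22;branch=z9hG4bK25_893924872c5313875edc5_R5030\r\n"
    "Content-Length: 0\r\n\r\n"
)

# Phone A: arrived from UDP 192.168.1.130:1025, Via says 192.168.1.130.
REGISTER_FROM_LAN = (
    "REGISTER sip:192.168.1.230 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.130;branch=z9hG4bK2_181d465f9785508adfed_R5030\r\n"
    "Call-ID: 1_f1f7043451d508ad5c0_R@192.168.1.130\r\n"
    "CSeq: 2 REGISTER\r\n"
    "Content-Length: 0\r\n\r\n"
)


@dataclass
class Via:
    transport: str
    host: str
    port: Optional[int]          # None means the default port for the transport
    params: Dict[str, str]       # e.g. {"branch": "z9hG4bK...", "rport": ""}


def parse_top_via(msg: str) -> Via:
    """Return the topmost Via, i.e. the hop that sent us the request.
    Accepts the compact 'v:' form; IPv4 or host names only (no [IPv6])."""
    head = msg.split("\r\n\r\n", 1)[0]
    value = None
    for line in head.split("\r\n")[1:]:            # skip the request line
        name, _, rest = line.partition(":")
        if name.strip().lower() in ("via", "v"):
            value = rest.strip().split(",", 1)[0]  # first value = top hop
            break
    if value is None:
        raise ValueError("no Via header")
    m = re.match(r"SIP/2\.0/(\w+)\s+([^;:\s]+)(?::(\d+))?(.*)$", value)
    if not m:
        raise ValueError(f"unparseable Via: {value!r}")
    transport, host, port, tail = m.groups()
    params: Dict[str, str] = {}
    for p in (x.strip() for x in tail.split(";")):
        if p:
            k, _, v = p.partition("=")
            params[k.lower()] = v
    return Via(transport.upper(), host, int(port) if port else None, params)


@dataclass
class ReplyDecision:
    looks_natted: bool       # Via sent-by host differs from the packet source IP
    dest: Tuple[str, int]    # where the response is actually sent
    response_via: str        # Via line echoed back in the response


def decide_reply(msg: str, src_ip: str, src_port: int,
                 symmetric: bool = False) -> ReplyDecision:
    """RFC 3261 18.2.1/18.2.2 plus RFC 3581 rport.  The response goes to the
    source IP (recorded as ;received=), but to the Via sent-by PORT, unless
    the client asked for rport or the server answers to the source port
    anyway (symmetric=True stands in for Asterisk's nat=yes here)."""
    via = parse_top_via(msg)
    via_port = via.port or SIP_DEFAULT_PORT
    rport_requested = "rport" in via.params
    dest_port = src_port if (symmetric or rport_requested) else via_port

    # Rebuild the Via for the response: original params, then received=
    # (RFC 3261 only requires it when sent-by differs from the source IP;
    # Asterisk adds it unconditionally, as both posted traces show).
    sent_by = via.host if via.port is None else f"{via.host}:{via.port}"
    parts = [f"SIP/2.0/{via.transport} {sent_by}"]
    parts += [f"{k}={v}" if v else k for k, v in via.params.items() if k != "rport"]
    parts.append(f"received={src_ip}")
    if rport_requested:
        parts.append(f"rport={src_port}")
    return ReplyDecision(via.host != src_ip, (src_ip, dest_port), "Via: " + ";".join(parts))


if __name__ == "__main__":
    cases = (("phone C via VPN gw", REGISTER_FROM_VPN, "192.168.1.231", 1027),
             ("phone A on the LAN", REGISTER_FROM_LAN, "192.168.1.130", 1025))
    for label, msg, ip, port in cases:
        for symmetric in (False, True):
            d = decide_reply(msg, ip, port, symmetric)
            print(f"{label}  nat=yes:{symmetric!s:5} natted:{d.looks_natted!s:5} "
                  f"reply -> {d.dest[0]}:{d.dest[1]}")
```

For the first trace the rule yields exactly what the debug shows: a Via echoed back with received=192.168.1.231 and the 401 sent to 192.168.1.231:5060, that is, port 5060 on the VPN gateway rather than port 1027 the packet came from. A response to that address only reaches 192.168.2.22 if the gateway forwards UDP 5060 on to the phone, which is what the DNAT rule in this post tries to arrange; with symmetric replies (the `symmetric=True` case) the 401 would instead go back to port 1027, the port the gateway already has a mapping for.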

With these DNAT settings I was able to register the phone, but there was no audio, because I also needed to NAT the same IP the Asterisk server was bound to, with a lot of trouble.

I decided instead to implement a different solution:

Install bridge-utils on the VPN client.
Add an interface to the OpenVPN client with no IP assigned.
Change the configuration of the VPN client, adding two scripts:

up "/etc/openvpn/up.sh"
down "/etc/openvpn/down.sh"

Up.sh: change the value of the interfaces according to the interface added (eth1) and the associated IP/mask/broadcast of the bridge (192.168.1.232)

[code]#!/bin/bash

#################################
# Set up Ethernet bridge on Linux
# Requires: bridge-utils
#################################

# Stop at the first failing command rather than leaving a half-built bridge.
set -e

# Define Bridge Interface
br="br0"

# Define list of TAP interfaces to be bridged,
# for example tap="tap0 tap1 tap2".
tap="tap0"

# Define physical ethernet interface to be bridged
# with TAP interface(s) above.
eth="eth0"
eth_ip="192.168.2.232"
eth_netmask="255.255.255.0"
eth_broadcast="192.168.2.255"

# Create the persistent TAP device(s).
for t in $tap; do
    openvpn --mktun --dev $t
done

# Create the bridge and enslave the physical interface and the TAP(s).
brctl addbr $br
brctl addif $br $eth

for t in $tap; do
    brctl addif $br $t
done

# Bridge members carry no address of their own; the bridge gets the IP.
for t in $tap; do
    ifconfig $t 0.0.0.0 promisc up
done

ifconfig $eth 0.0.0.0 promisc up

ifconfig $br $eth_ip netmask $eth_netmask broadcast $eth_broadcast[/code]

Down.sh:

[code]#!/bin/bash

####################################
# Tear Down Ethernet bridge on Linux
####################################

# Define Bridge Interface
br="br0"

# Define list of TAP interfaces to be bridged together
tap="tap0"

# Bring the bridge down and delete it, then remove the TAP device(s).
ifconfig $br down
brctl delbr $br

for t in $tap; do
    openvpn --rmtun --dev $t
done
[/code]

Now I changed the IP of the phone:

IP: 192.168.1.233
Gateway: 192.168.1.254 (the gateway of my local subnet)

Now Phone C works correctly because it is on the same subnet as the Asterisk server.