Netgate Discussion Forum

Issues with VoIP over IPSec VPN

General pfSense Questions
  • M
    maverickws
    last edited by maverickws May 21, 2021, 12:51 PM May 21, 2021, 11:40 AM

    Hi all,

    I'm having a weird issue hoping you guys can shed some light over the matter:

    I am at location A and we have our servers at location B.
    Location A is an office with a pfSense router and IPSec VPN to location B. We also have our phones on location A.

    Location B is a datacenter where our IP PBX is at (Asterisk+FreePBX). The remote has 2 pfSense routers in HA. We receive calls just fine, without any issue, voice is clear both ways, all good.
    However we cannot dial out.

    I've captured the packets both at location A and location B.
    What I found most weird is the following:
    I can see the invite packets on my side, but I don't see them getting to the remote side.
    Example:

    Location A - IPSec Interface:

    1	0.000000	phone_ip_address	pbx_ip_address	SIP/SDP	1411	Request: INVITE sip:dest_number@pbx_ip_address;user=phone | 
    2	0.493312	phone_ip_address	pbx_ip_address	SIP/SDP	1411	Request: INVITE sip:dest_number@pbx_ip_address;user=phone | 
    3	1.497405	phone_ip_address	pbx_ip_address	SIP/SDP	1411	Request: INVITE sip:dest_number@pbx_ip_address;user=phone | 
    4	3.491759	phone_ip_address	pbx_ip_address	SIP/SDP	1411	Request: INVITE sip:dest_number@pbx_ip_address;user=phone | 
    5	7.468388	phone_ip_address	pbx_ip_address	SIP/SDP	1411	Request: INVITE sip:dest_number@pbx_ip_address;user=phone | 
    6	15.424257	phone_ip_address	pbx_ip_address	SIP/SDP	1411	Request: INVITE sip:dest_number@pbx_ip_address;user=phone | 
    7	18.761780	pbx_ip_address  	phone_ip_addr 	SIP	498	Request: OPTIONS sip:1001@phone_ip_address:5060;user=phone;transport=udp | 
    8	18.798179	phone_ip_address	pbx_ip_address	SIP/SDP	1242	Status: 200 OK | 
    9	31.331245	phone_ip_address	pbx_ip_address	SIP/SDP	1411	Request: INVITE sip:dest_number@pbx_ip_address;user=phone | 
    

    Location B

    IPSec interface

    1	0.000000	pbx_ip_address	phone_ip_addr 	SIP	498	Request: OPTIONS sip:1001@phone_ip_address:5060;user=phone;transport=udp | 
    2	0.082603	phone_ip_addr 	pbx_ip_address	SIP/SDP	1241	Status: 200 OK | 
    157	60.000163	pbx_ip_address	phone_ip_addr 	SIP	498	Request: OPTIONS sip:1001@phone_ip_address:5060;user=phone;transport=udp | 
    158	60.087715	phone_ip_addr 	pbx_ip_address	SIP/SDP	1242	Status: 200 OK | 
    

    DMZ interface

    (where the PBX is connected to)

    11	1.237192	pbx_ip_address	sip_provid_ip	SIP	471	Request: OPTIONS sip:sip_host_address:5060 | 
    12	1.241730	sip_provid_ip	pbx_ip_address	SIP	442	Status: 200 OK | 
    27	9.045812	sip_provid_ip	pbx_ip_address	SIP	379	Request: OPTIONS sip:744971@168.119.19.60:5060;line=gijqcpi | 
    28	9.049211	pbx_ip_address	sip_provid_ip	SIP	907	Status: 200 OK | 
    42	10.800516	pbx_ip_address	phone_ip_addr	SIP	500	Request: OPTIONS sip:1001@phone_ip_addr:5060;user=phone;transport=udp | 
    43	10.901296	phone_ip_addr	pbx_ip_address	SIP/SDP	1244	Status: 200 OK | 
    96	31.237019	pbx_ip_address	sip_provid_ip	SIP	470	Request: OPTIONS sip:sip_host_address:5060 | 
    97	31.241534	sip_provid_ip	pbx_ip_address	SIP	441	Status: 200 OK | 
    117	39.162243	sip_provid_ip	pbx_ip_address	SIP	379	Request: OPTIONS sip:744971@168.119.19.60:5060;line=gijqcpi | 
    118	39.165808	pbx_ip_address	sip_provid_ip	SIP	907	Status: 200 OK | 
    124	40.582276	pbx_ip_address	sip_provid_ip	SIP	617	Request: REGISTER sip:sip_host_address:5060  (1 binding) | 
    125	40.587192	sip_provid_ip	pbx_ip_address	SIP	563	Status: 401 Unauthorized | 
    126	40.590425	pbx_ip_address	sip_provid_ip	SIP	868	Request: REGISTER sip:sip_host_address:5060  (1 binding) | 
    127	40.598006	sip_provid_ip	pbx_ip_address	SIP	551	Status: 200 OK  (1 binding) | 
    179	61.237355	pbx_ip_address	sip_provid_ip	SIP	470	Request: OPTIONS sip:sip_host_address:5060 | 
    180	61.241839	sip_provid_ip	pbx_ip_address	SIP	441	Status: 200 OK | 
    201	69.272786	sip_provid_ip	pbx_ip_address	SIP	379	Request: OPTIONS sip:744971@168.119.19.60:5060;line=gijqcpi | 
    202	69.276218	pbx_ip_address	sip_provid_ip	SIP	907	Status: 200 OK | 
    203	70.800519	pbx_ip_address	phone_ip_addr	SIP	500	Request: OPTIONS sip:1001@phone_ip_addr:5060;user=phone;transport=udp | 
    204	70.885263	phone_ip_addr	pbx_ip_address	SIP/SDP	1244	Status: 200 OK | 
    

    WAN Interface

    50	15.677163	pbx_ip_address	sip_provider_ip	SIP	471	Request: OPTIONS sip:sip_host_address:5060 | 
    51	15.681791	sip_provider_ip	pbx_ip_address	SIP	442	Status: 200 OK | 
    57	19.901763	sip_provider_ip	pbx_ip_address	SIP	379	Request: OPTIONS sip:744971@168.119.19.60:5060;line=gijqcpi | 
    58	19.905063	pbx_ip_address	sip_provider_ip	SIP	907	Status: 200 OK | 
    120	45.677775	pbx_ip_address	sip_provider_ip	SIP	471	Request: OPTIONS sip:sip_host_address:5060 | 
    121	45.682246	sip_provider_ip	pbx_ip_address	SIP	442	Status: 200 OK | 
    137	50.019491	sip_provider_ip	pbx_ip_address	SIP	379	Request: OPTIONS sip:744971@168.119.19.60:5060;line=gijqcpi | 
    138	50.022970	pbx_ip_address	sip_provider_ip	SIP	907	Status: 200 OK | 
    148	55.240973	pbx_ip_address	phone_ip_addr 	SIP	500	Request: OPTIONS sip:1001@phone_ip_address:5060;user=phone;transport=udp | 
    149	55.331269	phone_ip_addr 	pbx_ip_address	SIP/SDP	1244	Status: 200 OK | 
    210	75.677596	pbx_ip_address	sip_provider_ip	SIP	471	Request: OPTIONS sip:sip_host_address:5060 | 
    211	75.682035	sip_provider_ip	pbx_ip_address	SIP	442	Status: 200 OK | 
    222	80.128742	sip_provider_ip	pbx_ip_address	SIP	379	Request: OPTIONS sip:744971@168.119.19.60:5060;line=gijqcpi | 
    223	80.132219	pbx_ip_address	sip_provider_ip	SIP	907	Status: 200 OK | 
    289	104.866176	pbx_ip_address	sip_provider_ip	SIP	617	Request: REGISTER sip:sip_host_address:5060  (1 binding) | 
    290	104.870735	sip_provider_ip	pbx_ip_address	SIP	563	Status: 401 Unauthorized | 
    291	104.874160	pbx_ip_address	sip_provider_ip	SIP	868	Request: REGISTER sip:sip_host_address:5060  (1 binding) | 
    292	104.881614	sip_provider_ip	pbx_ip_address	SIP	551	Status: 200 OK  (1 binding) | 
    302	105.676832	pbx_ip_address	sip_provider_ip	SIP	471	Request: OPTIONS sip:sip_host_address:5060 | 
    303	105.681478	sip_provider_ip	pbx_ip_address	SIP	442	Status: 200 OK | 
    309	110.240629	sip_provider_ip	pbx_ip_address	SIP	379	Request: OPTIONS sip:744971@168.119.19.60:5060;line=gijqcpi | 
    310	110.244076	pbx_ip_address	sip_provider_ip	SIP	907	Status: 200 OK | 
    326	115.241190	pbx_ip_address	phone_ip_addr 	SIP	500	Request: OPTIONS sip:1001@phone_ip_address:5060;user=phone;transport=udp | 
    327	115.324611	phone_ip_addr 	pbx_ip_address	SIP/SDP	1244	Status: 200 OK | 
    

    I was hoping to see the INVITE that showed on the IPSec interface on location A showing on location B, however those don't show.
    The IP Phone reaches the PBX server fine, it has TFTP, config files and the likes, everything is loaded fine. I see some traffic back and forth, except those INVITEs. Not sure about it but I was expecting to see them on the other side, maybe that's not it, dunno. As mentioned initially, incoming calls work fine.

    Some ideas please? Thank you.

    EDIT: After reading some topics here in the forums about VOIP issues we also disabled pf scrubbing on both ends, saved and tested, however the results were the same.

    • J
      JKnott @maverickws
      last edited by May 21, 2021, 12:51 PM

      @maverickws

      That IPSec is used is irrelevant. A VPN simply provides an IP connection between two points. The issue could be routing, filters and our all time favourite NAT, if used. Based on your description, my bet would be on rules.

      PfSense running on Qotom mini PC
      i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
      UniFi AC-Lite access point

      I haven't lost my mind. It's around here...somewhere...

      • M
        maverickws @JKnott
        last edited by May 21, 2021, 1:00 PM

        @jknott Hi and thanks for your reply. I'm also thinking that the fact of being a VPN wasn't all that important but I wanted to give the most information possible, cause I'm clueless on this.
        About NAT, since the IP Phone is connecting directly to the PBX, not connecting to its public IP, I figure NAT isn't involved.
        Don't know what rules could be influencing on this. We allow all traffic from location A to location B, and we can see on the above packet captures that communications between the pbx_ip_address and phone_ip_addr are present on all the captures. Since we're not blocking any ports or protocols, and allowing all traffic between these networks, what kind of rules (or filters?) could be influencing? Thank you

        • ?
          A Former User @maverickws
          last edited by May 21, 2021, 3:34 PM

          @maverickws

          I assume your IPSec VTIs are running on a 1400 byte MTU. IP fragmentation doesn't work on the pfSense IPSec implementation the last time I checked. There is an open issue about that somewhere in Redmine.
          So your 1411 byte long SIP INVITEs get dropped due to this limitation. What you can do is to raise the VTI MTU, depending on your WAN MTU and your configured encryption. Another workaround is to switch to SIP over TCP, so the segments get right-sized according to the configured MSS on the VTI interface.

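The comparison behind the diagnosis above, as an added example that is not part of the thread and is not pfSense or Wireshark code: it lists the SIP messages present in the near-side capture but absent from the far side, and flags those longer than the tunnel MTU. The sample rows are constructed in the thread's capture layout with placeholder host names; `lost_in_tunnel` and `TUNNEL_MTU` are hypothetical names, and the capture's length column is used as an estimate of packet size.

```python
import re

TUNNEL_MTU = 1400  # tunnel MTU reported in the thread for Location B

# Constructed rows in the thread's capture layout:
# no, time, src, dst, protocol, length, info. Host names are placeholders.
SITE_A = (
    "1\t0.000000\tphone\tpbx\tSIP/SDP\t1411\tRequest: INVITE sip:dest@pbx\n"
    "2\t0.493312\tphone\tpbx\tSIP/SDP\t1411\tRequest: INVITE sip:dest@pbx\n"
    "3\t1.497405\tphone\tpbx\tSIP/SDP\t1411\tRequest: INVITE sip:dest@pbx\n"
    "4\t3.491759\tphone\tpbx\tSIP/SDP\t1411\tRequest: INVITE sip:dest@pbx\n"
    "5\t18.761780\tpbx\tphone\tSIP\t498\tRequest: OPTIONS sip:1001@phone:5060\n"
    "6\t18.798179\tphone\tpbx\tSIP/SDP\t1242\tStatus: 200 OK\n"
)
SITE_B = (
    "1\t0.000000\tpbx\tphone\tSIP\t498\tRequest: OPTIONS sip:1001@phone:5060\n"
    "2\t0.082603\tphone\tpbx\tSIP/SDP\t1241\tStatus: 200 OK\n"
)

ROW = re.compile(r"\d+\s+([\d.]+)\s+(\S+)\s+(\S+)\s+\S+\s+(\d+)\s+(?:Request|Status): (\S+)")

def parse_rows(text):
    """Yield (time, src, dst, kind, length) for each SIP row in an export."""
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            t, src, dst, length, kind = m.groups()
            yield float(t), src, dst, kind, int(length)

def lost_in_tunnel(near, far, mtu=TUNNEL_MTU):
    """Report message kinds seen in the near capture but never in the far one."""
    seen_far = {(s, d, k) for _, s, d, k, _ in parse_rows(far)}
    report = {}
    for t, src, dst, kind, length in parse_rows(near):
        if (src, dst, kind) in seen_far:
            continue
        e = report.setdefault((src, dst, kind), {"times": [], "max_len": 0})
        e["times"].append(t)
        e["max_len"] = max(e["max_len"], length)
    for e in report.values():
        gaps = [b - a for a, b in zip(e["times"], e["times"][1:])]
        # An unanswered INVITE over UDP is resent with doubling gaps (RFC 3261 Timer A).
        e["backoff"] = len(gaps) > 1 and all(1.5 * a < b < 2.5 * a for a, b in zip(gaps, gaps[1:]))
        e["over_mtu"] = e["max_len"] > mtu  # frame length used as an estimate
    return report

if __name__ == "__main__":
    for flow, info in lost_in_tunnel(SITE_A, SITE_B).items():
        print(flow, len(info["times"]), info["max_len"], info["over_mtu"])
```

Timestamps are relative to each capture, so rows are matched on source, destination and message kind rather than on time.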
          • J
            JKnott @A Former User
            last edited by May 21, 2021, 3:48 PM

            @artes

            SIP normally uses TCP. It's RTP that uses UDP.

            PfSense running on Qotom mini PC
            i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
            UniFi AC-Lite access point

            I haven't lost my mind. It's around here...somewhere...

            • ?
              A Former User @JKnott
              last edited by May 21, 2021, 3:58 PM

              @jknott

              Well, SIP supports both; @maverickws's implementation is using UDP if you take a closer look at the captures he provided.

              • M
                maverickws
                last edited by May 21, 2021, 5:57 PM

                @Artes
                Thanks a lot for your input. Actually your comment was right on the spot. Location B has a requirement of 1400 MTU. After changing to TCP instead of UDP, everything is working. Great help, thanks a lot both you and @JKnott for the comments!

                Have a nice weekend ahead! Cheers!
