Issues with VoIP over IPSec VPN
-
Hi all,
I'm having a weird issue hoping you guys can shed some light over the matter:
I am at location A and we have our servers at location B.
Location A is an office with a pfSense router and IPSec VPN to location B. We also have our phones on location A. Location B is a datacenter where our IP PBX is at (Asterisk+FreePBX). The remote has 2 pfSense routers in HA. We receive calls just fine, without any issue, voice is clear both ways, all good.
However we cannot dial out. I've captured the packets both at location A and location B.
What I found most weird is the following:
I can see the invite packets on my side, but I don't see them getting to the remote side.
Example:
Location A - IPSec Interface:
1 0.000000 phone_ip_address pbx_ip_address SIP/SDP 1411 Request: INVITE sip:dest_number@pbx_ip_address;user=phone
2 0.493312 phone_ip_address pbx_ip_address SIP/SDP 1411 Request: INVITE sip:dest_number@pbx_ip_address;user=phone
3 1.497405 phone_ip_address pbx_ip_address SIP/SDP 1411 Request: INVITE sip:dest_number@pbx_ip_address;user=phone
4 3.491759 phone_ip_address pbx_ip_address SIP/SDP 1411 Request: INVITE sip:dest_number@pbx_ip_address;user=phone
5 7.468388 phone_ip_address pbx_ip_address SIP/SDP 1411 Request: INVITE sip:dest_number@pbx_ip_address;user=phone
6 15.424257 phone_ip_address pbx_ip_address SIP/SDP 1411 Request: INVITE sip:dest_number@pbx_ip_address;user=phone
7 18.761780 pbx_ip_address phone_ip_addr SIP 498 Request: OPTIONS sip:1001@phone_ip_address:5060;user=phone;transport=udp
8 18.798179 phone_ip_address pbx_ip_address SIP/SDP 1242 Status: 200 OK
9 31.331245 phone_ip_address pbx_ip_address SIP/SDP 1411 Request: INVITE sip:dest_number@pbx_ip_address;user=phone
Location B
IPSec interface
1 0.000000 pbx_ip_address phone_ip_addr SIP 498 Request: OPTIONS sip:1001@phone_ip_address:5060;user=phone;transport=udp
2 0.082603 phone_ip_addr pbx_ip_address SIP/SDP 1241 Status: 200 OK
157 60.000163 pbx_ip_address phone_ip_addr SIP 498 Request: OPTIONS sip:1001@phone_ip_address:5060;user=phone;transport=udp
158 60.087715 phone_ip_addr pbx_ip_address SIP/SDP 1242 Status: 200 OK
DMZ interface
(where the PBX is connected to)
11 1.237192 pbx_ip_address sip_provid_ip SIP 471 Request: OPTIONS sip:sip_host_address:5060
12 1.241730 sip_provid_ip pbx_ip_address SIP 442 Status: 200 OK
27 9.045812 sip_provid_ip pbx_ip_address SIP 379 Request: OPTIONS sip:744971@168.119.19.60:5060;line=gijqcpi
28 9.049211 pbx_ip_address sip_provid_ip SIP 907 Status: 200 OK
42 10.800516 pbx_ip_address phone_ip_addr SIP 500 Request: OPTIONS sip:1001@phone_ip_addr:5060;user=phone;transport=udp
43 10.901296 phone_ip_addr pbx_ip_address SIP/SDP 1244 Status: 200 OK
96 31.237019 pbx_ip_address sip_provid_ip SIP 470 Request: OPTIONS sip:sip_host_address:5060
97 31.241534 sip_provid_ip pbx_ip_address SIP 441 Status: 200 OK
117 39.162243 sip_provid_ip pbx_ip_address SIP 379 Request: OPTIONS sip:744971@168.119.19.60:5060;line=gijqcpi
118 39.165808 pbx_ip_address sip_provid_ip SIP 907 Status: 200 OK
124 40.582276 pbx_ip_address sip_provid_ip SIP 617 Request: REGISTER sip:sip_host_address:5060 (1 binding)
125 40.587192 sip_provid_ip pbx_ip_address SIP 563 Status: 401 Unauthorized
126 40.590425 pbx_ip_address sip_provid_ip SIP 868 Request: REGISTER sip:sip_host_address:5060 (1 binding)
127 40.598006 sip_provid_ip pbx_ip_address SIP 551 Status: 200 OK (1 binding)
179 61.237355 pbx_ip_address sip_provid_ip SIP 470 Request: OPTIONS sip:sip_host_address:5060
180 61.241839 sip_provid_ip pbx_ip_address SIP 441 Status: 200 OK
201 69.272786 sip_provid_ip pbx_ip_address SIP 379 Request: OPTIONS sip:744971@168.119.19.60:5060;line=gijqcpi
202 69.276218 pbx_ip_address sip_provid_ip SIP 907 Status: 200 OK
203 70.800519 pbx_ip_address phone_ip_addr SIP 500 Request: OPTIONS sip:1001@phone_ip_addr:5060;user=phone;transport=udp
204 70.885263 phone_ip_addr pbx_ip_address SIP/SDP 1244 Status: 200 OK
WAN Interface
50 15.677163 pbx_ip_address sip_provider_ip SIP 471 Request: OPTIONS sip:sip_host_address:5060
51 15.681791 sip_provider_ip pbx_ip_address SIP 442 Status: 200 OK
57 19.901763 sip_provider_ip pbx_ip_address SIP 379 Request: OPTIONS sip:744971@168.119.19.60:5060;line=gijqcpi
58 19.905063 pbx_ip_address sip_provider_ip SIP 907 Status: 200 OK
120 45.677775 pbx_ip_address sip_provider_ip SIP 471 Request: OPTIONS sip:sip_host_address:5060
121 45.682246 sip_provider_ip pbx_ip_address SIP 442 Status: 200 OK
137 50.019491 sip_provider_ip pbx_ip_address SIP 379 Request: OPTIONS sip:744971@168.119.19.60:5060;line=gijqcpi
138 50.022970 pbx_ip_address sip_provider_ip SIP 907 Status: 200 OK
148 55.240973 pbx_ip_address phone_ip_addr SIP 500 Request: OPTIONS sip:1001@phone_ip_address:5060;user=phone;transport=udp
149 55.331269 phone_ip_addr pbx_ip_address SIP/SDP 1244 Status: 200 OK
210 75.677596 pbx_ip_address sip_provider_ip SIP 471 Request: OPTIONS sip:sip_host_address:5060
211 75.682035 sip_provider_ip pbx_ip_address SIP 442 Status: 200 OK
222 80.128742 sip_provider_ip pbx_ip_address SIP 379 Request: OPTIONS sip:744971@168.119.19.60:5060;line=gijqcpi
223 80.132219 pbx_ip_address sip_provider_ip SIP 907 Status: 200 OK
289 104.866176 pbx_ip_address sip_provider_ip SIP 617 Request: REGISTER sip:sip_host_address:5060 (1 binding)
290 104.870735 sip_provider_ip pbx_ip_address SIP 563 Status: 401 Unauthorized
291 104.874160 pbx_ip_address sip_provider_ip SIP 868 Request: REGISTER sip:sip_host_address:5060 (1 binding)
292 104.881614 sip_provider_ip pbx_ip_address SIP 551 Status: 200 OK (1 binding)
302 105.676832 pbx_ip_address sip_provider_ip SIP 471 Request: OPTIONS sip:sip_host_address:5060
303 105.681478 sip_provider_ip pbx_ip_address SIP 442 Status: 200 OK
309 110.240629 sip_provider_ip pbx_ip_address SIP 379 Request: OPTIONS sip:744971@168.119.19.60:5060;line=gijqcpi
310 110.244076 pbx_ip_address sip_provider_ip SIP 907 Status: 200 OK
326 115.241190 pbx_ip_address phone_ip_addr SIP 500 Request: OPTIONS sip:1001@phone_ip_address:5060;user=phone;transport=udp
327 115.324611 phone_ip_addr pbx_ip_address SIP/SDP 1244 Status: 200 OK
I was hoping to see the INVITE that showed on the IPSec interface on location A showing on location B, however those don't show.
The IP Phone reaches the PBX server fine, it has TFTP, config files and the like, everything is loaded fine. I see some traffic back and forth, except those INVITEs. Not sure about it but I was expecting to see them on the other side, maybe that's not it, dunno. As mentioned initially, incoming calls work fine. Some ideas please? Thank you.
EDIT: After reading some topics here in the forums about VOIP issues we also disabled pf scrubbing on both ends, saved and tested, however the results were the same.
-
That IPSec is used is irrelevant. A VPN simply provides an IP connection between two points. The issue could be routing, filters and our all-time favourite NAT, if used. Based on your description, my bet would be on rules.
-
@jknott Hi and thanks for your reply. I'm also thinking that the fact of being a VPN wasn't all that important but I wanted to give the most information possible, because I'm clueless on this.
About NAT, since the IP Phone is connecting directly to the PBX, not connecting to its public IP, I figure NAT isn't involved.
Don't know what rules could be influencing this. We allow all traffic from location A to location B, and we can see in the above packet captures that communications between the pbx_ip_address and phone_ip_addr are present on all the captures. Since we're not blocking any ports or protocols, and allowing all traffic between these networks, what kind of rules (or filters?) could be influencing this? Thank you
-
I assume your IPSec VTI is running on a 1400 Byte MTU. IP fragmentation doesn't work on the pfSense IPSec implementation the last time I checked. There is an open issue about that somewhere in Redmine.
So your 1411 Bytes long SIP INVITEs get dropped due to this limitation. What you can do is to raise the VTI MTU, depending on your WAN MTU and your configured encryption. Another workaround is to switch to SIP over TCP, so the segments get right-sized according to the configured MSS on the VTI interface.
-
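The diagnosis above can be checked mechanically. The following is an added example written for this page, not code from the thread or from pfSense: it parses Wireshark summary lines like the ones pasted in the question, flags every packet that would not fit a given tunnel MTU, counts requests that were retransmitted verbatim (the INVITE backoff visible in the Location A capture), and computes the largest inner packet an ESP tunnel can carry for a given WAN MTU and transform, which is the number to set as the VTI MTU. The sample capture is constructed to mirror the Location A paste; the ESP transform table lists candidate transforms only, since the thread does not say which one the tunnel uses; and the Length column is assumed to be raw IP with no link-layer header, as on a VTI/tun-style capture.

```python
"""Checker for the symptom in this thread: SIP INVITEs that are larger than
the IPsec VTI MTU leave one side of the tunnel and never appear on the other.

Parses Wireshark summary lines, flags packets over a given MTU, counts
requests retransmitted verbatim, and computes the largest inner packet an ESP
tunnel can carry for a WAN MTU and transform (RFC 4303 framing).
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample modelled on the Location A capture pasted in the thread.
SAMPLE_LOCATION_A = """\
1 0.000000 phone_ip_address pbx_ip_address SIP/SDP 1411 Request: INVITE sip:dest_number@pbx_ip_address;user=phone
2 0.493312 phone_ip_address pbx_ip_address SIP/SDP 1411 Request: INVITE sip:dest_number@pbx_ip_address;user=phone
3 1.497405 phone_ip_address pbx_ip_address SIP/SDP 1411 Request: INVITE sip:dest_number@pbx_ip_address;user=phone
4 3.491759 phone_ip_address pbx_ip_address SIP/SDP 1411 Request: INVITE sip:dest_number@pbx_ip_address;user=phone
5 7.468388 phone_ip_address pbx_ip_address SIP/SDP 1411 Request: INVITE sip:dest_number@pbx_ip_address;user=phone
6 15.424257 phone_ip_address pbx_ip_address SIP/SDP 1411 Request: INVITE sip:dest_number@pbx_ip_address;user=phone
7 18.761780 pbx_ip_address phone_ip_addr SIP 498 Request: OPTIONS sip:1001@phone_ip_address:5060;user=phone;transport=udp
8 18.798179 phone_ip_address pbx_ip_address SIP/SDP 1242 Status: 200 OK
9 31.331245 phone_ip_address pbx_ip_address SIP/SDP 1411 Request: INVITE sip:dest_number@pbx_ip_address;user=phone
"""

SUMMARY_RE = re.compile(
    r"^\s*(?P<no>\d+)\s+(?P<time>[\d.]+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+"
    r"(?P<proto>\S+)\s+(?P<length>\d+)\s+(?P<info>.+?)\s*$"
)


@dataclass(frozen=True)
class Frame:
    no: int
    time: float
    src: str
    dst: str
    proto: str
    length: int  # Wireshark "Length" column for this interface
    info: str


def parse_summary(text: str) -> list[Frame]:
    """Parse 'No. Time Source Destination Protocol Length Info' lines."""
    frames = []
    for line in text.splitlines():
        m = SUMMARY_RE.match(line)
        if m:
            frames.append(Frame(int(m["no"]), float(m["time"]), m["src"], m["dst"],
                                m["proto"], int(m["length"]), m["info"]))
    return frames


def oversized(frames: list[Frame], mtu: int, link_header: int = 0) -> list[Frame]:
    """Frames whose IP packet exceeds the tunnel MTU and so cannot be forwarded
    whole. link_header is the link-layer header size included in Length: a
    VTI/tun-style capture shows raw IP (0, assumed here); Ethernet adds 14."""
    return [f for f in frames if f.length - link_header > mtu]


def retransmitted_requests(frames: list[Frame]) -> dict[tuple[str, str, str], int]:
    """Requests repeated verbatim on the same (src, dst, Info). Over UDP a UAC
    re-sends an INVITE only while no response has arrived (RFC 3261 Timer A),
    so a long run of identical INVITEs is the fingerprint of a dropped request."""
    counts = Counter((f.src, f.dst, f.info) for f in frames if f.info.startswith("Request:"))
    return {key: n for key, n in counts.items() if n > 1}


# (IV bytes, ICV bytes, pad block size) from RFC 3602 / RFC 2404 / RFC 4868 / RFC 4106.
# Candidate transforms only; the thread does not say which one the tunnel uses.
ESP_TRANSFORMS = {
    "aes-cbc+hmac-sha1-96": (16, 12, 16),
    "aes-cbc+hmac-sha256-128": (16, 16, 16),
    "aes-gcm-16": (8, 16, 4),
}


def max_inner_packet(wan_mtu: int, transform: str, nat_t: bool = False,
                     ipv6_outer: bool = False) -> int:
    """Largest inner IP packet that fits one outer datagram in ESP tunnel mode;
    this is the value to set as the VTI MTU to avoid fragmentation."""
    iv, icv, block = ESP_TRANSFORMS[transform]
    outer_ip = 40 if ipv6_outer else 20
    udp_encap = 8 if nat_t else 0   # UDP/4500 header when NAT-T is in use
    esp_header = 8                  # SPI + sequence number
    budget = wan_mtu - outer_ip - udp_encap - esp_header - iv - icv
    # inner packet + padding + 2-byte trailer (pad length, next header) is block-aligned
    return budget - budget % block - 2


def report(text: str, mtu: int) -> list[str]:
    """Human-readable findings for a pasted capture and a tunnel MTU."""
    frames = parse_summary(text)
    lines = [f"packet {f.no}: {f.length} bytes > MTU {mtu}: {f.info}"
             for f in oversized(frames, mtu)]
    for (src, dst, info), n in retransmitted_requests(frames).items():
        lines.append(f"{src} -> {dst} retransmitted {n}x: {info}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOCATION_A, mtu=1400)))
    for t in ESP_TRANSFORMS:
        print(f"WAN MTU 1500, {t}: VTI MTU {max_inner_packet(1500, t)}")
```

Run against the sample with an MTU of 1400, the only packets flagged are the seven 1411-byte INVITEs; every OPTIONS and 200 OK is well under the limit, which is exactly why keep-alives and provisioning work while outbound calls do not. The same check with `link_header=14` flags nothing, so before trusting the result confirm what the capture interface's Length column actually includes. To confirm the real path MTU end to end, a ping with the don't-fragment bit set (`ping -D -s <size>` on FreeBSD, `ping -M do -s <size>` on Linux) toward the far side of the tunnel will fail above the true limit.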
@artes
SIP normally uses TCP. It's RTP that uses UDP.
-
Well, SIP supports both; @maverickws's implementation is using UDP if you take a closer look at the captures he provided.
-
@Artes
Thanks a lot for your input. Actually your comment was right on the spot. Location B has a requirement of 1400 MTU. After changing to TCP instead of UDP, everything is working. Great help, thanks a lot both you and @JKnott for the comments! Have a nice weekend ahead! Cheers!