Re: SIP ALG and VoIP

2022-01-11 Thread Cand Tec
Guys,
Thanks for the quick response and advice...always helpful as usual

On Tue, Jan 11, 2022 at 8:07 AM Stuart Henderson 
wrote:

> On 2022-01-11, Chris Cappuccio  wrote:
> > Atticus [grobe...@gmail.com] wrote:
> >> It isn't just SIP. You will need to set up NAT traversal and make sure
> RTP
> >> traffic can pass as well. Setting up a STUN server and configuring the
> >> clients to use it should aid in the NAT portion. The RTP traffic should
> be
>
> Sometime STUN can be used to optimise things (getting call media direct
> between endpoints rather than going via a PBX) but it adds complication
> and is hardly ever _needed_.
>
> >> fine as long as pf is being stateful. If the phones register over SIP
> fine,
> >> but have no audio, then the RTP traffic isn't getting where it should.
> IMO,
> >> it makes more sense to use an on-site PBX so you only have to deal with
> >> traffic to/from the one host, but that doesn't sound like an option for
> you.
> >>
> >
> > Using Asterisk as a SIP server and media gateway, on a public IP with
> phones
> > behind NAT, you can get NAT traversal via RFC 3581+symmetric RTP
> (sip.conf
> > nat=yes) without STUN and without a firewall SIP ALG.
> >
> > Freeswitch and also Kamailio + rtpproxy can do similar. These gateways
> are
> > all capable of symmetric RTP, and have been since forever.
> >
> > If you are connecting phones inside of your NAT to an outside SIP
> provider,
> > or PBX device, make sure the PBX has a public IP (not behind another NAT
> > itself) and has symmetric RTP enabled.
>
> Most end-user-facing SIP providers (rather than wholesale providers)
> seem pretty capable of handling client devices or PBXs behind NAT.
>
> Generally getting this to work natively requires that whoever is
> configuring
> it understands how the protocols work, and software that allows things like
> sending RTP back to the IP that a SIP message was received from, and
> sending SIP keepalives back to the source port that it received requests
> from (frequent enough to avoid them timing out). It's not hard, but
> is often not something that techs from a telco will do.
>
> Another way to do things is to use VPNs and bypass firewalls/NAT that
> way.
>
>
>


Re: SIP ALG and VoIP

2022-01-11 Thread Cand Tec
Thanks to both of you for the valued information. Much appreciated.
@Atticus
This was rather short notice. I wasn't aware that they had gone ahead with
the service installation. Unfortunately in this case there's no on-site
PBX. Understandable given the current work-from-home situation. The
provider (Bell) is installing a dry-loop that should fix the issue in this
case.
@Chris
Thanks for identifying some additional solutions. I'll have to find a
suitable solution for a separate client installation in the next 2 weeks.
They will also use softphones and will not have any on-site PBX.
On a separate note, I looked at all the logs but couldn't see any
attempted/dropped SIP traffic from the softphones from any of the internal
users or Bell techs during the morning testing. Shouldn't there be some
traffic?

On Tue, Jan 11, 2022 at 1:18 AM Chris Cappuccio  wrote:

> Atticus [grobe...@gmail.com] wrote:
> > It isn't just SIP. You will need to set up NAT traversal and make sure
> RTP
> > traffic can pass as well. Setting up a STUN server and configuring the
> > clients to use it should aid in the NAT portion. The RTP traffic should
> be
> > fine as long as pf is being stateful. If the phones register over SIP
> fine,
> > but have no audio, then the RTP traffic isn't getting where it should.
> IMO,
> > it makes more sense to use an on-site PBX so you only have to deal with
> > traffic to/from the one host, but that doesn't sound like an option for
> you.
> >
>
> Using Asterisk as a SIP server and media gateway, on a public IP with
> phones
> behind NAT, you can get NAT traversal via RFC 3581+symmetric RTP (sip.conf
> nat=yes) without STUN and without a firewall SIP ALG.
>
> Freeswitch and also Kamailio + rtpproxy can do similar. These gateways are
> all capable of symmetric RTP, and have been since forever.
>
> If you are connecting phones inside of your NAT to an outside SIP provider,
> or PBX device, make sure the PBX has a public IP (not behind another NAT
> itself) and has symmetric RTP enabled.
>


Re: SIP ALG and VoIP

2022-01-10 Thread Cand Tec
Happy New Year to everyone!

I currently run OpenBSD FW v7.0 with vpn setups at a few client sites.
Fantastic... no issues.
One client recently changed office location (this week exactly) and had
Bell install a voip system using softphones. The phones worked last week.
However, now that the rest of server-room equipment has been brought over
and installed on the weekend including the BSD FW, the phones stopped
working.
A Bell tech spent most of the day on site today switching the Bell modem
from bridge mode to pass-through mode but still no luck. We've decided to
install a dry-loop to remedy the issue.
I prefer not to open any ports obviously, but should I have added a pf rule
that explicitly opens port 5060/udp for the sip server?
Is anyone using pf with voip phones that could point me in the right
direction?
I have another client doing a similar implementation in the next 2 weeks
albeit different ISP & VoIP provider. So I'm kind of interested in
what's the best option or config going forward.
Thanks in advance for your response.
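The approach the replies in this thread converge on (stateful pf, no SIP ALG, the provider handling NAT via RFC 3581 and symmetric RTP, keepalives that outlive the UDP state) written out as a pf.conf fragment. This is an added example, not configuration from any poster; em0/em1, 192.168.1.0/24 and the provider addresses are placeholders.

```pf
# Added example (not from any post in the thread): pf.conf fragment for
# softphones on the LAN registering with an external SIP provider through
# a stateful pf firewall, with no SIP ALG and no inbound port opened.
# Placeholders: em0 = egress, em1 = LAN, 192.168.1.0/24, provider addresses.
ext_if  = "em0"
lan_if  = "em1"
lan_net = "192.168.1.0/24"
table <sip_provider> { 203.0.113.10, 203.0.113.11 }   # provider SIP/media hosts (placeholder)

# UDP states must outlive the phones' SIP keepalive interval, otherwise the
# provider's replies arrive on an expired state and are dropped
# (pf defaults: udp.first 60, udp.single 30, udp.multiple 60 seconds).
set timeout { udp.first 120, udp.single 60, udp.multiple 120 }

# Deny and log by default, so a dropped SIP or RTP packet shows up in pflog
# instead of vanishing silently.
block log all

# Phones talk UDP (5060 for SIP, provider-chosen ports for RTP) to the
# provider hosts only. The phone's first outbound packet creates the state;
# replies, keepalive answers and return media ride that same state, so there
# is deliberately no "pass in ... port 5060" rule here.
pass in  quick on $lan_if inet proto udp from $lan_net to <sip_provider>
pass out log quick on $ext_if inet proto udp from $lan_net to <sip_provider> nat-to ($ext_if)

# Ordinary LAN egress.
pass in  on $lan_if inet from $lan_net
pass out on $ext_if inet from $lan_net nat-to ($ext_if)

# Checks after loading with "pfctl -f /etc/pf.conf":
#   pfctl -ss | grep 5060             # the registration state should be listed
#   tcpdump -n -e -ttt -i pflog0 udp  # logged pass/block decisions for SIP and RTP
```

With `log` on the SIP/RTP pass rule and a logged default block, a registration attempt from a softphone appears in pflog either way, which is the quickest way to tell "phone never sent anything" from "firewall dropped it".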


Re: link aggregation config

2021-07-22 Thread Cand Tec
I've a few openbsd 6.8 installations running as a FW/router/vpn at some
client offices. No problems, it just works!
I would like to use openbsd 6.9 on x86 HW (either lanner device or dell
rack mount svr) at this new client (mining industry). They're however in a
bandwidth constrained location being a mining site.
The current ISP - xplornet - provides an LTE-25 connection and from what
I've been told, the connections terminate via an ethernet cable from the ISP
provided modem.
The client has added 2 additional services for a total of 3 LTE
connections. I would like to bundle these 3 connections to provide
increased bandwidth for the local LAN. I was thinking of using aggr(4) to
config the interfaces, but I need some clarification or direction on how
best to achieve this.
At the moment this is strictly for internet access and there are no session
based services as yet.
Based on what I see in the man aggr -
ifconfig aggr0 create
ifconfig aggr0 trunkport em0
ifconfig aggr0 trunkport em1
ifconfig aggr0 trunkport em2
ifconfig aggr0 192.168.1.100/24
ifconfig aggr0 up
Do I need to assign the wan ips to the respective interfaces in the aggr0?
I've looked at all the postings over the last 3 years so far and I've not
come across anyone using a similar setup. Is there anyone doing this type
of bonding with multiple wan ips?
I'm not looking for fail-over or active/passive setups but mainly bonding.

Thanks in advance for your comments


iamahuman

2021-01-13 Thread Cand Tec
Modifying and resending due to advisory received...

This is my first time responding to a post so forgive me if I violate
any protocols here. I currently use OBSD 6.8 amd64 as a FW for 3
office clients, all running on high-end repurposed desktops. Due to
covid I've had to quickly setup ikev for a very small number of home
users, none of which are roadwarriors and all use Win10. Yes, I know I
should be using ikev2, so don't chew me out, at the time it was just
quicker.
Using the UI in Win10 is not the way to go. Apparently the Win10
default parameters via UI do not provide the required ciphers.
I used powershell to modify the parameters first then use the vpn
connection properties to finalize the settings. It worked 100% of the
times without fail. When I duplicated using only the Win10 UI it
failed in every instance.

Here are the powershell cmds I used to modify my default vpn settings
which has worked every time -

PS C:\> Add-VpnConnection -Name "VPN_NAME" -ServerAddress vpn.domain.com `
    -TunnelType "L2tp"

PS C:\> Set-VpnConnectionIPsecConfiguration -ConnectionName "VPN_NAME" `
    -AuthenticationTransformConstants None -CipherTransformConstants AES256 `
    -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -PfsGroup None `
    -DHGroup Group14 -PassThru -Force



Here's some info I found helpful -


L2TP issues with Win 10 – phase1 does not form due to insecure default
parameters

REGISTRY SOLUTION:
https://www.stevenjordan.net/2016/09/secure-ikev2-win-10.html



Create a registry key that enforces modern cipher and transform sets.

STEP 1:  Edit Registry or create GPO:

HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters\
STEP 2: Create new DWORD value:
NegotiateDH2048_AES256

STEP 3:  Modify DWORD value: 2


One caveat, whenever a major Win10 update is installed it tends to
reset the Win10 vpn parameters you modified. It's not consistent, but
I've had to reset it a few times. Other than that it has been flawless
so far...if you can call it that.

Hopefully this helps.


On Wed, Jan 13, 2021 at 8:04 AM Cand Tec  wrote:
>
> This is my first time responding to a post so forgive me if I violate any 
> protocols here. I currently use OBSD 6.8 amd64 as a FW for 3 office clients, 
> all running on high-end repurposed desktops. Due to covid I've had to quickly 
> setup ikev for a very small number of home users, none of which are 
> roadwarriors and all use Win10. Yes, I know I should be using ikev2, so don't 
> chew me out, at the time it was just quicker.
> Using the UI in Win10 is not the way to go. Apparently the Win10 default 
> parameters via UI do not provide the required ciphers.
> I used powershell to modify the parameters first then use the vpn connection 
> properties to finalize the settings. It worked 100% of the times without 
> fail. When I duplicated using only the Win10 UI it failed in every 
> instance.
>
> Here are the powershell cmds I used to modify my default vpn settings which 
> has worked every time -
>
> PS C:\> Add-VpnConnection -Name "VPN_NAME" -ServerAddress vpn.domain.com 
> -TunnelType "L2tp"
>
> PS C:\> Set-VpnConnectionIPsecConfiguration -ConnectionName "VPN_NAME" 
> -AuthenticationTransformConstants None -CipherTransformConstants AES256 
> -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -PfsGroup None -DHGroup 
> Group14 -PassThru -Force
>
>
>
> Here's some info I found helpful -
>
>
> L2TP issues with Win 10 – phase1 does not form due to insecure default 
> parameters
>
> REGISTRY SOLUTION:  
> https://www.stevenjordan.net/2016/09/secure-ikev2-win-10.html
>
>
>
> Create a registry key that enforces modern cipher and transform sets.
>
> STEP 1:  Edit Registry or create GPO:
>
> HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters\
> STEP 2: Create new DWORD value:
> NegotiateDH2048_AES256
>
> STEP 3:  Modify DWORD value: 2
>
>
> One caveat, whenever a major Win10 update is installed it tends to reset the 
> Win10 vpn parameters you modified. It's not consistent, but I've had to reset 
> it a few times. Other than that it has been flawless so far...if you can call 
> it that.
>
> Hopefully this helps.
>
>
> On Wed, Jan 13, 2021 at 5:30 AM Patrick Wildt  wrote:
>>
>> Am Wed, Jan 13, 2021 at 01:12:09AM -0700 schrieb Ian Timothy:
>> > Hi,
>> >
>> > I'm trying to get IKEv2 VPN working with Windows 10. I'm able to use PSK 
>> > with macOS without issue. Changing to EAP MSCHAP for use with Windows 
>> > results in the following error:
>> >
>> > "The network connection between your computer and the VPN server could not 
>> > be established because the remote server is not responding. The could be 
>> > because one of the network 

Re: IKEv2 on Windows 10

2021-01-13 Thread Cand Tec
This is my first time responding to a post so forgive me if I violate any
protocols here. I currently use OBSD 6.8 amd64 as a FW for 3 office
clients, all running on high-end repurposed desktops. Due to covid I've had
to quickly setup ikev for a very small number of home users, none of which
are roadwarriors and all use Win10. Yes, I know I should be using ikev2, so
don't chew me out, at the time it was just quicker.
Using the UI in Win10 is not the way to go. Apparently the Win10 default
parameters via UI do not provide the required ciphers.
I used powershell to modify the parameters first then use the vpn
connection properties to finalize the settings. It worked 100% of the times
without fail. When I duplicated using only the Win10 UI it failed in
every instance.

Here are the powershell cmds I used to modify my default vpn settings which
has worked every time -

PS C:\> Add-VpnConnection -Name "VPN_NAME" -ServerAddress vpn.domain.com `
    -TunnelType "L2tp"

PS C:\> Set-VpnConnectionIPsecConfiguration -ConnectionName "VPN_NAME" `
    -AuthenticationTransformConstants None -CipherTransformConstants AES256 `
    -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -PfsGroup None `
    -DHGroup Group14 -PassThru -Force



Here's some info I found helpful -



L2TP issues with Win 10 – phase1 does not form due to insecure default
parameters

REGISTRY SOLUTION:
https://www.stevenjordan.net/2016/09/secure-ikev2-win-10.html


Create a registry key that enforces modern cipher and transform sets.

STEP 1:  Edit Registry or create GPO:

HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters\
STEP 2: Create new DWORD value:
NegotiateDH2048_AES256

STEP 3:  Modify DWORD value: 2


One caveat, whenever a major Win10 update is installed it tends to reset
the Win10 vpn parameters you modified. It's not consistent, but I've had to
reset it a few times. Other than that it has been flawless so far...if you
can call it that.

Hopefully this helps.

On Wed, Jan 13, 2021 at 5:30 AM Patrick Wildt  wrote:

> Am Wed, Jan 13, 2021 at 01:12:09AM -0700 schrieb Ian Timothy:
> > Hi,
> >
> > I'm trying to get IKEv2 VPN working with Windows 10. I'm able to use PSK
> with macOS without issue. Changing to EAP MSCHAP for use with Windows
> results in the following error:
> >
> > "The network connection between your computer and the VPN server could
> not be established because the remote server is not responding. The could
> be because one of the network devices (e.g. firewalls, NAT, routers, etc.)
> between your computer and the remote server is not configured to allow VPN
> connections."
> >
> > I’ve worked through many examples online, but I’m not sure what's the
> next step to troubleshoot this?
> >
> > Thanks!
> >
> >
> >
> > # uname -rsv
> > OpenBSD 6.8 GENERIC.MP#2
> >
> >
> > #
> > # iked.conf
> > #
> >
> > ikev2 "vpn-psk" passive esp \
> >   from 0.0.0.0/0 to 0.0.0.0/0 \
>
> Hi,
>
> if you're using config address (as in giving peers a tunnel IP), you
> need to configure
>
> from 0.0.0.0/0 to 0.0.0.0 \
>
> The "to" becomes a /32, a /0 is wrong.  This is because of internal
> semantics.  Anyway, this confusing bit has been changed in -current,
> as you can read here:
>
> https://www.openbsd.org/faq/current.html
>
> But unless you're using current, you still need the line above.
>
> But since you're complaining about EAP MSCHAP, I don't know what's the
> issue there.  Maybe tobhe@ or sthen@ have an idea.
>
> Patrick
>
> >   local egress peer any \
> >   srcid vpn.company.com \
> >   eap "mschap-v2" \
> >   config address 10.0.2.0/24 \
> >   config netmask 255.255.0.0 \
> >   config name-server 10.0.0.1 \
> >   tag "$name-$id"
> >
> > # Changing 'eap "mschap-v2"' to 'psk "password"' works just fine for
> macOS.
> >
> >
> > #
> > # Generate certificates
> > #
> >
> > pkg_add zip
> >
> > ikectl ca vpn create
> > ikectl ca vpn install
> >
> > # CN should be same as srcid in iked.conf
> > ikectl ca vpn certificate vpn.company.com create
> > ikectl ca vpn certificate vpn.company.com install
> >
> > # CN should be same as client ip address
> > ikectl ca vpn certificate 10.0.2.100 create
> > ikectl ca vpn certificate 10.0.2.100 export
> >
> >
> > #
> > # Windows config
> > #
> >
> > - VPN device
> >- General tab
> >   - Server: vpn.company.com
> >- Security tab
> >   - VPN type: IKEv2
> >   - Authentication: Use machine certificates
> >
> > - Certs install
> >- ca.crt --> Certificates (Local Computer)/Trusted Root Certification
> Authorities/Certificates
> >- 10.0.2.100 --> Certificates (Local Computer)/Personal/Certificates
> >
> >
> > #
> > # iked log
> > #
> >
> > doas iked -dvv
> > create_ike: using signature for peer
> > ikev2 "vpn-eap" passive tunnel esp inet from 0.0.0.0/0 to 0.0.0.0/0
> local 23.AAA.AAA.129 peer any ikesa enc aes-128-gcm,aes-256-gcm prf
> hmac-sha2-256,hmac-sha2-384,hmac-sha2-512,hmac-sha1 group
>