Re: [asterisk-users] New thread - SIP over VPN
On Sat, 2009-09-26 at 22:47 -0700, Dave Platt wrote:
> > Isn't an SSL based tunnel all TCP?
>
> There seems to be a good deal of feeling (and evidence) that trying to use TCP as the container for a tunnel is likely to cause more trouble than it solves. Yes, the TCP layer will make the tunnel reliable - but at the expense of adding unpredictable amounts of latency, due to TCP's built-in exponential-backoff retry timing.
>
> Things get *really* nasty if you try to wrap one TCP connection in another, because both connections will be independently retrying any lost or delayed packets - you'll end up retransmitting quite a bit more data than you would if you simply used TCP/IP (or TCP/IP wrapped in UDP/IP) and throughput will suffer.

That is the main reason why the widespread use of (TCP) SSH tunnels is discouraged: you get a TCP protocol encapsulated in another TCP layer. Missing frames will be corrected by the outermost TCP protocol suite; however, as soon as you have a bad connection (often wifi) and are confronted with timeouts, re-transmissions will only make things worse and end up in a snowball effect.

So I would opt for an IPsec tunnel or OpenVPN with UDP. If you have a rock-solid connection you could even use an OpenSSH VPN tunnel.

hw

___
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
AstriCon 2009 - October 13 - 15 Phoenix, Arizona Register Now: http://www.astricon.net
asterisk-users mailing list
To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
[asterisk-users] New thread - SIP over VPN
On Sat, 26 Sep 2009, Alan Lord (News) wrote:
> Hmmm, has anyone tried SIP over a VPN? We are thinking of testing this but haven't yet...
>
> Al

I have a client with Sonicwall VPNs. Asterisk is at head office on internal LAN, six external locations all have Linksys 2102 ATAs and Polycom IP501 phones registering and placing calls through the tunnels. It seems to work fine, but there is plenty of bandwidth between the offices, and they use G729. I think wrapping up the UDP stream into a TCP based tunnel might cause havoc if there is any packet loss or delay.

j
Re: [asterisk-users] New thread - SIP over VPN
I use SIP over OpenVPN incessantly. Works great.

Jeff LaCoursiere wrote:
> On Sat, 26 Sep 2009, Alan Lord (News) wrote:
> > Hmmm, has anyone tried SIP over a VPN? We are thinking of testing this but haven't yet...
> >
> > Al
>
> I have a client with Sonicwall VPNs. Asterisk is at head office on internal LAN, six external locations all have Linksys 2102 ATAs and Polycom IP501 phones registering and placing calls through the tunnels. It seems to work fine, but there is plenty of bandwidth between the offices, and they use G729. I think wrapping up the UDP stream into a TCP based tunnel might cause havoc if there is any packet loss or delay.
>
> j

--
Alex Balashov - Principal
Evariste Systems
Web : http://www.evaristesys.com/
Tel : (+1) (678) 954-0670
Direct : (+1) (678) 954-0671
Re: [asterisk-users] New thread - SIP over VPN
Depending on the latency, wrapping the UDP stream into a TCP-based tunnel can be good -- if the VPN tunnel occasionally drops a packet, the tunnel will re-transmit the UDP packet. Of course, if the (one-way) latency is too high, the re-transmitted payload will arrive outside the jitter buffer and be dropped by the SIP CPE.

Frank

-----Original Message-----
From: asterisk-users-boun...@lists.digium.com [mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Jeff LaCoursiere
Sent: Saturday, September 26, 2009 2:32 PM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: [asterisk-users] New thread - SIP over VPN

On Sat, 26 Sep 2009, Alan Lord (News) wrote:
> Hmmm, has anyone tried SIP over a VPN? We are thinking of testing this but haven't yet...
>
> Al

I have a client with Sonicwall VPNs. Asterisk is at head office on internal LAN, six external locations all have Linksys 2102 ATAs and Polycom IP501 phones registering and placing calls through the tunnels. It seems to work fine, but there is plenty of bandwidth between the offices, and they use G729. I think wrapping up the UDP stream into a TCP based tunnel might cause havoc if there is any packet loss or delay.

j
Re: [asterisk-users] New thread - SIP over VPN
On Sat, 2009-09-26 at 19:32 +, Jeff LaCoursiere wrote:
> On Sat, 26 Sep 2009, Alan Lord (News) wrote:
> > Hmmm, has anyone tried SIP over a VPN? We are thinking of testing this but haven't yet...
> >
> > Al
>
> I have a client with Sonicwall VPNs. Asterisk is at head office on internal LAN, six external locations all have Linksys 2102 ATAs and Polycom IP501 phones registering and placing calls through the tunnels. It seems to work fine, but there is plenty of bandwidth between the offices, and they use G729. I think wrapping up the UDP stream into a TCP based tunnel might cause havoc if there is any packet loss or delay.
[snip]

We are using SIP over both IPSec and SSL VPNs very successfully with access controls in the tunnel ingress via the ISCS network security management project (http://iscs.sourceforge.net). There are a couple of issues.

I'm not sure what you mean by a TCP tunnel unless you are referring to something like using OpenVPN over TCP rather than the default UDP. IPSec tunnels (which we use for LAN-to-LAN connections) are an IP level protocol and not TCP. OpenVPN (which we use for remote access) defaults to UDP port 1194 but can use any UDP or TCP socket. There has been some discussion that using it over TCP for VoIP can produce better results because the packets are less likely to be delivered out of order although perhaps with greater latency.

All VPN processes will introduce additional latency. We have not found that to be a problem but several rounds of encryption / decryption over long distance connections in complex environments might introduce enough latency to be problematic. We have not found that yet.

Depending on your VPN protocol implementation, there may or may not be an option to pass the ToS bits from the original packet into the IP header of the VPN packet. This is very important. Even though the Internet will not honor the ToS bits, you will want the gateways on both ends to do so, especially the one placing the packets onto your last mile.

Since the VPN gateways cannot look inside the packet until it is decrypted, they have no way of distinguishing a large FTP packet from an RTP packet. Passing the ToS bits through may help. However, be careful. Most VoIP implementations seem to be setting DSCP bits instead of explicitly the ToS bits. DSCP uses the ToS bits but in a way different from the way ToS is set up to interpret them. If I remember correctly, setting DSCP to Expedited Forwarding sets the bits which coincide with ToS in such a way that Linux based gateways will place the packets into band 1 which is the default processing band and not band 0 which is the high priority band. For example, on Asterisk, we did not set our RTP QoS to b8 but rather to b0 (if I recall correctly).

We have one case using OpenVPN where the sound quality is occasionally problematic. In our case it's a little easy. The remote desktops are based upon our soon to be released SimplicITy model (http://www.ssiservices.biz) and accessed via NX or X2Go technology. Usually, the only traffic passing through the OpenVPN tunnel is the VoIP traffic. We have thus changed the gateway itself to treat all UDP packets on port 1194 as high priority. We'll see if that makes the problem go away.

Hope this helps - John

--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsulli...@opensourcedevel.com
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
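The band placement John describes can be checked rather than recalled. The following is an added example (Python, not code from the thread or from Asterisk or OpenVPN): it reproduces the Linux kernel's ToS-to-priority table (`ip_tos2prio` in net/ipv4/route.c, indexed by the four legacy ToS bits) and the default pfifo_fast priomap documented in tc-prio(8), then classifies a few constructed flows as a Linux gateway running pfifo_fast would. It also shows what the gateway sees when the VPN does not copy the inner ToS byte into the outer tunnel header. The flow names and ToS values are constructed for illustration.

```python
"""Which pfifo_fast band a Linux gateway puts a packet in, from its ToS byte.

Added example; tables are the kernel's own (net/ipv4/route.c, tc-prio(8)),
the flows below are constructed.
"""

# Linux priority classes used by ip_tos2prio (include/uapi/linux/pkt_sched.h).
TC_PRIO_BESTEFFORT = 0
TC_PRIO_BULK = 2
TC_PRIO_INTERACTIVE_BULK = 4
TC_PRIO_INTERACTIVE = 6

# skb->priority = ip_tos2prio[(tos & 0x1E) >> 1]: the index is the legacy
# ToS nibble (lowdelay 0x10, throughput 0x08, reliability 0x04, mincost 0x02).
IP_TOS2PRIO = (
    [TC_PRIO_BESTEFFORT] * 4        # neither lowdelay nor throughput set
    + [TC_PRIO_BULK] * 4            # throughput set, lowdelay clear
    + [TC_PRIO_INTERACTIVE] * 4     # lowdelay set, throughput clear
    + [TC_PRIO_INTERACTIVE_BULK] * 4  # lowdelay and throughput both set
)

# Default pfifo_fast priomap from tc-prio(8): priority -> band.
# Band 0 is always dequeued first, band 1 is the "normal" band, band 2 last.
PFIFO_FAST_PRIOMAP = [1, 2, 2, 2, 1, 2, 0, 0, 1, 1, 1, 1, 1, 1, 1, 1]


def dscp_to_tos(dscp):
    """DSCP occupies the top six bits of the ToS byte (RFC 2474)."""
    return (dscp & 0x3F) << 2


def tos_to_priority(tos):
    """Internal Linux priority derived from the legacy ToS bits of a packet."""
    return IP_TOS2PRIO[(tos & 0x1E) >> 1]


def pfifo_fast_band(tos):
    """Band a pfifo_fast qdisc assigns to a packet carrying this ToS byte."""
    return PFIFO_FAST_PRIOMAP[tos_to_priority(tos) & 0xF]


def outer_tos(inner_tos, pass_tos):
    """ToS byte visible on the encrypted tunnel packet (assumption: a VPN that
    does not copy ToS leaves the outer header at 0)."""
    return inner_tos if pass_tos else 0


def gateway_bands(flows, pass_tos):
    """Map each (name, inner_tos) flow to the band the gateway would use."""
    return {name: pfifo_fast_band(outer_tos(tos, pass_tos)) for name, tos in flows}


# Constructed flows: EF-marked RTP (0xB8), RTP marked 0xB0 as in the thread,
# a throughput-marked bulk transfer, a lowdelay-marked interactive session, plain web.
SAMPLE_FLOWS = [
    ("rtp-ef", dscp_to_tos(46)),  # DSCP 46 = EF -> ToS 0xB8
    ("rtp-b0", 0xB0),
    ("ftp-bulk", 0x08),
    ("ssh-interactive", 0x10),
    ("web", 0x00),
]

if __name__ == "__main__":
    for flag in (True, False):
        print("ToS passed through" if flag else "ToS not passed", gateway_bands(SAMPLE_FLOWS, flag))
```

With ToS copied to the outer header, EF (0xB8) lands in band 1 alongside untagged web traffic while 0xB0 lands in band 0, which is exactly the behaviour John remembers; without pass-through every flow is band 1 and the gateway cannot prefer RTP at all. pfifo_fast was the default Linux qdisc when this thread was written; a box whose default is fq_codel, or one with its own tc configuration, does not use this priomap. OpenVPN's `--passtos` option is the one that copies the inner ToS byte onto the tunnel packet.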
Re: [asterisk-users] New thread - SIP over VPN
On Sat, 26 Sep 2009, John A. Sullivan III wrote:
> [snip]
> We are using SIP over both IPSec and SSL VPNs very successfully with access controls in the tunnel ingress via the ISCS network security management project (http://iscs.sourceforge.net). There are a couple of issues.
>
> I'm not sure what you mean by a TCP tunnel unless you are referring to something like using OpenVPN over TCP rather than the default UDP.

Isn't an SSL based tunnel all TCP?

> [snip]
> to UDP port 1194 but can use any UDP or TCP socket. There has been some discussion that using it over TCP for VoIP can produce better results because the packets are less likely to be delivered out of order although perhaps with greater latency.

The resends would have to happen within the jitter buffer period, as someone else pointed out, or I would think large chunks would be missing in the audio (the missing packet plus all the ones queued up after it that missed the jitter window). Total speculation on my part.

[snipped excellent tips on ToS!]

Cheers,

j
Re: [asterisk-users] New thread - SIP over VPN
On Sat, 2009-09-26 at 22:09 +, Jeff LaCoursiere wrote:
> On Sat, 26 Sep 2009, John A. Sullivan III wrote:
> > [snip]
> > We are using SIP over both IPSec and SSL VPNs very successfully with access controls in the tunnel ingress via the ISCS network security management project (http://iscs.sourceforge.net). There are a couple of issues.
> >
> > I'm not sure what you mean by a TCP tunnel unless you are referring to something like using OpenVPN over TCP rather than the default UDP.
>
> Isn't an SSL based tunnel all TCP?

Not in the case of OpenVPN. I'm not sure about the commercial offerings. That could very well be the case as I believe most of them developed out of the web proxy model. I was probably trapped by my own context! Thanks - John

[snip]

--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsulli...@opensourcedevel.com
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
Re: [asterisk-users] New thread - SIP over VPN
On Sat, 2009-09-26 at 19:32 +, Jeff LaCoursiere wrote:
> On Sat, 26 Sep 2009, Alan Lord (News) wrote:
> > Hmmm, has anyone tried SIP over a VPN? We are thinking of testing this but haven't yet...
> >
> > Al
>
> I have a client with Sonicwall VPNs. Asterisk is at head office on internal LAN, six external locations all have Linksys 2102 ATAs and Polycom IP501 phones registering and placing calls through the tunnels. It seems to work fine, but there is plenty of bandwidth between the offices, and they use G729. I think wrapping up the UDP stream into a TCP based tunnel might cause havoc if there is any packet loss or delay.

Packet loss shouldn't be your major concern; delay (latency) is a real pita.
Re: [asterisk-users] New thread - SIP over VPN
On Sat, 2009-09-26 at 22:09 +, Jeff LaCoursiere wrote:
> On Sat, 26 Sep 2009, John A. Sullivan III wrote:
> > [snip]
> > We are using SIP over both IPSec and SSL VPNs very successfully with access controls in the tunnel ingress via the ISCS network security management project (http://iscs.sourceforge.net). There are a couple of issues.
> >
> > I'm not sure what you mean by a TCP tunnel unless you are referring to something like using OpenVPN over TCP rather than the default UDP.
>
> Isn't an SSL based tunnel all TCP?

No, could be either.

> [snip]
> > to UDP port 1194 but can use any UDP or TCP socket. There has been some discussion that using it over TCP for VoIP can produce better results because the packets are less likely to be delivered out of order although perhaps with greater latency.
>
> The resends would have to happen within the jitter buffer period, as someone else pointed out, or I would think large chunks would be missing in the audio (the missing packet plus all the ones queued up after it that missed the jitter window). Total speculation on my part.

Re-sending audio packets is a waste of resources. Better to have an audio stream with an occasional missing packet than the delay of waiting for re-transmission and re-ordering.
Re: [asterisk-users] New thread - SIP over VPN
Last week I did a Microsoft VPN from one XP computer to another via Verizon broadband wireless. SIP worked ok, but BLF on a Grandstream 2010 didn't work. In addition to the VPN, the phone was behind a NAT router. The phone was already set up behind the NAT router; the only difference was to get the connectivity via wireless VPN. There could have been some missing ports in the VPN environment. The audio was good, but there were times it lost clarity, likely due to wireless bandwidth/lag/jitter issues. I decided that couldn't be my main business phone.

Cary Fitch
Re: [asterisk-users] New thread - SIP over VPN
Resending is not a waste if the re-transmitted packet can arrive within the jitter buffer window. Practically speaking, though, since UDP packets are generally not retransmitted (unless it's within some kind of TCP-based tunnel), it's a moot point.

Frank

-----Original Message-----
From: asterisk-users-boun...@lists.digium.com [mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Hans Witvliet
Sent: Saturday, September 26, 2009 6:06 PM
To: asterisk-users@lists.digium.com
Subject: Re: [asterisk-users] New thread - SIP over VPN

[snip]

Re-sending audio packets is a waste of resources. Better to have an audio stream with an occasional missing packet than the delay of waiting for re-transmission and re-ordering.
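Frank's two points (a retransmission is only useful if it lands inside the jitter window, and whether it does depends on the one-way latency) and Jeff's speculation that a late retransmission takes the packets queued behind it down with it can be put in numbers. The following is an added example (Python, not from the thread): a toy model of a 20 ms RTP stream carried once over a UDP tunnel and once over a TCP tunnel, played out through a fixed jitter buffer. The packet counts, latencies, jitter-buffer depth and the loss position are constructed; the TCP recovery model is a deliberate simplification (fast retransmit after three duplicate ACKs, in-order delivery, no timeout backoff) and is labelled as such in the code.

```python
"""RTP over a UDP tunnel vs a TCP tunnel, through a fixed jitter buffer.

Added example with constructed numbers; the TCP behaviour is a simplified
model (fast retransmit only), not a packet capture.
"""

PTIME_MS = 20          # audio per RTP packet (common G.729 / G.711 ptime)
DUPACK_THRESHOLD = 3   # TCP fast retransmit fires after 3 duplicate ACKs


def simulate(n_packets, latency_ms, jitter_ms, lost, tunnel):
    """Play an RTP stream through a jitter buffer; return (played, dropped).

    latency_ms : one-way delay of the underlying path
    jitter_ms  : playout delay of the receiver's jitter buffer
    lost       : packet indices lost on their first trip through the tunnel
    tunnel     : "udp" (no retransmission) or "tcp" (reliable, in-order)
    dropped lists packets never played, whether lost or merely late.
    """
    played, dropped = 0, []
    hol_until = 0  # TCP: nothing behind an unrepaired hole is delivered before this
    for i in range(n_packets):
        sent = i * PTIME_MS
        deadline = sent + latency_ms + jitter_ms   # last arrival time still playable
        if i in lost:
            if tunnel == "udp":
                dropped.append(i)   # gone for good; the codec conceals one frame
                continue
            # Simplified TCP recovery: the hole is noticed when the next
            # DUPACK_THRESHOLD segments arrive (3 * PTIME_MS later), the dup ACKs
            # need latency_ms to reach the sender, the resent segment needs
            # latency_ms again. A timeout-based retransmit would be slower still.
            arrival = sent + DUPACK_THRESHOLD * PTIME_MS + 3 * latency_ms
            hol_until = max(hol_until, arrival)
        else:
            arrival = sent + latency_ms
        if tunnel == "tcp":
            # in-order delivery: segments queued behind the hole wait for the resend
            arrival = max(arrival, hol_until)
        if arrival <= deadline:
            played += 1
        else:
            dropped.append(i)       # arrived, but after its playout slot
    return played, dropped


def compare(latency_ms, jitter_ms=120, n_packets=50, lost=frozenset({10})):
    """Packets played per tunnel type for one path latency (constructed defaults:
    one second of audio, a 120 ms jitter buffer, packet 10 lost once)."""
    return {t: simulate(n_packets, latency_ms, jitter_ms, lost, t)[0]
            for t in ("udp", "tcp")}


if __name__ == "__main__":
    for latency in (20, 80):
        print(f"one-way latency {latency} ms:", compare(latency))
```

With a 120 ms jitter buffer and one lost packet, the TCP tunnel repairs the loss at 20 ms one-way latency (50 of 50 played, against 49 over UDP), but at 80 ms the resend arrives after the window and packets 10 through 14 are all discarded (45 played), which is the "large chunks missing" outcome Jeff describes. The model has a single TCP layer; stacking TCP inside TCP, as discussed elsewhere in the thread, only makes the recovery time longer.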
Re: [asterisk-users] New thread - SIP over VPN
As with many applications using UDP as a transport, most UDP-based application-layer VPN schemes (such as OpenVPN) do have some sort of rudimentary backward acknowledgment and reliability layers implemented on top of UDP. They're just a lot more lightweight, primitive, and generally much faster and less exacting than TCP.

Frank Bulk wrote:
> Resending is not a waste if the re-transmitted packet can arrive within the jitter buffer window. Practically speaking, though, since UDP packets are generally not retransmitted (unless it's within some kind of TCP-based tunnel), it's a moot point.
>
> Frank
>
> -----Original Message-----
> From: asterisk-users-boun...@lists.digium.com [mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Hans Witvliet
> Sent: Saturday, September 26, 2009 6:06 PM
> To: asterisk-users@lists.digium.com
> Subject: Re: [asterisk-users] New thread - SIP over VPN
>
> [snip]
>
> Re-sending audio packets is a waste of resources. Better to have an audio stream with an occasional missing packet than the delay of waiting for re-transmission and re-ordering.

--
Alex Balashov - Principal
Evariste Systems
Web : http://www.evaristesys.com/
Tel : (+1) (678) 954-0670
Direct : (+1) (678) 954-0671
Re: [asterisk-users] New thread - SIP over VPN
> > Isn't an SSL based tunnel all TCP?
>
> Not in the case of OpenVPN. I'm not sure about the commercial offerings.

Correct. My recollection is that OpenSSL uses TCP for the setup and management of the tunnel (e.g. authentication and key exchange) and uses UDP to carry the actual payload... each tunneled IP packet is wrapped in a UDP datagram. That way, the UDP transport mimics the basic characteristics of normal IP transport - it's best-efforts, order not guaranteed, and no built-in retries. The number of lost (or out-of-order) packets in such a tunneled connection shouldn't be significantly different than what you'd see if you weren't using a tunnel at all.

There seems to be a good deal of feeling (and evidence) that trying to use TCP as the container for a tunnel is likely to cause more trouble than it solves. Yes, the TCP layer will make the tunnel reliable - but at the expense of adding unpredictable amounts of latency, due to TCP's built-in exponential-backoff retry timing.

Things get *really* nasty if you try to wrap one TCP connection in another, because both connections will be independently retrying any lost or delayed packets - you'll end up retransmitting quite a bit more data than you would if you simply used TCP/IP (or TCP/IP wrapped in UDP/IP) and throughput will suffer.

I've been using an OpenSSL tunnel to connect my Nokia N810 internet tablet to my Asterisk server, for about a year now. It works very nicely, eliminating NAT-related problems (no need to STUN) and allowing me to use VoIP from most WiFi networks I can log onto.