
Topic: VOIP thru IpSec VPN problems


Offline rbrtpf

  • Newbie
  • *
  • Posts: 14
  • Karma: +0/-0
    • View Profile
VOIP thru IpSec VPN problems
« on: September 13, 2017, 02:10:05 pm »
I have two pfSense devices. One in location "A" and the other at location "B". At location "A", on the local LAN, is a VOIP (FreePBX) telephone box. This VOIP box is being "hit" with phishing attempts to connect from various countries.

When I create a firewall rule that allows only my VOIP provider's IP address to connect to the VOIP box the 'hits' stop. Problem is that behind the router at location "B" are two extensions that are connected to the VOIP box via an IPsec VPN (between the two pfSense routers). We are losing one side of the conversation. They can hear the incoming call but the incoming call cannot hear them.

I am struggling to create firewall rules that will allow the location "B" extensions to remain connected. Suggestions?

Offline Derelict

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 9078
  • Karma: +1037/-306
    • View Profile
Re: VOIP thru IpSec VPN problems
« Reply #1 on: September 13, 2017, 02:17:09 pm »
No rules you place on WAN should affect any connections over IPsec if the tunnel is still establishing.

Are you positive the phones are connecting to the FreePBX over the VPN for both SIP and RTP?

You might want to look at the states/packet captures/logs to be sure.
Las Vegas, Nevada, USA
Use this diagram to describe your issue.
The pfSense Book is now available for just $24.70!
Do Not PM For Help! NO_WAN_EGRESSTM

Offline rbrtpf

Re: VOIP thru IpSec VPN problems
« Reply #2 on: September 17, 2017, 07:08:28 am »
My location "B" extensions will dial out and receive calls but, no audio and the calls time out after 31 seconds. Clearly SIP is working but RTP is failing.

I have adjusted "Firewall Optimization Options" to 'High-Latency' (up one level from default) on both ends.

I have disabled "PF Scrubbing" on both ends.

FreePBX logfile clearly states "Disconnecting call 'SIP/[sanitized4security]' for lack of RTP activity in 31 seconds" so, it is RTP failing.

Both ends of the IPsec VPN are pfSense v2.3. Everything was working before the adjustments for location "A" to allow ONLY connection from my SIP provider IP address. Would this rule block RTP from location "B" somehow? As you stated, rules placed on WAN should not affect IPsec tunnel.

Do I need to add a rule at location "B" to allow RTP?

Offline Derelict

Re: VOIP thru IpSec VPN problems
« Reply #3 on: September 17, 2017, 12:04:35 pm »
It is almost impossible to diagnose something like this without real information and screen captures, packet captures, etc.

You can start by describing, in detail, where the:

Phones are
The PBX is
The SIP trunks, if any, are.

Preferably in relation to the pfSense node(s).

It sounds like you broke the connection to the SIP provider and it has nothing to do with IPsec. They all need different things. If your SIP provider has any guidance for configuring a firewall that does NAT, that would also be helpful information.

Put ALL of those settings such as high-latency and no scrubbing back to the default. They are meaningless. You probably need additional port forwards, firewall rules, and maybe some static NAT ports done properly.

Look for blocked connections from the SIP provider when you make a call that fails.

Offline rbrtpf

Re: VOIP thru IpSec VPN problems
« Reply #4 on: September 18, 2017, 07:10:23 am »
First, remember that everything worked until I set up my SIP provider as an alias to insert the 'alias' into the firewall rules to accept traffic ONLY from SIP provider. Once this was in place (to stop the blacklist IP address attacks) RTP stopped working for the extensions at home location "B". I can still dial a number from any extension at location "B" and receive calls from (my cellphone) to any extension at location "B". However, no voice (RTP) and all calls (to or from) time out after 31 seconds due to lack of voice connection.

I have not broken my connection to my SIP Provider as location "A" (Office) calls are still working and do not time out.

The IPsec tunnel is simple shared key type.

All extensions connect to 192.168.16.222 the FreePBX box.

Attached is a drawing (crude) and a packet capture (level of detail set at "medium") from the pfSense at "location A (office)" of the Yealink T23G extension (IP address) 192.168.242.170 at "location B".

Your help is greatly appreciated. Thank you in advance.

Offline Derelict

Re: VOIP thru IpSec VPN problems
« Reply #5 on: September 18, 2017, 10:12:43 am »
Please just download and attach the pcap so wireshark can do the heavy lifting. Thanks.

Offline Derelict

Re: VOIP thru IpSec VPN problems
« Reply #6 on: September 18, 2017, 10:21:41 am »
Quote
First, remember that everything worked until I set up my SIP provider as an alias to insert the 'alias' into the firewall rules to accept traffic ONLY from SIP provider. Once this was in place (to stop the blacklist IP address attacks) RTP stopped working for the extensions at home location "B".

There is no way a rule on WAN at location A can impact SIP over IPsec between A & B. You must be blocking something now that needs to be passed to/from the SIP provider.  Perhaps site A and B were using the actual public IP address from B to A for RTP and not IPsec at all? Add the WAN address of Site B to the alias and see what happens.

Check your firewall logs.

Offline rbrtpf

Re: VOIP thru IpSec VPN problems
« Reply #7 on: September 18, 2017, 10:51:06 am »
Thank you for your suggestion.

Sorry, please notice that it says "newbie" below my login so, simplest of questions.

You said "Add the WAN address of Site B to the alias and see what happens." By that you mean to add the Site B WAN Address as an alias of the site A firewall rules?

But, that confuses me. All other computers, I have no problem ssh into, etc. through the VPN tunnel.

I am correct in that site B should be communicating back to the FreePBX box through the IPsec tunnel NOT site B connecting to my SIP provider over the internet?

Offline Derelict

Re: VOIP thru IpSec VPN problems
« Reply #8 on: September 18, 2017, 10:52:18 am »
No. Add it to the alias you are using to limit connections from the SIP provider. To also pass those connections from site B (if they exist).

Offline rbrtpf

Re: VOIP thru IpSec VPN problems
« Reply #9 on: September 18, 2017, 07:15:28 pm »
Your suggestion has solved my problem. Adding the IP address of location "B" to the location "A" alias gave permission for a voice connection.

I believe, as you have suggested, that it has to do with the extension responding to FreePBX with location "B" WAN address in the RTP requests strings. As pfSense would allow ONLY my SIP provider then pfSense was rejecting the extension's RTP request.

Thank you. Your patience and help are greatly appreciated.


Offline Derelict

Re: VOIP thru IpSec VPN problems
« Reply #10 on: September 18, 2017, 07:29:16 pm »
Glad that worked.

There is probably something in the PBX that will treat the site B subnet as an inside subnet so it gets the PBX's inside address in the SIP/RTP requests so that site connects over the VPN instead of over the WAN.

It would probably be a good idea to fix that.

Offline awair

  • Jr. Member
  • **
  • Posts: 75
  • Karma: +2/-0
    • View Profile
Re: VOIP thru IpSec VPN problems
« Reply #11 on: September 22, 2017, 02:17:49 pm »
I'm using an older version of FreePBX with a similar setup.

Have a look at sip_nat.conf, mine is like this:
Code:
localnet=192.168.1.0/255.255.255.0     ;SiteA
localnet=192.168.2.0/255.255.255.0      ;SiteB
nat=yes
externip=1.2.3.4
fromdomain=example.com

You can also set similar in Settings/Asterisk SIP Settings (- my system highlights an Error because the contents are different: I've chosen to leave this, while it works, until I change the network again).
2.3.2-RELEASE-p1 (amd64)
and toying with the SG-1000
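
The localnet/externip decision discussed in the posts above, as an added example that is not part of any forum post or of Asterisk's own code: a simplified model of which address the PBX advertises to a phone, plus a check of the SDP `c=` line against the VPN-routed subnets. The /24 subnets, the 203.0.113.10 WAN placeholder and the SDP body are constructed assumptions; only 192.168.16.222 and 192.168.242.170 come from the thread.

```python
import ipaddress

PBX_LAN_IP = "192.168.16.222"   # FreePBX address given in the thread
EXTERNIP = "203.0.113.10"       # constructed placeholder for site A's WAN address
SITE_A = "192.168.16.0/255.255.255.0"    # assumed site A LAN, localnet= syntax
SITE_B = "192.168.242.0/255.255.255.0"   # assumed site B LAN (phone 192.168.242.170)


def advertised_media_ip(peer_ip, localnets, local_ip=PBX_LAN_IP, externip=EXTERNIP):
    """Simplified model: peers inside a localnet get the PBX's inside
    address, every other peer is given externip."""
    peer = ipaddress.ip_address(peer_ip)
    for net in localnets:
        if peer in ipaddress.ip_network(net, strict=False):
            return local_ip
    return externip


def sample_sdp(media_ip):
    """Constructed SDP body of the kind carried in an INVITE or 200 OK."""
    return "\r\n".join([
        "v=0",
        f"o=root 1 1 IN IP4 {media_ip}",
        "s=call",
        f"c=IN IP4 {media_ip}",
        "t=0 0",
        "m=audio 10000 RTP/AVP 0",
    ])


def sdp_media_addresses(sdp):
    """Return the IPv4 addresses found on SDP connection (c=) lines."""
    return [line.split()[2] for line in sdp.splitlines()
            if line.strip().startswith("c=IN IP4 ")]


def rtp_leaves_tunnel(sdp, tunnel_nets):
    """True if any advertised media address lies outside the VPN subnets,
    meaning RTP for that call is aimed at a public address, not the tunnel."""
    nets = [ipaddress.ip_network(n, strict=False) for n in tunnel_nets]
    return any(not any(ipaddress.ip_address(a) in n for n in nets)
               for a in sdp_media_addresses(sdp))


if __name__ == "__main__":
    for nets in ([SITE_A], [SITE_A, SITE_B]):
        ip = advertised_media_ip("192.168.242.170", nets)
        print(nets, "->", ip, "leaves tunnel:",
              rtp_leaves_tunnel(sample_sdp(ip), [SITE_A, SITE_B]))
```

Running the same `c=` check against the SIP packets in a capture from either firewall shows whether the audio is negotiated for the tunnel or for the WAN.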

Offline rbrtpf

Re: VOIP thru IpSec VPN problems
« Reply #12 on: September 22, 2017, 02:54:18 pm »
Yes, thank you, I am aware of this FreePBX option.

My issue was NOT with FreePBX connecting ONLY with my SIP provider; it was the extensions located through IPsec VPN that could not properly connect.

Every situation is unique, mine more unique than many, I suspect, but the issue was pfSense (doing its job) allowing ONLY my SIP provider to connect and NOT allowing my extensions through VPN to connect. Once the VPN alias I set up was added, my extensions connected and worked properly.

I appreciate your suggestion.

Offline Derelict

Re: VOIP thru IpSec VPN problems
« Reply #13 on: September 22, 2017, 04:25:08 pm »
I believe you are still missing the point. But they're your phone conversations going over the clear internet instead of the VPN so no skin off my nose.

Offline rbrtpf

Re: VOIP thru IpSec VPN problems
« Reply #14 on: September 22, 2017, 04:43:03 pm »
I'll see what FreePBX forum thinks about this.

But, it appears to me that this is a pfSense issue not allowing connection. I think you're right that the IP address is being changed (probably by FreePBX) and therefore pfSense will block but, I am still working this out.

By your comment, I just now realize that you are right the conversations could be connecting over the net.

We'll see.