[VOIPSEC] RE: openvpn and voip
gdevine at cedarpointcom.com
Thu Aug 4 16:47:38 BST 2005
Volker Tanger wrote:
> We are using IPSec, but should be comparable to OpenVPN with respect
You're using IPSec in tunnel mode? I thought there were issues with NAT
traversal? Or are you encapsulating IPSec in UDP?
For a service provider who needs to provide access network privacy and
cope with NAT traversal issues, I think tunneling is a good approach as
long as you do something to compress the headers and reduce overhead.
I've proposed something like this in the Voice over Cable space where
you run both SIP and RTP/RTCP through the security tunnel. You can use
separate TOS/DiffServ Code Points on the IP stream to differentiate
between SIP and RTP flows within the security tunnel to get Cable DOCSIS
QoS services to work. With today's crop of bump-in-the-wire security
processors, this also scales well. You also have a point in your
network to implement Session Border Controller-like services such as
lawful intercept/CALEA and admission control with traffic shaping and
protocol policing. Things that usually don't traverse a home NAT router
like SNMP magically start working so a service provider can monitor and
administer devices on the home LAN. The down side is that the service
provider needs to deploy a bunch of VPN boxes in their network so it
adds cost and complexity to the solution. If you believe that you
really need SBCs on your access network to establish a trust boundary,
adding VPN & tunneling capabilities to the SBC makes a whole lot of
problems much easier to deal with.
Cedar Point Communications
From: Volker Tanger <vtlists at wyae.de>
Subject: Re: [VOIPSEC] openvpn and voip
To: Voipsec at voipsa.org
Message-ID: <20050802231745.1c751e86.vtlists at wyae.de>
Content-Type: text/plain; charset=US-ASCII
On Tue, 02 Aug 2005 14:58:06 -0400
"Eric \"Skippy\" Hope" <ehope at intrex.net> wrote:
> Has anyone heard of or know about using openvpn with sip softphones?
Yes and no. We (http://www.innominate.com) do with our device-attached
security appliances, which work transparently with hardware phones,
We are using IPSec, but should be comparable to OpenVPN with respect to
Some ideas for the VPN:
- If you do not use the asterisk as 100% proxy (i.e. each and every
routed over the asterisk), each system has to be able to reach each
directly. You must have a fully meshed VPN.
- Are all VoIP systems (= all softphones + asterisk server) within the
same VPN network?
- If you are not 100% sure, test a plain UDP connection between two
by setting up a connection with e.g. netcat. If that's working, the
problem is NOT the VPN. If you have problems, your full mesh has some
So if it's not a VPN issue, it has to be addressing:
- How do you address the VoIP phones? FQDN? Then see below.
"Phone number"? How's that configured in Asterisk?
- Do you use DNS? Is Asterisk configured to do so? Do the FQDNs resolve
to the VPN or the public address? Where do the PTRs resolve to?
- Trace the SIP connection. I assume you are going from phone to
(asterisk) to phone? What addresses are being used within the SIP
trialogue? Check at each single step (leaving the caller, reaching the
registrar, leaving the registrar, reaching the called).
Volker Tanger http://www.wyae.de/volker.tanger/
vtlists at wyae.de PGP Fingerprint
378A 7DA7 4F20 C2F3 5BCC 8340 7424 6122 BB83 B8CB
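The two posts above leave the reader with a checklist but no tooling: Gary's point that SIP and RTP can be told apart inside a tunnel by their DiffServ marking, and Volker's steps of proving the plain UDP path with netcat, checking whether FQDNs resolve to the VPN or the public address, and reading the addresses a SIP message actually carries. The script below is an added example written for this page, not code from either poster, Innominate or Cedar Point. It assumes a VPN range of 10.8.0.0/24, uses the standard DSCP values EF (46) and CS3 (24), and audits a constructed INVITE in which signalling is addressed inside the tunnel while the SDP advertises a public media address, the exact mismatch Volker's last step is meant to catch.

```python
import ipaddress
import re
import socket
import threading

# Assumptions (none of these values appear on the list): the VPN hands out
# 10.8.0.0/24; probes are marked with the usual DSCP values EF (media) and CS3 (signalling).
VPN_NET = ipaddress.ip_network("10.8.0.0/24")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DSCP_EF, DSCP_CS3 = 46, 24


def tos_byte(dscp):
    """DSCP occupies the top six bits of the IP TOS byte; the two ECN bits stay clear."""
    return (dscp & 0x3F) << 2


def start_udp_echo(bind_host="127.0.0.1"):
    """One-shot UDP echo responder on an ephemeral port, standing in for netcat on the far end."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_host, 0))
    port = sock.getsockname()[1]

    def serve():
        sock.settimeout(5.0)
        try:
            data, peer = sock.recvfrom(2048)
            sock.sendto(data, peer)
        except socket.timeout:
            pass
        finally:
            sock.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def udp_path_ok(host, port, dscp=DSCP_EF, payload=b"voipsec-probe", timeout=2.0):
    """Send one DSCP-marked datagram and expect it echoed back; True means the UDP path works."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.setsockopt(socket.IPPROTO_IP, socket.IP_TOS, tos_byte(dscp))
        except OSError:
            pass  # marking is best-effort; the reachability test still stands
        sock.sendto(payload, (host, port))
        try:
            data, _ = sock.recvfrom(2048)
        except socket.timeout:
            return False
    return data == payload


def classify(ip_text, vpn_net=VPN_NET):
    """'vpn' if inside the tunnel range, 'rfc1918' for other private space, else 'public'."""
    ip = ipaddress.ip_address(ip_text)
    if ip in vpn_net:
        return "vpn"
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    return "public"


def resolve_and_classify(fqdn, resolver=socket.gethostbyname, vpn_net=VPN_NET):
    """Answer 'does this FQDN resolve to the VPN or the public address?' for one name."""
    ip_text = resolver(fqdn)
    return ip_text, classify(ip_text, vpn_net)


_IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
_FIELDS = [
    ("Via", re.compile(r"^Via:.*?SIP/2\.0/UDP\s+" + _IP, re.M)),
    ("Contact", re.compile(r"^Contact:.*?@" + _IP, re.M)),
    ("SDP c=", re.compile(r"^c=IN IP4 " + _IP, re.M)),
]


def audit_sip(message, vpn_net=VPN_NET):
    """Addresses a SIP message advertises for signalling (Via, Contact) and media (SDP c=),
    each tagged with where it lives; anything not 'vpn' cannot be reached through the tunnel."""
    result = []
    for name, pattern in _FIELDS:
        m = pattern.search(message)
        if m:
            result.append((name, m.group(1), classify(m.group(1), vpn_net)))
    return result


# Constructed INVITE: signalling goes over the VPN, but the SDP advertises a public media address.
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:2001@10.8.0.1 SIP/2.0",
    "Via: SIP/2.0/UDP 10.8.0.12:5060;branch=z9hG4bK776",
    "Contact: <sip:1001@10.8.0.12:5060>",
    "Content-Type: application/sdp",
    "",
    "o=1001 53655765 2353687637 IN IP4 203.0.113.7",
    "c=IN IP4 203.0.113.7",
    "m=audio 49170 RTP/AVP 0",
])

if __name__ == "__main__":
    port = start_udp_echo()
    print("UDP path:", "ok" if udp_path_ok("127.0.0.1", port) else "FAILED")
    for name, ip, where in audit_sip(SAMPLE_INVITE):
        print(f"{name:8} {ip:16} {where}")
```

Run as-is it probes its own echo responder on localhost; in practice you start the responder on the far phone's host and point `udp_path_ok` at its VPN address, which is Volker's netcat test with the probe marked the way RTP would be. The audit output shows the Via and Contact addresses inside the VPN but the `c=` line public, which is why a call can set up and then carry no audio: the signalling is routed correctly, the media is not. Resolving your FQDNs with `resolve_and_classify` first tells you whether the wrong address came from DNS or from the phone's own configuration.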
Voipsec mailing list
Voipsec at voipsa.org
End of Voipsec Digest, Vol 8, Issue 3