[VOIPSEC] RE: openvpn and voip

Thu Aug 4 10:47:38 CDT 2005

Volker Tanger wrote:
> We are using IPSec, but should be comparable to OpenVPN with respect
to

You're using IPSec in tunnel mode? I thought there were issues with NAT
traversal?  Or are you encapsulating IPSec in UDP?

For a service provider who needs to provide access network privacy and
cope with NAT traversal issues, I think tunneling is a good approach as
long as you do something to compress the headers and reduce overhead.
I've proposed something like this in the Voice over Cable space where
you run both SIP and RTP/RTCP through the security tunnel.  You can use
separate TOS/DiffServ Code Points on the IP stream to differentiate
between SIP and RTP flows within the security tunnel to get Cable DOCSIS
QoS services to work.  With today's crop of bump-in-the-wire security
processors, this also scales well.  You also have a point in your
network to implement Session Border Controller-like services such as
lawful intercept/CALEA and admission control with traffic shaping and
protocol policing.  Things that usually don't traverse a home NAT router
like SNMP magically start working so a service provider can monitor and
administer devices on the home LAN.  The down side is that the service
provider needs to deploy a bunch of VPN boxes in their network so it
adds cost and complexity to the solution.  If you believe that you
really need SBCs on your access network to establish a trust boundary,
adding VPN & tunneling capabilities to the SBC makes a whole lot of
problems much easier to deal with.

Geoff Devine
Chief Architect
Cedar Point Communications
______________________________________________________________________
From: Volker Tanger <vtlists at wyae.de>
Subject: Re: [VOIPSEC] openvpn and voip
To: Voipsec at voipsa.org
Message-ID: <20050802231745.1c751e86.vtlists at wyae.de>
Content-Type: text/plain; charset=US-ASCII

Greetings!

On Tue, 02 Aug 2005 14:58:06 -0400
"Eric \"Skippy\" Hope" <ehope at intrex.net> wrote:
>
> Has anyone heard of or know about using openvpn with sip softphones?  

Yes and no. We (http://www.innominate.com) do with our device attached
security appliances which works transparently with hardware phones,
too...
We are using IPSec, but should be comparable to OpenVPN with respect to 
your issues.

Some ideas for the VPN:

- If you do not use the asterisk as 100% proxy (i.e. each and every
voice is
  routed over the asterisk), each system has to be able to reach each
other
  directly. You must have a fully meshed VPN.

- Ale all VoIP systems (= all softphones + asterisk server) within the
  same VPN network? 

- If you are not 100% sure, test a plain UDP connection between two
phones
  by setting up a connection with e.g. netcat. If that's working, the
  problem is NOT the VPN. If you have problems, your full mesh has some
  holes.

So if it's not a VPN issue, it has to be addressing:

- How do you address the VoIP phones? FQDN? Then see below.
  "Phone number"? How's that configured in Asterisk?

- Dou you use DNS? Is Asterisk configured to do so? Do the FQDNs resolve
  to the VPN or the public address? Where do the PTRs resolve to?

- Trace the SIP connection. I assume you are going from phone to
registrar
  (asterisk) to phone? What addresses are being used within the SIP
  trialogue? Check at each single step (leaving the caller, reaching the
  registrar, leaving the registrar, reaching the called).

Good luck!

Volker

-- 

Volker Tanger    http://www.wyae.de/volker.tanger/
--------------------------------------------------
vtlists at wyae.de                    PGP Fingerprint
378A 7DA7 4F20 C2F3 5BCC  8340 7424 6122 BB83 B8CB

------------------------------

_______________________________________________
Voipsec mailing list
Voipsec at voipsa.org
http://voipsa.org/mailman/listinfo/voipsec_voipsa.org

End of Voipsec Digest, Vol 8, Issue 3
*************************************