Re: [SR-Users] register fails from openvpn clients

Wed, 15 Jan 2014 11:24:01 -0800 

Tcpdump shows that responses are sent from kamailio to the clients, but clients 
don’t seem to receive them while connected to openvpn.

Packets are sent from the server (165.231.27.134) to my client (165.231.27.107):
20:30:30.668831 IP 165.231.27.107.55482 > 165.231.27.134.5060: SIP, length: 568
20:30:30.669155 IP 165.231.27.134.5060 > 165.231.27.107.55482: SIP, length: 551
20:30:31.181348 IP 165.231.27.107.55482 > 165.231.27.134.5060: SIP, length: 568
20:30:31.181554 IP 165.231.27.134.5060 > 165.231.27.107.55482: SIP, length: 551
20:30:32.167106 IP 165.231.27.107.55482 > 165.231.27.134.5060: SIP, length: 568
20:30:32.167355 IP 165.231.27.134.5060 > 165.231.27.107.55482: SIP, length: 551
20:30:34.164427 IP 165.231.27.107.55482 > 165.231.27.134.5060: SIP, length: 568
20:30:34.164626 IP 165.231.27.134.5060 > 165.231.27.107.55482: SIP, length: 551

but clients receive nothing:

20:30:30.669199 IP 165.231.27.107.55482 > 165.231.27.134.5060: SIP, length: 568
20:30:31.168801 IP 165.231.27.107.55482 > 165.231.27.134.5060: SIP, length: 568
20:30:32.169467 IP 165.231.27.107.55482 > 165.231.27.134.5060: SIP, length: 568
20:30:34.170137 IP 165.231.27.107.55482 > 165.231.27.134.5060: SIP, length: 568

I suspect that the problems occurs because of the via header:

20:59:46.104703 IP (tos 0x10, ttl 64, id 25843, offset 0, flags [none], proto 
UDP (17), length 579)
    165.231.27.134.5060 > 165.231.27.107.54497: SIP, length: 551
        SIP/2.0 401 Unauthorized
        Via: SIP/2.0/UDP 
212.194.26.254:54497;rport=54497;branch=z9hG4bKPjP5IK8W3I7iRqE1hlDxhFqSubJFadI9L3;received=165.231.27.107
        From: "meresmac-ser" 
<sip:6278@165.231.27.134>;tag=UhBz6N0PU.HrNRpL7oJeIjjW4Bw4ORvg
        To: "meresmac-ser" 
<sip:6278@165.231.27.134>;tag=b27e1a1d33761e85846fc98f5f3a7e58.b8c8
        Call-ID: 6UCLEfPOYP8iXs8zRKeohVQk2vnlR0CG
        CSeq: 19234 REGISTER
        WWW-Authenticate: Digest realm="165.231.27.134", 
nonce="UtbbzlLW2qKmzbnwe7FyKhQl+Tzk6gPT", qop="auth"
        Server: kamailio (4.1.0 (i386/linux))
        Content-Length: 0

Via: SIP/2.0/UDP 212.194.26.254: this is the ip address of my internet gateway

but when disabling openvpn everything is fine, this is the first packet sent 
from kamailio and received by my client:

21:07:55.597158 IP (tos 0x10, ttl 64, id 56684, offset 0, flags [none], proto 
UDP (17), length 560)
    165.231.27.134.5060 > 212.194.26.254.4216: SIP, length: 532
        SIP/2.0 401 Unauthorized
        Via: SIP/2.0/UDP 
192.168.1.209:4216;branch=z9hG4bKoL3qdL2fa2GCOGeG;rport=4216;received=212.194.26.254
        From: "meres-ser" 
<sip:6278@165.231.27.134>;tag=433AE961A89F2A8DE811E8397EDBAB0C
        To: "meres-ser" 
<sip:6278@165.231.27.134>;tag=b27e1a1d33761e85846fc98f5f3a7e58.a2a3
        Call-ID: B5C301517F108CDA7A860BE1A469F2A7F718E61B
        CSeq: 14578 REGISTER
        WWW-Authenticate: Digest realm="165.231.27.134", 
nonce="Utbdt1LW3IsugLC5WPoop28GYXb7rwuy", qop="auth"
        Server: kamailio (4.1.0 (i386/linux))
        Content-Length: 0

client sends REGISTER again, and server responds:

21:07:55.797353 IP (tos 0x10, ttl 64, id 56685, offset 0, flags [none], proto 
UDP (17), length 534)
    165.231.27.134.5060 > 212.194.26.254.4216: SIP, length: 506
        SIP/2.0 200 OK
        Via: SIP/2.0/UDP 
192.168.1.209:4216;branch=z9hG4bKeyaFfDUzfUzDzmxg;rport=4216;received=212.194.26.254
        From: "meres-ser" 
<sip:6278@165.231.27.134>;tag=433AE961A89F2A8DE811E8397EDBAB0C
        To: "meres-ser" 
<sip:6278@165.231.27.134>;tag=b27e1a1d33761e85846fc98f5f3a7e58.0fd3
        Call-ID: B5C301517F108CDA7A860BE1A469F2A7F718E61B
        CSeq: 14579 REGISTER
        Contact: 
<sip:6278@192.168.1.209:4216>;expires=600;received="sip:212.194.26.254:4216"
        Server: kamailio (4.1.0 (i386/linux))
        Content-Length: 0


So here the Via header has the client’s NAT ip (192.168.1.209)
Maybe the first packet (over openvpn) is not properly inspected by our Cisco 
firewall, and/or the via header is totally incorrect

Regards, 

Kostas

On Jan 15, 2014, at 6:02 PM, Alex Balashov <abalas...@evaristesys.com> wrote:

> Are you sure this isn't an issue of responses taking a different route (i.e. 
> down the tunnel) than the requests, or vice versa?
> 
> -- 
> Alex Balashov - Principal
> Evariste Systems LLC
> 235 E Ponce de Leon Ave
> Suite 106
> Decatur, GA 30030
> United States
> Tel: +1-678-954-0670
> Web: http://www.evaristesys.com/, http://www.alexbalashov.com/
> 
> _______________________________________________
> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
> sr-users@lists.sip-router.org
> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users


_______________________________________________
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
sr-users@lists.sip-router.org
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users

Reply via email to