Connectivity issue over OVPN

hi everyone,

I am testing FreePBX and I am a big fan of Voice over IP. I installed FreePBX 2.11 with Asterisk 1.8 on Debian 6.0.7.

I configured 2 FreePBX boxes for testing, for example “A” and “B”.

They are both behind my firewall (let’s name it FW). My firewall supports OVPN.

On A I have installed the OpenVPN server directly on the PBX OS (which is Debian).
On B I am trying to connect via the firewall VPN, which is in routing mode. I don’t want to use a “tap device” since it will create a lot of broadcast, and in my country internet is very expensive.

Now, when I connect directly to PBX “A”, bypassing the FW VPN, I can use it in the normal fashion without any trouble (only for now, as I am using only the very basics of FreePBX).
Everything, from conferencing to recording, extension calling, etc., is working great.

But when I connect to my FW VPN and try to register my software SIP client to my PBX “B”, it doesn’t connect.

I just wanted to know what mistake I am making here.
Or in other words, is what I am doing in case “B” or with PBX “B” workable, or am I just wasting my time?

If our PBX is behind a firewall, which method is the best?

  1. installing OVPN on the PABX box.
  2. using firewall VPN with TAP device (broadcast)
  3. port forwarding.

I hope you guys will not mind my basic questions…

my next test would be Behind NAT / port forwarding. but first i need to

Thanks.

MYk

The best is an external box with the VPN client. Then the tunnel interface can be in route mode and not propagate broadcast traffic.

That being said you can turn off broadcast on the tunnel interface if you do create it on the server. Don’t bridge the tunnel with your LAN, allow IP forwarding in sysconfig between interfaces on your Debian box and route from your LAN to the TUN.

Lastly as to why it doesn’t work. I suspect you don’t have the networks enumerated in SIP localnets in FreePBX SIP settings or some other NAT construct that is causing Asterisk to think that the traffic destined for the remote network is not on a connected segment.

Thanks for sharing your comments. What I am getting from your message is that the Asterisk daemon does not see the routing table like other applications do; we have to manually tell Asterisk about the subnet that we want to route.

Here is my network diagram:

freepbx<---->Firewall with VPN server<------>win7-With-OVPNclient

Here is my tcpdump output on the FreePBX box,
where 10.51.9.22 is the SIP softphone box.

At first we can see my FreePBX box send/receive ICMP ping packets,
and in the last lines we can see the FreePBX box can send/receive SIP packets to the SIP client.

But my SIP client is stuck in the “processing” state. I am using the Ekiga softphone.

04:16:16.223569 IP 10.51.9.22 > pbxpk.test.com: ICMP echo request, id 1, seq 33, length 40
04:16:16.223610 IP pbxpk.test.com > 10.51.9.22: ICMP echo reply, id 1, seq 33, length 40
04:16:17.248516 IP 10.51.9.22 > pbxpk.test.com: ICMP echo request, id 1, seq 34, length 40
04:16:17.248551 IP pbxpk.test.com > 10.51.9.22: ICMP echo reply, id 1, seq 34, length 40
04:16:18.203843 IP 10.51.9.22 > pbxpk.test.com: ICMP echo request, id 1, seq 35, length 40
04:16:18.203870 IP pbxpk.test.com > 10.51.9.22: ICMP echo reply, id 1, seq 35, length 40
04:16:19.203472 IP 10.51.9.22 > pbxpk.test.com: ICMP echo request, id 1, seq 36, length 40
04:16:19.203505 IP pbxpk.test.com > 10.51.9.22: ICMP echo reply, id 1, seq 36, length 40
04:16:24.424365 IP 10.51.9.22.sip > pbxpk.test.sip: SIP, length: 507
04:16:24.424955 IP pbxpk.test.com.sip > 10.51.9.22.sip: SIP, length: 572
04:16:24.549463 IP 10.51.9.22.sip > pbxpk.test.sip: SIP, length: 666
04:16:24.549953 IP pbxpk.test.com.sip > 10.51.9.22.sip: SIP, length: 493

However, the same client works great when I dial the VPN directly to the FreePBX box, which is “A” (refer to my first message).

In Settings > Asterisk SIP Settings
I added the network 10.51.9.0 255.255.255.0.
It didn’t work.
In Settings > Asterisk SIP Settings
(as you mentioned earlier, it could be a NAT or routing issue)
I tested all four options (yes, no, never, route) but still no luck.
In the Applications > Extensions tab
I also tested all 4 options in the NAT field (“Yes, no, RFC, etc.”), still no luck.

Would you please be more specific, based on my testing, about what the issue could be?

Thanks
Myk

I think this is not a VPN-related issue. I brought my laptop here to the office, which means no VPN; I am directly connected to my office Wi-Fi. And now I am trying to connect the client. It is still showing the same error; all other PCs are also showing the same issue, the “processing” message.
I checked my FreePBX status:

Asterisk: OK
MySQL: OK
Web Server: OK
SSH Server: OK

Now I am confused why it is not working.

Here is my Asterisk log file:
[2013-07-21 04:35:14] NOTICE[2163] res_fax.c: Configuration file ‘res_fax.conf’ not found, not changing options.
[2013-07-21 04:35:14] NOTICE[2163] iax2-provision.c: No IAX provisioning configuration found, IAX provisioning disabled.
[2013-07-21 04:35:14] NOTICE[2163] app_queue.c: No queuerules.conf file found, queues will not follow penalty rules
[2013-07-21 04:35:14] ERROR[2163] cdr_custom.c: Unable to load cdr_custom.conf. Not logging custom CSV CDRs.
[2013-07-21 04:35:14] ERROR[2163] res_clialiases.c: res_clialiases configuration file ‘cli_aliases.conf’ not found
[2013-07-21 04:35:14] NOTICE[1363] chan_mgcp.c: Unable to load config mgcp.conf, MGCP disabled
[2013-07-21 04:35:14] WARNING[2163] app_minivm.c: Failed to load configuration file. Module activated with default settings.
[2013-07-21 04:35:14] ERROR[2163] res_config_ldap.c: Cannot load configuration file: res_ldap.conf
[2013-07-21 04:35:14] NOTICE[2163] res_config_ldap.c: Cannot reload LDAP RealTime driver.
[2013-07-21 04:35:14] ERROR[2163] cel_custom.c: Unable to load cel_custom.conf. Not logging CEL to custom CSVs.
[2013-07-21 04:35:14] WARNING[2163] res_phoneprov.c: Unable to load users.conf

Are those errors causing this issue?

Thanks,

Myk

OK, I did “asterisk -r” and it said:
NOTICE[1385]: chan_sip.c:25730 handle_request_register: Registration from ‘<sip:[email protected]. 100.210>’ failed for ‘10.51.9.22:5060’ - Wrong password

However, this is not true. I changed it to the easiest password, “xyz123”, and I am 100% sure I am not typing the wrong password; it is still not working. Can anyone please share why my SIP client is failing to register?

Thanks
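
An added example, not part of the original posts: a small Python triage script for the `handle_request_register` NOTICE quoted above. It groups failed registrations by source address and stated reason, so an authentication failure can be told apart from a routing or NAT fault, and it accepts the typographic quotes that forum software substitutes into pasted logs. The sample log lines, addresses and extensions are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

Q = "['\u2018\u2019]"  # straight or typographic single quote
# chan_sip failure line: Registration from '<sip:...>' failed for 'IP:PORT' - Reason
FAIL_RE = re.compile(
    r"Registration from " + Q + r"(?P<sip_from>.*?)" + Q + r" failed for "
    + Q + r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?" + Q
    + r" - (?P<reason>.+?)\s*$"
)

# Constructed sample input (IPv4 only); the second line uses typographic quotes.
SAMPLE_LOG = """\
[2013-07-21 05:01:02] NOTICE[1385]: chan_sip.c:25730 handle_request_register: Registration from '<sip:100@192.0.2.10>' failed for '10.51.9.22:5060' - Wrong password
[2013-07-21 05:01:07] NOTICE[1385]: chan_sip.c:25730 handle_request_register: Registration from \u2018<sip:100@192.0.2.10>\u2019 failed for \u201810.51.9.22:5060\u2019 - Wrong password
[2013-07-21 05:02:11] NOTICE[1385]: chan_sip.c:25730 handle_request_register: Registration from '<sip:101@192.0.2.10>' failed for '10.51.9.40:5060' - No matching peer found
[2013-07-21 05:02:30] NOTICE[2163] res_fax.c: Configuration file 'res_fax.conf' not found, not changing options.
"""


def parse_failures(text):
    """Return (ip, sip_from, reason) for every failed-registration line."""
    found = []
    for line in text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            found.append((m.group("ip"), m.group("sip_from"), m.group("reason")))
    return found


def summarize(text, threshold=2):
    """Count failures per (ip, reason) and list sources at or above threshold."""
    counts = Counter((ip, reason) for ip, _, reason in parse_failures(text))
    repeat = sorted({ip for (ip, _), n in counts.items() if n >= threshold})
    return counts, repeat


if __name__ == "__main__":
    counts, repeat = summarize(SAMPLE_LOG)
    for (ip, reason), n in sorted(counts.items()):
        print(f"{ip:15} {n:3}  {reason}")
    print("repeated failures from:", ", ".join(repeat))
```
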

OK, I am closing this thread and trying to reinstall the whole package. I think I might have done something bad during the installation. Let’s see.

Thanks skyking :)