Hi all,
I've been pulling my hair out over the last few days trying to troubleshoot an issue. Initially this was happening with pfSense, so I later tried OPNsense.
The scenario is: I have an OPNsense box with a WAN interface (example 5.6.7.8) and a LAN interface (real one 10.19.96.3). On the LAN, I have a FreePBX box with IP 10.19.96.4. I am connecting over to the SIP provider via an IPsec connection that I have established with them using IKEv1. They have a particular requirement in place in that the Phase 2 IP address that they connect to needs to be a public IP.
What I have in my own Phase 2 settings is as follows:
Local Network:
Type: Address
Address: 1.2.3.4 (not the real entry, the real entry is a public IP assigned to me by my provider)
Remote Network:
Type: Network
Address: 2.3.4.0/24 (not the real entry, the real entry is the SIP provider's public address space)
Manual SPD Entry:
10.19.96.4/32 (IP address of my PBX)
For the NAT, I have the following One-to-One entry:
Interface: IPsec
Type: BINAT
External Network: 1.2.3.4/32
Source: 10.19.96.4/32
Destination: 2.3.4.0/24
NAT Reflection: Disable
For the firewall rules, I have opened it up so that the IPsec interface has an allow rule for IPv4, any source, any destination. I have the same rule on the LAN interface too.
What is happening is that when my SIP provider sends a SIP INVITE to the PBX via the firewall, I see the following entries in the firewall log for the IPsec interface:
Interface: IPsec
Source: 2.3.4.5:5060
Destination: 1.2.3.4:5060
Proto: UDP
When I see this entry, the call from the SIP provider times out. I never received the call at the PBX either. When it does work, I see the following entries in the firewall log for the IPsec interface:
Interface: IPsec
Source: 2.3.4.5:5060
Destination: 10.19.96.4:5060
Proto: UDP
So to summarise: for the non-working case, the firewall log shows the destination as the external IP address; for the working case, the firewall log shows the destination as the internal IP address.
Any help is really appreciated!
Update: I was filtering the firewall logs for only the IPsec interface. When I started filtering based on the port (5060), I can see that the packet comes in on the IPsec interface, but then I see another firewall log entry where the packet goes out of the WAN interface. I need to make sure it doesn't go out of the WAN; it needs to be NAT'd to the LAN IP and then sent to the LAN interface.
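As an added example (not part of the original post, and not pfSense/OPNsense code), here is a small Python triage script that does mechanically what the update above describes doing by hand: it walks firewall log entries for SIP from the provider, separates the working case (arrives on IPsec already rewritten to 10.19.96.4) from the non-working case (arrives on IPsec still addressed to 1.2.3.4), and flags the smoking gun where that same untranslated flow is then logged leaving via WAN. The log lines are constructed in a simplified "iface dir src:port dst:port proto" format, not the real filterlog CSV, so the parse() function is a placeholder to swap for your own export; the addresses are the sanitised placeholders from the post.

```python
"""Triage firewall-log entries for a one-to-one (BINAT) IPsec mapping that is
not being applied.

Added example, not from the original post.  The log lines are CONSTRUCTED in a
simplified "iface dir src:port dst:port proto" format, not the real
pfSense/OPNsense filterlog CSV; swap parse() for your own export format.
Addresses are the sanitised placeholders used in the post.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

BINAT_EXTERNAL = ip_address("1.2.3.4")      # Phase 2 local address / BINAT external
BINAT_INTERNAL = ip_address("10.19.96.4")   # the PBX behind the mapping
REMOTE_NET = ip_network("2.3.4.0/24")       # SIP provider address space
SIP_PORT = 5060

# Constructed sample log: the non-working pattern first, then the working one.
SAMPLE_LOG = [
    "ipsec in  2.3.4.5:5060 1.2.3.4:5060    udp",  # arrives still addressed to the external IP
    "wan   out 2.3.4.5:5060 1.2.3.4:5060    udp",  # ...and is routed back out the WAN
    "ipsec in  2.3.4.5:5060 10.19.96.4:5060 udp",  # working case: already rewritten to the PBX
    "lan   in  10.19.96.4:5060 2.3.4.5:5060 udp",  # PBX reply, ignored (source is not the provider)
]


@dataclass
class Entry:
    iface: str
    direction: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


def parse(line: str) -> Entry:
    """Parse one constructed log line (whitespace separated)."""
    iface, direction, src, dst, proto = line.split()
    s_ip, s_port = src.rsplit(":", 1)
    d_ip, d_port = dst.rsplit(":", 1)
    return Entry(iface.lower(), direction.lower(), s_ip, int(s_port),
                 d_ip, int(d_port), proto.upper())


def classify(entries):
    """Return (verdict, entry) pairs for SIP signalling coming from the provider.

    translated     - arrived on the IPsec interface already rewritten to the PBX address
    untranslated   - arrived on the IPsec interface still addressed to the BINAT external IP
    leaked_to_wan  - an untranslated packet of the same flow was then logged leaving via WAN
    """
    verdicts = []
    untranslated_flows = set()  # (src, sport) of packets the BINAT did not rewrite
    for e in entries:
        if e.proto != "UDP" or e.dport != SIP_PORT:
            continue
        if ip_address(e.src) not in REMOTE_NET:
            continue
        dst = ip_address(e.dst)
        if e.iface == "ipsec" and e.direction == "in":
            if dst == BINAT_INTERNAL:
                verdicts.append(("translated", e))
            elif dst == BINAT_EXTERNAL:
                verdicts.append(("untranslated", e))
                untranslated_flows.add((e.src, e.sport))
        elif (e.iface == "wan" and e.direction == "out"
              and dst == BINAT_EXTERNAL and (e.src, e.sport) in untranslated_flows):
            verdicts.append(("leaked_to_wan", e))
    return verdicts


def summarise(lines):
    """Count verdicts over raw log lines; a non-zero leaked_to_wan count is the smoking gun."""
    counts = {"translated": 0, "untranslated": 0, "leaked_to_wan": 0}
    for verdict, _ in classify(parse(l) for l in lines):
        counts[verdict] += 1
    return counts


if __name__ == "__main__":
    for verdict, e in classify(parse(l) for l in SAMPLE_LOG):
        print(f"{verdict:14s} {e.iface}/{e.direction} {e.src}:{e.sport} -> {e.dst}:{e.dport}")
    print(summarise(SAMPLE_LOG))
```

Run against the constructed sample it reports one untranslated INVITE, its leak out of WAN, and one translated INVITE. Against a real export, the check worth watching is only the leaked_to_wan count: any non-zero value means the packet decrypted from the tunnel matched neither the BINAT rule nor a route to the LAN and fell through to the default route, which is exactly the behaviour described in the update.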