Virtual private networks / SIP/Calls problem when using NAT over IPSEC with BINAT
« on: June 23, 2022, 08:36:59 am »
Hi all,
I've been pulling my hair out over the last few days trying to troubleshoot an issue. Initially this was happening with pfSense, so I later tried OPNsense.
The scenario is, I have an OPNsense box with a WAN interface (example 5.6.7. and a LAN interface (real one 10.19.96.3). On the LAN, I have a FreePBX box with IP 10.19.96.4. I am connecting over to the SIP provider via an IPsec connection that I have established with them using IKEv1. They have a particular requirement in place in that the Phase 2 IP address that they connect to needs to be a public IP.
What I have in my own Phase 2 settings is as follows:
Local Network:
Type: Address
Address: 1.2.3.4 (not the real entry, the real entry is a public IP assigned to me by my provider)
Remote Network:
Type: Network
Address: 2.3.4.0/24 (not the real entry, the real entry is the SIP provider's public address space)
Manual SPD Entry:
10.19.96.4/32 (IP address of my PBX)
For the NAT, I have the following One-to-One entry:
Interface: IPsec
Type: BINAT
External Network: 1.2.3.4/32
Source: 10.19.96.4/32
Destination: 2.3.4.0/24
Nat Reflection: Disable
For the firewall rules, I have opened it up so that the IPsec interface has an allow rule for IPv4, any source, any destination. I have the same rule on the LAN interface too.
What is happening is that when my SIP provider sends a SIP INVITE to the PBX via the firewall, I see the following entry in the firewall log for the IPsec interface:
Interface: IPSec
Source: 2.3.4.5:5060
Destination: 1.2.3.4:5060
Proto: UDP
When I see this entry, the call from the SIP provider times out. I never receive the call at the PBX either. When it does work, I see the following entry in the firewall log for the IPsec interface:
Interface: IPSec
Source: 2.3.4.5:5060
Destination: 10.19.96.4:5060
Proto: UDP
So to summarise: for the non-working case, the firewall log shows the destination as the external IP address; for the working case, the firewall log shows the destination as the internal IP address.
Any help is really appreciated!
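As an added example (not from the post above, and not OPNsense's own code), the following script parses firewall-log records in the field-per-line form quoted in the post and labels each inbound record from the provider's range by whether its destination is the BINAT external address (the case the post reports as timing out) or the internal PBX address (the working case). The addresses are the post's placeholder values and the sample log is constructed from the two records it quotes.

```python
import ipaddress

# Constructed sample: the two firewall-log records quoted in the post,
# separated by a blank line, in the field-per-line form shown there.
SAMPLE_LOG = """\
Interface: IPSec
Source: 2.3.4.5:5060
Destination: 1.2.3.4:5060
Proto: UDP

Interface: IPSec
Source: 2.3.4.5:5060
Destination: 10.19.96.4:5060
Proto: UDP
"""

# The BINAT pair and remote network from the post (placeholder addresses).
BINAT_EXTERNAL = ipaddress.ip_network("1.2.3.4/32")     # public side of the 1:1 mapping
BINAT_INTERNAL = ipaddress.ip_network("10.19.96.4/32")  # the PBX behind it
REMOTE_NET = ipaddress.ip_network("2.3.4.0/24")         # SIP provider's address space


def parse_records(text):
    """Split the log into one dict per blank-line-separated record, keys lower-cased."""
    records, cur = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if cur:
                records.append(cur)
                cur = {}
            continue
        key, _, value = line.partition(":")
        cur[key.strip().lower()] = value.strip()
    if cur:
        records.append(cur)
    return records


def split_endpoint(endpoint):
    """'1.2.3.4:5060' -> (IPv4Address('1.2.3.4'), 5060)."""
    host, _, port = endpoint.rpartition(":")
    return ipaddress.ip_address(host), int(port)


def classify(rec):
    """Label a record by which side of the BINAT mapping its destination is on."""
    src, _ = split_endpoint(rec["source"])
    dst, _ = split_endpoint(rec["destination"])
    if src not in REMOTE_NET:
        return "not-from-provider"
    if dst in BINAT_INTERNAL:
        return "translated"    # destination is the PBX address (working case)
    if dst in BINAT_EXTERNAL:
        return "untranslated"  # destination is still the public address (failing case)
    return "other"


def triage(text):
    """Return (source, destination, label) for every record in the log text."""
    return [(r["source"], r["destination"], classify(r)) for r in parse_records(text)]
```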