SIP/Calls problem when using NAT over IPsec with BINAT

Started by voipuser, June 23, 2022, 08:36:59 AM

Hi all,

I've been pulling my hair out over the last few days trying to troubleshoot an issue. Initially this was happening with pfSense, so I later tried OPNsense.

The scenario is, I have an OPNsense box with a WAN interface (example 5.6.7.8) and a LAN interface (real one 10.19.96.3). On the LAN, I have a FreePBX box with IP 10.19.96.4. I am connecting over to the SIP provider via an IPsec connection that I have established with them using IPsec IKEv1. They have a particular requirement in place in that the Phase 2 IP address that they connect to needs to be a public IP.

What I have in my own Phase 2 settings is as follows:

Local Network:

Type: Address
Address: 1.2.3.4 (not the real entry, the real entry is a public IP assigned to me by my provider)

Remote Network:

Type: Network
Address: 2.3.4.0/24 (not the real entry, the real entry is the SIP provider's public address space)

Manual SPD Entry:
10.19.96.4/32 (IP address of my PBX)

For the NAT, I have the following One-to-One entry:

Interface: IPsec
Type: BINAT
External Network: 1.2.3.4/32
Source: 10.19.96.4/32
Destination: 2.3.4.0/24
NAT Reflection: Disable

For the firewall rules, I have opened it up so that the IPsec interface has an allow rule for IPv4 with any source, any destination. I have the rule on the LAN interface too.

What is happening is that when my SIP provider sends a SIP INVITE to the PBX via the firewall, I see the following entries in the firewall log for the IPsec interface:

Interface: IPSec
Source: 2.3.4.5:5060
Destination: 1.2.3.4:5060
Proto: UDP

When I see this entry, the call from the SIP provider times out. I never receive the call at the PBX either. When it does work, I see the following entries in the firewall log for the IPsec interface:

Interface: IPSec
Source: 2.3.4.5:5060
Destination: 10.19.96.4:5060
Proto: UDP

So to summarise: for the non-working case, the firewall logs show the destination as the external IP address; for the working case, the firewall logs show the destination as the internal IP address.

Any help is really appreciated!

Update: I was filtering the firewall logs for only the IPsec interface. When I started filtering based on the port (5060), I can see that the packet comes in on the IPsec interface, but then I see another firewall log entry where the packet goes out of the WAN interface. I need to make sure it doesn't go out of the WAN; it needs to be NAT'd to the LAN IP and then sent to the LAN interface.
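The diagnostic step the post ends on, filtering the log by port and following the same packet from the IPsec interface to wherever it leaves the box, can be automated. The script below is an added example, not code from the original poster or from OPNsense. It uses a constructed, simplified key=value log format (not OPNsense's real filterlog format) and the post's placeholder addresses; the correlation is deliberately simple (each inbound IPsec packet is matched to the next outbound entry for the same source, protocol and port), which is enough to separate the three situations the post describes: the packet was already translated when logged on IPsec, it was translated and sent to the LAN, or it left the WAN still carrying the BINAT external address.

```python
"""Check from firewall log entries whether an IPsec BINAT rewrote the
destination of inbound SIP packets, or whether they leaked out the WAN.

Constructed example: the log format and sample lines below are invented for
this illustration and are not OPNsense's real filterlog output.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Placeholder addresses taken from the forum post (not real ones).
EXTERNAL_IP = "1.2.3.4"      # BINAT external address (Phase 2 local address)
INTERNAL_IP = "10.19.96.4"   # PBX on the LAN
SIP_PORT = 5060

# Constructed sample log: three inbound INVITEs from the provider.
#  1) translated on egress and delivered to the LAN (working)
#  2) left the WAN untranslated (the failure described in the post)
#  3) already showed the internal address on the IPsec interface (working)
SAMPLE_LOG = """\
iface=ipsec dir=in src=2.3.4.5 dst=1.2.3.4 proto=udp dport=5060
iface=lan dir=out src=2.3.4.5 dst=10.19.96.4 proto=udp dport=5060
iface=ipsec dir=in src=2.3.4.5 dst=1.2.3.4 proto=udp dport=5060
iface=wan dir=out src=2.3.4.5 dst=1.2.3.4 proto=udp dport=5060
iface=ipsec dir=in src=2.3.4.5 dst=10.19.96.4 proto=udp dport=5060
iface=lan dir=out src=2.3.4.5 dst=10.19.96.4 proto=udp dport=5060
"""


@dataclass
class LogEntry:
    iface: str       # interface the packet was logged on
    direction: str   # "in" or "out"
    src: str
    dst: str
    proto: str
    dport: int


FIELD_RE = re.compile(r"(\w+)=(\S+)")
REQUIRED = ("iface", "dir", "src", "dst", "proto", "dport")


def parse_line(line: str) -> Optional[LogEntry]:
    """Parse one key=value log line; return None if any field is missing."""
    fields = dict(FIELD_RE.findall(line))
    if not all(k in fields for k in REQUIRED):
        return None
    return LogEntry(fields["iface"], fields["dir"], fields["src"],
                    fields["dst"], fields["proto"], int(fields["dport"]))


def parse_log(text: str) -> List[LogEntry]:
    """Parse all lines, silently dropping lines that do not match the format."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def check_binat(entries: List[LogEntry], external_ip: str, internal_ip: str,
                sip_port: int = SIP_PORT, ipsec_iface: str = "ipsec",
                inside_iface: str = "lan", outside_iface: str = "wan") -> List[Dict]:
    """For every inbound SIP packet on the IPsec interface, classify what the
    firewall did with it by looking at the next outbound entry of the same flow."""
    findings = []
    for i, e in enumerate(entries):
        if e.iface != ipsec_iface or e.direction != "in" or e.dport != sip_port:
            continue
        if e.dst == internal_ip:
            # BINAT already applied before the inbound log line was written.
            findings.append({"index": i, "status": "translated_on_ingress", "egress_iface": None})
            continue
        if e.dst != external_ip:
            continue  # not addressed to the BINAT external address; ignore
        # Sequence-based correlation: next outbound entry for the same flow.
        egress = next((f for f in entries[i + 1:]
                       if f.direction == "out" and f.src == e.src
                       and f.proto == e.proto and f.dport == e.dport), None)
        if egress is None:
            status = "no_egress"
        elif egress.iface == inside_iface and egress.dst == internal_ip:
            status = "translated"
        elif egress.iface == outside_iface:
            status = "leaked_untranslated_to_wan"  # the post's failure case
        else:
            status = "unexpected_egress"
        findings.append({"index": i, "status": status,
                         "egress_iface": egress.iface if egress else None})
    return findings


if __name__ == "__main__":
    for f in check_binat(parse_log(SAMPLE_LOG), EXTERNAL_IP, INTERNAL_IP):
        print(f)
```

Running it on the sample prints one finding per inbound INVITE; the second one comes back as `leaked_untranslated_to_wan`, which is exactly the pattern the update describes (seen on IPsec, then seen leaving the WAN with the public address still as destination). On a real box the parser would need to be replaced with one for the actual log format, and a timestamp or rule id should be used for correlation instead of plain ordering.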