I2004 over VPN
Guest
Posted: Tue Nov 15, 2005 9:21 am    Post subject: I2004 over VPN

Background: We have an i2004 that connects to our VPN through a 4-port
Linux router. We are running a BCM
v 3.6 build 2.2c.

Problem: Hey everyone, I'm having an issue where my IP phone is
periodically not receiving a dialtone/voice on either side of the phone
connection. The IP phone does register and can make outgoing calls but
will sometimes have no voice or dialtone.

link to schematic:
http://www.thestreetwise.com/compujesus/network-schema.jpg

My diagnosis and things I've tried:
At first I thought that the problem was with the firewall on the
Linux router, so I started by adding the following lines inside
of my firewall.user file to direct the VPN traffic:

iptables -A forwarding_rule -o ppp0 -j ACCEPT
iptables -A forwarding_rule -i ppp0 -j ACCEPT
iptables -t nat -A postrouting_rule -o ppp0 -j MASQUERADE

Then I read that the registration of the IP phone is done through port
UDP 7000, so I added the appropriate line inside of my firewall.user
and tried again. Success: the phone registered, but I had no voice
traffic. I then added a line to direct port traffic 51000:51255 (I'm
sorry I'm not posting the iptables commands for this, as I am not very
good with the whole structure of Linux iptables and chains).
After doing this I received dialtone initially, but after about 10
minutes or so I checked again and the dialtone and voice were gone. So
then I tried to make an outgoing call and an incoming call and both
worked, but still no voice.

Now I'm stumped. I feel like I've tried so much to get this to work and
now need the help of someone more experienced to either help with my
iptables or to give me some insight on what I'm doing wrong. THANK YOU
EVERYONE WHO HELPS, I'VE BEEN STRESSING OVER THIS FOR A WHILE. THANKS!

coota
Guest
Posted: Tue Nov 15, 2005 4:31 pm    Post subject: Re: I2004 over VPN

Are you doing any NAT?

Guest
Posted: Wed Nov 16, 2005 11:45 pm    Post subject: Re: I2004 over VPN

Well, here's a copy of exactly what I'm doing, as well as a log of my
iptables -L


/usr/sbin/iptables -A forwarding_rule -o $1 -j ACCEPT
/usr/sbin/iptables -A forwarding_rule -i $1 -j ACCEPT
/usr/sbin/iptables -t nat -A postrouting_rule -o $1 -j MASQUERADE

###########BCM REGISTER PORT#################

/usr/sbin/iptables -t nat -A prerouting_rule -i ppp0 -p udp --sport 7000
/usr/sbin/iptables -A input_rule -i ppp0 -p udp --sport 7000

###########incoming voice###########

/usr/sbin/iptables -t nat -A prerouting_rule -i ppp0 -p udp --sport 28000
/usr/sbin/iptables -A input_rule -i ppp0 -p udp --sport 28000

###########outgoing voice###########

/usr/sbin/iptables -t nat -A postrouting_rule -o ppp0 -p udp --dport 5100
/usr/sbin/iptables -A output_rule -o ppp0 -p udp --dport 5100

/sbin/route add -net 10.0.0.0 netmask 255.0.0.0 dev ppp0
/sbin/route add -net 10.10.0.0 netmask 255.255.0.0 dev pp0


And here's my iptables -L log:


Chain INPUT (policy DROP)
target           prot opt source     destination
DROP             all  --  anywhere   anywhere     state INVALID
ACCEPT           all  --  anywhere   anywhere     state RELATED,ESTABLISHED
DROP             tcp  --  anywhere   anywhere     tcp option=!2 flags:SYN/SYN
input_rule       all  --  anywhere   anywhere
ACCEPT           all  --  anywhere   anywhere
ACCEPT           icmp --  anywhere   anywhere
ACCEPT           gre  --  anywhere   anywhere
REJECT           tcp  --  anywhere   anywhere     reject-with tcp-reset
REJECT           all  --  anywhere   anywhere     reject-with icmp-port-unreachable

Chain FORWARD (policy DROP)
target           prot opt source     destination
DROP             all  --  anywhere   anywhere     state INVALID
TCPMSS           tcp  --  anywhere   anywhere     tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
ACCEPT           all  --  anywhere   anywhere     state RELATED,ESTABLISHED
forwarding_rule  all  --  anywhere   anywhere
ACCEPT           all  --  anywhere   anywhere
ACCEPT           all  --  anywhere   anywhere

Chain OUTPUT (policy DROP)
target           prot opt source     destination
DROP             all  --  anywhere   anywhere     state INVALID
ACCEPT           all  --  anywhere   anywhere     state RELATED,ESTABLISHED
output_rule      all  --  anywhere   anywhere
ACCEPT           all  --  anywhere   anywhere
REJECT           tcp  --  anywhere   anywhere     reject-with tcp-reset
REJECT           all  --  anywhere   anywhere     reject-with icmp-port-unreachable

Chain forwarding_rule (1 references)
target           prot opt source     destination
ACCEPT           all  --  anywhere   anywhere
ACCEPT           all  --  anywhere   anywhere

Chain input_rule (1 references)
target           prot opt source     destination
ACCEPT           udp  --  anywhere   anywhere     udp spt:7000
ACCEPT           udp  --  anywhere   anywhere     udp spts:28000:28255

Chain output_rule (1 references)
target           prot opt source     destination
ACCEPT           udp  --  anywhere   anywhere     udp dpts:51000:52000

XBarNone
Guest
Posted: Thu Nov 17, 2005 5:28 am    Post subject: Re: I2004 over VPN

Have you tried taking the firewall out altogether? Try it with no firewall
to troubleshoot. Use the firewall built into the BCM.

compufxr
Guest
Posted: Thu Nov 17, 2005 5:21 pm    Post subject: Re: I2004 over VPN

If you are using a "Linksys" router (as shown in your diagram - and not
a "Linux" router) then that is your problem. We have had numerous
problems with "cheap" routers. We strictly use Contivity 221s now for
our remote VPN users.

We have a Cisco PIX 506E for our firewall in the office. We connect to
the PIX via the Contivity through an IPsec tunnel. It works great for
us. The Contivity even has a "nail down" feature that you can check to
keep the VPN tunnel up continuously. The reason you are losing voice
and dialtone is that the VPN is shutting down. If there is no activity
the VPN tunnel will close and then the phone will cease to work. One thing
we have noticed about the "cheap" routers is that they do not keep the
tunnel open - even if you turn on the keepalive.

One last thing regarding your firewall: a VPN makes opening
ports a moot point. The VPN will pass all traffic since it is a secure
connection. So, you should not have to open any ports on your firewall
(except, of course, for the VPN ports).

I realize that the Contivitys are expensive - but - you get what you
pay for!

Hope this helps!

Guest
Posted: Fri Nov 18, 2005 9:21 am    Post subject: Re: I2004 over VPN

Hey, I was thinking about what you said, and if the VPN connection is
terminated, why am I still able to make and receive calls (without any
voice communication)? I feel as if for some reason all my RTP packets
are disappearing. I think I need to just pull out Ethereal and tcpdump
and do some dirt digging. But does anyone have any ideas? Thanks
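
The capture check the last post proposes, as an added example that is not part of the original thread: it reads `tcpdump -n -tt -i ppp0 udp` text output and reports which direction of each UDP flow never carried packets or went quiet while the other side kept sending. The addresses, timestamps and the function names are constructed for illustration; the ports are the ones named in the posts above.

```python
import re
from collections import defaultdict

# Constructed capture in `tcpdump -n -tt -i ppp0 udp` format. Addresses are made
# up (192.168.1.50 = phone, 10.10.0.5 = BCM); ports 7000, 51000+ and 28000+ are
# the ones named in the thread.
SAMPLE = """\
1132305600.10 IP 192.168.1.50.7000 > 10.10.0.5.7000: UDP, length 40
1132305600.15 IP 10.10.0.5.7000 > 192.168.1.50.7000: UDP, length 40
1132305610.00 IP 192.168.1.50.51000 > 10.10.0.5.28000: UDP, length 172
1132305610.01 IP 10.10.0.5.28000 > 192.168.1.50.51000: UDP, length 172
1132305610.02 IP 192.168.1.50.51000 > 10.10.0.5.28000: UDP, length 172
1132305610.03 IP 10.10.0.5.28000 > 192.168.1.50.51000: UDP, length 172
1132305620.00 IP 192.168.1.50.51000 > 10.10.0.5.28000: UDP, length 172
1132305620.02 IP 192.168.1.50.51000 > 10.10.0.5.28000: UDP, length 172
1132305640.00 IP 192.168.1.50.7000 > 10.10.0.5.7000: UDP, length 40
1132305640.05 IP 10.10.0.5.7000 > 192.168.1.50.7000: UDP, length 40
1132305650.00 IP 192.168.1.50.51002 > 10.10.0.5.28002: UDP, length 172
1132305650.02 IP 192.168.1.50.51002 > 10.10.0.5.28002: UDP, length 172
"""

LINE = re.compile(r"^(\d+\.\d+) IP (\S+)\.(\d+) > (\S+)\.(\d+): UDP, length \d+")

def udp_flows(capture):
    """Map each endpoint pair to the packet timestamps seen from each side."""
    flows = defaultdict(lambda: defaultdict(list))
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not a UDP line in the expected format
        src, dst = (m[2], int(m[3])), (m[4], int(m[5]))
        flows[tuple(sorted((src, dst)))][src].append(float(m[1]))
    return flows

def silent_directions(capture, stall=5.0):
    """Return (sender, receiver, reason) for each direction of a flow that never
    carried a packet ("never") or stopped `stall` seconds or more before the
    other direction did ("stalled")."""
    findings = []
    for (a, b), seen in sorted(udp_flows(capture).items()):
        for tx, rx in ((a, b), (b, a)):
            mine, theirs = seen.get(tx, []), seen.get(rx, [])
            if not theirs:
                continue  # the peer sent nothing, so there is no reference
            if not mine:
                findings.append((tx, rx, "never"))
            elif theirs[-1] - mine[-1] >= stall:
                findings.append((tx, rx, "stalled"))
    return findings

if __name__ == "__main__":
    for tx, rx, reason in silent_directions(SAMPLE):
        print(f"{tx[0]}:{tx[1]} -> {rx[0]}:{rx[1]}  {reason}")
```

Running the same check on captures taken on both the LAN side and ppp0 shows whether the missing direction is lost before or after the router.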

All times are GMT