[strongSwan] VoIP Data Leaks around VPN
Levine, Daniel J.
Daniel.Levine at jhuapl.edu
Wed Sep 10 22:52:24 CEST 2014
I have a VPN road warrior configuration using StrongSwan client apps on 2 Android phones (the road warriors). The VPN tunnels establish fine using IKEv2. The phones can now see each other on the VPN subnet (10.3.0.0/24) as well as the private network (10.1.0.0/24) behind the firewall. For completeness, the public network the VPN goes over is the 10.2.0.0/24 network. So the phones, a wireless router, and the outer half of the VPN server live over there. I think that covers the topology.
So, once this network is established, I'm using a SIP phone app on the Androids to register with an Asterisk server on the private network. That actually works nicely as well. I can even call an extension on the Asterisk server that plays a canned message just fine. Looking at the traffic, I see that everything is confined to the 10.3.0.0/24 and 10.1.0.0/24 network. Which is what I'd expect. Both phones work fine this way.
If I place a call to the other phone through the Asterisk server the call works great. Both phones send and receive the audio of their microphones. However, when I use tcpdump to examine the traffic on the Asterisk server (which is different from the VPN server on the 10.1.0.0/24 network) on the 10.1.0.0/24 network, I see that the traffic goes over the 10.2.0.0/24 network!
I have found that turning on SDP NAT rewrite causes causes the data confine itself to the 10.3.0.0/24 network, but I only get one way audio transmission in a direction related to who calls whom.
Any thoughts on what kind of issue I might have here? As I describe this, I'm thinking I should probably talk to the Asterisk people to figure out why it doesn't like talking over the VPN and then discovers the 10.2.0.0/24 path.
Thoughts? Anyone solve a problem like this?
Sent with Good (www.good.com)
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Users