[strongSwan] VoIP Data Leaks around VPN

Noel Kuntze noel at familie-kuntze.de
Wed Sep 10 23:05:40 CEST 2014


Hello Daniel,

Does the Asterisk server have a route to the VPN network over the VPN server?
What is SPD NAT rewrite?!
Can you look at what sockets are used by the SIP software? Also check the routing table on the Android devices.
I think it's a problem with the routing table, maybe caused by a route pushed to the phone via DHCP.
Also, you might want to increase verbosity for the Asterisk server and look at how and why it does what it does.
It sounds like a problem with asymmetric routing.

Noel Kuntze

GPG Key id: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 10.09.2014 at 22:52, Levine, Daniel J. wrote:
> I have a VPN road warrior configuration using StrongSwan client apps on 2 Android phones (the road warriors). The VPN tunnels establish fine using IKEv2.  The phones can now see each other on the VPN subnet ( as well as the private network ( behind the firewall. For completeness, the public network the VPN goes over is the network. So the phones, a wireless router, and the outer half of the VPN server live over there.  I think that covers the topology.
> So, once this network is established, I'm using a SIP phone app on the Androids to register with an Asterisk server on the private network. That actually works nicely as well. I can even call an extension on the Asterisk server that plays a canned message just fine.  Looking at the traffic, I see that everything is confined to the and network. Which is what I'd expect.  Both phones work fine this way.
> If I place a call to the other phone through the Asterisk server the call works great. Both phones send and receive the audio of their microphones.  However, when I use tcpdump to examine the traffic on the Asterisk server (which is different from the VPN server on the network) on the network, I see that the traffic goes over the network!
> I have found that turning on SDP NAT rewrite causes the data to confine itself to the network, but I only get one way audio transmission in a direction related to who calls whom.
> Any thoughts on what kind of issue I might have here?  As I describe this, I'm thinking I should probably talk to the Asterisk people to figure out why it doesn't like talking over the VPN and then discovers the path.
> Thoughts?  Anyone solve a problem like this?
> Dan
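
Added example, not part of the original thread: one way to check which media addresses the SIP signalling advertises, which is what an SDP NAT rewrite option changes. The subnets and the SDP body are constructed placeholders, since the thread's real addresses are not shown.

```python
import ipaddress
import re

# Constructed values: the thread's real subnets are not shown on the page.
VPN_NETS = [ipaddress.ip_network("10.8.0.0/24"),      # assumed VPN pool
            ipaddress.ip_network("192.168.50.0/24")]  # assumed private LAN

# Constructed SDP offer: audio uses the tunnel address, video a public one.
SAMPLE_SDP = """v=0
o=- 3619 3619 IN IP4 10.8.0.11
s=call
c=IN IP4 10.8.0.11
t=0 0
m=audio 40000 RTP/AVP 0 8
m=video 40002 RTP/AVP 96
c=IN IP4 198.51.100.23
"""

C_LINE = re.compile(r"^c=IN IP[46] (\S+)")
M_LINE = re.compile(r"^m=(\w+) (\d+)")

def media_endpoints(sdp):
    """Return (media, address, port) per m= section; a media-level c=
    line overrides the session-level c= line (RFC 4566)."""
    session_addr, sections = None, []
    for line in sdp.splitlines():
        if m := M_LINE.match(line):
            sections.append([m.group(1), session_addr, int(m.group(2))])
        elif c := C_LINE.match(line):
            addr = c.group(1).split("/")[0]  # drop any multicast TTL suffix
            if sections:
                sections[-1][1] = addr
            else:
                session_addr = addr
    return [tuple(s) for s in sections]

def outside_vpn(sdp, nets=VPN_NETS):
    """List media endpoints whose address is not in any tunnelled subnet."""
    leaks = []
    for media, addr, port in media_endpoints(sdp):
        try:
            inside = any(ipaddress.ip_address(addr) in n for n in nets)
        except (ValueError, TypeError):
            inside = False  # hostname or missing c= line: flag for review
        if not inside:
            leaks.append((media, addr, port))
    return leaks

if __name__ == "__main__":
    print(outside_vpn(SAMPLE_SDP))
```

Feeding it the SDP bodies from a SIP capture on the Asterisk server shows whether any stream is being negotiated to an address that the tunnel does not cover.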

