[strongSwan] VoIP Data Leaks around VPN
noel at familie-kuntze.de
Wed Sep 10 23:05:40 CEST 2014
Does the asterisk server have a route to the VPN network over the VPN server?
What is SDP NAT rewrite?!
Can you look at what sockets are used by the SIP software? Also check the routing table on the Android devices.
I think it's a problem with the routing table, maybe caused by a route pushed to the phone via DHCP.
Also, you might want to increase verbosity for the asterisk server and look at how and why it does what it does.
It sounds like a problem with asymmetric routing.
GPG Key id: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
On 10.09.2014 at 22:52, Levine, Daniel J. wrote:
> I have a VPN road warrior configuration using StrongSwan client apps on 2 Android phones (the road warriors). The VPN tunnels establish fine using IKEv2. The phones can now see each other on the VPN subnet (10.3.0.0/24) as well as the private network (10.1.0.0/24) behind the firewall. For completeness, the public network the VPN goes over is the 10.2.0.0/24 network. So the phones, a wireless router, and the outer half of the VPN server live over there. I think that covers the topology.
> So, once this network is established, I'm using a SIP phone app on the Androids to register with an Asterisk server on the private network. That actually works nicely as well. I can even call an extension on the Asterisk server that plays a canned message just fine. Looking at the traffic, I see that everything is confined to the 10.3.0.0/24 and 10.1.0.0/24 network. Which is what I'd expect. Both phones work fine this way.
> If I place a call to the other phone through the Asterisk server the call works great. Both phones send and receive the audio of their microphones. However, when I use tcpdump to examine the traffic on the Asterisk server (which is different from the VPN server on the 10.1.0.0/24 network) on the 10.1.0.0/24 network, I see that the traffic goes over the 10.2.0.0/24 network!
> I have found that turning on SDP NAT rewrite causes the data to confine itself to the 10.3.0.0/24 network, but I only get one-way audio transmission in a direction related to who calls whom.
> Any thoughts on what kind of issue I might have here? As I describe this, I'm thinking I should probably talk to the Asterisk people to figure out why it doesn't like talking over the VPN and then discovers the 10.2.0.0/24 path.
> Thoughts? Anyone solve a problem like this?
> Users mailing list
> Users at lists.strongswan.org
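A way to check the point raised above (whether the media path differs from the signalling path) without waiting for tcpdump to catch a call: SIP signalling rides the tunnel, but the RTP endpoint is whatever address the phone puts in the SDP c= line, and the peer routes to that address with its own routing table. The script below is an added example and not code from this thread, strongSwan or Asterisk; the routing table, interface names (tun0 for the VPN, eth0 for the public side) and the two SDP bodies are constructed for illustration using the subnets from the question. It parses the SDP media descriptions, does a longest-prefix match against the table, and reports any stream whose advertised address would leave the tunnel.

```python
import ipaddress

# Constructed routing table (not taken from the thread). Interface names are
# an assumption: 10.3.0.0/24 and 10.1.0.0/24 reach the tunnel, everything
# else, including the public 10.2.0.0/24, goes out the plain interface.
ROUTES = [
    ("0.0.0.0/0", "eth0"),
    ("10.2.0.0/24", "eth0"),
    ("10.3.0.0/24", "tun0"),
    ("10.1.0.0/24", "tun0"),
]

# Constructed SDP bodies. The first advertises the phone's WLAN address,
# the second advertises its VPN virtual address, once at session level and
# once overridden at media level.
LEAKY_SDP = """v=0
o=- 1 1 IN IP4 10.2.0.50
s=-
c=IN IP4 10.2.0.50
t=0 0
m=audio 4000 RTP/AVP 0 8 101
a=rtpmap:0 PCMU/8000
"""

GOOD_SDP = """v=0
o=- 1 1 IN IP4 10.3.0.2
s=-
c=IN IP4 10.3.0.2
t=0 0
m=audio 4000 RTP/AVP 0 8 101
m=video 4002 RTP/AVP 96
c=IN IP4 10.3.0.2
"""


def route_lookup(addr, routes=ROUTES):
    """Longest-prefix match over the table, as the kernel FIB would do."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def sdp_media_endpoints(sdp):
    """Return (media type, ip, port) for every m= line in an SDP body.

    A session-level c= line applies to all media unless a media-level c=
    line follows the m= line and overrides it (RFC 4566 semantics).
    """
    session_ip = None
    streams = []
    current = None
    for raw in sdp.splitlines():
        line = raw.strip()
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key == "c":
            ip = value.split()[2]          # "IN IP4 10.2.0.50"
            if current is None:
                session_ip = ip
            else:
                current["ip"] = ip
        elif key == "m":
            if current is not None:
                streams.append(current)
            mtype, port = value.split()[:2]  # "audio 4000 RTP/AVP ..."
            current = {"type": mtype, "port": int(port), "ip": None}
    if current is not None:
        streams.append(current)
    for s in streams:
        if s["ip"] is None:
            s["ip"] = session_ip
    return [(s["type"], s["ip"], s["port"]) for s in streams]


def media_leaks(sdp, tunnel_ifaces=("tun0",), routes=ROUTES):
    """Streams whose advertised address routes out an interface other than the tunnel."""
    leaks = []
    for mtype, ip, port in sdp_media_endpoints(sdp):
        iface = route_lookup(ip, routes)
        if iface not in tunnel_ifaces:
            leaks.append((mtype, ip, port, iface))
    return leaks


if __name__ == "__main__":
    for name, body in (("leaky", LEAKY_SDP), ("good", GOOD_SDP)):
        print(name, media_leaks(body))
```

On a real box the table comes from `ip route` (or `ip rule`/`ip xfrm policy` when strongSwan installs policies rather than routes) and the SDP from a SIP trace; the idea is the same: compare the c= address against the path the peer actually has to it.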