[strongSwan] VoIP Data Leaks around VPN

Noel Kuntze noel at familie-kuntze.de
Wed Sep 10 23:05:40 CEST 2014


Hello Daniel,

Does the asterisk server have a route to the VPN network over the VPN server?
What is SPD NAT rewrite?!
Can you look at what sockets are used by the SIP software? Also check the routing table on the Android devices.
I think it's a problem with the routing table, maybe caused by a route pushed to the phone via dhcp.
Also, you might want to increase verbosity for the asterisk server and look how and why it does what it does.
It sounds like a problem with asymmetric routing.

Regards,
Noel Kuntze

GPG Key id: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

Am 10.09.2014 um 22:52 schrieb Levine, Daniel J.:
> I have a VPN road warrior configuration using strongSwan client apps on 2 Android phones (the road warriors). The VPN tunnels establish fine using IKEv2.  The phones can now see each other on the VPN subnet (10.3.0.0/24) as well as the private network (10.1.0.0/24) behind the firewall. For completeness, the public network the VPN goes over is the 10.2.0.0/24 network. So the phones, a wireless router, and the outer half of the VPN server live over there.  I think that covers the topology.
> 
> So, once this network is established, I'm using a SIP phone app on the Androids to register with an Asterisk server on the private network. That actually works nicely as well. I can even call an extension on the Asterisk server that plays a canned message just fine.  Looking at the traffic, I see that everything is confined to the 10.3.0.0/24 and 10.1.0.0/24 network. Which is what I'd expect.  Both phones work fine this way.
> 
> If I place a call to the other phone through the Asterisk server the call works great. Both phones send and receive the audio of their microphones.  However, when I use tcpdump to examine the traffic on the Asterisk server (which is different from the VPN server on the 10.1.0.0/24 network) on the 10.1.0.0/24 network, I see that the traffic goes over the 10.2.0.0/24 network!
> 
> I have found that turning on SDP NAT rewrite causes the data to confine itself to the 10.3.0.0/24 network, but I only get one way audio transmission in a direction related to who calls whom.
> 
> Any thoughts on what kind of issue I might have here?  As I describe this, I'm thinking I should probably talk to the Asterisk people to figure out why it doesn't like talking over the VPN and then discovers the 10.2.0.0/24 path.
> 
> Thoughts?  Anyone solve a problem like this?
> 
> Dan
> 
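Noel suggests looking at which sockets the SIP software actually uses, and Daniel observes that Asterisk's SDP NAT rewrite changes which network the media ends up on. The following is an added example, not code from the thread or from strongSwan or Asterisk: it extracts the connection address each SDP media section advertises and checks it against the two networks Daniel says media is supposed to stay on (the 10.3.0.0/24 VPN pool and the 10.1.0.0/24 private LAN). A phone that advertises its 10.2.0.0/24 underlay address in SDP tells the far end to send RTP there, outside the tunnel, which is the pattern Daniel's tcpdump shows. The SIP message and SDP bodies below are constructed for the example; the subnets are the ones from the thread.

```python
import ipaddress

# Networks from the thread: the VPN pool and the private LAN behind the firewall.
# Anything else (such as the 10.2.0.0/24 underlay the tunnel rides over) is a leak.
ALLOWED_MEDIA_NETS = (
    ipaddress.ip_network("10.3.0.0/24"),
    ipaddress.ip_network("10.1.0.0/24"),
)


def sdp_body(sip_message: str) -> str:
    """Return the body of a SIP message (everything after the first blank line)."""
    # SIP, like HTTP, separates headers from body with an empty line.
    head, sep, body = sip_message.replace("\r\n", "\n").partition("\n\n")
    return body if sep else ""


def parse_sdp_media_endpoints(sdp: str):
    """List (media, address, port) for every m= section of an SDP body.

    A session-level c= line (before the first m=) applies to all media
    sections; a c= line inside a media section overrides it (RFC 4566).
    """
    session_addr = None
    sections = []
    for raw in sdp.splitlines():
        line = raw.strip()
        if len(line) < 2 or line[1] != "=":
            continue
        key, value = line[0], line[2:]
        if key == "m":
            # m=<media> <port> <proto> <fmt> ...
            media, port = value.split()[:2]
            sections.append({"media": media, "port": int(port), "addr": session_addr})
        elif key == "c":
            # c=<nettype> <addrtype> <connection-address>[/ttl][/count]
            addr = value.split()[2].split("/")[0]
            if sections:
                sections[-1]["addr"] = addr   # per-media override
            else:
                session_addr = addr           # session-level default
    return [(s["media"], s["addr"], s["port"]) for s in sections]


def media_outside_vpn(sdp: str, allowed=ALLOWED_MEDIA_NETS):
    """Return media sections whose advertised address is not inside an allowed net.

    Port 0 means the stream was rejected, so it carries no RTP and is skipped.
    """
    findings = []
    for media, addr, port in parse_sdp_media_endpoints(sdp):
        if port == 0:
            continue
        if addr is None:
            findings.append((media, addr, port, "no connection address"))
            continue
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append((media, addr, port, "unparseable address"))
            continue
        if not any(ip in net for net in allowed):
            findings.append((media, addr, port, "outside VPN/private networks"))
    return findings


# Constructed SIP INVITE as a phone might send it over the tunnel: the SIP
# layer uses the VPN address, but the SDP advertises the 10.2.0.0/24 underlay
# address, so the far end will send RTP outside the tunnel.
LEAKING_INVITE = (
    "INVITE sip:201@10.1.0.10 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.3.0.2:5060\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=phone 1 1 IN IP4 10.2.0.15\r\n"
    "s=-\r\n"
    "c=IN IP4 10.2.0.15\r\n"
    "t=0 0\r\n"
    "m=audio 4000 RTP/AVP 0 8 101\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
)

# Constructed SDP with a per-media override: the session address is on the
# VPN, but the audio section points at the underlay; video is rejected (port 0).
MIXED_SDP = (
    "v=0\n"
    "o=phone 2 2 IN IP4 10.3.0.2\n"
    "s=-\n"
    "c=IN IP4 10.3.0.2\n"
    "t=0 0\n"
    "m=audio 4000 RTP/AVP 0\n"
    "c=IN IP4 10.2.0.15\n"
    "m=video 0 RTP/AVP 97\n"
)

# Constructed SDP that keeps media on the VPN pool.
CLEAN_SDP = (
    "v=0\no=phone 3 3 IN IP4 10.3.0.2\ns=-\nc=IN IP4 10.3.0.2\nt=0 0\n"
    "m=audio 4000 RTP/AVP 0\n"
)

if __name__ == "__main__":
    for name, sdp in (("leaking", sdp_body(LEAKING_INVITE)),
                      ("mixed", MIXED_SDP), ("clean", CLEAN_SDP)):
        print(name, media_outside_vpn(sdp))
```

Feed the SDP from a captured INVITE or 200 OK (for instance from the tcpdump Daniel already has, or from Asterisk's SIP debug output) to `media_outside_vpn`; a non-empty result names the stream whose RTP will not traverse the tunnel and the address it was steered to. That answers Noel's question about what the SIP software is using with what it is advertising, which is what the peer acts on regardless of the routing table on either phone.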