VyOS SIP issue

nat
voip

#1

I have a Voice Soft Switch running behind the VyOS router. This connects to another Soft Switch via an IPsec tunnel. The tunnel is up, but we cannot make calls. We can see lots of malformed packets. The technician at the other end says VyOS isn’t able to manage the ISUP part of the SIP packet. Is there anything I could do with VyOS to fix this?

Thanks in advance


#2

ISUP is an SS7 protocol, typically your gateway translates ISUP messaging <-> SIP messaging, but it can be transmitted “transparently” between gateways. So, to confirm precisely what is happening, can you definitively say you are doing the latter?

Can you provide more detail about what “malformed” packets means?


#3

VyOS receives a SIP-I packet from a Soft Switch and then does the following:

  • Apply source NAT to change the source IP of the packet
  • Port forward the UDP 5060 packets to another IP

As per the technician, only the ISUP part of the packets is corrupted. They suspect VyOS can’t process such packets.


#4

Can you post your config? Can your provider be more precise about what “corrupted” means? There isn’t really any “processing” per se that VyOS would normally do; packet data is just bits and bytes.


#5

Extremely sorry for the delay. Following is the configuration.

interfaces {
    ethernet eth0 {
        address x.x.x.x/26
        duplex auto
        hw-id 06:3f:3b:ed:4f:b0
        smp_affinity auto
        speed auto
    }
    ethernet eth1 {
        address x.x.x.x/28
        duplex auto
        hw-id 06:4b:34:db:25:44
        smp_affinity auto
        speed auto
    }
    loopback lo {
    }
}
nat {
    destination {
        rule 2000 {
            description "1-to-1 NAT"
            destination {
                address x.x.x.x
            }
            inbound-interface eth1
            translation {
                address x.x.x.x
            }
        }
    }
    source {
        rule 2000 {
            description "1-to-1 NAT"
            outbound-interface eth1
            source {
                address x.x.x.x
            }
            translation {
                address x.x.x.x
            }
        }
    }
}
protocols {
    static {
        route x.x.x.x/8 {
            next-hop x.x.x.x {
            }
        }
    }
}
service {
    ssh {
        port 22
    }
}
system {
    config-management {
        commit-revisions 20
    }
    console {
        device ttyS0 {
            speed 9600
        }
    }
    domain-name abc.com
    gateway-address x.x.x.x
    host-name vyos
    login {
        user root {
            authentication {
                encrypted-password ****************
                plaintext-password ****************
            }
            level admin
        }
        user vyatta {
            authentication {
                encrypted-password ****************
                plaintext-password ****************
            }
            level admin
        }
    }
    name-server 10.0.80.11
    name-server 10.0.80.12
    ntp {
        server time.service.networklayer.com {
        }
    }
    package {
        auto-sync 1
        repository community {
            components main
            distribution stable
            password ****************
            url http://packages.vyatta.com/vyatta
            username ""
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone America/Chicago
}
vpn {
    ipsec {
        esp-group ESP-1-EAST {
            lifetime 3600
            pfs disable
            proposal 1 {
                encryption aes256
                hash sha1
            }
        }
        ike-group IKE-1-EAST {
            lifetime 86400
            proposal 1 {
                dh-group 5
                encryption aes256
                hash sha1
            }
        }
        ipsec-interfaces {
            interface eth1
        }
        nat-networks {
            allowed-network x.x.x.x/32 {
            }
            allowed-network 1x.x.x.x/32 {
            }
        }
        nat-traversal enable
        site-to-site {
            peer x.x.x.x {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret ****************
                    remote-id x.x.x.x
                }
                default-esp-group ESP-1-EAST
                ike-group IKE-1-EAST
                local-address x.x.x.x
                tunnel 1 {
                    local {
                        prefix x.x.x.x/32
                    }
                    remote {
                        prefix x.x.x.x/32
                    }
                }
                tunnel 2 {
                    local {
                        prefix x.x.x.x/32
                    }
                    remote {
                        prefix x.x.x.x/32
                    }
                }
            }
        }
    }
}


#6

You need to disable SIP conntrack.


#7

Awesome, after disabling SIP conntrack we can initiate the calls. Thanks very much. But now we face another problem. Only one side can hear the calls. The other party cannot hear the audio.

When we checked, we identified that the other end's VoIP switch forwards RTP packets to the IP behind the NAT, not to the NATed IP. The IP behind the NAT appears in the SDP. In my VyOS I configured one-to-one NAT. Am I missing anything?
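
The symptom in the post above (the private address appearing in the SDP, so the far end sends RTP to it) can be confirmed from a captured INVITE. The following is an added example, not part of the original thread: it pulls the o= and c= addresses out of a SIP message and reports those that differ from the source address the remote side sees. The sample message, the placeholder ISUP bytes and all IP addresses are constructed.

```python
import ipaddress

# Constructed SIP-I INVITE (not captured traffic): SDP part plus placeholder ISUP bytes.
SAMPLE_INVITE = (
    b"INVITE sip:1000@198.51.100.20 SIP/2.0\r\n"
    b"Content-Type: multipart/mixed;boundary=b1\r\n"
    b"\r\n"
    b"--b1\r\n"
    b"Content-Type: application/sdp\r\n"
    b"\r\n"
    b"v=0\r\n"
    b"o=- 1 1 IN IP4 10.0.0.5\r\n"
    b"s=-\r\n"
    b"c=IN IP4 10.0.0.5\r\n"
    b"t=0 0\r\n"
    b"m=audio 20000 RTP/AVP 8\r\n"
    b"--b1\r\n"
    b"Content-Type: application/isup\r\n"
    b"\r\n"
    b"\x01\x00\x60\x00\r\n"
    b"--b1--\r\n"
)


def sdp_addresses(raw: bytes):
    """Return (field, address) for each o= and c= line found in the message."""
    found = []
    # latin-1 maps every byte to a character, so the binary ISUP part cannot break decoding.
    for line in raw.decode("latin-1").splitlines():
        parts = line.split()
        if line.startswith("c=") and len(parts) == 3:
            found.append(("c", parts[2].split("/")[0]))  # drop multicast /ttl suffix
        elif line.startswith("o=") and len(parts) == 6:
            found.append(("o", parts[5]))
    return found


def sdp_nat_mismatches(raw: bytes, observed_src: str):
    """List SDP addresses that differ from the source IP the far end sees."""
    seen = ipaddress.ip_address(observed_src)
    mismatches = []
    for field, text in sdp_addresses(raw):
        try:
            addr = ipaddress.ip_address(text)
        except ValueError:  # hostname or stray binary data, not an IP literal
            continue
        if addr != seen:
            mismatches.append((field, str(addr), addr.is_private))
    return mismatches
```

Calling `sdp_nat_mismatches(SAMPLE_INVITE, "203.0.113.10")`, where 203.0.113.10 stands in for the NATed address, flags both lines; the c= entry is the one that decides where the far end sends RTP.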


#8

The one-side hearing issue is due to NAT. I removed NAT and it’s working fine now.
Thank you everyone for your help!

