<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
</o:shapelayout></xml><![endif]--></head><body lang=EN-GB link=blue vlink=purple><div class=WordSection1><p class=MsoNormal>Hi all</p><p class=MsoNormal> </p><p class=MsoNormal>I was wondering if anyone can help me with a problem I am having with using TLS SIP when NAT routers are involved.</p><p class=MsoNormal> </p><p class=MsoNormal>The scenario is as follows:</p><p class=MsoNormal> </p><p class=MsoNormal>SIP UA ---&gt; NAT firewall ---&gt; Internet ---&gt; FreeSWITCH ---&gt; Internet ---&gt; NAT firewall ---&gt; SIP UA</p><p class=MsoNormal> </p><p class=MsoNormal>When I use UDP as the transport protocol, everything works fine. This is down to (correct me if I am wrong) the NAT router being able to inspect the SIP traffic and change the SIP INVITE message so that the public IP is used for the RTP stream. This is seen in the following (1.2.3.4 = SIP UA, 50.50.50.50 = FreeSWITCH server):</p><p class=MsoNormal> </p>
<pre style='font-size:10.0pt;font-family:"Courier New"'>recv 1042 bytes from udp/[1.2.3.4]:34019 at 08:40:24.302496:
------------------------------------------------------------------------
INVITE sip:1004@50.50.50.50 SIP/2.0
Via: SIP/2.0/UDP 1.2.3.4:34019;branch=z9hG4bKD8xhgo0smbsOQMUy;rport
Contact: &lt;sip:1002@1.2.3.4:34019&gt;
Max-Forwards: 70
From: "1002" &lt;sip:1002@50.50.50.50&gt;;tag=A6E182EBB96E21919A44C50399F1BF27
Allow: OPTIONS, INVITE, ACK, REFER, CANCEL, BYE, NOTIFY
Supported: replaces, path
User-Agent: Acrobits Softphone Business/1.8.8
To: &lt;sip:1004@50.50.50.50&gt;
Content-Type: application/sdp
Call-ID: 2926496CCA1C6189C90A52D821B06B5E9DBA2B32
CSeq: 1 INVITE
Proxy-Authorization: Digest username="1002",realm="50.50.50.50",algorithm=MD5,uri="sip:1004@50.50.50.50",nonce="09195369-6474-4310-b3a6-60e7d9c780f1",qop=auth,cnonce="1b774f833fd01b5b29954c2ddc2b5457",nc=00000002,response="07bda5b4c5fa5e17f653a3e9c7a2f05e"
Content-Length: 241

v=0
o=- 10805 6353 IN IP4 1.2.3.4 <b><span style='color:red'>&lt;--- Public IP address used so that the other party knows to send the RTP stream to this address.</span></b>
s=xynwwjx
c=IN IP4 1.2.3.4
t=0 0
m=audio 34962 RTP/AVP 102 3 0 8 9 101
a=rtpmap:101 telephone-event/8000
a=rtpmap:102 ILBC/8000
a=fmtp:102 mode=30
a=fmtp:101 0-15
a=ptime:30
a=sendrecv
</pre><p class=MsoNormal> </p><p class=MsoNormal>This was obtained from the SIP trace on the FreeSWITCH server. The FreeSWITCH server then forwards these details to the other party.</p><p class=MsoNormal> </p><p class=MsoNormal>The problem occurs when TLS is used, as the NAT firewalls are unable to inspect the SIP packets. Here is another SIP trace on the FreeSWITCH server for the TLS example (again I have changed the public IPs to the same as in the above example):</p><p class=MsoNormal> </p>
<pre style='font-size:10.0pt;font-family:"Courier New"'>recv 1048 bytes from tls/[1.2.3.4]:64403 at 16:00:42.271063:
------------------------------------------------------------------------
INVITE sip:1002@50.50.50.50 SIP/2.0
Via: SIP/2.0/TLS 1.2.3.4:64403;branch=z9hG4bKz6qAkQj3XsYuJ5Os;rport
Contact: &lt;sip:1004@1.2.3.4:64403;transport=tls&gt;
Max-Forwards: 70
From: "Ben" &lt;sip:1004@50.50.50.50&gt;;tag=F28D08D5E039D8FE021D08022A72F982
Allow: OPTIONS, INVITE, ACK, REFER, CANCEL, BYE, NOTIFY
Supported: replaces, path
User-Agent: Acrobits Softphone Business/1.8.8
To: &lt;sip:1002@50.50.50.50&gt;
Content-Type: application/sdp
Call-ID: 32166133760BDDAD823725B563F6A1B3989090D6
CSeq: 1 INVITE
Authorization: Digest username="1004",realm="50.50.50.50",algorithm=MD5,uri="sip:1002@50.50.50.50",nonce="5af9829e-716d-4472-924f-84eb41d9e78e",qop=auth,cnonce="d641702f981e10f3a41e074061bdb5b3",nc=00000003,response="a9f577ac37f8f367b2f839a58d43e1e0"
Content-Length: 240

v=0
o=- 71766 47529 IN IP4 172.16.234.176 <b><span style='color:red'>&lt;--- Using private IP for the RTP details</span></b>
s=fscmvnc
c=IN IP4 172.16.234.176
t=0 0
m=audio 64628 RTP/AVP 3 102 101
a=rtpmap:101 telephone-event/8000
a=rtpmap:102 ILBC/8000
a=fmtp:102 mode=30
a=fmtp:101 0-15
a=ptime:30
a=sendrecv
------------------------------------------------------------------------
</pre><p class=MsoNormal> </p><p class=MsoNormal>As you can see, the SIP UAs are going to try to use a non-existent private IP address to send the RTP stream to.</p><p class=MsoNormal>I can also confirm that the UAs are trying to do this by looking at the SIP logs built into the SIP UA client 
software.</p><p class=MsoNormal> </p><p class=MsoNormal>My (FreeSWITCH-related) question is: am I able to set something in FreeSWITCH to change the details to be the public IP of the firewall? The SIP messages include the correct IP; can the FreeSWITCH server use this address and replace the private IP with this one?</p><p class=MsoNormal> </p><p class=MsoNormal>I have heard about TLS proxies/STUN servers etc., but would much rather use FreeSWITCH to do this.</p><p class=MsoNormal> </p><p class=MsoNormal>Any suggestions are welcome; also please let me know if I have misunderstood any of the concepts behind SIP/VoIP and firewalls – I am rather new to the VoIP game!</p><p class=MsoNormal> </p><p class=MsoNormal>Kind regards</p><p class=MsoNormal> </p><p class=MsoNormal>Ben</p><p class=MsoNormal> </p><p class=MsoNormal><b><span style='mso-fareast-language:EN-GB'>Ben Naylor</span></b></p><p class=MsoNormal><b><span style='mso-fareast-language:EN-GB'>Network Support Engineer</span></b></p><p class=MsoNormal><span style='font-size:8.0pt;mso-fareast-language:EN-GB'>T: +44 (0)207 096 1648</span></p><p class=MsoNormal><span 
style='font-size:8.0pt;mso-fareast-language:EN-GB'>M: +44 (0)7924 349 113</span></p><p class=MsoNormal><span style='font-size:8.0pt;mso-fareast-language:EN-GB'>F: +44 (0)207 150 595</span></p><p class=MsoNormal><span style='font-size:8.0pt;mso-fareast-language:EN-GB'>E: <a href="mailto:bnaylor@sirran.com"><span style='color:blue'>bnaylor@sirran.com</span></a> W: <a href="http://www.sirran.com/"><span style='color:blue'>www.sirran.com</span></a></span></p><p class=MsoNormal><span style='font-size:8.0pt;mso-fareast-language:EN-GB'> </span></p><p class=MsoNormal><span style='font-size:8.0pt;mso-fareast-language:EN-GB'>A: SiRRAN Communications Ltd, The Hawk Business Park, Easingwold, YO61 3FE</span></p><p class=MsoNormal><span style='font-size:8.0pt;mso-fareast-language:EN-GB'>Registered Office: SiRRAN Communications Ltd., <span style='color:#333333'>6-9 Trinity Street, Dublin 2, Ireland</span></span></p></div></body></html>
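The mismatch the two traces show (an RFC 1918 address in the c= and o= lines while the message arrives from a public address) is exactly what a server-side NAT check looks for, since a NAT cannot rewrite SDP it cannot read. The Python below is an added example, not code from the post or from FreeSWITCH: it parses a constructed, trimmed copy of the TLS INVITE above, flags the mismatch against the observed transport source address, rewrites the private media address to that source address and recomputes Content-Length. The function names and the sample message are this example's own assumptions.

```python
import ipaddress
import re

# Constructed sample: the TLS INVITE from the post, trimmed; SDP body is 120 bytes.
SAMPLE_INVITE = (
    "INVITE sip:1002@50.50.50.50 SIP/2.0\r\n"
    "Via: SIP/2.0/TLS 1.2.3.4:64403;branch=z9hG4bKz6qAkQj3XsYuJ5Os;rport\r\n"
    "Content-Length: 120\r\n"
    "\r\n"
    "v=0\r\n"
    "o=- 71766 47529 IN IP4 172.16.234.176\r\n"
    "s=fscmvnc\r\n"
    "c=IN IP4 172.16.234.176\r\n"
    "t=0 0\r\n"
    "m=audio 64628 RTP/AVP 3 102 101\r\n"
)

# Address field of "c=IN IP4 <addr>" and "o=<user> <id> <ver> IN IP4 <addr>".
ADDR_RE = re.compile(r"^((?:c=IN IP4|o=\S+ \S+ \S+ IN IP4) )"
                     r"(\d{1,3}(?:\.\d{1,3}){3})", re.M)


def split_sip(message):
    """Split a SIP message (CRLF line endings) into header lines and body."""
    head, _, body = message.partition("\r\n\r\n")
    return head.split("\r\n"), body


def sdp_addresses(sdp):
    """Every IPv4 address the SDP advertises for media (c= and o= lines)."""
    return [m.group(2) for m in ADDR_RE.finditer(sdp)]


def natted(addr, source_ip):
    """An RFC 1918 address that differs from where the packet really came
    from: the signature of a UA behind a NAT that could not read the TLS."""
    return ipaddress.ip_address(addr).is_private and addr != source_ip


def behind_nat(message, source_ip):
    """True when any media address in the SDP looks NATted."""
    _, sdp = split_sip(message)
    return any(natted(a, source_ip) for a in sdp_addresses(sdp))


def rewrite_invite(message, source_ip):
    """Replace NATted c=/o= addresses with the observed source address and
    recompute Content-Length for the changed body; unchanged otherwise."""
    if not behind_nat(message, source_ip):
        return message
    headers, sdp = split_sip(message)
    new_sdp = ADDR_RE.sub(
        lambda m: m.group(1) + source_ip if natted(m.group(2), source_ip)
        else m.group(0), sdp)
    headers = ["Content-Length: %d" % len(new_sdp.encode())
               if h.lower().startswith("content-length:") else h
               for h in headers]
    return "\r\n".join(headers) + "\r\n\r\n" + new_sdp
```

Rewriting the address alone does not fix the RTP port, which the NAT translates as well; a B2BUA also has to latch onto the source of the first RTP packet it actually receives (symmetric RTP). FreeSWITCH's sofia profiles expose this kind of source-address comparison through parameters such as aggressive-nat-detection and apply-nat-acl.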