One way audio on VoIP over IKEv2/IPsec connection

Hello mikrotik community :slight_smile:

I have a problem when I want to use our in-house PBX over an IKEv2/IPsec connection. When I call a teammate in-house, they can’t hear me, but I can hear them.
So I did some research and it seems to be a problem with NAT. In the connection table I saw that the reply dst address for the RTP stream is wrong, which probably causes the issue.

SRC-ADDRESS           DST-ADDRESS           REPLY-SRC-ADDRESS     REPLY-DST-ADDRESS
192.168.2.100:4002    192.168.1.79:14006    192.168.1.79:14006    192.168.2.100:1025
192.168.2.100:4003    192.168.1.79:14006    192.168.1.79:14006    192.168.2.100:4003

The next thing I don’t understand is: Why is there a NAT between the IKEv2/IPsec network and the in-house network?
Can this NAT be removed and if yes, how?

Here is my NAT and IPsec configuration:

/ip firewall nat
add action=masquerade chain=srcnat comment="masquerade wan" out-interface-list=wan
add action=dst-nat chain=dstnat comment="mobile hub" dst-address-list=wan dst-address-type=local dst-port=5222 protocol=tcp to-addresses=192.168.1.79 to-ports=5222
add action=masquerade chain=srcnat comment="mobile hub (hairpin NAT)" dst-address=192.168.1.79 dst-port=5222 protocol=tcp src-address-list=lan

/ip ipsec mode-config
add address-pool=dhcp_ipsec address-prefix-length=32 name=cfg_roadwarrior static-dns=192.168.1.1 system-dns=no
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc pfs-group=none
/ip ipsec peer
add address=0.0.0.0/0 auth-method=rsa-signature certificate=IPsec-Server dh-group=modp2048 enc-algorithm=aes-256 exchange-mode=ike2 generate-policy=port-strict hash-algorithm=sha256 mode-config=cfg_roadwarrior passive=yes
/ip ipsec policy
set 0 dst-address=192.168.2.0/24 src-address=0.0.0.0/0

I hope anyone has an idea what to do :slight_smile:

Thanks in advance!

Hello, you need to add your src-address in the IPsec policy:

/ip ipsec policy
set 0 dst-address=192.168.2.0/24 src-address=0.0.0.0/0

Then, create a NAT rule in srcnat with action=accept, src-address=your_lan and dst-address=remote_lan.

Place the policy at the top.

Regards,

I’ll try to clarify this. The IPsec policy is matched against outbound packets after almost all routing and firewall work has been done, just before the packet would be sent out via the interface found using the standard routing rules and firewall rules. This means that if the default route uses an output interface for which src-nat is configured (as in your case; masquerade is a special case of src-nat), the packet is src-nat’ed. Your IPsec policy matches any src address, so it matches the packet even though it has been src-nat’ed, but the question is how the recipient of such a packet likes packets that come from an unexpected source address (there may be firewall rules dropping such packets, or the phone/PBX may ignore them).

So use

/ip firewall nat add action=accept chain=srcnat dst-address=192.168.2.0/24 place-before=0

to insert an exception rule before the masquerade one in chain srcnat of table NAT to see whether that helps.

Also, if you use fasttrack (if yes, there is a rule with action=fasttrack-connection somewhere in chain forward of /ip firewall filter), you need to create an exception from that rule for both packets sent to 192.168.2.0/24 and packets arriving from there, because fasttracked packets bypass IPsec policy matching too.

Or you can replace both of the above by rules in the /ip firewall raw table with action=no-track for packets sent to and coming from 192.168.2.0/24, if you don’t need a stateful firewall between the networks for some other reason.
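As an added worked example (not part of the thread, and not the poster's own configuration), here is the complete set of RouterOS rules that the explanation above amounts to: the srcnat exception placed ahead of the masquerade rule, the fasttrack exception in both directions, the raw-table alternative, and the commands used to check the result. It assumes the addressing from the first post (LAN 192.168.1.0/24, mode-config pool 192.168.2.0/24) and the rule comment "masquerade wan" from the posted NAT config; the fasttrack rule comment "defconf: fasttrack" is an assumption (it is what the RouterOS default configuration uses). Note that the raw-table action keyword is spelled notrack in RouterOS.

```routeros
# Added example, not from the thread. Assumptions: LAN 192.168.1.0/24, IKEv2
# clients receive 192.168.2.0/24 from mode-config, the masquerade rule carries
# the comment "masquerade wan" (as posted), and the fasttrack rule carries the
# comment "defconf: fasttrack" (assumed, the RouterOS default-config name).

# 1. Keep traffic towards the IKEv2 clients off the masquerade rule.
#    srcnat is walked top to bottom and the first matching rule ends the chain,
#    so the accept must sit before "masquerade wan". Accepted packets leave
#    srcnat untouched and reach IPsec policy matching with their real LAN
#    source address, which is what the phone on the VPN side expects.
/ip firewall nat
add action=accept chain=srcnat comment="no NAT towards IKEv2 clients" \
    dst-address=192.168.2.0/24 \
    place-before=[find comment="masquerade wan"]

# 2. Fasttracked packets skip IPsec policy matching, so packets to and from
#    the VPN subnet must not be fasttracked. Accepting them before the
#    fasttrack rule, with the same connection-state match, keeps the rest of
#    the filter logic as it was and only removes these flows from the fast path.
/ip firewall filter
add action=accept chain=forward comment="keep IKEv2 traffic off fasttrack" \
    connection-state=established,related dst-address=192.168.2.0/24 \
    place-before=[find comment="defconf: fasttrack"]
add action=accept chain=forward comment="keep IKEv2 traffic off fasttrack" \
    connection-state=established,related src-address=192.168.2.0/24 \
    place-before=[find comment="defconf: fasttrack"]

# 3. Alternative to 1 and 2: do not track these connections at all. Untracked
#    packets cannot be NATed or fasttracked, so they reach the IPsec policy
#    unchanged; the price is that connection-state matchers, and therefore
#    stateful filtering, no longer apply between the two networks.
#    (Commented out: use either 1+2 or 3, not both.)
# /ip firewall raw
# add action=notrack chain=prerouting dst-address=192.168.2.0/24
# add action=notrack chain=prerouting src-address=192.168.2.0/24

# Verification after placing a test call: the RTP entries towards the VPN
# client should now show a reply-dst-address equal to the LAN phone's real
# address and port, not a masqueraded port; the accept rule's counters in
# srcnat should be increasing; and the policy should show the traffic as
# matched.
/ip firewall connection print detail where dst-address~"^192.168.2."
/ip firewall nat print stats
/ip ipsec policy print
```

Both approaches share one property worth keeping in mind: they rely on the IPsec policy existing for 192.168.2.0/24. If a client is not connected, packets accepted by the srcnat rule or exempted from conntrack would leave the WAN interface unencrypted with a private source address, so the policy (and, where required, a drop rule for ipsec-policy=out,none traffic to that subnet) is what prevents cleartext leakage, not the NAT exception.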

Thank you both for your support and the great explanation of what is happening in the background. Everything works as desired now :slight_smile:

Best regards
Stefan