[Solved] SIP Over VPN Problem

Hussam · December 16, 2013, 9:48am

I have Two Office (A and B ) In each Office there is RB-750GL Router , both Office connected with L2TP VPN , in Each Office I have IP PBX connected to each other with SIP protocol.

Everything is working great , but at the end of the day office ( A ) disconnect the power from all the equipment and devices , next day morning they power up all the devices again , VPN is working fine ( file share , RDP …etc. ) except the SIP connection , if I change the PBX IP address in Office A the SIP connection will work again , then I can change it back after an hour.

I think the Router in the Office( B ) block the SIP traffic generated from The PBX because no replay from the target.
I delete all the firewall rules , and disable the NAT helper for SIP ( it have no work in VPN but I did it as try ) but the problem still the same I have to change the PBX IP address every day morning.
Any help Please.
see the attached image please

name29 · December 16, 2013, 10:52am

Hi,

Before change IP address, please verify connection in connection tracking and check src/dst/reply src/reply dst and check connection state.

Are you natting che SIP traffic between two office or che subnet are routed ?

THG · December 16, 2013, 5:03pm

Maybe you need a NAT bypass rule for your remote sites LAN IP addresses.

Hussam · December 17, 2013, 6:32pm

I didnt nat it because i use VPN , do i need to nat ???
all traffice working fine except SIP
any way i will try to nat and see what will happen

name29 · December 17, 2013, 7:05pm

Hi,

If possible not use NAT with VoIP ( Sip ).

Please verify that really your traffic between two PBX is not natted.

Can you post your routing table of the two router and ip/firewall (filter/nat) configuration?

When SIP not work, can you check if an entry exist into connection tracking and src/dst/dst reply/src reply is correct?

THG · December 17, 2013, 10:58pm

No, you do not need NAT for your VPN connection. Depending on the configuration, you might need a NAT bypass rule placed at the top of all other NAT rules.

http://wiki.mikrotik.com/wiki/Manual:IP/IPsec#NAT_Bypass

Hussam · December 18, 2013, 4:16am

this is the routers configrations
Site A.png
Site B.png
this is the configration befor
then i add this NAT Bypass rule

site A
/ip firewall nat
add chain=srcnat action=accept place-before=0
src-address=192.168.50.0/24 dst-address=192.168.40.0/24

site B
/ip firewall nat
add chain=srcnat action=accept place-before=0
src-address=192.168.40.0/24 dst-address=192.168.50.0/24

but still the sme result every things is working fine through VPN except SIP , and please dont forget Sip is working if i just change the sip device IP address tell the next power disconnect then i have to change it again

name29 · December 18, 2013, 8:01am

Can you ping from pbx1 pbx2 and from pbx2 pbx1 ?

Please attach also connection tracking of SIP UDP connection when not working

djdrastic · December 18, 2013, 8:50am

Can you run a Wireshark trace behind the firewalls when the connetions works as well as when it doesn’t work ?

THG · December 18, 2013, 4:33pm

It sounds that the session timed out and something in the router pretend the keep alive probe. Do you have any filter rules in input and forward chain?

Hussam · December 19, 2013, 3:17pm

thank you Mr THG you are genius , it was VPN Nat bypass rule , but the strange thing it didnt work first time even after i restart the router , it work after i change the PBX IP again ( may be because it was already blocked by the firewall ) then i change it back after one hour , next day every thing still fine , thanks alot ( THG )

Kreacher · December 20, 2013, 5:46pm

thank you Mr THG you are genius , it was VPN Nat bypass rule ,

@Hussam
if he was helping you out please fell free to give him a Karma point, this must not paid by yours!

Hussam · December 21, 2013, 9:16am

Sorry dear i am new i wasnt know whats karma , sure i will do , thank you