I2004 over VPN

Background: We have an i2004 that connects to our VPN through a 4-port Linux router. We are running a BCM v 3.6 build 2.2c.

Problem: Hey everyone, I'm having an issue where my IP phone is periodically not receiving a dialtone/voice on either side of the phone connection. The IP phone does register and can make outgoing calls but will sometimes have no voice or dialtone.

link to schematic:

My diagnosis and things I've tried: At first I thought that the problem was with the firewall on the Linux router, so I started by adding the following lines inside of my firewall.user file to direct the VPN traffic:

iptables -A forwarding_rule -o ppp0 -j ACCEPT
iptables -A forwarding_rule -i ppp0 -j ACCEPT
iptables -t nat -A postrouting_rule -o ppp0 -j MASQUERADE

Then I read that the registration of the IP phone is done through port UDP 7000, so I added the appropriate line inside of my firewall.user and tried again. Success: the phone registered, but I had no voice traffic. I then added a line to direct port traffic 51000:51255. (I'm sorry I'm not posting the iptables commands for this, as I am not very good with the whole structure of Linux iptables and chains.) After doing this I received dialtone initially, but after about 10 minutes or so I checked again and the dialtone and voice were gone. So then I tried to make an outgoing call and an incoming call and both worked, but still no voice.

Now I'm stumped. I feel like I've tried so much to get this to work and now need the help of someone more experienced to either help with my iptables or to give me some insight on what I'm doing wrong. THANK YOU EVERYONE WHO HELPS, I'VE BEEN STRESSING OVER THIS FOR A WHILE. THANKS!

Reply to
Zenofex

Are you doing any NAT?

Reply to
coota

Well, here's a copy of exactly what I'm doing, as well as a log of my iptables -L:

/usr/sbin/iptables -A forwarding_rule -o $1 -j ACCEPT
/usr/sbin/iptables -A forwarding_rule -i $1 -j ACCEPT
/usr/sbin/iptables -t nat -A postrouting_rule -o $1 -j MASQUERADE

###########BCM REGISTER PORT#################
/usr/sbin/iptables -t nat -A prerouting_rule -i ppp0 -p udp --sport 7000
/usr/sbin/iptables -A input_rule -i ppp0 -p udp --sport 7000

###########incoming voice###########
/usr/sbin/iptables -t nat -A prerouting_rule -i ppp0 -p udp --sport 28000
/usr/sbin/iptables -A input_rule -i ppp0 -p udp --sport 28000

###########outgoing voice###########
/usr/sbin/iptables -t nat -A postrouting_rule -o ppp0 -p udp --dport 5100
/usr/sbin/iptables -A output_rule -o ppp0 -p udp --dport 5100

/sbin/route add -net 10.0.0.0 netmask 255.0.0.0 dev ppp0
/sbin/route add -net 10.10.0.0 netmask 255.255.0.0 dev pp0

And here's my iptables -L log:

Chain INPUT (policy DROP)
target           prot opt source     destination
DROP             all  --  anywhere   anywhere     state INVALID
ACCEPT           all  --  anywhere   anywhere     state RELATED,ESTABLISHED
DROP             tcp  --  anywhere   anywhere     tcp option=!2 flags:SYN/SYN
input_rule       all  --  anywhere   anywhere
ACCEPT           all  --  anywhere   anywhere
ACCEPT           icmp --  anywhere   anywhere
ACCEPT           gre  --  anywhere   anywhere
REJECT           tcp  --  anywhere   anywhere     reject-with tcp-reset
REJECT           all  --  anywhere   anywhere     reject-with icmp-port-unreachable

Chain FORWARD (policy DROP)
target           prot opt source     destination
DROP             all  --  anywhere   anywhere     state INVALID
TCPMSS           tcp  --  anywhere   anywhere     tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
ACCEPT           all  --  anywhere   anywhere     state RELATED,ESTABLISHED
forwarding_rule  all  --  anywhere   anywhere
ACCEPT           all  --  anywhere   anywhere
ACCEPT           all  --  anywhere   anywhere

Chain OUTPUT (policy DROP)
target           prot opt source     destination
DROP             all  --  anywhere   anywhere     state INVALID
ACCEPT           all  --  anywhere   anywhere     state RELATED,ESTABLISHED
output_rule      all  --  anywhere   anywhere
ACCEPT           all  --  anywhere   anywhere
REJECT           tcp  --  anywhere   anywhere     reject-with tcp-reset
REJECT           all  --  anywhere   anywhere     reject-with icmp-port-unreachable

Chain forwarding_rule (1 references)
target           prot opt source     destination
ACCEPT           all  --  anywhere   anywhere
ACCEPT           all  --  anywhere   anywhere

Chain input_rule (1 references)
target           prot opt source     destination
ACCEPT           udp  --  anywhere   anywhere     udp spt:7000
ACCEPT           udp  --  anywhere   anywhere     udp spts:28000:28255

Chain output_rule (1 references)
target           prot opt source     destination
ACCEPT           udp  --  anywhere   anywhere     udp dpts:51000:52000

Reply to
Zenofex

Have you tried taking the firewall out altogether? Try it with no firewall to troubleshoot. Use the firewall built into the BCM.

Reply to
XBarNone

If you are using a "Linksys" router (as shown in your diagram - and not a "Linux" router) then that is your problem. We have had numerous problems with "cheap" routers. We strictly use Contivity 221s now for our remote VPN users.

We have a Cisco PIX 506E for our firewall in the office. We connect to the PIX via the Contivity through an IPSEC tunnel. It works great for us. The Contivity even has a "nail down" feature that you can check to keep the VPN tunnel up continuously. The reason you are losing voice and dialtone is that the VPN is shutting down. If there is no activity the VPN tunnel will close and then the phone will cease to work. One thing we have noticed about the "cheap" routers is that they do not keep the tunnel open - even if you turn on the keepalive.

One last thing regarding your firewall: a VPN makes opening ports a moot point. The VPN will pass all traffic since it is a secure connection. So, you should not have to open any ports on your firewall (except, of course, for the VPN ports).

I realize that the Contivitys are expensive - but - you get what you pay for!

Hope this helps!

Reply to
compufxr

Hey, I was thinking about what you said, and if the VPN connection is terminated, why am I still able to make and receive calls (without any voice communication)? I feel as if for some reason all my RTP packets are disappearing. I think I need to just pull out Ethereal and tcpdump and do some dirt digging. But does anyone have any ideas? Thanks

Reply to
Zenofex
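The packet-capture check proposed in the last post, sketched as an added example (not code from the thread or any poster): it reads `tcpdump -n -tt` text output, sorts UDP packets into signalling and voice using the port numbers quoted in the thread, and lists directions that have no return traffic. The IP addresses and capture lines are constructed for illustration.

```python
import re
from collections import defaultdict

# UDP ports named in the thread: 7000 for registration/signalling,
# 28000-28255 and 51000-52000 for voice.
SIGNALLING = (range(7000, 7001),)
VOICE = (range(28000, 28256), range(51000, 52001))

# One line of `tcpdump -n -tt` text output for a UDP packet.
LINE = re.compile(r"^(\d+\.\d+) IP (\S+)\.(\d+) > (\S+)\.(\d+): UDP, length \d+")

# Constructed sample (not from the thread): capture on ppp0, 10.10.1.20 is the
# router's tunnel address, 10.10.0.5 the BCM. Voice flows one way only.
SAMPLE_PPP0 = """
1000.00 IP 10.10.1.20.5000 > 10.10.0.5.7000: UDP, length 40
1000.02 IP 10.10.0.5.7000 > 10.10.1.20.5000: UDP, length 40
1010.00 IP 10.10.1.20.51000 > 10.10.0.5.28000: UDP, length 172
1010.02 IP 10.10.1.20.51000 > 10.10.0.5.28000: UDP, length 172
1010.04 IP 10.10.1.20.51000 > 10.10.0.5.28000: UDP, length 172
"""

def classify(port):
    if any(port in r for r in SIGNALLING):
        return "signalling"
    if any(port in r for r in VOICE):
        return "voice"
    return None

def summarise(capture):
    """Return {(kind, src_ip, dst_ip): [packet_count, last_timestamp]}."""
    flows = defaultdict(lambda: [0, 0.0])
    for line in capture.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # not a UDP packet line
        ts, src, sport, dst, dport = m.groups()
        kind = classify(int(sport)) or classify(int(dport))
        if kind:
            flows[(kind, src, dst)][0] += 1
            flows[(kind, src, dst)][1] = max(flows[(kind, src, dst)][1], float(ts))
    return dict(flows)

def one_way(flows, kind="voice"):
    """Directions of `kind` traffic with no packets seen coming back."""
    return sorted((s, d) for (k, s, d) in flows if k == kind and (k, d, s) not in flows)

if __name__ == "__main__":
    flows = summarise(SAMPLE_PPP0)
    print("one-way voice:", one_way(flows))
    print("one-way signalling:", one_way(flows, "signalling"))
```

Running it over one capture from the LAN interface and one from ppp0 shows on which side of the router a voice direction goes missing while signalling on UDP 7000 still passes in both directions.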
