[Asterisk-Dev] Re: [Asterisk-Users] Asterisk and SIP phones

Benjamin on Asterisk Mailing Lists benjk.on.asterisk.ml at gmail.com
Wed Oct 6 09:43:56 MST 2004


On Wed, 6 Oct 2004 11:58:38 -0400, Michael Di Martino <mdm at telx.com> wrote:
> No I meant I am NOT opposed to setting up another Asterisk server.
> Please tell me more about that solution.

Rerun by popular demand ...

Benjk's law of VoIP NAT traversal:

1) If you must use SIP, don't use NAT.

2) If you must use NAT, use IAX instead of SIP.

3) If you can avoid neither NAT nor SIP, build a VPN tunnel,
preferably IPsec.


and in more detail:

#2 SIP/IAX gateway

[SIP-phone1]---SIP--->[Asterisk1]===IAX===>[Asterisk2]---SIP--->[SIP-phone2]

The above is secure (against break-in, not against eavesdropping) and reliable.

Set up an Asterisk server at each location. Connect your SIP phones as
usual to their local Asterisk server. Set up IAX peering between the
two Asterisk servers (over the Internet, including NAT traversal
scenarios), then set up your dialplan such that calls to remote phones
are delivered through the IAX peering link. Asterisk will do the work
converting from SIP to IAX and from IAX to SIP, the SIP phones will
not be aware there is an IAX link in between.

For more details, search the Wiki with keywords NAT traversal and IAX peering.

#3 VPN tunnel

Scenario 1: standalone Windoze box with Xlite wants to connect to
remote Asterisk

[Xlite]---SIP--->[Network-layer]===PPTP===(internet)===>[PIX]---SIP--->[Asterisk]

Scenario 2: two LANs joined via VPN tunnel, Asterisk on one side, phones on both

[SIP-phones]---SIP--->[PIX]===IPsec===>[PIX]---SIP--->[Asterisk]

Scenario 3: Like Scenario 2 but no money for PIX VPN license, using
IPsec pass-through

[SIP-phones]--SIP-->[Wolverine]==IPsec==[PIX]==IPsec==>[Wolverine]---SIP-->[Asterisk]

All of the above are secure (against break-in and eavesdropping) and reliable.

rgds
benjk

-- 
Sunrise Telephone Systems, 9F Shibuya Daikyo Bldg., 1-13-5 Shibuya,
Tokyo, Japan.

NB: Spam filters in place. Messages unrelated to the * mailing lists
may get trashed.
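
The SIP/IAX gateway from #2 above, as an added configuration sketch that is not part of the original post or of the Asterisk sample configs. Assumptions: Asterisk1 sits behind NAT and Asterisk2 has a public address; the hostname, peer names, contexts, extension ranges (1XXX local to site 1, 2XXX local to site 2) and the secret are constructed placeholders.

```ini
; ===== Asterisk1 (assumed behind NAT): iax.conf =====
[general]
bindport=4569
; Register outbound so Asterisk2 learns our current public address:port
register => site1:CHANGE_ME_LONG_RANDOM@asterisk2.example.com

[site2]                        ; entry for Asterisk2
type=friend
host=asterisk2.example.com
username=site1                 ; name we present when calling Asterisk2
secret=CHANGE_ME_LONG_RANDOM
auth=md5                       ; challenge/response; audio is still unencrypted
context=from-site2             ; inbound IAX calls land only in this context
qualify=yes                    ; periodic poke, also keeps the NAT mapping open

; ===== Asterisk1: extensions.conf =====
[local-phones]                 ; context assigned to the local SIP phones
exten => _1XXX,1,Dial(SIP/${EXTEN})
exten => _2XXX,1,Dial(IAX2/site2/${EXTEN})   ; remote phones via the IAX link

[from-site2]                   ; the remote side may reach local phones only
exten => _1XXX,1,Dial(SIP/${EXTEN})

; ===== Asterisk2 (assumed public address): iax.conf =====
[general]
bindport=4569

[site1]                        ; entry for Asterisk1
type=friend
host=dynamic                   ; address learned from site1's registration
username=site2                 ; name we present when calling Asterisk1
secret=CHANGE_ME_LONG_RANDOM
auth=md5
context=from-site1
qualify=yes

; ===== Asterisk2: extensions.conf =====
[local-phones]
exten => _2XXX,1,Dial(SIP/${EXTEN})
exten => _1XXX,1,Dial(IAX2/site1/${EXTEN})

[from-site1]
exten => _2XXX,1,Dial(SIP/${EXTEN})
```

Keeping the inbound IAX contexts separate from the local phone contexts means a compromised peer secret exposes only the extensions listed there, not outbound trunks or other dialplan features.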


