[Asterisk-Users] SIP and VPN

Lists Pleasants lists at pleasants.net
Thu Nov 10 07:45:55 MST 2005


ScreenOS 5.0x and 5.1x have some issues with SIP. Try the policies I have
listed below.

set policy id 1001 from "Trust" to "Trust" "Local" "Remote" "SIP" permit log count
set policy id 1001 application "IGNORE"
set policy id 1002 from "Trust" to "Trust" "Remote" "Local" "SIP" permit log count
set policy id 1002 application "IGNORE"

I am running 5.2r1 without any issues but I have turned off any
application deep scanning.

unset alg sql
unset alg q931
unset alg h245
unset alg ras
unset alg sip

-Chip


-----Original Message-----
From: asterisk-users-bounces at lists.digium.com
[mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of Mark Johnson
Sent: Thursday, November 10, 2005 9:15 AM
To: asterisk-users at lists.digium.com
Subject: [Asterisk-Users] SIP and VPN

Anyone out there got a SIP phone (mine's a Cisco 7940) to work through a
VPN with a Netscreen 5gt?  It has always worked for me with any ScreenOS
version 4.x.  I had the need to upgrade it to ScreenOS 5.x and it breaks
the phone.  Here's the goofy part, it works enough to still register
with the phone system and check if there is voicemail waiting.  But I
get no audio on outbound calls.  Inbound calls seem to work OK.  The
netscreen is not in NAT mode, but in route mode.  When the phone system
talks to the phone at home, it uses the home LAN address.  In debug
mode, the phone system doesn't seem to notice anything is wrong.

I don't know if this means anything or not, but...  On the phone system,
if I do a "nmap -sU -p5060 <homephoneip>" it comes back with the port is
open.  If I do the same thing from my home PC and nmap the SIP port on
the phone system, it comes back "open|filtered" which I think means no
UDP packet is returning.  SSH to the phone system works fine from home.

I also noticed that NTP is broken on the phone, so something is wrong
with UDP.

I found a really good article from someone having the same issues but it
made no difference for me.  I have a support contract through Juniper,
but they still have not found any resolution.  Here's the sip.conf
section.  I tried some variations with canreinvite and some things, but
it didn't help.  This has worked for me over a year like this.  Anyone
got any ideas?  Thanks!  Mark

[1426]
type=friend
username=123456
secret=123456
host=dynamic
;canreinvite=no
;disallow=all
;allow=ulaw,alaw
;dtmfmode=inband
;nat=never
context=office
mailbox=1426@home
linelabel="First Last"
callerid=First Last <1426>
line => 1426
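
An added example, not part of the original thread: a UDP check for the SIP port that sends a SIP OPTIONS request and reports the same three states that "nmap -sU" uses, which shows why "open|filtered" only means that nothing came back. The function names, the loopback endpoints and all SIP header values are constructed for illustration.

```python
import socket
import threading

def sip_options(target, local_ip, local_port):
    """Minimal SIP OPTIONS request (RFC 3261); header values are constructed."""
    return "\r\n".join([
        f"OPTIONS sip:{target} SIP/2.0",
        f"Via: SIP/2.0/UDP {local_ip}:{local_port};branch=z9hG4bKprobe1",
        f"From: <sip:probe@{local_ip}>;tag=probe1",
        f"To: <sip:{target}>",
        f"Call-ID: probe1@{local_ip}",
        "Max-Forwards: 70", "CSeq: 1 OPTIONS", "Content-Length: 0", "", "",
    ]).encode()

def probe(host, port, timeout=1.0):
    """Classify a UDP SIP port with the three states nmap -sU reports."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))  # connected socket: ICMP errors raise exceptions
            s.send(sip_options(host, *s.getsockname()))
            status_line = s.recv(4096).split(b"\r\n", 1)[0]
            return "open", status_line.decode(errors="replace")
        except ConnectionRefusedError:
            return "closed", "ICMP port unreachable came back"
        except socket.timeout:
            return "open|filtered", "no reply: probe or answer may have been dropped"

def udp_socket():
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("127.0.0.1", 0))  # constructed loopback endpoint, OS-chosen port
    return s, s.getsockname()[1]

def demo():
    """Probe three constructed loopback endpoints: answering, silent, closed."""
    srv, srv_port = udp_socket()
    def answer():
        _, peer = srv.recvfrom(4096)
        srv.sendto(b"SIP/2.0 200 OK\r\n\r\n", peer)
    threading.Thread(target=answer, daemon=True).start()
    silent, silent_port = udp_socket()            # bound, never replies
    tmp, closed_port = udp_socket(); tmp.close()  # nothing listens here now
    out = {"answering": probe("127.0.0.1", srv_port),
           "silent": probe("127.0.0.1", silent_port, timeout=0.5),
           "closed": probe("127.0.0.1", closed_port)}
    srv.close(); silent.close()
    return out

if __name__ == "__main__":
    print(demo())
```

Run in both directions across the tunnel, probe(host, 5060) separates a port that answers SIP from one where the request or its reply is being dropped along the path.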
