[asterisk-users] IAX2 over OpenVPN connection.... working but

Steve Totaro stotaro at totarotechnologies.com
Sun Dec 9 17:16:49 CST 2012


On Sun, Dec 9, 2012 at 2:54 PM, Stephen Brown <stephen.brown75 at gmail.com> wrote:
>
> So a friend of mine and I set up a static key based point to point
> OpenVPN connection from my box to his for the express intent of carrying
> IAX traffic encrypted.
>
> His network on his LAN is 172.30.1.0/24 and mine is 10.0.30.0/24. His
> PBX is located at 172.30.1.48 and mine is at 10.0.30.2. We had an
> existing working IAX trunk in place prior to the VPN, and after we
> brought the VPN up we set the host= parameter within Asterisk
> accordingly on each end to match the local IPs and discovered it did
> not work. The trunk remained in an UNKNOWN status on each end, even
> though we could ping each box locally, SSH, and even SIP worked.
>
> Here's where I am baffled and I am hoping someone with intricate
> knowledge of this implementation may be able to explain it to me. What
> we had to do to get this working was to set the host= parameter to the
> respective endpoint IPs of the VPN tunnel, 172.10.1.1 in my case, and
> 172.10.1.2 in his case. Calls flow normally now and we cannot understand
> how or why. I would have assumed with a destination of either LAN as
> defined by the routing table it would have left out on the OpenVPN
> connection by default, and what's even more strange is that IAX is the
> only protocol that does not appear to function as intended.
>
> Any takers? :)
>

First, not so much of an answer but more of a question.  Why use IAX2
in your scenario?  SIP would seem to be very logical in this case if
you already tested it and it works.

IAX2 really only has merits where NAT and multiple ports are an issue.
It has been known to create many problems and headaches.

Since OpenVPN negates the multiple ports over the web, and NAT isn't a
problem from what you have stated, why even bother with IAX2?

To cleanly solve your issue, create an OpenVPN tunnel directly between
the boxen with the same IP/subnet scheme.  That is what I would do, as
each tunnel is a "subinterface" of sorts, there is no need to keep the
addressing scheme of your LANs.  SIP and IAX2 should both work for you
(I still suggest SIP).  Creating a separate subnet for your OpenVPN
connection will arguably also add a bit of security between networks.

What does your iptables look like?  Maybe you are blocking IAX?  Turn
on debugging and post verbose.

Thanks,
Steve T


