25 Jan
2003
25 Jan
'03
3:59 a.m.
Folks,
please help me -- share with me techniques for NAT traversal you
use and have hands-on experience with. People repeatedly ask
about it, and I'd like to create an FAQ that reflects deployment
experience and as wide user feed-back as possible. Just tell me the
technique you use, its requirements, limitations, the devices it
is known (not) to work with, why you prefer one method over the
other, etc. I'll then try to compile it in an FAQ.
So please send me an e-mail, an example is attached. I will appreciate
any practical details.
Thank you,
-Jiri
----------------------------------------------------------------
technique: using symmetric communication
requirements: phone devices that support symmetric communication;
existing species: Cisco's ATA
configuration
practice: ATAs need to be configured to advertise public address
in signaling, or learn it from REGISTER replies;
alternatively, one can rewrite signaling using ser's
nethelper module; one needs to rewrite SIP anyway
because ATAs don't advertise their symmetricity;
see www.foo.bar for info on configuring ATA...
limitations: non-symmetric devices, like Messenger don't work;
misc: ATA has no display, that's why I am anxiously
waiting for more vendors to support symmetric
signaling
----------------------------------------------------------------
technique: UPnP
requirements: NATs and phones with UPnP support; Messenger and
snom are known to support UPnP; there is linux
support for it
configuration
practice: of course, upnp requires by definition no configuration ;-)
(I'm not serious -- anyone actually tried it?)
----------------------------------------------------------------
technique: geek tweaks: set-up port forwading manually
configuration
practice: you need to configure NATs to split its public-side port
numbers accross your private-side phones, and configure
the phones (if they allows so) to use these port numbers;
also, phones need to be configured to use publicly
reachable address in their payloads
requriements: configurable NATs (many residental NATs are configurable)
and configurable phones (ATAs do that, I heard pingtel did
it too)
----------------------------------------------------------------
technique: ALG
requirements: SIP-capable NAT (like Intertex or Cisco/PIX)
issues: intertex freezes my ssh connections after some time on-line
and elderly models don't like all Ethernet devices;
when things don't work, the red-button off-on helps
sometimes
----------------------------------------------------------------
technique: STUN
requirements: STUN-enabled phone (like k-phone, snom)
limitations: doesn't work over symmetric NATs (words-of-mouth propaganda
has been telling me that many residential NATs are fortunately
not symmetric, but I don't know how objective this information
really is)
----------------------------------------------------------------
--
Jiri Kuthan http://iptel.org/~jiri/
25 Jan
25 Jan
10:57 a.m.
Jiri Kuthan writes:
technique: UPnP
requirements: NATs and phones with UPnP support; Messenger and
snom are known to support UPnP; there is linux
support for it
but how many nat boxes support upnp? last time i looked at ms upnp
page, the list was very short.
technique: ALG
requirements: SIP-capable NAT (like Intertex or Cisco/PIX)
i like this one. cisco ios nat that is built in every cisco router
now has sip alg. you must have very recent ios version though.
technique: STUN
requirements: STUN-enabled phone (like k-phone, snom)
limitations: doesn't work over symmetric NATs (words-of-mouth propaganda
has been telling me that many residential NATs are fortunately
not symmetric, but I don't know how objective this information
really is)
we have tried kphone's stun in all mojor dsl providers in finland that
nat their customers and haven't had problems with any. in some cases
you have to run stund in your outbound proxy and not in some other ip
address.
-- juha
5:20 p.m.
Hi Juha,
On Saturday 25 January 2003 09:57, jh(a)lohi.eng.song.fi wrote:
but you never tested it with a Linux 2.4 NAT box, or? ;)
I had the problem that kphone 2.11 sends out the request from a different port
then its listening. So the request goes out with a random port and comes back
on 5060, which is blocked by the linux NAT because the source IP of the SIP
server and the STUN server differ (see below).
Attached find a patch which fixes this for UDP. I didn't tryed to fix TCP
because i can't test it.
BTW do you use an old STUN version in kphone and as your server?
Because i wasn't able to get a response from our iptel.org STUN server. Only
your wirlab STUN server responses to the kphone requests.
Greetings
Nils Ohlmeier
--
gpg-key: http://www.ohlmeier.org/public_key.asc
technique:
STUN
requirements: STUN-enabled phone (like k-phone, snom)
limitations: doesn't work over symmetric NATs (words-of-mouth
propaganda has been telling me that many residential NATs are
fortunately not symmetric, but I don't know how objective this
information really is)
we have tried kphone's stun in all mojor dsl providers in finland that
nat their customers and haven't had problems with any. in some cases
you have to run stund in your outbound proxy and not in some other ip
address.
23 Feb
23 Feb
9:07 a.m.
Nils Ohlmeier writes:
BTW do you use an old STUN version in kphone and as
your server?
Because i wasn't able to get a response from our iptel.org STUN
server. Only your wirlab STUN server responses to the kphone
requests.
KPhone 3.01 now supports the latest stun version.
-- juha
7:28 p.m.
New subject: [Serusers] CVS code
I need a couple of the new features in CVS, so I thought I'd
try to build it.
It build and installed, but complained of a missing reference:
realm_column
I changed modules/auth/checks.c to read:
checks.c: keys[0] = domain_column;
instead of realm_column and that fixed the load reference.
My script references the functions:
addRecordRoute() and rewriteFromRoute()
I remember seeing something a few days ago about
rewriteFromRoute() going away. I see these new functions:
loose_route, strict_route and record_route.
In a nutshell, do I just lose the rewriteFromRoute() calls
and add record_route(1) instead of addRecordRoute()?
thanks,
---greg
Greg Fausak
8:43 p.m.
New subject: [Serusers] Reoute_route
I'm seeing this error:
0(30906) Warning: sl_send_reply: I won't send a reply for ACK!!
0(30906) ERROR: sl_reply_error used: Regretfuly, we were not able to
process the URI (479/SL)
0(30906) TRACE:In route[3] 0(30906) ERROR: do_action: bad uri
<sip:92143357976@216.87.144.203:5060 SIP/2.0
Via: SIP/2.0/UDP 216.87.145.26:5060
From: "August.Net Dallas"
<sip:4695461235@216.87.144.203>;tag=c4943000a2f3d673090b2-3dbc5751
To: <sip:2143357976@216.87.144.203;user=phone>;tag=38980230-8C3
Call-ID: 003094c4-3d2f000e-090136b1-00386102(a)216.87.145.26
User-Agent: Cisco-SIP-IP-Phone/2
CSeq: 103 BYE
Route: <sip:92143357976@216.87.144.196:5060;user=phone>
Content-Length: 0
Authorization: Digest
username="4695461235",realm="augustvoice.net",uri="sip:216.87.144.203",r
esponse="2d8e38148a0c514b8a679368d3d68d49",nonce="3e5916a900000000017345
53a066af6285ae680a7f031ca4",algorithm=md5
Any ideas?
My call will connect for 8 seconds, then drop.
---greg
Greg Fausak
10:05 p.m.
New subject: [Serusers] Reoute_route
At 07:43 PM 2/23/2003, Greg Fausak wrote:
I'm seeing this error:
0(30906) Warning: sl_send_reply: I won't send a reply for ACK!!
That tells, that you script is configured to reply ACKs somewhere.
I can't tell more until I see the script.
0(30906) ERROR: sl_reply_error used: Regretfuly, we
were not able to
process the URI (479/SL)
0(30906) TRACE:In route[3] 0(30906) ERROR: do_action: bad uri
The request bellow is probably not the one which triggered the
messages above -- it is not an ACK. Also, it is either incomplete
or broken (see first line).
-Jiri
<sip:92143357976@216.87.144.203:5060 SIP/2.0
Via: SIP/2.0/UDP 216.87.145.26:5060
From: "August.Net Dallas"
<sip:4695461235@216.87.144.203>;tag=c4943000a2f3d673090b2-3dbc5751
To: <sip:2143357976@216.87.144.203;user=phone>;tag=38980230-8C3
Call-ID: 003094c4-3d2f000e-090136b1-00386102(a)216.87.145.26
User-Agent: Cisco-SIP-IP-Phone/2
CSeq: 103 BYE
Route: <sip:92143357976@216.87.144.196:5060;user=phone>
Content-Length: 0
Authorization: Digest
username="4695461235",realm="augustvoice.net",uri="sip:216.87.144.203",r
esponse="2d8e38148a0c514b8a679368d3d68d49",nonce="3e5916a900000000017345
53a066af6285ae680a7f031ca4",algorithm=md5
Any ideas?
My call will connect for 8 seconds, then drop.
---greg
Greg Fausak
_______________________________________________
Serusers mailing list
serusers(a)lists.iptel.org
http://lists.iptel.org/mailman/listinfo/serusers
--
Jiri Kuthan http://iptel.org/~jiri/
10:34 p.m.
New subject: [Serusers] CVS code
Warning: CVS status is still work in progress and has not been
tested yet.
At 06:28 PM 2/23/2003, Greg Fausak wrote:
I need a couple of the new features in CVS, so I
thought I'd
try to build it.
It build and installed, but complained of a missing reference:
realm_column
I changed modules/auth/checks.c to read:
checks.c: keys[0] = domain_column;
instead of realm_column and that fixed the load reference.
It's fixed on CVS now, thanks.
My script references the functions:
addRecordRoute() and rewriteFromRoute()
I remember seeing something a few days ago about
rewriteFromRoute() going away. I see these new functions:
loose_route, strict_route and record_route.
In a nutshell, do I just lose the rewriteFromRoute() calls
and add record_route(1) instead of addRecordRoute()?
1) s/addRecordRoute/record_route(lr)
2) s/rewriteFromRoute/loose_route
#1 makes ser put loose record-routes in messages (lr=1), #2 makes it
interpret loose routes.
-Jiri
7943
days inactive
7972
days old
7 comments
4 participants
participants (4)
-
Greg Fausak -
jh@lohi.eng.song.fi -
Jiri Kuthan -
Nils Ohlmeier