SIP header rewrite and NAT through VPN tunnel

  • Updated 4 years ago
Hello,

Is HiveOS able to do SIP inspection where the SIP header, specifically the Contact header, gets rewritten with the NAT IP address when traffic is traversing a VPN tunnel?

I believe Cisco ASA does this.

I have been testing the following scenario:

BR200-WP with an L3 VPN tunnel to a HiveOS VA. SIP phone connected to the BR200-WP on a replicated Aerohive network with NAT enabled. Let's say the SIP phone gets given an IP address of 192.168.0.1 and this is NAT'd by the BR200-WP to 10.0.0.1 as traffic enters the VPN tunnel.

When the phone registers with the SIP server at the other end of the tunnel, the SIP server sees the registration come from 192.168.0.1 (pre-NAT) and not from the post-NAT address of 10.0.0.1. When taking a packet capture the "Contact" SIP header is the pre-NAT address, e.g.:

Contact: <sip:1234@192.168.0.1:5060>;methods="INVITE, ACK, BYE, CANCEL, OPTIONS, INFO, MESSAGE, SUBSCRIBE, NOTIFY, PRACK, UPDATE, REFER"

Therefore, when someone rings the SIP number, the SIP server is trying to send the SIP and RTP traffic to 192.168.0.1, which isn't routable.

When I do this with a Cisco ASA, where the traffic is being NAT'd from the remote end through the VPN tunnel and "inspect sip" is turned on, this isn't a problem. The SIP headers are rewritten correctly with the post-NAT IP address.

Am I missing a setting in HiveManager? Or does HiveOS not support this?

FYI, I have managed to get this working by making some changes to the SIP server so that it uses the source IP address (which will be the post-NAT address) instead of taking any notice of the SIP header.

Thanks!

Hank Marvin


Posted 4 years ago


Nick Lowe, Official Rep

I believe this is something supported by the SIP conntrack module when NAT is performed - HiveOS is Linux-based. However, as to what the expected behaviour is here, only an employee from Aerohive could tell you.

Hank Marvin

Yes, you're correct. NAT SIP and SIP conntrack modules are needed when handling SIP with NAT via iptables. Guessing HiveOS isn't loading (or doesn't support) nf_nat_sip and/or nf_conntrack_sip :-(

Anyone from Aerohive able to comment? Can this get added to the roadmap? Can't quite believe this is missing!
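To make the two fixes discussed in this thread concrete (the ALG rewrite of the Contact header that an inspecting firewall or nf_nat_sip performs, and the server-side workaround of trusting the packet source address instead), here is an added Python example; it is not from the thread or from Aerohive, and the REGISTER message, its PBX hostname and branch/Call-ID values are constructed.

```python
import re

# Addresses from the thread: the phone's address and its post-NAT address in the tunnel.
PRE_NAT, POST_NAT = "192.168.0.1", "10.0.0.1"

# Constructed REGISTER (not a real capture) carrying the Contact line quoted above.
REGISTER = (
    "REGISTER sip:pbx.example SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.0.1:5060;branch=z9hG4bK776asdhds\r\n"
    "Call-ID: a84b4c76e66710@192.168.0.1\r\n"
    'Contact: <sip:1234@192.168.0.1:5060>;methods="INVITE, ACK, BYE, CANCEL"\r\n'
    "Content-Length: 0\r\n\r\n"
)

# Groups: 1 = prefix, 2 = host, 3 = optional port; one for <sip:> URIs, one for Via sent-by.
URI_HOST = re.compile(r"(<sips?:(?:[^@>]*@)?)([^:;>]+)(?::(\d+))?")
VIA_HOST = re.compile(r"(^Via:\s*SIP/2\.0/\w+\s+)([^:;\s]+)(?::(\d+))?", re.I)

def contact_addr(msg):
    """(host, port) from the Contact header, port defaulting to 5060; None if absent."""
    for line in msg.split("\r\n"):
        if line.lower().startswith("contact:"):
            m = URI_HOST.search(line)
            if m:
                return m.group(2), int(m.group(3) or 5060)
    return None

def alg_rewrite(msg, inside_ip, outside_ip):
    """What a SIP ALG (nf_nat_sip, ASA 'inspect sip') does: the pre-NAT host in
    Contact and Via becomes the post-NAT host; other headers and URI params stay."""
    def swap(m):
        host = outside_ip if m.group(2) == inside_ip else m.group(2)
        return m.group(1) + host + (":" + m.group(3) if m.group(3) else "")
    out = []
    for line in msg.split("\r\n"):
        name = line.split(":", 1)[0].strip().lower()
        if name == "contact":
            line = URI_HOST.sub(swap, line)
        elif name == "via":
            line = VIA_HOST.sub(swap, line)
        out.append(line)
    return "\r\n".join(out)

def effective_contact(msg, src_ip, src_port):
    """The poster's server-side workaround: trust the transport source over a
    Contact host that differs from it. Third value: True when they disagreed."""
    host, port = contact_addr(msg) or (None, None)
    if host != src_ip:
        return src_ip, src_port, True
    return host, port, False
```

Running `alg_rewrite(REGISTER, PRE_NAT, POST_NAT)` gives the message the PBX would have seen behind an ASA with "inspect sip"; `effective_contact(REGISTER, "10.0.0.1", 5060)` shows the mismatch the server-side workaround papers over.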

Mike Kouri, Official Rep

HiveOS uses a flow-based forwarding engine; we do not use iptables in the access points. I will talk to my peers responsible for this area, but my understanding is that our expected use-case is SIP within the organization, where NAT would not be needed, not external.

Hank Marvin

Thank you Mike for making inquiries. Hopefully the expected use-case can be changed and this can be fixed for the future :)

I don't think it's unusual to use SIP with NAT, especially when you're deploying telephony to branch sites; in a large deployment you may end up with overlapping subnets, and therefore you need to use NAT through the VPN tunnel.