NAT traversal using SIP
  •  
henrysbox


We just finished evaluating KWF software and everything seems to be working great. We were able to run some services like DNS, POP3, SMTP, FTP, HTTP, including settings for each policy. We also experimented on port mapping, remote access, VPN and CITRIX connection. We didn't have a hard time configuring the firewall - it is straightforward and it's all in the document.

But just before we finalized everything, we tried to set up an outside connection which requires a "telephony". The idea is to provide a multimedia telephony stream from an outside connection to our private IP without using Kerio's client VPN or IKE, IPSec, since this "telephony" is not routable and it requires a NAT traversal. NAT traversal is a way of telling your firewall or router to route the "multimedia or telephony" RTP stream from public IP to your private network using 192.168.x.x based addresses.

We then set up a couple of ports to open - including SIP and RTP. We were able to connect to the system and retrieved some data information, but the telephony part is not working. As we worked along evaluating KWF and its other features, we almost lost track of why we are evaluating your product. This is the deciding factor which we almost forgot - to be able to make the NAT traversal work so that the software we want to use will run properly.

Has any one of you tried NAT traversal without using IPsec or VPN? Can you provide us some detail?

Thanks
  •  
tweek

Hi,
I have tried a Sipura SPA2000 VoIP device behind Winroute Firewall 6.0.4, but it was not even registering with the VoIP service provider. Then I disabled the firewall and used Windows 2000 built-in NAT. Then it was working perfectly. Sipura SPA2000 uses SIP and KWF supports SIP, but still... it doesn't work...

Tweek(Tony)

[Updated on: Thu, 02 September 2004 08:33]

  •  
henrysbox

Right Tweek,

While we were testing the SIP, we first tried to set it up outside the firewall to see if the application was the problem, and to narrow down some errors. Without the firewall, we tried to make a couple of test calls and it worked flawlessly.

We then tried to set it back again behind the firewall and run the same application. The application was able to connect to the client server, but there was no response after we initiated the call. The client receives a ring, but after he answers it's just dead air; in short, it's not routing the call (their explanation). So do you think KWF is SIP-aware?

Any feedback from gurus out there?
  •  
tweek

Yes, KWF is SIP enabled, since MSN Messenger's voice chat is working perfectly from any system behind the firewall without any special settings. I have tested it just by enabling UPnP. But I don't know what happens when I connect a VoIP device.

Can anybody help if there are any special settings for SIP?
Thanks
  •  
henrysbox

We tried to test using KWF client VPN and it works fine. Hmmm, you just gave me an idea. We haven't tried using UPnP yet, simply because we don't trust it. We never included this in our optional scenario, though I'm still skeptical about using UPnP. It's worth a try. Since I'm using Win2k Pro and it doesn't support UPnP, I have to set up a WinXP box for this. I'll post it here if it works. I wish KWF had support for various NAT translations (i.e., Static NAT, Dynamic NAT, Overloading and Overlapping etc.) or had an option to enable UPnP only for a selected IP or group.
Hope using WinXP and UPnP will do more good than harm.
  •  
feite

You can add a rule to allow UPnP for only a range of IP addresses of a group. If you have a rule that allows all traffic from LAN to firewall, then place a rule above that rule disallowing IP addresses that are not allowed to use UPnP.
  •  
henrysbox

Thanks Feite,

I've added the rule that you mentioned. I also set up a WinXP box with UPnP enabled, but still it doesn't work. Our client sent us a copy of the log files of our test connection. Based on the log files, we were able to connect to their server using our gateway IP via NAT, but when we tried to initiate a call, it shows a private IP 192.168.x.x. According to their IT personnel, the problem lies in our firewall (Kerio). It needs to be properly configured to provide SIP and NAT traversal.

Since you only need to install their client application (there is no hardware involved), anyone who has an internet connection and a subscription to their service can use their product.

I really like Kerio but my boss is slowly losing hope.
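
The symptom in the post above (registration works through NAT, but call setup carries a 192.168.x.x address) can be confirmed from a captured SIP message: if the SDP `c=` line names a private address, the far end sends RTP somewhere unroutable and the call is silent. This is an added example, not part of the original post or any Kerio code; the INVITE is constructed and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: INVITE as sent by a SIP client at 192.168.1.20 behind NAT.
SAMPLE_INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:alice@example.com>;tag=1928301774\r\n"
    "To: <sip:bob@example.com>\r\n"
    "Call-ID: a84b4c76e66710@192.168.1.20\r\n"
    "CSeq: 1 INVITE\r\n"
    "Contact: <sip:alice@192.168.1.20:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.168.1.20\r\n"
    "s=-\r\n"
    "c=IN IP4 192.168.1.20\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
)

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

def private_address_leaks(message):
    """Return (section, field, address) for every RFC 1918 address that
    survived NAT inside the SIP headers ('sip') or the SDP body ('sdp')."""
    head, _, body = message.partition("\r\n\r\n")
    findings = []
    # SIP headers are "Name: value" (request line skipped); SDP lines are "k=value".
    for section, lines, sep in (("sip", head.split("\r\n")[1:], ":"),
                                ("sdp", body.split("\r\n"), "=")):
        for line in lines:
            field, _, value = line.partition(sep)
            for addr in IPV4.findall(value):
                try:
                    ip = ipaddress.ip_address(addr)
                except ValueError:
                    continue  # dotted number that is not a valid address
                if any(ip in net for net in RFC1918):
                    findings.append((section, field.strip(), addr))
    return findings

def media_unreachable(message):
    """True when the SDP connection line (c=) advertises a private address,
    which is where the remote party will try to send its RTP audio."""
    return any(s == "sdp" and f == "c" for s, f, _ in private_address_leaks(message))
```

A firewall that only rewrites the IP header leaves all five of these payload addresses untouched; a SIP-aware NAT has to rewrite at least Contact and the SDP `c=` line and open the matching RTP port.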
  •  
feite

I tested KWF 6.0.4 with some UPnP test tools (Intel or http://noeld.com/programs.asp?cat=dstools). Neither shows KWF as a UPnP device. Maybe KWF is not fully UPnP?
  •  
henrysbox

Thanks again Feite,

I've tested the program from the link that you posted and got the same results. Maybe it requires other hardware that is truly a UPnP enabled device to make it pass through. It's getting more complicated and out of scope, so we're dropping the option of using UPnP, ironic huh. Anyway, who cares, I don't want to use UPnP anyway. So we're back discussing the NAT traversal thing.

Oh, by the way, nice site you've found.

Rolling Eyes
  •  
henrysbox

Kerio team,

I don't get it. Why does KWF support such protocols (H.323 and SIP) if it cannot translate (NAT traversal) the voice packets properly? Why is it that NAT traversal is limited only to IPsec?

Voice packets are discarded when they pass through the firewall. See the warning message:
"Warning (2004): Unable to resolve IP address of destination NAT Dropping packets by traffic rule ..."

Please, moderator, enlighten me: is there another way to do this without using IPsec or VPN? Currently we think that KWF focuses on nothing other than basic NAT, and other features like NAT traversal and PAT (port address translation) are not fully supported (at all). Hope you have plans to have this feature available in your future release. I'm sure many KWF users will soon realize that they need this kind of functionality.


Confused
  •  
tomcat

Hi, I have the same problem, and I have been trying for more than 24h to solve it.
My results are that there must be some bug in KWF 6.0.4. I have tried it very often and sometimes it works, but if I restart KWF without changing anything it fails again. It's like a random number generator :-/
And 2 times KWF crashed when using SIP :-(
I tested KWF on Windows 2003 Server and Windows XP --> the problems are the same :-(


PS: please excuse my bad English

[Updated on: Sun, 19 September 2004 03:36]
