Folks,
please help me -- share with me techniques for NAT traversal you use and have hands-on experience with. People repeatedly ask about it, and I'd like to create an FAQ that reflects deployment experience and as wide user feed-back as possible. Just tell me the technique you use, its requirements, limitations, the devices it is known (not) to work with, why you prefer one method over the other, etc. I'll then try to compile it in an FAQ.
So please send me an e-mail, an example is attached. I will appreciate any practical details.
Thank you,
-Jiri
---------------------------------------------------------------- technique: using symmetric communication requirements: phone devices that support symmetric communication; existing species: Cisco's ATA configuration practice: ATAs need to be configured to advertise public address in signaling, or learn it from REGISTER replies; alternatively, one can rewrite signaling using ser's nethelper module; one needs to rewrite SIP anyway because ATAs don't advertise their symmetricity; see www.foo.bar for info on configuring ATA... limitations: non-symmetric devices, like Messenger don't work; misc: ATA has no display, that's why I am anxiously waiting for more vendors to support symmetric signaling
---------------------------------------------------------------- technique: UPnP requirements: NATs and phones with UPnP support; Messenger and snom are known to support UPnP; there is linux support for it configuration practice: of course, upnp requires by definition no configuration ;-) (I'm not serious -- anyone actually tried it?) ---------------------------------------------------------------- technique: geek tweaks: set-up port forwading manually configuration practice: you need to configure NATs to split its public-side port numbers accross your private-side phones, and configure the phones (if they allows so) to use these port numbers; also, phones need to be configured to use publicly reachable address in their payloads requriements: configurable NATs (many residental NATs are configurable) and configurable phones (ATAs do that, I heard pingtel did it too) ---------------------------------------------------------------- technique: ALG requirements: SIP-capable NAT (like Intertex or Cisco/PIX) issues: intertex freezes my ssh connections after some time on-line and elderly models don't like all Ethernet devices; when things don't work, the red-button off-on helps sometimes ---------------------------------------------------------------- technique: STUN requirements: STUN-enabled phone (like k-phone, snom) limitations: doesn't work over symmetric NATs (words-of-mouth propaganda has been telling me that many residential NATs are fortunately not symmetric, but I don't know how objective this information really is) ----------------------------------------------------------------
-- Jiri Kuthan http://iptel.org/~jiri/
Jiri Kuthan writes:
technique: UPnP requirements: NATs and phones with UPnP support; Messenger and snom are known to support UPnP; there is linux support for it
but how many nat boxes support upnp? last time i looked at ms upnp page, the list was very short.
technique: ALG requirements: SIP-capable NAT (like Intertex or Cisco/PIX)
i like this one. cisco ios nat that is built in every cisco router now has sip alg. you must have very recent ios version though.
technique: STUN requirements: STUN-enabled phone (like k-phone, snom) limitations: doesn't work over symmetric NATs (words-of-mouth propaganda has been telling me that many residential NATs are fortunately not symmetric, but I don't know how objective this information really is)
we have tried kphone's stun in all mojor dsl providers in finland that nat their customers and haven't had problems with any. in some cases you have to run stund in your outbound proxy and not in some other ip address.
-- juha
Hi Juha,
On Saturday 25 January 2003 09:57, jh@lohi.eng.song.fi wrote:
technique: STUN requirements: STUN-enabled phone (like k-phone, snom) limitations: doesn't work over symmetric NATs (words-of-mouth propaganda has been telling me that many residential NATs are fortunately not symmetric, but I don't know how objective this information really is)
we have tried kphone's stun in all mojor dsl providers in finland that nat their customers and haven't had problems with any. in some cases you have to run stund in your outbound proxy and not in some other ip address.
but you never tested it with a Linux 2.4 NAT box, or? ;) I had the problem that kphone 2.11 sends out the request from a different port then its listening. So the request goes out with a random port and comes back on 5060, which is blocked by the linux NAT because the source IP of the SIP server and the STUN server differ (see below). Attached find a patch which fixes this for UDP. I didn't tryed to fix TCP because i can't test it.
BTW do you use an old STUN version in kphone and as your server? Because i wasn't able to get a response from our iptel.org STUN server. Only your wirlab STUN server responses to the kphone requests.
Greetings Nils Ohlmeier
Nils Ohlmeier writes:
BTW do you use an old STUN version in kphone and as your server? Because i wasn't able to get a response from our iptel.org STUN server. Only your wirlab STUN server responses to the kphone requests.
KPhone 3.01 now supports the latest stun version.
-- juha
I need a couple of the new features in CVS, so I thought I'd try to build it.
It build and installed, but complained of a missing reference: realm_column I changed modules/auth/checks.c to read: checks.c: keys[0] = domain_column; instead of realm_column and that fixed the load reference.
My script references the functions: addRecordRoute() and rewriteFromRoute()
I remember seeing something a few days ago about rewriteFromRoute() going away. I see these new functions: loose_route, strict_route and record_route.
In a nutshell, do I just lose the rewriteFromRoute() calls and add record_route(1) instead of addRecordRoute()?
thanks,
---greg Greg Fausak
I'm seeing this error:
0(30906) Warning: sl_send_reply: I won't send a reply for ACK!! 0(30906) ERROR: sl_reply_error used: Regretfuly, we were not able to process the URI (479/SL) 0(30906) TRACE:In route[3] 0(30906) ERROR: do_action: bad uri <sip:92143357976@216.87.144.203:5060 SIP/2.0 Via: SIP/2.0/UDP 216.87.145.26:5060 From: "August.Net Dallas" sip:4695461235@216.87.144.203;tag=c4943000a2f3d673090b2-3dbc5751 To: sip:2143357976@216.87.144.203;user=phone;tag=38980230-8C3 Call-ID: 003094c4-3d2f000e-090136b1-00386102@216.87.145.26 User-Agent: Cisco-SIP-IP-Phone/2 CSeq: 103 BYE Route: sip:92143357976@216.87.144.196:5060;user=phone Content-Length: 0 Authorization: Digest username="4695461235",realm="augustvoice.net",uri="sip:216.87.144.203",r esponse="2d8e38148a0c514b8a679368d3d68d49",nonce="3e5916a900000000017345 53a066af6285ae680a7f031ca4",algorithm=md5
Any ideas?
My call will connect for 8 seconds, then drop.
---greg Greg Fausak
At 07:43 PM 2/23/2003, Greg Fausak wrote:
I'm seeing this error:
0(30906) Warning: sl_send_reply: I won't send a reply for ACK!!
That tells, that you script is configured to reply ACKs somewhere. I can't tell more until I see the script.
0(30906) ERROR: sl_reply_error used: Regretfuly, we were not able to process the URI (479/SL) 0(30906) TRACE:In route[3] 0(30906) ERROR: do_action: bad uri
The request bellow is probably not the one which triggered the messages above -- it is not an ACK. Also, it is either incomplete or broken (see first line).
-Jiri
<sip:92143357976@216.87.144.203:5060 SIP/2.0 Via: SIP/2.0/UDP 216.87.145.26:5060 From: "August.Net Dallas" sip:4695461235@216.87.144.203;tag=c4943000a2f3d673090b2-3dbc5751 To: sip:2143357976@216.87.144.203;user=phone;tag=38980230-8C3 Call-ID: 003094c4-3d2f000e-090136b1-00386102@216.87.145.26 User-Agent: Cisco-SIP-IP-Phone/2 CSeq: 103 BYE Route: sip:92143357976@216.87.144.196:5060;user=phone Content-Length: 0 Authorization: Digest username="4695461235",realm="augustvoice.net",uri="sip:216.87.144.203",r esponse="2d8e38148a0c514b8a679368d3d68d49",nonce="3e5916a900000000017345 53a066af6285ae680a7f031ca4",algorithm=md5
Any ideas?
My call will connect for 8 seconds, then drop.
---greg Greg Fausak
Serusers mailing list serusers@lists.iptel.org http://lists.iptel.org/mailman/listinfo/serusers
-- Jiri Kuthan http://iptel.org/~jiri/
Warning: CVS status is still work in progress and has not been tested yet.
At 06:28 PM 2/23/2003, Greg Fausak wrote:
I need a couple of the new features in CVS, so I thought I'd try to build it.
It build and installed, but complained of a missing reference: realm_column I changed modules/auth/checks.c to read: checks.c: keys[0] = domain_column; instead of realm_column and that fixed the load reference.
It's fixed on CVS now, thanks.
My script references the functions: addRecordRoute() and rewriteFromRoute()
I remember seeing something a few days ago about rewriteFromRoute() going away. I see these new functions: loose_route, strict_route and record_route.
In a nutshell, do I just lose the rewriteFromRoute() calls and add record_route(1) instead of addRecordRoute()?
1) s/addRecordRoute/record_route(lr) 2) s/rewriteFromRoute/loose_route
#1 makes ser put loose record-routes in messages (lr=1), #2 makes it interpret loose routes.
-Jiri
-
Greg Fausak -
jh@lohi.eng.song.fi -
Jiri Kuthan -
Nils Ohlmeier