[Kamailio-Users] two UACs behind same NAT

Daniel-Constantin Mierla miconda at gmail.com
Mon May 11 10:04:49 CEST 2009



On 05/04/2009 11:43 PM, Iñaki Baz Castillo wrote:
> On Monday, 4 May 2009, Dubravko Caric wrote:
>   
>>> There is a really easy way to detect if a router is performing SIP ALG:
>>> - Configure your UA in the LAN with *no* STUN/ICE, just private IP.
>>> - Capture an INVITE/REGISTER from that UA in the proxy (in the public
>>> network).
>>> - Check if "Via" and/or "Contact" headers contain the router
>>> public IP instead of the UA private IP.
>>> - If so, you are behind a *fucking* router with SIP ALG enabled.
>>>       
>> I did everything as you described and I can confirm that this router has
>> SIP ALG enabled.
>>     
>
> Bad luck then... :(
> SIP ALG is the worst enemy for SIP.
>   
workarounds could be:
- run sip server also on a different port than 5060 (say 5070) -
  kamailio is just fine doing it. Point the users behind such ALGs to this
  port. Still alg can detect it, but most of them do the detection by port
  5060
- use TCP if the phone supports it - most of algs do not touch TCP
  connections, but ...
- use TLS if the phone supports it - safest - the alg cannot touch it
- recommended - send back the router and ask for money return

Cheers,
Daniel

>
>   
>>> If you can disable it (by web, telnet...) please add that information
>>> to the wiki page:
>>>  http://www.voip-info.org/wiki/view/Routers+SIP+ALG
>>> (or send it to me directly and I'll add it).
>>>       
>> there is no way to change this (turn ON/OFF) because there is no such
>> option in the web interface of the router.
>>     
>
> Have you tried via telnet? Most of the commercial routers don't show the SIP
> ALG option in the web interface, but via telnet.
>
>
>
>   
>> what i will try to do (over this
>> weekend) is to load DD-WRT firmware (which isn't Linksys firmware) and if
>> this goes well I'll put this solution on wiki.
>>
>>     
>
>   
>> I checked this closely once more and I was wrong (I had too many traces
>> open) :( what really happens is that UAC sends "OK" with right port in
>> Contact header towards the router but the router is the one that changes
>> this port to "0" and sends this malformed message to the proxy.
>>     
>
> Yes, setting a "cool" port (as 0) is a common "feature" in SIP ALG enabled 
> routers. It's also very common to see ports like 12333453 (yes, greater than 
> 2^16).
>
>
>
>   
>> Thanks once more
>>     
>
> Please, add any information you get to disable SIP ALG in this router to the
> Wiki I suggested. Also, you can add information about the issues you had due 
> to this SIP ALG router. Really thanks for it. :)
>
>
>
>   

-- 
Daniel-Constantin Mierla
http://www.asipto.com/
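
Added example, not part of the original thread: the detection check quoted above (public IP in "Via"/"Contact" where only a private IP could be, plus the port 0 / port above 2^16 symptom) applied to a request captured on the proxy. The function name, the sample message and all addresses are constructed; it assumes IPv4 literals and a UA with no STUN/ICE.

```python
import ipaddress
import re

# Constructed capture: REGISTER as seen on the proxy, arriving from 203.0.113.7.
# The UA (assumed 192.168.1.50) uses no STUN/ICE, so it only knows its private IP.
SAMPLE = "\r\n".join([
    "REGISTER sip:proxy.example.org SIP/2.0",
    "Via: SIP/2.0/UDP 203.0.113.7:5060;branch=z9hG4bKconstructed",
    "From: <sip:alice@proxy.example.org>;tag=1",
    "To: <sip:alice@proxy.example.org>",
    "Call-ID: constructed-1@192.168.1.50",
    "CSeq: 1 REGISTER",
    "Contact: <sip:alice@203.0.113.7:0>",
    "Content-Length: 0",
    "", "",
])

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Host and optional port after "SIP/2.0/<transport> " (Via) or "sip:[user@]" (Contact).
HOSTPORT = re.compile(
    r"(?:SIP/2\.0/\w+\s+|sips?:(?:[^@>\s;]+@)?)([\w.\-]+)(?::(\d+))?", re.I)

def alg_findings(raw_msg, src_ip):
    """Return (header, value, reason) tuples that point at SIP ALG rewriting."""
    findings = []
    for line in raw_msg.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() not in ("via", "v", "contact", "m"):
            continue
        m = HOSTPORT.search(value)
        if not m:
            continue
        host, port = m.group(1), m.group(2)
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            ip = None                               # hostname: nothing to compare
        if ip is not None and host == src_ip and not any(ip in n for n in RFC1918):
            findings.append((name.strip(), host, "public source IP instead of private IP"))
        if port is not None and not 1 <= int(port) <= 65535:
            findings.append((name.strip(), port, "port outside 1-65535"))
    return findings
```
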



