Netscreen firewall VPN with Asterisk

Juniper/Netscreen firewalls with Asterisk

Juniper NetScreen Rule configurations

5.x has SIP predefined, I defined IAX like this:
set service "IAX2" protocol udp src-port 4569-4569 dst-port 4569-4569 timeout never

Juniper NetScreen VPN Configurations 3/7/2005

I got help from Netscreen.

A little bit about my setup. NS50 on the head end, NS5XT/XP/GT on the remote ends. All the Netscreens perform NAT. The NS50 is on a permanent public IP. The remote ends are on a mix of permanent public IPs, and cable modems behind NAT, so NAT traversal was required. All the NetScreen are on resonably recent ScreenOS 5.something (didn't have the problem with ScreenOS 4 - thanks Netscreen?). I'm evaluating all this using Asterisk Stable 1.0.5. Because we use microsoft products I always have to 'set flow tcp-mss' and 'set flow path-mtu' to get Outlook working.

Changes I had to make:
All the physical interfaces need to have their bandwidth set to something other than 0, preferably same as physical interface speed. I had to remove ALL QOS settings from every policy on the 5XT/XP/GT. On Juniper's recommendation I moved all the VOIP-enabled VPN's to route-based from policy-based.

Policy Settings:
Finally, I needed four policies per device for each bi-directional tunnel (two policies for each direction). One policy is the general VPN policy, allow all, etc. The second policy is set to ignore service SIP - their predefined SIP works just fine.

This seems to be key to getting this all going:
set policy id 10051 from "Untrust" to "Trust" "Remote_addr" "local_addr" "SIP" permit log
set policy id 10051 application "IGNORE"

I think I also had to bump up some screening settings about flooding but I'm not certain now if those were necessary, watch your logs.

Notes:
It was a bear to get it going the first time. I would watch the asterisk console while I made a call to a meetme over the VPN. I would see the call setup occur and the phone would join the meetme but there would be no audio.

Now calls over the VPN work pretty well, occasionally the phones disconnect from the server momentarily from bandwidth lag.

I'm not sure the QOS settings I had in place on the NS50 needed to be removed, but you might want to remove them and add them back after VOIP worked.

Phones that have been tested to work:


Juniper/Netscreen firewalls with Asterisk

Juniper NetScreen Rule configurations

5.x has SIP predefined, I defined IAX like this:
set service "IAX2" protocol udp src-port 4569-4569 dst-port 4569-4569 timeout never

Juniper NetScreen VPN Configurations 3/7/2005

I got help from Netscreen.

A little bit about my setup. NS50 on the head end, NS5XT/XP/GT on the remote ends. All the Netscreens perform NAT. The NS50 is on a permanent public IP. The remote ends are on a mix of permanent public IPs, and cable modems behind NAT, so NAT traversal was required. All the NetScreen are on resonably recent ScreenOS 5.something (didn't have the problem with ScreenOS 4 - thanks Netscreen?). I'm evaluating all this using Asterisk Stable 1.0.5. Because we use microsoft products I always have to 'set flow tcp-mss' and 'set flow path-mtu' to get Outlook working.

Changes I had to make:
All the physical interfaces need to have their bandwidth set to something other than 0, preferably same as physical interface speed. I had to remove ALL QOS settings from every policy on the 5XT/XP/GT. On Juniper's recommendation I moved all the VOIP-enabled VPN's to route-based from policy-based.

Policy Settings:
Finally, I needed four policies per device for each bi-directional tunnel (two policies for each direction). One policy is the general VPN policy, allow all, etc. The second policy is set to ignore service SIP - their predefined SIP works just fine.

This seems to be key to getting this all going:
set policy id 10051 from "Untrust" to "Trust" "Remote_addr" "local_addr" "SIP" permit log
set policy id 10051 application "IGNORE"

I think I also had to bump up some screening settings about flooding but I'm not certain now if those were necessary, watch your logs.

Notes:
It was a bear to get it going the first time. I would watch the asterisk console while I made a call to a meetme over the VPN. I would see the call setup occur and the phone would join the meetme but there would be no audio.

Now calls over the VPN work pretty well, occasionally the phones disconnect from the server momentarily from bandwidth lag.

I'm not sure the QOS settings I had in place on the NS50 needed to be removed, but you might want to remove them and add them back after VOIP worked.

Phones that have been tested to work:


Created by: smithnc, Last modification: Wed 23 of May, 2012 (18:22 UTC) by admin
Please update this page with new information, just login and click on the "Edit" or "Discussion" tab. Get a free login here: Register Thanks! - Find us on Google+