From: Filip Řezáč
Subject: [Linphone-developers] Linphone desktop 5.2.1 DTLS-SRTP VPN IP problem
Date: Mon, 4 Mar 2024 22:08:15 +0100
User-agent: Mozilla Thunderbird
Hello guys,
my name is Filip Rezac and I am from VSB Technical University of Ostrava, Czech Republic.
We are dealing with a development project where we encountered a possible problem in the implementation of the Linphone SW client.
The situation is as follows:
- we have two networks each containing a Kamailio SIP server, when these networks are transparent to each other and the SIP servers are interconnected by a SIP trunk.
- the SW desktop client Linphone in version 5.2.1 with SIP account 103 is registered on the kamailio.osk1.lab SIP server with IP: 10.10.0.190, where the client has a physical IP address of 192.168.30.27 and the desktop also runs an OVPN tunnel to the OSK1 network, which assigns the IP address 10.11.0.2.
- the HW phone Innovaphone IP112A with SIP account 302 is registered on the second SIP server kamailio.osk3.lab with IP: 10.3.1.190, when the phone is directly connected via Ethernet to the infrastructure and has IP 10.10.0.151.
- SIP over TLS security is set on both SIP clients (switched to SIP over UDP for debugging) and the media goes directly between the clients secured by the DTLS-SRTP method.
- the whole topology is shown below:
- THE PROBLEM is as follows:
- if I make a call from the SW client Linphone (account 103) to the HW phone Innovaphone (account 302), signaling goes through without problems, the call is established properly and the media is secured by SRTP.
- however, if I make a call from the Innovaphone HW phone (account 302) to the Linphone SW client (account 103), the signaling goes through without any problems, but a DTLS session error occurs when setting up the call and the call ends within about 5 seconds.
- signaling debug revealed that if the caller is a Linphone SW client (account 103), the client's VPN IP address is correctly indicated in the Message body of the INVITE message at line c of the SDP: 10.11.0.2, see printscreen below:
- but if the caller is an Innovaphone HW phone (account 302), then in the 200 OK response, the physical IP address is incorrectly stated in the SDP line c: 192.168.30.27 instead of the VPN IP address (10.11.0.2), see printscreen below:
- in our opinion, this causes a subsequent error in the DTLS handshake and as a result the call drops.
- the interesting thing about the whole thing is that if we simulate the same situation, but both clients are connected to one Kamailio SIP server (there is no SIP trunk), then calls go through from both sides without problems even if the Linphone SW client is connected via OVPN tunnel.
- also, if we turn off encryption of the media and the calls run through pure RTP, calls go through without problems even within the SIP trunk.
- we also tried changing various settings on Linphone, unfortunately without success: turning off IPv6 support, or setting a STUN server and enabling the ICE protocol.
- You can find the captured .pcap in the attachment, which contains both calls: first a working call from the SW client Linphone (account 103) to the HW phone Innovaphone (account 302) and then the second non-functioning call from the HW phone Innovaphone (account 302) to the SW client Linphone (account 103).
I understand that this is a rather unique situation, but it is very important for us that the call goes with DTLS-SRTP media encryption on both sides when using these clients, when the success of the entire development project depends on it.
I am therefore asking for your help and I will be fully available in case of questions or comments.
Thank You very much,
best regards,
Filip Řezáč
linphone_wrong_ip.pcap
Description: Binary data
smime.p7s
Description: S/MIME electronic signature
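
A small check for the symptom described in the message above, added here as an example (it is not part of the original post and is not Linphone code): it extracts the effective connection address of each media section from an SDP body and flags any that differ from the expected VPN address. The SDP bodies are constructed; only the two `c=` addresses are taken from the report, and the function names are hypothetical.

```python
import ipaddress

# Constructed SDP bodies: only the two c= addresses come from the report;
# ports, codecs, o=/s= values and the fingerprint placeholder are made up.
OFFER_103 = """v=0
o=103 1 1 IN IP4 10.11.0.2
s=call
c=IN IP4 10.11.0.2
t=0 0
m=audio 7078 UDP/TLS/RTP/SAVP 0 8
a=setup:actpass
a=fingerprint:sha-256 PLACEHOLDER
"""
ANSWER_103 = OFFER_103.replace("10.11.0.2", "192.168.30.27").replace("actpass", "active")


def media_addresses(sdp):
    """Return (kind, port, proto, address) per m= section; media-level c= wins."""
    session_addr, media = None, []
    for line in sdp.splitlines():
        key, _, value = line.strip().partition("=")
        if key == "m":
            kind, port, proto = value.split()[:3]
            media.append([kind, int(port.split("/")[0]), proto, None])
        elif key == "c":
            parts = value.split()  # "<nettype> <addrtype> <address>[/ttl]"
            if len(parts) != 3:
                continue  # malformed c= line, ignore it
            addr = parts[2].split("/")[0]
            if media:
                media[-1][3] = addr  # overrides the session-level address
            else:
                session_addr = addr
    return [(k, p, pr, a or session_addr) for k, p, pr, a in media]


def unexpected_media(sdp, expected_ip):
    """List media sections whose connection address is not expected_ip."""
    expected = ipaddress.ip_address(expected_ip)
    bad = []
    for entry in media_addresses(sdp):
        try:
            ok = ipaddress.ip_address(entry[3]) == expected
        except (TypeError, ValueError):  # missing c= line or a hostname
            ok = False
        if not ok:
            bad.append(entry)
    return bad
```

Run over the SDP bodies exported from a capture, `unexpected_media(body, "10.11.0.2")` returns an empty list for the working direction and the offending media section for the 200 OK that carries the physical address.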