IP Softphone over Juniper SA SSL VPN

IP and Voice over IP

Post by splinkio »

I have a softphone on a laptop which works fine on the LAN. So I decided to try it out over an SSL VPN which we have for the company.

The way we use the VPN is via something called Network Connect. Those who are familiar with Juniper SSL VPN will know that this is an application which captures all traffic, encrypts it and sends it via a local loopback to go out to the VPN.

Now, the phone works - to an extent. I can connect, I can make calls, and people can make calls to me. The problem I have is that I don't hear anything from the person who is speaking locally attached to the PBX, but he can hear me fine. It is almost like the PBX cannot forward traffic to the VPN pool because of a) no route to it, or b) a firewall policy blocking it.

To troubleshoot these, I allowed any-all in both directions for the firewall policies and traced the route from the VPN to the PBX and back again, which appeared fine. So at this point I am a little bit lost.

The network setup is as follows (if this makes sense):


IPSOFTPHONE -> SSL -> FIREWALL -> JUNIPER SA 4500 -> VPN POOL -> FIREWALL -> LAN -> ROUTED CORE -> PBX


To begin with, this was not working at all, and the phone was not connecting. So I changed some policies on the 2nd firewall along the path to turn off NAT through the policy for the phone. It could then suddenly connect OK, and calls were able to be made.

I am thinking along the lines of there is something on the Juniper box which is not passing the traffic as a true LAN connection from the PBX to the SSL connection as it goes back to the client on the internet. Something like a transparent setting on the Juniper for this traffic to pass back correctly? Any hints would be a help.

Thank you.

Re: IP Softphone over Juniper SA SSL VPN

Post by splinkio »

And again I have resolved this :)

What I have realised is that Alcatel's documentation on this is just complete rubbish. The lack of resources and knowledge about this is terrible. If you are not a professional expert in all of these areas then you are stuffed and have no chance of this working. OK, it wasn't Alcatel-specific why this wasn't working, but a pointer from Alcatel might have made me troubleshoot it sooner.

The "problem" lies with the SA 4500 (or any juniper IVE) and the firewall which sits between the client on the net and the SA device.

By default, Network Connect connections through the Juniper SA use ESP mode (RFC 2406). This uses IPsec with AES/SHA1 or AES/MD5 on its payload; the transport is UDP on port 4500. Of course, if you have not opened that up on the firewall which the VPN tunnels through, it's not going to work.

So, the Juniper box also has another supported method for encapsulating this traffic called oNCP (optimized Network Communications Protocol), which is Juniper-specific. oNCP uses SSL with Rivest Cipher 4 (RC4-128) and, because it's SSL, it uses 443, which (duh) is already open through the firewall to allow the SSL VPN to establish anyway.

So, after setting oNCP as the fallback instead of using ESP for this VPN pool of users with softphones, it suddenly started working and everyone is happy, including me.

I cannot stress enough that Alcatel need to get some kind of document together which is available for everyone to explain EXACTLY how this works and, more importantly, WHY it works. There is no information available (from what I can see) from Alcatel to do with setting up a VPN and softphone configuration, how the transport works, and how the phone exchanges data with a client on the VPN. I would not be surprised if I called them up and they said "VPNs are not supported with IP Softphone", which would be their narrow-minded approach. Maybe one day they will realise that people are actually using them, and they are going to be losing out to other vendors if they don't get their act together.

If Frank reads this, and he wants me to put up a config document for the Juniper box for the IP Softphone which might make people understand how this works over a VPN, then I can do this.

Sorry just annoyed with Alcatel's attitude sometimes.
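Added example, not part of splinkio's post and not Juniper or Alcatel code: a small Python classifier that shows the two Network Connect transports described above on the wire and flags the one-way symptom from a capture. It assumes the RFC 3948 layout for UDP/4500 traffic (a 4-byte all-zero non-ESP marker in front of IKE, otherwise an ESP header of SPI plus sequence number, and a single 0xFF byte as NAT keepalive) and the TLS record header (content type 0x16 or 0x17, version byte 0x03) for the oNCP fallback on TCP/443. The addresses, ports and packet payloads are constructed for the example; the `Packet` class and all function names are this example's own.

```python
"""Classify Network Connect tunnel traffic: ESP over UDP/4500 vs oNCP over TLS/443.

Added example. Packet layouts follow RFC 3948 (UDP-encapsulated ESP/IKE) and the
TLS record header; all sample traffic below is constructed, not captured.
"""
import struct
from collections import Counter
from dataclasses import dataclass

ESP_UDP_PORT = 4500    # ESP-mode Network Connect (NAT-T port)
ONCP_TCP_PORT = 443    # oNCP fallback rides the SSL VPN port
TLS_RECORD_TYPES = {0x16: "tls-handshake", 0x17: "tls-appdata"}

# Constructed addresses (documentation ranges), not a real deployment.
CLIENT_IP = "192.0.2.10"
SA_IP = "198.51.100.5"


@dataclass(frozen=True)
class Packet:
    """Minimal view of one captured datagram or segment (example type)."""
    proto: str        # "udp" or "tcp"
    src: str
    src_port: int
    dst: str
    dst_port: int
    payload: bytes


def classify_udp4500(payload: bytes) -> str:
    """Decode the leading bytes of a UDP/4500 payload per RFC 3948."""
    if payload == b"\xff":
        return "nat-keepalive"                 # one-byte NAT-T keepalive
    if len(payload) >= 4 and payload[:4] == b"\x00\x00\x00\x00":
        return "ike"                           # non-ESP marker, IKE follows
    if len(payload) >= 8:
        spi, _seq = struct.unpack("!II", payload[:8])
        if spi != 0:
            return "esp"                       # ESP header: SPI, sequence number
    return "unknown-udp4500"


def classify(pkt: Packet) -> str:
    """Name the tunnel transport a packet belongs to, or 'other'."""
    if pkt.proto == "udp" and ESP_UDP_PORT in (pkt.src_port, pkt.dst_port):
        return classify_udp4500(pkt.payload)
    if pkt.proto == "tcp" and ONCP_TCP_PORT in (pkt.src_port, pkt.dst_port):
        p = pkt.payload
        if len(p) >= 5 and p[0] in TLS_RECORD_TYPES and p[1] == 0x03:
            return TLS_RECORD_TYPES[p[0]]
        return "unknown-tcp443"
    return "other"


def transport_report(packets, client_ip: str) -> dict:
    """Count tunnel packets by transport and direction relative to the client."""
    counts = Counter()
    for pkt in packets:
        kind = classify(pkt)
        direction = "out" if pkt.src == client_ip else "in"
        if kind == "esp":
            counts[f"esp-{direction}"] += 1
        elif kind.startswith("tls-"):
            counts[f"oncp-{direction}"] += 1
        else:
            counts[kind] += 1
    return dict(counts)


def diagnose(report: dict) -> str:
    """Outbound ESP with nothing coming back is the one-way signature from the post."""
    esp_out, esp_in = report.get("esp-out", 0), report.get("esp-in", 0)
    if esp_out and not esp_in:
        return ("ESP tunnel one-way: outbound ESP seen but none returns to the client; "
                "check UDP/4500 through the firewall or use the oNCP fallback")
    if esp_out and esp_in:
        return "ESP tunnel bidirectional"
    if report.get("oncp-out", 0) or report.get("oncp-in", 0):
        return "oNCP over TCP/443 in use"
    return "no tunnel traffic seen"


def esp_one_way_sample():
    """Constructed capture: IKE both ways, ESP only from the client, one keepalive."""
    ike = b"\x00\x00\x00\x00" + b"\x11" * 28
    esp = lambda seq: struct.pack("!II", 0xC0FFEE01, seq) + b"\xaa" * 32
    return [
        Packet("udp", CLIENT_IP, 4500, SA_IP, 4500, ike),
        Packet("udp", SA_IP, 4500, CLIENT_IP, 4500, ike),
        Packet("udp", CLIENT_IP, 4500, SA_IP, 4500, esp(1)),
        Packet("udp", CLIENT_IP, 4500, SA_IP, 4500, esp(2)),
        Packet("udp", CLIENT_IP, 4500, SA_IP, 4500, esp(3)),
        Packet("udp", CLIENT_IP, 4500, SA_IP, 4500, b"\xff"),
    ]


def oncp_sample():
    """Constructed capture: TLS handshake then application data on 443, both ways."""
    hello = b"\x16\x03\x01\x00\x05" + b"\x01\x00\x00\x01\x00"
    data = b"\x17\x03\x03\x00\x20" + b"\x5a" * 32
    return [
        Packet("tcp", CLIENT_IP, 51234, SA_IP, 443, hello),
        Packet("tcp", SA_IP, 443, CLIENT_IP, 51234, data),
        Packet("tcp", CLIENT_IP, 51234, SA_IP, 443, data),
    ]


if __name__ == "__main__":
    for sample in (esp_one_way_sample(), oncp_sample()):
        rep = transport_report(sample, CLIENT_IP)
        print(rep, "->", diagnose(rep))
```

On a real capture you would feed `Packet` objects built from a decoded pcap (tcpdump or a pcap library of your choice) taken on the client and, separately, on the SA's outside interface: ESP packets that leave the client but never appear on the SA side, or that leave the SA but never reach the client, point at the firewall rule the post describes rather than at the PBX.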