Freeswitch over NETMAPped VPN

I’ve made a configuration with Freeswitch and a VPN connection that could help others, so I'm posting it here. The network configuration is: two local networks (both 192.168.0.0/24), each with its own gateway. The two gateways are connected through a PPTP VPN, and use NETMAP to map from their local 192.168.0.0/24 to the VPN addresses 172.16.X.0/24 (and vice versa), X being different for the two local networks of course. This way the Freeswitch network is accessible via 172.16.1.0/24 and the other network (with the phone on it) is accessible via 172.16.2.0/24. A little schematic to make it clear:

   172.16.2.0/24 — 172.16.2.1 (gateway) 192.168.0.1 — 192.168.0.2 (phone)
   (VPN)
   172.16.1.0/24 — 172.16.1.1 (gateway) 192.168.0.1 — 192.168.0.5 (Freeswitch)

In this configuration, the phone can be reached either locally at 192.168.0.2 or from both networks at 172.16.2.2 (thanks to the NETMAP rules). In the same way, Freeswitch has the local IP 192.168.0.5 but can also be reached via its VPN address, 172.16.1.5.

The main difficulties were: 1) making the phone and Freeswitch use the VPN addresses instead of the “probed” local ones, and 2) getting the phone recognized as an internal member, and as such a “default plan” user (and not just a “public plan” user, as external members are).

We have several things to do in order to make all this work. First we’ll deal with Freeswitch.

Make Freeswitch use its VPN address instead of the local one: conf/sip_profiles/internal.xml:
<param name="ext-rtp-ip" value="172.16.1.5"/>
<param name="ext-sip-ip" value="172.16.1.5"/>

Add the phone’s user into the directory: conf/directory/default/100X.xml:
<user id="100X" cidr="172.16.2.2/32">
(The X must be replaced, of course. The cidr parameter is very important: it is what places the user in the “internal” zone, and as such makes it capable of calling outside. Note: the cidr should be /32, because if you specify a wider range, every user in that range will place calls with the 100X caller ID instead of their own.)
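The /32 caveat can be checked mechanically. The following is an added example, not part of the original post: a simplified model of the 1:1 NETMAP translation and of cidr matching by source address, which flags directory users whose cidr covers more than one host. The sample directory XML, the user ids and the function names are constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample directory (ids and layout are illustrative, not from the post).
SAMPLE_DIRECTORY = """
<include>
  <user id="1001" cidr="172.16.2.2/32"/>
  <user id="1002" cidr="172.16.2.0/24"/>
  <user id="1003"/>
</include>
"""

def netmap(addr, from_net, to_net):
    """1:1 NETMAP translation: keep the host part, swap the network prefix."""
    src, dst = ipaddress.ip_network(from_net), ipaddress.ip_network(to_net)
    ip = ipaddress.ip_address(addr)
    if ip not in src or src.prefixlen != dst.prefixlen:
        raise ValueError(f"cannot map {addr} from {src} to {dst}")
    return str(dst.network_address + (int(ip) - int(src.network_address)))

def cidr_users(xml_text):
    """Yield (user id, network) for every directory user that carries a cidr."""
    for user in ET.fromstring(xml_text).iter("user"):
        if user.get("cidr"):
            yield user.get("id"), ipaddress.ip_network(user.get("cidr"), strict=False)

def too_wide(xml_text):
    """Users whose cidr covers more than one host (anything wider than /32)."""
    return {uid: str(net) for uid, net in cidr_users(xml_text) if net.num_addresses > 1}

def users_accepting(xml_text, source_ip):
    """User ids whose cidr contains source_ip, i.e. who that host could call as."""
    ip = ipaddress.ip_address(source_ip)
    return [uid for uid, net in cidr_users(xml_text) if ip in net]

if __name__ == "__main__":
    phone_vpn = netmap("192.168.0.2", "192.168.0.0/24", "172.16.2.0/24")
    print("phone as seen by Freeswitch:", phone_vpn)
    print("users accepting the phone:", users_accepting(SAMPLE_DIRECTORY, phone_vpn))
    print("users accepting another host:", users_accepting(SAMPLE_DIRECTORY, "172.16.2.9"))
    print("cidr entries wider than /32:", too_wide(SAMPLE_DIRECTORY))
```

Any user reported by too_wide() is matched by every host in its range, which is the situation the note above says to avoid.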

Restart Freeswitch, then move on to the phone:

First, we have to make sure the DNS used by the phone returns Freeswitch’s VPN address when we look up the domain.

$ ping sip.myfreeswitch.com
PING sip.myfreeswitch.com (172.16.1.5): 56 data bytes
...

If it’s not, you’ll have to update the DNS configuration until it gives the correct answer. Don’t use the /etc/hosts file to do that, because DNS doesn’t use that file.

With that, we’re sure to be able to use the “sip.myfreeswitch.com” domain and reach the Freeswitch server using the VPN.

Then, just set up the phone as you normally would. There are some important options to set. For example, on a PAP2T:
– EXT IP: 172.16.2.1 (you have to give the VPN address here, so that Freeswitch can communicate with it).
– NAT Mapping Enable: yes
– NAT Keep Alive Enable: yes

Now make the phone register and try calling… it should work 🙂 If not, run tcpdump on both sides (Freeswitch and phone) and also have a look at the Freeswitch logs.
