Newport Networks Session Border Controller



White Paper - IPsec in VoIP Networks

The Problem with IPsec and NATs

Most NAT devices are used to provide a mapping of many devices on a private network onto a single public IP address. They do this by mapping ports as well as IP addresses, which means they alter the contents of the transport layer protocol, i.e. UDP or TCP. When a NAPT device encounters an IPsec ESP packet it no longer has access to the transport layer ports and will usually revert to NAT-only operation.

If there is only one IPsec device behind the NAT this is not a problem, since the NAT will simply translate the private IP address to the public IP address. This enables the single device to communicate through the NAT to the far end.

VoIP over IPsec

However, there is a problem where there are multiple IPsec sources behind a NAPT communicating with a single server. For example, several VoIP phones located on a business network talking to the same SIP server in the hosting Service Provider's network.

As we have seen, IPsec encapsulates and obscures the transport layer port information which the NAPT needs to create unique bindings between source IP address and port and destination IP address and port. This behaviour is more correctly termed symmetric Network Address and Port Translator, and is by far the most widely used NAPT mechanism in access networks.

NAPT operation with IPsec

Presented with a number of IPsec streams heading out to the same destination, "VPN compatible NAPTs" change to NAT mode, thus they create a many-to-one relationship in the bindings. So, if two IPsec phones are trying to access the same server from behind the same NAPT, there is no way for the returning traffic to be steered via the appropriate binding to the correct phone.

In practice most NAPT products with a "VPN compatibility" mode use the binding created by the last outbound packet as the destination for inbound packets. Thus, one user will receive all the signalling.
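The following simulation is an added illustration and is not code from the Newport Networks paper. It models a symmetric NAPT that keeps one binding per (source IP, source port, destination IP, destination port) for UDP, but, because ESP hides the transport header, falls back to NAT-only operation for IPsec and lets the most recent outbound packet overwrite the single binding. All addresses are constructed from the RFC 5737 documentation ranges, and the phone, server and NAPT names are assumptions for the example.

```python
# Added teaching example (not Newport Networks code): a minimal simulation of a
# symmetric NAPT forwarding UDP versus IPsec ESP packets. Addresses are
# constructed from the RFC 5737 documentation ranges. The ESP path models the
# "VPN compatibility" mode described above: NAT-only, last outbound binding wins.
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

PUBLIC_IP = "203.0.113.10"                      # assumed public side of the NAPT
SERVER_IP = "198.51.100.5"                      # assumed SIP server in the provider network
PHONE_A, PHONE_B = "192.168.1.10", "192.168.1.11"  # two phones behind the same NAPT


@dataclass(frozen=True)
class Packet:
    proto: str                      # "UDP" or "ESP"
    src_ip: str
    dst_ip: str
    src_port: Optional[int] = None  # ESP encapsulates the transport header,
    dst_port: Optional[int] = None  # so these are None for ESP packets
    payload: str = ""


class SymmetricNAPT:
    """Port-translating NAT for UDP; NAT-only fallback for ESP."""

    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        # (priv_ip, priv_port, dst_ip, dst_port) -> public port. One binding per
        # 4-tuple is what makes the translator "symmetric".
        self.udp_bindings: Dict[Tuple[str, int, str, int], int] = {}
        # dst_ip -> private IP of the LAST inside host that sent ESP to that peer.
        self.esp_binding: Dict[str, str] = {}

    def outbound(self, pkt: Packet) -> Packet:
        if pkt.proto == "UDP":
            key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
            if key not in self.udp_bindings:
                self.udp_bindings[key] = self.next_port
                self.next_port += 1
            return replace(pkt, src_ip=self.public_ip, src_port=self.udp_bindings[key])
        if pkt.proto == "ESP":
            # No ports are visible, so only the IP address can be translated:
            # every inside host collapses onto one binding and the newest wins.
            self.esp_binding[pkt.dst_ip] = pkt.src_ip
            return replace(pkt, src_ip=self.public_ip)
        raise ValueError(f"unsupported protocol {pkt.proto}")

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Return the packet as delivered on the private side, or None if dropped."""
        if pkt.proto == "UDP":
            for (priv_ip, priv_port, dst_ip, dst_port), pub_port in self.udp_bindings.items():
                if (pkt.src_ip, pkt.src_port, pkt.dst_port) == (dst_ip, dst_port, pub_port):
                    return replace(pkt, dst_ip=priv_ip, dst_port=priv_port)
            return None
        if pkt.proto == "ESP":
            inside = self.esp_binding.get(pkt.src_ip)
            return None if inside is None else replace(pkt, dst_ip=inside)
        raise ValueError(f"unsupported protocol {pkt.proto}")


def run_scenario(proto: str) -> Dict[str, List[str]]:
    """Both phones register with the same server first; then the server answers each.
    Returns, per phone, the list of reply payloads that actually reached it."""
    napt = SymmetricNAPT(PUBLIC_IP)
    received: Dict[str, List[str]] = {PHONE_A: [], PHONE_B: []}
    replies: List[Packet] = []
    for phone in (PHONE_A, PHONE_B):
        port = 5060 if proto == "UDP" else None
        out = napt.outbound(Packet(proto, phone, SERVER_IP, port, port, f"REGISTER from {phone}"))
        # The server answers whatever source address/port it saw on the public side.
        replies.append(Packet(proto, SERVER_IP, out.src_ip, out.dst_port, out.src_port,
                              f"200 OK for {phone}"))
    for reply in replies:
        delivered = napt.inbound(reply)
        if delivered is not None:
            received[delivered.dst_ip].append(delivered.payload)
    return received


if __name__ == "__main__":
    print("UDP:", run_scenario("UDP"))  # each phone gets its own reply
    print("ESP:", run_scenario("ESP"))  # both replies land on the last phone to transmit
```

With UDP the two registrations get distinct public ports (40000 and 40001), so each reply is steered back to the right phone. With ESP the NAPT has nothing but the destination address to key on, so after both phones have sent, every inbound packet from the server is delivered to the last phone that transmitted and the other phone receives nothing, which is exactly the many-to-one collapse described above.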





Page 2 of 3

