SIP NAT TraversalPosted on: 2014-09-01 | Categories: Business VoIP VoIP VoIP Services VoIP Technology
In an ideal world all devices on the Internet would be able to communicate directly (roll out of IPv6 promises to make this possible with almost unlimited addressing space). However as of today most of us still use good old IPv4 which means all our private networks are behind NAT (Network Address Translation) device.
To help network administrators configure their NAT equipment to allow SIP phones (or softphones) to communicate with VoIPstudio network (SIP proxy servers and RTP media gateways), below you can find call flow diagrams showing network addresses and ports involved. In diagrams below green lines indicate SIP (Session Initiation Protocol) used for signalling (call set up and tear down), blue lines indicate RTP (Real-time Transport Protocol) which transmits audio streams during a call.
Once SIP phone is powered on it will attempt to register it’s location with VoIPstudio network. This is to allow routing of incoming calls to specific endpoints on the network. It also creates NAT binding which is than kept open thanks to periodic “keepalive” packets which are sent between SIP phone and VoIPstudio servers.
Figure 1. SIP NAT Traversal – REGISTER
- SIP phone sends REGISTER packet from it’s LAN IP address. Usually a default source port configured in most SIP phones is UDP 5060, however this can be any UDP port.
- SIP packet generated by the phone reaches NAT Router which rewrites source port (in our example to UDP 15723) and creates NAT binding LAN:192.168.1.9:UDP:5060 <-> WAN:126.96.36.199:UDP:15723
- REGISTER request reaches VoIPstudio SIP server on public IP address UDP port 5060.
- VoIPstudio SIP server responds with “401 Unauthorized” message asking SIP phone to send REGISTER request once more with user credentials and sends it back to NAT device at WAN:188.8.131.52:UDP:15723.
- NAT device based on information in NAT bindings table forwards SIP packet to the phone at LAN:192.168.1.9:UDP:5060
- SIP phones resends REGISTER packet along with user credentials and VoIPstudio registrar server stores terminal location as WAN:184.108.40.206:UDP:15723
Note: there can be more than one SIP phone on Private LAN, as NAT Router will create a unique random WAN_IP:port binding for each device as shown (2) in Figure 1 above.
Normally NAT device would close NAT binding created in step (2) Figure 1 above after a short period of inactivity (usually 60 – 900 seconds depending on the device). This would make impossible for VoIPstudio servers to reach phone and alert it on incoming calls. To keep NAT binding open, we use SIP Keepalive technique, which sends SIP OPTIONS packet (which has no function other than make the SIP phone reply to it with SIP OK) every 30 seconds.
Figure 2. SIP NAT Traversal – Keepalive
- SIP OPTIONS packet sent from public IP address of VoIPstudio server UDP port 5060 (same PublicIP:UDP_port as previously used for registration) to NAT Router PublicIP:UDP:port stored during registration.
- Phone responds with SIP OK which refreshes NAT binding LAN:192.168.1.9:UDP:5060 <-> WAN:220.127.116.11:UDP:15723 and keeps it open for future communication.
When making an outbound call SIP phone will send SIP INVITE packet to VoIPstudio server which is challenged for user credentials and re-sent. After successful authentication VoIPstudio server responds with SIP OK packet that includes information about RTP (media) server public IP and UDP port number where phone should send it’s audio stream.
Figure 3. SIP NAT Traversal – Outbound Call
- SIP phone sends INVITE packet to SIP server which is challenged for credentials.
- After successful authentication SIP server responds with SIP OK and provides public IP address and port number (in our example above 18.104.22.168 port 12321) of media (audio) server where SIP phone should send it’s audio stream.
- SIP phone starts sending RTP audio data from pre-configured UDP port (5685 in our example above).
- NAT Router rewrites UDP port 5685 to a random UDP port (23589 in our example above) and creates NAT binding.
- Media server starts sending audio stream to NAT Router public IP address and source UDP port 23589. NAT Router device based on information in NAT bindings table forwards RTP audio packets to the phone at LAN:192.168.1.9:UDP:5685.
When routing an inbound call VoIPstudio SIP server uses terminal location (public IP address and port number) information stored during Registration process shown in Figure 1 above.
Figure 4. SIP NAT Traversal – Inbound Call
- VoIPstudio SIP server sends INVITE packet to NAT Router which using it’s NAT binding table forwards it to SIP phone. It includes information about RTP (audio) server public IP address and port number (in our example above 22.214.171.124 port 16232) where phone should send it’s RTP audio stream.
- Phone responds with SIP OK which includes information about port number where VoIPstudio media (RTP) server should send it’s audio streams.
- Media (RTP) server starts sending audio to NAT Router public IP address UDP port 5685. This packets however initially fail to reach the phone, as there is no NAT binding yet.
- SIP phone starts sending audio from pre-configured UDP port 5685.
- NAT Router rewrites UDP port 5685 to a random UDP port (27483 in our example above) and creates NAT binding.
- Media server switches destination port to the one assigned by NAT Router device and audio RTP audio starts flowing in both directions.
Note: time between steps 3 and 6 described above is between 20-50ms, therefore there is no noticeable silence at the beginning of the call.
Most modern NAT Routers and SIP phones will work as presented in above diagrams “out of the box”. However if you notice problems with inbound calls, one way audio or other unusual behaviour, please make sure your equipment is configured as below:
VoIPstudio Interoperability Requirements
- It needs to allow outbound traffic to destinations with UDP port 5060 (SIP) and UDP ports 10000-2000 (RTP). Most firewalls will block inbound traffic only. However if your device also blocks outbound connections, you may need to adjust it’s configuration.
- It needs to create NAT binding for a period no shorter than 30 seconds (interval of SIP keepalive packets).
- Needs to use symteric SIP signalling and RTP streams. That is it must send and receive data on the same port number. Luckily most modern SIP phones by defaul use this method of communication.