Solved

Asterisk, calls between 2 Asterisk boxes, authenticating by IP address only

Posted on 2010-01-09
Last Modified: 2013-12-21
Hello,
 
  I am trying to route calls from one Asterisk box to another, via IP address authentication only.  However, I keep getting 407 proxy authentication required messages in the sip debug, and the calls drop immediately with a 503 message.

Here is the setup.

I want Box A to route calls to Box B, and Box B to send the calls to my service provider:

Box A (LINUX3) 192.168.0.132:

SIP.CONF:

;peer to send calls through
[LINUX4]
type=peer
host=192.168.0.133
context=my_trunk
deny=0.0.0.0/0
permit=192.168.0.133
insecure=invite
sendrpid=yes
trustrpid=no
nat=no

; MY UA
[my_phone]
type=friend
username=myusername
secret=securepass
host=dynamic
context=my_trunk


EXTENSIONS.CONF:

[my_trunk]
;10 digit dialing prepend 1
exten => _NXXXXXXXXX,1,Dial(SIP/1${EXTEN}@LINUX4)


BOX 2 (LINUX4) 192.168.0.133

SIP.CONF:

[LINUX3]
type=peer
host=192.168.0.132
context=from_LINUX3
deny=0.0.0.0/0
permit=192.168.0.132
insecure=invite
sendrpid=yes
trustrpid=no
nat=no

EXTENSIONS.CONF:

[from_LINUX3]
exten => _NXXXXXXXXX,1,Dial(SIP/1${EXTEN}@my_service_provider)

exten => _1NXXXXXXXXX,1,Dial(SIP/${EXTEN}@my_service_provider)


I do not want to register the 2 boxes with each other via username and password, I want only IP authentication between the boxes.

Thanks for the help!



Question by:jkockler

Author Comment

by:jkockler
ID: 26274265
I solved this issue through adding the "fromuser=local-ip address" to the [LINUX4] peer entry on Box A.

Now the problem is getting the caller id to pass from the UA registered with Box A.  As of now the caller id is not being accepted on Box B as it is set in sip.conf on Box A.  I have to set the caller id for the [LINUX4] peer entry on Box A.  How can I get Box A to pass the caller id for its registered UA, to Box B?

Author Comment

by:jkockler
ID: 26274280
Correction, I have to set the callerid on Box B, for the [LINUX3] entry.  Wanted to clarify that.  How can I get the caller id to display, that is being passed, from the UA registered to Box A?

Author Comment

by:jkockler
ID: 26274297
It seems the "from user" entry on Box A, is setting the caller id to the ip address as set in "from user."  I think I should be able to send calls to Box B without the "fromuser" entry.  

Author Comment

by:jkockler
ID: 26274319
Got it!  .. Eliminated the "fromuser=localip" on Box A.  Then added fromuser=""  to the [LINUX3] entry on Box B .. Now the caller id being sent from Box A, is what is set for the UA, and Box B is using that caller id to pass the calls to the provider.  Excellent!

Author Comment

by:jkockler
ID: 26274339
Well now for some reason it is working with or without the fromuser= field.  Now the config is back to the way it was when I was getting the 407 proxy auth required messages, but instead now it is working fine with no 407 messages??  Very strange.  

Expert Comment

by:Steve
ID: 26275211
Any reason why you don't use IAX?

Author Comment

by:jkockler
ID: 26275662
Why would you suggest it?  Let's hear some pros and cons.

Expert Comment

by:Steve
ID: 26275738
IAX allows you to link your 2 x asterisk boxes and Trunk calls between them, not only one call but multiple calls simultaneously.. you can also route voice calls between them (eg. dialout on a handset on siteA but trunk it and use the siteB access ports for local dialout there) etc. etc.. you can then prefix all phones on both sites.. eg, dial 50xxx (xxx being local extension) of all handsets so all users can direct call every other handset..

with multiple asterisk boxes in different locations, it's much better.. just my 2c :)

Author Comment

by:jkockler
ID: 26275751
Should I not be able to make more than one call between asterisk boxes with SIP?  I just tested it and it seemed to work fine?

Accepted Solution

by:feptias
ID: 26277688
SIP is able to send multiple calls. IAX has advantages when the connection between the servers has to get through a NAT firewall because IAX only uses one port for signalling and audio streaming. IAX should also require a little less bandwidth than SIP when set to operate as a trunk and more than one call is active at the same time.

Regarding your original problem, is it possible that the Caller ID of the UA matched a user name on Box B? I had a problem like this only a couple of days ago:
UA ----> Asterisk A ----> Asterisk B
My UA had a caller ID of 4003. I had been testing various things and consequently had a "peer" definition for 4003 on both Asterisk A and Asterisk B. This meant that the sip.conf file on Asterisk B had the following:
[4003]
type=friend
host=dynamic
secret=myUApassword
context=from-internal

[AsteriskA]
type=peer
host=<ip_of_asterisk_A>
context=from-asteriskA

I was expecting the calls to be handled in context [from-asteriskA], but in fact the calls were failing with 407 Authentication Required. I found it was because the From header contained a user number of 4003 and Asterisk B was matching on that in preference to matching on the sender's IP address. The simplest solution I could find (other than deleting the 4003 definition on Asterisk B) was to change type=friend to type=peer - like this:
[4003]
type=peer
host=dynamic
secret=myUApassword
context=from-internal

[AsteriskA]
type=peer
host=<ip_of_asterisk_A>
context=from-asteriskA

Expert Comment

by:feptias
ID: 26277711
I should add that the snippet I showed from my sip.conf is by way of illustration only and is not complete - however, I should have shown that I included the following line in the AsteriskA peer definition (it is quite important to the IP authentication vs. username/password authentication):
 insecure=invite

So Asterisk A peer definition was roughly like this:
[AsteriskA]
type=peer
host=<ip_of_asterisk_A>
context=from-asteriskA
insecure=invite

Author Comment

by:jkockler
ID: 26279416
Yes indeed Feptias!... I in fact do have duplicate peer entries on both boxes.  

If the issue returns, I will remember to set duplicate entries to type=peer... Strange that it suddenly started to work for me without changing my duplicate entry to type=peer.

Just curious, what part of the SIP debug actually showed that Asterisk B was using the 4003 info from its local sip config, instead of what Asterisk A was sending?

Expert Comment

by:feptias
ID: 26281504
I suspect that your problem suddenly disappeared because you made some changes to the "fromuser" setting on Box A. The user part of the From header is what Asterisk matches against the device names of peer definitions in sip.conf, so if the From header sent by Asterisk A contained 4003@asteriskA, then Box B would match it to its own peer [4003]. The value given for "fromuser" on Box A would change the contents of the From header it sends to Box B.

The CLI command "sip set debug on" makes Asterisk print all SIP packets to the console. When Asterisk receives an INVITE request you will see the INVITE packet printed in full, but just after it (and before the response it sends back) there are a bunch of additional lines of output written to the console:
<------------->
--- (14 headers 14 lines) ---
  == Using SIP RTP CoS mark 5
Sending to 192.168.1.109 : 5060 (no NAT)
Using INVITE request as basis request - 7c785b17fc04021eb1310e44ff8@192.168.1.109
Found peer 'asteriska-in' for '4003' from 192.168.1.109:5060
...

The line that starts "Found peer.." tells you which peer definition in sip.conf has been matched to the call. I also knew that it was matching the wrong peer because it was sending back a 407 Not Authorised response. If it had been matching the correct peer there would be no such authentication challenge response because it has the line "insecure=invite".
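
The matching order described in the accepted answer and in the comment above, as an added example that is not part of the original thread and not Asterisk's own code: a simplified model that shows which sip.conf section handles an INVITE before and after changing type=friend to type=peer. The address 192.0.2.10 stands in for <ip_of_asterisk_A>, and the function names are hypothetical.

```python
import configparser

# Constructed sip.conf for "Asterisk B", modelled on the snippets in the thread.
# 192.0.2.10 is a documentation address standing in for <ip_of_asterisk_A>.
SIP_CONF_B = """
[4003]
type=friend
host=dynamic
secret=myUApassword
context=from-internal

[AsteriskA]
type=peer
host=192.0.2.10
context=from-asteriskA
insecure=invite
"""

def load(text):
    """Parse sip.conf-style text into {section: {option: value}}."""
    cp = configparser.ConfigParser(comment_prefixes=(";",), strict=False, interpolation=None)
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}

def match_invite(conf, from_user, src_ip):
    """Simplified model of the matching order described in the thread:
    From user against type=user/friend names first, then source IP against
    host= of type=peer/friend entries. Returns (section, context, response)."""
    hit = None
    if conf.get(from_user, {}).get("type") in ("user", "friend"):
        hit = from_user
    else:
        for name, entry in conf.items():
            if entry.get("type") in ("peer", "friend") and entry.get("host") == src_ip:
                hit = name
                break
    if hit is None:
        return (None, None, "no match")
    entry = conf[hit]
    # A secret without insecure=invite means the INVITE is challenged (407).
    challenged = "secret" in entry and "invite" not in entry.get("insecure", "")
    return (hit, entry.get("context"), "407" if challenged else "accepted")

def demo():
    """Same call (From user 4003, sent from Asterisk A) before and after the fix."""
    fixed = SIP_CONF_B.replace("type=friend", "type=peer")
    return [match_invite(load(c), "4003", "192.0.2.10") for c in (SIP_CONF_B, fixed)]

if __name__ == "__main__":
    print(demo())
```

Running the same check over each trunk-facing sip.conf with the caller IDs in use on the neighbouring box shows which local device names would capture trunk calls ahead of the IP-authenticated peer.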

Author Closing Comment

by:jkockler
ID: 31675001
This was most likely the issue and solution:


"Regarding your original problem, is it possible that the Caller ID of the UA matched a user name on Box B?"