VoIP Mailing List Archives
Mailing list archives for the VoIP community |
|
View previous topic :: View next topic |
Author |
Message |
a_villacis at palosant... Guest
|
Posted: Fri Apr 25, 2014 6:30 pm Post subject: [asterisk-users] Proper way to make Asterisk recognize SIP t |
|
|
I am currently preparing a kamailio-asterisk combination. The asterisk installation uses realtime for SIP. The kamailio configuration was based on the reference at http://kb.asipto.com/asterisk:realtime:kamailio-4.0.x-asterisk-11.3.0-astdb but has been heavily modified. Currently asterisk runs on localhost and only listens on SIP/RTP at 127.0.0.1 . Therefore, all of the SIP traffic appears to come from localhost, from the point of view of asterisk.
Currently I have a model on which internal SIP phones get identified by the authentication username, and then the contact names at From: and To: get massaged to incorporate the SIP domain, in order to emulate multiple-domain support. The 'sip' table in Asterisk defines all such contacts as SIP accounts of the form name_domain.com, and the SIP phones are configured to use 'name' as authentication username for domain 'domain.com'. However, SIP providers that register on the server with authentication names are left with their original names, since in the model, SIP trunks are available to all domains.
Now I have to add support for SIP providers which are to be authorized on the basis of IP only. Apparently, the kamailio module permissions.so (WITH_IPAUTH) is made for just this purpose, so I enabled it. After authentication, I need to route the INVITE to asterisk, and asterisk must somehow match the account for the SIP trunk from the available information on the INVITE request.
A typical INVITE for this scenario looks like this, before being processed by kamailio:
INVITE sip:6008010@172.28.161.218:5060;transport=udp;user=phone ([email]sip:6008010@172.28.161.218:5060;transport=udp;user=phone[/email]) SIP/2.0
Via: SIP/2.0/UDP 200.25.144.58:5060;branch=z9hG4bK+676ea13f680e853fd847230512a347561+32e3da76+1
Call-ID: FBE75B3A@32e3da76
From: <sip:042294440@200.25.144.58:5060;user=phone> ([email]sip:042294440@200.25.144.58:5060;user=phone[/email]);tag=32e3da76+1+544c000c+52be771c
To: <sip:6008010@172.28.161.218:5060;user=phone> ([email]sip:6008010@172.28.161.218:5060;user=phone[/email])
CSeq: 975469826 INVITE
Expires: 180
Organization: SetelGYE
Min-SE: 90
Session-Expires: 18000
Supported: replaces, 100rel, timer
Contact: <sip:042294440@200.25.144.58:5060;transport=udp;user=phone> ([email]sip:042294440@200.25.144.58:5060;transport=udp;user=phone[/email])
Content-Length: 149
Content-Type: application/sdp
Max-Forwards: 70
Allow: INVITE, ACK, CANCEL, BYE, OPTIONS, NOTIFY, PRACK, UPDATE, INFO, REFER
v=0
o=- 0 0 IN IP4 201.217.79.3
s=-
c=IN IP4 201.217.79.3
t=0 0
m=audio 5388 RTP/AVP 8 101
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
Here, 6008010 is the phone number that was dialed at the provider in order to reach my system, and 042294440 is the provider-supplied Caller-ID, which I want to preserve all the way to Asterisk. In particular, 042294440 appears as the value that ends up as $fU (From: username) while being processed in kamailio. If I pass the SIP packet as-is to asterisk, asterisk first tries to match by the value of $fU, which obviously fails to match the trunk name. It then tries to match by incoming IP, which also fails because asterisk received this packet from 127.0.0.1 . Finally, asterisk sort of matches to the first record in the sip table, which is *not* the SIP account for this trunk, but some other random account.
I have a partial solution that uses sqlops to make a query to the sip table, using the $si (source IP) and reads the trunk name in order to replace $fU. This works, as now $fU will have the trunk name and asterisk will now recognize the intended SIP account for the trunk. However, this has the unfortunate side effect of throwing out the Caller-ID information.
What is the standard/proper way to deal with this situation? Is there a well-known way to make Asterisk match the trunk name, without overwriting the Caller-ID information? Before you ask, requesting the provider to modify its INVITEs is not an option. I believe there is a standard way to deal with this, since this scenario should also arise with a kamailio that faces the internet, and relays INVITEs (after authentication) to an asterisk in a local network. As far as I can tell, the fact that in my case the 'local network' is localhost should be irrelevant. |
|
Back to top |
|
|
a_villacis at palosant... Guest
|
Posted: Fri Apr 25, 2014 6:48 pm Post subject: [asterisk-users] Proper way to make Asterisk recognize SIP t |
|
|
El 25/04/14 18:29, Alex Villacís Lasso escribió:
Quote: | I am currently preparing a kamailio-asterisk combination. The asterisk installation uses realtime for SIP. The kamailio configuration was based on the reference at http://kb.asipto.com/asterisk:realtime:kamailio-4.0.x-asterisk-11.3.0-astdb but has been heavily modified. Currently asterisk runs on localhost and only listens on SIP/RTP at 127.0.0.1 . Therefore, all of the SIP traffic appears to come from localhost, from the point of view of asterisk.
Currently I have a model on which internal SIP phones get identified by the authentication username, and then the contact names at From: and To: get massaged to incorporate the SIP domain, in order to emulate multiple-domain support. The 'sip' table in Asterisk defines all such contacts as SIP accounts of the form name_domain.com, and the SIP phones are configured to use 'name' as authentication username for domain 'domain.com'. However, SIP providers that register on the server with authentication names are left with their original names, since in the model, SIP trunks are available to all domains.
Now I have to add support for SIP providers which are to be authorized on the basis of IP only. Apparently, the kamailio module permissions.so (WITH_IPAUTH) is made for just this purpose, so I enabled it. After authentication, I need to route the INVITE to asterisk, and asterisk must somehow match the account for the SIP trunk from the available information on the INVITE request.
A typical INVITE for this scenario looks like this, before being processed by kamailio:
INVITE sip:6008010@172.28.161.218:5060;transport=udp;user=phone ([email]sip:6008010@172.28.161.218:5060;transport=udp;user=phone[/email]) SIP/2.0
Via: SIP/2.0/UDP 200.25.144.58:5060;branch=z9hG4bK+676ea13f680e853fd847230512a347561+32e3da76+1
Call-ID: FBE75B3A@32e3da76
From: <sip:042294440@200.25.144.58:5060;user=phone> ([email]sip:042294440@200.25.144.58:5060;user=phone[/email]);tag=32e3da76+1+544c000c+52be771c
To: <sip:6008010@172.28.161.218:5060;user=phone> ([email]sip:6008010@172.28.161.218:5060;user=phone[/email])
CSeq: 975469826 INVITE
Expires: 180
Organization: SetelGYE
Min-SE: 90
Session-Expires: 18000
Supported: replaces, 100rel, timer
Contact: <sip:042294440@200.25.144.58:5060;transport=udp;user=phone> ([email]sip:042294440@200.25.144.58:5060;transport=udp;user=phone[/email])
Content-Length: 149
Content-Type: application/sdp
Max-Forwards: 70
Allow: INVITE, ACK, CANCEL, BYE, OPTIONS, NOTIFY, PRACK, UPDATE, INFO, REFER
v=0
o=- 0 0 IN IP4 201.217.79.3
s=-
c=IN IP4 201.217.79.3
t=0 0
m=audio 5388 RTP/AVP 8 101
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
Here, 6008010 is the phone number that was dialed at the provider in order to reach my system, and 042294440 is the provider-supplied Caller-ID, which I want to preserve all the way to Asterisk. In particular, 042294440 appears as the value that ends up as $fU (From: username) while being processed in kamailio. If I pass the SIP packet as-is to asterisk, asterisk first tries to match by the value of $fU, which obviously fails to match the trunk name. It then tries to match by incoming IP, which also fails because asterisk received this packet from 127.0.0.1 . Finally, asterisk sort of matches to the first record in the sip table, which is *not* the SIP account for this trunk, but some other random account.
I have a partial solution that uses sqlops to make a query to the sip table, using the $si (source IP) and reads the trunk name in order to replace $fU. This works, as now $fU will have the trunk name and asterisk will now recognize the intended SIP account for the trunk. However, this has the unfortunate side effect of throwing out the Caller-ID information.
What is the standard/proper way to deal with this situation? Is there a well-known way to make Asterisk match the trunk name, without overwriting the Caller-ID information? Before you ask, requesting the provider to modify its INVITEs is not an option. I believe there is a standard way to deal with this, since this scenario should also arise with a kamailio that faces the internet, and relays INVITEs (after authentication) to an asterisk in a local network. As far as I can tell, the fact that in my case the 'local network' is localhost should be irrelevant.
| If I manage to coax Kamailio to add a (synthetized) P-Asserted-Identity header to the INVITE request before sending it to Asterisk, will Asterisk be able to use it? Will this information show up on a CDR? |
|
Back to top |
|
|
cloos at jhcloos.com Guest
|
Posted: Sat Apr 26, 2014 5:35 pm Post subject: [asterisk-users] Proper way to make Asterisk recognize SIP t |
|
|
And related thereto:
What needs to be done on kama and ast to ensure that all incoming calls
which route through a given kama box always matches a sip.conf [section]
based on the socket(7)'s remote address, w/o any consideration of the
INVITE's sip headers or body?
I tried a several variations, but nothing quite worked.
-JimC
--
James Cloos <cloos@jhcloos.com> OpenPGP: 0x997A9F17ED7DAEA6
--
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
http://www.asterisk.org/hello
asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users |
|
Back to top |
|
|
barryf-lists at flanag... Guest
|
Posted: Sun Apr 27, 2014 7:35 am Post subject: [asterisk-users] Proper way to make Asterisk recognize SIP t |
|
|
On 26 April 2014 23:32, James Cloos <cloos@jhcloos.com (cloos@jhcloos.com)> wrote:
Quote: | And related thereto:
What needs to be done on kama and ast to ensure that all incoming calls
which route through a given kama box always matches a sip.conf [section]
based on the socket(7)'s remote address, w/o any consideration of the
INVITE's sip headers or body?
I tried a several variations, but nothing quite worked.
|
Something like:
[peer_inbound]
context=peercontext
type=peer
host=192.168.1.1
Â
...should do the job.
Hope this helps.
-Barry Flanagan |
|
Back to top |
|
|
barryf-lists at flanag... Guest
|
Posted: Sun Apr 27, 2014 7:47 am Post subject: [asterisk-users] Proper way to make Asterisk recognize SIP t |
|
|
On 26 April 2014 00:29, Alex VillacÃÂs Lasso <a_villacis@palosanto.com (a_villacis@palosanto.com)> wrote:
Quote: | I am currently preparing a kamailio-asterisk combination. The asterisk installation uses realtime for SIP. The kamailio configuration was based on the reference at http://kb.asipto.com/asterisk:realtime:kamailio-4.0.x-asterisk-11.3.0-astdb but has been heavily modified. Currently asterisk runs on localhost and only listens on SIP/RTP at 127.0.0.1 . Therefore, all of the SIP traffic appears to come from localhost, from the point of view of asterisk.
Currently I have a model on which internal SIP phones get identified by the authentication username, and then the contact names at From: and To: get massaged to incorporate the SIP domain, in order to emulate multiple-domain support. The 'sip' table in Asterisk defines all such contacts as SIP accounts of the form name_domain.com, and the SIP phones are configured to use 'name' as authentication username for domain 'domain.com'. However, SIP providers that register on the server with authentication names are left with their original names, since in the model, SIP trunks are available to all domains.
Now I have to add support for SIP providers which are to be authorized on the basis of IP only. Apparently, the kamailio module permissions.so (WITH_IPAUTH) is made for just this purpose, so I enabled it. After authentication, I need to route the INVITE to asterisk, and asterisk must somehow match the account for the SIP trunk from the available information on the INVITE request.
|
What I have done in a similar situation is to use  force_send_socket in Kamailio when sending INVITEs from your trusted host (your trunks) so that it is coming in to Asterisk from a different port (say 5070), and then in your Asterisk sip.conf settings create a new peer for this like so:
[peer-incoming]
context=peercontext
type=peer
host=127.0.0.1
port=5070
Now, when Asterisk receives an INVITE from 127.0.0.1:5070 it will match this peer, whereas the rest, coming from 127.0.0.1:5060, will match your other subscribers.
Here is a bit of the Kamailio config:
if (is_method("INVITE"))
  {
    # If call is coming from a trusted source (Trunk/PSTN) then we send it to Asterisk from port 5070
    # so that Asterisk knows this is not coming from a subscriber. The peer in Asterisk needs to be set with port=5070
    # as well as the host=<ip address>
    if (allow_trusted())
    {
      xlog("L_INFO","Inbound to Asterisk from Trusted Source IP $si, Caller: $fU, Callee: $rU with Call-ID $hdr(Call-ID)");
      force_send_socket(127.0.0.1:5070);
    } else {
      # This is a call from a registered subscriber.
      xlog("L_INFO","Inbound to Asterisk from $fU to $rU with Call-ID $hdr(Call-ID)");
    }  Â
  }
  route(RELAY);
  exit;
}
NOTE: Kamailio must be set to listen on 127.0.0.1:5070 as well as your usual ports for this to work! Also, your SIP Trunk trusted peers need to be in the Kamailio trusted table, or explicitly test for the src_ip rather than use allow_trusted().
Hope this helps.
-Barry Flanagan |
|
Back to top |
|
|
cloos at jhcloos.com Guest
|
Posted: Sun Apr 27, 2014 9:18 am Post subject: [asterisk-users] Proper way to make Asterisk recognize SIP t |
|
|
Quote: | Quote: | Quote: | Quote: | Quote: | "BF" == Barry Flanagan <barryf-lists@flanagan.ie> writes:
|
|
|
|
|
BF> Something like:
BF> [peer_inbound]
BF> context=peercontext
BF> type=peer
BF> host=192.168.1.1
BF> ...should do the job.
That of course was something I tested, although I used the hostname;
perhaps the dual-v4/v6 got in the way?
-JimC
--
James Cloos <cloos@jhcloos.com> OpenPGP: 0x997A9F17ED7DAEA6
--
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
http://www.asterisk.org/hello
asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users |
|
Back to top |
|
|
a_villacis at palosant... Guest
|
Posted: Fri May 02, 2014 10:50 am Post subject: [asterisk-users] Proper way to make Asterisk recognize SIP t |
|
|
El 27/04/14 07:47, Barry Flanagan escribió:
Quote: | On 26 April 2014 00:29, Alex Villacís Lasso <a_villacis@palosanto.com (a_villacis@palosanto.com)> wrote:
Quote: | I am currently preparing a kamailio-asterisk combination. The asterisk installation uses realtime for SIP. The kamailio configuration was based on the reference at http://kb.asipto.com/asterisk:realtime:kamailio-4.0.x-asterisk-11.3.0-astdb but has been heavily modified. Currently asterisk runs on localhost and only listens on SIP/RTP at 127.0.0.1 . Therefore, all of the SIP traffic appears to come from localhost, from the point of view of asterisk.
Currently I have a model on which internal SIP phones get identified by the authentication username, and then the contact names at From: and To: get massaged to incorporate the SIP domain, in order to emulate multiple-domain support. The 'sip' table in Asterisk defines all such contacts as SIP accounts of the form name_domain.com, and the SIP phones are configured to use 'name' as authentication username for domain 'domain.com'. However, SIP providers that register on the server with authentication names are left with their original names, since in the model, SIP trunks are available to all domains.
Now I have to add support for SIP providers which are to be authorized on the basis of IP only. Apparently, the kamailio module permissions.so (WITH_IPAUTH) is made for just this purpose, so I enabled it. After authentication, I need to route the INVITE to asterisk, and asterisk must somehow match the account for the SIP trunk from the available information on the INVITE request.
|
What I have done in a similar situation is to use force_send_socket in Kamailio when sending INVITEs from your trusted host (your trunks) so that it is coming in to Asterisk from a different port (say 5070), and then in your Asterisk sip.conf settings create a new peer for this like so:
[peer-incoming]
context=peercontext
type=peer
host=127.0.0.1
port=5070
Now, when Asterisk receives an INVITE from 127.0.0.1:5070 it will match this peer, whereas the rest, coming from 127.0.0.1:5060, will match your other subscribers.
Here is a bit of the Kamailio config:
if (is_method("INVITE"))
{
# If call is coming from a trusted source (Trunk/PSTN) then we send it to Asterisk from port 5070
# so that Asterisk knows this is not coming from a subscriber. The peer in Asterisk needs to be set with port=5070
# as well as the host=<ip address>
if (allow_trusted())
{
xlog("L_INFO","Inbound to Asterisk from Trusted Source IP $si, Caller: $fU, Callee: $rU with Call-ID $hdr(Call-ID)");
force_send_socket(127.0.0.1:5070);
} else {
# This is a call from a registered subscriber.
xlog("L_INFO","Inbound to Asterisk from $fU to $rU with Call-ID $hdr(Call-ID)");
}
}
route(RELAY);
exit;
}
NOTE: Kamailio must be set to listen on 127.0.0.1:5070 as well as your usual ports for this to work! Also, your SIP Trunk trusted peers need to be in the Kamailio trusted table, or explicitly test for the src_ip rather than use allow_trusted().
| I would rather have a solution that does not involve allocating a new UDP port every time a new IP-trusted SIP trunk is configured.
I tried appending a P-Asserted Identity header to the incoming INVITE before routing it to asterisk, like this:
#!ifdef WITH_IPAUTH
if((!is_method("REGISTER")) && allow_source_address() && $au == "")
{
# Attempt to create a P-Asserted-Identity if none exists, to preserve
# incoming Caller-ID
if (!is_present_hf("P-Asserted-Identity"))
{
append_hf("P-Asserted-Identity: <sip:$fU@$fd>\r\n");
}
# Loading $fU from database using IP
sql_pvquery("elxpbx", "SELECT name FROM sip WHERE host = '$si' AND sippasswd IS NULL", "$fU");
# source IP allowed
return;
}
#!endif
With tcpdump, I can see that the header is indeed appended to the SIP headers of the INVITE, but there is no effect in Asterisk. From examination of the Asterisk 11.8.1 source code, I see that channels/chan_sip.c contains a get_pai() function that is supposed to process P-Asserted-Identity and extract a caller ID. I am still studying the code, but I would appreciate help on this issue, to see why my attempt is not working. |
|
Back to top |
|
|
a_villacis at palosant... Guest
|
Posted: Fri May 02, 2014 11:42 am Post subject: [asterisk-users] Proper way to make Asterisk recognize SIP t |
|
|
El 02/05/14 10:49, Alex Villacís Lasso escribió:
Quote: | El 27/04/14 07:47, Barry Flanagan escribió:
Quote: | On 26 April 2014 00:29, Alex Villacís Lasso <a_villacis@palosanto.com (a_villacis@palosanto.com)> wrote:
Quote: | I am currently preparing a kamailio-asterisk combination. The asterisk installation uses realtime for SIP. The kamailio configuration was based on the reference at http://kb.asipto.com/asterisk:realtime:kamailio-4.0.x-asterisk-11.3.0-astdb but has been heavily modified. Currently asterisk runs on localhost and only listens on SIP/RTP at 127.0.0.1 . Therefore, all of the SIP traffic appears to come from localhost, from the point of view of asterisk.
Currently I have a model on which internal SIP phones get identified by the authentication username, and then the contact names at From: and To: get massaged to incorporate the SIP domain, in order to emulate multiple-domain support. The 'sip' table in Asterisk defines all such contacts as SIP accounts of the form name_domain.com, and the SIP phones are configured to use 'name' as authentication username for domain 'domain.com'. However, SIP providers that register on the server with authentication names are left with their original names, since in the model, SIP trunks are available to all domains.
Now I have to add support for SIP providers which are to be authorized on the basis of IP only. Apparently, the kamailio module permissions.so (WITH_IPAUTH) is made for just this purpose, so I enabled it. After authentication, I need to route the INVITE to asterisk, and asterisk must somehow match the account for the SIP trunk from the available information on the INVITE request.
|
What I have done in a similar situation is to use force_send_socket in Kamailio when sending INVITEs from your trusted host (your trunks) so that it is coming in to Asterisk from a different port (say 5070), and then in your Asterisk sip.conf settings create a new peer for this like so:
[peer-incoming]
context=peercontext
type=peer
host=127.0.0.1
port=5070
Now, when Asterisk receives an INVITE from 127.0.0.1:5070 it will match this peer, whereas the rest, coming from 127.0.0.1:5060, will match your other subscribers.
Here is a bit of the Kamailio config:
if (is_method("INVITE"))
{
# If call is coming from a trusted source (Trunk/PSTN) then we send it to Asterisk from port 5070
# so that Asterisk knows this is not coming from a subscriber. The peer in Asterisk needs to be set with port=5070
# as well as the host=<ip address>
if (allow_trusted())
{
xlog("L_INFO","Inbound to Asterisk from Trusted Source IP $si, Caller: $fU, Callee: $rU with Call-ID $hdr(Call-ID)");
force_send_socket(127.0.0.1:5070);
} else {
# This is a call from a registered subscriber.
xlog("L_INFO","Inbound to Asterisk from $fU to $rU with Call-ID $hdr(Call-ID)");
}
}
route(RELAY);
exit;
}
NOTE: Kamailio must be set to listen on 127.0.0.1:5070 as well as your usual ports for this to work! Also, your SIP Trunk trusted peers need to be in the Kamailio trusted table, or explicitly test for the src_ip rather than use allow_trusted().
| I would rather have a solution that does not involve allocating a new UDP port every time a new IP-trusted SIP trunk is configured.
I tried appending a P-Asserted Identity header to the incoming INVITE before routing it to asterisk, like this:
#!ifdef WITH_IPAUTH
if((!is_method("REGISTER")) && allow_source_address() && $au == "")
{
# Attempt to create a P-Asserted-Identity if none exists, to preserve
# incoming Caller-ID
if (!is_present_hf("P-Asserted-Identity"))
{
append_hf("P-Asserted-Identity: <sip:$fU@$fd>\r\n");
}
# Loading $fU from database using IP
sql_pvquery("elxpbx", "SELECT name FROM sip WHERE host = '$si' AND sippasswd IS NULL", "$fU");
# source IP allowed
return;
}
#!endif
With tcpdump, I can see that the header is indeed appended to the SIP headers of the INVITE, but there is no effect in Asterisk. From examination of the Asterisk 11.8.1 source code, I see that channels/chan_sip.c contains a get_pai() function that is supposed to process P-Asserted-Identity and extract a caller ID. I am still studying the code, but I would appreciate help on this issue, to see why my attempt is not working.
| By placing debugging statements, I think get_pai() is not being called when receiving an incoming INVITE, corresponding to an incoming call from the IP-authenticated trunk being handled by an IVR, but not yet routed to an internal extension. Why is this so? Is this by design? |
|
Back to top |
|
|
|
|
|
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
|
Powered by phpBB © 2001, 2005 phpBB Group
|