[Asterisk-Users] Using IAXTEL with RSA authentication. MD5 works, RSA not. [2]

Steve Haehnichen s-asterisk at trix.com
Tue Sep 16 18:14:26 MST 2003


[  Sorry, I incorrectly copied some Reference headers into this post
   and tacked it onto the wrong thread.   -Steve ]

So far, I have been able to receive incoming iaxtel calls via my
assigned 1-700-xxx-xxxx number, but only when using md5
authentication in iax.conf:

[iaxtel]
type=user                ; Incoming calls only
context=incoming
auth=md5
secret=<mysecret>        ; Required for MD5
inkeys=iaxtel

Where <mysecret> is my iaxtel password.  This works great.

If I use "auth=rsa", I can see the incoming connection attempt on
"iax2 debug", but the incoming call is ignored with no error messages
or dialed extensions.  (See below)

My iaxtel public key looks like this:

# ls -l /var/lib/asterisk/keys/iaxtel.pub 
   4 -rw-r--r--    1 root root 272 Sep 13 22:15 /var/lib/asterisk/keys/iaxtel.pub
# md5sum /var/lib/asterisk/keys/iaxtel.pub 
  d919b3ef03eb4dc54c8fee86bfeeada1  /var/lib/asterisk/keys/iaxtel.pub

I'm not sure where that key came from.  How do I get an updated public
key from iaxtel?  Is it automatic?  Do I also need a private key?  How
do I make one?  (I have none)

It's really not critical since md5 seems secure enough here, but I
thought I'd ask in case anyone else has run into this.  (I'd like to
eventually set up my own RSA IAX2 trunks.)


By the way, iaxtel and FWD is a great combo!  I have single phones out
on the internet using the fwdnat service and FWD server, since that's
the only thing that works behind some firewalls.  Those phones can
dial in to my own Asterisk (also behind NAT) via my 1-700 iaxtel
number.  This seems to be the best workaround for too-much-NAT.

Thanks,
-Steve

Here is the iax2 debug for a failed incoming call with RSA authentication:

IAX2 Debugging Enabled
Rx-Frame Retry[No] -- OSeqno: 000 ISeqno: 000 Type: IAX     Subclass: NEW    
   Timestamp: 00001ms  SCall: 00058  DCall: 00000 [12.37.165.130:4569]
   VERSION         : 2
   CALLED NUMBER   : s
   CALLING NUMBER  : 52285         *** my FWD number
   CALLING NAME    : Steve FWD     *** the caller-id name in the BudgeTone phone
   LANGUAGE        : en
   FORMAT          : 2
   CAPABILITY      : 2
   ADSICPE         : 2

Tx-Frame Retry[000] -- OSeqno: 000 ISeqno: 001 Type: IAX     Subclass: AUTHREQ
   Timestamp: 00001ms  SCall: 00002  DCall: 00058 [12.37.165.130:4569]
   AUTHMETHODS     : 4
   CHALLENGE       : 206606603
   USERNAME        : iaxtel

***  This challenge makes it look like it starts right off with MD5 auth.
***  I don't see anything RSA-looking.

Rx-Frame Retry[No] -- OSeqno: 001 ISeqno: 001 Type: IAX     Subclass: ACK    
   Timestamp: 00001ms  SCall: 00058  DCall: 00002 [12.37.165.130:4569]
Rx-Frame Retry[No] -- OSeqno: 001 ISeqno: 001 Type: IAX     Subclass: HANGUP 
   Timestamp: 07234ms  SCall: 00058  DCall: 00002 [12.37.165.130:4569]
Tx-Frame Retry[-01] -- OSeqno: 001 ISeqno: 002 Type: IAX     Subclass: ACK    
   Timestamp: 07234ms  SCall: 00002  DCall: 00058 [12.37.165.130:4569]
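
Added example, not part of the original post: a small parser for "iax2 debug" output like the trace above. It decodes the AUTHMETHODS bitmask of each AUTHREQ (bit values per RFC 5456) and checks whether the peer ever answered with an AUTHREP. The function names are hypothetical, the sample is constructed from trace lines in the post, and AUTHMETHODS is assumed to be printed in decimal as it appears there.

```python
import re

# AUTHMETHODS is a bitmask (RFC 5456): 0x1 plaintext, 0x2 MD5, 0x4 RSA.
AUTH_BITS = {0x1: "plaintext", 0x2: "md5", 0x4: "rsa"}
FRAME_RE = re.compile(r"^(Rx|Tx)-Frame .*?Subclass:\s*(\S+)")
IE_RE = re.compile(r"^\s+([A-Z][A-Z ]*?)\s*:\s*(.*?)\s*$")

# Constructed sample: lines taken from the trace in the post, shortened.
SAMPLE = """\
Rx-Frame Retry[No] -- OSeqno: 000 ISeqno: 000 Type: IAX     Subclass: NEW
   CALLED NUMBER   : s
Tx-Frame Retry[000] -- OSeqno: 000 ISeqno: 001 Type: IAX     Subclass: AUTHREQ
   Timestamp: 00001ms  SCall: 00002  DCall: 00058 [12.37.165.130:4569]
   AUTHMETHODS     : 4
   CHALLENGE       : 206606603
   USERNAME        : iaxtel
Rx-Frame Retry[No] -- OSeqno: 001 ISeqno: 001 Type: IAX     Subclass: HANGUP
"""

def decode_authmethods(mask):
    """Return the method names set in an AUTHMETHODS bitmask, lowest bit first."""
    names = [name for bit, name in sorted(AUTH_BITS.items()) if mask & bit]
    unknown = mask & ~sum(AUTH_BITS)
    if unknown:
        names.append(f"unknown(0x{unknown:x})")
    return names

def parse_frames(text):
    """Split 'iax2 debug' output into frames, each with its information elements."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        if m:
            frames.append({"dir": m.group(1), "subclass": m.group(2), "ies": {}})
        elif frames and (m := IE_RE.match(line)):
            frames[-1]["ies"][m.group(1)] = m.group(2)
    return frames

def offered_auth(text):
    """(username, methods) for each AUTHREQ this side sent."""
    return [(f["ies"].get("USERNAME"), decode_authmethods(int(f["ies"]["AUTHMETHODS"])))
            for f in parse_frames(text)
            if (f["dir"], f["subclass"]) == ("Tx", "AUTHREQ") and "AUTHMETHODS" in f["ies"]]

def peer_answered(text):
    """True if the peer ever sent an AUTHREP in reply to a challenge."""
    return any((f["dir"], f["subclass"]) == ("Rx", "AUTHREP") for f in parse_frames(text))

if __name__ == "__main__":
    print(offered_auth(SAMPLE), "AUTHREP received:", peer_answered(SAMPLE))
```
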


