[asterisk-users] Incoming side of SIP trunk does not work unless I add "insecure=very"

Andres andres at telesip.net
Tue Jan 6 11:18:54 CST 2009 

Frank Bulk wrote:

>This is what I have in my configuration now:
>
>[ACME]
>host=sip.acme.com
>username=username
>secret=password
>type=friend
>  
>
Your problem is you are trying to do authenticate by host and by 
username at the same time.  That does not work in asterisk.  You should 
be seeing a Warning message in the console saying something like:

check_auth: username mismatch, have <ACME>, digest has <username>

That means you already matched to sip.conf entry ACME, but the digest 
has a different username, so it fails.  You can fix it by setting the 
paramters in the CS1500 to have the username = ACME.  That way the 
digest will come in as:

Digest username="ACME" ...bla bla bla

Andres
http://www.telesip.net

>I've done a SIP debug before, but I've done it again with the above
>configuration:
>	No user '5551236049' in SIP users list
>	Found peer 'ACME' for '5551236049' from 172.16.10.40:5060
>after which "SIP/2.0 401 Unauthorized" is issued after the un-authenticated
>INVITE and "SIP/2.0 403 Forbidden" after the authenticated INVITE.
>
>When I add "insecure=very", this is what the SIP debug shows:
>	No user '5551236049' in SIP users list
>	Found peer 'ACME' for '5551236049' from 172.16.10.40:5060
>	Found RTP audio format 0
>	Peer audio RTP is at port 172.16.10.65:36272
>	Found audio description format PCMU for ID 0
>	Capabilities: us - 0xc (ulaw|alaw), peer - audio=0x4
>(ulaw)/video=0x0 (nothing)/text=0x0 (nothing), combined - 0x4 (ulaw)
>	Non-codec capabilities (dtmf): us - 0x1 (telephone-event), peer -
>0x0 (nothing), combined - 0x0 (nothing)
>	Peer audio RTP is at port 172.16.10.65:36272
>	Looking for +15552127020 in from-sip-external (domain sip.acme.com)
>	list_route: hop: <sip:5551236049 at 172.16.10.40>
>
>It isn't very clear (to me) from the success how the "insecure=very" helps.
>
>  
>

>Frank
>
>-----Original Message-----
>From: Andres [mailto:andres at telesip.net] 
>Sent: Monday, January 05, 2009 7:43 PM
>To: frnkblk at iname.com; Asterisk Users Mailing List - Non-Commercial
>Discussion
>Subject: Re: [asterisk-users] Incoming side of SIP trunk does not work
>unless I add "insecure=very"
>
>Frank Bulk - iName.com wrote:
>
>  
>
>>The incoming (Class 5 switch to Asterisk PBX) side of a SIP trunk does not
>>work unless I add "insecure=very" to my "Outgoing settings", but I don't
>>want to do that.  I do want to authenticate.  Outgoing (Asterisk PBX to
>>Class 5 switch) calls do authenticate and work.
>>
>>The Nortel CS 1500 I'm using as the PSTN-side of my SIP trunk has a
>>    
>>
>username
>  
>
>>and password that it's sending out.  But the INVITE is responded by the
>>Asterisk with "SIP/2.0 403 Forbidden"
>>
>>I've changed the INVITE message to mask the real telephone numbers, SIP
>>server, passwords, and IP addresses, but I did that using search and
>>    
>>
>replace
>  
>
>>so the structure is intact.
>>
>>What do I need to configure in the "Incoming Settings" panel for the CS
>>1500's INVITE to my Asterisk server to work?  I've tried all kinds of
>>combinations of user,username,authname using +15552027020,host with IP
>>and/or DNS name, but nothing appears to work.
>>
>>
>>
>>    
>>
>Do a sip debug on the asterisk console and see if it is actually is
>matching one of your sip.conf entries during an invite from the CS1500.
>Look for a line that says something like 'Found Peer....bla bla bla'.
>If you dont see that line, then you are not even adding the correct
>sip.conf entry to match the invite from the CS1500.
>
>Andres
>http://www.telesip.net
>
>  
>
>>Frank
>>
>>INVITE message from Wireshark packet capture:
>>
>>INVITE sip:+15552027020 at sip.acme.com SIP/2.0
>>From:
>><sip:5552022441 at 172.16.10.40>;tag=f76c66d0-c7784528-13c4-2dbba4-767e6552-2d
>>    
>>
>b
>  
>
>>ba4
>>To: <sip:+15552027020 at sip.acme.com>
>>Call-ID: f379f62-29173-3895-b14271f5-40802-45378 at 172.16.10.40	
>>CSeq: 5102 INVITE
>>Via: SIP/2.0/UDP 172.16.10.40:5060;branch=z9hG4bK-2dbba4-b2a4fa3a-7cd7598
>>User-Agent: Nortel CS1500UA/v02.00.REL01
>>Accept: application/sdp
>>P-Asserted-Identity: <sip:5552022441 at 172.16.10.40;user=phone>
>>Privacy: none
>>Remote-Party-ID: <sip:5552022441 at 172.16.10.40;user=phone>; party=calling;
>>privacy=off
>>Max-Forwards: 70
>>Supported: 100rel,replaces
>>Allow: INVITE, ACK, OPTIONS, CANCEL, BYE, REFER, PRACK
>>Contact: <sip:5552022441 at 172.16.10.40>
>>Authorization: Digest
>>username="username",realm="asterisk",nonce="118af2b0",uri="sip:+15552027020
>>    
>>
>@
>  
>
>>sip.acme.com",response="111e63ec2a1f3ebabefe4f7dae4087a1",algorithm=MD5
>>Content-Type: application/SDP
>>Content-Length: 167
>>
>>v=0
>>o=- 2973921782 2973921782 IN IP4 172.16.10.65
>>s=SIP Call
>>c=IN IP4 172.16.10.65
>>t=0 0
>>m=audio 36224 RTP/AVP 0
>>a=rtpmap:0 PCMU/8000
>>a=ptime:20
>>a=sendrecv
>>
>>
>>_______________________________________________
>>-- Bandwidth and Colocation Provided by http://www.api-digital.com --
>>
>>asterisk-users mailing list
>>To UNSUBSCRIBE or update options visit:
>>  http://lists.digium.com/mailman/listinfo/asterisk-users
>>
>>
>>
>>    
>>
>
>
>  
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.digium.com/pipermail/asterisk-users/attachments/20090106/4eed5172/attachment-0001.htm

More information about the asterisk-users mailing list