[asterisk-users] action at registering or de-registering

Hans Witvliet hwit at a-domani.nl
Wed Nov 24 16:24:41 CST 2010


On Wed, 2010-11-24 at 15:47 -0600, Sherwood McGowan wrote:
> On Wed, Nov 24, 2010 at 3:08 PM, Hans Witvliet <hwit at a-domani.nl> wrote:
> > On Wed, 2010-11-24 at 08:29 -0500, Ryan Bullock wrote:
> >> On Asterisk 1.8 when a SIP peer registers or unregisters it generates
> >> a PeerStatus event. I don't know if this is in 1.4/1.6 as well, but
> >> should be easy enough to test.
> >>
> >> Here is an example of what I see on the manager interface during a
> >> register/unregister:
> >>
> >> Event: PeerStatus
> >> Privilege: system,all
> >> ChannelType: SIP
> >> Peer: SIP/twinkle
> >> PeerStatus: Registered
> >> Address: 192.168.56.1:5068
> >>
> >> Event: PeerStatus
> >> Privilege: system,all
> >> ChannelType: SIP
> >> Peer: SIP/twinkle
> >> PeerStatus: Unregistered
> >>
> >> I think that should work for whatever you need to do.
> >>
> >
> > I'm doing a fresh install, so 1.8 is what I'm going to use.
> >
> > What I want to check is whether the person who is doing a register is
> > really the person at the other end of a VPN-tunnel.
> > With openvpn I'm absolutely sure which person is at a certain
> > vpn-ip-address. I must check if the registering is faked or not.
> >
> > As long as linphone (or for that matter any other softphone) does not
> > have a possibility for using the libraries from opensc, there is no
> > other way...
> >
> > So next couple of weeks I'll start exploring AMI,
> >
> > Thanks!
> >

> >
> 
> Well, if that's all you need (restricting registrations for a SIP
> endpoint to a specific IP address), try one of the following
> methods...
> 
> Method 1:
> In the endpoint definition, set the host to the vpn ip address, rather
> than setting it to dynamic. This disallows registrations. Then, use
> qualify=yes so Asterisk "knows" when the endpoint is available
> (responding to OPTIONS requests).
> 
> Method 2:
> Use the permit, deny, and mask settings to define what ip address
> and/or network the endpoint should be at, thereby locking out use from
> another address.
> (http://www.voip-info.org/wiki/view/Asterisk+sip+permit-deny-mask)
> 
> Either of those should resolve your needs


No, don't think so (unless mistaken).
Everybody got a dynamic address from openvpn, something in 10.225.0.0/16.
You never know what you will get, so it has got to be dynamic.

Anybody within that range is a valid user (otherwise he could not set up
the vpn-tunnel). But any rogue co-worker should not be able to register
as another co-worker, so method-2 won't do either.

sip/tls might have been a solution, but private keys are locked on a
card, and can only be reached with the pkcs11-libs from opensc.

Hans
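
The check discussed in this thread, as an added example that is not part of the original messages and not code from any poster: it parses PeerStatus events in the format Ryan quoted and compares each registering address with the virtual IP OpenVPN assigned to that peer's owner. Assumptions: the PEER_OWNER mapping is hypothetical, the OpenVPN status text follows the version 1 status-file layout, the Address field reflects where the REGISTER really came from, and all sample data is constructed.

```python
# Constructed sample data. PEER_OWNER (SIP peer -> OpenVPN common name) is an
# assumed local mapping; neither Asterisk nor OpenVPN provides it.
PEER_OWNER = {"SIP/alice": "alice", "SIP/bob": "bob"}
OPENVPN_STATUS = """\
OpenVPN CLIENT LIST
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.225.0.6,alice,203.0.113.5:40001,Wed Nov 24 15:59:00 2010
10.225.0.10,bob,203.0.113.9:40002,Wed Nov 24 15:59:30 2010
GLOBAL STATS
END
"""
HDR = "Event: PeerStatus\r\nPrivilege: system,all\r\nChannelType: SIP\r\n"
AMI_STREAM = (
    HDR + "Peer: SIP/alice\r\nPeerStatus: Registered\r\nAddress: 10.225.0.6:5060\r\n\r\n"
    + HDR + "Peer: SIP/bob\r\nPeerStatus: Registered\r\nAddress: 10.225.0.6:5062\r\n\r\n"
    + HDR + "Peer: SIP/alice\r\nPeerStatus: Unregistered\r\n\r\n"
)

def vpn_addresses(status_text):
    """Map common name -> virtual IP from the status file's ROUTING TABLE."""
    table, in_table = {}, False
    for line in status_text.splitlines():
        if line in ("ROUTING TABLE", "GLOBAL STATS"):
            in_table = line == "ROUTING TABLE"
        elif in_table and "," in line and not line.startswith("Virtual Address"):
            vip, cn = line.split(",")[:2]
            table[cn] = vip
    return table

def parse_events(stream):
    """Yield one dict per AMI event (blocks are separated by a blank line)."""
    for block in stream.replace("\r\n", "\n").split("\n\n"):
        fields = dict(l.split(": ", 1) for l in block.splitlines() if ": " in l)
        if fields:
            yield fields

def check_registrations(stream, status_text, owners=PEER_OWNER):
    """Return (peer, ip, verdict) for every 'Registered' PeerStatus event."""
    vpn, results = vpn_addresses(status_text), []
    for ev in parse_events(stream):
        if (ev.get("Event"), ev.get("PeerStatus")) != ("PeerStatus", "Registered"):
            continue
        peer = ev.get("Peer", "")
        ip = ev.get("Address", "").rsplit(":", 1)[0]
        expected = vpn.get(owners.get(peer))  # None for unknown peer or no tunnel
        # Fail closed: anything not positively matched counts as a mismatch.
        results.append((peer, ip, "ok" if expected and ip == expected else "mismatch"))
    return results
```

With the sample data, SIP/alice registering from 10.225.0.6 is accepted, while SIP/bob registering from that same address is reported as a mismatch because bob's tunnel holds 10.225.0.10.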


