[asterisk-users] Freepbx VPN SIP Client (SIP/2.0 401 Unauthorized)

basti mailinglist at unix-solution.de
Mon Nov 9 03:21:21 CST 2020 

On 08.11.20 14:18, John Fawcett wrote:
> On 06/11/2020 14:28, basti wrote:
>> Hello,
>> i try to connect my SIP Client (linphone) via VPN to FreePBX.
>> The routing looks OK. I can ping the Endpoints and traffic is routing.
>> I can also Register my Sip Client.
>>
>> debpbx*CLI> pjsip list contacts
>>
>>    Contact:  <Aor/ContactUri..............................> <Hash....>
>> <Status> <RTT(ms)..>
>> ==========================================================================================
>>
>>
>>    Contact:  731/sip:731 at 192.168.30.132:5060                163a967d99
>> Avail        15.722
>>    Contact:  734/sip:734 at 10.8.0.143:5060                    1b1aa8cbac
>> Avail        62.180
>>
>> So far so good. When I try to an other extension I get a timeout.
>> tcpdump:
>>
>> root at debpbx:/etc/asterisk# tcpdump -ni enp0s15 host 10.8.0.143 and not
>> port 80
>> tcpdump: verbose output suppressed, use -v or -vv for full protocol
>> decode
>> listening on enp0s15, link-type EN10MB (Ethernet), capture size 262144
>> bytes
>> 13:03:04.086687 IP 10.8.0.143.5060 > 192.168.30.28.5060: SIP: INVITE
>> sip:731 at asterisk.kes SIP/2.0
>> 13:03:04.087364 IP 192.168.30.28.5060 > 10.8.0.143.5060: SIP: SIP/2.0
>> 401 Unauthorized
>> 13:03:04.126101 IP 10.8.0.143.5060 > 192.168.30.28.5060: SIP: ACK
>> sip:731 at asterisk.kes SIP/2.0
>> 13:03:09.054643 IP 10.8.0.143.5060 > 192.168.30.28.5060: SIP
>> 13:03:14.112561 IP 192.168.30.28.5060 > 10.8.0.143.5060: SIP: OPTIONS
>> sip:734 at 10.8.0.143:5060 SIP/2.0
>> 13:03:14.162609 IP 10.8.0.143.5060 > 192.168.30.28.5060: SIP: SIP/2.0
>> 200 Ok
>> 13:03:19.057752 IP 10.8.0.143.5060 > 192.168.30.28.5060: SIP
>> 13:03:29.060765 IP 10.8.0.143.5060 > 192.168.30.28.5060: SIP
>> 13:03:44.672509 IP 10.8.0.143.5060 > 192.168.30.28.5060: SIP
>>
>> I think the SIP/2.0 401 Unauthorized is the problem.
>> I also had add the VPN IP range to the local_net but that does not
>> solve the problem.
>>
>> root at debpbx:/etc/asterisk# grep -ri 10.8.0
>> sip_general_additional.conf:localnet=10.8.0.0/24
>> pjsip.transports.conf:local_net=10.8.0.0/24
>>
>>
> Your tcpdump doesn't show the full data of the invite and the 401
> response. You'd probably be better of logging the sip messages from
> asterisk console with something like:
> 
> pjsip set logger host 10.8.0.143
> 
> It's quite normal to have an initial 401 response to the first
> unauthorized INVITE. The 401 should contain an authentication header.
> The 401 response should be followed up by a second INVITE containing an
> authorization header. Maybe credentials are not setup correctly on the
> sip client.
> 
> John
> 

Thanks, i have fixed it. There was a package size Problem of the VPN tunnel.

More information about the asterisk-users mailing list