<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">El 02/05/14 11:41, Alex Villací­s Lasso
      escribió:<br>
    </div>
    <blockquote cite="mid:5363CAD1.1060909@palosanto.com" type="cite">
      <meta content="text/html; charset=ISO-8859-1"
        http-equiv="Content-Type">
      <div class="moz-cite-prefix">El 02/05/14 10:49, Alex Villací­s
        Lasso escribió:<br>
      </div>
      <blockquote cite="mid:5363BEA1.2010508@palosanto.com" type="cite">
        <meta content="text/html; charset=ISO-8859-1"
          http-equiv="Content-Type">
        <div class="moz-cite-prefix">El 27/04/14 07:47, Barry Flanagan
          escribió:<br>
        </div>
        <blockquote
cite="mid:CALJb54--1kUaxbWG+Yr-zZnfw6u_yYyZM5cAUDbY_OgNd8F0Uw@mail.gmail.com"
          type="cite">
          <div dir="ltr">
            <div class="gmail_extra">
              <div class="gmail_quote">On 26 April 2014 00:29, Alex
                Villací­s Lasso <span dir="ltr"><<a
                    moz-do-not-send="true"
                    href="mailto:a_villacis@palosanto.com"
                    target="_blank">a_villacis@palosanto.com</a>></span>
                wrote:<br>
                <blockquote class="gmail_quote" style="margin:0px 0px
                  0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
                  <div text="#000000" bgcolor="#FFFFFF">
                    <div style="font-family:-moz-fixed;font-size:14px"
                      lang="x-western">I am currently preparing a
                      kamailio-asterisk combination. The asterisk
                      installation uses realtime for SIP. The kamailio
                      configuration was based on the reference at <a
                        moz-do-not-send="true"
href="http://kb.asipto.com/asterisk:realtime:kamailio-4.0.x-asterisk-11.3.0-astdb"
                        target="_blank">http://kb.asipto.com/asterisk:realtime:kamailio-4.0.x-asterisk-11.3.0-astdb</a>
                      but has been heavily modified. Currently asterisk
                      runs on localhost and only listens on SIP/RTP at
                      127.0.0.1 . Therefore, all of the SIP traffic
                      appears to come from localhost, from the point of
                      view of asterisk. <br>
                      <br>
                      Currently I have a model on which internal SIP
                      phones get identified by the authentication
                      username, and then the contact names at From: and
                      To: get massaged to incorporate the SIP domain, in
                      order to emulate multiple-domain support. The
                      'sip' table in Asterisk defines all such contacts
                      as SIP accounts of the form <a
                        moz-do-not-send="true"
                        href="http://name_domain.com" target="_blank">name_domain.com</a>,
                      and the SIP phones are configured to use 'name' as
                      authentication username for domain '<a
                        moz-do-not-send="true" href="http://domain.com"
                        target="_blank">domain.com</a>'. However, SIP
                      providers that register on the server with
                      authentication names are left with their original
                      names, since in the model, SIP trunks are
                      available to all domains. <br>
                      <br>
                      Now I have to add support for SIP providers which
                      are to be authorized on the basis of IP only.
                      Apparently, the kamailio module permissions.so
                      (WITH_IPAUTH) is made for just this purpose, so I
                      enabled it. After authentication, I need to route
                      the INVITE to asterisk, and asterisk must somehow
                      match the account for the SIP trunk from the
                      available information on the INVITE request. <br>
                      <br>
                    </div>
                  </div>
                </blockquote>
                <div><br>
                </div>
                <div><br>
                </div>
                <div>What I have done in a similar situation is to use
                   force_send_socket in Kamailio when sending INVITEs
                  from your trusted host (your trunks) so that it is
                  coming in to Asterisk from a different port (say
                  5070), and then in your Asterisk sip.conf settings
                  create a new peer for this like so:</div>
                <div><br>
                </div>
                <div>[peer-incoming]</div>
                <div>
                  <div
                    style="font-family:arial,sans-serif;font-size:13px">context=peercontext</div>
                  <div
                    style="font-family:arial,sans-serif;font-size:13px">type=peer</div>
                  <div
                    style="font-family:arial,sans-serif;font-size:13px">
                    host=127.0.0.1</div>
                </div>
                <div style="font-family:arial,sans-serif;font-size:13px">port=5070</div>
                <div style="font-family:arial,sans-serif;font-size:13px"><br>
                </div>
                <div style="font-family:arial,sans-serif;font-size:13px">
                  Now, when Asterisk receives an INVITE from <a
                    moz-do-not-send="true" href="http://127.0.0.1:5070">127.0.0.1:5070</a>
                  it will match this peer, whereas the rest, coming from
                  <a moz-do-not-send="true" href="http://127.0.0.1:5060">127.0.0.1:5060</a>,
                  will match your other subscribers.</div>
                <div style="font-family:arial,sans-serif;font-size:13px"><br>
                </div>
                <div style="font-family:arial,sans-serif;font-size:13px">Here


                  is a bit of the Kamailio config:</div>
                <div style="font-family:arial,sans-serif;font-size:13px">
                  <br>
                </div>
                <div style="font-family:arial,sans-serif;font-size:13px">
                  <div>if (is_method("INVITE"))</div>
                  <div>    {</div>
                  <div>        # If call is coming from a trusted source
                    (Trunk/PSTN) then we send it to Asterisk from port
                    5070</div>
                  <div>        # so that Asterisk knows this is not
                    coming from a subscriber. The peer in Asterisk needs
                    to be set with port=5070</div>
                  <div>        # as well as the host=<ip address></div>
                  <div>        if (allow_trusted())</div>
                  <div>        {</div>
                  <div>            xlog("L_INFO","Inbound to Asterisk
                    from Trusted Source IP $si, Caller: $fU, Callee: $rU
                    with Call-ID $hdr(Call-ID)");</div>
                  <div>            force_send_socket(<a
                      moz-do-not-send="true"
                      href="http://127.0.0.1:5070">127.0.0.1:5070</a>);</div>
                  <div>        } else {</div>
                  <div>            # This is a call from a registered
                    subscriber.</div>
                  <div>            xlog("L_INFO","Inbound to Asterisk
                    from $fU to $rU with Call-ID $hdr(Call-ID)");</div>
                  <div>         }   </div>
                  <div>    }</div>
                  <div>    route(RELAY);</div>
                  <div>    exit;</div>
                  <div>}</div>
                  <div><br>
                  </div>
                </div>
                <div>NOTE: Kamailio must be set to listen on <a
                    moz-do-not-send="true" href="http://127.0.0.1:5070">127.0.0.1:5070</a>
                  as well as your usual ports for this to work! Also,
                  your SIP Trunk trusted peers need to be in the
                  Kamailio trusted table, or explicitly test for the
                  src_ip rather than use allow_trusted().</div>
                <br>
              </div>
            </div>
          </div>
        </blockquote>
        I would rather have a solution that does not involve allocating
        a new UDP port every time a new IP-trusted SIP trunk is
        configured.<br>
        <br>
        I tried appending a P-Asserted Identity header to the incoming
        INVITE before routing it to asterisk, like this:<br>
        <br>
        #!ifdef WITH_IPAUTH<br>
            if((!is_method("REGISTER")) &&
        allow_source_address() && $au == "")<br>
            {<br>
                # Attempt to create a P-Asserted-Identity if none
        exists, to preserve<br>
                # incoming Caller-ID<br>
                if (!is_present_hf("P-Asserted-Identity"))<br>
                {<br>
                    append_hf("P-Asserted-Identity:
        <sip:$fU@$fd>\r\n");<br>
                }<br>
        <br>
                # Loading $fU from database using IP<br>
                sql_pvquery("elxpbx", "SELECT name FROM sip WHERE host =
        '$si' AND sippasswd IS NULL", "$fU");<br>
                <br>
                # source IP allowed<br>
                return;<br>
            }<br>
        #!endif<br>
        <br>
        With tcpdump, I can see that the header is indeed appended to
        the SIP headers of the INVITE, but there is no effect in
        Asterisk. From examination of the Asterisk 11.8.1 source code, I
        see that channels/chan_sip.c contains a get_pai() function that
        is supposed to process P-Asserted-Identity and extract a caller
        ID. I am still studying the code, but I would appreciate help on
        this issue, to see why my attempt is not working.<br>
        <br>
        <fieldset class="mimeAttachmentHeader"></fieldset>
        <br>
      </blockquote>
      By placing debugging statements, I think get_pai() is not being
      called when receiving an incoming INVITE, corresponding to an
      incoming call from the IP-authenticated trunk being handled by an
      IVR, but not yet routed to an internal extension. Why is this so?
      Is this by design?<br>
      <br>
      <fieldset class="mimeAttachmentHeader"></fieldset>
      <br>
    </blockquote>
    SOLVED: asterisk needs to be configured with trustrpid=yes in the
    affected trunk for the P-Asserted-Identity header to take effect.
  </body>
</html>