[asterisk-users] chan_sip doesn't authenticate on INVITE from a Dial() command
Antony Stone
Antony.Stone at asterisk.open.source.it
Sun Oct 25 10:27:00 CDT 2020
Hi.
I'm trying to get Asterisk 13 to authenticate when it sends an INVITE, and for
some reason it's simply not doing it.
I've even resorted to reading the source code to try and work out what I'm
doing wrong...
In channels/chan_sip.c I find:

 * SIP Dial string syntax:
 *    SIP/devicename
 * or SIP/username@domain (SIP uri)
 * or SIP/username[:password[:md5secret[:authname[:transport]]]]@host[:port]
 * or SIP/devicename/extension
 * or SIP/devicename/extension/IPorHost
 * or SIP/username@domain//IPorHost
 * and there is an optional [!dnid] argument you can append to alter the
 * To: header.

(Note: I don't think I have ever seen that optional "!dnid" argument
documented anywhere...?)
So, the version with the username and password looks to me like what I want...

    Dial(SIP/${SIPuser}:${SIPpass}@${SIPhost})
or else
    Dial(SIP/${SIPuser}:${SIPpass}@${SIPhost}!${SIPdial})

would seem to be what I need (I need to authenticate to SIPhost with the
credentials SIPuser and SIPpass and I want to dial on to SIPdial).
However, doing this results in the NOTICE message:

    chan_sip.c:23862 handle_response_invite: Failed to authenticate on INVITE to '"Antony Stone" <sip:Polycom650@198.51.100.29>;tag=as6625b0b4'

The first thing which puzzles me about this is that 198.51.100.29 is the IP
address of the telephone I dialled *in* to the context with in order to cause
the Dial() command to get processed (and Polycom650 is indeed the username of
the telephone).
This has nothing at all to do with the username and password I'm trying to
authenticate with at the remote server.
If I do a packet capture on this machine to show what it's actually sending
out to SIPhost, I see three packets:

    1 0.000000000 192.0.2.29 → 203.0.113.56 SIP/SDP 960 Request: INVITE sip:9411@the.remote.ser.ver
    2 0.007364024 203.0.113.56 → 192.0.2.29 SIP 558 Status: 401 Unauthorized
    3 0.007552844 192.0.2.29 → 203.0.113.56 SIP 485 Request: ACK sip:9411@the.remote.ser.ver

and that's it.
Asterisk sends the (unauthorised) INVITE, as normal, the remote server
understandably says "401 Unauthorised" in response, to which I expect Asterisk
to say "ACK" and then repeat the INVITE with the authentication included, but
it does nothing after the ACK - it doesn't even try to authenticate.
If I create a stanza in sip.conf such as:

    [RemoteServer]
    type=peer
    fromuser=9411
    secret=3ce12cda9d
    host=the.remote.ser.ver

and change the Dial() to:

    Dial(SIP/RemoteServer/${SIPdial})

then all works, and the packet capture shows me exactly the same as above, but
then followed by a fourth packet, which is the INVITE complete with
authentication (which of course works).
However, creating stanzas in sip.conf is not an option for me, since I need to
be able to dial out using account credentials which are going to be passed in
to the dialplan as variables from an AMI Originate request (I'm creating this
dialplan in order to check whether credentials which have been supplied to me
are in fact correct and allow me to place a call).
So, what am I doing wrong - how can I get Asterisk to actually use the
credentials which I've supplied in the Dial() command?
Thanks for any help :)
Antony.
--
I conclude that there are two ways of constructing a software design: One way
is to make it so simple that there are _obviously_ no deficiencies, and the
other way is to make it so complicated that there are no _obvious_
deficiencies.
- C A R Hoare
Please reply to the list;
please *don't* CC me.