<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">El 02/05/14 11:41, Alex Villacís Lasso
escribió:<br>
</div>
<blockquote cite="mid:5363CAD1.1060909@palosanto.com" type="cite">
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
<div class="moz-cite-prefix">El 02/05/14 10:49, Alex Villacís
Lasso escribió:<br>
</div>
<blockquote cite="mid:5363BEA1.2010508@palosanto.com" type="cite">
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
<div class="moz-cite-prefix">El 27/04/14 07:47, Barry Flanagan
escribió:<br>
</div>
<blockquote
cite="mid:CALJb54--1kUaxbWG+Yr-zZnfw6u_yYyZM5cAUDbY_OgNd8F0Uw@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">On 26 April 2014 00:29, Alex
Villacís Lasso <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:a_villacis@palosanto.com"
target="_blank">a_villacis@palosanto.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px
0px
0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<div style="font-family:-moz-fixed;font-size:14px"
lang="x-western">I am currently preparing a
kamailio-asterisk combination. The asterisk
installation uses realtime for SIP. The kamailio
configuration was based on the reference at <a
moz-do-not-send="true"
href="http://kb.asipto.com/asterisk:realtime:kamailio-4.0.x-asterisk-11.3.0-astdb"
target="_blank">http://kb.asipto.com/asterisk:realtime:kamailio-4.0.x-asterisk-11.3.0-astdb</a>
but has been heavily modified. Currently asterisk
runs on localhost and only listens on SIP/RTP at
127.0.0.1 . Therefore, all of the SIP traffic
appears to come from localhost, from the point of
view of asterisk. <br>
<br>
Currently I have a model on which internal SIP
phones get identified by the authentication
username, and then the contact names at From: and
To: get massaged to incorporate the SIP domain, in
order to emulate multiple-domain support. The
'sip' table in Asterisk defines all such contacts
as SIP accounts of the form <a
moz-do-not-send="true"
href="http://name_domain.com" target="_blank">name_domain.com</a>,
and the SIP phones are configured to use 'name' as
authentication username for domain '<a
moz-do-not-send="true" href="http://domain.com"
target="_blank">domain.com</a>'. However, SIP
providers that register on the server with
authentication names are left with their original
names, since in the model, SIP trunks are
available to all domains. <br>
<br>
Now I have to add support for SIP providers which
are to be authorized on the basis of IP only.
Apparently, the kamailio module permissions.so
(WITH_IPAUTH) is made for just this purpose, so I
enabled it. After authentication, I need to route
the INVITE to asterisk, and asterisk must somehow
match the account for the SIP trunk from the
available information on the INVITE request. <br>
<br>
</div>
</div>
</blockquote>
<div><br>
</div>
<div><br>
</div>
<div>What I have done in a similar situation is to use
force_send_socket in Kamailio when sending INVITEs
from your trusted host (your trunks) so that it is
coming in to Asterisk from a different port (say
5070), and then in your Asterisk sip.conf settings
create a new peer for this like so:</div>
<div><br>
</div>
<div>[peer-incoming]</div>
<div>
<div
style="font-family:arial,sans-serif;font-size:13px">context=peercontext</div>
<div
style="font-family:arial,sans-serif;font-size:13px">type=peer</div>
<div
style="font-family:arial,sans-serif;font-size:13px">
host=127.0.0.1</div>
</div>
<div style="font-family:arial,sans-serif;font-size:13px">port=5070</div>
<div style="font-family:arial,sans-serif;font-size:13px"><br>
</div>
<div style="font-family:arial,sans-serif;font-size:13px">
Now, when Asterisk receives an INVITE from <a
moz-do-not-send="true" href="http://127.0.0.1:5070">127.0.0.1:5070</a>
it will match this peer, whereas the rest, coming from
<a moz-do-not-send="true" href="http://127.0.0.1:5060">127.0.0.1:5060</a>,
will match your other subscribers.</div>
<div style="font-family:arial,sans-serif;font-size:13px"><br>
</div>
<div style="font-family:arial,sans-serif;font-size:13px">Here
is a bit of the Kamailio config:</div>
<div style="font-family:arial,sans-serif;font-size:13px">
<br>
</div>
<div style="font-family:arial,sans-serif;font-size:13px">
<div>if (is_method("INVITE"))</div>
<div> {</div>
<div> # If call is coming from a trusted source
(Trunk/PSTN) then we send it to Asterisk from port
5070</div>
<div> # so that Asterisk knows this is not
coming from a subscriber. The peer in Asterisk needs
to be set with port=5070</div>
<div> # as well as the host=<ip address></div>
<div> if (allow_trusted())</div>
<div> {</div>
<div> xlog("L_INFO","Inbound to Asterisk
from Trusted Source IP $si, Caller: $fU, Callee: $rU
with Call-ID $hdr(Call-ID)");</div>
<div> force_send_socket(<a
moz-do-not-send="true"
href="http://127.0.0.1:5070">127.0.0.1:5070</a>);</div>
<div> } else {</div>
<div> # This is a call from a registered
subscriber.</div>
<div> xlog("L_INFO","Inbound to Asterisk
from $fU to $rU with Call-ID $hdr(Call-ID)");</div>
<div> } </div>
<div> }</div>
<div> route(RELAY);</div>
<div> exit;</div>
<div>}</div>
<div><br>
</div>
</div>
<div>NOTE: Kamailio must be set to listen on <a
moz-do-not-send="true" href="http://127.0.0.1:5070">127.0.0.1:5070</a>
as well as your usual ports for this to work! Also,
your SIP Trunk trusted peers need to be in the
Kamailio trusted table, or explicitly test for the
src_ip rather than use allow_trusted().</div>
<br>
</div>
</div>
</div>
</blockquote>
I would rather have a solution that does not involve allocating
a new UDP port every time a new IP-trusted SIP trunk is
configured.<br>
<br>
I tried appending a P-Asserted Identity header to the incoming
INVITE before routing it to asterisk, like this:<br>
<br>
#!ifdef WITH_IPAUTH<br>
if((!is_method("REGISTER")) &&
allow_source_address() && $au == "")<br>
{<br>
# Attempt to create a P-Asserted-Identity if none
exists, to preserve<br>
# incoming Caller-ID<br>
if (!is_present_hf("P-Asserted-Identity"))<br>
{<br>
append_hf("P-Asserted-Identity:
<sip:$fU@$fd>\r\n");<br>
}<br>
<br>
# Loading $fU from database using IP<br>
sql_pvquery("elxpbx", "SELECT name FROM sip WHERE host =
'$si' AND sippasswd IS NULL", "$fU");<br>
<br>
# source IP allowed<br>
return;<br>
}<br>
#!endif<br>
<br>
With tcpdump, I can see that the header is indeed appended to
the SIP headers of the INVITE, but there is no effect in
Asterisk. From examination of the Asterisk 11.8.1 source code, I
see that channels/chan_sip.c contains a get_pai() function that
is supposed to process P-Asserted-Identity and extract a caller
ID. I am still studying the code, but I would appreciate help on
this issue, to see why my attempt is not working.<br>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
</blockquote>
By placing debugging statements, I think get_pai() is not being
called when receiving an incoming INVITE, corresponding to an
incoming call from the IP-authenticated trunk being handled by an
IVR, but not yet routed to an internal extension. Why is this so?
Is this by design?<br>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
</blockquote>
SOLVED: asterisk needs to be configured with trustrpid=yes in the
affected trunk for the P-Asserted-Identity header to take effect.
</body>
</html>