Markus
2020-Aug-29 20:37 UTC
[asterisk-users] 401 Unauthorized when originating SIP user exists on remote server
Hi list!
I'm trying to make a SIP test call from Bria and/or 3CXPhone from a PC
behind NAT.
From Bria/3CXPhone I connect to an Asterisk 11.25.0 server on the
internet at 100.100.94.210 with a SIP account "3333" created in
sip.conf:
[3333]
type=friend
secret=something
host=dynamic
nat=yes
qualify=no
disallow=all
allow=alaw
allow=ulaw
canreinvite=no
context=voipin
I dial +1234 which goes to remote-server:
exten => +1234,1,Dial(SIP/${EXTEN}@remote-server)
On remote-server (IP: 100.100.92.16), which is running Asterisk 10.7.1,
I have the following entry for 100.100.94.210 in sip.conf:
[incoming-server]
host=100.100.94.210
type=peer
insecure=port,invite
context=voipin
disallow=all
allow=alaw
canreinvite=no
dtmfmode=rfc2833
However, there's also a SIP account "3333" on that same server:
[3333]
type=friend
secret=something
host=dynamic
nat=yes
qualify=no
disallow=all
allow=alaw
allow=ulaw
canreinvite=no
context=voipin
When I make that call I get "401 Unauthorized" from remote-server.
When
I modify the username on 100.100.94.210 to "4444" or anything else
that
doesn't exist on 100.100.92.16, the call connects.
tcpdump:
100.100.94.210.5060 > 100.100.92.16.5060: SIP, length: 839
INVITE sip:+1234 at 100.100.92.16 SIP/2.0
Via: SIP/2.0/UDP 100.100.94.210:5060;branch=z9hG4bK0aa2c03b
Max-Forwards: 70
From: <sip:3333 at 100.100.94.210>;tag=as14990327
To: <sip:+1234 at 100.100.92.16>
Contact: <sip:3333 at 100.100.94.210:5060>
Call-ID: 6c33aa196f7a2c206a6b50a27b6a23d6 at 100.100.94.210:5060
CSeq: 102 INVITE
User-Agent: Asterisk PBX 11.25.0
Shouldn't Asterisk check first for IP-based authentication and ignore
the From: part? In my case, use only the "incoming-server" peer.
Let's imagine remote-server would receive SIP calls which originate from
the PSTN... and the originating caller somewhere in the world uses
"3333" as username/CLI so that it makes it into the "From:
sip:....@"
part. That call would also get rejected with 401 Unauthorized if I'm not
mistaken?
Is there a switch I'm missing?
Thank you, as always!
Markus
Joshua C. Colp
2020-Aug-30 10:29 UTC
[asterisk-users] 401 Unauthorized when originating SIP user exists on remote server
On Sat, Aug 29, 2020 at 5:39 PM Markus <universe at truemetal.org> wrote: <snip>> Shouldn't Asterisk check first for IP-based authentication and ignore > the From: part? In my case, use only the "incoming-server" peer. > > Let's imagine remote-server would receive SIP calls which originate from > the PSTN... and the originating caller somewhere in the world uses > "3333" as username/CLI so that it makes it into the "From: sip:....@" > part. That call would also get rejected with 401 Unauthorized if I'm not > mistaken? > > Is there a switch I'm missing? >chan_sip has a fixed matching order where From based occurs first, there's no option to change that. The chan_pjsip module made this ordering configurable. -- Joshua C. Colp Asterisk Technical Lead Sangoma Technologies Check us out at www.sangoma.com and www.asterisk.org -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.digium.com/pipermail/asterisk-users/attachments/20200830/95c786ef/attachment.html>