thr3ads.net - asterisk users - [asterisk-users] Freepbx VPN SIP Client (SIP/2.0 401 Unauthorized) [Nov 2020]

If this information is useful, please help other people find it:
Share via:

basti

2020-Nov-06 13:28 UTC

[asterisk-users] Freepbx VPN SIP Client (SIP/2.0 401 Unauthorized)

Hello,
i try to connect my SIP Client (linphone) via VPN to FreePBX.
The routing looks OK. I can ping the Endpoints and traffic is routing.
I can also Register my Sip Client.

debpbx*CLI> pjsip list contacts

   Contact:  <Aor/ContactUri..............................>
<Hash....>
<Status> <RTT(ms)..>
=========================================================================================
   Contact:  731/sip:731 at 192.168.30.132:5060                163a967d99 
Avail        15.722
   Contact:  734/sip:734 at 10.8.0.143:5060                    1b1aa8cbac 
Avail        62.180

So far so good. When I try to an other extension I get a timeout.
tcpdump:

root at debpbx:/etc/asterisk# tcpdump -ni enp0s15 host 10.8.0.143 and not 
port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s15, link-type EN10MB (Ethernet), capture size 262144 bytes
13:03:04.086687 IP 10.8.0.143.5060 > 192.168.30.28.5060: SIP: INVITE 
sip:731 at asterisk.kes SIP/2.0
13:03:04.087364 IP 192.168.30.28.5060 > 10.8.0.143.5060: SIP: SIP/2.0 
401 Unauthorized
13:03:04.126101 IP 10.8.0.143.5060 > 192.168.30.28.5060: SIP: ACK 
sip:731 at asterisk.kes SIP/2.0
13:03:09.054643 IP 10.8.0.143.5060 > 192.168.30.28.5060: SIP
13:03:14.112561 IP 192.168.30.28.5060 > 10.8.0.143.5060: SIP: OPTIONS 
sip:734 at 10.8.0.143:5060 SIP/2.0
13:03:14.162609 IP 10.8.0.143.5060 > 192.168.30.28.5060: SIP: SIP/2.0 200 Ok
13:03:19.057752 IP 10.8.0.143.5060 > 192.168.30.28.5060: SIP
13:03:29.060765 IP 10.8.0.143.5060 > 192.168.30.28.5060: SIP
13:03:44.672509 IP 10.8.0.143.5060 > 192.168.30.28.5060: SIP

I think the SIP/2.0 401 Unauthorized is the problem.
I also had add the VPN IP range to the local_net but that does not solve 
the problem.

root at debpbx:/etc/asterisk# grep -ri 10.8.0
sip_general_additional.conf:localnet=10.8.0.0/24
pjsip.transports.conf:local_net=10.8.0.0/24

John Fawcett

2020-Nov-08 13:18 UTC

head link

[asterisk-users] Freepbx VPN SIP Client (SIP/2.0 401 Unauthorized)

On 06/11/2020 14:28, basti wrote:> Hello,
> i try to connect my SIP Client (linphone) via VPN to FreePBX.
> The routing looks OK. I can ping the Endpoints and traffic is routing.
> I can also Register my Sip Client.
>
> debpbx*CLI> pjsip list contacts
>
>   Contact:  <Aor/ContactUri..............................>
<Hash....>
> <Status> <RTT(ms)..>
>
=========================================================================================>
>
>   Contact:  731/sip:731 at 192.168.30.132:5060                163a967d99
> Avail        15.722
>   Contact:  734/sip:734 at 10.8.0.143:5060                    1b1aa8cbac
> Avail        62.180
>
> So far so good. When I try to an other extension I get a timeout.
> tcpdump:
>
> root at debpbx:/etc/asterisk# tcpdump -ni enp0s15 host 10.8.0.143 and not
> port 80
> tcpdump: verbose output suppressed, use -v or -vv for full protocol
> decode
> listening on enp0s15, link-type EN10MB (Ethernet), capture size 262144
> bytes
> 13:03:04.086687 IP 10.8.0.143.5060 > 192.168.30.28.5060: SIP: INVITE
> sip:731 at asterisk.kes SIP/2.0
> 13:03:04.087364 IP 192.168.30.28.5060 > 10.8.0.143.5060: SIP: SIP/2.0
> 401 Unauthorized
> 13:03:04.126101 IP 10.8.0.143.5060 > 192.168.30.28.5060: SIP: ACK
> sip:731 at asterisk.kes SIP/2.0
> 13:03:09.054643 IP 10.8.0.143.5060 > 192.168.30.28.5060: SIP
> 13:03:14.112561 IP 192.168.30.28.5060 > 10.8.0.143.5060: SIP: OPTIONS
> sip:734 at 10.8.0.143:5060 SIP/2.0
> 13:03:14.162609 IP 10.8.0.143.5060 > 192.168.30.28.5060: SIP: SIP/2.0
> 200 Ok
> 13:03:19.057752 IP 10.8.0.143.5060 > 192.168.30.28.5060: SIP
> 13:03:29.060765 IP 10.8.0.143.5060 > 192.168.30.28.5060: SIP
> 13:03:44.672509 IP 10.8.0.143.5060 > 192.168.30.28.5060: SIP
>
> I think the SIP/2.0 401 Unauthorized is the problem.
> I also had add the VPN IP range to the local_net but that does not
> solve the problem.
>
> root at debpbx:/etc/asterisk# grep -ri 10.8.0
> sip_general_additional.conf:localnet=10.8.0.0/24
> pjsip.transports.conf:local_net=10.8.0.0/24
>
>Your tcpdump doesn't show the full data of the invite and the 401
response. You'd probably be better of logging the sip messages from
asterisk console with something like:

pjsip set logger host 10.8.0.143

It's quite normal to have an initial 401 response to the first
unauthorized INVITE. The 401 should contain an authentication header.
The 401 response should be followed up by a second INVITE containing an
authorization header. Maybe credentials are not setup correctly on the
sip client.

John

asterisk users - Nov 2020 - Freepbx VPN SIP Client (SIP/2.0 401 Unauthorized)

[asterisk-users] Freepbx VPN SIP Client (SIP/2.0 401 Unauthorized)

[asterisk-users] Freepbx VPN SIP Client (SIP/2.0 401 Unauthorized)