ian@drumoak.demon.co.uk
2004-Oct-07 06:47 UTC
[Asterisk-Users] Confused about NAT and Authentication with FWD
I have recently started experimenting with Asterisk. I am running the system the
other side of a NAT router and trying to connect to FWD. I have opened UDP
ports and have configured sip.conf to handle NAT.
The problem:
I can call from the FWD phone and the extension on Asterisk rings and there is
two-way sound, so no problem.
Now if in the extension.conf file I have,
exten => _.,3,Dial(SIP/${EXTEN}@fwd,20)
where fwd is the same name as the definition in sip.conf then I can see that
Asterisk is handling the call as if it is going across the NAT (see attached
sip debug output). However (there is always a however) I get and the call
fails.
Oct 6 20:01:20 NOTICE[1087269568]: chan_sip.c:6766 handle_response: Failed to
authenticate on INVITE to '"465605"
<sip:465605@fwd.pulver.com>;tag=as1ba1c908'
If I change the Dial entry in extension.conf to
exten => _.,3,Dial(SIP/${EXTEN}@fwd.pulver.com,20)
Then I no longer see the outgoing connection being handled as if it is going
across a NAT. The call does connect, but there is only sound from the Asterisk
originating end; I cannot get sound from the FWD end.
What am I doing wrong?
CALL with exten => _.,3,Dial(SIP/${EXTEN}@fwd,20)
Contact: <sip:465605@68.107.251.237>
Call-ID: 2317f28d1068db997e49c4d57ae5c27e@fwd.pulver.com
CSeq: 103 ACK
User-Agent: Asterisk PBX
Content-Length: 0
(NAT) to 69.90.155.70:5060
We're at 68.107.251.237 port 16988
Answering/Requesting with root capability 4
Answering with preferred capability 0x8(ALAW)
Answering with non-codec capability 0x1(G723)
Reliably Transmitting:
INVITE sip:467919@fwd.pulver.com SIP/2.0
Via: SIP/2.0/UDP 68.107.251.237:5060;branch=z9hG4bK5ff7a339;rport
From: "465605" <sip:465605@fwd.pulver.com>;tag=as1ba1c908
To: <sip:467919@fwd.pulver.com>
Contact: <sip:465605@68.107.251.237>
Call-ID: 2317f28d1068db997e49c4d57ae5c27e@fwd.pulver.com
CSeq: 104 INVITE
User-Agent: Asterisk PBX
Proxy-Authorization: Digest username="",
realm="fwd.pulver.com", algorithm=MD5,
uri="sip:467919@fwd.pulver.com",
nonce="4164968c9e998958628497b2972ac7a4f16294a3",
response="a2898d0ce04b6e2eab98239005f7fdef", opaque=""
Date: Thu, 07 Oct 2004 01:01:20 GMT
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER
Content-Type: application/sdp
Content-Length: 242
v=0
o=root 3282 3284 IN IP4 68.107.251.237
s=session
c=IN IP4 68.107.251.237
t=0 0
m=audio 16988 RTP/AVP 0 8 101
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=silenceSupp:off - - - -
(NAT) to 69.90.155.70:5060
Sip read:
SIP/2.0 407 Proxy Authentication Required
Via: SIP/2.0/UDP 68.107.251.237:5060;branch=z9hG4bK5ff7a339;rport=5060
From: "465605" <sip:465605@fwd.pulver.com>;tag=as1ba1c908
To: <sip:467919@fwd.pulver.com>;tag=cb2000b247d89723001a836145f3b053.3772
Call-ID: 2317f28d1068db997e49c4d57ae5c27e@fwd.pulver.com
CSeq: 104 INVITE
Proxy-Authenticate: Digest realm="fwd.pulver.com",
nonce="4164968c9e998958628497b2972ac7a4f16294a3"
Server: Sip EXpress router (0.8.12 (i386/linux))
Content-Length: 0
9 headers, 0 lines
Transmitting:
ACK sip:467919@fwd.pulver.com SIP/2.0
Via: SIP/2.0/UDP 68.107.251.237:5060;branch=z9hG4bK5ff7a339;rport
From: "465605" <sip:465605@fwd.pulver.com>;tag=as1ba1c908
To: <sip:467919@fwd.pulver.com>;tag=cb2000b247d89723001a836145f3b053.3772
Contact: <sip:465605@68.107.251.237>
Call-ID: 2317f28d1068db997e49c4d57ae5c27e@fwd.pulver.com
CSeq: 104 ACK
User-Agent: Asterisk PBX
Content-Length: 0
(NAT) to 69.90.155.70:5060
Oct 6 20:01:20 NOTICE[1087269568]: chan_sip.c:6766 handle_response: Failed to
authenticate on INVITE to '"465605"
<sip:465605@fwd.pulver.com>;tag=as1ba1c908'
Reliably Transmitting:
CANCEL sip:467919@fwd.pulver.com SIP/2.0
Via: SIP/2.0/UDP 68.107.251.237:5060;branch=z9hG4bK5ff7a339;rport
From: "465605" <sip:465605@fwd.pulver.com>;tag=as1ba1c908
To: <sip:467919@fwd.pulver.com>
Contact: <sip:465605@68.107.251.237>
Call-ID: 2317f28d1068db997e49c4d57ae5c27e@fwd.pulver.com
CSeq: 104 CANCEL
User-Agent: Asterisk PBX
Proxy-Authorization: Digest username="",
realm="fwd.pulver.com", algorithm=MD5,
uri="sip:467919@fwd.pulver.com",
nonce="4164968c9e998958628497b2972ac7a4f16294a3",
response="8228360b3e3e342544e5c08d16cc824e", opaque=""
Content-Length: 0
Call with exten => _.,3,Dial(SIP/${EXTEN}@fwd.pulver.com,20)
Sip read:
INVITE sip:467919@192.168.0.163 SIP/2.0
Via: SIP/2.0/UDP 192.168.0.160:5060;branch=z9hG4bK-2729a2aa
From: SPA2202 <sip:2000@192.168.0.163>;tag=d7f857520fa6972o0
To: <sip:467919@192.168.0.163>
Call-ID: 4dd7bf1-74628526@192.168.0.160
CSeq: 101 INVITE
Max-Forwards: 70
Contact: SPA2202 <sip:2000@192.168.0.160:5060>
Expires: 240
User-Agent: Sipura/SPA2000-2.0.10(e)
Content-Length: 428
Allow: ACK, BYE, CANCEL, INFO, INVITE, NOTIFY, OPTIONS, REFER
Supported: x-sipura
Content-Type: application/sdp
v=0
o=- 25855460 25855460 IN IP4 192.168.0.160
s=-
c=IN IP4 192.168.0.160
t=0 0
m=audio 16388 RTP/AVP 2 0 4 8 18 96 97 98 100 101
a=rtpmap:2 G726-32/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:4 G723/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:18 G729a/8000
a=rtpmap:96 G726-40/8000
a=rtpmap:97 G726-24/8000
a=rtpmap:98 G726-16/8000
a=rtpmap:100 NSE/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
a=ptime:30
a=sendrecv
14 headers, 19 lines
Using latest request as basis request
Sending to 192.168.0.160 : 5060 (NAT)
Found RTP audio format 2
Found RTP audio format 0
Found RTP audio format 4
Found RTP audio format 8
Found RTP audio format 18
Found RTP audio format 96
Found RTP audio format 97
Found RTP audio format 98
Found RTP audio format 100
Found RTP audio format 101
Peer audio RTP is at port 192.168.0.160:16388
Found description format G726-32
Found description format PCMU
Found description format G723
Found description format PCMA
Found description format G729a
Found description format G726-40
Found description format G726-24
Found description format G726-16
Found description format NSE
Found description format telephone-event
Capabilities: us - 0xc(ULAW|ALAW), peer -
audio=0x51d(G723|ULAW|ALAW|G726|G729A|ILBC)/video=0x0(EMPTY), combined -
0xc(ULAW|ALAW)
Non-codec capabilities: us - 0x1(G723), peer - 0x1(G723), combined - 0x1(G723)
Reliably Transmitting (no NAT):
SIP/2.0 407 Proxy Authentication Required
Via: SIP/2.0/UDP 192.168.0.160:5060;branch=z9hG4bK-2729a2aa
From: SPA2202 <sip:2000@192.168.0.163>;tag=d7f857520fa6972o0
To: <sip:467919@192.168.0.163>;tag=as054b897b
Call-ID: 4dd7bf1-74628526@192.168.0.160
CSeq: 101 INVITE
User-Agent: Asterisk PBX
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER
Contact: <sip:467919@192.168.0.163>
Proxy-Authenticate: Digest realm="asterisk",
nonce="21a2c901"
Content-Length: 0
to 192.168.0.160:5060
Scheduling destruction of call '4dd7bf1-74628526@192.168.0.160' in 15000
ms
Found user '2000'
Sip read:
ACK sip:467919@192.168.0.163 SIP/2.0
Via: SIP/2.0/UDP 192.168.0.160:5060;branch=z9hG4bK-2729a2aa
From: SPA2202 <sip:2000@192.168.0.163>;tag=d7f857520fa6972o0
To: <sip:467919@192.168.0.163>;tag=as054b897b
Call-ID: 4dd7bf1-74628526@192.168.0.160
CSeq: 101 ACK
Max-Forwards: 70
Contact: SPA2202 <sip:2000@192.168.0.160:5060>
User-Agent: Sipura/SPA2000-2.0.10(e)
Content-Length: 0
10 headers, 0 lines
Sip read:
INVITE sip:467919@192.168.0.163 SIP/2.0
Via: SIP/2.0/UDP 192.168.0.160:5060;branch=z9hG4bK-1051ed72
From: SPA2202 <sip:2000@192.168.0.163>;tag=d7f857520fa6972o0
To: <sip:467919@192.168.0.163>
Call-ID: 4dd7bf1-74628526@192.168.0.160
CSeq: 102 INVITE
Max-Forwards: 70
Proxy-Authorization: Digest
username="2000",realm="asterisk",nonce="21a2c901",uri="sip:467919@192.168.0.163",algorithm=MD5,response="8471345eb0616f4f354cb5da516e4c19"
Contact: SPA2202 <sip:2000@192.168.0.160:5060>
Expires: 240
User-Agent: Sipura/SPA2000-2.0.10(e)
Content-Length: 428
Allow: ACK, BYE, CANCEL, INFO, INVITE, NOTIFY, OPTIONS, REFER
Supported: x-sipura
Content-Type: application/sdp
v=0
o=- 25855460 25855460 IN IP4 192.168.0.160
s=-
c=IN IP4 192.168.0.160
t=0 0
m=audio 16388 RTP/AVP 2 0 4 8 18 96 97 98 100 101
a=rtpmap:2 G726-32/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:4 G723/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:18 G729a/8000
a=rtpmap:96 G726-40/8000
a=rtpmap:97 G726-24/8000
a=rtpmap:98 G726-16/8000
a=rtpmap:100 NSE/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
a=ptime:30
a=sendrecv
15 headers, 19 lines
Using latest request as basis request
Sending to 192.168.0.160 : 5060 (non-NAT)
Found RTP audio format 2
Found RTP audio format 0
Found RTP audio format 4
Found RTP audio format 8
Found RTP audio format 18
Found RTP audio format 96
Found RTP audio format 97
Found RTP audio format 98
Found RTP audio format 100
Found RTP audio format 101
Peer audio RTP is at port 192.168.0.160:16388
Found description format G726-32
Found description format PCMU
Found description format G723
Found description format PCMA
Found description format G729a
Found description format G726-40
Found description format G726-24
Found description format G726-16
Found description format NSE
Found description format telephone-event
Capabilities: us - 0xc(ULAW|ALAW), peer -
audio=0x51d(G723|ULAW|ALAW|G726|G729A|ILBC)/video=0x0(EMPTY), combined -
0xc(ULAW|ALAW)
Non-codec capabilities: us - 0x1(G723), peer - 0x1(G723), combined - 0x1(G723)
Found user '2000'
Looking for 467919 in sip
list_route: hop: <sip:2000@192.168.0.160:5060>
Transmitting (no NAT):
SIP/2.0 100 Trying
Via: SIP/2.0/UDP 192.168.0.160:5060;branch=z9hG4bK-1051ed72
From: SPA2202 <sip:2000@192.168.0.163>;tag=d7f857520fa6972o0
To: <sip:467919@192.168.0.163>;tag=as4fa94ab9
Call-ID: 4dd7bf1-74628526@192.168.0.160
CSeq: 102 INVITE
User-Agent: Asterisk PBX
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER
Contact: <sip:467919@192.168.0.163>
Content-Length: 0
to 192.168.0.160:5060
We're at 68.107.251.237 port 13108
Answering/Requesting with root capability 4
Answering with preferred capability 0x8(ALAW)
Answering with non-codec capability 0x1(G723)
12 headers, 11 lines
Reliably Transmitting:
INVITE sip:467919@fwd.pulver.com SIP/2.0
Via: SIP/2.0/UDP 68.107.251.237:5060;branch=z9hG4bK4b2b17a4
From: "465605" <sip:465605@68.107.251.237>;tag=as7dd80117
To: <sip:467919@fwd.pulver.com>
Contact: <sip:465605@68.107.251.237>
Call-ID: 6ddd80ff6e776bc610230a926b4cf89d@68.107.251.237
CSeq: 102 INVITE
User-Agent: Asterisk PBX
Date: Thu, 07 Oct 2004 00:56:48 GMT
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER
Content-Type: application/sdp
Content-Length: 242
v=0
o=root 3282 3282 IN IP4 68.107.251.237
s=session
c=IN IP4 68.107.251.237
t=0 0
m=audio 13108 RTP/AVP 0 8 101
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=silenceSupp:off - - - -
(no NAT) to 69.90.155.70:5060
Sip read:
SIP/2.0 100 trying -- your call is important to us
Via: SIP/2.0/UDP 68.107.251.237:5060;branch=z9hG4bK4b2b17a4
From: "465605" <sip:465605@68.107.251.237>;tag=as7dd80117
To: <sip:467919@fwd.pulver.com>
Call-ID: 6ddd80ff6e776bc610230a926b4cf89d@68.107.251.237
CSeq: 102 INVITE
Server: Sip EXpress router (0.8.12 (i386/linux))
Content-Length: 0
sip.conf
[general]
port = 5060
bindaddr = 192.168.0.163
externip = 68.107.251.237
localnet = 192.168.0.0/255.255.255.0
context = sip
serverlookup = yes
tos = reliability
nat=yes
disallow = all
allow = ulaw
allow = alaw
context = from-sip
reinvite = no
caninvite = no
maxexpirey = 180
defaultexpirey = 160
register => 465605:password@fwd.pulver.com/2000
[fwd]
type=friend
secret=password
usename=465605
fromuser=465605
fromdomain=fwd.pulver.com
host=fwd.pulver.com
dtmfmode=rfc2833
disallow=all
allow=ulaw
allow=alaw
nat=yes
reinvite=no
canreinvite=no
insecure=very
qualify=yes
context=sip
promsicredir=yes
[2000]
type=friend
username=2000
secret=password
host=dynamic
context=sip
mailbox=2000
callerid="SPA1" <2000>
dtmfmode=inband
disallow=all
allow=ulaw
allow=alaw
nat=0
extension conf
[general]
static=yes
writeprotect=yes
[sip]
exten => 2000,1,Dial(SIP/2000,20)
exten => 2000,2,Voicemail(u2000)
exten => 2000,102,Voicemail(b2000)
exten => 2000,103,Hangup
exten => _.,1,SetCallerID(465605)
exten => _.,2,SetCIDName(465605)
exten => _.,3,Dial(SIP/${EXTEN}@fwd,20)
Thanks
Ian L
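Added example, not part of the original post: a small Python check that reads the Digest credentials out of a SIP request and reports why a proxy would answer 407 again. Run on the INVITE from the first trace it reports the empty username; the [fwd] section of the posted sip.conf spells that key "usename". The function names and the sample password used in testing are assumptions made for this example.

```python
import hashlib
import re

# Constructed sample: the INVITE credentials as printed in the first trace,
# with continuation lines indented as folded SIP headers are on the wire.
TRACE = '''INVITE sip:467919@fwd.pulver.com SIP/2.0
CSeq: 104 INVITE
Proxy-Authorization: Digest username="",
 realm="fwd.pulver.com", algorithm=MD5,
 uri="sip:467919@fwd.pulver.com",
 nonce="4164968c9e998958628497b2972ac7a4f16294a3",
 response="a2898d0ce04b6e2eab98239005f7fdef", opaque=""
Content-Length: 0
'''

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(username, realm, password, method, uri, nonce):
    """RFC 2617 response without qop, the form used in this trace."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

def parse_credentials(message):
    """Return (method, params) for the Digest credentials of one SIP request."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", message)  # join folded header lines
    method = unfolded.split(None, 1)[0]
    m = re.search(r"^(?:Proxy-)?Authorization:\s*Digest\s+(.*)$",
                  unfolded, re.M | re.I)
    if not m:
        return method, None
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^\s,]+))', m.group(1))
    return method, {k.lower(): quoted or bare for k, quoted, bare in pairs}

def audit(message, password=None):
    """List reasons a proxy would reject the credentials in this request."""
    method, p = parse_credentials(message)
    if p is None:
        return ["no Digest credentials present"]
    findings = []
    if not p.get("username"):
        findings.append("empty username: no account for the proxy to look up")
    if password is not None:
        expected = digest_response(p.get("username", ""), p["realm"], password,
                                   method, p["uri"], p["nonce"])
        if expected != p.get("response"):
            findings.append("response does not match the supplied password")
    return findings
```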
Kristian Kielhofner
2004-Oct-07 08:23 UTC
[Asterisk-Users] Confused about NAT and Authentication with FWD
ian@drumoak.demon.co.uk wrote:
> I have recently started experimenting with Asterisk. I am running the
> system the other side of the a NAT router and trying to connect to
> FWD. I have opened UDP ports and have configured sip.conf to handle
> NAT.
>
> The problem:
>
> I can call from the FWD phone and the extension on Asterisk rings and
> there is two way sound so no problem.
>
> Now if in the extension.conf file I have, exten =>
> _.,3,Dial(SIP/${EXTEN}@fwd,20)
>
> where fwd is the same name as the definition in sip.conf then I can
> see that Asterisk is handling the call as if it is going across the
> NAT ( see attached sip debug output). However (there is always a
> however) I get and the call fails.
>
> Oct 6 20:01:20 NOTICE[1087269568]: chan_sip.c:6766 handle_response:
> Failed to authenticate on INVITE to '"465605"
> <sip:465605@fwd.pulver.com>;tag=as1ba1c908'
>
> If I change the Dial entry in extension.conf to
>
> exten => _.,3,Dial(SIP/${EXTEN}@fwd.pulver.com,20)
>
> Then I no longer see the outgoing connection being handled as if it
> is going across a NAT. The call does connect but there is only sound
> from the asterisk originating end I cannot get sound from the FWD
> end.
>
> What Am I doing wrong.
>

Two things to do that I can think of:

1) In sip.conf, add externip="your ip here" under [general]. "Your ip here" should be the public address that you connect to the net with. If you are on the same network as the * box, go to getip.dyndns.org - and it will tell you what to put here.
2) Modify rtp.conf to change the port range, and then tell your NAT firewall to forward that range (as well as SIP) to your * box.

Other than that, it is FWD specific... You may want to look at chan_sip2 (which has outgoing proxy support, something that FWD uses to help with the SIP NAT problem).

--
Kristian Kielhofner