Frank Bulk - iName.com
2009-Jan-06 00:24 UTC
[asterisk-users] Incoming side of SIP trunk does not work unless I add "insecure=very"
The incoming (Class 5 switch to Asterisk PBX) side of a SIP trunk does not work unless I add "insecure=very" to my "Outgoing settings", but I don't want to do that. I do want to authenticate. Outgoing (Asterisk PBX to Class 5 switch) calls do authenticate and work.

The Nortel CS 1500 I'm using as the PSTN-side of my SIP trunk has a username and password that it's sending out. But the INVITE is responded to by Asterisk with "SIP/2.0 403 Forbidden".

I've changed the INVITE message to mask the real telephone numbers, SIP server, passwords, and IP addresses, but I did that using search and replace so the structure is intact.

What do I need to configure in the "Incoming Settings" panel for the CS 1500's INVITE to my Asterisk server to work? I've tried all kinds of combinations of user,username,authname using +15552027020,host with IP and/or DNS name, but nothing appears to work.

Frank

INVITE message from Wireshark packet capture:

INVITE sip:+15552027020@sip.acme.com SIP/2.0
From: <sip:5552022441@172.16.10.40>;tag=f76c66d0-c7784528-13c4-2dbba4-767e6552-2dbba4
To: <sip:+15552027020@sip.acme.com>
Call-ID: f379f62-29173-3895-b14271f5-40802-45378@172.16.10.40
CSeq: 5102 INVITE
Via: SIP/2.0/UDP 172.16.10.40:5060;branch=z9hG4bK-2dbba4-b2a4fa3a-7cd7598
User-Agent: Nortel CS1500UA/v02.00.REL01
Accept: application/sdp
P-Asserted-Identity: <sip:5552022441@172.16.10.40;user=phone>
Privacy: none
Remote-Party-ID: <sip:5552022441@172.16.10.40;user=phone>; party=calling; privacy=off
Max-Forwards: 70
Supported: 100rel,replaces
Allow: INVITE, ACK, OPTIONS, CANCEL, BYE, REFER, PRACK
Contact: <sip:5552022441@172.16.10.40>
Authorization: Digest username="username",realm="asterisk",nonce="118af2b0",uri="sip:+15552027020@sip.acme.com",response="111e63ec2a1f3ebabefe4f7dae4087a1",algorithm=MD5
Content-Type: application/SDP
Content-Length: 167

v=0
o=- 2973921782 2973921782 IN IP4 172.16.10.65
s=SIP Call
c=IN IP4 172.16.10.65
t=0 0
m=audio 36224 RTP/AVP 0
a=rtpmap:0 PCMU/8000
a=ptime:20
a=sendrecv
Alex Balashov
2009-Jan-06 01:03 UTC
[asterisk-users] Incoming side of SIP trunk does not work unless I add "insecure=very"
Is sip.acme.com actually the domain you want to use? Keep in mind the domain is part of the digest authentication process and is a factor in the encoding of the nonce.

-- Alex Balashov
Evariste Systems
Web : http://www.evaristesys.com/
Tel : (+1) (678) 954-0670
Direct : (+1) (678) 954-0671
Mobile : (+1) (678) 237-1775
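As an added illustration (not part of the original thread), the sketch below shows which fields of the Authorization header enter the RFC 2617 MD5 digest and reports which of them would make a server reject the request. The function names are hypothetical, and the sample headers are constructed from the masked values in the thread plus an assumed peer name and secret.

```python
import hashlib
import re

def _md5(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def parse_digest(value):
    """Split 'Digest k="v",k2=v2' into a dict with lower-cased keys."""
    scheme, _, params = value.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest credential")
    found = re.findall(r'(\w+)\s*=\s*(?:"([^"]*)"|([^,\s]+))', params)
    return {k.lower(): quoted or bare for k, quoted, bare in found}

def digest_response(username, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None):
    """RFC 2617 response for algorithm=MD5, with or without qop."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    if qop:
        return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return _md5(f"{ha1}:{nonce}:{ha2}")

def diagnose(auth_value, method, server_realm, peer_name, secret):
    """List the fields that make a server holding (peer_name, secret) refuse."""
    p = parse_digest(auth_value)
    problems = []
    if p.get("realm") != server_realm:
        problems.append("realm")
    if p.get("username") != peer_name:
        problems.append("username")
    expected = digest_response(p.get("username", ""), server_realm, secret,
                               method, p.get("uri", ""), p.get("nonce", ""),
                               p.get("qop"), p.get("nc"), p.get("cnonce"))
    if p.get("response", "").lower() != expected:
        problems.append("response")
    return problems

def build_header(username, realm, password, method, uri, nonce):
    """Client side of the exchange, used only to construct the samples."""
    resp = digest_response(username, realm, password, method, uri, nonce)
    return (f'Digest username="{username}",realm="{realm}",nonce="{nonce}",'
            f'uri="{uri}",response="{resp}",algorithm=MD5')

# Constructed samples: masked values from the thread, assumed peer and secret.
URI = "sip:+15552027020@sip.acme.com"
GOOD = build_header("customername", "asterisk", "password", "INVITE", URI, "118af2b0")
BAD_REALM = build_header("customername", "sip.acme.com", "password", "INVITE", URI, "118af2b0")

if __name__ == "__main__":
    print(diagnose(GOOD, "INVITE", "asterisk", "customername", "password"))
    print(diagnose(BAD_REALM, "INVITE", "asterisk", "customername", "password"))
```

A "username" finding on its own means the secret is right but the sender is presenting a name the server has no entry for.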
Andres
2009-Jan-06 01:43 UTC
[asterisk-users] Incoming side of SIP trunk does not work unless I add "insecure=very"
Frank Bulk - iName.com wrote:
> What do I need to configure in the "Incoming Settings" panel for the CS
> 1500's INVITE to my Asterisk server to work? I've tried all kinds of
> combinations of user,username,authname using +15552027020,host with IP
> and/or DNS name, but nothing appears to work.

Do a sip debug on the asterisk console and see if it is actually matching one of your sip.conf entries during an invite from the CS1500. Look for a line that says something like 'Found Peer....bla bla bla'. If you don't see that line, then you are not even adding the correct sip.conf entry to match the invite from the CS1500.

Andres
http://www.telesip.net
Frank Bulk - iName.com
2009-Jan-06 18:19 UTC
[asterisk-users] Incoming side of SIP trunk does not work unless I add "insecure=very"
After many hours of fiddling around, Andres gave me the final piece. For those looking to implement SIP Trunks on a CS-1500 with Asterisk, here are the pieces:

Diagram:

CS-1500        ------ customer PBX
(172.16.10.40)        (172.16.10.195)

HOST: should be the DNS name assigned to the CS-1500's SIP interface. e.g. sip.acme.com
NUSR: user name used for the CS 1500 to log in to the customer PBX. Needs to match up with FreePBX's "Trunk Name". For those who use the CLI, this section in sip.conf is encased in square brackets. i.e. [customername]
NPSW: password used for the CS 1500 to log in to the customer PBX. Needs to match up with the secret= line. i.e. secret=password
IP: IP address of the customer PBX. i.e. 172.16.10.195
LUSR: user name used for the customer PBX to log in to the CS 1500. Needs to match up with the username= line. i.e. username=customername
LPSW: password used for the customer PBX to log in to the CS 1500. Needs to match up with the secret= line. i.e. secret=password.

For simplicity we made NUSR/LUSR the same and NPSW/LPSW the same. Since you need to define a trunk per customer, it makes the most sense and it is easiest to support and implement.

Here's what you need to add to Asterisk's sip.conf (yes, just those few lines!)

[customername]
host=sip.acme.com
type=friend
username=customername
secret=password

And the CS-1500 output:

TYP TG
NUM 1234
TGTP 2WAY
TGNM SIP
MG NO
SIGT SIP
STSI 0
HNPA 555
RC 0
RTP 0
TRNL PRFX
PRFX 24
APFX NONE
TRFC NONE
4XCD YES
ACKA NO
TYPC NOCO
NXX UNKN
LATA 000
CMCT NO
TGID NONE
SIT NO
CNAR NO
LRN NONE
TNDM NO
LDAT NO
TRFC NONE
EOAT NO
ATIC NO
CMCO NO
TGMU NO
HOST sip.acme.com
NUSR customername
NPSW password
IP 172.16.10.195
PORT 5060
PROT UDP
T38F NO
AUTH YES
LUSR customername
LPSW password
CLIM 7
CPBY 0

Frank
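As an added example (not from the thread or from the Asterisk project), the script below audits a sip.conf for the workaround discussed at the start of the thread: peers whose `insecure=` setting lets incoming INVITEs through without digest authentication, or that have no secret at all. Both sample configurations are constructed from the masked values above; the function names and finding labels are hypothetical.

```python
def parse_sip_conf(text):
    """Minimal sip.conf reader: [section] headers, key=value, ';' comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and "]" in line:
            current = line[1:line.index("]")]
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections

def audit(text):
    """Return (section, finding) pairs for peers that skip authentication."""
    findings = []
    for name, opts in parse_sip_conf(text).items():
        if "type" not in opts:  # [general] and other non-peer sections
            continue
        flags = {f.strip() for f in opts.get("insecure", "no").lower().split(",")}
        if flags & {"very", "invite"}:  # incoming INVITEs are not challenged
            findings.append((name, "insecure"))
        if not (opts.get("secret") or opts.get("md5secret")):
            findings.append((name, "no-secret"))
    return findings

# Constructed sample: the workaround the first message wanted to avoid.
WORKAROUND = """
[general]
bindport=5060

[customername]
type=friend
host=sip.acme.com
username=customername
secret=password
insecure=very   ; accepts the trunk's INVITEs without authenticating them
"""

# Constructed sample: the configuration from the final message.
FINAL = """
[customername]
host=sip.acme.com
type=friend
username=customername
secret=password
"""

if __name__ == "__main__":
    print(audit(WORKAROUND))
    print(audit(FINAL))
```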