asterisk users - Aug 2017 - Outbound Calls via Proxy to use Call ID from registration

Hello List

I work at an SIP Provider and we have added and SBC in front of our
Voice Switch to protect it.

This requires all our SIP Trunk customers to register via a 'proxy'.

I struggle with Asterisk to work over a proxy.

This is what I have done so far.

register => username at sip.example.com:password at sbc.example.com

This works fine, asterisk is sending registrations via the SBC to the
voice switch defined by URI.

[username]
type=peer
secret=password
host=sip.example.com
outboundproxy=sbc.example.com
context=from-ISP-X

From the Dialplan that string is dialed:

Dial(SIP/username/${EXTEN})

This works fine, asterisk sends the call to the outboundproxy defined
in the sip.conf section of [username].

Before adding outboundproxy setting, incomming calls were
matched because they originated from the host and passed to the correct
context.

I have set allowguest=no to challenge all those sip attackers in
[default] who occasionaly managed to call internal extensions defined
there.

Now incomming calls do not originate from the ip of sip.example.com
anymore, but from the ip of sbc.example.com and are not set to the
context [from-ISP-X] but probably to [default] and challenged.

Of course, I could allow guests, but that would bring back the problem
of having unwanted calls from sip scanners.

So how do I tell the asterisk to also match calls from the ip of the
outbound proxy?

-Beno?t Panizzon-
-- 
I m p r o W a r e   A G    -    Leiter Commerce Kunden
______________________________________________________

Zurlindenstrasse 29             Tel  +41 61 826 93 00
CH-4133 Pratteln                Fax  +41 61 826 93 01
Schweiz                         Web  http://www.imp.ch
______________________________________________________

Not sure maybe there's a better solution but I thought about using another
peer with type=user for incoming connections.

On Mon, May 22, 2017, 6:13 PM Benoit Panizzon <benoit.panizzon at imp.ch>
wrote:
> Hello List
>
> I work at an SIP Provider and we have added and SBC in front of our
> Voice Switch to protect it.
>
> This requires all our SIP Trunk customers to register via a
'proxy'.
>
> I struggle with Asterisk to work over a proxy.
>
> This is what I have done so far.
>
> register => username at sip.example.com:password at sbc.example.com
>
> This works fine, asterisk is sending registrations via the SBC to the
> voice switch defined by URI.
>
> [username]
> type=peer
> secret=password
> host=sip.example.com
> outboundproxy=sbc.example.com
> context=from-ISP-X
>
> From the Dialplan that string is dialed:
>
> Dial(SIP/username/${EXTEN})
>
> This works fine, asterisk sends the call to the outboundproxy defined
> in the sip.conf section of [username].
>
> Before adding outboundproxy setting, incomming calls were
> matched because they originated from the host and passed to the correct
> context.
>
> I have set allowguest=no to challenge all those sip attackers in
> [default] who occasionaly managed to call internal extensions defined
> there.
>
> Now incomming calls do not originate from the ip of sip.example.com
> anymore, but from the ip of sbc.example.com and are not set to the
> context [from-ISP-X] but probably to [default] and challenged.
>
> Of course, I could allow guests, but that would bring back the problem
> of having unwanted calls from sip scanners.
>
> So how do I tell the asterisk to also match calls from the ip of the
> outbound proxy?
>
> -Beno?t Panizzon-
> --
> I m p r o W a r e   A G    -    Leiter Commerce Kunden
> ______________________________________________________
>
> Zurlindenstrasse 29             Tel  +41 61 826 93 00
> CH-4133 Pratteln                Fax  +41 61 826 93 01
> Schweiz                         Web  http://www.imp.ch
> ______________________________________________________
>
> --
> _____________________________________________________________________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>
> Check out the new Asterisk community forum at:
> https://community.asterisk.org/
>
> New to Asterisk? Start here:
>       https://wiki.asterisk.org/wiki/display/AST/Getting+Started
>
> asterisk-users mailing list
> To UNSUBSCRIBE or update options visit:
>    http://lists.digium.com/mailman/listinfo/asterisk-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.digium.com/pipermail/asterisk-users/attachments/20170522/8338bfc1/attachment.html>

Hello List
> I work at an SIP Provider and we have added and SBC in front of our
> Voice Switch to protect it.
Well using two peers for incomming and outgoing calls solve the
previous issue.

Now I have a new one.

The SBC in use needs to match incomming calls from the asterisk with
the call id used in the registration.

We have tested this with a couple of PBX, which do use the call ID used
during registration automatically for outbound invites.

Not so my asterisk server.

So I assumed that when I refer to a 'peer' definition in the register
statement, I could make asterisk understand, that the registration and
outgoing peers belong together and then use the same call ID.

But how do I refer to a peer in the registration statement?

I did try different variants of:

register => sip-user at sip-outbound

[sip-outbound]
username=sip-user
secret=go-fishing
type=peer
host=asterisk-pbs.example.com
outboundproxy=ip.address.of.proxy
insecure=invite,port
qualify=yes
dtfmmode=auto
canreinvite=yes
context=from-sip
nat=no
t38pt_udptl=yes

But that is not matching.

If course if I do:

register=>sip-user at asterisk-pbs.example.com:go-fishing at
ip.address.of.proxy

registration is successfull, but invites sent via dial
sip://callerid at sip-outbound do not match the call ID used during
registration.

Anyone a hint how to make asterisk properly use the call ID of the
registration?

-Beno?t Panizzon-
-- 
I m p r o W a r e   A G    -    Leiter Commerce Kunden
______________________________________________________

Zurlindenstrasse 29             Tel  +41 61 826 93 00
CH-4133 Pratteln                Fax  +41 61 826 93 01
Schweiz                         Web  http://www.imp.ch
______________________________________________________

On Mon, Aug 28, 2017, at 05:45 AM, Benoit Panizzon
wrote:
> Hello List
> 
> > I work at an SIP Provider and we have added and SBC in front of our
> > Voice Switch to protect it.
> 
> Well using two peers for incomming and outgoing calls solve the
> previous issue.
> 
> Now I have a new one.
> 
> The SBC in use needs to match incomming calls from the asterisk with
> the call id used in the registration.
> 
> We have tested this with a couple of PBX, which do use the call ID used
> during registration automatically for outbound invites.
> 
> Not so my asterisk server.
> 
> So I assumed that when I refer to a 'peer' definition in the
register
> statement, I could make asterisk understand, that the registration and
> outgoing peers belong together and then use the same call ID.
Can you define what exactly you mean by call id? If you are referring to
the Call-ID SIP header that's not how it works. It's unique within a
dialog and not reused like that[1][2].

[1] https://tools.ietf.org/html/rfc3261#page-37
[2] https://tools.ietf.org/html/rfc3261#section-20.8

-- 
Joshua Colp
Digium, Inc. | Senior Software Developer
445 Jan Davis Drive NW - Huntsville, AL 35806 - US
Check us out at: www.digium.com & www.asterisk.org