Hello Mathias,
ok – if you got more details about that particular issue with the KEMI compared to the traditional cfg language, just open an issue on our tracker about it.
Cheers,
Henning
--
Henning Westerholt –
https://skalatan.de/blog/
Kamailio services –
https://gilawa.com
From: Mathias Schneuwly <mathias@schneuwlys.ch>
Sent: Friday, January 13, 2023 11:47 AM
To: Henning Westerholt <hw@gilawa.com>
Cc: sr-users@lists.kamailio.org
Subject: Re: [SR-Users] Parallel call forking with call authorization
Hi Henning
We wanted to reach some sort of security, but you are probably right, that restricting the access from certain IPs would be good enough instead of call authentication. I need to think about it.
But anyway, to me, something with failure-route and parallel call forking seems to be odd (at least using the python KEMI interpreter). More or less the same setup using the standard Kamailio dialplan (instead
of KEMI), seems to work as expected.
Best regards
Mathias
Am Fr., 13. Jan. 2023 um 11:04 Uhr schrieb Henning Westerholt <hw@gilawa.com>:
Hello Mathias,
I do not fully understand your remark about the concerns that somebody else send calls to your asterisk over that special endpoint.
If you configure the asterisk to only accept calls from a particular IP address, this should not be a problem.
Cheers,
Henning
--
Henning Westerholt – https://skalatan.de/blog/
Kamailio services – https://gilawa.com
From: Mathias Schneuwly <mathias@schneuwlys.ch>
Sent: Friday, January 13, 2023 10:37 AM
To: Henning Westerholt <hw@gilawa.com>
Cc: sr-users@lists.kamailio.org
Subject: Re: [SR-Users] Parallel call forking with call authorization
Thanks for your reply
This is what I'm doing at the moment to continue with the task as long as it does not work as I would expect. Without call authentication, the parallel forking works as expected.
If somehow possible I would like to keep it since I don't want anybody to send calls to Asterisk using this endpoint. This is a special context in Asterisk which provides some special functions like incoming and outgoing call authentication using Pin and others...
Best regards
Mathias
Am Fr., 13. Jan. 2023 um 10:20 Uhr schrieb Henning Westerholt <hw@gilawa.com>:
Hello,
Just a generic remark - if you manage also the asterisk, I’d suggest to not use the SIP authentication method for outgoing calls and just allow all calls from Kamailio towards asterisk. This would make your setup easier and call setup also (slightly) faster.
Cheers,
Henning
--
Henning Westerholt – https://skalatan.de/blog/
Kamailio services – https://gilawa.com
From: Mathias Schneuwly <mathias@schneuwlys.ch>
Sent: Friday, January 13, 2023 9:08 AM
To: sr-users@lists.kamailio.org
Subject: [SR-Users] Parallel call forking with call authorization
Hi
As a first notice; I already wrote to the mailing list, but without registration. I read afterwards that I should register first because of spam reasons. If this is a duplicate, then I'm sorry. I'm new to mailing lists...
I've an issue with parallel call forking together with call authentication. I hope somebody can give me some hints about what the problem could be and how I could solve this problem.
I'm using Kamailio 5.5.4 with the python KEMI binding.
Kamailio is in front of an Asterisk, which requires call authorization. RTPEngine is also inplace which does SRTP to RTP bridging. Simple calls from and to Asterisk through Kamailio and RTPEngine work without any issue. So the basic setup seems to work fine. The problem starts when I do parallel call forking where both calls are sent to Asterisk. If I use "KSR.tm.t_on_failure("trunk_authentication")" for authentication, the first branch is authenticating and the device rings, but the second branch does not authenticate. Well, that's not 100% true, if the SIP timeout appears on the first branch, I can see in the log, that the second branch enters the trunk_authentication method, but then, the call is already terminated.
Call forking to two devices (not behind Asterisk and without call authentication) works also as expected.
I made some trials with "KSR.tm.t_on_branch_failure("trunk_authentication")" but in this case, the behavior is strange. Then the authentication for both branches work and both devices are ringing. If a device hooks up, the second device does not stop ringing. And after a few seconds, the first device cancels the call, because it did not get the ACKs. I can also see that the CANCEL is sent from Kamailio to Asterisk, but Asterisk does not react to it.
For trunk authentication, I'm using the implementation from the well known examples plus a few own stuff. Btw, NAT is not enabled...:
def trunk_authentication(self, msg):
scode = KSR.pv.get("$T_reply_code")
self.log('notice', 'trunk_authentication {}'.format(scode))
if WITH_NAT and self.ksr_route_natmanage(msg) == -255:
return 1
# Call manage_rtp_engine to destroy RTPEngine if it has been used.
call_context = self.get_call_context(msg=msg)
callee_object = call_context.callee.get_callee_object()
if callee_object.connection_type:
call_context.manage_rtp_engine()
if KSR.tm.t_is_canceled() > 0:
return 1
if scode in [401, 407]:
KSR.pv.sets('$avp(auser)', KSR.pv.get('$sel(cfg_get.asterisk.trunk_username)'))
KSR.pv.sets('$avp(apass)', KSR.pv.get('$sel(cfg_get.asterisk.trunk_password)'))
if KSR.uac.uac_auth():
# enable additional event routes for forwarded requests
# - serial forking, RTP relaying handling, a.s.o.
if KSR.is_method_in('IBSU'):
if KSR.tm.t_is_set("branch_route") < 0:
KSR.tm.t_on_branch("ksr_branch_manage")
self.log('notice', 'Authentication Asterisk trunk')
if KSR.tm.t_relay() < 0:
KSR.sl.sl_reply_error()
return 1
Any ideas?
Best regards
Mathias