Hello.
I have Kamailio ( K in further ) and 2x Asterisk boxes ( A1 and A2 in further ) configured, so UAC registers at K and when it sends a call, it's routed to A1 or A2, balanced.
The problem is, that I cannot find how to authorize INVITE requests, so unregistered UAC could not send INVITE requests. Simply cannot find anything.
I'm making registration, using www_authorize() and checking all INVITES with proxy_authorize(). Just after kamailio is started - everything works fine and as planned: registered UAC can call and not registered - cannot. But after aproximately 40 seconds everything is stopped. Not calls passed and everybody receives 407 Proxy Authorization is required.
So, the question: how it is correctly to verify that incoming INVITE on K is authorized? It seems to me that I'm doing that in wrong way.
Thank you.
Hello,
On 12/2/10 1:42 PM, Spinov Evgeniy wrote:
Hello.
I have Kamailio ( K in further ) and 2x Asterisk boxes ( A1 and A2 in further ) configured, so UAC registers at K and when it sends a call, it's routed to A1 or A2, balanced.
The problem is, that I cannot find how to authorize INVITE requests, so unregistered UAC could not send INVITE requests. Simply cannot find anything.
I'm making registration, using www_authorize() and checking all INVITES with proxy_authorize(). Just after kamailio is started - everything works fine and as planned: registered UAC can call and not registered - cannot. But after aproximately 40 seconds everything is stopped. Not calls passed and everybody receives 407 Proxy Authorization is required.
So, the question: how it is correctly to verify that incoming INVITE on K is authorized? It seems to me that I'm doing that in wrong way.
you have to do proxy_authorize() for each invite you want to authorize (if you look at default config file for v3.1.x and search for WITH_AUTH, you will see the config actions for authentication). The asterisks must accept SIP traffic based on source ip filtering, allowing only calls coming from kamailio.
If you mean that the calls are interrupted after 40 seconds, then it is very likely ACK is not routed properly. If you mean something else, capture the SIP traffic via ngrep/wireshark, run kamailio in higher debug lever (debug=3 in config) and send the SIP trace and the syslog messages. Also, try to describe in more details what actually seems to go wrong. All these will help people here on mailing list to give you proper hints how to solve.
Cheers, Daniel
Thank you for your reply.
I will insert part of configuration file, to show where is problem occurs. Block is pretty simple:
if (method=="INVITE") {
if (!proxy_authorize("", "sipusers")) {
xlog("L_NOTICE", "[$Tf] Detected INVITE before authorization $fU -> $tU\n");
proxy_challenge("", "0");
break;
} else if (!check_from()) {
sl_send_reply("403", "Use From=ID");
break;
}
consume_credentials();
}
ds_select_dst("1", "4");
xlog("L_NOTICE", "Balancing call to asterisk => $du, from $fU \n");
route(RELAY);
exit;
This is Kamailio 3.0.3. I've tried on recently released 3.1.1 - problem is the same. Also, I've started running debug, to find out how exactly auth requests are processed. And I've figured out that failing requests differs on following:
After all authorization staff ends: 6(1678) DEBUG: auth [api.c:246]: authorization is OK 6(1678) DEBUG: auth [api.c:194]: nonce index= 9 6(1678) DEBUG: auth [index.c:187]: nonce already used 6(1678) DEBUG: auth [api.c:198]: nonce index not valid
After that, core is freeing resources and I receive "Detected INVITE before authorization" message, which means that proxy_authorize returned false. So this is not ACK routing problem. Why this error occur and how I can deal with it?
Also I've made investigation with packet dumps and they are correct. If you like, I can put them here, but it senseless, cause UA is replying in same way every time: 1. -> INVITE 2. <- 407 from K 3. -> ACK 4. -> DIGEST
Hope this will help.
On Fri, 03 Dec 2010 11:20:38 +0100, Daniel-Constantin Mierla miconda@gmail.com wrote:
Hello,
On 12/2/10 1:42 PM, Spinov Evgeniy wrote:
Hello.
I have Kamailio ( K in further ) and 2x Asterisk boxes ( A1 and A2 in further ) configured, so UAC registers at K and when it sends a call, it's routed to A1 or A2, balanced.
The problem is, that I cannot find how to authorize INVITE requests, so unregistered UAC could not send INVITE requests. Simply cannot find anything.
I'm making registration, using www_authorize() and checking all INVITES with proxy_authorize(). Just after kamailio is started - everything works fine and as planned: registered UAC can call and not registered - cannot. But after aproximately 40 seconds everything is stopped. Not calls passed and everybody receives 407 Proxy Authorization is required.
So, the question: how it is correctly to verify that incoming INVITE on K is authorized? It seems to me that I'm doing that in wrong way.
you have to do proxy_authorize() for each invite you want to authorize (if you look at default config file for v3.1.x and search for WITH_AUTH, you will see the config actions for authentication). The asterisks must accept SIP traffic based on source ip filtering, allowing only calls coming from kamailio.
If you mean that the calls are interrupted after 40 seconds, then it is very likely ACK is not routed properly. If you mean something else, capture the SIP traffic via ngrep/wireshark, run kamailio in higher debug lever (debug=3 in config) and send the SIP trace and the syslog messages. Also, try to describe in more details what actually seems to go wrong. All these will help people here on mailing list to give you proper hints how to solve.
Cheers, Daniel
-- Daniel-Constantin Mierla Kamailio (OpenSER) Advanced Training Jan 24-26, 2011, Irvine, CA, USA http://www.asipto.com
Problem was solved and the issue was in the script causing double proxy_authorize check.
Due to one nonce index on authorization, kamailio failed authorization with wrong index in debug.
Still cannot get why it worked for 40 seconds.
On Fri, 03 Dec 2010 11:20:38 +0100, Daniel-Constantin Mierla miconda@gmail.com wrote:
Hello,
On 12/2/10 1:42 PM, Spinov Evgeniy wrote:
Hello.
I have Kamailio ( K in further ) and 2x Asterisk boxes ( A1 and A2 in further ) configured, so UAC registers at K and when it sends a call, it's routed to A1 or A2, balanced.
The problem is, that I cannot find how to authorize INVITE requests, so unregistered UAC could not send INVITE requests. Simply cannot find anything.
I'm making registration, using www_authorize() and checking all INVITES with proxy_authorize(). Just after kamailio is started - everything works fine and as planned: registered UAC can call and not registered - cannot. But after aproximately 40 seconds everything is stopped. Not calls passed and everybody receives 407 Proxy Authorization is required.
So, the question: how it is correctly to verify that incoming INVITE on K is authorized? It seems to me that I'm doing that in wrong way.
you have to do proxy_authorize() for each invite you want to authorize (if you look at default config file for v3.1.x and search for WITH_AUTH, you will see the config actions for authentication). The asterisks must accept SIP traffic based on source ip filtering, allowing only calls coming from kamailio.
If you mean that the calls are interrupted after 40 seconds, then it is very likely ACK is not routed properly. If you mean something else, capture the SIP traffic via ngrep/wireshark, run kamailio in higher debug lever (debug=3 in config) and send the SIP trace and the syslog messages. Also, try to describe in more details what actually seems to go wrong. All these will help people here on mailing list to give you proper hints how to solve.
Cheers, Daniel
-- Daniel-Constantin Mierla Kamailio (OpenSER) Advanced Training Jan 24-26, 2011, Irvine, CA, USA http://www.asipto.com
-
Daniel-Constantin Mierla -
Spinov Evgeniy