As part of a project, I have installed a CentOS 6 test system (a virtual machine) with Asterisk 11.7.0 and Kamailio 4.1.1 downloaded from http://download.opensuse.org/repositories/home:/kamailio:/telephony/CentOS_C.... I am trying to set up a combination of Kamailio and Asterisk that will route SIP calls between all the configured networks in the test setup, in addition to being capable of using Asterisk in order to handle PSTN and IAX2 calls.
I am using the following online guide to modify my kamailio.cfg: http://kb.asipto.com/asterisk:realtime:kamailio-4.0.x-asterisk-11.3.0-astdb . Based on this, I generated the attached patch for my Kamailio configuration
My test setup has the following network interfaces:
eth0: 10.1.0.3, on network 10.1.0.0/24
eth1: 192.168.5.18, on network 192.168.0.0/16
eth2: 10.0.0.2, on network 10.0.0.0/24
lo: 127.0.0.1, on network 127.0.0.0/8
I first configured Asterisk with SIP realtime support (with no Kamailio), and tested that all configured accounts could register from all interfaces, and that Asterisk could properly route media between any two disjoint networks. After installing Kamailio, the guide called for disabling Asterisk SIP authentication by setting passwords to NULL, and moving Asterisk SIP to a different port (I chose 5080) so that Asterisk and Kamailio could run on the same machine. At this point, the SIP clients (one softphone and one VoIP phone) can now register at port 5080 without authentication.
In the process of changing my Kamailio configuration according to the attached patch, the guide says that I should configure the IP of the network interface as the value of asterisk.bindip and kamailio.bindip. After performing all required changes, Kamailio does take over authentication at the default port of 5060. Testing shows that for all SIP clients with IPs belonging to the same network as the configured asterisk.bindip, both registration and media exchange work correctly, and that the SIP clients are still capable of calling into the Asterisk dialplan, and therefore, routing into Asterisk resources.
For SIP clients in disjoint networks, the failure mode depends on whether mhomed is enabled or disabled in kamailio.cfg.
For mhomed=0 (or unset), I have the following situation between the two SIP clients (one at 10.1.0.1, the other at 10.0.0.3), as shown by "sip show peers" in Asterisk (when asterisk.bindip is set to 192.168.5.18):

Privilege escalation protection disabled!
See https://wiki.asterisk.org/wiki/x/1gKfAQ for more details.
Name/username              Host           Dyn Forcerport ACL Port  Status       Description Realtime
gatitoscomx64am_100/gatit  10.1.0.3       D   N          A   5060  OK (16 ms)               Cached RT
gatitoscomx64am_101/gatit  10.0.0.2       D   N          A   5060  OK (36 ms)               Cached RT
gatitoscomx64am_IM101      (Unspecified)  D   N          A   0     UNREACHABLE              Cached RT
3 sip peers [Monitored: 2 online, 1 offline Unmonitored: 0 online, 0 offline]
If I try to call from one SIP client to an extension in the Asterisk dialplan that does NOT map to a SIP client in a disjoint network, the media exchange works (with the negotiated media IP in the same network as the SIP client), regardless of whether the calling client belongs to the same network as asterisk.bindip. If I try to call from the same SIP client to an extension that maps to a SIP client in a disjoint network, the call fails, and I get the spoken message about the user at extension such-and-such being unavailable. Additionally, I get the following error message in the Asterisk logs:

[Feb 25 16:53:14] NOTICE[13807][C-00000003] chan_sip.c: Call from 'gatitoscomx64am_101' (10.0.0.2:5060) to extension 'gatitoscomx64am_101' rejected because extension not found in context 'gatitoscomx64am-from-internal'.
For mhomed=1, the output of "sip show peers" changes to the following (when asterisk.bindip is set to 192.168.5.18):

Privilege escalation protection disabled!
See https://wiki.asterisk.org/wiki/x/1gKfAQ for more details.
Name/username              Host           Dyn Forcerport ACL Port  Status       Description Realtime
gatitoscomx64am_100/gatit  192.168.5.18   D   N          A   5060  OK (19 ms)               Cached RT
gatitoscomx64am_101/gatit  192.168.5.18   D   N          A   5060  OK (34 ms)               Cached RT
gatitoscomx64am_IM101      (Unspecified)  D   N          A   0     UNREACHABLE              Cached RT
3 sip peers [Monitored: 2 online, 1 offline Unmonitored: 0 online, 0 offline]
From wireshark sniffing, I can see that the SDP payload sent from the client to Kamailio contains the IP address of the client, which is accessible by both Kamailio and Asterisk. However, the SDP payload in the OK response sent back to the client contains a media port with the IP address of asterisk.bindip (the one that appears in the "Host" column in the "sip show peers" report), not the IP address of the interface that received the INVITE. This results in broken media negotiation for all SIP clients belonging to networks other than the one that contains asterisk.bindip.
In either case, I have to hardcode an IP address in kamailio.cfg, which is not satisfactory. IPs assigned to interfaces can and do change, especially if the interface is managed with DHCP. To escape this, I tried setting asterisk.bindip to 127.0.0.1, but since apparently localhost is also a disjoint network, all of the above described problems apply.
Related to these issues, I am not satisfied with leaving Asterisk running unauthenticated SIP at the nonstandard port. Somebody suggested blocking the port with iptables, but I do not want to rely on this alone. I tried setting bindaddr=127.0.0.1 so that only Kamailio gets to talk to Asterisk, but this also has the side effect of restricting the media negotiation to localhost only.
I am asking for help in building a Kamailio/Asterisk configuration that will support all of the networks and route media between all of them, just as if Asterisk were the only program running. Ideally, the configuration should not encode the current IP of any interface (except, maybe, localhost). What is the official name (if any) for the setup I am describing above? Does it have a standard setup procedure? How is Asterisk secured so that clients cannot bypass authentication using the Asterisk SIP port directly?
Puh, too many questions in one email.
First, you should describe what you want to achieve. E.g. is there routing between the networks done by the server? E.g. can a client on 10.1.0.0/24 ping a client on 192.168.0.0/16? If yes, there is no need for Kamailio/Asterisk to listen on multiple interfaces.
If there is no routing, you need to have a media relay too. Either use rtpproxy or just configure Asterisk with "canreinvite=no" to avoid media offloading.
So, what setup have you chosen? Then we can think about problems.
regards Klaus
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list sr-users@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
On 26/02/14 05:25, Klaus Darilion wrote:
Puh, too many questions in one email.
I am sorry about that. I wanted to provide as much useful information as possible in my email, including what I had observed, and what I have already tried. After all the exposition, I just want to 1) have a setup that routes media between several disjoint networks, 2) while being secure by default even if the firewall gets misconfigured, 3) without having to hardcode a particular IP address in the configuration file.
First, you should describe what you want to achieve. E.g. is there routing between the networks done by the server? E.g. can a client on 10.1.0.0/24 ping a client on 192.168.0.0/16? If yes, there is no need for Kamailio/Asterisk to listen on multiple interfaces.
No, the server is not supposed to route ordinary traffic between networks.
If there is no routing, you need to have a media relay too. Either use rtpproxy or just configure Asterisk with "canreinvite=no" to avoid media offloading.
The asterisk instance was supposed to be already configured with directmedia=no the whole time. This was set both in the configuration file and in each of the realtime peers. The full sip.conf file is attached. The #include'd files at the end are currently empty. You can see the commented-out attempt to listen on localhost only.
I fail to see why rtpproxy would be required in this setup, since asterisk already opens RTP ports on all interfaces. In the (already tested) asterisk-only scenario, media is routed between the test networks through asterisk when it does all of the SIP negotiation itself.
So, what setup have you chosen? Then we can think about problems.
regards Klaus
Regarding security, I think rtpproxy can help me. I have configured asterisk to listen for SIP traffic on localhost only. Of course, this means asterisk will send the media to localhost only, but now I can be sure there is no way to bypass kamailio authentication from the outside.
My test setup resembles a typical NAT traversal. However, instead of a single private interface and a single outgoing interface, I need to route between localhost (which behaves here as the private network) and multiple external interfaces (similar to the "public" network). A partially-working patch to kamailio.cfg is attached to this email. The known problems with the patch are:
- Incoming calls (external->kamailio->asterisk) are handled and media is correctly routed with multiple rtpproxy instances. However, calls generated from Asterisk itself (asterisk->kamailio->external) do not have their media routed correctly. This is because I need to choose which rtpproxy set to use in order to route the media, and I do not know which field to use at the required point for an outgoing INVITE. For incoming INVITEs, I am using $Ri, and for OK replies to those INVITEs, I am using $(hdr(Record-Route)[1]) (I believe this is not optimal and that a better solution must exist).
- I am forced to hardcode IPs to the various defined interfaces. As explained before, IPs can and do change, and removing the need to hardcode the IPs will make configuration and maintenance easier. I must add that I want to build a generic solution that can be minimally modified for several deployments.
Is this setup recognizable as an already-solved problem (minus the localhost trick)? How is it done correctly?
On 27.02.2014 23:43, Alex Villacís Lasso wrote:
Is this setup recognizable as an already-solved problem (minus the localhost trick)? How is it done correctly?
I think your setup is too complex. If I didn't miss your requirements, I think you can do it this way:
From a routing point of view, you could do the setup with Asterisk, without Kamailio. If you need Kamailio too (for whatever features) then what about this:
                     | Server                                 |
                     |                                        |
client1---net1-------| IP1:5060 Kamailio |<-------\           |
                     |                             \          |
client2---net2-------| IP2:5060 Kamailio |<--\      |         |
                     |                       /      /         |
                     | 0.0.0.0:5070 Asterisk |<-------         |
                     | 0.0.0.0:10000-20000: Asterisk RTP      |
Block port 5070 from outside with iptables, so clients are forced through Kamailio. For the communication between Asterisk and Kamailio use the same socket as for the communication with the clients and Kamailio, eg:
client1-IP ------- IP1:5060 --- Kamailio ---- IP1:5060 | IP1:5070 ----
                                                        |              \
                                                        |               Asterisk
                                                        |              /
client2-IP ------- IP2:5060 --- Kamailio ---- IP2:5060 | IP2:5070 ----
Asterisk usually uses the local routing table to find the IP address to put in the SDP. As the communication with client 1 is via Kamailio IP1 and with client 2 via Kamailio IP2, Asterisk should populate the SDP correctly.
Further, if you configure Kamailio with mhomed=1 and forward to Asterisk always using the proper IP, e.g. a request which is received on IP1:5060 is forwarded to IP1:5070, then also the Route/Record-Route and Via headers should be populated correctly. For REGISTER routing I think it is best to use the Path header (newer Asterisk versions should support this).
regards Klaus
PS: I have not tried it but I am quite sure it should work.
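The design Klaus sketches above, written out as an added kamailio.cfg skeleton (this is example configuration, not from the thread, the asipto guide or the Kamailio project). It also addresses the "no hardcoded IP" requirement from Alex's earlier message: the listen sockets are given by interface name (eth0/eth1/eth2 as on Alex's test box; an assumption is that the core "listen" parameter accepts interface names, which I understand it does but which should be verified on 4.1.1), and the Asterisk hop is built from $Ri, the IP the request was received on. It assumes Asterisk bound to 0.0.0.0:5070 with Path support enabled on its peers, and that the authentication logic from the guide is kept where the comment marks it.

```cfg
#!KAMAILIO
# Added example skeleton following Klaus's design: one Kamailio socket per
# interface, Asterisk on 0.0.0.0:5070, each request forwarded to Asterisk on
# the same IP it arrived on. Not the thread's own config; see assumptions above.

mhomed=1                      # choose the sending socket per destination

# Listen on each interface by name so no IP literal lives in the config
# (assumption: interface names are accepted here, as the core docs describe).
listen=udp:eth0:5060
listen=udp:eth1:5060
listen=udp:eth2:5060

loadmodule "tm.so"
loadmodule "sl.so"
loadmodule "rr.so"
loadmodule "pv.so"
loadmodule "path.so"
loadmodule "textops.so"
loadmodule "siputils.so"

request_route {
    # In-dialog requests (ACK, BYE, re-INVITE) follow the Record-Route set.
    if (has_totag()) {
        if (loose_route()) {
            route(RELAY);
        }
        exit;
    }

    # Traffic from the local Asterisk arrives on the same IP the client was
    # served on, with source port 5070: identified without any IP literal.
    # This trusts the packet's source address, so keep the iptables rule
    # that blocks 5070 from outside as the second line of defence.
    if ($si == $Ri && $sp == 5070) {
        route(FROM_ASTERISK);
        exit;
    }

    # ... sanity checks and client authentication from the asipto guide ...

    if (is_method("REGISTER")) {
        # Path header so Asterisk later routes back through this socket
        # (IP1:5060), as Klaus suggests for REGISTER.
        add_path();
        route(TO_ASTERISK);
    }

    if (is_method("INVITE")) {
        record_route();
    }
    route(TO_ASTERISK);
}

route[TO_ASTERISK] {
    # Forward on the IP the request came in on: IP1:5060 -> IP1:5070.
    # Asterisk then resolves its SDP address from the routing table for IP1.
    $du = "sip:" + $Ri + ":5070";
    route(RELAY);
}

route[FROM_ASTERISK] {
    if (is_method("INVITE")) {
        record_route();
    }
    # The Path stored at REGISTER time shows up here as a Route header;
    # loose_route() strips our own hop so the request continues to the client.
    loose_route();
    route(RELAY);
}

route[RELAY] {
    if (!t_relay()) {
        sl_reply_error();
    }
    exit;
}
```

Check the syntax with "kamailio -c -f /etc/kamailio/kamailio.cfg" before restarting. The matching iptables rule for Klaus's "block 5070 from outside" is a DROP on UDP destination port 5070 for every interface except lo (for example "iptables -I INPUT -p udp --dport 5070 ! -i lo -j DROP"), since Kamailio's own packets to IP1:5070 traverse the loopback interface; with that rule in place the $si/$sp match above is only reachable by the local Asterisk, which is what makes the unauthenticated Asterisk port safe to leave open on 0.0.0.0.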