Thank you Andrei,
this is the ngrep output from 'ngrep bart port 5060'. I'm only connecting the natted phone:
# U 213.219.137.148:5060 -> 212.71.0.90:5060 REGISTER sip:ser.edpnet.net:5060 SIP/2.0..Via: SIP/2.0/UDP 213.219.137.148:50198..Supported: replaces..User-Agent: SIP201 (lp201sip.100a)..Contact: sip:bart@10.0.0.2:5060;expires=60..From: sip:bart@ser.edpnet.net ;tag=a000002-13c4-0-42e-7 fea..To: sip:bart@ser.edpnet.net..Call-ID: a000002-13c4-0-406-79bf-1..CSeq: 1 REGISTER..Content-Length:0.... # U 212.71.0.90:5060 -> 213.219.137.148:5060 SIP/2.0 401 Unauthorized..Via: SIP/2.0/UDP 213.219.137.148:50198;rport=5060..From: sip:bart@ser.edpnet.net ;tag=a000002 -13c4-0-42e-7fea..To: sip:bart@ser.edpnet.net;tag=61a88e7fd5f0561d96cde0cc9ecba6d7.9adf..Call-ID : a000002-13c4-0-406-79 bf-1..CSeq: 1 REGISTER..WWW-Authenticate: Digest realm="ser.edpnet.net", nonce="40fb952b226d9f0726f09c5fda8db0fe3b9a47d2" ..Server: Sip EXpress router (0.8.13-dev-33-usrloc (i386/linux))..Content-Length: 0..Warning: 392 212.71.0.90:5060 "Noisy feedback tells: pid=17817 req_src_ip=213.219.137.148 req_src_port=5060 in_uri=sip:ser.edpnet.net:5060 out_uri=sip:ser.edpnet.net:5060 via_cnt==1"....
--- the second register:
U 213.219.137.148:5060 -> 212.71.0.90:5060 REGISTER sip:ser.edpnet.net:5060 SIP/2.0..Via: SIP/2.0/UDP 213.219.137.148:50198..Supported: replaces..User-Agent: SIP201 (lp201sip.100a)..Contact: sip:bart@10.0.0.2:5060;expires=60..From: sip:bart@ser.edpnet.net ;tag=a000002-13c4-0-42e-7 fea..To: sip:bart@ser.edpnet.net..Call-ID: a000002-13c4-0-406-79bf-1..CSeq: 1 REGISTER..Content-Length:0.... # U 212.71.0.90:5060 -> 213.219.137.148:5060 SIP/2.0 401 Unauthorized..Via: SIP/2.0/UDP 213.219.137.148:50198;rport=5060..From: sip:bart@ser.edpnet.net ;tag=a000002-13c4-0-42e-7fea..To: sip:bart@ser.edpnet.net;tag=61a88e7fd5f0561d96cde0cc9ecba6d7.9adf..Call-ID : a000002-13c4-0-406-79 bf-1..CSeq: 1 REGISTER..WWW-Authenticate: Digest realm="ser.edpnet.net", nonce="40fb952cf1352a491276a2e811642001d3698340" ..Server: Sip EXpress router (0.8.13-dev-33-usrloc (i386/linux))..Content-Length: 0..Warning: 392 212.71.0.90:5060 "Noisy feedback tells: pid=17817 req_src_ip=213.219.137.148 req_src_port=5060 in_uri=sip:ser.edpnet.net:5060 out_uri=sip:ser.edpnet.net:5060 via_cnt==1".... #
So I guess my UA doesn't resend the request with the proper auth?
thanks, Bart
-----Original Message----- From: Andrei Pelinescu-Onciul [mailto:pelinescu-onciul@fokus.fraunhofer.de] Sent: vrijdag 16 juli 2004 17:22 To: Bart Van Daal Cc: serusers@lists.iptel.org Subject: Re: [Serusers] NAT vs. NoNat authentication
On Jul 16, 2004 at 13:38, Bart Van Daal B.Vandaal@edpnet.net wrote:
Hi,
Is there a difference in authenticating a natted or
non-nated UA using
www_authen? The reason i'm asking is because when my UA is directly connected to the internet it authenticates fine but when
NATed I get
the following error:
parse_headers: flags=4096 0(12877) pre_auth(): Credentials with given realm not found 0(12877) ---:: didn't authorize 0(12877) build_auth_hf(): 'WWW-Authenticate: Digest realm="ser.edpnet.net",
nonce="40f7be4edbd22e214821f2a3937968fc049ae290" '
0(12877) parse_headers: flags=-1
This is normal if it happens only for the first request. Your UA sends the first request without auth. info., the server sends back a negative reply with and auth. header and then your UA is supposed to retry to send the request with proper auth.
In the future please include network dumps.
Andrei
On Jul 19, 2004 at 11:38, Bart Van Daal B.Vandaal@edpnet.net wrote:
Thank you Andrei,
this is the ngrep output from 'ngrep bart port 5060'. I'm only connecting the natted phone:
# U 213.219.137.148:5060 -> 212.71.0.90:5060 REGISTER sip:ser.edpnet.net:5060 SIP/2.0..Via: SIP/2.0/UDP 213.219.137.148:50198..Supported: replaces..User-Agent: SIP201 (lp201sip.100a)..Contact: sip:bart@10.0.0.2:5060;expires=60..From: sip:bart@ser.edpnet.net ;tag=a000002-13c4-0-42e-7 fea..To: sip:bart@ser.edpnet.net..Call-ID: a000002-13c4-0-406-79bf-1..CSeq: 1 REGISTER..Content-Length:0....
Does the phone use STUN? It's strange it puts the nat ip in Via, but it leaves a private ip in Contact. Also the port in via it's not correct (packet comes from 213.219.137.148:5060 but in via you have 213.219.137.148:50198). Looks like broken nat traversal.
# U 212.71.0.90:5060 -> 213.219.137.148:5060 SIP/2.0 401 Unauthorized..Via: SIP/2.0/UDP 213.219.137.148:50198;rport=5060..From: sip:bart@ser.edpnet.net ;tag=a000002 -13c4-0-42e-7fea..To: sip:bart@ser.edpnet.net;tag=61a88e7fd5f0561d96cde0cc9ecba6d7.9adf..Call-ID : a000002-13c4-0-406-79 bf-1..CSeq: 1 REGISTER..WWW-Authenticate: Digest realm="ser.edpnet.net", nonce="40fb952b226d9f0726f09c5fda8db0fe3b9a47d2" ..Server: Sip EXpress router (0.8.13-dev-33-usrloc (i386/linux))..Content-Length: 0..Warning: 392 212.71.0.90:5060 "Noisy feedback tells: pid=17817 req_src_ip=213.219.137.148 req_src_port=5060 in_uri=sip:ser.edpnet.net:5060 out_uri=sip:ser.edpnet.net:5060 via_cnt==1"....
[...]
So I guess my UA doesn't resend the request with the proper auth?
Yes. Now the question is if it ever receives the 401 reply (dropped at the nat?). If it receives it, it might not like it (e.g. it's a buggy UA which doesn't like rport).
Andrei
-
Andrei Pelinescu-Onciul -
Bart Van Daal