[Users] Proxy authentication message to wrong port

Klaus Darilion klaus.mailinglists at pernau.at
Tue Aug 8 09:55:51 CEST 2006


Use force_rport()
http://openser.org/dokuwiki/doku.php?id=openser_v1.1.0_core_cookbook#force_rport

regards
klaus

M D wrote:
> Hi
> 
> I have an OpenSER 1.1 box on a public IP running a config taken 
> more-or-less verbatim from the iptel.org getting 
> started examples. I have a UA behind a PIX which is translating port 
> 5060 on the phone to port 8907 on the firewall. OpenSER is ignoring this 
> and sending replies to INVITEs to port 5060 on the firewall.
> 
> If it's likely to make any difference, the PATed IP and the IP of the 
> OpenSER box are on the same network.
> 
>  31  61.574505 193.x.x.15 -> 193.x.x.5 SIP/SDP Request: INVITE sip:5551212@193.x.x.5;user=phone, with session description
>  32  61.575998 193.x.x.5 -> 193.x.x.15 SIP Status: 407 Proxy Authentication Required
> 
> Aug  4 16:05:38 sip3 /usr/sbin/openser[22195]: SIP Request:
> Aug  4 16:05:38 sip3 /usr/sbin/openser[22195]:  method:  <INVITE>
> Aug  4 16:05:38 sip3 /usr/sbin/openser[22195]:  uri:     < sip:5551212@193.x.x.5;user=phone>
> Aug  4 16:05:38 sip3 /usr/sbin/openser[22195]:  version: <SIP/2.0>
> Aug  4 16:05:38 sip3 /usr/sbin/openser[22195]: parse_headers: flags=2
> Aug  4 16:05:38 sip3 /usr/sbin/openser[22195]: Found param type 232, <branch> = <z9hG4bK4ae31c203ab6ceb>; state=16
> Aug  4 16:05:38 sip3 /usr/sbin/openser[22195]: end of header reached, state=5
> Aug  4 16:05:38 sip3 /usr/sbin/openser[22195]: parse_headers: Via found, flags=2
> Aug  4 16:05:38 sip3 /usr/sbin/openser[22195]: parse_headers: this is the first via
> Aug  4 16:05:38 sip3 /usr/sbin/openser[22195]: After parse_msg...
> Aug  4 16:05:38 sip3 /usr/sbin/openser[22195]: preparing to run routing scripts...
> Aug  4 16:05:38 sip3 /usr/sbin/openser[22195]: parse_headers: flags=100
> Aug  4 16:05:38 sip3 /usr/sbin/openser[22195]: DEBUG:parse_to:end of header reached, state=10
> Aug  4 16:05:38 sip3 /usr/sbin/openser[22195]: DBUG:parse_to: display={}, ruri={sip:5551212@193.x.x.5;user=phone}
> Aug  4 16:05:38 sip3 /usr/sbin/openser[22195]: DEBUG: get_hdr_field: <To> [39]; uri=[ sip:5551212@193.x.x.5;user=phone]
> Aug  4 16:05:38 sip3 /usr/sbin/openser[22195]: DEBUG: to body [< sip:5551212@193.x.x.5;user=phone>^M ]
> Aug  4 16:05:38 sip3 /usr/sbin/openser[22195]: get_hdr_field: cseq <CSeq>: <1> <INVITE>
> Aug  4 16:05:38 sip3 /usr/sbin/openser[22195]: DEBUG: get_hdr_body : content_length=284
> Aug  4 16:05:38 sip3 /usr/sbin/openser[22195]: found end of header
> Aug  4 16:05:38 sip3 /usr/sbin/openser[22195]: DEBUG: is_maxfwd_present: max_forwards header not found!
> Aug  4 16:05:38 sip3 /usr/sbin/openser[22195]: DEBUG: add_param: tag=3783260355
> Aug  4 16:05:38 sip3 /usr/sbin/openser[22195]: DEBUG:parse_to:end of header reached, state=29
> Aug  4 16:05:38 sip3 /usr/sbin/openser[22195]: DBUG:parse_to: display={}, ruri={sip:84410001@193.x.x.5;user=phone}
> Aug  4 16:05:38 sip3 /usr/sbin/openser[22195]: parse_headers: flags=200
> Aug  4 16:05:38 sip3 /usr/sbin/openser[22195]: find_first_route: No Route headers found
> Aug  4 16:05:38 sip3 /usr/sbin/openser[22195]: loose_route: There is no Route HF
> Aug  4 16:05:38 sip3 /usr/sbin/openser[22195]: grep_sock_info - checking if host==us: 12==12 &&  [ 193.x.x.5] == [193.x.x.5]
> Aug  4 16:05:38 sip3 /usr/sbin/openser[22195]: grep_sock_info - checking if port 5060 matches port 5060
> Aug  4 16:05:38 sip3 /usr/sbin/openser[22195]: XXX INVITE handler: start
> Aug  4 16:05:38 sip3 /usr/sbin/openser[22195]: parse_headers: flags=10000
> Aug  4 16:05:38 sip3 /usr/sbin/openser[22195]: pre_auth(): Credentials with given realm not found
> Aug  4 16:05:38 sip3 /usr/sbin/openser[22195]: XXX INVITE handler: proxy_authorize failed
> Aug  4 16:05:38 sip3 /usr/sbin/openser[22195]: build_auth_hf(): 'Proxy-Authenticate: Digest realm=" 193.x.x.5", nonce="44d3636e40c00e3f51456a587f994d0f285325af"^M '
> Aug  4 16:05:38 sip3 /usr/sbin/openser[22195]: parse_headers: flags=ffffffffffffffff
> Aug  4 16:05:38 sip3 /usr/sbin/openser[22195]: check_via_address( 193.x.x.15, 10.200.100.46, 0)
> Aug  4 16:05:38 sip3 /usr/sbin/openser[22195]: DEBUG:destroy_avp_list: destroying list (nil)
> Aug  4 16:05:38 sip3 /usr/sbin/openser[22195]: receive_msg: cleaning up
> 
> How can I force proxy_challenge() to send its challenge to port 8907?
> 
> Cheers,
> 
> Mark
> 
> 
> Config:
> 
> debug=8
> fork=yes
> log_stderror=no
> 
> listen=193.82.139.5
> port=5060
> children=4
> 
> dns=no
> rev_dns=no
> fifo="/tmp/ser_fifo"
> fifo_db_url="mysql://openserro:openserro@localhost/openser"
> 
> loadmodule "/usr/lib/openser/modules/mysql.so"
> loadmodule "/usr/lib/openser/modules/sl.so"
> loadmodule "/usr/lib/openser/modules/tm.so"
> loadmodule "/usr/lib/openser/modules/rr.so"
> loadmodule "/usr/lib/openser/modules/maxfwd.so"
> loadmodule "/usr/lib/openser/modules/usrloc.so"
> loadmodule "/usr/lib/openser/modules/registrar.so"
> loadmodule "/usr/lib/openser/modules/auth.so"
> loadmodule "/usr/lib/openser/modules/auth_db.so"
> loadmodule "/usr/lib/openser/modules/uri.so"
> loadmodule "/usr/lib/openser/modules/uri_db.so"
> loadmodule "/usr/lib/openser/modules/nathelper.so"
> loadmodule "/usr/lib/openser/modules/textops.so"
> 
> modparam("auth_db|uri_db|usrloc", "db_url", 
> "mysql://openserro:openserro@localhost/openser")
> modparam("auth_db", "calculate_ha1", 1)
> modparam("auth_db", "password_column", "password")
> 
> modparam("nathelper", "natping_interval", 30)
> modparam("nathelper", "ping_nated_only", 1)
> modparam("nathelper", "rtpproxy_sock", "unix:/var/run/rtpproxy.sock")
> 
> modparam("usrloc", "db_mode", 2)
> 
> modparam("registrar", "nat_flag", 6)
> 
> modparam("rr", "enable_full_lr", 1)
> 
> route {
> 
>         # -----------------------------------------------------------------
>         # Sanity Check Section
>         # -----------------------------------------------------------------
>         if (!mf_process_maxfwd_header("10")) {
>                 sl_send_reply("483", "Too Many Hops");
>                 return;
>         };
> 
>         if (msg:len > max_len) {
>                 sl_send_reply("513", "Message Overflow");
>                 return;
>         };
> 
>         # -----------------------------------------------------------------
>         # Record Route Section
>         # -----------------------------------------------------------------
>         if (method!="REGISTER") {
>                 record_route();
>         };
> 
>         if (method=="BYE" || method=="CANCEL") {
>                 unforce_rtp_proxy();
>         }
> 
>         # -----------------------------------------------------------------
>         # Loose Route Section
>         # -----------------------------------------------------------------
>         if (loose_route()) {
> 
>                 if ((method=="INVITE" || method=="REFER") && !has_totag()) {
>                         sl_send_reply("403", "Forbidden");
>                         return;
>                 };
> 
>                 if (method=="INVITE") {
> 
>                         if (!proxy_authorize("","subscriber")) {
>                                 proxy_challenge("","0");
>                                 return;
>                         } else if (!check_from()) {
>                                 sl_send_reply("403", "Use From=ID");
>                                 return;
>                         };
>                         consume_credentials();
> 
>                         if (nat_uac_test("19")) {
>                                 setflag(6);
>                                 force_rport();
>                                 fix_nated_contact();
>                         };
>                         force_rtp_proxy("l");
>                 };
>                 route(1);
>                 return;
>         };
> 
>         # -----------------------------------------------------------------
>         # Call Type Processing Section
>         # -----------------------------------------------------------------
>         if (uri!=myself) {
>                 route(4);
>                 route(1);
>                 return;
>         };
> 
>         if (method=="ACK") {
>                 route(1);
>                 return;
>         } else if (method=="CANCEL") {
>                 route(1);
>                 return;
>         } else if (method=="INVITE") {
>                 route(3);
>                 return;
>         } else  if (method=="REGISTER") {
>                 route(2);
>                 return;
>         };
> 
>         lookup("aliases");
>         if (uri!=myself) {
>                 route(4);
>                 route(1);
>                 return;
>         };
> 
>         if (!lookup("location")) {
>                 sl_send_reply("404", "User Not Found");
>                 return;
>         };
> 
>         route(1);
> }
> 
> route[1] {
>         log("XXX default handler: start");
> 
>         # -----------------------------------------------------------------
>         # Default Message Handler
>         # -----------------------------------------------------------------
> 
>         t_on_reply("1");
> 
>         if (!t_relay()) {
>                 if (method=="INVITE" && isflagset(6)) {
>                         unforce_rtp_proxy();
>                 };
>                 sl_reply_error();
>         };
> }
> 
> route[2] {
>         log("XXX REGISTER handler: start");
> 
>         # -----------------------------------------------------------------
>         # REGISTER Message Handler
>         # ----------------------------------------------------------------
> 
>         if (!search("^Contact:[ ]*\*") && nat_uac_test("19")) {
>                 log("XXX REGISTER handler: valid contact and nat_uac_test(19) true");
>                 setflag(6);
>                 fix_nated_register();
>                 force_rport();
>         };
> 
>         log("XXX REGISTER handler: 100 trying");
>         sl_send_reply("100", "Trying");
> 
>         if (!www_authorize("","subscriber")) {
>                 log("XXX REGISTER handler: www_authorize failed");
>                 www_challenge("","0");
>                 return;
>         };
> 
>         if (!check_to()) {
>                 sl_send_reply("401", "Unauthorized");
>                 return;
>         };
> 
>         consume_credentials();
> 
>         if (!save("location")) {
>                 sl_reply_error();
>         };
>         log("XXX REGISTER handler: location saved");
> }
> 
> route[3] {
>         log("XXX INVITE handler: start");
> 
>         # -----------------------------------------------------------------
>         # INVITE Message Handler
>         # -----------------------------------------------------------------
> 
>         if (!proxy_authorize("","subscriber")) {
>                 log("XXX INVITE handler: proxy_authorize failed");
>                 proxy_challenge("","0");
>                 return;
>         } else if (!check_from()) {
>                 sl_send_reply("403", "Use From=ID");
>                 return;
>         };
> 
>         consume_credentials();
> 
>         if (nat_uac_test("19")) {
>                 setflag(6);
>         }
> 
>         lookup("aliases");
>         if (uri!=myself) {
>                 route(4);
>                 route(1);
>                 return;
>         };
> 
>         if (!lookup("location")) {
>                 sl_send_reply("404", "User Not Found");
>                 return;
>         };
> 
>         route(4);
>         route(1);
> }
> 
> route[4] {
>         log("XXX NAT traversal: start");
> 
>         # -----------------------------------------------------------------
>         # NAT Traversal Section
>         # -----------------------------------------------------------------
> 
>         if (isflagset(6)) {
>                 force_rport();
>                 fix_nated_contact();
>                 force_rtp_proxy();
>         }
> }
> 
> onreply_route[1] {
>         log("XXX onreply_route: start");
> 
>         if (isflagset(6) && status=~"(180)|(183)|2[0-9][0-9]") {
>                 if (!search("^Content-Length:[ ]*0")) {
>                         force_rtp_proxy();
>                 };
>         };
> 
>         if (nat_uac_test("1")) {
>                 log("XXX onreply_route: nat_uac_test(1) true");
>                 fix_nated_contact();
>         };
> }

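Why the 407 went to port 5060 and what force_rport() changes, as an added example that is not part of the original thread and is not OpenSER's code: a simplified Python model of UDP reply routing under RFC 3261 section 18.2 and RFC 3581. The Via host, port and branch come from the post and its log; 192.0.2.15 is a documentation address standing in for the masked firewall address, and the function names are hypothetical.

```python
import re

DEFAULT_SIP_PORT = 5060

# Constructed sample: Via as the phone behind the PIX would send it.
VIA = "SIP/2.0/UDP 10.200.100.46:5060;branch=z9hG4bK4ae31c203ab6ceb"
SRC_IP, SRC_PORT = "192.0.2.15", 8907   # what the proxy sees after PAT

def parse_via(via):
    """Split a Via header value into (sent-by host, sent-by port, params)."""
    sent, *rest = [part.strip() for part in via.split(";")]
    sent_by = sent.split()[-1]                       # drop "SIP/2.0/UDP"
    m = re.fullmatch(r"(\[[^\]]+\]|[^:\s]+)(?::(\d+))?", sent_by)
    if not m:
        raise ValueError(f"bad sent-by: {sent_by!r}")
    params = {}
    for part in rest:
        key, _, value = part.partition("=")
        params[key.strip().lower()] = value.strip()
    return m.group(1), int(m.group(2) or DEFAULT_SIP_PORT), params

def reply_destination(via, src_ip, src_port, force_rport=False):
    """Return (ip, port, stamped_via) for the reply to a UDP request."""
    host, via_port, params = parse_via(via)
    use_rport = force_rport or "rport" in params
    stamped = via
    if host != src_ip or use_rport:
        # Record the real packet source; never trust a client-sent value.
        stamped = re.sub(r";\s*received=[^;]*", "", stamped)
        stamped += f";received={src_ip}"
    if use_rport:
        # RFC 3581: answer to the source port, i.e. the NAT binding.
        stamped = re.sub(r";\s*rport(=[^;]*)?(?=;|$)", "", stamped)
        stamped += f";rport={src_port}"
        return src_ip, src_port, stamped
    # RFC 3261 only: received address, but the port the Via claims.
    return src_ip, via_port, stamped

def demo():
    """Reply targets without and with force_rport() for the sample."""
    plain = reply_destination(VIA, SRC_IP, SRC_PORT)
    forced = reply_destination(VIA, SRC_IP, SRC_PORT, force_rport=True)
    return plain[:2], forced[:2]
```

In the posted config, route[3] calls proxy_challenge() before any force_rport(), so the challenge follows the first branch of this model.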



