[OpenSER-Users] NAT + STUN

Dan-Cristian Bogos dan.bogos at gmail.com
Thu Aug 2 15:00:50 CEST 2007


Marc,

Your configuration looks good except for calling radius accounting
twice for BYEs (once in loose_routing and the second time in
route(3) right after proxying the request out; I assume that your
request will be detected as being generated from behind NAT due to
test flag 2 used in nat_uac_test()). I don't know whether this can
influence message processing, but in the case of failure I am not sure
that the BYE will be sent out.
Can you check that once? Your radius server should tell you more about
that. The simplest way should be disabling accounting in both cases just
for tests.
Also, it could be good if you would try to see whether the BYE follows
loose_route or goes out in the if (!uri==myself) block (xlog should help
you find that out).

Cheers,
DanB

On 8/2/07, Marc LEURENT <lftsy at free.fr> wrote:
> According to what I said, it is not a problem that the phones answered with a SIP/2.0 481 CallLeg/Transaction Does Not Exist
> to SIP pings. What is important is that it will maintain the path through NAT.
>
> My only problem is with BYE requests that are not forwarded by OpenSER to the second user
> Is there something wrong in my openser.cfg???
>
>
> #
> # $Id: openser.cfg 1827 2007-03-12 15:22:53Z bogdan_iancu $
> #
> # simple quick-start config script
> # Please refer to the Core CookBook at http://www.openser.org/dokuwiki/doku.php
> # for a explanation of possible statements, functions and parameters.
> #
>
> # ----------- global configuration parameters ------------------------
>
> debug=7            # debug level (cmd line: -dddddddddd)
> fork=no
> log_stderror=yes    # (cmd line: -E)
> children=4
>
> #alias=sd-7501.dedibox.fr
> port=5060
> #server_signature=yes
> #tos=IPTOS_LOWDELAY
>
>
> avp_aliases="day=i:101;time=i:102;can_uri=i:800;s_ip=i:801;billing_party=i:802;from_header=i:803;sip_proxy_ip=i:804"
> #;pstnuser=i:805;pstnpassword=i:806:pstnrealm=i:807"
>
>
> # ------------------ module loading ----------------------------------
>
> #set module path
> mpath="/usr/lib/openser/modules/"
>
> # Uncomment this if you want to use SQL database
> loadmodule "mysql.so"
>
> loadmodule "sl.so"                      # Stateless Module
> loadmodule "tm.so"                      # Transaction Module
> loadmodule "rr.so"                      # Record-Route and Route Module
> loadmodule "maxfwd.so"                  # Max-Forward processor Module
> loadmodule "usrloc.so"                  # User Location Implementation Module
> loadmodule "registrar.so"               # SIP Registrar Implementation Module (need usrloc)
> loadmodule "textops.so"                 # Text Operation Module
> loadmodule "mi_fifo.so"                 # FIFO transport layer implementation for Management Interface
>
> loadmodule "acc.so"                     # Accounting Module
> loadmodule "avpops.so"                  # AVP Operation Module (user preference)
> loadmodule "uri.so"                     # Generic URI operation Module
>
> loadmodule "auth.so"                    # Authentication Module
> #loadmodule "auth_db.so"                        # Database-backend Authentication Module
> loadmodule "auth_radius.so"             # RADIUS-backend Authentication Module
> loadmodule "group_radius.so"            # User-groups Module with RADIUS-backend
> #loadmodule "avp_radius.so"             # RADIUS-backend for AVP loading Module
>
> #loadmodule "presence.so"               # Presence server Module
> #loadmodule "pua.so"                    # Common API for presence user agent client
>
> loadmodule "options.so"                 # OPTIONS server replier Module
> loadmodule "xlog.so"                    # Advanced Logger Module
>
> loadmodule "nathelper.so"               # NAT Traversal Helper Module
> #loadmodule "dispatcher.so"             # Dispatcher (load-balancer) Module
>
> loadmodule "uac.so"                     # User Agent Client
> loadmodule "siptrace.so"                # SipTrace module (storage of SIP requests)
> #loadmodule "exec.so"                   # Allows to start an external command from a OpenSER script
>
> # ----------------- setting module-specific parameters ---------------
>
>
> # -- maxfwd params --
> modparam("maxfwd", "max_limit", 10)     # Default is 256 | 10 in the functions
>
>
> # -- sl params --
> #modparam("sl", "enable_stats", 1)
>
>
> # -- mi_fifo params --
> modparam("mi_fifo", "fifo_name", "/tmp/openser_fifo")
>
>
> # -- usrloc params --
> # Uncomment this if you want to use SQL database
> modparam("usrloc", "db_mode", 1)                        # Write instantaneously in the DB
> modparam("usrloc", "db_url", "mysql://openser:test@127.0.0.1/openser")
> modparam("usrloc", "timer_interval", 10)
> modparam("usrloc", "nat_bflag" , 3)
>
>
> # -- rr params --
> modparam("rr", "enable_full_lr", 1)             # add value to ;lr param to make some broken UAs happy
>
>
> # -- siptrace params --
> modparam("siptrace", "db_url", "mysql://openser:test@127.0.0.1/openser")
> modparam("siptrace", "table", "sip_trace")              # Default value "sip_trace"
> modparam("siptrace", "trace_on", 1)
>
>
>
> # -- registrar params --
> modparam("registrar", "default_expires", 1800)
> modparam("registrar", "received_avp", "$avp(i:42)")
>
>
> # -- nathelper params --
> modparam("nathelper", "rtpproxy_disable", 1)
> modparam("nathelper", "sipping_bflag", 5)
> modparam("nathelper", "natping_interval", 10)
> modparam("nathelper", "ping_nated_only", 1)
> modparam("nathelper", "sipping_method", "OPTIONS")
> modparam("nathelper", "received_avp", "$avp(i:42)")             # Same Value as the registrar module
> modparam("nathelper", "sipping_from", "sip:pinger@sd-7501.dedibox.fr")
>
>
> # -- auth params --
> #modparam("auth", "secret", "johndoessecretphrase")                     # Default is random => don't set it
> #modparam("auth", "nonce_expire", 300)                                  # Time before nonce expiration
> modparam("auth_radius", "radius_config", "/etc/radiusclient-ng/radiusclient.conf")
>
>
> # -- group_radius params --
> modparam("group_radius", "radius_config", "/etc/radiusclient-ng/radiusclient.conf")
> modparam("group_radius", "use_domain", 1)       # username@domain will be used for lookup
>
>
> # -- avp_radius parameter --
> #modparam("avp_radius", "radius_config", "/etc/radiusclient-ng/radiusclient.conf")
>
>
> # -- acc params (with radius )--
> modparam("acc", "radius_config", "/etc/radiusclient-ng/radiusclient.conf")
> modparam("acc", "radius_flag", 1)
> modparam("acc", "radius_missed_flag", 2)
>
> modparam("acc", "early_media", 1)
> modparam("acc", "report_cancels", 1)
> #modparam("acc", "report_ack", 0)
> modparam("acc", "detect_direction", 1)
> #modparam("acc", "log_flag", 1)         # number of the flag which will be used to mark messages for accounting
> #modparam("acc", "log_level", 1)        # Set the reporting log level
> #modparam("acc", "log_missed_flag", 2)  #
> #modparam("acc", "failed_transaction_flag", 2)
> modparam("acc", "service_type", 15)     # Radius service type used for accounting : 15 = (SIP)
> #modparam("acc", "radius_extra", "Sip-Src-IP=$si;Sip-Src-Port=$sp")
> # ATTENTION: DO NOT PUT ; at the end of the radius_extra attribute
> modparam("acc", "radius_extra",         "Sip-Src-IP=$si;
>                                         Sip-Src-Port=$sp;
>                                         Canonical-URI=$avp(can_uri);
>                                         Billing-Party=$avp(billing_party);
>                                         SIP-Proxy-IP=$avp(sip_proxy_ip);
>                                         User-Agent=$ua
>                                         ")
>                                         #Billing-Party=$avp(billing_party)
>                                         #From-Header=$hdr(from);
>                                         #User-Name=$fU;
>                                         #From-Header=$avp(from_header);
>                                         #Digest-Realm=$fd
>                                         #Sip-From-Tag=$avp(from_header);
>                                         #SIP-Method=$rm;
>
>
> # -------------------------  request routing logic -------------------
>
> # main routing logic
>
> route{
>
>         # initial sanity checks -- messages with
>         # max_forwards==0, or excessively long requests
>         if (!mf_process_maxfwd_header("10")) {
>                 sl_send_reply("483","Too Many Hops");
>                 exit;
>         };
>
>         if (msg:len >=  2048 ) {
>                 sl_send_reply("513", "Message too big");
>                 exit;
>         };
>
>
>
>
>         # NAT detection
>         route(2);
>
>
>
>
>         # we record-route all messages -- to make sure that
>         # subsequent messages will go through our proxy; that's
>         # particularly good if upstream and downstream entities
>         # use different transport protocol
>         if (!method=="REGISTER") {
>                 record_route();
>         };
>
>         # subsequent messages within a dialog should take the
>         # path determined by record-routing
>         if (loose_route()) { # mark routing logic in request
>                 append_hf("P-hint: rr-enforced\r\n");
>                 if(is_method("BYE")) { # log it all the time
>                         acc_rad_request("200 ok");
>                         acc_log_request("200 ok");
>                 }
>                 route(1);
>         };
>
>
>
>
>         # Set the acc flags
>         if(is_method("INVITE") && !has_totag()) {
>                 xlog("L_INFO", "I AM SETTING THE FLAGS FOR RADIUS \r\n");
>                 $avp(can_uri) = $ru;            # SIP Request's URI
>                 $avp(billing_party) = $fu;      # From URI
>                 $avp(from_header) = $fU;        # From URI username
>                 $avp(sip_proxy_ip) = $Ri;       # Received IP address
>
>                 setflag(1);             # radius_flag
>                 setflag(2);             # radius_missed_flag
>         };
>
>
>         # Functions when calling other domains
>         if (!uri==myself) {
>                 # check if user is allowed to do voip calls to other domains
> #               if(is_method("INVITE|MESSAGE")) {
> #                       if (radius_is_user_in("From", "voip")) {
> #                               sl_send_reply("403", "Forbidden VoIP");
> #                               exit;
> #                       };
> #               };
>                 # mark routing logic in request
>                 append_hf("P-hint: outbound\r\n");
>                 route(1);
>         };
>
>
>
>
>
>
>         # if the request is for other domain use UsrLoc
>         # (in case, it does not work, use the following command
>         # with proper names and addresses in it)
>         if (uri==myself) {
>
>                 if (method=="REGISTER") {
>                         sip_trace();
>                         xlog("L_INFO", "$fU IS TRYING TO REGISTER \r\n");
>
>
>                         if (!radius_www_authorize("sd-7501.dedibox.fr")) {
>                                 www_challenge("sd-7501.dedibox.fr", "0");       # qop set to 1
>                                 xlog("L_INFO", "WWW_CHALLENGE of $si FAILED \r\n");
>                                 exit;
>                         };
>
>                         #if (isflagset(5)) {
>                         if (isbflagset(3)) {
>                                 #setflag(6);
>                                 # if you want OPTIONS natpings uncomment next
>                                 # setflag(7);   # Deprecated
>                                 setbflag(5);    # Set Flag for SIP PINGING
>                         };
>
>                         save("location");
>                         xlog("L_INFO", "SAVE LOCATION OF $si \r\n");
>                         exit;
>                 };
>
>
>
>
>
>                 if (!lookup("location")) {
>                         # log to acc as missed call
>                         acc_rad_request("404 Not Found");
>                         acc_log_request("404 Not Found");
>                         xlog("L_DBG", "ACC RADIUS: 404 NOT FOUND FOR $si \r\n");
>                         sl_send_reply("404", "Not Found");
>                         exit;
>                 };
>                 append_hf("P-hint: usrloc applied\r\n");
>
>         };
>
>
>
>
>         route(1);
> }
>
>
> ## Generic Forward
> route[1] {
>         if (subst_uri('/(sip:.*);nat=yes/\1/')){
>                 #setflag(6);    # Deprecated, for version 1.1
>                 setbflag(3);
>         };
>
>         #if (isflagset(5)||isflagset(6)) {
>         if (isbflagset(3)) {
>                 route(3);
>         }
>
>         if (!t_relay()) {
>                 sl_reply_error();
>         };
>         exit;
> }
>
>
>
>
> # NAT Detection
> route[2]{
>         force_rport();
>         if (nat_uac_test("19")) {
>                 xlog("!!!!!!!!!  NAT UAC TEST 19 SUCEDEED \r\n");
>                 if (method=="REGISTER") {
>                         fix_nated_register();
>                 } else {
>                         fix_nated_contact();
>                 };
>                 #setflag(5);    Deprecated
>                 setbflag(3);
>         };
> }
>
>
> ## Route for natted contact
> route[3] {
>         if (is_method("BYE|CANCEL")) {
>                 # Custom addition
>                 acc_rad_request("200 ok");
>                 acc_log_request("200 ok");
>
>                 #unforce_rtp_proxy();
>
>         } else if (is_method("INVITE")){
>                 #force_rtp_proxy();
>                 t_on_failure("1");
>         };
>         #if (isflagset(5))
>         if (isbflagset(3)){
>                 search_append('Contact:.*sip:[^>[:cntrl:]]*', ';nat=yes');
>         }
>         t_on_reply("1");
> }
>
>
> ## Failure Route 1
> failure_route[1] {
>         xlog("!!!!!!!!!  ON FAILURE ROUTE \r\n");
>         #if (isflagset(6) || isflagset(5)) {
>         if (isbflagset(3)) {
>                 #unforce_rtp_proxy();
>         }
> }
>
> ## Reply route
> onreply_route[1] {
>         xlog("!!!!!!!!!  ON REPLY ROUTE \r\n");
>         #if ((isflagset(5) || isflagset(6)) && status=~"(183)|(2[0-9][0-9])") {
>         if (isbflagset(3) && status=~"(183)|(2[0-9][0-9])") {
>                 #force_rtp_proxy();
>         }
>         search_append('Contact:.*sip:[^>[:cntrl:]]*', ';nat=yes');
>
>         #if (isflagset(6)) {
>         if (isbflagset(3)) {
>                 xlog("!!!!!!!!!  ON REPLY ROUTE / FIX NATED CONTACT \r\n");
>                 fix_nated_contact();
>         }
>         exit;
> }
>
>
>
>
>
> Dan-Cristian Bogos wrote:
> > Hi Marc,
> >
> > it will help more if you post the full dialog from INVITE to BYE coming
> > in and out from the server. It is important to check whether openser
> > forwards the BYEs and if the end party listens on that port.
> >
> > Cheers,
> > DanB
> >
> > On 8/2/07, Marc LEURENT <lftsy at free.fr> wrote:
> >> STUN seems to be working
> >>
> >> In openserctl ul show, I have:
> >> AOR:: 103       Contact:: sip:103@82.127.0.79:1028;user=phone Q=
> >> AOR:: 101       Contact:: sip:101@82.127.0.79:1313;user=phone Q=
> >>
> >>
> >> And tcpdump -i eth0 -n port 5060 returns:
> >> 13:47:44.375374 IP 88.191.45.91.5060 > 82.127.0.79.1027: SIP, length: 241
> >> 13:47:44.375396 IP 88.191.45.91.5060 > 82.127.0.79.1312: SIP, length: 241
> >> 13:47:44.422471 IP 82.127.0.79.1027 > 88.191.45.91.5060: SIP, length: 276
> >> 13:47:44.426415 IP 82.127.0.79.1312 > 88.191.45.91.5060: SIP, length: 275
> >>
> >>
> >> And my ngrep returns
> >>
> >>
> >> #
> >> U 88.191.45.91:5060 -> 82.127.0.79:1027
> >> OPTIONS sip:82.127.0.79:1027 SIP/2.0.
> >> Via: SIP/2.0/UDP 88.191.45.91:5060;branch=0.
> >> From: sip:pinger@sd-7501.dedibox.fr;tag=7ad21f92.
> >> To: sip:82.127.0.79:1027.
> >> Call-ID: 90f2eea1-5c41f342-a91@88.191.45.91.
> >> CSeq: 1 OPTIONS.
> >> Content-Length: 0.
> >> .
> >>
> >> #
> >> U 88.191.45.91:5060 -> 82.127.0.79:1312
> >> OPTIONS sip:82.127.0.79:1312 SIP/2.0.
> >> Via: SIP/2.0/UDP 88.191.45.91:5060;branch=0.
> >> From: sip:pinger@sd-7501.dedibox.fr;tag=8ad21f92.
> >> To: sip:82.127.0.79:1312.
> >> Call-ID: 90f2eea1-6c41f342-a91@88.191.45.91.
> >> CSeq: 1 OPTIONS.
> >> Content-Length: 0.
> >> .
> >>
> >> #
> >> U 82.127.0.79:1027 -> 88.191.45.91:5060
> >> SIP/2.0 481 CallLeg/Transaction Does Not Exist.
> >> Via: SIP/2.0/UDP 88.191.45.91:5060;branch=0.
> >> From: <sip:pinger@sd-7501.dedibox.fr>;tag=7ad21f92.
> >> To: <sip:82.127.0.79:1027>;tag=c0a80101-1db9be2.
> >> Call-ID: 90f2eea1-5c41f342-a91@88.191.45.91.
> >> CSeq: 1 OPTIONS.
> >> Content-Length: 0.
> >> .
> >>
> >> #
> >> U 82.127.0.79:1312 -> 88.191.45.91:5060
> >> SIP/2.0 481 CallLeg/Transaction Does Not Exist.
> >> Via: SIP/2.0/UDP 88.191.45.91:5060;branch=0.
> >> From: <sip:pinger@sd-7501.dedibox.fr>;tag=8ad21f92.
> >> To: <sip:82.127.0.79:1312>;tag=c0a80101-573ff0.
> >> Call-ID: 90f2eea1-6c41f342-a91@88.191.45.91.
> >> CSeq: 1 OPTIONS.
> >> Content-Length: 0.
> >>
> >>
> >>
> >>
> >>
> >>
> >> Iñaki Baz Castillo wrote:
> >>> On Thursday 02 August 2007 12:25:07 Marc LEURENT wrote:
> >>>> #
> >>>> U 82.127.0.79:1312 -> 88.191.45.91:5060
> >>>> BYE sip:103@82.127.0.79:1027 SIP/2.0.
> >>>> Via: SIP/2.0/UDP 82.127.0.79:1313;branch=z9hG4bK8030359792092547043.
> >>>> From: "101"<sip:101@sip.leurent.eu:5060;user=phone>;tag=c0a80101-4c5eed.
> >>>> To: <sip:103@sip.leurent.eu:5060;user=phone>;tag=c0a80101-1d0bb0d.
> >>>> Call-ID: 66464a0-c0a80101-0-1f@192.168.95.4.
> >>>> CSeq: 2 BYE.
> >>>> Max-Forwards: 70.
> >>>> Route: <sip:88.191.45.91:5060;lr=on;ftag=c0a80101-4c5eed>.
> >>>> User-Agent: THOMSON ST2030 hw0 fw1.50 00-0E-50-4E-AF-AE.
> >>>> Content-Length: 0.
> >>> What more is after this message?
> >>> Did you try tcpdump to monitor to which IP:port the messages are sent?
> >>>
>
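
The check suggested in this thread (does OpenSER actually send out the BYEs it receives?) can be run over an ngrep capture instead of being read by eye. This is an added example, not part of the original messages; the addresses, Call-IDs and the helper names `parse_ngrep` and `unforwarded` are constructed for illustration, and it assumes `ngrep -W byline` output with full (non-compact) header names.

```python
import re

# Constructed capture (not from the thread): the BYE of dialog "a" is relayed
# by the proxy, the BYE of dialog "b" reaches the proxy and never leaves it.
PROXY = "198.51.100.10:5060"
SAMPLE = """\
#
U 203.0.113.5:1312 -> 198.51.100.10:5060
BYE sip:103@203.0.113.5:1027 SIP/2.0.
Call-ID: a@192.168.95.4.
CSeq: 2 BYE.
.

#
U 198.51.100.10:5060 -> 203.0.113.5:1027
BYE sip:103@203.0.113.5:1027 SIP/2.0.
Call-ID: a@192.168.95.4.
CSeq: 2 BYE.
.

#
U 203.0.113.5:1312 -> 198.51.100.10:5060
BYE sip:103@203.0.113.5:1027 SIP/2.0.
Call-ID: b@192.168.95.4.
CSeq: 2 BYE.
.
"""

PACKET = re.compile(r"^[UT] (\S+) -> (\S+)", re.M)

def parse_ngrep(text):
    """Split ngrep output into dicts: src, dst, start line, Call-ID, CSeq."""
    msgs = []
    for block in re.split(r"^#+\s*$", text, flags=re.M):
        m = PACKET.search(block)
        if not m:
            continue
        # ngrep shows each "\r" as a trailing "."; drop it, then drop empty lines
        lines = [re.sub(r"\.$", "", l.strip()) for l in block[m.end():].splitlines()]
        lines = [l for l in lines if l]
        if not lines:
            continue
        parts = (l.partition(":") for l in lines[1:])
        hdrs = {k.strip().lower(): v.strip() for k, sep, v in parts if sep}
        msgs.append({"src": m.group(1), "dst": m.group(2), "start": lines[0],
                     "call_id": hdrs.get("call-id"), "cseq": hdrs.get("cseq")})
    return msgs

def unforwarded(msgs, proxy, method="BYE"):
    """(Call-ID, CSeq) of requests that arrived at proxy but were never sent on by it."""
    is_req = lambda m: m["start"].startswith(method + " ")
    key = lambda m: (m["call_id"], m["cseq"])
    relayed = {key(m) for m in msgs if is_req(m) and m["src"] == proxy}
    return [key(m) for m in msgs
            if is_req(m) and m["dst"] == proxy and key(m) not in relayed]
```

Any pair returned by `unforwarded(parse_ngrep(capture), PROXY)` is a BYE that stopped at the proxy, which is the case to correlate with the xlog and RADIUS accounting output for the same Call-ID.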



