[SR-Users] How to configure Kamailio + Asterisk (on same server) to route between several disjoint networks?

Alex Villacís Lasso a_villacis at palosanto.com
Wed Feb 26 17:39:26 CET 2014


On 26/02/14 05:25, Klaus Darilion wrote:
> Puh, too many questions in one email.
>
I am sorry about that. I wanted to provide as much useful information as possible on my email, including what I had observed, and what I have already tried. After all the exposition, I just want to 1) have a setup that routes media between several disjoint networks, 2) while being secure by default even if the firewall gets misconfigured, 3) without having to hardcode a particular IP address in the configuration file.
> First, you should describe what you want to achieve. Eg. is there routing between the networks done by the server? E.g. can a client on 10.1.0.0/24 ping a client on 192.168.0.0/16? If yes, there is no need for Kamailio/Asterisk to listen on multiple 
> interfaces.
>
No, the server is not supposed to route ordinary traffic between networks.
> If there is no routing, you need to have a media relay too. Either use rtpproxy or just configure Asterisk with "canreinvite=no" to avoid media offloading.
>
The asterisk instance was supposed to be already configured with directmedia=no the whole time. This was set both in the configuration file and in each of the realtime peers. The full sip.conf file is attached. The #include'd files at the end are currently empty. You can see the commented-out attempt to listen on localhost only.

I fail to see why rtpproxy would be required in this setup, since asterisk already opens RTP ports on all interfaces. In the (already tested) asterisk-only scenario, media is routed between the test networks through asterisk when it does all of the SIP negotiation itself.
> So, what setup have you chosen? Then we can think about problems.
>
> regards
> Klaus
>
>
> On 25.02.2014 23:31, Alex Villacís Lasso wrote:
>> As part of a project, I have installed a CentOS 6 test system (a virtual
>> machine) with Asterisk 11.7.0 and Kamailio 4.1.1 downloaded from
>> http://download.opensuse.org/repositories/home:/kamailio:/telephony/CentOS_CentOS-6/x86_64/.
>> I am trying to setup a combination of Kamailio and Asterisk that will
>> route SIP calls between all the configured networks in the test setup,
>> in addition to being capable of using Asterisk in order to handle PSTN
>> and IAX2 calls.
>>
>> I am using the following online guide to modify my kamailio.cfg:
>> http://kb.asipto.com/asterisk:realtime:kamailio-4.0.x-asterisk-11.3.0-astdb
>> . Based on this, I generated the attached patch for my Kamailio
>> configuration
>>
>> My test setup has the following network interfaces:
>> eth0: 10.1.0.3, on network 10.1.0.0/24
>> eth1: 192.168.5.18, on network 192.168.0.0/16
>> eth2: 10.0.0.2, on network 10.0.0.0/24
>> lo: 127.0.0.1, on network 127.0.0.0/8
>>
>> I first configured Asterisk with SIP realtime support (with no
>> Kamailio), and tested that all configured accounts could register from
>> all interfaces, and that Asterisk could properly route media between any
>> two disjoint networks. After installing Kamailio, the guide called for
>> disabling Asterisk SIP authentication by setting passwords to NULL, and
>> moving Asterisk SIP to a different port (I chose 5080) so that Asterisk
>> and Kamailio could run on the same machine. At this point, the SIP
>> clients (one softphone and one VoIP phone) can now register at port 5080
>> without authentication.
>>
>> In the process of changing my Kamailio configuration according to the
>> attached patch, the guide says that I should configure the IP of the
>> network interface as the value of asterisk.bindip and kamailio.bindip.
>> After performing all required changes, Kamailio does take over
>> authentication at the default port of 5060. Testing shows that for all
>> SIP clients with IPs belonging to the same network as the configured
>> asterisk.bindip, both registration and media exchange work correctly,
>> and that the SIP clients are still capable of calling into the Asterisk
>> dialplan, and therefore, routing into Asterisk resources.
>>
>> For SIP clients in disjoint networks, the failure mode depends on
>> whether mhomed is enabled or disabled in kamailio.cfg.
>>
>> For mhomed=0 (or unset), I have the following situation between the two
>> SIP clients (one at 10.1.0.1, the other at 10.0.0.3), as shown by "sip
>> show peers" in Asterisk (when asterisk.bindip is set to 192.168.5.18):
>>
>> Privilege escalation protection disabled!
>> See https://wiki.asterisk.org/wiki/x/1gKfAQ for more details.
>> Name/username             Host Dyn Forcerport ACL Port Status
>> Description                      Realtime
>> gatitoscomx64am_100/gatit 10.1.0.3 D   N          A  5060     OK (16
>> ms)                                   Cached RT
>> gatitoscomx64am_101/gatit 10.0.0.2 D   N          A  5060     OK (36
>> ms)                                   Cached RT
>> gatitoscomx64am_IM101     (Unspecified) D   N          A  0
>> UNREACHABLE                                  Cached RT
>> 3 sip peers [Monitored: 2 online, 1 offline Unmonitored: 0 online, 0
>> offline]
>>
>> If I try to call from one SIP client to an extension in the Asterisk
>> dialplan that does NOT map to a SIP client in a disjoint network, the
>> media exchange works (with negotiated media IP in the same network as
>> the SIP client), regardless of whether the calling client belongs in the
>> same network as asterisk.bindip. If I try to call from the same SIP
>> client to an extension that maps to a SIP client in a disjoint network,
>> the call fails, and I get the spoken message about the user at extension
>> such-and-such being unavailable. Additionally, I get the following error
>> message in the Asterisk logs:
>> [Feb 25 16:53:14] NOTICE[13807][C-00000003] chan_sip.c: Call from
>> 'gatitoscomx64am_101' (10.0.0.2:5060) to extension 'gatitoscomx64am_101'
>> rejected because extension not found in context
>> 'gatitoscomx64am-from-internal'.
>>
>>
>>
>> For mhomed=1, the output of "sip show peers" changes to the following
>> (when asterisk.bindip is set to 192.168.5.18):
>> Privilege escalation protection disabled!
>> See https://wiki.asterisk.org/wiki/x/1gKfAQ for more details.
>> Name/username             Host Dyn Forcerport ACL Port Status
>> Description                      Realtime
>> gatitoscomx64am_100/gatit 192.168.5.18 D   N          A 5060     OK (19
>> ms)                                   Cached RT
>> gatitoscomx64am_101/gatit 192.168.5.18 D   N          A 5060     OK (34
>> ms)                                   Cached RT
>> gatitoscomx64am_IM101     (Unspecified) D   N          A  0
>> UNREACHABLE                                  Cached RT
>> 3 sip peers [Monitored: 2 online, 1 offline Unmonitored: 0 online, 0
>> offline]
>>
>>  From wireshark sniffing, I can see that the SDP payload sent from the
>> client to Kamailio contains the IP address of the client, which is
>> accessible by both Kamailio and Asterisk. However, the SDP payload in
>> the OK response sent back to the client contains a media port with the
>> IP address of asterisk.bindip (the one that appears in the "Host" column
>> in the "sip show peers" report), not the IP address of the interface
>> that received the INVITE. This results in broken media negotiation for
>> all SIP clients belonging to networks other than the one that contains
>> asterisk.bindip.
>>
>> In either case, I have to hardcode an IP address in kamailio.cfg, which
>> is not satisfactory. IPs assigned to interfaces can and do change,
>> especially if the interface is managed with DHCP. To escape this, I
>> tried setting asterisk.bindip to 127.0.0.1, but since apparently
>> localhost is also a disjoint network, all of the above described
>> problems apply.
>>
>> Related to these issues, I am not satisfied with leaving Asterisk
>> running unauthenticated SIP at the nonstandard port. Somebody suggested
>> blocking the port with iptables, but I do not want to rely on this
>> alone. I tried setting bindaddr=127.0.0.1 so that only Kamailio gets to
>> talk to Asterisk, but this also has the side effect of restricting the
>> media negotiation to localhost only.
>>
>> I am asking for help in building a Kamailio/Asterisk configuration that
>> will support all of the networks and route media between all of them,
>> just as if Asterisk were the only program running. Ideally, the
>> configuration should not encode the current IP of any interface (except,
>> maybe, localhost). What is the official name (if any) for the setup I am
>> describing above? Does it have a standard setup procedure? How is
>> Asterisk secured so that clients cannot bypass authentication using the
>> Asterisk SIP port directly?
>>
>>
>> _______________________________________________
>> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
>> sr-users at lists.sip-router.org
>> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
>>

-------------- next part: attached sip.conf --------------
[general]
context=default
allowoverlap=no
allowguest=no
realm=asterisk
srvlookup=yes
tos_sip=cs3
tos_audio=ef
tos_video=af41
relaxdtmf=yes
trustrpid=no
sendrpid=yes
sendrpid=pai
disallow=all
allow=ulaw
allow=alaw
allow=gsm
rtcachefriends=yes
callcounter=yes
alwaysauthreject=yes
faxdetect=yes
t38pt_udptl=yes
vmexten=*97
videosupport=yes
maxcallbitrate=384
nat=force_rport,comedia
directmedia=no
accept_outofcall_message=yes
auth_message_requests=yes

;The following settings restrict Asterisk to localhost for Kamailio integration
;bindaddr=127.0.0.1
bindport=5080
deny=0.0.0.0/0.0.0.0
permit=127.0.0.1/255.0.0.0

#include sip_general_custom.conf
#include sip_register.conf
#include sip_custom.conf



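As an added example (it is not part of the post, nor code from the Kamailio or Asterisk projects), here is a small Python audit of the attached sip.conf against the points the thread turns on: Asterisk running without SIP authentication on a nonstandard port, that port having to be unreachable from the client networks even if the firewall is wrong, and media staying on the box (directmedia=no). It parses the file itself (repeated keys such as allow=, deny= and permit= are kept in order; #include lines are recorded, not followed) and evaluates the deny=/permit= list the way the deny-all-then-permit pattern in the attached file relies on, with the last matching rule deciding. The embedded config is an abridged copy of the attachment, the probe addresses are taken from the networks listed in the original mail, and the findings describe only what the text of the file says, not what chan_sip does with a [general] deny/permit for realtime peers; that still has to be verified with a client on each network.

```python
import ipaddress
import re

# Abridged copy of the sip.conf attached to the post (settings not relevant
# to the checks below are omitted); the '#include'd files are empty there.
SIP_CONF = """\
[general]
context=default
allowguest=no
realm=asterisk
sendrpid=yes
sendrpid=pai
disallow=all
allow=ulaw
allow=alaw
rtcachefriends=yes
alwaysauthreject=yes
nat=force_rport,comedia
directmedia=no

;The following settings restrict Asterisk to localhost for Kamailio integration
;bindaddr=127.0.0.1
bindport=5080
deny=0.0.0.0/0.0.0.0
permit=127.0.0.1/255.0.0.0

#include sip_general_custom.conf
"""

# Client networks named in the post; one address from each is used as a probe.
CLIENT_NETWORKS = ["10.1.0.0/24", "192.168.0.0/16", "10.0.0.0/24"]


def parse_sip_conf(text):
    """Parse Asterisk-style config text into {section: [(key, value), ...]}.

    Repeated keys (allow=, deny=, permit=) are kept in order because their
    order matters; '#include' lines are recorded as ('#include', path) and
    not followed, so nothing is read from disk.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment
        if not line:
            continue
        header = re.match(r"^\[([^\]]+)\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
        elif line.startswith("#include"):
            sections.setdefault(current, []).append(("#include", line[8:].strip()))
        elif "=" in line:
            key, value = line.split("=", 1)
            sections.setdefault(current, []).append((key.strip(), value.strip()))
    return sections


def acl_rules(entries):
    """Collect deny=/permit= lines, in order, as (sense, network) pairs."""
    return [(key, ipaddress.ip_network(value, strict=False))
            for key, value in entries if key in ("deny", "permit")]


def acl_allows(rules, source_ip):
    """Evaluate the ordered ACL the way the deny-all-then-permit pattern in
    the attached file relies on: every rule is examined and the last rule
    that matches the address decides; an address no rule matches is allowed."""
    addr = ipaddress.ip_address(source_ip)
    verdict = True
    for sense, network in rules:
        if addr in network:
            verdict = (sense == "permit")
    return verdict


def audit(sections):
    """Boolean findings for the settings the thread is about."""
    entries = sections.get("general", [])
    general = dict(entries)  # for scalar options the last assignment wins
    rules = acl_rules(entries)
    probes = [str(ipaddress.ip_network(n).network_address + 1) for n in CLIENT_NETWORKS]
    return {
        "allowguest_off": general.get("allowguest") == "no",
        "alwaysauthreject_on": general.get("alwaysauthreject") == "yes",
        "directmedia_off": general.get("directmedia") == "no",
        "bindport_nonstandard": general.get("bindport", "5060") != "5060",
        # bindaddr is commented out in the post, so Asterisk listens everywhere
        "bindaddr_restricted": general.get("bindaddr", "0.0.0.0") not in ("0.0.0.0", "::"),
        "acl_admits_localhost": bool(rules) and acl_allows(rules, "127.0.0.1"),
        "acl_blocks_client_networks": bool(rules) and not any(acl_allows(rules, ip) for ip in probes),
    }


if __name__ == "__main__":
    for name, ok in audit(parse_sip_conf(SIP_CONF)).items():
        print(f"{'OK  ' if ok else 'WARN'} {name}")
```

Against the attached file this reports everything as OK except bindaddr_restricted, which is exactly the trade-off the mail describes: the commented-out bindaddr=127.0.0.1 would close port 5080 to the client networks but also pins media negotiation to localhost, so the file falls back on the deny/permit list. To run it on a live box, pass the real file with parse_sip_conf(open(path).read()); the parser ignores #include, so the included files have to be checked separately if they ever stop being empty.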