[SR-Users] [VoLTE] 401 unauthorized error

오택경 ohtk at kaist.ac.kr
Tue Aug 24 10:45:33 CEST 2021


Thank you for your help!

I looked into the UE's  IMS register request as you told me. (the content of request is shown below)

As my thinking, my UE can support only two algorithms: hmac-sha1-96 and hmac-md5-96.

But fhoss cannot support above auth algorithms (fhoss can support digest-akav1-md5, digest-akav2-md5, digest, http_digest_md5, early-ims-security, nass-bundled and sip digest).

What algorithm should I switch to for authentication in fhoss? Or do I have to change the UE device (smartphone) for auth?

Very thanks,
Taekkyung Oh.

<IMS register request from the UE>
Frame 4153: 840 bytes on wire (6720 bits), 840 bytes captured (6720 bits) on interface 0
Ethernet II, Src: 02:42:ac:16:00:16 (02:42:ac:16:00:16), Dst: 02:42:ac:16:00:06 (02:42:ac:16:00:06)
Internet Protocol Version 4, Src: 172.22.0.22, Dst: 172.22.0.6
User Datagram Protocol, Src Port: 2152, Dst Port: 2152
GPRS Tunneling Protocol
Internet Protocol Version 4, Src: 192.168.101.3, Dst: 172.22.0.21
Transmission Control Protocol, Src Port: 5060, Dst Port: 5060, Seq: 1021, Ack: 1, Len: 750
[2 Reassembled TCP Segments (1770 bytes): #4147(1020), #4153(750)]
Session Initiation Protocol (REGISTER)
    Request-Line: REGISTER sip:ims.mnc001.mcc001.3gppnetwork.org SIP/2.0
        Method: REGISTER
        Request-URI: sip:ims.mnc001.mcc001.3gppnetwork.org
            Request-URI Host Part: ims.mnc001.mcc001.3gppnetwork.org
        [Resent Packet: False]
    Message Header
        To: <sip:001010000031094 at ims.mnc001.mcc001.3gppnetwork.org>
            SIP to address: sip:001010000031094 at ims.mnc001.mcc001.3gppnetwork.org
                SIP to address User Part: 001010000031094
                SIP to address Host Part: ims.mnc001.mcc001.3gppnetwork.org
        From: <sip:001010000031094 at ims.mnc001.mcc001.3gppnetwork.org>;tag=qyecbkJ
            SIP from address: sip:001010000031094 at ims.mnc001.mcc001.3gppnetwork.org
                SIP from address User Part: 001010000031094
                SIP from address Host Part: ims.mnc001.mcc001.3gppnetwork.org
            SIP from tag: qyecbkJ
        Contact: <sip:001010000031094 at 192.168.101.3:5060>;+sip.instance="<urn:gsma:imei:86355804-632692-0>";+g.3gpp.accesstype="cellular2";audio;video;+g.3gpp.smsip;+g.3gpp.icsi-ref="urn%3Aurn-7%3A3gpp-service.ims.icsi.mmtel"
            Contact URI: sip:001010000031094 at 192.168.101.3:5060
                Contact URI User Part: 001010000031094
                Contact URI Host Part: 192.168.101.3
                Contact URI Host Port: 5060
            Contact parameter: +sip.instance="<urn:gsma:imei:86355804-632692-0>"
            Contact parameter: +g.3gpp.accesstype="cellular2"
            Contact parameter: audio
            Contact parameter: video
            Contact parameter: +g.3gpp.smsip
            Contact parameter: +g.3gpp.icsi-ref="urn%3Aurn-7%3A3gpp-service.ims.icsi.mmtel"\r

        Expires: 600000
        P-Access-Network-Info: 3GPP-E-UTRAN-FDD;utran-cell-id-3gpp=0010100010019B01
            access-type: 3GPP-E-UTRAN-FDD
            utran-cell-id-3gpp: 0010100010019B01
        Supported: path,sec-agree
        Allow: INVITE,ACK,OPTIONS,BYE,CANCEL,UPDATE,PRACK,NOTIFY,MESSAGE,REFER
        Require: sec-agree
        Proxy-Require: sec-agree
         [truncated]Security-Client: ipsec-3gpp;alg=hmac-sha-1-96;prot=esp;mod=trans;ealg=des-ede3-cbc;spi-c=10559690;spi-s=65664952;port-c=31112;port-s=31803,ipsec-3gpp;alg=hmac-sha-1-96;prot=esp;mod=trans;ealg=aes-cbc;spi-c=10559690;spi-s=65664
            [Security-mechanism]: ipsec-3gpp
            alg: hmac-sha-1-96
            prot: esp
            mod=trans
            ealg: des-ede3-cbc
            spi-c: 10559690 (0x00a120ca)
            spi-s: 65664952 (0x03e9f7b8)
            port-c: 31112
            port-s: 31803
            [Security-mechanism]: ipsec-3gpp
            alg: hmac-sha-1-96
            prot: esp
            mod=trans
            ealg: aes-cbc
            spi-c: 10559690 (0x00a120ca)
            spi-s: 65664952 (0x03e9f7b8)
            port-c: 31112
            port-s: 31803
            [Security-mechanism]: ipsec-3gpp
            alg: hmac-sha-1-96
            prot: esp
            mod=trans
            ealg: null
            spi-c: 10559690 (0x00a120ca)
            spi-s: 65664952 (0x03e9f7b8)
            port-c: 31112
            port-s: 31803
            [Security-mechanism]: ipsec-3gpp
            alg: hmac-md5-96
            prot: esp
            mod=trans
            ealg: des-ede3-cbc
            spi-c: 10559690 (0x00a120ca)
            spi-s: 65664952 (0x03e9f7b8)
            port-c: 31112
            port-s: 31803
            [Security-mechanism]: ipsec-3gpp
            alg: hmac-md5-96
            prot: esp
            mod=trans
            ealg: aes-cbc
            spi-c: 10559690 (0x00a120ca)
            spi-s: 65664952 (0x03e9f7b8)
            port-c: 31112
            port-s: 31803
            [Security-mechanism]: ipsec-3gpp
            alg: hmac-md5-96
            prot: esp
            mod=trans
            ealg: null
            spi-c: 10559690 (0x00a120ca)
            spi-s: 65664952 (0x03e9f7b8)
            port-c: 31112
            port-s: 31803
        Authorization: Digest username="001010000031094 at ims.mnc001.mcc001.3gppnetwork.org",realm="ims.mnc001.mcc001.3gppnetwork.org",uri="sip:ims.mnc001.mcc001.3gppnetwork.org",nonce="",response=""
            Authentication Scheme: Digest
            Username: "001010000031094 at ims.mnc001.mcc001.3gppnetwork.org"
            Realm: "ims.mnc001.mcc001.3gppnetwork.org"
            Authentication URI: "sip:ims.mnc001.mcc001.3gppnetwork.org"
            Nonce Value: ""
            Digest Authentication Response: ""
        Call-ID: txecbknlk at 192.168.101.3
        CSeq: 1 REGISTER
            Sequence Number: 1
            Method: REGISTER
        Max-Forwards: 70
        Via: SIP/2.0/TCP 192.168.101.3:5060;branch=z9hG4bKrzecbkJzsat7Xk6daqm5;rport
            Transport: TCP
            Sent-by Address: 192.168.101.3
            Sent-by port: 5060
            Branch: z9hG4bKrzecbkJzsat7Xk6daqm5
            RPort: rport
        User-Agent: IM-client/OMA1.0 HW-Rto/V1.0
        Content-Length: 0




-----Original Message-----
From: "Yuriy Gorlichenko" <ovoshlook at gmail.com>
To: "Kamailio (SER) - Users Mailing List" <sr-users at lists.kamailio.org>;
Cc:
Sent: 2021-08-24 (화) 05:55:26 (UTC+09:00)
Subject: Re: [SR-Users] [VoLTE] 401 unauthorized error


Hi  401 is normal response for sip authIt is also normal response for IMS service
Look into sip basic auth mechanism to clarify what is going on here and additionally look into Spec of IMS auth. There should be only auth algo change 
I believe you did not check further request processing.On Mon, 23 Aug 2021, 18:19 오택경, <ohtk at kaist.ac.kr mailto:ohtk at kaist.ac.kr> wrote:
Hi.

I am implementing the VoLTE setup with the dockerized project (https://github.com/herlesupreeth/docker_open5gs https://github.com/herlesupreeth/docker_open5gs).

I have almost done to run the VoLTE service, but 401 unauthorized error in sip and auth-pending error in fhoss have occured.

How can I fix this problem?

I will share the discussion note in which I tried to solve some problems including the above one.
: https://github.com/herlesupreeth/docker_open5gs/issues/55 https://github.com/herlesupreeth/docker_open5gs/issues/55

Very thanks,
Taekkyung Oh.
__________________________________________________________Kamailio - Users Mailing List - Non Commercial Discussions  * sr-users at lists.kamailio.org mailto:sr-users at lists.kamailio.orgImportant: keep the mailing list in the recipients, do not reply only to the sender!Edit mailing list options or unsubscribe:  * https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users


__________________________________________________________ Kamailio - Users Mailing List - Non Commercial Discussions * sr-users at lists.kamailio.org Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe: * https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users




-----Original Message-----
From: "Yuriy Gorlichenko" <ovoshlook at gmail.com>
To: "Kamailio (SER) - Users Mailing List" <sr-users at lists.kamailio.org>;
Cc:
Sent: 2021-08-24 (화) 05:55:26 (UTC+09:00)
Subject: Re: [SR-Users] [VoLTE] 401 unauthorized error


Hi  401 is normal response for sip authIt is also normal response for IMS service
Look into sip basic auth mechanism to clarify what is going on here and additionally look into Spec of IMS auth. There should be only auth algo change 
I believe you did not check further request processing.On Mon, 23 Aug 2021, 18:19 오택경, <ohtk at kaist.ac.kr mailto:ohtk at kaist.ac.kr> wrote:
Hi.

I am implementing the VoLTE setup with the dockerized project (https://github.com/herlesupreeth/docker_open5gs https://github.com/herlesupreeth/docker_open5gs).

I have almost done to run the VoLTE service, but 401 unauthorized error in sip and auth-pending error in fhoss have occured.

How can I fix this problem?

I will share the discussion note in which I tried to solve some problems including the above one.
: https://github.com/herlesupreeth/docker_open5gs/issues/55 https://github.com/herlesupreeth/docker_open5gs/issues/55

Very thanks,
Taekkyung Oh.
__________________________________________________________Kamailio - Users Mailing List - Non Commercial Discussions  * sr-users at lists.kamailio.org mailto:sr-users at lists.kamailio.orgImportant: keep the mailing list in the recipients, do not reply only to the sender!Edit mailing list options or unsubscribe:  * https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users


__________________________________________________________ Kamailio - Users Mailing List - Non Commercial Discussions * sr-users at lists.kamailio.org Important: keep the mailing list in the recipients, do not reply only to the sender! Edit mailing list options or unsubscribe: * https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.kamailio.org/pipermail/sr-users/attachments/20210824/7cb54f45/attachment.htm>


More information about the sr-users mailing list